From 98b80c2b71a812dfec195340df6faec1f5297d8c Mon Sep 17 00:00:00 2001
From: Xavier Abad <77491413+xabg2@users.noreply.github.com>
Date: Thu, 4 Jun 2026 16:05:37 +0200
Subject: [PATCH 1/2] feat(email): get attachmentWrappedKeys

---
 src/modules/email/email-encryption.ts |  3 +++
 src/modules/email/email.dto.ts        | 14 ++++++++++++++
 src/modules/email/email.types.ts      |  2 ++
 3 files changed, 19 insertions(+)

diff --git a/src/modules/email/email-encryption.ts b/src/modules/email/email-encryption.ts
index 22521e9..e17989d 100644
--- a/src/modules/email/email-encryption.ts
+++ b/src/modules/email/email-encryption.ts
@@ -45,5 +45,8 @@ export function projectForCaller(
   return {
     encryptedPreview: envelope.encryptedPreview,
     wrappedKeys: envelope.wrappedKeys,
+    ...(envelope.attachmentWrappedKey && {
+      attachmentWrappedKey: envelope.attachmentWrappedKey,
+    }),
   };
 }
diff --git a/src/modules/email/email.dto.ts b/src/modules/email/email.dto.ts
index c1da337..efaa49a 100644
--- a/src/modules/email/email.dto.ts
+++ b/src/modules/email/email.dto.ts
@@ -59,6 +59,12 @@ export class EncryptionBlockDto {
     description: 'De-identified wrapped keys, one per recipient',
   })
   wrappedKeys!: EncryptedWrappedKeyDto[];
+
+  @ApiProperty({
+    type: [EncryptedWrappedKeyDto],
+    description: 'De-identified attachment wrapped keys, one per recipient',
+  })
+  attachmentWrappedKey!: EncryptedWrappedKeyDto;
 }
 
 export class AttachmentRefDto {
@@ -218,6 +224,14 @@ export class EncryptedSummaryDto {
       'De-identified wrapped keys; the client trial-decrypts to read',
   })
   wrappedKeys!: EncryptedWrappedKeyDto[];
+
+  @ApiPropertyOptional({
+    type: [EncryptedWrappedKeyDto],
+    description:
+      'De-identified wrapped keys for the symmetric key that encrypts the ' +
+      "email's attachments. Present only when the email has encrypted attachments.",
+  })
+  attachmentWrappedKey?: EncryptedWrappedKeyDto;
 }
 
 export class EmailSummaryResponseDto {
diff --git a/src/modules/email/email.types.ts b/src/modules/email/email.types.ts
index 1fb3525..910466a 100644
--- a/src/modules/email/email.types.ts
+++ b/src/modules/email/email.types.ts
@@ -23,6 +23,7 @@ export interface Mailbox {
 export interface EncryptedSummaryFields {
   encryptedPreview: string;
   wrappedKeys: EncryptedWrappedKey[];
+  attachmentWrappedKey?: EncryptedWrappedKey;
 }
 
 export interface EmailSummary {
@@ -77,6 +78,7 @@ export interface EncryptionBlock {
   encryptedPreview: string;
   encryptedText: string;
   wrappedKeys: EncryptedWrappedKey[];
+  attachmentWrappedKey?: EncryptedWrappedKey;
 }
 
 export interface SendEmailDto {

From d558ce11553ebad7a19287b49b40ef41fae0c9f5 Mon Sep 17 00:00:00 2001
From: Xavier Abad <77491413+xabg2@users.noreply.github.com>
Date: Thu, 4 Jun 2026 16:22:09 +0200
Subject: [PATCH 2/2] fix: attachment wrapped keys per recipient

---
 src/modules/email/email-encryption.ts | 4 ++--
 src/modules/email/email.dto.ts        | 4 ++--
 src/modules/email/email.types.ts      | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/modules/email/email-encryption.ts b/src/modules/email/email-encryption.ts
index e17989d..5e0ea16 100644
--- a/src/modules/email/email-encryption.ts
+++ b/src/modules/email/email-encryption.ts
@@ -45,8 +45,8 @@ export function projectForCaller(
   return {
     encryptedPreview: envelope.encryptedPreview,
     wrappedKeys: envelope.wrappedKeys,
-    ...(envelope.attachmentWrappedKey && {
-      attachmentWrappedKey: envelope.attachmentWrappedKey,
+    ...(envelope.attachmentWrappedKeys && {
+      attachmentWrappedKeys: envelope.attachmentWrappedKeys,
     }),
   };
 }
diff --git a/src/modules/email/email.dto.ts b/src/modules/email/email.dto.ts
index efaa49a..5e1753f 100644
--- a/src/modules/email/email.dto.ts
+++ b/src/modules/email/email.dto.ts
@@ -64,7 +64,7 @@ export class EncryptionBlockDto {
     type: [EncryptedWrappedKeyDto],
     description: 'De-identified attachment wrapped keys, one per recipient',
   })
-  attachmentWrappedKey!: EncryptedWrappedKeyDto;
+  attachmentWrappedKeys!: EncryptedWrappedKeyDto[];
 }
 
 export class AttachmentRefDto {
@@ -231,7 +231,7 @@ export class EncryptedSummaryDto {
       'De-identified wrapped keys for the symmetric key that encrypts the ' +
       "email's attachments. Present only when the email has encrypted attachments.",
   })
-  attachmentWrappedKey?: EncryptedWrappedKeyDto;
+  attachmentWrappedKeys?: EncryptedWrappedKeyDto[];
 }
 
 export class EmailSummaryResponseDto {
diff --git a/src/modules/email/email.types.ts b/src/modules/email/email.types.ts
index 910466a..1008f6c 100644
--- a/src/modules/email/email.types.ts
+++ b/src/modules/email/email.types.ts
@@ -23,7 +23,7 @@ export interface Mailbox {
 export interface EncryptedSummaryFields {
   encryptedPreview: string;
   wrappedKeys: EncryptedWrappedKey[];
-  attachmentWrappedKey?: EncryptedWrappedKey;
+  attachmentWrappedKeys?: EncryptedWrappedKey[];
 }
 
 export interface EmailSummary {
@@ -78,7 +78,7 @@ export interface EncryptionBlock {
   encryptedPreview: string;
   encryptedText: string;
   wrappedKeys: EncryptedWrappedKey[];
-  attachmentWrappedKey?: EncryptedWrappedKey;
+  attachmentWrappedKeys?: EncryptedWrappedKey[];
 }
 
 export interface SendEmailDto {