feat(v1.1.7-email-outbound): SMTP send/send_html

Outbound email reachable from scripts as email::send(#{...}) (plain
text) and email::send_html(#{...}) (multipart text + HTML). Backed by a
lettre SMTP relay configured from PICLOUD_SMTP_HOST/PORT/USER/PASSWORD/
TLS/TIMEOUT_SECS; if HOST/USER/PASSWORD aren't all set the service runs
in disabled mode (every send throws NotConfigured, warned at startup).

- EmailService trait + OutboundEmail DTO (picloud-shared);
  EmailServiceImpl + EmailTransport seam + lettre transport
  (manager-core), wired into the Services bundle and Rhai engine.
- Capability::AppEmailSend (→ script:write); seven-scope commitment held.
- Required-field + RFC5322-ish address validation; 25 MB per-message cap
  (PICLOUD_EMAIL_MAX_MESSAGE_BYTES). reply_to defaults to from.
- Per-call connection (pooling deferred to v1.2); no per-app from
  validation (operator's SMTP/SPF/DKIM concern).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
MechaCat02
2026-06-04 21:47:46 +02:00
parent 2d11090d1a
commit 8f2d2bc721
21 changed files with 1120 additions and 13 deletions

@@ -97,6 +97,10 @@ pub enum Capability {
/// Write (set/delete) a secret in this app's secrets store (v1.1.7).
/// Granted to `editor`+, maps to `script:write` on API keys.
AppSecretsWrite(AppId),
/// Send an outbound email from a script in this app (v1.1.7). Maps
/// to `script:write` on API keys (sending mail is an outbound
/// side-effect like an HTTP request). Granted to `editor`+.
AppEmailSend(AppId),
/// Create / list / delete triggers for this app (v1.1.1). Maps to
/// `app:admin` on API keys — triggers are app-configuration acts
/// rather than data-plane access. Granted to `app_admin`+.
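Review bot: the doc comment on AppEmailSend likens sending mail to an HTTP request, but the commit message says there is no per-app from validation, so any `editor` or `script:write` key can send with whatever sender address the relay accepts. State that in this doc comment, or point to where the operator's SPF/DKIM responsibility is documented, so whoever grants `editor` knows it includes sending mail through the operator's relay.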
@@ -138,6 +142,7 @@ impl Capability {
| Self::AppPubsubPublish(id)
| Self::AppSecretsRead(id)
| Self::AppSecretsWrite(id)
| Self::AppEmailSend(id)
| Self::AppManageTriggers(id)
| Self::AppDeadLetterManage(id)
| Self::AppTopicManage(id) => Some(id),
@@ -166,7 +171,8 @@ impl Capability {
| Self::AppHttpRequest(_)
| Self::AppFilesWrite(_)
| Self::AppPubsubPublish(_)
| Self::AppSecretsWrite(_) => Scope::ScriptWrite,
| Self::AppSecretsWrite(_)
| Self::AppEmailSend(_) => Scope::ScriptWrite,
Self::AppWriteRoute(_) => Scope::RouteWrite,
Self::AppManageDomains(_) => Scope::DomainManage,
Self::AppAdmin(_)
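Review bot: putting AppEmailSend in the Scope::ScriptWrite arm means every API key that already holds `script:write` gains email sending as soon as the relay is configured, with no re-issue or opt-in. That widening belongs in the release notes, and a test pinning `Self::AppEmailSend(_) => Scope::ScriptWrite` would make any later change to the mapping a deliberate one.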
@@ -330,6 +336,7 @@ const fn role_satisfies(role: AppRole, cap: Capability) -> bool {
| Capability::AppFilesWrite(_)
| Capability::AppPubsubPublish(_)
| Capability::AppSecretsWrite(_)
| Capability::AppEmailSend(_)
);
let in_app_admin = in_editor
|| matches!(
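Review bot: AppEmailSend is added to the in_editor matches! list, which agrees with the "Granted to `editor`+" doc comment, but nothing in this hunk guards the lower bound. A role test asserting that a role below `editor` fails role_satisfies for AppEmailSend and that `editor` passes would keep the comment and the match list in step.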