feat(v1.1.7-email-outbound): SMTP send/send_html

Outbound email reachable from scripts as email::send(#{...}) (plain
text) and email::send_html(#{...}) (multipart text + HTML). Backed by a
lettre SMTP relay configured from PICLOUD_SMTP_HOST/PORT/USER/PASSWORD/
TLS/TIMEOUT_SECS; if HOST/USER/PASSWORD aren't all set the service runs
in disabled mode (every send throws NotConfigured, warned at startup).

- EmailService trait + OutboundEmail DTO (picloud-shared);
  EmailServiceImpl + EmailTransport seam + lettre transport
  (manager-core), wired into the Services bundle and Rhai engine.
- Capability::AppEmailSend (→ script:write); seven-scope commitment held.
- Required-field + RFC5322-ish address validation; 25 MB per-message cap
  (PICLOUD_EMAIL_MAX_MESSAGE_BYTES). reply_to defaults to from.
- Per-call connection (pooling deferred to v1.2); no per-app from
  validation (operator's SMTP/SPF/DKIM concern).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

crates/picloud/src/lib.rs

@@ -17,8 +17,8 @@ use picloud_manager_core::{
     AdminState, AdminUserRepository, AdminsState, ApiKeyRepository, ApiKeysState,
     AppDomainRepository, AppMembersRepository, AppMembersState, AppRepository, AppsState,
     AuthState, AuthzRepo, DeadLetterRepo, DeadLettersState, Dispatcher, DocsServiceImpl,
-    FilesAdminState, FilesConfig, FilesServiceImpl, FsFilesRepo, HttpConfig, HttpServiceImpl,
-    KvServiceImpl, OutboxEventEmitter, OutboxRepo, PostgresAbandonedRepo,
+    EmailServiceImpl, FilesAdminState, FilesConfig, FilesServiceImpl, FsFilesRepo, HttpConfig,
+    HttpServiceImpl, KvServiceImpl, OutboxEventEmitter, OutboxRepo, PostgresAbandonedRepo,
     PostgresAdminSessionRepository, PostgresAdminUserRepository, PostgresApiKeyRepository,
     PostgresAppDomainRepository, PostgresAppMembersRepository, PostgresAppRepository,
     PostgresAppSecretsRepo, PostgresDeadLetterRepo, PostgresDeadLetterService, PostgresDocsRepo,
@@ -36,10 +36,10 @@ use picloud_orchestrator_core::{
     ExecutionGate, InProcessBroadcaster, InboxRegistry, LocalExecutorClient, RealtimeState,
 };
 use picloud_shared::{
-    DeadLetterService, DocsService, ExecutionLogSink, FilesService, HttpService, InboxResolver,
-    KvService, MasterKey, OutboxWriter, PubsubService, RealtimeAuthority, RealtimeBroadcaster,
-    ScriptValidator, SecretsService, ServiceEventEmitter, Services, API_VERSION, PRODUCT_VERSION,
-    SDK_VERSION, WIRE_VERSION,
+    DeadLetterService, DocsService, EmailService, ExecutionLogSink, FilesService, HttpService,
+    InboxResolver, KvService, MasterKey, OutboxWriter, PubsubService, RealtimeAuthority,
+    RealtimeBroadcaster, ScriptValidator, SecretsService, ServiceEventEmitter, Services,
+    API_VERSION, PRODUCT_VERSION, SDK_VERSION, WIRE_VERSION,
 };
 use sqlx::postgres::PgPoolOptions;
 use sqlx::PgPool;
@@ -222,6 +222,9 @@ pub async fn build_app(
         master_key.clone(),
         secrets_config,
     ));
+    // v1.1.7 outbound email. Builds a lettre SMTP transport from
+    // PICLOUD_SMTP_* env (disabled mode + warning if unconfigured).
+    let email: Arc<dyn EmailService> = Arc::new(EmailServiceImpl::from_env(authz.clone()));
     let services = Services::new(
         kv,
         docs,
@@ -232,6 +235,7 @@ pub async fn build_app(
         files,
         pubsub,
         secrets,
+        email,
     );
     let engine = Arc::new(Engine::new(Limits::default(), services));