BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks

Phase 3 of the Rust migration: the Rust security bridge is now mandatory
and all TypeScript security fallback implementations have been removed.

- UnifiedEmailServer.start() throws if Rust bridge fails to start
- SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS)
- DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim()
- IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache
- DmarcVerifier keeps alignment logic (works with pre-computed results)
- DKIM signing via bridge.signDkim() in all 4 locations
- Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted)

dist_ts/mail/delivery/classes.emailsignjob.js

@@ -1,4 +1,5 @@
 import * as plugins from '../../plugins.js';
+import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';
 export class EmailSignJob {
     emailServerRef;
     jobOptions;
@@ -12,25 +13,14 @@ export class EmailSignJob {
     }
     async getSignatureHeader(emailMessage) {
         const privateKey = await this.loadPrivateKey();
-        const signResult = await plugins.dkimSign(emailMessage, {
-            signingDomain: this.jobOptions.domain,
+        const bridge = RustSecurityBridge.getInstance();
+        const signResult = await bridge.signDkim({
+            rawMessage: emailMessage,
+            domain: this.jobOptions.domain,
             selector: this.jobOptions.selector,
             privateKey,
-            canonicalization: 'relaxed/relaxed',
-            algorithm: 'rsa-sha256',
-            signTime: new Date(),
-            signatureData: [
-                {
-                    signingDomain: this.jobOptions.domain,
-                    selector: this.jobOptions.selector,
-                    privateKey,
-                    algorithm: 'rsa-sha256',
-                    canonicalization: 'relaxed/relaxed',
-                },
-            ],
         });
-        const signature = signResult.signatures;
-        return signature;
+        return signResult.header;
     }
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5lbWFpbHNpZ25qb2IuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9tYWlsL2RlbGl2ZXJ5L2NsYXNzZXMuZW1haWxzaWduam9iLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxPQUFPLE1BQU0sa0JBQWtCLENBQUM7QUFjNUMsTUFBTSxPQUFPLFlBQVk7SUFDdkIsY0FBYyxDQUFxQjtJQUNuQyxVQUFVLENBQXVCO0lBRWpDLFlBQVksY0FBa0MsRUFBRSxPQUE2QjtRQUMzRSxJQUFJLENBQUMsY0FBYyxHQUFHLGNBQWMsQ0FBQztRQUNyQyxJQUFJLENBQUMsVUFBVSxHQUFHLE9BQU8sQ0FBQztJQUM1QixDQUFDO0lBRUQsS0FBSyxDQUFDLGNBQWM7UUFDbEIsTUFBTSxPQUFPLEdBQUcsTUFBTSxJQUFJLENBQUMsY0FBYyxDQUFDLFdBQVcsQ0FBQyxZQUFZLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUMzRixPQUFPLE9BQU8sQ0FBQyxVQUFVLENBQUM7SUFDNUIsQ0FBQztJQUVNLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxZQUFvQjtRQUNsRCxNQUFNLFVBQVUsR0FBRyxNQUFNLElBQUksQ0FBQyxjQUFjLEVBQUUsQ0FBQztRQUMvQyxNQUFNLFVBQVUsR0FBRyxNQUFNLE9BQU8sQ0FBQyxRQUFRLENBQUMsWUFBWSxFQUFFO1lBQ3RELGFBQWEsRUFBRSxJQUFJLENBQUMsVUFBVSxDQUFDLE1BQU07WUFDckMsUUFBUSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsUUFBUTtZQUNsQyxVQUFVO1lBQ1YsZ0JBQWdCLEVBQUUsaUJBQWlCO1lBQ25DLFNBQVMsRUFBRSxZQUFZO1lBQ3ZCLFFBQVEsRUFBRSxJQUFJLElBQUksRUFBRTtZQUNwQixhQUFhLEVBQUU7Z0JBQ2I7b0JBQ0UsYUFBYSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsTUFBTTtvQkFDckMsUUFBUSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsUUFBUTtvQkFDbEMsVUFBVTtvQkFDVixTQUFTLEVBQUUsWUFBWTtvQkFDdkIsZ0JBQWdCLEVBQUUsaUJBQWlCO2lCQUNwQzthQUNGO1NBQ0YsQ0FBQyxDQUFDO1FBQ0gsTUFBTSxTQUFTLEdBQUcsVUFBVSxDQUFDLFVBQVUsQ0FBQztRQUN4QyxPQUFPLFNBQVMsQ0FBQztJQUNuQixDQUFDO0NBQ0YifQ==
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5lbWFpbHNpZ25qb2IuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9tYWlsL2RlbGl2ZXJ5L2NsYXNzZXMuZW1haWxzaWduam9iLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxPQUFPLE1BQU0sa0JBQWtCLENBQUM7QUFFNUMsT0FBTyxFQUFFLGtCQUFrQixFQUFFLE1BQU0sOENBQThDLENBQUM7QUFhbEYsTUFBTSxPQUFPLFlBQVk7SUFDdkIsY0FBYyxDQUFxQjtJQUNuQyxVQUFVLENBQXVCO0lBRWpDLFlBQVksY0FBa0MsRUFBRSxPQUE2QjtRQUMzRSxJQUFJLENBQUMsY0FBYyxHQUFHLGNBQWMsQ0FBQztRQUNyQyxJQUFJLENBQUMsVUFBVSxHQUFHLE9BQU8sQ0FBQztJQUM1QixDQUFDO0lBRUQsS0FBSyxDQUFDLGNBQWM7UUFDbEIsTUFBTSxPQUFPLEdBQUcsTUFBTSxJQUFJLENBQUMsY0FBYyxDQUFDLFdBQVcsQ0FBQyxZQUFZLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUMzRixPQUFPLE9BQU8sQ0FBQyxVQUFVLENBQUM7SUFDNUIsQ0FBQztJQUVNLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxZQUFvQjtRQUNsRCxNQUFNLFVBQVUsR0FBRyxNQUFNLElBQUksQ0FBQyxjQUFjLEVBQUUsQ0FBQztRQUMvQyxNQUFNLE1BQU0sR0FBRyxrQkFBa0IsQ0FBQyxXQUFXLEVBQUUsQ0FBQztRQUNoRCxNQUFNLFVBQVUsR0FBRyxNQUFNLE1BQU0sQ0FBQyxRQUFRLENBQUM7WUFDdkMsVUFBVSxFQUFFLFlBQVk7WUFDeEIsTUFBTSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsTUFBTTtZQUM5QixRQUFRLEVBQUUsSUFBSSxDQUFDLFVBQVUsQ0FBQyxRQUFRO1lBQ2xDLFVBQVU7U0FDWCxDQUFDLENBQUM7UUFDSCxPQUFPLFVBQVUsQ0FBQyxNQUFNLENBQUM7SUFDM0IsQ0FBQztDQUNGIn0=

dist_ts/mail/security/classes.dkimverifier.d.ts

@@ -11,36 +11,19 @@ export interface IDkimVerificationResult {
     signatureFields?: Record<string, string>;
 }
 /**
- * Enhanced DKIM verifier using smartmail capabilities
+ * DKIM verifier — delegates to the Rust security bridge.
  */
 export declare class DKIMVerifier {
-    private verificationCache;
-    private cacheTtl;
     constructor();
     /**
-     * Verify DKIM signature for an email
-     * @param emailData The raw email data
-     * @param options Verification options
-     * @returns Verification result
+     * Verify DKIM signature for an email via Rust bridge
      */
     verify(emailData: string, options?: {
         useCache?: boolean;
         returnDetails?: boolean;
     }): Promise<IDkimVerificationResult>;
-    /**
-     * Fetch DKIM public key from DNS
-     * @param domain The domain
-     * @param selector The DKIM selector
-     * @returns The DKIM public key or null if not found
-     */
-    private fetchDkimKey;
-    /**
-     * Clear the verification cache
-     */
+    /** No-op — Rust bridge handles its own caching */
     clearCache(): void;
-    /**
-     * Get the size of the verification cache
-     * @returns Number of cached items
-     */
+    /** Always 0 — cache is managed by the Rust side */
     getCacheSize(): number;
 }

dist_ts/mail/security/classes.spfverifier.d.ts

@@ -50,54 +50,22 @@ export interface SpfResult {
     error?: string;
 }
 /**
- * Class for verifying SPF records
+ * Class for verifying SPF records.
+ * Delegates actual SPF evaluation to the Rust security bridge.
+ * Retains parseSpfRecord() for lightweight local parsing.
  */
 export declare class SpfVerifier {
-    private dnsManager?;
-    private lookupCount;
-    constructor(dnsManager?: any);
+    constructor(_dnsManager?: any);
     /**
-     * Parse SPF record from TXT record
-     * @param record SPF TXT record
-     * @returns Parsed SPF record or null if invalid
+     * Parse SPF record from TXT record (pure string parsing, no DNS)
      */
     parseSpfRecord(record: string): SpfRecord | null;
     /**
-     * Check if IP is in CIDR range
-     * @param ip IP address to check
-     * @param cidr CIDR range
-     * @returns Whether the IP is in the CIDR range
-     */
-    private isIpInCidr;
-    /**
-     * Check if a domain has the specified IP in its A or AAAA records
-     * @param domain Domain to check
-     * @param ip IP address to check
-     * @returns Whether the domain resolves to the IP
-     */
-    private isDomainResolvingToIp;
-    /**
-     * Verify SPF for a given email with IP and helo domain
-     * @param email Email to verify
-     * @param ip Sender IP address
-     * @param heloDomain HELO/EHLO domain used by sender
-     * @returns SPF verification result
+     * Verify SPF for a given email — delegates to Rust bridge
      */
     verify(email: Email, ip: string, heloDomain: string): Promise<SpfResult>;
     /**
-     * Check SPF record against IP address
-     * @param spfRecord Parsed SPF record
-     * @param domain Domain being checked
-     * @param ip IP address to check
-     * @returns SPF result
-     */
-    private checkSpfRecord;
-    /**
-     * Check if email passes SPF verification
-     * @param email Email to verify
-     * @param ip Sender IP address
-     * @param heloDomain HELO/EHLO domain used by sender
-     * @returns Whether email passes SPF
+     * Check if email passes SPF verification and apply headers
      */
     verifyAndApply(email: Email, ip: string, heloDomain: string): Promise<boolean>;
 }