BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks

Phase 3 of the Rust migration: the Rust security bridge is now mandatory
and all TypeScript security fallback implementations have been removed.

- UnifiedEmailServer.start() throws if Rust bridge fails to start
- SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS)
- DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim()
- IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache
- DmarcVerifier keeps alignment logic (works with pre-computed results)
- DKIM signing via bridge.signDkim() in all 4 locations
- Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted)

dist_ts/mail/security/classes.dkimverifier.d.ts

@@ -11,36 +11,19 @@ export interface IDkimVerificationResult {
     signatureFields?: Record<string, string>;
 }
 /**
- * Enhanced DKIM verifier using smartmail capabilities
+ * DKIM verifier — delegates to the Rust security bridge.
  */
 export declare class DKIMVerifier {
-    private verificationCache;
-    private cacheTtl;
     constructor();
     /**
-     * Verify DKIM signature for an email
-     * @param emailData The raw email data
-     * @param options Verification options
-     * @returns Verification result
+     * Verify DKIM signature for an email via Rust bridge
      */
     verify(emailData: string, options?: {
         useCache?: boolean;
         returnDetails?: boolean;
     }): Promise<IDkimVerificationResult>;
-    /**
-     * Fetch DKIM public key from DNS
-     * @param domain The domain
-     * @param selector The DKIM selector
-     * @returns The DKIM public key or null if not found
-     */
-    private fetchDkimKey;
-    /**
-     * Clear the verification cache
-     */
+    /** No-op — Rust bridge handles its own caching */
     clearCache(): void;
-    /**
-     * Get the size of the verification cache
-     * @returns Number of cached items
-     */
+    /** Always 0 — cache is managed by the Rust side */
     getCacheSize(): number;
 }

dist_ts/mail/security/classes.spfverifier.d.ts

@@ -50,54 +50,22 @@ export interface SpfResult {
     error?: string;
 }
 /**
- * Class for verifying SPF records
+ * Class for verifying SPF records.
+ * Delegates actual SPF evaluation to the Rust security bridge.
+ * Retains parseSpfRecord() for lightweight local parsing.
  */
 export declare class SpfVerifier {
-    private dnsManager?;
-    private lookupCount;
-    constructor(dnsManager?: any);
+    constructor(_dnsManager?: any);
     /**
-     * Parse SPF record from TXT record
-     * @param record SPF TXT record
-     * @returns Parsed SPF record or null if invalid
+     * Parse SPF record from TXT record (pure string parsing, no DNS)
      */
     parseSpfRecord(record: string): SpfRecord | null;
     /**
-     * Check if IP is in CIDR range
-     * @param ip IP address to check
-     * @param cidr CIDR range
-     * @returns Whether the IP is in the CIDR range
-     */
-    private isIpInCidr;
-    /**
-     * Check if a domain has the specified IP in its A or AAAA records
-     * @param domain Domain to check
-     * @param ip IP address to check
-     * @returns Whether the domain resolves to the IP
-     */
-    private isDomainResolvingToIp;
-    /**
-     * Verify SPF for a given email with IP and helo domain
-     * @param email Email to verify
-     * @param ip Sender IP address
-     * @param heloDomain HELO/EHLO domain used by sender
-     * @returns SPF verification result
+     * Verify SPF for a given email — delegates to Rust bridge
      */
     verify(email: Email, ip: string, heloDomain: string): Promise<SpfResult>;
     /**
-     * Check SPF record against IP address
-     * @param spfRecord Parsed SPF record
-     * @param domain Domain being checked
-     * @param ip IP address to check
-     * @returns SPF result
-     */
-    private checkSpfRecord;
-    /**
-     * Check if email passes SPF verification
-     * @param email Email to verify
-     * @param ip Sender IP address
-     * @param heloDomain HELO/EHLO domain used by sender
-     * @returns Whether email passes SPF
+     * Check if email passes SPF verification and apply headers
      */
     verifyAndApply(email: Email, ip: string, heloDomain: string): Promise<boolean>;
 }