BREAKING CHANGE(rust-bridge): make Rust the primary security backend, remove all TS fallbacks

Phase 3 of the Rust migration: the Rust security bridge is now mandatory
and all TypeScript security fallback implementations have been removed.

- UnifiedEmailServer.start() throws if Rust bridge fails to start
- SpfVerifier gutted to thin wrapper (parseSpfRecord stays in TS)
- DKIMVerifier gutted to thin wrapper delegating to bridge.verifyDkim()
- IPReputationChecker delegates to bridge.checkIpReputation(), keeps LRU cache
- DmarcVerifier keeps alignment logic (works with pre-computed results)
- DKIM signing via bridge.signDkim() in all 4 locations
- Removed mailauth and ip packages from plugins.ts (~1,200 lines deleted)

ts/mail/delivery/classes.smtp.client.legacy.ts

@@ -1,10 +1,11 @@
 import * as plugins from '../../plugins.js';
 import { logger } from '../../logger.js';
-import { 
-  SecurityLogger, 
-  SecurityLogLevel, 
-  SecurityEventType 
+import {
+  SecurityLogger,
+  SecurityLogLevel,
+  SecurityEventType
 } from '../../security/index.js';
+import { RustSecurityBridge } from '../../security/classes.rustsecuritybridge.js';
 
 import { 
   MtaConnectionError, 
@@ -844,42 +845,22 @@ export class SmtpClient {
     
     try {
       logger.log('debug', `Signing email with DKIM for domain ${this.options.dkim.domain}`);
-      
-      // Format email for DKIM signing
-      const { dkimSign } = plugins;
+
       const emailContent = await this.getFormattedEmail(email);
-      
-      // Sign email
-      const signOptions = {
-        signingDomain: this.options.dkim.domain,
+
+      // Sign via Rust bridge
+      const bridge = RustSecurityBridge.getInstance();
+      const signResult = await bridge.signDkim({
+        rawMessage: emailContent,
+        domain: this.options.dkim.domain,
         selector: this.options.dkim.selector,
         privateKey: this.options.dkim.privateKey,
-        canonicalization: 'relaxed/relaxed' as const,
-        algorithm: 'rsa-sha256' as const,
-        signTime: new Date(),
-        signatureData: [
-          {
-            signingDomain: this.options.dkim.domain,
-            selector: this.options.dkim.selector,
-            privateKey: this.options.dkim.privateKey,
-            algorithm: 'rsa-sha256',
-            canonicalization: 'relaxed/relaxed',
-          }
-        ]
-      };
+      });
 
-      const signResult = await dkimSign(emailContent, signOptions);
-
-      // Add DKIM-Signature header from the signing result
-      if (signResult.signatures) {
-        const dkimHeader = signResult.signatures.split('\r\n')
-          .find(line => line.startsWith('DKIM-Signature: '));
-
-        if (dkimHeader) {
-          email.addHeader('DKIM-Signature', dkimHeader.substring('DKIM-Signature: '.length));
-        }
+      if (signResult.header) {
+        email.addHeader('DKIM-Signature', signResult.header);
       }
-      
+
       logger.log('debug', 'DKIM signature applied successfully');
     } catch (error) {
       logger.log('error', `Failed to apply DKIM signature: ${error.message}`);