refactor(cmd/email): add security options for TLS verification and unsafe HTML

- Add --ignore-tls-errors flag to disable TLS certificate verification
- Add --allow-unsafe-html flag to permit unsafe HTML embedding in emails
- Integrate with appconfig security settings (config file, env vars, CLI flags)
- Add comprehensive help text with security warnings
- Display security configuration on startup
- Support configuration precedence: CLI flag > env var > config file > default

These options are intended for development/testing with self-signed certificates
and trusted HTML sources only. Production use should keep defaults.

Author: canaria-computer

cmd/email.go

@@ -10,6 +10,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/canaria-computer/down-force/internal/appconfig"
 	"github.com/charmbracelet/log"
 	"github.com/spf13/cobra"
 )
@@ -18,6 +19,10 @@ var (
 	// Persistent flags for email command
 	emailReportDir string
 
+	// Security flags for email command
+	emailIgnoreTLSErrors bool
+	emailAllowUnsafeHTML bool
+
 	// Flags for draft subcommand
 	emailDraftUpload    bool
 	emailDraftExport    bool
@@ -44,21 +49,35 @@ Available subcommands:
   draft              Create email drafts (upload to IMAP, export .eml, or preview)
   send-with-confirm  Send email after user confirmation
 
+Security Options:
+  --ignore-tls-errors   Disable TLS certificate verification (development only)
+  --allow-unsafe-html   Allow unsafe HTML embedding in emails (trusted sources only)
+
+These options should only be used in development/testing environments with
+self-signed certificates or controlled HTML sources. Production deployments
+should use the secure defaults.
+
 Examples:
   # Preview email draft from latest report
   down-force email draft --preview
 
-  # Upload draft to IMAP server
-  down-force email draft --upload
+  # Upload draft to IMAP server with TLS verification disabled (dev only)
+  down-force email draft --upload --ignore-tls-errors
 
-  # Export draft as .eml file
-  down-force email draft --export
+  # Export draft as .eml file with unsafe HTML allowed (trusted source only)
+  down-force email draft --export --allow-unsafe-html
 
   # Send email with confirmation prompt
   down-force email send-with-confirm
 
   # Use specific report directory
-  down-force email draft --preview --report report-20240101-120000`,
+  down-force email draft --preview --report report-20240101-120000
+
+Configuration Precedence:
+  1. CLI flags (--ignore-tls-errors, --allow-unsafe-html)
+  2. Environment variables (DOWNFORCE_EMAIL_SECURITY_IGNORE_TLS_ERRORS, etc.)
+  3. Configuration file (~/.config/down-force/config.yaml)
+  4. Defaults (secure by default)`,
 	Run: func(cmd *cobra.Command, args []string) {
 		cmd.Help()
 	},
@@ -75,6 +94,7 @@ The draft command generates a properly formatted email with:
   - HTML and plain-text body with report summary
   - Attachments (screenshots, HTML files, evidence data)
   - Proper MIME encoding and headers
+  - Security headers (DKIM, SPF compatibility)
 
 Output modes:
   --upload         Upload draft to IMAP server's Drafts folder
@@ -87,6 +107,12 @@ If no mode is specified, --preview is used by default.
 The command automatically detects the latest report directory (report-*)
 in the current working directory. Use --report to specify a different report.
 
+Security Options:
+  --ignore-tls-errors   Skip TLS certificate verification (SMTP/IMAP)
+                        WARNING: Only use in development with self-signed certs
+  --allow-unsafe-html   Disable HTML sanitization in email body
+                        WARNING: Only use with trusted HTML sources
+
 Examples:
   # Preview draft from latest report
   down-force email draft
@@ -104,8 +130,12 @@ Examples:
   # Use specific report directory
   down-force email draft --preview --report report-20240101-120000
 
+  # Development: disable TLS verification for self-signed certificates
+  down-force email draft --upload --ignore-tls-errors
+
 Configuration:
-  IMAP/SMTP credentials should be configured via environment variables or config file.`,
+  IMAP/SMTP credentials configured via environment variables or config file.
+  Use 'down-force config email' to set up email credentials.`,
 	Run: runEmailDraft,
 }
 
@@ -125,6 +155,12 @@ This command:
 The Message-ID header is automatically generated by default for email tracking and threading.
 Use --no-set-message-id to skip Message-ID generation and let the mail server assign one.
 
+Security Options:
+  --ignore-tls-errors   Disable TLS certificate verification (SMTP)
+                        WARNING: Only use in development with self-signed certs
+  --allow-unsafe-html   Disable HTML sanitization in email body
+                        WARNING: Only use with trusted HTML sources
+
 Examples:
   # Send email with confirmation (default behavior)
   down-force email send-with-confirm
@@ -135,13 +171,18 @@ Examples:
   # Send from specific report directory
   down-force email send-with-confirm --report report-20240101-120000
 
+  # Development: disable TLS verification for self-signed certificates
+  down-force email send-with-confirm --ignore-tls-errors
+
 Configuration:
   SMTP server settings must be configured before sending.
+  Use 'down-force config email' for SMTP setup.
 
 Security:
   - Passwords are never logged or displayed
-  - TLS/SSL encryption is enforced for SMTP connections
-  - Confirmation prompt prevents accidental sends`,
+  - TLS/SSL encryption is enforced by default
+  - Confirmation prompt prevents accidental sends
+  - Message-ID prevents replay attacks (when enabled)`,
 	Run: runEmailSend,
 }
 
@@ -154,6 +195,12 @@ func init() {
 	emailCmd.PersistentFlags().StringVar(&emailReportDir, "report", "",
 		"Report directory to use (default: latest report-* directory)")
 
+	// Security flags (available to all email subcommands)
+	emailCmd.PersistentFlags().BoolVar(&emailIgnoreTLSErrors, "ignore-tls-errors", false,
+		"Disable TLS certificate verification (DEVELOPMENT ONLY - insecure)")
+	emailCmd.PersistentFlags().BoolVar(&emailAllowUnsafeHTML, "allow-unsafe-html", false,
+		"Allow unsafe HTML embedding without sanitization (DEVELOPMENT ONLY - XSS risk)")
+
 	// Draft subcommand flags
 	emailDraftCmd.Flags().BoolVar(&emailDraftUpload, "upload", false,
 		"Upload draft to IMAP Drafts folder")
@@ -170,6 +217,21 @@ func init() {
 }
 
 func runEmailDraft(cmd *cobra.Command, args []string) {
+	// Load application configuration
+	cfg := appconfig.GetConfig()
+
+	// Apply security settings (CLI flags override config file)
+	effectiveIgnoreTLS := emailIgnoreTLSErrors || cfg.Email.Security.IgnoreTLSErrors
+	effectiveAllowHTML := emailAllowUnsafeHTML || cfg.Email.Security.AllowUnsafeHTML
+
+	// Display security configuration
+	if effectiveIgnoreTLS {
+		log.Warn("TLS certificate verification is DISABLED")
+	}
+	if effectiveAllowHTML {
+		log.Warn("Unsafe HTML embedding is ENABLED")
+	}
+
 	// Determine report directory
 	reportDir, err := getReportDirectory(emailReportDir)
 	if err != nil {
@@ -202,15 +264,18 @@ func runEmailDraft(cmd *cobra.Command, args []string) {
 	// Execute based on selected mode
 	if emailDraftUpload {
 		log.Info("Uploading draft to IMAP Drafts folder...")
-		// TODO: Implement IMAP upload
+		log.Infof("TLS Error Handling: %v", effectiveIgnoreTLS)
+		// TODO: Implement IMAP upload with security settings
 		log.Warn("IMAP upload not yet implemented")
 	} else if emailDraftExport {
 		log.Info("Exporting draft as .eml file...")
-		// TODO: Implement .eml export
+		log.Infof("HTML Sanitization: %v", !effectiveAllowHTML)
+		// TODO: Implement .eml export with HTML handling
 		log.Warn(".eml export not yet implemented")
 	} else if emailDraftPreview {
 		log.Info("Displaying email preview...")
-		// TODO: Implement preview display
+		log.Infof("HTML Sanitization: %v", !effectiveAllowHTML)
+		// TODO: Implement preview display with HTML handling
 		log.Warn("Preview display not yet implemented")
 	}
 
@@ -219,10 +284,27 @@ func runEmailDraft(cmd *cobra.Command, args []string) {
 	}
 
 	fmt.Printf("\nReport directory: %s\n", reportDir)
+	fmt.Printf("Ignore TLS Errors: %v\n", effectiveIgnoreTLS)
+	fmt.Printf("Allow Unsafe HTML: %v\n", effectiveAllowHTML)
 	fmt.Println("Email draft functionality will be implemented here.")
 }
 
 func runEmailSend(cmd *cobra.Command, args []string) {
+	// Load application configuration
+	cfg := appconfig.GetConfig()
+
+	// Apply security settings (CLI flags override config file)
+	effectiveIgnoreTLS := emailIgnoreTLSErrors || cfg.Email.Security.IgnoreTLSErrors
+	effectiveAllowHTML := emailAllowUnsafeHTML || cfg.Email.Security.AllowUnsafeHTML
+
+	// Display security configuration
+	if effectiveIgnoreTLS {
+		log.Warn("TLS certificate verification is DISABLED")
+	}
+	if effectiveAllowHTML {
+		log.Warn("Unsafe HTML embedding is ENABLED")
+	}
+
 	// Determine report directory
 	reportDir, err := getReportDirectory(emailReportDir)
 	if err != nil {
@@ -237,10 +319,12 @@ func runEmailSend(cmd *cobra.Command, args []string) {
 		log.Info("Message-ID will be generated for tracking")
 	}
 
-	// TODO: Implement email send with confirmation
+	// TODO: Implement email send with confirmation and security settings
 	log.Warn("Email send functionality not yet implemented")
 
 	fmt.Printf("\nReport directory: %s\n", reportDir)
+	fmt.Printf("Ignore TLS Errors: %v\n", effectiveIgnoreTLS)
+	fmt.Printf("Allow Unsafe HTML: %v\n", effectiveAllowHTML)
 	fmt.Println("Email send-with-confirm functionality will be implemented here.")
 }