Skip to content

docs(email): add public email-setup walkthrough + reclassify hook regex#28

Merged
MrChengLen merged 1 commit into
mainfrom
pr-audit-email-setup-doc
May 11, 2026
Merged

docs(email): add public email-setup walkthrough + reclassify hook regex#28
MrChengLen merged 1 commit into
mainfrom
pr-audit-email-setup-doc

Conversation

@MrChengLen
Copy link
Copy Markdown
Owner

@MrChengLen MrChengLen commented May 11, 2026

Closes audit gap H6: until now, public docs mentioned SMTP_* envs but gave no guided walkthrough for picking a provider, choosing a port/TLS mode, or understanding what happens when SMTP is unconfigured. A self-hoster wiring up password-reset + email-verification had to piece it together from .env.example + scattered references in installation.md, self-hosting.md, and api-reference.md.

Doc content (docs/email-setup.md, NEW)

  • Which features need SMTP (with their token TTLs and graceful-503 fallbacks when SMTP_HOST is empty)
  • Full env-var matrix with one-line meanings
  • Port 587 (STARTTLS) vs 465 (SMTPS) — incl. the egress-block pitfall some cloud hosts apply to 465
  • Three deployment-agnostic walkthroughs: transactional ESP, mailbox-provider SMTP, self-hosted relay
  • Verification curl + four troubleshooting checks (app log, SPF/DKIM/DMARC, sandbox mode, port reachability)
  • DSGVO note: SMTP relay = sub-processor; update privacy disclosure

The page is deployment-agnostic by design — no operator-specific provider, no hardcoded domain, every example value is a placeholder. Cross-links land in installation.md (env-var step) and self-hosting.md (auth-flows section), so the discovery path is "Cloud Edition setup -> SMTP -> read this doc". Also dropped a stray operator-domain reference in self-hosting.md that the soft scope-review flagged.

Hook regex update (.githooks/pre-commit + pre-push) ---------------------------------------------------

  • ALLOW_RE: added docs/email-setup.md so the placeholder credential lines in the new doc don't trip the content scanner.
  • INTERNAL_PATHS: removed email-setup (was previously assumed to be ops-internal). The new public version supersedes that classification.

Both regexes are kept in sync between pre-commit and pre-push (the H4 drift-check test asserts this). H4 regression test updated to match the new state (1 case added to allowlist, 1 removed from internal-paths, 1 added to public-docs negative test). 61 cases pass (was 60).

Verification

pytest tests/test_hook_allowlist_regression.py -> 61 passed
pytest tests/ -> no regressions expected (doc-only + hook regex)
All cross-link targets exist

@MrChengLen
docs(email): add public email-setup walkthrough + reclassify hook regex
aa043d7 
Closes audit gap H6: until now, public docs mentioned `SMTP_*` envs but
gave no guided walkthrough for picking a provider, choosing a port/TLS
mode, or understanding what happens when SMTP is unconfigured. A
self-hoster wiring up password-reset + email-verification had to piece
it together from .env.example + scattered references in
installation.md, self-hosting.md, and api-reference.md.

Doc content (docs/email-setup.md, NEW)
--------------------------------------
  - Which features need SMTP (with their token TTLs and graceful-503
    fallbacks when SMTP_HOST is empty)
  - Full env-var matrix with one-line meanings
  - Port 587 (STARTTLS) vs 465 (SMTPS) — incl. the egress-block
    pitfall some cloud hosts apply to 465
  - Three deployment-agnostic walkthroughs: transactional ESP,
    mailbox-provider SMTP, self-hosted relay
  - Verification curl + four troubleshooting checks (app log,
    SPF/DKIM/DMARC, sandbox mode, port reachability)
  - DSGVO note: SMTP relay = sub-processor; update privacy disclosure

The page is deployment-agnostic by design — no operator-specific
provider, no hardcoded domain, every example value is a placeholder.
Cross-links land in installation.md (env-var step) and self-hosting.md
(auth-flows section), so the discovery path is "Cloud Edition setup ->
SMTP -> read this doc". Also dropped a stray operator-domain reference
in self-hosting.md that the soft scope-review flagged.

Hook regex update (.githooks/pre-commit + pre-push)
---------------------------------------------------
  - ALLOW_RE: added docs/email-setup.md so the placeholder credential
    lines in the new doc don't trip the content scanner.
  - INTERNAL_PATHS: removed email-setup (was previously assumed to
    be ops-internal). The new public version supersedes that
    classification.

Both regexes are kept in sync between pre-commit and pre-push (the H4
drift-check test asserts this). H4 regression test updated to match the
new state (1 case added to allowlist, 1 removed from internal-paths,
1 added to public-docs negative test). 61 cases pass (was 60).

Verification
------------
  pytest tests/test_hook_allowlist_regression.py -> 61 passed
  pytest tests/ -> no regressions expected (doc-only + hook regex)
  All cross-link targets exist
@MrChengLen MrChengLen merged commit 714fe4b into main May 11, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MrChengLen