Dev1

.gitignore

@@ -102,4 +102,7 @@ $RECYCLE.BIN/
 
 # Application generated files
 evidence.yaml
-screenshot.*
+screenshot.*
+Report.md
+report.eml
+evidence.snapshot.yaml

cmd/email.go

@@ -10,14 +10,25 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/canaria-computer/down-force/internal/appconfig"
+	"github.com/canaria-computer/down-force/internal/email"
+	"github.com/charmbracelet/glamour"
 	"github.com/charmbracelet/log"
 	"github.com/spf13/cobra"
+	mail "github.com/xhit/go-simple-mail/v2"
 )
 
 var (
 	// Persistent flags for email command
 	emailReportDir string
 
+	// Security flags for email command
+	emailIgnoreTLSErrors bool
+	emailAllowUnsafeHTML bool
+
+	// IMAP timeout override flag
+	emailIMAPTimeout int
+
 	// Flags for draft subcommand
 	emailDraftUpload    bool
 	emailDraftExport    bool
@@ -44,23 +55,39 @@ Available subcommands:
   draft              Create email drafts (upload to IMAP, export .eml, or preview)
   send-with-confirm  Send email after user confirmation
 
+Security Options:
+  --ignore-tls-errors   Disable TLS certificate verification (development only)
+  --allow-unsafe-html   Allow unsafe HTML embedding in emails (trusted sources only)
+
+These options should only be used in development/testing environments with
+self-signed certificates or controlled HTML sources. Production deployments
+should use the secure defaults.
+
 Examples:
   # Preview email draft from latest report
   down-force email draft --preview
 
-  # Upload draft to IMAP server
-  down-force email draft --upload
+  # Upload draft to IMAP server with TLS verification disabled (dev only)
+  down-force email draft --upload --ignore-tls-errors
 
-  # Export draft as .eml file
-  down-force email draft --export
+  # Export draft as .eml file with unsafe HTML allowed (trusted source only)
+  down-force email draft --export --allow-unsafe-html
 
   # Send email with confirmation prompt
   down-force email send-with-confirm
 
   # Use specific report directory
-  down-force email draft --preview --report report-20240101-120000`,
+  down-force email draft --preview --report report-20240101-120000
+
+Configuration Precedence:
+  1. CLI flags (--ignore-tls-errors, --allow-unsafe-html)
+  2. Environment variables (DOWNFORCE_EMAIL_SECURITY_IGNORE_TLS_ERRORS, etc.)
+  3. Configuration file (~/.config/down-force/config.yaml)
+  4. Defaults (secure by default)`,
 	Run: func(cmd *cobra.Command, args []string) {
-		cmd.Help()
+		if err := cmd.Help(); err != nil {
+			log.Fatal("Failed to display help: %v", err)
+		}
 	},
 }
 
@@ -75,6 +102,7 @@ The draft command generates a properly formatted email with:
   - HTML and plain-text body with report summary
   - Attachments (screenshots, HTML files, evidence data)
   - Proper MIME encoding and headers
+  - Security headers (DKIM, SPF compatibility)
 
 Output modes:
   --upload         Upload draft to IMAP server's Drafts folder
@@ -87,6 +115,12 @@ If no mode is specified, --preview is used by default.
 The command automatically detects the latest report directory (report-*)
 in the current working directory. Use --report to specify a different report.
 
+Security Options:
+  --ignore-tls-errors   Skip TLS certificate verification (SMTP/IMAP)
+                        WARNING: Only use in development with self-signed certs
+  --allow-unsafe-html   Disable HTML sanitization in email body
+                        WARNING: Only use with trusted HTML sources
+
 Examples:
   # Preview draft from latest report
   down-force email draft
@@ -104,8 +138,12 @@ Examples:
   # Use specific report directory
   down-force email draft --preview --report report-20240101-120000
 
+  # Development: disable TLS verification for self-signed certificates
+  down-force email draft --upload --ignore-tls-errors
+
 Configuration:
-  IMAP/SMTP credentials should be configured via environment variables or config file.`,
+  IMAP/SMTP credentials configured via environment variables or config file.
+  Use 'down-force config email' to set up email credentials.`,
 	Run: runEmailDraft,
 }
 
@@ -125,6 +163,12 @@ This command:
 The Message-ID header is automatically generated by default for email tracking and threading.
 Use --no-set-message-id to skip Message-ID generation and let the mail server assign one.
 
+Security Options:
+  --ignore-tls-errors   Disable TLS certificate verification (SMTP)
+                        WARNING: Only use in development with self-signed certs
+  --allow-unsafe-html   Disable HTML sanitization in email body
+                        WARNING: Only use with trusted HTML sources
+
 Examples:
   # Send email with confirmation (default behavior)
   down-force email send-with-confirm
@@ -135,13 +179,18 @@ Examples:
   # Send from specific report directory
   down-force email send-with-confirm --report report-20240101-120000
 
+  # Development: disable TLS verification for self-signed certificates
+  down-force email send-with-confirm --ignore-tls-errors
+
 Configuration:
   SMTP server settings must be configured before sending.
+  Use 'down-force config email' for SMTP setup.
 
 Security:
   - Passwords are never logged or displayed
-  - TLS/SSL encryption is enforced for SMTP connections
-  - Confirmation prompt prevents accidental sends`,
+  - TLS/SSL encryption is enforced by default
+  - Confirmation prompt prevents accidental sends
+  - Message-ID prevents replay attacks (when enabled)`,
 	Run: runEmailSend,
 }
 
@@ -154,6 +203,16 @@ func init() {
 	emailCmd.PersistentFlags().StringVar(&emailReportDir, "report", "",
 		"Report directory to use (default: latest report-* directory)")
 
+	// Security flags (available to all email subcommands)
+	emailCmd.PersistentFlags().BoolVar(&emailIgnoreTLSErrors, "ignore-tls-errors", false,
+		"Disable TLS certificate verification (DEVELOPMENT ONLY - insecure)")
+	emailCmd.PersistentFlags().BoolVar(&emailAllowUnsafeHTML, "allow-unsafe-html", false,
+		"Allow unsafe HTML embedding without sanitization (DEVELOPMENT ONLY - XSS risk)")
+
+	// IMAP timeout override flag
+	emailCmd.PersistentFlags().IntVar(&emailIMAPTimeout, "imap-timeout", 0,
+		"IMAP connection timeout in seconds (default: uses config value or 30s)")
+
 	// Draft subcommand flags
 	emailDraftCmd.Flags().BoolVar(&emailDraftUpload, "upload", false,
 		"Upload draft to IMAP Drafts folder")
@@ -170,6 +229,21 @@ func init() {
 }
 
 func runEmailDraft(cmd *cobra.Command, args []string) {
+	// Load application configuration
+	cfg := appconfig.GetConfig()
+
+	// Apply security settings (CLI flags override config file)
+	effectiveIgnoreTLS := emailIgnoreTLSErrors || cfg.Email.Security.IgnoreTLSErrors
+	effectiveAllowHTML := emailAllowUnsafeHTML || cfg.Email.Security.AllowUnsafeHTML
+
+	// Display security configuration
+	if effectiveIgnoreTLS {
+		log.Warn("TLS certificate verification is DISABLED")
+	}
+	if effectiveAllowHTML {
+		log.Warn("Unsafe HTML embedding is ENABLED")
+	}
+
 	// Determine report directory
 	reportDir, err := getReportDirectory(emailReportDir)
 	if err != nil {
@@ -178,12 +252,13 @@ func runEmailDraft(cmd *cobra.Command, args []string) {
 
 	log.Infof("Using report directory: %s", reportDir)
 
-	// Determine output mode (default to preview if none specified)
+	// Determine output mode (default to export + upload if none specified)
 	if !emailDraftUpload && !emailDraftExport && !emailDraftPreview {
-		emailDraftPreview = true
+		emailDraftExport = true
+		emailDraftUpload = true
 	}
 
-	// Validate that only one mode is selected
+	// Validate that only one mode is selected (unless default behavior)
 	modeCount := 0
 	if emailDraftUpload {
 		modeCount++
@@ -195,35 +270,126 @@ func runEmailDraft(cmd *cobra.Command, args []string) {
 		modeCount++
 	}
 
-	if modeCount > 1 {
-		log.Fatal("Error: Only one output mode can be specified (--upload, --export, or --preview)")
+	if modeCount > 2 {
+		log.Fatal("Error: Only one or two output modes can be specified")
+	}
+
+	// Load report content
+	reportContent, err := email.LoadReportContent(reportDir)
+	if err != nil {
+		log.Fatalf("Failed to load report content: %v", err)
+	}
+
+	// Build email message (needed for both export and upload)
+	includeHTML := !emailDraftPlainText
+	msg, err := email.BuildEmailMessage(reportContent, includeHTML, emailDraftExport)
+	if err != nil {
+		log.Fatalf("Failed to build email message: %v", err)
+	}
+
+	// Execute based on selected mode(s)
+	if emailDraftExport {
+		log.Info("Exporting draft as .eml file...")
+		log.Infof("HTML Sanitization: %v", !effectiveAllowHTML)
+
+		if err := saveEmlFile(msg, reportDir); err != nil {
+			log.Errorf("Failed to save .eml file: %v", err)
+		} else {
+			log.Info("Draft exported successfully")
+		}
 	}
 
-	// Execute based on selected mode
 	if emailDraftUpload {
 		log.Info("Uploading draft to IMAP Drafts folder...")
-		// TODO: Implement IMAP upload
-		log.Warn("IMAP upload not yet implemented")
-	} else if emailDraftExport {
-		log.Info("Exporting draft as .eml file...")
-		// TODO: Implement .eml export
-		log.Warn(".eml export not yet implemented")
-	} else if emailDraftPreview {
+		log.Infof("TLS Error Handling: %v", effectiveIgnoreTLS)
+
+		// Validate IMAP configuration
+		if cfg.Email.IMAP.URI == "" {
+			log.Error("IMAP URI is not configured")
+			log.Info("Please configure IMAP settings using:")
+			log.Info("  down-force config init")
+			log.Info("Or set environment variable:")
+			log.Info("  export DOWNFORCE_EMAIL_IMAP_URI='imap://user:pass@imap.example.com:993'")
+			return
+		}
+
+		// Connect to IMAP server (authentication credentials only, no placeholders)
+		client, err := email.ConnectIMAP(cfg.Email.IMAP, effectiveIgnoreTLS, emailIMAPTimeout)
+		if err != nil {
+			log.Errorf("Failed to connect to IMAP server: %v", err)
+			log.Info("Check your IMAP configuration in ~/.config/down-force/config.yaml")
+			return
+		}
+		defer func() {
+			if err := client.Close(); err != nil {
+				log.Warnf("Failed to close IMAP connection: %v", err)
+			}
+		}()
+
+		// Find or create Drafts mailbox
+		draftFolder, err := email.FindOrCreateDraftMailbox(client, cfg.Email.IMAP.DraftFolder)
+		if err != nil {
+			log.Errorf("Failed to find or create Drafts mailbox: %v", err)
+			return
+		}
+
+		// Upload draft message
+		if err := email.UploadDraftMessage(client, msg, draftFolder); err != nil {
+			log.Errorf("Failed to upload draft message: %v", err)
+			return
+		}
+
+		log.Info("Draft uploaded successfully to IMAP server")
+
+		// Logout
+		if err := client.Logout().Wait(); err != nil {
+			log.Warnf("IMAP logout warning: %v", err)
+		}
+	}
+
+	if emailDraftPreview {
 		log.Info("Displaying email preview...")
-		// TODO: Implement preview display
-		log.Warn("Preview display not yet implemented")
+		log.Infof("HTML Sanitization: %v", !effectiveAllowHTML)
+		displayEmailPreview(string(reportContent.Body))
 	}
 
 	if emailDraftPlainText {
-		log.Info("Generating plain-text only format")
+		log.Info("Generated plain-text only format")
+	}
+}
+
+func saveEmlFile(msg *mail.Email, reportDir string) error {
+	emlPath := filepath.Join(reportDir, "report.eml")
+	err := os.WriteFile(emlPath, []byte(msg.GetMessage()), 0600)
+	if err != nil {
+		return err
 	}
+	log.Info("Draft saved to: " + emlPath)
+	return nil
+}
 
-	fmt.Printf("\nReport directory: %s\n", reportDir)
-	fmt.Println("Email draft functionality will be implemented here.")
+func displayEmailPreview(content string) {
+	out, err := glamour.Render(content, "dark")
+	if err != nil {
+		log.Errorf("Failed to render markdown preview: %v", err)
+		return
+	}
+	fmt.Println(out)
 }
 
 func runEmailSend(cmd *cobra.Command, args []string) {
-	// Determine report directory
+	cfg := appconfig.GetConfig()
+
+	effectiveIgnoreTLS := emailIgnoreTLSErrors || cfg.Email.Security.IgnoreTLSErrors
+	effectiveAllowHTML := emailAllowUnsafeHTML || cfg.Email.Security.AllowUnsafeHTML
+
+	if effectiveIgnoreTLS {
+		log.Warn("TLS certificate verification is DISABLED")
+	}
+	if effectiveAllowHTML {
+		log.Warn("Unsafe HTML embedding is ENABLED")
+	}
+
 	reportDir, err := getReportDirectory(emailReportDir)
 	if err != nil {
 		log.Fatalf("Failed to determine report directory: %v", err)
@@ -237,11 +403,21 @@ func runEmailSend(cmd *cobra.Command, args []string) {
 		log.Info("Message-ID will be generated for tracking")
 	}
 
-	// TODO: Implement email send with confirmation
-	log.Warn("Email send functionality not yet implemented")
+	includeHTML := cfg.Email.MimeType == "multipart/alternative"
+
+	reportContent, err := email.LoadReportContent(reportDir)
+	if err != nil {
+		log.Fatalf("Failed to load report content: %v", err)
+	}
 
-	fmt.Printf("\nReport directory: %s\n", reportDir)
-	fmt.Println("Email send-with-confirm functionality will be implemented here.")
+	msg, err := email.BuildEmailMessage(reportContent, includeHTML, false)
+	if err != nil {
+		log.Fatalf("Failed to build email message: %v", err)
+	}
+
+	// TODO: Implement email send with confirmation and security settings
+	log.Warn("Email send functionality not yet implemented")
+	_ = msg
 }
 
 // getReportDirectory determines which report directory to use