
feat: add email domain health workflow and security page polish#104

Merged: jonathanhaaswriter merged 7 commits into main from droid/email-domain-health-and-spacing on Jun 15, 2026

@dcoln25-writer dcoln25-writer commented Jun 15, 2026

Contributor

Summary

  • add a new Email Domain Health workflow end-to-end: proto RPCs, Go handlers, persistence models + migration, Connect/web API wrappers, and a dedicated /security/email-domain-health page
  • integrate Email Domain Health into Security Graph with a summary card and navigation entry
  • harden mail-auth evaluation so malformed/permissive records do not appear healthy:
    • flag SPF ?all
    • validate DMARC p= to none|quarantine|reject
    • treat invalid DKIM p= key material as an issue (not healthy)
  • expand domain discovery to include connected saas_identities email/external identifiers so domains are found even when integration account ids are slugs
  • add graceful frontend fallback for unimplemented/404 RPC responses on Email Domain Health loading
  • normalize spacing rhythm across Security Graph, Email Domain Health, and Findings pages

Validation

  • go build ./...
  • go vet ./...
  • go test ./... -short
  • npm run typecheck
  • npm run test:api
  • npm run build:web

Introduce end-to-end domain health checks (SPF/DKIM/DMARC), persistence, and UI surfaces so operators can triage mail-auth posture from Security Graph and a dedicated page.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
@dcoln25-writer dcoln25-writer force-pushed the droid/email-domain-health-and-spacing branch from 304af3d to ce5989f Compare June 15, 2026 05:56
github-actions Bot commented Jun 15, 2026


Droid finished @dcoln25-writer's task —— View job


Security Review

The Email Domain Health feature is well structured: handlers are session-authenticated and scoped by organization_id, SQL is parameterized, and normalizeDomainCandidate rejects IPs and internal suffixes. Two non-blocking issues remain: DKIM key size is derived from the encoded SPKI byte length rather than the RSA modulus (inaccurate displayed bits and skewed thresholds), and the unconditional refresh path performs unbounded, unthrottled DNS resolution that an authenticated user could abuse for resource exhaustion.

Comment thread internal/bootstrap/email_domain_health.go Outdated
Comment thread internal/bootstrap/email_domain_health.go
github-actions Bot commented Jun 15, 2026


Droid encountered an error —— View job


Security Review

Droid is reviewing code and running a security check…

github-actions Bot commented Jun 15, 2026


Droid finished @dcoln25-writer's task —— View job


Security Review

The Email Domain Health feature is well structured and the two prior review comments (DKIM key-bit calculation and refresh-handler throttling) are addressed at this head SHA. The main remaining concern is that the list/ensure read path still performs unbounded, unthrottled outbound DNS on every page load, lacking the rate limit and bulk cap applied to the refresh handler. Secondary correctness issues are an Ed25519 DKIM false-positive that forces domains to FAILING and an empty refresh-all response when no domains are stale.

Comment thread internal/bootstrap/email_domain_health.go Outdated
Comment thread internal/bootstrap/email_domain_health.go Outdated
Comment thread internal/bootstrap/email_domain_health.go Outdated
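The DKIM findings raised in this thread (key size taken from the encoded SPKI byte length, the Ed25519 false positive, and invalid `p=` key material), shown as an added Go example that is not the PR's own code. `dkimKeyBits` and `sampleRecords` are hypothetical names, and the sample records are constructed from freshly generated keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// dkimKeyBits (hypothetical helper) returns the key type and true strength in bits.
func dkimKeyBits(record string) (string, int, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		if k, v, ok := strings.Cut(part, "="); ok {
			tags[strings.TrimSpace(k)] = strings.Join(strings.Fields(v), "")
		}
	}
	raw, err := base64.StdEncoding.DecodeString(tags["p"])
	if err != nil || len(raw) == 0 {
		return "", 0, fmt.Errorf("invalid or empty p= key material")
	}
	if tags["k"] == "ed25519" && len(raw) == ed25519.PublicKeySize {
		return "ed25519", 256, nil // RFC 8463: raw 32-byte key, not an SPKI blob
	}
	pub, err := x509.ParsePKIXPublicKey(raw)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok || tags["k"] == "ed25519" {
		return "", 0, fmt.Errorf("p= is not a usable key for k=%q", tags["k"])
	}
	return "rsa", rsaPub.N.BitLen(), nil // modulus size, not DER byte length
}

// sampleRecords builds constructed records plus the misleading DER-length "bits".
func sampleRecords() (rsaRec string, naiveBits int, edRec string) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	edPub, _, _ := ed25519.GenerateKey(rand.Reader)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der), len(der) * 8,
		"v=DKIM1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(edPub)
}

func main() {
	rsaRec, naive, edRec := sampleRecords()
	fmt.Println("bits from DER length:", naive)
	fmt.Println(dkimKeyBits(rsaRec))
	fmt.Println(dkimKeyBits(edRec))
}
```

The DER-length figure overstates a 2048-bit RSA key because the SPKI wrapper and exponent are counted, which is what skews any threshold compared against it.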
github-actions Bot commented Jun 15, 2026


Droid encountered an error —— View job


Security Review

Droid is reviewing code and running a security check…

github-actions Bot commented Jun 15, 2026


Droid finished @dcoln25-writer's task —— View job


Security Review

The Email Domain Health feature is well structured, and all five previously flagged issues (DKIM key-bit calculation, list/refresh DNS rate-limiting, Ed25519 false-positive, and refresh-all empty result) are resolved at this head SHA. Remaining items are non-blocking: the getEmailDomainHealth read path still triggers outbound DNS without the rate limit applied to the other handlers, the list endpoint returns an incomplete set on first load for orgs with >10 domains, raw DNS error strings are surfaced to clients, and a nested-route highlight glitch in the sidebar nav.

Comment thread internal/bootstrap/email_domain_health.go
Comment thread internal/bootstrap/email_domain_health.go Outdated
Comment thread internal/bootstrap/email_domain_health.go Outdated
Comment thread apps/web/components/layout/top-nav.tsx
github-actions Bot commented Jun 15, 2026


Droid encountered an error —— View job


Security Review

Droid is reviewing code and running a security check…

Add Salesforce provider/catalog support (Connected App client ID+secret flow), tighten connector rules UX, and remove the legacy per-connector Checks dialog. Harden email-domain health with accurate DKIM key sizing, Ed25519 support, list/get/refresh throttling and caps, sanitized DNS lookup error details, and complete discovered-domain list responses; also fix sidebar nested active-state highlighting.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
@dcoln25-writer

Contributor Author

Repushed at .

Addressed the follow-up review items on this branch:

  • Added explicit list/get email-domain request rate limiting (with policy assertions in tests).
  • Kept refresh DNS work bounded by stale-window + bulk cap and preserved refresh-all current-row behavior when nothing is stale.
  • Ensured list responses include discovered-but-not-yet-checked domains as placeholders.
  • Sanitized DNS lookup error details returned to clients (no raw resolver internals).
  • Fixed nested sidebar active-state highlighting so Email Domain Health no longer double-highlights.

@dcoln25-writer

Contributor Author

Repushed at 53de11e.

Addressed the follow-up review items on this branch:

  • Added explicit list/get email-domain request rate limiting (with policy assertions in tests).
  • Kept refresh DNS work bounded by stale-window + bulk cap and preserved refresh-all current-row behavior when nothing is stale.
  • Ensured list responses include discovered-but-not-yet-checked domains as UNKNOWN placeholders.
  • Sanitized DNS lookup error details returned to clients (no raw resolver internals).
  • Fixed nested /security/* sidebar active-state highlighting so Email Domain Health no longer double-highlights.

github-actions Bot commented Jun 15, 2026


Droid finished @dcoln25-writer's task —— View job


Security Review

No issues found. The Email Domain Health feature is well structured: handlers are session-authenticated and org-scoped, SQL is parameterized, and DNS read/refresh paths are rate-limited and bulk-capped. All previously flagged issues are resolved at this head SHA and no new high-confidence, actionable issues were found.

@jonathanhaaswriter jonathanhaaswriter merged commit c298839 into main Jun 15, 2026
16 checks passed
@jonathanhaaswriter jonathanhaaswriter deleted the droid/email-domain-health-and-spacing branch June 15, 2026 08:41