feat(email): add GPG/PGP email encryption and decryption

[qasim-nylas]

Summary

Add full GPG/PGP email encryption support to the Nylas CLI, complementing the existing signing feature. Users can now send encrypted emails that only the intended recipient can read, and decrypt encrypted emails they receive.

Sending Encrypted Email

• --encrypt flag encrypts email with recipient's public key
• --recipient-key to specify key ID (optional - auto-detects from email)
• --sign --encrypt combines signing and encryption for maximum security
• Auto-fetches recipient keys from public key servers:
  • keys.openpgp.org
  • keyserver.ubuntu.com
  • pgp.mit.edu
  • keys.gnupg.net

Reading Encrypted Email

• --decrypt flag decrypts PGP/MIME encrypted messages
• --decrypt --verify for messages that are both signed and encrypted
• Shows decryption key ID and signature verification details

Usage Examples

# Encrypt only (auto-fetches recipient's public key)
nylas email send --to bob@example.com --subject "Secret" --body "..." --encrypt

# Sign AND encrypt (recommended)
nylas email send --to bob@example.com --subject "Secret" --body "..." --sign --encrypt

# Decrypt received email
nylas email read <message-id> --decrypt

# Decrypt and verify signature
nylas email read <message-id> --decrypt --verify

Changes

New Files

File	Purpose
internal/adapters/gpg/encrypt.go	Encryption/decryption methods, key lookup, key server fetching
internal/adapters/gpg/encrypt_test.go	Unit tests for encryption
internal/adapters/mime/encrypted.go	RFC 3156 PGP/MIME encrypted message builder
internal/adapters/mime/encrypted_test.go	Unit tests for MIME builder
internal/cli/email/read_decrypt.go	Decrypt command handling
internal/cli/email/read_decrypt_test.go	Unit tests for decryption
docs/commands/encryption.md	Comprehensive documentation (500+ lines)

Modified Files

• internal/cli/email/send.go - Added --encrypt and --recipient-key flags
• internal/cli/email/send_gpg.go - Refactored for sign/encrypt/both modes
• internal/cli/email/read.go - Added --decrypt flag
• internal/adapters/gpg/service.go - Added interface methods
• internal/adapters/gpg/types.go - Added EncryptResult, DecryptResult types
• internal/adapters/mime/builder.go - Refactored with shared interface to reduce duplication
• docs/COMMANDS.md - Updated with encryption commands
• docs/commands/email.md - Added GPG section
• docs/commands/email-signing.md - Updated cross-references

Technical Details

• Implements RFC 3156 PGP/MIME encrypted message format
• Uses multipart/encrypted with protocol="application/pgp-encrypted"
• Supports multiple recipients (To/Cc/Bcc all encrypted)
• Sign+encrypt uses GPG's combined --sign --encrypt for proper ordering
• Shared messageRequest interface reduces code duplication in MIME builder

Test Plan

• Unit tests for encryption validation
• Unit tests for decryption output parsing
• Unit tests for MIME structure
• Unit tests for encrypted message parsing
• Integration tests (require GPG setup)
• Manual testing with real encrypted emails
• make ci-full passes