
Add preview-gated sender-domain enable #30

Merged: rogu3bear merged 1 commit into main from build/maildesk-sender-domain-preview, Jun 30, 2026
Conversation

@rogu3bear

Owner

Summary

  • Add sender_domain enable as a preview-gated cfctl apply operation backed by Cloudflare Email Sending sender-subdomain API planning and acknowledged-apply verification.
  • Wire maildesk sender-domain drift to emit a concrete component preview command instead of a permanent unsupported-surface blocker.
  • Add Email Sending Write to deploy/full-operator bootstrap permission guidance and refresh generated capabilities docs.

Behavioral Changes

  • cfctl apply sender_domain enable --zone <zone> --name <domain> --plan now prepares the sender-domain creation/re-enable request without mutating Cloudflare.
  • A non-plan apply still requires the normal cfctl preview/ack gate and then verifies by reading the sender-domain list.
  • cfctl maildesk-cf provision --plan preserves mail_ready=false for unauthenticated sender domains, but component operations now carry preview commands when provider readback exists.
  • Provider readback unavailable remains blocked rather than being treated as actionable drift.

Proof

  • ./scripts/verify_maildesk_cf_contract.sh
  • ./scripts/verify_static_contract.sh
  • python3 scripts/verify_permission_catalog.py --cfctl ./cfctl
  • git diff --check
  • Plan-only live readback: direct sender_domain enable preview returned ok=true, plan_mode=true, no verification apply.
  • Plan-only private maildesk readback returned ok=true; sender-domain drift operations had preview commands and no component blockers while edge_ready=false / mail_ready=false remained honest.

Risk / Confidence

  • Sender-domain API shape: medium-high confidence; uses the documented Email Sending subdomains endpoint and keeps mutation behind existing cfctl ack gating.
  • Maildesk readiness semantics: high confidence; readiness blockers are unchanged, only the component preview command changed for actionable sender-domain drift.
  • Permissions: medium confidence; bootstrap fixtures now include Email Sending Write, but live permission-group drift should be watched in environments with older token profiles.

Next Steps

  • Review the Cloudflare Email Sending endpoint body and verification assumptions before merge.
  • After merge, rerun the private maildesk --plan path and only then decide whether to acknowledge any sender-domain operations.

Maildesk provisioning could detect sender-domain drift but left it permanently blocked because cfctl had only read inventory for Email Sending sender domains. That made the private maildesk plan unable to express the next operator-safe step even though Cloudflare exposes an Email Sending subdomain creation endpoint that can be wrapped behind the existing cfctl preview/ack contract.

Add sender_domain apply metadata for an enable operation, a cf_mutate_sender_domain.sh backend that prepares POST /zones/:zone_id/email/sending/subdomains and verifies by reading the sender-domain list after an acknowledged apply, and dispatch wiring from cfctl apply. Add Email Sending Write to the deploy/full-operator permission catalog so bootstrap guidance is explicit about the new write path.

Maildesk sender-domain drift now emits cfctl apply sender_domain enable --zone <domain> --name <domain> --plan as a component preview command while preserving mail_ready=false until authentication is actually applied and read back. Provider-readback-unavailable remains blocked.

Risk is bounded to a new preview-gated Cloudflare mutation surface; existing tests cover catalog shape, permission fixture drift, bash syntax, maildesk readiness behavior, and a live plan-only dry run.
@rogu3bear

Owner Author

@codex Please review the new sender_domain enable apply surface with focus on: (1) whether POST /zones/:zone_id/email/sending/subdomains with {name} is the right documented shape for create/re-enable and whether the list readback is sufficient verification, and (2) whether adding Email Sending Write to the deploy profile is the least-privilege fit for maildesk sender authentication.

@rogu3bear

Owner Author

Local proof completed because GitHub Actions did not start: the static contract check annotation says the account is locked due to a billing issue.

Proof run locally on branch build/maildesk-sender-domain-preview:

  • ./scripts/verify_maildesk_cf_contract.sh passed
  • ./scripts/verify_static_contract.sh passed
  • python3 scripts/verify_permission_catalog.py --cfctl ./cfctl passed
  • git diff --check passed
  • Plan-only live direct sender_domain enable preview returned ok=true, plan_mode=true, no apply verification
  • Plan-only private maildesk provision returned ok=true; sender-domain drift operations had preview commands with no component blockers while readiness remained honestly false for unperformed work

@rogu3bear rogu3bear merged commit da7ba2d into main Jun 30, 2026
1 of 2 checks passed
@rogu3bear rogu3bear deleted the build/maildesk-sender-domain-preview branch June 30, 2026 22:39
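
An added sketch of the plan/ack gate and list readback this pull request describes; it is not cfctl's code and nothing in it calls Cloudflare. The ack token (a SHA-256 of the planned request), the function names, the name check, and the file-backed mock of the provider's sender-domain list are all assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Constructed example: plan mode never mutates, apply needs an ack bound to the
# exact planned request, and success is only reported after a list readback.
STATE_FILE="${STATE_FILE:-$(mktemp)}"   # mock provider inventory, one domain per line

# Request as it would be sent; the {name} body is the shape discussed in the PR.
plan_request() {  # $1 = zone id, $2 = sender domain
  printf 'POST /zones/%s/email/sending/subdomains {"name":"%s"}' "$1" "$2"
}

# Hypothetical ack token: digest of the planned request, so an ack issued for
# one preview cannot authorize a different zone or name.
plan_digest() { plan_request "$1" "$2" | sha256sum | cut -d' ' -f1; }

# Mock provider calls (stand-ins for the real API, assumptions of this example).
provider_create() { echo "$2" >> "$STATE_FILE"; }
provider_list()   { cat "$STATE_FILE"; }

# apply_sender_domain ZONE NAME MODE [ACK]
apply_sender_domain() {
  local zone="$1" name="$2" mode="$3" ack="${4:-}" digest
  # Reject anything that is not a plain lowercase hostname before it reaches the JSON body.
  case "$name" in ''|*[!a-z0-9.-]*) echo "blocked: invalid name" >&2; return 1;; esac
  digest="$(plan_digest "$zone" "$name")"
  if [ "$mode" = "plan" ]; then
    printf 'plan_mode=true request=%s ack=%s\n' "$(plan_request "$zone" "$name")" "$digest"
    return 0                              # nothing was mutated
  fi
  if [ "$ack" != "$digest" ]; then
    echo "blocked: missing or stale ack" >&2
    return 2
  fi
  provider_create "$zone" "$name"
  # Readback: claim success only if the provider's list now shows the domain.
  if provider_list | grep -Fxq -- "$name"; then
    echo "ok=true verified=true"
  else
    echo "ok=false verified=false" >&2
    return 3
  fi
}

# Preview only; zone id and domain are constructed sample values.
apply_sender_domain zone-id-placeholder mail.example.com plan
```
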