Skip to content

Fix maildesk receive-only sender lifecycle#37

Merged
rogu3bear merged 1 commit into
mainfrom
build/maildesk-disabled-sender-lifecycle
Jul 1, 2026
Merged

Fix maildesk receive-only sender lifecycle#37
rogu3bear merged 1 commit into
mainfrom
build/maildesk-disabled-sender-lifecycle

Conversation

@rogu3bear

Copy link
Copy Markdown
Owner

Summary

  • Align cfctl maildesk-cf with the public maildesk template by defaulting generated and checked-in specs to sender.mode: disabled with no authenticated sender domains.
  • Treat disabled / receive_only as an intentional receive-only sender posture, so provisioning plans no longer emit sender_adapter_receive_only drift or sender-provider operations for Milestone 1.
  • Keep provider-enabled sender coverage by splitting the contract test into disabled-template readiness and explicit Cloudflare Email Service sender-domain drift, and bound maildesk ack receipt lookup to maildesk envelopes so the blocked-ack proof stays fast.

Behavioral implications

  • cfctl maildesk-cf init --domain example.com now emits a public-template-safe receive-only sender block.
  • cfctl maildesk-cf verify|provision --plan can show template/instance readiness without requiring outbound sender authentication unless the spec enables cloudflare_email_service or resend.
  • Composite maildesk-cf provision --ack-plan <operation-id> remains intentionally blocked until component writes are preview-gated.

Risk areas and confidence

  • Disabled sender lifecycle: high confidence; covered by contract fixture, live init readback, and live verify/plan readbacks.
  • Provider-enabled sender drift: high confidence; contract now uses an explicit Cloudflare Email Service spec and still expects sender-domain drift/preview command.
  • Ack receipt lookup: medium-high confidence; scope is narrowed to maildesk-cf-maildesk-cf-*.json runtime envelopes to avoid scanning unrelated evidence, with the blocked-ack contract passing.
  • Docs/catalog wording: high confidence; static contract passed after updates.

Test plan

  • ./scripts/verify_maildesk_cf_contract.sh
  • ./scripts/verify_static_contract.sh
  • git diff --check
  • ./cfctl maildesk-cf init --domain example.com | jq '{ok, sender: .result.generated_spec.sender, operation_count: .summary.operation_count}'
  • ./cfctl maildesk-cf verify --file /Users/star/dev/maildesk-cf/config/desired-state.example.json | jq '{ok, summary: .summary, drift_classes: .result.drift_classes, sender: .result.checks.sender}'
  • ./cfctl maildesk-cf provision --file /Users/star/dev/maildesk-cf/config/desired-state.example.json --plan | jq '{ok, operation_id, summary: .summary, drift_classes: .result.drift_classes, sender: .result.checks.sender}'
  • ./cfctl doctor | jq '{ok, summary: .summary}'

Remaining blocked outside this checkout

  • Real maildesk deployment still requires component preview/apply lanes for Worker deploys, D1 database creation, R2 bucket creation, Queue creation, Email Routing enablement, and each Email Routing alias.
  • The live preview against the merged maildesk public example produced operation 20260701T185539Z-84095-155793269, with drift classes limited to missing_resource, email_routing_alias_drift, and the informational optional_live_send_not_requested; sender mode is ready and no sender-provider operation remains.
  • email.routing enablement is still reported as blocked by ownership policy: resource creation must use the owning primitive cfctl surface or app deploy lane.
  • Targeted live delivery proof remains intentionally outside this PR and should only be run after a real domain/resource provision path exists.

CI note

  • Recent cfctl contract GitHub Actions runs on main and prior PRs are already failing before this branch. Local contract proof for this branch is green.

Align the cfctl maildesk-cf lifecycle with the public template contract by making generated and checked-in specs default to disabled outbound sender mode. Disabled/receive-only mode now proves sender readiness without creating sender-provider drift, while provider-enabled specs still exercise DNS and provider readback paths. The contract test splits those cases so Milestone 1 can prove provisioning shape without pretending outbound sending is configured. The only runtime helper change bounds maildesk ack receipt lookup to maildesk envelopes so the blocked ack proof remains fast even with a large evidence directory.
@rogu3bear

Copy link
Copy Markdown
Owner Author

@codex please review the receive-only sender readiness semantics and the bounded maildesk ack receipt lookup. The intent is that sender.mode: disabled is a valid Milestone 1 receive-only posture with no sender-provider drift, while provider-enabled specs still require DNS/provider readback and composite ack stays blocked.

@rogu3bear rogu3bear merged commit 2b6b60c into main Jul 1, 2026
1 of 2 checks passed
@rogu3bear rogu3bear deleted the build/maildesk-disabled-sender-lifecycle branch July 1, 2026 18:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant