feat: add security email filter to email worker

[riderx]

Summary (AI generated)

• Added new security email category to detect generic/vague security vulnerability reports
• Implemented AI-powered and heuristic-based classification for security emails
• Created auto-reply system that explains our security reporting requirements
• Distinguishes between valid specific reports (sent to support) and generic vague reports (auto-replied)

Motivation (AI generated)

Security researchers and automated scanners frequently send vague vulnerability reports without specific code references (e.g., "we found Prototype Pollution on your website" without mentioning actual vulnerable code). These generic reports:

• Waste time because they don't reference our actual code
• Often concern third-party services (Supabase, jQuery) that we don't control
• Require back-and-forth communication to get useful information

The security email filter automatically:

• Detects generic security reports based on keywords and lack of code references
• Sends a professional auto-reply explaining our requirements
• Encourages reporters to submit specific, actionable findings with code locations
• Informs them we pay for valid security reports

Business Impact (AI generated)

• Reduces email noise by automatically handling vague security reports
• Improves security researcher experience by clearly explaining expectations
• Preserves team time by filtering low-quality security noise before it reaches the team
• Signals to security community that we pay for valid reports but need specific details
• Maintains professional communication with legitimate security researchers

Test Plan (AI generated)

• Test generic security report (e.g., "I found XSS on capgo.app") → receives auto-reply
• Test specific security report (e.g., "bug in cloudflare_workers/email/index.ts line 42") → sent to Discord support channel
• Test third-party report (e.g., "Supabase has a vulnerability") → receives auto-reply explaining scope
• Test backlink request → receives backlink auto-reply (existing functionality)
• Test valid support email → sent to Discord (existing functionality)
• Verify auto-reply mentions GitHub repos (https://github.com/cap-go/capgo, https://github.com/cap-go/website)
• Verify auto-reply mentions payment for valid reports
• Verify auto-reply lists out-of-scope items (Supabase, jQuery, Cloudflare, etc.)

Generated with AI

Summary by CodeRabbit

• New Features

  • Added a new "security" email category and AI-generated security auto-replies for vulnerability reports.
  • Incoming security-related emails are routed to a specialized handling flow.

• Refactor / Improvements

  • Improved email parsing and cleaning robustness and refined heuristic detection for security vs. non-security signals.

• Documentation

  • Expanded and reformatted setup, debugging, and multi-domain docs for clarity.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@riderx has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 16 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 7425119 and 0b9dd9a.

📒 Files selected for processing (1)

• cloudflare_workers/email/classifier.ts

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Adds a new 'security' email category, detection heuristics, and an AI-driven auto-reply path. The classifier and main email handler route security-classified messages to a specialized flow that generates and sends security-focused responses via Anthropic Claude.

Changes

Cohort / File(s)	Summary
Security Classification & Auto-Reply Generation cloudflare_workers/email/classifier.ts	Adds 'security' to EmailCategory. Enhances classifyEmailHeuristic with security-detection patterns and backlink regex tweaks. Exports SecurityAutoReply and generateSecurityAutoReply(env, email); adds internal helpers buildSecurityReplyPrompt, parseSecurityReplyResponse, getDefaultSecurityReply. Adjusts attachment/screenshot heuristics.
Security Email Routing & Handler cloudflare_workers/email/index.ts	Imports generateSecurityAutoReply, adds handleSecurityEmail(env, email) to generate/send auto-replies with Message-ID and logging, and routes security-classified emails to this handler. Renames fetch second parameter to _env. Minor formatting changes.
Email parsing / cleaning refinements cloudflare_workers/email/discord.ts, cloudflare_workers/email/email-parser.ts	Broader MIME/boundary/header stripping and entity-decoding adjustments in discord.ts. Permissive charset/hex handling and minor decode tweaks in email-parser.ts. Mostly resilient decoding and parsing improvements.
Docs / Guides cloudflare_workers/email/CAPGO_SETUP.md, DEBUGGING.md, DISCORD_TO_EMAIL.md, MULTI_DOMAIN_SETUP.md, README.md	Presentation and content expansions; added examples, log guidance, and formatting edits. No behavioral changes.

Sequence Diagram

sequenceDiagram
    participant EmailReceiver as Email System
    participant Classifier
    participant Router as Main Handler
    participant ClaudeAPI as Anthropic Claude
    participant MailOut as Mail Sender

    EmailReceiver->>Classifier: classifyEmail(parsedEmail)
    Classifier->>Classifier: classifyEmailHeuristic(detect security signals)
    Classifier-->>Router: return category='security'
    Router->>Classifier: generateSecurityAutoReply(env, email)
    Classifier->>ClaudeAPI: build prompt & call API
    ClaudeAPI-->>Classifier: security auto-reply (subject, text, html)
    Router->>MailOut: send auto-reply (with Message-ID)
    MailOut-->>Router: send result/status
    Router-->>EmailReceiver: log result

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• fix: improve email encoding and HTML rendering #1435 — Overlapping changes to email parsing and HTML-to-text/cleaning logic (relates to email-parser.ts and discord.ts edits).
• fix: clean email formatting for Discord messages #1441 — Related adjustments to MIME boundary/header stripping and HTML-decoding in discord.ts.

Poem

🐰 In the burrow the rabbit taps keys in delight,
A new "security" flag gleams in the night,
Claude crafts a reply, polite and aware,
Quick as a thump, we respond with care,
Hops and bytes guard inboxes tight.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: add security email filter to email worker' is clear and directly describes the main change: adding a security email filter to the email worker component.
Description check	✅ Passed	The PR description provides a comprehensive summary, motivation, business impact, and detailed test plan covering multiple scenarios. However, it does not fully follow the template structure (missing explicit 'Screenshots' section acknowledgment and incomplete 'Checklist').
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 79a8966747

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Consider endpoint-only security reports as valid

When AI classification is disabled or unavailable, the heuristic uses validSecurityReportPatterns to decide if a security report should be routed to support. That list only checks for repo/file/path references, so a report that provides a concrete vulnerable endpoint or URL (e.g., /api/... or https://capgo.app/...) but no file path will be treated as generic and auto-replied, potentially dropping actionable reports. Consider treating endpoint/URL evidence as valid in this heuristic so specific vulnerability reports still reach support.

Useful? React with 👍 / 👎.

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot
13.4% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud