fix(email): short-circuit to no-op sender when EMAIL_ENABLED=false (closes #332)

[cristim]

Summary

Two related fixes to internal/email/ so the package matches its
documented contract and produces useful diagnostics when degraded.

Changes

1. Factory short-circuits to no-op sender on EMAIL_ENABLED=false (closes #332)

internal/email/factory.go::NewSenderFromEnvironment now returns a
no-op SenderInterface at the top of the function when
EMAIL_ENABLED=false, before dispatching by SECRET_PROVIDER.

The factory and the secret resolver share SECRET_PROVIDER for two
different purposes (cloud email backend vs. secret-store backend).
The local-dev docker-compose.yml already declares
EMAIL_ENABLED: "false" and explains "Email disabled for local
development (no SNS topic)", but the factory never reads the flag.
So SECRET_PROVIDER=env (the documented local-dev resolver per
internal/secrets/resolver.go:50) + EMAIL_ENABLED=false hard-fails
on startup with failed to initialize email sender: unsupported email provider: env, even though no email will ever be sent.

The new internal/email/nop_sender.go implements all 15
SenderInterface methods, logs each invocation at debug level so
local-dev traces still show where an email would have gone, and is
guarded by a compile-time
var _ SenderInterface = (*NopSender)(nil) assertion.

2. Log HTML approval-request render fallback

sendPurchaseApprovalRequestVia in internal/email/templates.go
silently swallowed RenderPurchaseApprovalRequestEmailHTML errors
when degrading to text-only delivery. Now emits
logging.Warnf("email: HTML approval-request render failed, falling back to text-only: %v", htmlErr) at the fallback site so
template regressions surface in logs without breaking email delivery.
The graceful fallback itself is unchanged — htmlBody = "" still
routes through the multipart sender's text-only path.

Originally a CodeRabbit nitpick on PR #298 that raced with the merge
(commit eb09eabe4 on the closed feat/issue-287 branch). Folded
into this PR since both changes touch internal/email/ and the
change is six lines.

Closes #332.

Test plan

• go build ./... clean
• go test ./... clean (0 failures)
• go test ./internal/email/... clean
• Manual: start the local docker-compose stack with
  SECRET_PROVIDER=env and EMAIL_ENABLED=false; backend reaches
  /api/health HTTP 200; logs show
  "Email sending is disabled (EMAIL_ENABLED=false); using no-op sender".

Summary by CodeRabbit

• New Features

  • Option to fully disable email delivery via an environment setting; when disabled the system suppresses outbound emails and logs the change.

• Improvements

  • Added a no-op email sender that silently suppresses sends while logging minimal, non-PII details.
  • Approval email template render failures now log a warning and fall back to plain-text delivery.

• Tests

  • Added tests verifying the disable flag behavior and the no-op sender's nil-safe, no-error contract.

[cristim]

@coderabbitai review

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eadc1df7-e611-4a6d-852b-a23f5d0cd61b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

The PR adds a no-op email sender and integrates an EMAIL_ENABLED early-exit in the factory to return it when disabled; it also logs HTML template render failures for purchase-approval emails while keeping text-only fallback.

Changes

Email Disabling with No-op Sender

Layer / File(s)	Summary
No-op Sender Implementation internal/email/nop_sender.go	Defines NopSender with NewNopSender() and implements all SenderInterface methods. Each method suppresses delivery by returning nil and emits debug logs with only limited non-PII metadata. Includes compile-time interface satisfaction check.
Factory Early-Exit Logic internal/email/factory.go	Adds strconv import and updates NewSenderFromEnvironment to read EMAIL_ENABLED; when set and parsed to false it logs and returns NewNopSender() early. Unparseable values emit a warning and continue normal provider detection.
Template Error Logging internal/email/templates.go	Adds pkg/logging import and changes sendPurchaseApprovalRequestVia to log a logging.Warnf if HTML template rendering fails; preserves non-fatal text-only fallback (HTML body set to "").
Tests internal/email/factory_test.go, internal/email/nop_sender_test.go	Adds tests verifying EMAIL_ENABLED gating behavior in the factory and that NewNopSender() methods all return nil and are nil-safe; also runtime interface assignment check.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• LeanerCloud/CUDly#298: Related prior changes to the email sender interface and HTML render fallback handling.

Suggested labels

severity/low, urgency/this-quarter, effort/s

Poem

🐰 A silent sender hops in place,
Debugging traces, no outbound race.
EMAIL_ENABLED whispers "no",
Factory returns the quiet show.
Templates warn when HTML fails—soft grace.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly and specifically summarizes the main change: adding a short-circuit to a no-op sender when EMAIL_ENABLED=false, with reference to the closed issue.
Linked Issues check	✅ Passed	All objectives from issue #332 are met: EMAIL_ENABLED=false triggers no-op sender (factory.go), all 15 SenderInterface methods implemented with compile-time assertion (nop_sender.go), debug-level logging implemented, HTML render fallback logs warning (templates.go), and tests verify all requirements.
Out of Scope Changes check	✅ Passed	All changes are within scope: factory.go reads EMAIL_ENABLED and returns NopSender, nop_sender.go implements the no-op type, templates.go adds logging as a bundled follow-up per #332, and test files validate both.
Docstring Coverage	✅ Passed	Docstring coverage is 88.89% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/email-nop-sender

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/email/factory.go`:
- Around line 47-50: Replace the literal string check of EMAIL_ENABLED with
boolean parsing: read os.Getenv("EMAIL_ENABLED"), call strconv.ParseBool on it
(import strconv), and if the parsed value is false return NewNopSender() and log
the same message; handle parse errors by either treating them as enabled (and
optionally logging a warning) or defaulting to false per your policy. Ensure you
reference the same env var name "EMAIL_ENABLED" and keep NewNopSender() as the
no-op return path.

In `@internal/email/nop_sender.go`:
- Around line 26-33: NopSender currently logs raw recipient and CC email
addresses in SendToEmail and SendToEmailWithCCMultipart (and other no-op sender
methods), which leaks PII; update those logging calls to avoid printing raw
emails by either removing the address fields or replacing them with non-PII info
(e.g., masked addresses, recipient count, or domains only); implement a small
helper (e.g., maskEmail or summarizeRecipients) and use it in
NopSender.SendToEmail and NopSender.SendToEmailWithCCMultipart (and the other
no-op methods flagged) so logs retain useful context without exposing full email
addresses.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2d427b08-aaa4-448c-9218-950a35d64802

📥 Commits

Reviewing files that changed from the base of the PR and between c95a6ac and a553b96.

📒 Files selected for processing (3)

• internal/email/factory.go
• internal/email/nop_sender.go
• internal/email/templates.go

[cristim]

@coderabbitai — addressed both actionable items from review 4266799238 in commit 46c0609b7:

1. EMAIL_ENABLED parsing — switched to strconv.ParseBool so the full false-y spelling set is honoured (false/False/FALSE/0/f/F). Unset/empty keeps the default (enabled) so existing deployments are unaffected; unparseable values emit a Warnf and fall through to enabled, so a misconfiguration is visible in logs without bringing the app down.

2. PII redaction in no-op logs — removed recipient emails, subjects, and embedded admin emails from every NopSender.* log line. Replaced with method-name + recipient counts (to=1 cc=3) — enough trace context to know which path was invoked without leaking who it would have gone to. Documented the policy in the NopSender type doc comment so a future maintainer doesn't add addresses back. Considered using the existing redactEmail helper in internal/auth/service_password.go but it's package-private and even a masked address is gratuitous for a no-op sender.

Verification: go build ./... clean, go test ./... clean (0 failures), go test ./internal/email/... clean.

@coderabbitai review

[coderabbitai]

@cristim — thanks for the thorough follow-up. Both changes look well-considered:

1. strconv.ParseBool for EMAIL_ENABLED — idiomatic Go, covers the full boolean spelling set, and the warn-then-fall-through behaviour for unparseable values is the right trade-off (visible misconfiguration without a hard crash). The "unset = enabled" default preserves backward compatibility for existing deployments.

2. PII redaction in no-op logs — replacing email addresses and subjects with to=N cc=N counts is exactly the right level of detail for a dev/trace path: enough to confirm which code branch fired, nothing that leaks PII into log sinks. Documenting the policy in the NopSender type comment is a nice touch to guard against future regressions.

Triggering a fresh review of the updated commit now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

Added unit tests in commit b04594e:

• TestNewSenderFromEnvironment_EmailEnabled — 15 sub-cases covering every branch (6 false-y spellings short-circuit to NopSender with SECRET_PROVIDER=env to prove the short-circuit fires before dispatch; 6 true-y spellings fall through to AWS sender; unset/empty fall through; unparseable warns + falls through).
• TestNopSender_AllMethodsReturnNil — exercises every one of the 15 SenderInterface methods on NopSender.
• TestNopSender_NilSafe — nil/empty inputs don't panic.
• TestNopSender_NilContext — nil context doesn't panic.
• TestNopSender_SatisfiesInterface — runtime echo of the compile-time guard.

go test ./... clean. @coderabbitai review

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

@cristim — the test suite looks thorough and well-structured:

• TestNewSenderFromEnvironment_EmailEnabled with 15 sub-cases is exactly the right approach — pinning every false-y/true-y spelling plus the unset/empty/unparseable edge cases to concrete assertions.
• TestNopSender_NilSafe and TestNopSender_NilContext are good defensive additions; nil-input panics in no-op paths are a common footgun that often gets missed.
• TestNopSender_SatisfiesInterface as a runtime echo of the compile-time guard is a nice belt-and-suspenders touch.

Triggering a fresh review of the updated commit now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/email/factory_test.go`:
- Around line 258-260: In the "unset_falls_through" subtest, capture the
original EMAIL_ENABLED value before calling os.Unsetenv and register a t.Cleanup
that restores the environment after the test; i.e., inside the
t.Run("unset_falls_through", ...) before os.Unsetenv("EMAIL_ENABLED") save orig
:= os.LookupEnv("EMAIL_ENABLED") and call t.Cleanup(func(){ if present restore
with os.Setenv else call os.Unsetenv }) so the test (and helper aws(t)) does not
leak mutated env state to later tests.

🪄 Autofix (Beta)

❌ Autofix failed (check again to retry)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 416d50af-d1a3-49e1-8793-42bc7d814ab1

📥 Commits

Reviewing files that changed from the base of the PR and between 46c0609 and b04594e.

📒 Files selected for processing (2)

• internal/email/factory_test.go
• internal/email/nop_sender_test.go

[coderabbitai]

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

⚠️ Branch updated during autofix.

The branch was updated while autofix was in progress. Please try again.

[coderabbitai]

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 1 file(s) based on 1 unresolved review comment.

Files modified:

• internal/email/factory_test.go

Commit: b415e7e5485be882742094bc944dbe1a0920a105

The changes have been pushed to the feat/email-nop-sender branch.

Time taken: 2m 17s