fix(email-core): enforce reply allowlist for reply-all recipients

[stevenobiajulu]

Summary

This closes the reply allowlist gap in reply_to_email when reply_all is enabled.

• validate the full effective recipient set before sending a reply
• include caller-supplied cc addresses in the allowlist gate
• skip the current mailbox only for auto-expanded thread recipients so reply-all does not self-block
• add regression coverage for reply-all thread CCs, sender-only replies, and explicit CCs
• update the tool reference wording to reflect send-path allowlist enforcement

Root Cause

reply_to_email only checked originalMessage.from.email before calling the provider send path. When reply_all was left at its default true, provider reply expansion could still add non-allowlisted thread recipients, which bypassed the send allowlist.

Impact

Outbound replies now fail before send if any effective reply recipient falls outside the send allowlist, which brings the action behavior back in line with the documented security model.

Fixes #57.

Validation

• npm run test:run -w @usejunior/email-core -- src/actions/reply.test.ts
• npm run lint -w @usejunior/email-core

[codecov]

Codecov Report

❌ Patch coverage is 83.78378% with 6 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
packages/email-core/src/actions/reply.ts	83.78%	6 Missing ⚠️

📢 Thoughts on this report? Let us know!