fix(sec): Authorization-Bypässe und Path-Traversal schließen, Xapian-Doku bereinigen

- SEC: requireMailAccess auf GET /api/threads/{threadID} — superadmin/domain_admin konnten Mail-Metadaten lesen
- SEC: requireMailAccess auf POST /api/export/ediscovery — superadmin/domain_admin konnten bis zu 10k EML exportieren
- SEC: V1-API user-role Keys müssen 'contact=' angeben — verhindert vollständige Tenant-Enumeration
- SEC: Domain-Regex-Validierung in handleCertACME vor filepath.Join und certbot-Aufruf
- docs: README und config.test.yml auf Manticore Search aktualisiert (kein Xapian mehr)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
sysops
2026-05-28 23:55:31 +02:00
parent 8d950b48f7
commit fa9f77782c
5 changed files with 39 additions and 37 deletions
+6 -7
@@ -64,6 +64,12 @@ func (s *Server) handleV1SearchMails(w http.ResponseWriter, r *http.Request) {
Page: page,
}
// User-role keys must always scope their search to a specific contact address.
if akSess.Role == "user" && contactFilter == "" {
writeError(w, http.StatusBadRequest, "user-role API keys require the 'contact' parameter")
return
}
// "contact" searches both From and To fields via OwnEmail.
if contactFilter != "" {
req.OwnEmail = contactFilter
@@ -153,13 +159,6 @@ func (s *Server) handleV1SearchMails(w http.ResponseWriter, r *http.Request) {
}
m.HasAttachments = len(pm.Attachments) > 0
// Role-based filtering: "user" role only sees mails they are involved in.
if akSess.Role == "user" {
// User keys need a contact filter or the mail must belong to the tenant.
// For user-role keys without explicit contact filter, we still return
// all tenant mails (tenant isolation is handled by the index).
}
mails = append(mails, m)
}
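Review bot: The guard added in the first hunk (`if akSess.Role == "user" && contactFilter == ""`) only checks that a `contact` value is present; it does not tie that value to the identity behind the key, so unless `contactFilter` is validated against the key's own address(es) somewhere outside this hunk, a user-role key can still scope a search to any address in the tenant and the enumeration the commit message aims to stop is only made one-address-at-a-time. I would follow the 400 with an ownership check that rejects a foreign address with 403, e.g. `if akSess.Role == "user" && !keyMayAccessContact(akSess, contactFilter) { writeError(w, http.StatusForbidden, "contact not permitted for this API key"); return }` (helper name is a placeholder for whatever the session type exposes). If `contactFilter` is not trimmed before this point, `strings.TrimSpace(contactFilter) == ""` would also stop a whitespace-only value from satisfying the guard. handleV1SearchMails begins and ends outside both hunks, so the binding of `contactFilter` and `akSess` is not visible here.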