fix: stop storing code review findings in dashboard, use PR comments only

Code review findings are not actionable in the findings dashboard — they
lack PR context and clutter the list. The PR review pipeline already
posts inline comments directly on PRs (GitHub, Gitea, GitLab), which is
the appropriate place for code review feedback.

- Remove LLM code review stage from the scan pipeline (orchestrator)
- Remove "Code Review" option from the findings type filter dropdown

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

compliance-agent/src/config.rs

@@ -54,6 +54,9 @@ pub fn load_config() -> Result<AgentConfig, AgentError> {
         pentest_verification_email: env_var_opt("PENTEST_VERIFICATION_EMAIL"),
         pentest_imap_host: env_var_opt("PENTEST_IMAP_HOST"),
         pentest_imap_port: env_var_opt("PENTEST_IMAP_PORT").and_then(|p| p.parse().ok()),
+        pentest_imap_tls: env_var_opt("PENTEST_IMAP_TLS")
+            .map(|v| v == "1" || v.eq_ignore_ascii_case("true"))
+            .unwrap_or(true),
         pentest_imap_username: env_var_opt("PENTEST_IMAP_USERNAME"),
         pentest_imap_password: env_secret_opt("PENTEST_IMAP_PASSWORD"),
     })

compliance-agent/src/pentest/cleanup.rs

@@ -336,6 +336,7 @@ mod tests {
             pentest_verification_email: None,
             pentest_imap_host: None,
             pentest_imap_port: None,
+            pentest_imap_tls: true,
             pentest_imap_username: None,
             pentest_imap_password: None,
         }

compliance-agent/src/pipeline/orchestrator.rs

@@ -10,7 +10,6 @@ use compliance_core::AgentConfig;
 use crate::database::Database;
 use crate::error::AgentError;
 use crate::llm::LlmClient;
-use crate::pipeline::code_review::CodeReviewScanner;
 use crate::pipeline::cve::CveScanner;
 use crate::pipeline::git::GitOps;
 use crate::pipeline::gitleaks::GitleaksScanner;
@@ -241,21 +240,6 @@ impl PipelineOrchestrator {
             Err(e) => tracing::warn!("[{repo_id}] Lint scanning failed: {e}"),
         }
 
-        // Stage 4c: LLM Code Review (only on incremental scans)
-        if let Some(old_sha) = &repo.last_scanned_commit {
-            tracing::info!("[{repo_id}] Stage 4c: LLM Code Review");
-            self.update_phase(scan_run_id, "code_review").await;
-            let review_output = async {
-                let reviewer = CodeReviewScanner::new(self.llm.clone());
-                reviewer
-                    .review_diff(&repo_path, &repo_id, old_sha, &current_sha)
-                    .await
-            }
-            .instrument(tracing::info_span!("stage_code_review"))
-            .await;
-            all_findings.extend(review_output.findings);
-        }
-
         // Stage 4.5: Graph Building
         tracing::info!("[{repo_id}] Stage 4.5: Graph Building");
         self.update_phase(scan_run_id, "graph_building").await;

compliance-core/src/config.rs

@@ -33,6 +33,8 @@ pub struct AgentConfig {
     pub pentest_verification_email: Option<String>,
     pub pentest_imap_host: Option<String>,
     pub pentest_imap_port: Option<u16>,
+    /// Use implicit TLS (IMAPS, port 993) instead of plain IMAP.
+    pub pentest_imap_tls: bool,
     pub pentest_imap_username: Option<String>,
     pub pentest_imap_password: Option<SecretString>,
 }

compliance-dashboard/src/pages/findings.rs

@@ -123,7 +123,6 @@ pub fn FindingsPage() -> Element {
                 option { value: "oauth", "OAuth" }
                 option { value: "secret_detection", "Secrets" }
                 option { value: "lint", "Lint" }
-                option { value: "code_review", "Code Review" }
             }
             select {
                 onchange: move |e| { status_filter.set(e.value()); page.set(1); },

deploy/docker-compose.mailserver.yml

@@ -8,14 +8,14 @@ services:
     container_name: mailserver
     ports:
       - "25:25"      # SMTP (inbound mail)
-      - "143:143"    # IMAP (orchestrator reads mail)
-      - "993:993"    # IMAPS (TLS)
-      - "587:587"    # Submission (outbound, if needed)
+      - "993:993"    # IMAPS (TLS-only)
+      - "587:587"    # Submission (STARTTLS)
     volumes:
       - maildata:/var/mail
       - mailstate:/var/mail-state
       - maillogs:/var/log/mail
       - /etc/localtime:/etc/localtime:ro
+      - /etc/letsencrypt:/etc/letsencrypt:ro
     environment:
       # Hostname
       - OVERRIDE_HOSTNAME=mail.scanner.meghsakha.com
@@ -34,8 +34,14 @@ services:
       # Plus-addressing (critical for pentest)
       - POSTFIX_RECIPIENT_DELIMITER=+
 
-      # SSL (start with no TLS, add Let's Encrypt later)
-      - SSL_TYPE=
+      # TLS — use Let's Encrypt certs mounted from Coolify/Caddy
+      - SSL_TYPE=manual
+      - SSL_CERT_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/fullchain.pem
+      - SSL_KEY_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/privkey.pem
+
+      # Require TLS before accepting PLAIN/LOGIN auth (CERT-Bund compliance)
+      # Disable plaintext auth on unencrypted connections
+      - DOVECOT_DISABLE_PLAINTEXT_AUTH=yes
 
       # Accept mail for our domain
       - PERMIT_DOCKER=none