feat(admin): Phase 4 — doctor, admin completeness, and bubbletea TUI

Adds the admin/diagnostics surface from SPEC §7.2:

- doctor [--account]: per-account IMAP + (RW) SMTP connectivity/auth checks via
  new mail.CheckIMAP/CheckSMTP (connect+auth only, no mail). Exit non-zero on any
  failure; secrets never printed.
- store.UpdateAccount: partial edit, re-encrypts password/secrets only when a
  non-empty value is supplied (blank keeps existing). RecentAuditFor(account).
- config set/get (validates audit_retention_days), audit list [--account][--limit],
  account edit (flag partial-update) / remove [--yes].
- internal/tui: bubbletea AccountForm with pure, fully-tested Fields (validation +
  store.Account assembly + edit prefill). init / bare `account add` / `account edit
  --name X` drop into the TUI; flag forms remain for scripting.

Built test-first; full suite green incl -race. Validated live against the mxlogin
(password) and Gmail (app-password) accounts. Live validation caught a real bug:
doctor authenticated with empty passwords because it iterated ListAccounts (which
strips secrets) — fixed to re-fetch via GetAccount, locked in by a regression test.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

internal/cli/run_test.go

@@ -36,7 +36,7 @@ func TestListUsageErrorIsJSON(t *testing.T) {
 	// Agent command with a missing required flag emits a JSON error envelope.
 	var out, errOut bytes.Buffer
 	t.Setenv("EMCLI_KEY", b64Key())
-	t.Setenv("EMCLI_DB", "") // default path is fine; command fails before connecting
+	t.Setenv("EMCLI_DB", "")                     // default path is fine; command fails before connecting
 	code := Run([]string{"list"}, &out, &errOut) // missing --account
 	if code == 0 {
 		t.Fatal("missing --account should be non-zero")