feat(admin): Phase 4 — doctor, admin completeness, and bubbletea TUI

Adds the admin/diagnostics surface from SPEC §7.2:

- doctor [--account]: per-account IMAP + (RW) SMTP connectivity/auth checks via
  new mail.CheckIMAP/CheckSMTP (connect+auth only, no mail). Exit non-zero on any
  failure; secrets never printed.
- store.UpdateAccount: partial edit, re-encrypts password/secrets only when a
  non-empty value is supplied (blank keeps existing). RecentAuditFor(account).
- config set/get (validates audit_retention_days), audit list [--account][--limit],
  account edit (flag partial-update) / remove [--yes].
- internal/tui: bubbletea AccountForm with pure, fully-tested Fields (validation +
  store.Account assembly + edit prefill). init / bare `account add` / `account edit
  --name X` drop into the TUI; flag forms remain for scripting.

Built test-first; full suite green incl -race. Validated live against the mxlogin
(password) and Gmail (app-password) accounts. Live validation caught a real bug:
doctor authenticated with empty passwords because it iterated ListAccounts (which
strips secrets) — fixed to re-fetch via GetAccount, locked in by a regression test.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

internal/store/account.go

@@ -100,6 +100,42 @@ func (s *Store) ListAccounts() ([]Account, error) {
 	return out, rows.Err()
 }
 
+// UpdateAccount updates an existing account's mutable fields, matched by Name.
+// The password and OAuth secrets are re-encrypted only when a non-empty value is
+// supplied; a blank value preserves whatever is already stored. Returns
+// ErrAccountNotFound if no account has that name.
+func (s *Store) UpdateAccount(a Account) error {
+	// Build the SET clause, conditionally including secret columns.
+	set := `mode=?, imap_host=?, imap_port=?, imap_security=?,
+	        smtp_host=?, smtp_port=?, smtp_security=?,
+	        auth_type=?, username=?,
+	        whitelist_in_enabled=?, whitelist_out_enabled=?, subject_regex=?, process_backlog=?`
+	args := []any{
+		a.Mode, a.IMAPHost, a.IMAPPort, a.IMAPSecurity,
+		nullStr(a.SMTPHost), nullInt(a.SMTPPort), nullStr(a.SMTPSecurity),
+		a.AuthType, a.Username,
+		b2i(a.WhitelistInEnabled), b2i(a.WhitelistOutEnabled),
+		nullStr(a.SubjectRegex), b2i(a.ProcessBacklog),
+	}
+	if a.Password != "" {
+		enc, err := crypto.Seal(s.key, []byte(a.Password))
+		if err != nil {
+			return err
+		}
+		set += ", enc_password=?"
+		args = append(args, enc)
+	}
+	args = append(args, a.Name)
+	res, err := s.db.Exec("UPDATE accounts SET "+set+" WHERE name=?", args...)
+	if err != nil {
+		return fmt.Errorf("update account: %w", err)
+	}
+	if n, _ := res.RowsAffected(); n == 0 {
+		return ErrAccountNotFound
+	}
+	return nil
+}
+
 func (s *Store) DeleteAccount(name string) error {
 	res, err := s.db.Exec("DELETE FROM accounts WHERE name = ?", name)
 	if err != nil {

internal/store/audit.go

@@ -43,8 +43,21 @@ func (s *Store) PurgeAudit(now time.Time) (int64, error) {
 }
 
 func (s *Store) RecentAudit(limit int) ([]AuditEntry, error) {
-	rows, err := s.db.Query(
-		"SELECT ts,account,action,target,result,COALESCE(reason,'') FROM audit_log ORDER BY id DESC LIMIT ?", limit)
+	return s.RecentAuditFor("", limit)
+}
+
+// RecentAuditFor returns recent audit entries, newest first. An empty account
+// returns entries for all accounts; otherwise only that account's entries.
+func (s *Store) RecentAuditFor(account string, limit int) ([]AuditEntry, error) {
+	q := "SELECT ts,account,action,target,result,COALESCE(reason,'') FROM audit_log"
+	var args []any
+	if account != "" {
+		q += " WHERE account=?"
+		args = append(args, account)
+	}
+	q += " ORDER BY id DESC LIMIT ?"
+	args = append(args, limit)
+	rows, err := s.db.Query(q, args...)
 	if err != nil {
 		return nil, err
 	}

internal/store/update_test.go

@@ -0,0 +1,82 @@
+package store
+
+import (
+	"testing"
+	"time"
+)
+
+func TestUpdateAccountChangesFieldsKeepsPasswordWhenBlank(t *testing.T) {
+	s := openTemp(t)
+	if _, err := s.AddAccount(sampleAccount()); err != nil { // RO, password "s3cr3t"
+		t.Fatalf("AddAccount: %v", err)
+	}
+	upd := sampleAccount()
+	upd.Mode = "RW"
+	upd.IMAPPort = 143
+	upd.SMTPHost = "smtp.example.com"
+	upd.SMTPPort = 587
+	upd.SMTPSecurity = "starttls"
+	upd.Password = "" // blank => keep existing password
+	if err := s.UpdateAccount(upd); err != nil {
+		t.Fatalf("UpdateAccount: %v", err)
+	}
+	got, err := s.GetAccount("work")
+	if err != nil {
+		t.Fatalf("GetAccount: %v", err)
+	}
+	if got.Mode != "RW" || got.IMAPPort != 143 || got.SMTPHost != "smtp.example.com" || got.SMTPPort != 587 {
+		t.Fatalf("fields not updated: %+v", got)
+	}
+	if got.Password != "s3cr3t" {
+		t.Fatalf("blank password should preserve existing, got %q", got.Password)
+	}
+}
+
+func TestUpdateAccountReEncryptsNewPassword(t *testing.T) {
+	s := openTemp(t)
+	_, _ = s.AddAccount(sampleAccount())
+	upd := sampleAccount()
+	upd.Password = "n3wpass"
+	if err := s.UpdateAccount(upd); err != nil {
+		t.Fatalf("UpdateAccount: %v", err)
+	}
+	got, _ := s.GetAccount("work")
+	if got.Password != "n3wpass" {
+		t.Fatalf("password not updated: %q", got.Password)
+	}
+	// And it is encrypted at rest.
+	var blob []byte
+	_ = s.db.QueryRow("SELECT enc_password FROM accounts WHERE name='work'").Scan(&blob)
+	if string(blob) == "n3wpass" || len(blob) == 0 {
+		t.Fatalf("new password not encrypted at rest")
+	}
+}
+
+func TestUpdateAccountMissing(t *testing.T) {
+	s := openTemp(t)
+	if err := s.UpdateAccount(sampleAccount()); err == nil {
+		t.Fatal("updating a non-existent account must error")
+	}
+}
+
+func TestRecentAuditForFiltersByAccount(t *testing.T) {
+	s := openTemp(t)
+	now := time.Date(2026, 6, 22, 0, 0, 0, 0, time.UTC)
+	_ = s.Audit(now, AuditEntry{Account: "a", Action: "list", Target: "INBOX", Result: "allowed"})
+	_ = s.Audit(now, AuditEntry{Account: "b", Action: "send", Target: "x@y.com", Result: "allowed"})
+	_ = s.Audit(now, AuditEntry{Account: "a", Action: "get", Target: "1", Result: "allowed"})
+
+	all, err := s.RecentAuditFor("", 50)
+	if err != nil || len(all) != 3 {
+		t.Fatalf("RecentAuditFor all: len=%d err=%v", len(all), err)
+	}
+	onlyA, err := s.RecentAuditFor("a", 50)
+	if err != nil || len(onlyA) != 2 {
+		t.Fatalf("RecentAuditFor a: len=%d err=%v", len(onlyA), err)
+	}
+	for _, e := range onlyA {
+		if e.Account != "a" {
+			t.Fatalf("filter leaked account %q", e.Account)
+		}
+	}
+}