feat(admin): Phase 4 — doctor, admin completeness, and bubbletea TUI

Adds the admin/diagnostics surface from SPEC §7.2:

- doctor [--account]: per-account IMAP + (RW) SMTP connectivity/auth checks via
  new mail.CheckIMAP/CheckSMTP (connect+auth only, no mail). Exit non-zero on any
  failure; secrets never printed.
- store.UpdateAccount: partial edit, re-encrypts password/secrets only when a
  non-empty value is supplied (blank keeps existing). RecentAuditFor(account).
- config set/get (validates audit_retention_days), audit list [--account][--limit],
  account edit (flag partial-update) / remove [--yes].
- internal/tui: bubbletea AccountForm with pure, fully-tested Fields (validation +
  store.Account assembly + edit prefill). init / bare `account add` / `account edit
  --name X` drop into the TUI; flag forms remain for scripting.

Built test-first; full suite green incl -race. Validated live against the mxlogin
(password) and Gmail (app-password) accounts. Live validation caught a real bug:
doctor authenticated with empty passwords because it iterated ListAccounts (which
strips secrets) — fixed to re-fetch via GetAccount, locked in by a regression test.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

internal/store/update_test.go

@@ -0,0 +1,82 @@
+package store
+
+import (
+	"testing"
+	"time"
+)
+
+func TestUpdateAccountChangesFieldsKeepsPasswordWhenBlank(t *testing.T) {
+	s := openTemp(t)
+	if _, err := s.AddAccount(sampleAccount()); err != nil { // RO, password "s3cr3t"
+		t.Fatalf("AddAccount: %v", err)
+	}
+	upd := sampleAccount()
+	upd.Mode = "RW"
+	upd.IMAPPort = 143
+	upd.SMTPHost = "smtp.example.com"
+	upd.SMTPPort = 587
+	upd.SMTPSecurity = "starttls"
+	upd.Password = "" // blank => keep existing password
+	if err := s.UpdateAccount(upd); err != nil {
+		t.Fatalf("UpdateAccount: %v", err)
+	}
+	got, err := s.GetAccount("work")
+	if err != nil {
+		t.Fatalf("GetAccount: %v", err)
+	}
+	if got.Mode != "RW" || got.IMAPPort != 143 || got.SMTPHost != "smtp.example.com" || got.SMTPPort != 587 {
+		t.Fatalf("fields not updated: %+v", got)
+	}
+	if got.Password != "s3cr3t" {
+		t.Fatalf("blank password should preserve existing, got %q", got.Password)
+	}
+}
+
+func TestUpdateAccountReEncryptsNewPassword(t *testing.T) {
+	s := openTemp(t)
+	_, _ = s.AddAccount(sampleAccount())
+	upd := sampleAccount()
+	upd.Password = "n3wpass"
+	if err := s.UpdateAccount(upd); err != nil {
+		t.Fatalf("UpdateAccount: %v", err)
+	}
+	got, _ := s.GetAccount("work")
+	if got.Password != "n3wpass" {
+		t.Fatalf("password not updated: %q", got.Password)
+	}
+	// And it is encrypted at rest.
+	var blob []byte
+	_ = s.db.QueryRow("SELECT enc_password FROM accounts WHERE name='work'").Scan(&blob)
+	if string(blob) == "n3wpass" || len(blob) == 0 {
+		t.Fatalf("new password not encrypted at rest")
+	}
+}
+
+func TestUpdateAccountMissing(t *testing.T) {
+	s := openTemp(t)
+	if err := s.UpdateAccount(sampleAccount()); err == nil {
+		t.Fatal("updating a non-existent account must error")
+	}
+}
+
+func TestRecentAuditForFiltersByAccount(t *testing.T) {
+	s := openTemp(t)
+	now := time.Date(2026, 6, 22, 0, 0, 0, 0, time.UTC)
+	_ = s.Audit(now, AuditEntry{Account: "a", Action: "list", Target: "INBOX", Result: "allowed"})
+	_ = s.Audit(now, AuditEntry{Account: "b", Action: "send", Target: "x@y.com", Result: "allowed"})
+	_ = s.Audit(now, AuditEntry{Account: "a", Action: "get", Target: "1", Result: "allowed"})
+
+	all, err := s.RecentAuditFor("", 50)
+	if err != nil || len(all) != 3 {
+		t.Fatalf("RecentAuditFor all: len=%d err=%v", len(all), err)
+	}
+	onlyA, err := s.RecentAuditFor("a", 50)
+	if err != nil || len(onlyA) != 2 {
+		t.Fatalf("RecentAuditFor a: len=%d err=%v", len(onlyA), err)
+	}
+	for _, e := range onlyA {
+		if e.Account != "a" {
+			t.Fatalf("filter leaked account %q", e.Account)
+		}
+	}
+}