feat: Enhance Dockerfile for Caddy with security patches and automate dependency management

- Added custom manager in renovate.json to track Go dependencies patched in Dockerfile for Caddy CVE fixes.
- Updated Dockerfile to pre-fetch and override vulnerable module versions for dependencies (expr, quic-go, smallstep/certificates) during the build process.
- Improved build resilience by implementing a fallback mechanism for Caddy versioning.
- Introduced tests for user SMTP audit, covering invite token security, input validation, authorization, and SMTP config security.
- Enhanced user invite functionality with duplicate email protection and case-insensitive checks.
- Updated go.work.sum to include new dependencies and ensure compatibility.

.github/agents/QA_Security.agent.md

@@ -1,8 +1,7 @@
 name: QA_Security
 description: Security Engineer and QA specialist focused on breaking the implementation.
 argument-hint: The feature or endpoint to audit (e.g., "Audit the new Proxy Host creation flow")
-# ADDED 'write_file' and 'list_dir' below
-tools: ['search', 'runSubagent', 'read_file', 'run_terminal_command', 'usages', 'write_file', 'list_dir']
+tools: ['search', 'runSubagent', 'read_file', 'run_terminal_command', 'usages', 'write_file', 'list_dir', 'run_task']
 
 ---
 You are a SECURITY ENGINEER and QA SPECIALIST.
@@ -31,6 +30,33 @@ Your job is to act as an ADVERSARY. The Developer says "it works"; your job is t
     -   **Cleanup**: If the test was temporary, delete it. If it's valuable, keep it.
 </workflow>
 
+<trivy-cve-remediation>
+When Trivy reports CVEs in container dependencies (especially Caddy transitive deps):
+
+1.  **Triage**: Determine if CVE is in OUR code or a DEPENDENCY.
+    -   If ours: Fix immediately.
+    -   If dependency (e.g., Caddy's transitive deps): Patch in Dockerfile.
+
+2.  **Patch Caddy Dependencies**:
+    -   Open `Dockerfile`, find the `caddy-builder` stage.
+    -   Add a Renovate-trackable comment + `go get` line:
+        ```dockerfile
+        # renovate: datasource=go depName=github.com/OWNER/REPO
+        go get github.com/OWNER/REPO@vX.Y.Z || true; \
+        ```
+    -   Run `go mod tidy` after all patches.
+    -   The `XCADDY_SKIP_CLEANUP=1` pattern preserves the build env for patching.
+
+3.  **Verify**:
+    -   Rebuild: `docker build --no-cache -t charon:local-patched .`
+    -   Re-scan: `docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image --severity CRITICAL,HIGH charon:local-patched`
+    -   Expect 0 vulnerabilities for patched libs.
+
+4.  **Renovate Tracking**:
+    -   Ensure `.github/renovate.json` has a `customManagers` regex for `# renovate:` comments in Dockerfile.
+    -   Renovate will auto-PR when newer versions release.
+</trivy-cve-remediation>
+
 <constraints>
 - **TERSE OUTPUT**: Do not explain the code. Output ONLY the code blocks or command results.
 - **NO CONVERSATION**: If the task is done, output "DONE".

.github/renovate.json

@@ -16,7 +16,27 @@
   "vulnerabilityAlerts": { "enabled": true },
   "schedule": ["every weekday"],
   "rangeStrategy": "bump",
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
+      "fileMatch": ["^Dockerfile$"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=go\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s*go get (?<depName2>[^@]+)@v(?<currentValue>[^\\s|]+)"
+      ],
+      "datasourceTemplate": "go",
+      "versioningTemplate": "semver"
+    }
+  ],
   "packageRules": [
+    {
+      "description": "Caddy transitive dependency patches in Dockerfile",
+      "matchManagers": ["regex"],
+      "matchFileNames": ["Dockerfile"],
+      "matchPackagePatterns": ["expr-lang/expr", "quic-go/quic-go", "smallstep/certificates"],
+      "labels": ["dependencies", "caddy-patch", "security"],
+      "automerge": true
+    },
     {
       "description": "Automerge safe patch updates",
       "matchUpdateTypes": ["patch"],