feat(dev-deploy): relay Mailpit to Gmail (Stage 3)

Keep Mailpit as the backend's SMTP submission point and turn on its
relay so OTP/notification mail addressed to the owner reaches a real
Gmail inbox, while everything else stays captured-only.

- mailpit gains --smtp-relay-config + --smtp-relay-matching (default
  non-routable, so an unconfigured stack only captures); relay.conf is
  mounted from a new galaxy-dev-mailpit-config volume
- tools/dev-deploy/mailpit/relay.conf.tmpl + a dev-deploy.yaml step that
  renders it from Gitea secrets (Gmail App Password, never committed)
  and seeds the volume; the GALAXY_DEV_MAIL_RELAY_MATCH var drives the
  relay-matching recipient
- backend SMTP config unchanged (still -> galaxy-mailpit:1025)
- dev-deploy README documents the relay + required secrets/vars

Verified locally: compose config valid; the rendered relay.conf is
accepted by mailpit v1.21.8 (relay + recipient-matching enabled).
Real Gmail delivery is verified at the dev-deploy preview once the
owner sets the secrets.

.gitea/workflows/dev-deploy.yaml

@@ -148,6 +148,31 @@ jobs:
             -v "${{ gitea.workspace }}/pkg/geoip/test-data/test-data:/src:ro" \
             alpine sh -c 'cp /src/GeoIP2-Country-Test.mmdb /dst/geoip.mmdb'
 
+      - name: Seed mailpit relay config
+        env:
+          GALAXY_DEV_MAIL_RELAY_USERNAME: ${{ secrets.GALAXY_DEV_MAIL_RELAY_USERNAME }}
+          GALAXY_DEV_MAIL_RELAY_PASSWORD: ${{ secrets.GALAXY_DEV_MAIL_RELAY_PASSWORD }}
+        run: |
+          # Render the Mailpit relay upstream config from the template,
+          # substituting the Gmail App Password from a Gitea secret, then
+          # seed it into a named volume (same rationale as the geoip seed:
+          # a workspace bind-mount would vanish with the runner workspace).
+          # The secret never lands in git or a committed file; it is
+          # rendered to a tmpfile outside the repo and removed after. Gmail
+          # App Passwords are [a-z]{16}, so the `|` sed delimiter is safe.
+          # When the secret is unset the creds render empty and the compose
+          # default relay-match is non-routable, so the stack only captures.
+          rendered="$(mktemp)"
+          sed -e "s|\${GALAXY_DEV_MAIL_RELAY_USERNAME}|${GALAXY_DEV_MAIL_RELAY_USERNAME}|g" \
+              -e "s|\${GALAXY_DEV_MAIL_RELAY_PASSWORD}|${GALAXY_DEV_MAIL_RELAY_PASSWORD}|g" \
+              "${{ gitea.workspace }}/tools/dev-deploy/mailpit/relay.conf.tmpl" > "$rendered"
+          docker volume create galaxy-dev-mailpit-config >/dev/null
+          docker run --rm \
+            -v galaxy-dev-mailpit-config:/dst \
+            -v "$rendered:/src/relay.conf:ro" \
+            alpine sh -c 'cp /src/relay.conf /dst/relay.conf && chmod 600 /dst/relay.conf'
+          rm -f "$rendered"
+
       - name: Recycle engine containers on image drift
         run: |
           # Compare the freshly-built `galaxy-engine:dev` SHA against
@@ -231,6 +256,11 @@ jobs:
 
       - name: Bring up the stack
         working-directory: tools/dev-deploy
+        env:
+          # Recipient regex Mailpit auto-relays to the owner's Gmail.
+          # Unset/empty → the compose default (non-routable) keeps the
+          # stack capture-only.
+          GALAXY_DEV_MAIL_RELAY_MATCH: ${{ vars.GALAXY_DEV_MAIL_RELAY_MATCH }}
         run: |
           # Resolve in the shell, not in YAML expressions — `env.HOME`
           # is empty at the workflow-evaluation stage.