fix: verify SMTP TLS in send_message_tool

Add regression coverage for the standalone email send path and pass an explicit default SSL context to STARTTLS for certificate verification, matching the gateway email adapter hardening salvaged from PR #994.

tests/gateway/test_email.py

@@ -1007,8 +1007,9 @@ class TestSendEmailStandalone(unittest.TestCase):
         "EMAIL_SMTP_PORT": "587",
     })
     def test_send_email_tool_success(self):
-        """_send_email should use SMTP to send."""
+        """_send_email should use verified STARTTLS when sending."""
         import asyncio
+        import ssl
         from tools.send_message_tool import _send_email
 
         with patch("smtplib.SMTP") as mock_smtp:
@@ -1021,6 +1022,8 @@ class TestSendEmailStandalone(unittest.TestCase):
 
             self.assertTrue(result["success"])
             self.assertEqual(result["platform"], "email")
+            _, kwargs = mock_server.starttls.call_args
+            self.assertIsInstance(kwargs["context"], ssl.SSLContext)
 
     @patch.dict(os.environ, {
         "EMAIL_ADDRESS": "hermes@test.com",

tools/send_message_tool.py

@@ -9,6 +9,7 @@ import json
 import logging
 import os
 import re
+import ssl
 import time
 
 logger = logging.getLogger(__name__)
@@ -432,7 +433,7 @@ async def _send_email(extra, chat_id, message):
         msg["Subject"] = "Hermes Agent"
 
         server = smtplib.SMTP(smtp_host, smtp_port)
-        server.starttls()
+        server.starttls(context=ssl.create_default_context())
         server.login(address, password)
         server.send_message(msg)
         server.quit()