Fix Serilog email sink: configure in code, not JSON config

Serilog.Settings.Configuration cannot deserialize NetworkCredential or
MailKit's SecureSocketOptions from JSON, causing an InvalidOperationException
in the binder and preventing containers from starting.

Fix: remove Email from the WriteTo JSON array entirely and wire it in code
inside ConfigureJsonSerilog using a dedicated SerilogEmail:* config section.
The sink is skipped when From/To/Host are absent, so local dev is unaffected.

Also renames the docker-compose env vars from the verbose
Serilog__WriteTo__2__Args__* prefix to the clean SerilogEmail__* prefix.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Apis/api/Controllers/FileDownloadController.cs

@@ -69,6 +69,8 @@ namespace Api.Controllers
         {
             try
             {
+                var userIp = HttpContext.Connection.RemoteIpAddress?.ToString();
+
                 // Captcha required on the initial (full) download only — range requests are resume continuations.
                 var isRangeRequest = !string.IsNullOrEmpty(Request.Headers[HeaderNames.Range].ToString());
                 if (!isRangeRequest)
@@ -79,7 +81,6 @@ namespace Api.Controllers
                         return BadRequest(new ErrorResponse { Error = "Captcha token is required.", Code = "captcha_token_missing" });
                     }
 
-                    var userIp = HttpContext.Connection.RemoteIpAddress?.ToString();
                     var verdict = await _captcha.VerifyAsync(captchaToken, userIp, "file_download", CancellationToken.None);
                     if (!verdict.Success)
                     {
@@ -125,7 +126,6 @@ namespace Api.Controllers
                 if (!_contentTypeProvider.TryGetContentType(filePath, out var contentType))
                     contentType = "application/octet-stream";
 
-                var userIp = HttpContext.Connection.RemoteIpAddress?.ToString();
                 _ = Task.Run(async () =>
                 {
                     try