Implement M3: expiration threshold alerting with dedup and status transitions

- Add alert_thresholds_days JSONB column to renewal_policies (default [30,14,7,0]) - Add RenewalPolicy.AlertThresholdsDays field + EffectiveAlertThresholds() helper - Add RenewalPolicyRepository interface + postgres implementation - Rewrite CheckExpiringCertificates with per-policy threshold alerting - Add SendThresholdAlert + HasThresholdNotification for deduplication via [threshold:N] tags - Add Type and MessageLike filters to NotificationFilter + postgres query support - Auto-transition certs to Expiring (>0 days) or Expired (<=0 days) status - Record expiration_alert_sent audit events per threshold crossing - Fix .gitignore: allow SQL migration files, scope server/agent build artifact rules - Track previously untracked cmd/ and migrations/ directories - Update docs (README, architecture, demo-advanced) for threshold alerting Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-12 20:38:53 +00:00 · 2026-03-15 00:03:43 -04:00
parent ae67b10708
commit 1d1b89c9b5
17 changed files with 1485 additions and 37 deletions
@@ -34,12 +34,26 @@ func NewNotificationService(
 	}
 }

-// SendExpirationWarning sends a certificate expiration warning.
+// SendExpirationWarning sends a certificate expiration warning for a specific threshold.
 func (s *NotificationService) SendExpirationWarning(ctx context.Context, cert *domain.ManagedCertificate, daysUntilExpiry int) error {
-	body := fmt.Sprintf(
-		"The certificate for %s will expire in %d days (%s).\n\nPlease schedule renewal.",
-		cert.CommonName, daysUntilExpiry, cert.ExpiresAt.Format("2006-01-02"),
-	)
+	return s.SendThresholdAlert(ctx, cert, daysUntilExpiry, daysUntilExpiry)
+}
+
+// SendThresholdAlert sends an expiration alert for a specific threshold (e.g., 30-day, 14-day, expired).
+// The threshold parameter indicates which configured threshold triggered the alert.
+func (s *NotificationService) SendThresholdAlert(ctx context.Context, cert *domain.ManagedCertificate, daysUntilExpiry int, threshold int) error {
+	var body string
+	if threshold <= 0 {
+		body = fmt.Sprintf(
+			"[EXPIRED] The certificate for %s has expired (%s).\n\nImmediate action required.\n\n[threshold:%d]",
+			cert.CommonName, cert.ExpiresAt.Format("2006-01-02"), threshold,
+		)
+	} else {
+		body = fmt.Sprintf(
+			"The certificate for %s will expire in %d days (%s).\n\nPlease schedule renewal.\n\n[threshold:%d]",
+			cert.CommonName, daysUntilExpiry, cert.ExpiresAt.Format("2006-01-02"), threshold,
+		)
+	}

 	// Create notification record
 	notif := &domain.NotificationEvent{
@@ -61,6 +75,24 @@ func (s *NotificationService) SendExpirationWarning(ctx context.Context, cert *d
 	return s.sendNotification(ctx, notif)
 }

+// HasThresholdNotification checks whether an expiration warning has already been sent
+// for a specific certificate and threshold combination. Used for deduplication.
+func (s *NotificationService) HasThresholdNotification(ctx context.Context, certID string, threshold int) (bool, error) {
+	filter := &repository.NotificationFilter{
+		CertificateID: certID,
+		Type:          string(domain.NotificationTypeExpirationWarning),
+		MessageLike:   fmt.Sprintf("%%[threshold:%d]%%", threshold),
+		PerPage:       1,
+	}
+
+	existing, err := s.notifRepo.List(ctx, filter)
+	if err != nil {
+		return false, fmt.Errorf("failed to check existing notifications: %w", err)
+	}
+
+	return len(existing) > 0, nil
+}
+
 // SendRenewalNotification sends a renewal success or failure notification.
 func (s *NotificationService) SendRenewalNotification(ctx context.Context, cert *domain.ManagedCertificate, success bool, err error) error {
 	var body string