feat: Enable Email Notifications#800
Merged
Wikid82 merged 102 commits intodevelopmentfrom Mar 9, 2026
Merged
Conversation
…n-major-updates chore(deps): update github/codeql-action digest to b6dfacb (feature/beta-release)
Wikid82
added
enhancement
Contributor
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
Contributor
✅ Supply Chain Verification Results✅ PASSED 📦 SBOM Summary
🔍 Vulnerability Scan
📎 Artifacts
Generated by Supply Chain Verification workflow • View Details |
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
…Strategy" in agent instructions
Remove all deprecated Shoutrrr integration artifacts and dead legacy fallback code from the notification subsystem. - Remove legacySendFunc field, ErrLegacyFallbackDisabled error, and legacyFallbackInvocationError() from notification service - Delete ShouldUseLegacyFallback() from notification router; simplify ShouldUseNotify() by removing now-dead providerEngine parameter - Remove EngineLegacy engine constant; EngineNotifyV1 is the sole engine - Remove legacy.fallback_enabled feature flag, retiredLegacyFallbackEnvAliases, and parseFlagBool/resolveRetiredLegacyFallback helpers from flags handler - Remove orphaned EmailRecipients field from NotificationConfig model - Delete feature_flags_coverage_v2_test.go (tested only the retired flag path) - Delete security_notifications_test.go.archived (stale archived file) - Move FIREFOX_E2E_FIXES_SUMMARY.md to docs/implementation/ - Remove root-level scan artifacts tracked in error; add gitignore patterns to prevent future tracking of trivy-report.json and related outputs - Update ARCHITECTURE.instructions.md: Notifications row Shoutrrr → Notify No functional changes to active notification dispatch or mail delivery.
Add email as a recognized, feature-flagged notification service type. The flag defaults to false and acts as a dispatch gate alongside the existing discord, gotify, and webhook notification service flags. - Add FlagEmailServiceEnabled constant to the notifications feature flag registry with the canonical key convention - Register the flag in the handler defaults so it appears in the feature flags API response with a false default - Recognise 'email' as a supported notification provider type so that providers of this type pass the type validation gate - Gate email dispatch on the new flag in isDispatchEnabled() following the same pattern as gotify and webhook service flags - Expand the E2E test fixtures FeatureFlags interface to include the new flag key so typed fixture objects remain accurate No email message dispatch is wired in this commit; the flag registration alone makes the email provider type valid and toggleable.
…ation After email was recognised as a supported provider type, the existing rejection assertion for unsupported types incorrectly included email in its denial list, causing a nil-dereference panic. - Remove email from the unsupported-type rejection list and cover it in the accepted-types path instead - Correct allFeaturesEnabled fixture to set email flag to true, keeping the fixture semantically consistent with all other service flags
Two unit tests cover the code paths introduced when email was registered as a recognised notification provider type in Stage 2. - TestSendExternal_EmailProviderSkipsJSONTemplate exercises the goroutine warn path where an enabled email provider passes isDispatchEnabled but fails supportsJSONTemplates, producing a warning log without panicking - TestTestProvider_EmailRejectsJSONTemplateStep asserts TestProvider returns a clear error for email providers because the JSON template dispatch path does not apply to email delivery Patch coverage: 6/6 changed lines covered (100%)
…riage information
…VE-2026-22184 in Grype configuration
…1; add unbash and yaml packages
…n-major-updates chore(deps): update dependency knip to ^5.86.0 (feature/beta-release)
- Implemented email notification functionality in the NotificationService. - Added support for rendering email templates based on event types. - Created HTML templates for various notification types (security alerts, SSL events, uptime events, and system events). - Updated the dispatchEmail method to utilize the new email templates. - Added tests for email template rendering and fallback mechanisms. - Enhanced documentation to include email notification setup and usage instructions. - Introduced end-to-end tests for the email notification provider in the settings.
…n-major-updates chore(deps): update release-drafter/release-drafter digest to 6a93d82 (feature/beta-release)
…lementing features - Create sa-generate.md for generating implementation documentation from plans - Create sa-implement.md for executing implementation plans step-by-step - Create sa-plan.md for collaborating with users to design development plans - Add security scan commands for CodeQL, Docker images, Go vulnerabilities, and GORM - Implement SQL code review and optimization commands - Add supply chain vulnerability remediation process - Introduce backend and frontend test commands with coverage checks - Update settings.json for command permissions - Document governance, project overview, code quality rules, and critical architecture rules in CLAUDE.md - Establish root cause analysis protocol and definition of done for development
…r, config loading, and mail service
- Scope base JS/TS configs to only JS/TS file extensions, preventing TypeError when ESLint applies core rules to markdown/CSS/JSON files - Remove silent data loss from duplicate JSON keys in five translation files where the second dashboard block was overriding the first - Fix unsafe optional chaining in CredentialManager that would throw TypeError when providerTypeInfo is undefined - Remove stale eslint-disable directive for a rule now handled globally by the unused-imports plugin - Downgrade high-volume lint rules (testing-library, jsx-a11y, import-x, vitest) from error to warn to unblock development while preserving visibility for incremental cleanup
…and golang.org/x/sys
Contributor
There was a problem hiding this comment.
Pull request overview
Enables Email as a notification provider (Notify-based) and wires feature-flag + SMTP/mail service usage, while also updating security/QA tooling, CI versions, and related docs/tests.
Changes:
- Add Email provider support across backend + frontend provider type lists and tests.
- Introduce email notification templates and a feature flag (
feature.notifications.service.email.enabled) to control dispatch. - Update local/CI security tooling (Semgrep/CodeQL/Trivy ignore docs), Go/Caddy version references, and various planning/agent docs.
Reviewed changes
Copilot reviewed 192 out of 198 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| verify-security-state-for-ui-tests | Root artifact marker (now gitignored) |
| tests/settings/notifications.spec.ts | E2E: include Email in provider type options assertions |
| tests/fixtures/settings.ts | Test fixtures: add email notifications feature flag |
| tests/fixtures/notifications.ts | Test fixtures: add email provider configs and type union |
| scripts/pre-commit-hooks/semgrep-scan.sh | Default Semgrep config + scope/severity filtering |
| scripts/pre-commit-hooks/codeql-js-scan.sh | CodeQL JS scan messaging update (lefthook) |
| scripts/pre-commit-hooks/codeql-go-scan.sh | CodeQL Go scan messaging update (lefthook) |
| scripts/pre-commit-hooks/codeql-check-findings.sh | Update instructions to use lefthook |
| scripts/caddy-compat-matrix.sh | Bump candidate Caddy version default |
| package.json | Dependency bumps (root) |
| go.work | Bump Go workspace version |
| frontend/src/pages/tests/Notifications.test.tsx | Unit test: include email provider type |
| frontend/src/locales/zh/translation.json | Remove dashboard translations (locale change) |
| frontend/src/locales/fr/translation.json | Remove dashboard translations (locale change) |
| frontend/src/locales/es/translation.json | Remove dashboard translations (locale change) |
| frontend/src/locales/de/translation.json | Remove dashboard translations (locale change) |
| frontend/src/components/tests/SecurityNotificationSettingsModal.test.tsx | Unit test: include email provider type |
| frontend/src/components/CredentialManager.tsx | Import order + minor loop refactor |
| frontend/src/api/notifications.ts | Add email to supported provider types |
| frontend/src/api/notifications.test.ts | Update unsupported-type assertion now that email is supported |
| frontend/package.json | Dependency bumps (frontend) |
| eslint.config.js | ESLint config formatting/ignores adjustments |
| docs/reports/caddy-security-posture.md | Update Caddy candidate version reference |
| docs/reports/caddy-compatibility-matrix.md | Update Caddy candidate version reference |
| docs/plans/proof-of-concept/test-backend-coverage.SKILL.md | Update Go version in plan snippet |
| docs/plans/archive/nightly_branch_implementation.md | Update Go version in archived plan snippet |
| docs/plans/archive/go_version_management_strategy.md | Update Go version in archived plan snippet |
| docs/implementation/PHASE_5_COMPLETE.md | Rename QA skill reference to lefthook variant |
| docs/implementation/PHASE_4_COMPLETE.md | Rename QA skill reference to lefthook variant |
| docs/implementation/PHASE_3_COMPLETE.md | Rename QA skill reference to lefthook variant |
| docs/features.md | Update docs to reference lefthook integration |
| categories.txt | Remove root artifact file |
| backend/internal/services/uptime_service_notification_test.go | Update NotificationService constructor usage |
| backend/internal/services/templates/email_uptime_event.html | Add email HTML template for uptime events |
| backend/internal/services/templates/email_system_event.html | Add email HTML template for system events |
| backend/internal/services/templates/email_ssl_event.html | Add email HTML template for SSL events |
| backend/internal/services/templates/email_security_alert.html | Add email HTML template for security alerts |
| backend/internal/services/security_notification_service.go | Remove default EmailRecipients field from returned config |
| backend/internal/services/notification_service_template_test.go | Update NotificationService constructor usage |
| backend/internal/services/backup_service.go | Adjust decompression limit enforcement logic |
| backend/internal/notifications/router.go | Simplify test router API (remove legacy engine params) |
| backend/internal/notifications/feature_flags.go | Add email notification service feature flag constant |
| backend/internal/notifications/engine.go | Remove legacy engine constant |
| backend/internal/models/notification_config.go | Remove EmailRecipients field from API model |
| backend/internal/models/manual_challenge_test.go | Add ExpiresAt assertion |
| backend/internal/crowdsec/hub_pull_apply_test.go | Reduce wall-clock race by simulating cache expiry |
| backend/internal/config/config_test.go | Add test for JWT secret fallback generation |
| backend/internal/api/routes/routes.go | Wire MailService into NotificationService construction |
| backend/internal/api/handlers/user_handler.go | Add explanatory comment for invite email validation |
| backend/internal/api/handlers/uptime_monitor_initial_state_test.go | Update NotificationService constructor usage |
| backend/internal/api/handlers/uptime_handler_test.go | Update NotificationService constructor usage |
| backend/internal/api/handlers/security_notifications_test.go | Update NotificationService constructor usage |
| backend/internal/api/handlers/security_notifications_single_source_test.go | Update NotificationService constructor usage |
| backend/internal/api/handlers/remote_server_handler_test.go | Update NotificationService constructor usage |
| backend/internal/api/handlers/remote_server_handler.go | Make notification message more generic |
| backend/internal/api/handlers/proxy_host_handler_update_test.go | Update NotificationService constructor usage |
| backend/internal/api/handlers/proxy_host_handler_security_headers_test.go | Update NotificationService constructor usage |
| backend/internal/api/handlers/proxy_host_handler.go | Make notification message more generic |
| backend/internal/api/handlers/notification_provider_patch_coverage_test.go | Update NotificationService constructor usage |
| backend/internal/api/handlers/logs_ws.go | Tighten WebSocket CheckOrigin logic |
| backend/internal/api/handlers/feature_flags_handler_coverage_test.go | Add coverage test for email feature flag default |
| backend/internal/api/handlers/domain_handler_test.go | Update NotificationService constructor usage |
| backend/internal/api/handlers/domain_handler.go | Make notification message more generic |
| backend/internal/api/handlers/certificate_handler.go | Make notification message more generic |
| backend/internal/api/handlers/cerberus_logs_ws.go | Add semgrep suppression note re shared upgrader CheckOrigin |
| backend/internal/api/handlers/auth_handler.go | Clarify cookie secure behavior + CodeQL suppression annotation |
| backend/internal/api/handlers/audit_log_handler.go | Avoid division by zero when computing totalPages |
| Makefile | Add security-local target (govulncheck + Semgrep) |
| ARCHITECTURE.md | Update referenced Caddy version |
| .trivyignore | Add suppression entry for zlib CVE (with review date) |
| .grype.yaml | Extend suppression expiry date |
| .gitignore | Ignore additional root artifacts + trivy-report.json |
| .github/workflows/supply-chain-pr.yml | Update CodeQL upload-sarif action pin |
| .github/workflows/security-pr.yml | Update CodeQL upload-sarif action pin |
| .github/workflows/release-goreleaser.yml | Bump GO_VERSION env to 1.26.1 |
| .github/workflows/quality-checks.yml | Bump GO_VERSION env to 1.26.1 |
| .github/workflows/e2e-tests-split.yml | Bump GO_VERSION + update Docker action pins |
| .github/workflows/codecov-upload.yml | Bump GO_VERSION env to 1.26.1 |
| .github/workflows/benchmark.yml | Bump GO_VERSION env to 1.26.1 |
| .github/workflows/auto-changelog.yml | Update release-drafter action pin |
| .github/skills/security-scan-trivy.SKILL.md | Update QA skill reference to lefthook variant |
| .github/skills/security-scan-gorm.SKILL.md | Update QA skill reference to lefthook variant |
| .github/skills/security-scan-codeql.SKILL.md | Update QA skill reference to lefthook variant |
| .github/skills/examples/gorm-scanner-ci-workflow.yml | Update Go version in example workflow |
| .github/skills/README.md | Update QA skill name/reference to lefthook variant |
| .github/instructions/subagent.instructions.md | Typo in header (“Cmmit”) |
| .github/instructions/structure.instructions.md | Remove pre-commit config mention in root rules |
| .github/instructions/go.instructions.md | Update guidance to lefthook pre-commit-phase hooks |
| .github/instructions/ARCHITECTURE.instructions.md | Update Caddy version + notifications tech name |
| .github/agents/Planning.agent.md | Typo in heading (“Cmmit”) |
| .github/agents/Frontend_Dev.agent.md | Update QA step to lefthook |
| .dockerignore | Remove pre-commit-specific ignore entry + update wording |
| .claude/settings.json | Add Claude tool permission configuration |
| .claude/commands/update-implementation-plan.md | Add Claude command doc |
| .claude/commands/test-frontend-unit.md | Add Claude command doc |
| .claude/commands/test-frontend-coverage.md | Add Claude command doc |
| .claude/commands/test-backend-unit.md | Add Claude command doc |
| .claude/commands/test-backend-coverage.md | Add Claude command doc |
| .claude/commands/security-scan-trivy.md | Add Claude command doc |
| .claude/commands/security-scan-gorm.md | Add Claude command doc |
| .claude/commands/security-scan-go-vuln.md | Add Claude command doc |
| .claude/commands/security-scan-docker-image.md | Add Claude command doc |
| .claude/commands/security-scan-codeql.md | Add Claude command doc |
| .claude/commands/sa-implement.md | Add Claude command doc |
| .claude/commands/integration-test-all.md | Add Claude command doc |
| .claude/commands/docker-stop-dev.md | Add Claude command doc |
| .claude/commands/docker-start-dev.md | Add Claude command doc |
| .claude/commands/docker-rebuild-e2e.md | Add Claude command doc |
| .claude/commands/docker-prune.md | Add Claude command doc |
Files not reviewed (1)
- frontend/package-lock.json: Language not supported
Comments suppressed due to low confidence (4)
frontend/src/locales/es/translation.json:80
- The
dashboardtranslation block was removed, but the app still referencesdashboard.*keys (e.g.,Dashboard.tsx,SystemSettings.tsx). This will cause missing-translation fallbacks (showing raw keys) when the UI is viewed in Spanish.
Please restore the dashboard keys for this locale (or update the UI to stop using them) so non-English languages don’t regress.
frontend/src/locales/fr/translation.json:80
- The
dashboardtranslation block was removed, but the app still referencesdashboard.*keys (e.g.,Dashboard.tsx,SystemSettings.tsx). This will cause missing-translation fallbacks (showing raw keys) when the UI is viewed in French.
Please restore the dashboard keys for this locale (or update the UI to stop using them) so non-English languages don’t regress.
frontend/src/locales/de/translation.json:80
- The
dashboardtranslation block was removed, but the app still referencesdashboard.*keys (e.g.,Dashboard.tsx,SystemSettings.tsx). This will cause missing-translation fallbacks (showing raw keys) when the UI is viewed in German.
Please restore the dashboard keys for this locale (or update the UI to stop using them) so non-English languages don’t regress.
frontend/src/locales/zh/translation.json:80
- The
dashboardtranslation block was removed, but the app still referencesdashboard.*keys (e.g.,Dashboard.tsx,SystemSettings.tsx). This will cause missing-translation fallbacks (showing raw keys) when the UI is viewed in Chinese.
Please restore the dashboard keys for this locale (or update the UI to stop using them) so non-English languages don’t regress.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR scope is to enable Email notifications through Notify as well as make sure the SMPT setup settings are used for these notifications as well as inviting users after the reorganization of User Management