`9d2ffa4`

S29: register notify:fanout worker job

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 5 days ago

SHA: 9d2ffa44e75b233b55b8e41772c566b07d12e366
Parents: 424bde8
Tree: 722483f

4 changed files

Status	File	+
M	`cmd/shithubd/worker.go`	77
M	`internal/infra/config/config.go`	12
A	`internal/worker/jobs/notify_fanout.go`	69
M	`internal/worker/types.go`	9

cmd/shithubd/worker.gomodified

  package main
  import (
 +	"crypto/sha256"
 +	"encoding/base64"
  	"errors"
  	"fmt"
  	"log/slog"
  	"github.com/spf13/cobra"
  	"github.com/tenseleyFlow/shithub/internal/auth/audit"
 +	"github.com/tenseleyFlow/shithub/internal/auth/email"
  	"github.com/tenseleyFlow/shithub/internal/infra/config"
  	"github.com/tenseleyFlow/shithub/internal/infra/db"
  	"github.com/tenseleyFlow/shithub/internal/infra/storage"
  			Pool: pool, Logger: logger,
  		}))
 +		notifSender, _ := pickNotifEmailSender(cfg)
 +		p.Register(worker.KindNotifyFanout, jobs.NotifyFanout(jobs.NotifyFanoutDeps{
 +			Pool:           pool,
 +			Logger:         logger,
 +			EmailSender:    notifSender,
 +			EmailFrom:      cfg.Auth.EmailFrom,
 +			SiteName:       cfg.Auth.SiteName,
 +			BaseURL:        cfg.Auth.BaseURL,
 +			UnsubscribeKey: notifUnsubscribeKey(cfg, logger),
 +		}))
++
  		return p.Run(ctx)
  	},
+ }
  	workerCmd.Flags().Int("workers", 0, "Number of worker goroutines (default 4)")
  	rootCmd.AddCommand(workerCmd)
+ }
++
 +// pickNotifEmailSender mirrors pickAdminEmailSender / pickEmailSender
 +// in the web binary. Kept local to the worker so failure to construct
 +// the sender doesn't kill the process — fan-out without email is a
 +// supported degraded mode (inbox rows still land).
 +func pickNotifEmailSender(cfg config.Config) (email.Sender, error) {
 +	switch cfg.Auth.EmailBackend {
 +	case "stdout":
 +		return email.NewStdoutSender(os.Stdout), nil
 +	case "smtp":
 +		return &email.SMTPSender{
 +			Addr:     cfg.Auth.SMTP.Addr,
 +			From:     cfg.Auth.EmailFrom,
 +			Username: cfg.Auth.SMTP.Username,
 +			Password: cfg.Auth.SMTP.Password,
 +		}, nil
 +	case "postmark":
 +		return &email.PostmarkSender{
 +			ServerToken: cfg.Auth.Postmark.ServerToken,
 +			From:        cfg.Auth.EmailFrom,
 +		}, nil
 +	default:
 +		return nil, errors.New("worker: unknown email_backend")
 +	}
 +}
++
 +// notifUnsubscribeKey resolves the HMAC key used to sign one-click
 +// unsubscribe URLs. Operators set Notif.UnsubscribeKeyB64 in prod.
 +// In dev (key empty) we derive a deterministic 32-byte key from the
 +// session secret so unsubscribe links survive process restarts
 +// without operator action — and we log a loud warning so the
 +// derivation can't sneak into prod by accident.
 +func notifUnsubscribeKey(cfg config.Config, logger *slog.Logger) []byte {
 +	if cfg.Notif.UnsubscribeKeyB64 != "" {
 +		k, err := base64.StdEncoding.DecodeString(cfg.Notif.UnsubscribeKeyB64)
 +		if err == nil && len(k) >= 16 {
 +			return k
 +		}
 +		if logger != nil {
 +			logger.Warn("notif: unsubscribe_key_b64 invalid; falling back to derived key",
 +				"hint", "set Notif.UnsubscribeKeyB64 to base64-encoded 32+ random bytes")
 +		}
 +	}
 +	if cfg.Session.KeyB64 != "" {
 +		seed, err := base64.StdEncoding.DecodeString(cfg.Session.KeyB64)
 +		if err == nil && len(seed) > 0 {
 +			sum := sha256.Sum256(append([]byte("notif-unsub:"), seed...))
 +			if logger != nil {
 +				logger.Warn("notif: deriving unsubscribe key from session secret (dev fallback)",
 +					"hint", "set Notif.UnsubscribeKeyB64 in prod")
 +			}
 +			return sum[:]
 +		}
 +	}
 +	// Last-resort static dev key — links work but anyone with source
 +	// access can mint them. Logged at WARN so operators notice in
 +	// prod logs.
 +	if logger != nil {
 +		logger.Warn("notif: no key material — using static dev key",
 +			"hint", "set Notif.UnsubscribeKeyB64 (or session.key_b64)")
 +	}
 +	return []byte("shithub-dev-unsub-static-key-32B")
 +}

internal/infra/config/config.gomodified

  	Session        SessionConfig        `toml:"session"`
  	Storage        StorageConfig        `toml:"storage"`
  	Auth           AuthConfig           `toml:"auth"`
 +	Notif          NotifConfig          `toml:"notif"`
 +}
++
 +// NotifConfig configures the S29 notification surface. UnsubscribeKeyB64
 +// is the base64-encoded HMAC-SHA256 key that signs one-click
 +// unsubscribe URLs (RFC 8058). When empty (dev default), the
 +// fan-out worker derives a deterministic key from the session key so
 +// links are stable across restarts without operator action — this
 +// derivation is NOT suitable for prod and the wiring layer logs a
 +// warning when it fires.
 +type NotifConfig struct {
 +	UnsubscribeKeyB64 string `toml:"unsubscribe_key_b64"`
+ }
  // WebConfig holds HTTP server settings.

internal/worker/jobs/notify_fanout.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package jobs
++
 +import (
 +	"context"
 +	"encoding/json"
 +	"log/slog"
++
 +	"github.com/jackc/pgx/v5/pgxpool"
++
 +	"github.com/tenseleyFlow/shithub/internal/auth/email"
 +	"github.com/tenseleyFlow/shithub/internal/notif"
 +	"github.com/tenseleyFlow/shithub/internal/worker"
 +)
++
 +// NotifyFanoutDeps wires the fan-out handler against the runtime.
 +// EmailSender is optional — when nil, inbox rows still get written
 +// but no email goes out (matches the dev-mode "look at the inbox in
 +// the web UI" loop).
 +type NotifyFanoutDeps struct {
 +	Pool           *pgxpool.Pool
 +	Logger         *slog.Logger
 +	EmailSender    email.Sender
 +	EmailFrom      string
 +	SiteName       string
 +	BaseURL        string
 +	UnsubscribeKey []byte
 +}
++
 +// NotifyFanout returns the worker handler for `notify:fanout`. The
 +// handler ignores the payload (cursor lives in
 +// domain_events_processed) and drains up to FanoutBatch events per
 +// invocation. The pool re-runs the job through normal retry cadence
 +// when a drain partially fails, and the cron-driven scheduler re-
 +// enqueues on a tick.
 +func NotifyFanout(deps NotifyFanoutDeps) worker.Handler {
 +	return func(ctx context.Context, _ json.RawMessage) error {
 +		processed, err := notif.FanoutOnce(ctx, notif.Deps{
 +			Pool:           deps.Pool,
 +			Logger:         deps.Logger,
 +			EmailSender:    deps.EmailSender,
 +			EmailFrom:      deps.EmailFrom,
 +			SiteName:       deps.SiteName,
 +			BaseURL:        deps.BaseURL,
 +			UnsubscribeKey: deps.UnsubscribeKey,
 +		})
 +		if err != nil {
 +			return err
 +		}
 +		if deps.Logger != nil && processed > 0 {
 +			deps.Logger.InfoContext(ctx, "notify:fanout drained events",
 +				"count", processed)
 +		}
 +		// If we drained a full batch, more events probably exist.
 +		// Re-enqueue ourselves so we keep going on the next tick
 +		// without waiting for the next cron beat. Best-effort: an
 +		// enqueue failure is logged but not surfaced as a job error
 +		// (the next cron tick will pick up).
 +		if processed >= notif.FanoutBatch {
 +			if _, err := worker.Enqueue(ctx, deps.Pool, worker.KindNotifyFanout,
 +				map[string]any{}, worker.EnqueueOptions{}); err != nil && deps.Logger != nil {
 +				deps.Logger.WarnContext(ctx, "notify:fanout self-enqueue failed",
 +					"error", err)
 +			}
 +		}
 +		return nil
 +	}
 +}

internal/worker/types.gomodified

  	KindRepoIndexReconcile Kind = "repo:index_reconcile"
+ )
 +// S29 notification kinds. notify:fanout drains the domain_events
 +// table past the persisted cursor and materializes inbox rows +
 +// (optional) emails. Self-throttling per FanoutBatch; loop-friendly
 +// (the handler returns the count so the pool can re-enqueue when a
 +// drain didn't catch up).
 +const (
 +	KindNotifyFanout Kind = "notify:fanout"
 +)
++
  // NotifyChannel is the Postgres LISTEN/NOTIFY channel the pool subscribes
  // to so it wakes up immediately when a job is enqueued, instead of
  // polling. Callers wrapping enqueue in a tx must NOTIFY inside the