- Updated API to support Telegram as a notification provider type.
- Enhanced tests to cover Telegram provider creation, updates, and token handling.
- Modified frontend forms to include Telegram-specific fields and validation.
- Added localization strings for Telegram provider.
- Implemented security measures to ensure bot tokens are not exposed in API responses.
Unifies the two previously independent email subsystems — MailService
(net/smtp transport) and NotificationService (HTTP-based providers) —
so email can participate in the notification dispatch pipeline.
Key changes:
- SendEmail signature updated to accept context.Context and []string
recipients to enable timeout propagation and multi-recipient dispatch
- NotificationService.dispatchEmail() wires MailService as a first-class
provider type with IsConfigured() guard and 30s context timeout
- 'email' added to isSupportedNotificationProviderType() and
supportsJSONTemplates() returns false for email (plain/HTML only)
- settings_handler.go test-email endpoint updated to new SendEmail API
- Frontend: 'email' added to provider type union in notifications.ts,
Notifications.tsx shows recipient field and hides URL/token fields for
email providers
- All existing tests updated to match new SendEmail signature
- New tests added covering dispatchEmail paths, IsConfigured guards,
recipient validation, and context timeout behaviour
Also fixes confirmed false-positive CodeQL go/email-injection alerts:
- smtp.SendMail, sendSSL w.Write, and sendSTARTTLS w.Write sites now
carry inline codeql[go/email-injection] annotations as required by the
CodeQL same-line suppression spec; preceding-line annotations silently
no-op in current CodeQL versions
- auth_handler.go c.SetCookie annotated for intentional Secure=false on
local non-HTTPS loopback (go/cookie-secure-not-set warning only)
Closes part of #800
Remove all deprecated Shoutrrr integration artifacts and dead legacy fallback
code from the notification subsystem.
- Remove legacySendFunc field, ErrLegacyFallbackDisabled error, and
legacyFallbackInvocationError() from notification service
- Delete ShouldUseLegacyFallback() from notification router; simplify
ShouldUseNotify() by removing now-dead providerEngine parameter
- Remove EngineLegacy engine constant; EngineNotifyV1 is the sole engine
- Remove legacy.fallback_enabled feature flag, retiredLegacyFallbackEnvAliases,
and parseFlagBool/resolveRetiredLegacyFallback helpers from flags handler
- Remove orphaned EmailRecipients field from NotificationConfig model
- Delete feature_flags_coverage_v2_test.go (tested only the retired flag path)
- Delete security_notifications_test.go.archived (stale archived file)
- Move FIREFOX_E2E_FIXES_SUMMARY.md to docs/implementation/
- Remove root-level scan artifacts tracked in error; add gitignore patterns to
prevent future tracking of trivy-report.json and related outputs
- Update ARCHITECTURE.instructions.md: Notifications row Shoutrrr → Notify
No functional changes to active notification dispatch or mail delivery.
- Updated current specification to reflect the integration of Staticcheck into pre-commit hooks.
- Added problem statement, success criteria, and implementation plan for Staticcheck integration.
- Enhanced QA validation report to confirm successful implementation of Staticcheck pre-commit blocking.
- Created new Playwright configuration and example test cases for frontend testing.
- Updated package.json and package-lock.json to include Playwright and related dependencies.
- Archived previous QA report for CI workflow documentation updates.
- Updated references from `CPMP_TOKEN` to `CHARON_TOKEN` in beta release draft PR body, beta release PR body, and GitHub setup documentation.
- Enhanced clarity in documentation regarding the use of `GITHUB_TOKEN` and fallback options.
- Removed outdated sections from the archived plan for the Docs-to-Issues workflow fix, streamlining the document.
- Initiated integration of Staticcheck into pre-commit hooks to improve code quality, including updates to Makefile, VS Code tasks, and documentation.
- Mark current specification as complete and ready for the next task.
- Document completed work on CI/CD workflow fixes, including implementation summary and QA report links.
- Archive previous planning documents related to GitHub security warnings.
- Revise QA report to reflect the successful validation of CI workflow documentation updates, with zero high/critical issues found.
- Add new QA report for Grype SBOM remediation implementation, detailing security scans, validation results, and recommendations.
- Removed outdated security remediation plan for DoD failures, indicating no active specifications.
- Documented recent completion of Grype SBOM remediation, including implementation summary and QA report.
- Updated QA report to reflect successful validation of security scans with zero HIGH/CRITICAL findings.
- Deleted the previous QA report file as its contents are now integrated into the current report.
