feat(notifications): Phase 4 — notification delivery relay (#2513)

* feat(notifications): Phase 4 — notification delivery relay

- api/notify.ts: Vercel edge bridge — validates Clerk JWT, publishes
  wm:breaking-news events to Upstash wm:events:notify channel
- scripts/notification-relay.cjs: Railway relay subscribing to
  Upstash long-poll; fans out to Telegram (with 429 retry + 403
  deactivation), Slack (SSRF-guarded DNS check + AES-256-GCM decrypt),
  and Resend email; SET NX dedup prevents double-delivery within 30min
- breaking-news-alerts.ts: fire-and-forget POST to /api/notify after
  wm:breaking-news dispatch (web-only, no-op if not signed in)
- convex/notificationChannels.ts: add getChannelsByUserId query for
  relay use (fetches channels by userId without auth requirement)
- .env.example: add RESEND_FROM_EMAIL

* fix(notify-relay): address Greptile P0/P1 security findings

- Change getChannelsByUserId to internalQuery (P0: was public/unauthenticated)
- Add /relay/channels HTTP action with timing-safe RELAY_SECRET validation
- Relay now calls Convex HTTP action instead of public query
- Remove parse_mode: 'HTML' from sendTelegram (P1: injection risk)
- Add AbortSignal.timeout(10000) to sendTelegram (P1: hung connections)
- Add res.ok guard in upstashRest with warning log (P1: silent error swallow)
- Document RELAY_SECRET in .env.example (must be set in both Railway + Convex)

* fix(notify-relay): reuse RELAY_SHARED_SECRET instead of new RELAY_SECRET var

Author: koala73

.env.example

@@ -305,3 +305,6 @@ NOTIFICATION_ENCRYPTION_KEY=
 # Resend API key for email notification delivery.
 # Get from: resend.com/api-keys
 RESEND_API_KEY=
+
+# "From" address for email notifications (must be a verified Resend sender domain)
+RESEND_FROM_EMAIL=WorldMonitor <alerts@worldmonitor.app>

api/notify.ts

@@ -0,0 +1,87 @@
+/**
+ * Notification publish endpoint.
+ *
+ * POST /api/notify — validates Clerk JWT, publishes event to Upstash wm:events:notify channel
+ *
+ * Authentication: Clerk Bearer token in Authorization header.
+ * Requires UPSTASH_REDIS_REST_URL + UPSTASH_REDIS_REST_TOKEN env vars.
+ */
+
+export const config = { runtime: 'edge' };
+
+// @ts-expect-error — JS module, no declaration file
+import { getCorsHeaders, isDisallowedOrigin } from './_cors.js';
+// @ts-expect-error — JS module, no declaration file
+import { jsonResponse } from './_json-response.js';
+import { validateBearerToken } from '../server/auth-session';
+
+export default async function handler(req: Request): Promise<Response> {
+  if (isDisallowedOrigin(req)) {
+    return jsonResponse({ error: 'Origin not allowed' }, 403);
+  }
+
+  const cors = getCorsHeaders(req, 'POST, OPTIONS');
+
+  if (req.method === 'OPTIONS') {
+    return new Response(null, { status: 204, headers: cors });
+  }
+
+  if (req.method !== 'POST') {
+    return jsonResponse({ error: 'Method not allowed' }, 405, cors);
+  }
+
+  const authHeader = req.headers.get('Authorization') ?? '';
+  const token = authHeader.startsWith('Bearer ') ? authHeader.slice(7) : '';
+  if (!token) {
+    return jsonResponse({ error: 'UNAUTHENTICATED' }, 401, cors);
+  }
+
+  const session = await validateBearerToken(token);
+  if (!session.valid || !session.userId) {
+    return jsonResponse({ error: 'UNAUTHENTICATED' }, 401, cors);
+  }
+
+  let body: { eventType?: unknown; payload?: unknown; severity?: unknown };
+  try {
+    body = await req.json();
+  } catch {
+    return jsonResponse({ error: 'Invalid JSON' }, 400, cors);
+  }
+
+  if (typeof body.eventType !== 'string' || !body.eventType || body.eventType.length > 64) {
+    return jsonResponse({ error: 'eventType required (string, max 64 chars)' }, 400, cors);
+  }
+
+  if (typeof body.payload !== 'object' || body.payload === null || Array.isArray(body.payload)) {
+    return jsonResponse({ error: 'payload must be an object' }, 400, cors);
+  }
+
+  const upstashUrl = process.env.UPSTASH_REDIS_REST_URL;
+  const upstashToken = process.env.UPSTASH_REDIS_REST_TOKEN;
+
+  if (!upstashUrl || !upstashToken) {
+    return jsonResponse({ error: 'Service unavailable' }, 503, cors);
+  }
+
+  const { eventType, payload } = body;
+  const severity = typeof body.severity === 'string' ? body.severity : 'high';
+
+  const msg = JSON.stringify({
+    eventType,
+    payload,
+    severity,
+    publishedAt: Date.now(),
+    userId: session.userId,
+  });
+
+  const res = await fetch(
+    `${upstashUrl}/publish/wm:events:notify/${encodeURIComponent(msg)}`,
+    { method: 'POST', headers: { Authorization: `Bearer ${upstashToken}` } },
+  );
+
+  if (!res.ok) {
+    return jsonResponse({ error: 'Publish failed' }, 502, cors);
+  }
+
+  return jsonResponse({ ok: true }, 200, cors);
+}

convex/http.ts

@@ -1,5 +1,6 @@
 import { anyApi, httpRouter } from "convex/server";
 import { httpAction } from "./_generated/server";
+import { internal } from "./_generated/api";
 
 const TRUSTED = [
   "https://worldmonitor.app",
@@ -181,4 +182,46 @@ http.route({
   }),
 });
 
+http.route({
+  path: "/relay/channels",
+  method: "POST",
+  handler: httpAction(async (ctx, request) => {
+    const secret = process.env.RELAY_SHARED_SECRET ?? "";
+    const provided = (request.headers.get("Authorization") ?? "").replace(/^Bearer\s+/, "");
+
+    if (!secret || !(await timingSafeEqualStrings(provided, secret))) {
+      return new Response(JSON.stringify({ error: "UNAUTHORIZED" }), {
+        status: 401,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    let body: { userId?: string };
+    try {
+      body = await request.json();
+    } catch {
+      return new Response(JSON.stringify({ error: "INVALID_JSON" }), {
+        status: 400,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    if (typeof body.userId !== "string" || !body.userId) {
+      return new Response(JSON.stringify({ error: "MISSING_USER_ID" }), {
+        status: 400,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    const channels = await ctx.runQuery(internal.notificationChannels.getChannelsByUserId, {
+      userId: body.userId,
+    });
+
+    return new Response(JSON.stringify(channels ?? []), {
+      status: 200,
+      headers: { "Content-Type": "application/json" },
+    });
+  }),
+});
+
 export default http;

convex/notificationChannels.ts

@@ -1,7 +1,17 @@
 import { ConvexError, v } from "convex/values";
-import { mutation, query } from "./_generated/server";
+import { internalQuery, mutation, query } from "./_generated/server";
 import { channelTypeValidator } from "./constants";
 
+export const getChannelsByUserId = internalQuery({
+  args: { userId: v.string() },
+  handler: async (ctx, args) => {
+    return await ctx.db
+      .query("notificationChannels")
+      .withIndex("by_user", (q) => q.eq("userId", args.userId))
+      .collect();
+  },
+});
+
 export const getChannels = query({
   args: {},
   handler: async (ctx) => {