You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Adds support for certificate issuance, renewal, and revocation alert event types, complementing the existing expiration alerts across all notification channels.
Screenshots
Steps to verify the change
Type
Fix
Feature
Improvement
Breaking
Docs
Chore
Checklist
Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
This PR extends the PKI alerting system from expiration-only to support four certificate lifecycle event types: Expiration (existing, scheduled daily), Issuance, Renewal, and Revocation (all new, real-time via a new PkiAlertV2Event queue). All notification channels (Email, Slack, PagerDuty, Webhook) are updated to carry event-specific metadata. Frontend and documentation are updated to match. The overall architecture is sound — the queue-based event dispatch is fire-and-forget with retries, which keeps the critical certificate operation paths safe from alert failures.
Key issues found:
Missing CA certificate filter in sendEventNotifications (pki-alert-v2-service.ts): sendAlertNotifications explicitly excludes CertificateOrigin.CA certificates from notifications, but sendEventNotifications does not apply the same filter. CA certificate lifecycle events could inadvertently trigger alerts.
Weak eventType typing in queue payload (queue-service.ts): eventType is typed as string instead of PkiAlertEventType, forcing an unsafe cast in the queue processor.
Potential "undefined" literal in PagerDuty summary (pki-alert-v2-channel-pagerduty-fns.ts): For EXPIRATION alerts, alert.alertBefore is interpolated directly into the summary string. Now that alertBefore is typed as optional, this could render as the literal string "undefined" without a null-fallback.
Structured logging convention not followed (pki-alert-v2-queue.ts): New log lines use plain string interpolation rather than the project's required bracket-formatted structured logging pattern.
useEffect stale closure (CreatePkiAlertV2Modal.tsx): The effect that resets selectedTabIndex suppresses an exhaustive-deps ESLint warning; using a functional state updater would be cleaner and safer.
Confidence Score: 3/5
PR is mostly safe to merge but has a logic inconsistency (missing CA cert filter) and a weak type in the queue payload that should be addressed before shipping.
The overall architecture is solid and new code paths are fire-and-forget with proper error handling. However, the missing CA certificate exclusion in sendEventNotifications (inconsistent with sendAlertNotifications) could send unexpected notifications for CA certificate events. The string typing for eventType in the queue payload requires an unsafe cast. The PagerDuty summary could render "undefined" for malformed expiration alerts. These are correctness concerns rather than security vulnerabilities, but they warrant fixes before the feature ships.
backend/src/services/pki-alert-v2/pki-alert-v2-service.ts (missing CA cert filter), backend/src/queue/queue-service.ts (weak eventType typing), and backend/src/services/pki-alert-v2/pki-alert-v2-channel-pagerduty-fns.ts (alertBefore undefined risk)
Adds sendEventNotifications for real-time event alerts and refactors shared logic into dispatchToChannels. Missing CA certificate filter (enrollmentType !== CertificateOrigin.CA) present in sendAlertNotifications is absent from sendEventNotifications.
backend/src/queue/queue-service.ts
Registers new PkiAlertV2Event queue name and job. The payload eventType is typed as string instead of PkiAlertEventType, requiring an unsafe cast at processing time.
Adds event-type-aware severity and summary for PagerDuty alerts. For EXPIRATION alerts, alert.alertBefore (now optional) is interpolated directly into the summary string without a null-fallback, potentially rendering as the literal "undefined".
Adds new PkiAlertEventType values (ISSUANCE, RENEWAL, REVOCATION), webhook event type mappings, getRevocationReasonLabel helper, and makes alertBefore optional throughout. Changes look correct and well-structured.
Adds certificateId filter option and revokedAt/revocationReason fields to certificate queries. Column references are properly qualified with table names, no unsafe OR conditions introduced.
Dynamically adjusts form tabs based on event type (removes the "Preview" tab for non-expiration types). The useEffect that resets selectedTabIndex uses eslint-disable to suppress a missing selectedTabIndex dependency warning; a functional updater pattern would be safer.
Adds new PkiAlertV2Event queue and queueCertificateEvent/processEventAlert functions. Log lines for the new queue worker don't follow the project's structured logging convention. The eventType cast from string to PkiAlertEventType bypasses type safety due to the weak typing in queue-service.ts.
Comments Outside Diff (2)
backend/src/services/pki-alert-v2/pki-alert-v2-channel-pagerduty-fns.ts, line 113-116 (link)
alertBefore could render as literal "undefined" in PagerDuty summary
TAlertInfo.alertBefore is now string | undefined. When eventType === EXPIRATION, the summary string is:
`Infisical: ${totalCertificates} certificate(s) expiring within ${alert.alertBefore} - Alert: ${alert.name}`
If alertBefore is undefined (which shouldn't happen with current validation, but the type allows it), this would produce the literal string "...expiring within undefined..." in the PagerDuty event summary. Add a fallback:
frontend/src/views/PkiAlertsV2Page/components/CreatePkiAlertV2Modal.tsx, line 2081-2085 (link)
useEffect suppresses lint warning about missing selectedTabIndex dependency
The effect reads selectedTabIndex and formTabs but only declares watchedEventType as a dependency. The eslint-disable-line comment suppresses the exhaustive-deps warning. Since formTabs is derived from watchedEventType this is fine, but selectedTabIndex is a true stale-closure risk: if selectedTabIndex changes independently without watchedEventType changing, the guard won't re-run.
Consider using a functional updater to avoid reading selectedTabIndex from the outer scope:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Context
Adds support for certificate issuance, renewal, and revocation alert event types, complementing the existing expiration alerts across all notification channels.
Screenshots
Steps to verify the change
Type
Checklist
type(scope): short description(scope is optional, e.g.,fix: prevent crash on syncorfix(api): handle null response).