fix(alerts): backend hardening + complete ACKNOWLEDGED migration

- new AlertInstanceRepository.filterInEnvLive(ids, env): single-query bulk ID validation - AlertController.inEnvLiveIds now one SQL round-trip instead of N - bulkMarkRead SQL: defense-in-depth AND deleted_at IS NULL - bulkAck SQL already had deleted_at IS NULL guard — no change needed - PostgresAlertInstanceRepositoryIT: add filterInEnvLive_excludes_other_env_and_soft_deleted - V12MigrationIT: remove alert_reads assertion (table dropped by V17) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 18:48:57 +02:00
parent c70fa130ab
commit 99b739d946
5 changed files with 34 additions and 8 deletions
--- a/cameleer-server-app/src/main/java/com/cameleer/server/app/alerting/controller/AlertController.java
+++ b/cameleer-server-app/src/main/java/com/cameleer/server/app/alerting/controller/AlertController.java
@@ -151,11 +151,7 @@ public class AlertController {
    }

    private List<UUID> inEnvLiveIds(List<UUID> ids, UUID envId) {
-        return ids.stream()
-                .filter(id -> instanceRepo.findById(id)
-                        .map(i -> i.environmentId().equals(envId) && i.deletedAt() == null)
-                        .orElse(false))
-                .toList();
+        return instanceRepo.filterInEnvLive(ids, envId);
    }

    private String currentUserId() {
--- a/cameleer-server-app/src/main/java/com/cameleer/server/app/alerting/storage/PostgresAlertInstanceRepository.java
+++ b/cameleer-server-app/src/main/java/com/cameleer/server/app/alerting/storage/PostgresAlertInstanceRepository.java
@@ -196,7 +196,7 @@ public class PostgresAlertInstanceRepository implements AlertInstanceRepository
            c.createArrayOf("uuid", ids.toArray()));
        jdbc.update("""
            UPDATE alert_instances SET read_at = ?
-             WHERE id = ANY(?) AND read_at IS NULL
+             WHERE id = ANY(?) AND read_at IS NULL AND deleted_at IS NULL
            """, Timestamp.from(when), idArray);
    }

@@ -262,6 +262,17 @@ public class PostgresAlertInstanceRepository implements AlertInstanceRepository
            """, rowMapper(), Timestamp.from(now));
    }

+    @Override
+    public List<UUID> filterInEnvLive(List<UUID> ids, UUID environmentId) {
+        if (ids == null || ids.isEmpty()) return List.of();
+        Array idArray = jdbc.execute((ConnectionCallback<Array>) c ->
+            c.createArrayOf("uuid", ids.toArray()));
+        return jdbc.query("""
+            SELECT id FROM alert_instances
+             WHERE id = ANY(?) AND environment_id = ? AND deleted_at IS NULL
+            """, (rs, i) -> (UUID) rs.getObject("id"), idArray, environmentId);
+    }
+
    @Override
    public void deleteResolvedBefore(Instant cutoff) {
        jdbc.update("""