817b61058a
Four focused correctness fixes for the "fire exactly once per FAILED exchange" use case (alerting layer only; HTTP-level idempotency is a separate scope): 1. Composite cursor (startTime, executionId) replaces the current single-timestamp, inclusive cursor — prevents same-millisecond drops and same-exchange re-selection. 2. First-run cursor initialized to rule createdAt (not null) — prevents the current unbounded historical-retention scan on first tick of a new rule. 3. Transactional coupling of instance writes + notification enqueue + cursor advance — eliminates partial-progress failure modes on crash or rollback. 4. Config hygiene: reNotifyMinutes forced to 0, forDurationSeconds rejected, perExchangeLingerSeconds removed entirely (was validated as required but never read) — the rule shape stops admitting nonsensical PER_EXCHANGE combinations. Alert stays FIRING until human ack/resolve (no auto-resolve); webhook fires exactly once per AlertInstance; Inbox never sees duplicates. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>