feat: add notifications infrastructure for key auto-rotation events

- NotificationsStore trait + implementations (SQLite, PostgreSQL, MySQL)
- SMTP email notifier (lettre) for renewal warnings and rotation events
- SmtpConfig + RenewalNotificationStrategy configuration
- dispatch_renewal_warnings() background scanner with threshold-based dedup
- rotate_last_warning_days attribute to prevent duplicate warnings
- HTTP API: GET /notifications, GET /notifications/unread/count,
  POST /notifications/{id}/read, POST /notifications/read-all
- NoopNotificationsStore for Redis-findex backend
- Allow 0BSD license (quoted_printable, transitive dep of lettre)

Author: Manuthor

CHANGELOG/feat_key-rotation-notifications.md

@@ -0,0 +1,10 @@
+# Features
+
+- Add notifications infrastructure for key auto-rotation events
+    - `NotificationsStore` trait and implementations (SQLite, PostgreSQL, MySQL) for persisting in-app notifications
+    - SMTP email notifier (`EmailNotifier`) using `lettre` for renewal warnings and rotation success/failure emails
+    - `SmtpConfig` and `RenewalNotificationStrategy` configuration structs (`NotificationsConfig`)
+    - `dispatch_renewal_warnings()` background function: scans objects approaching rotation and emits threshold-based warnings
+    - `rotate_last_warning_days` attribute on `Attributes` to prevent duplicate warnings in the same cycle
+    - HTTP API endpoints: `GET /notifications`, `GET /notifications/unread/count`, `POST /notifications/{id}/read`, `POST /notifications/read-all`
+    - `NoopNotificationsStore` for Redis-findex backend (notifications not supported)

Cargo.lock

@@ -174,6 +174,7 @@ http = "1.4"
 jsonwebtoken = { version = "10.3", features = ["rust_crypto"] }
 lazy_static = "1.5"
 leb128 = "0.2"
+lettre = { version = "0.11", default-features = false }
 libloading = "0.8"
 log = { version = "0.4", default-features = false }
 lru = "0.16"

Cargo.toml

@@ -26,6 +26,7 @@ num-bigint-dig = { workspace = true, features = [
   "serde",
   "zeroize",
 ] }
+serde = { workspace = true }
 serde_json = { workspace = true }
 thiserror = { workspace = true }
 time = { workspace = true }

crate/interfaces/Cargo.toml

@@ -11,7 +11,10 @@ pub use hsm::{
     HSM, HsmKeyAlgorithm, HsmKeypairAlgorithm, HsmObject, HsmObjectFilter, HsmStore, KeyMaterial,
     RsaPrivateKeyMaterial, RsaPublicKeyMaterial,
 };
-pub use stores::{AtomicOperation, ObjectWithMetadata, ObjectsStore, PermissionsStore};
+pub use stores::{
+    AtomicOperation, Notification, NotificationsStore, ObjectWithMetadata, ObjectsStore,
+    PermissionsStore,
+};
 
 /// Supported cryptographic object types
 /// in plugins

crate/interfaces/src/lib.rs

@@ -1,7 +1,9 @@
+mod notifications_store;
 pub(crate) mod object_with_metadata;
 mod objects_store;
 mod permissions_store;
 
+pub use notifications_store::{Notification, NotificationsStore};
 pub use object_with_metadata::ObjectWithMetadata;
 pub use objects_store::{AtomicOperation, ObjectsStore};
 pub use permissions_store::PermissionsStore;

crate/interfaces/src/stores/mod.rs

@@ -0,0 +1,50 @@
+use async_trait::async_trait;
+use serde::{Deserialize, Serialize};
+use time::OffsetDateTime;
+
+use crate::InterfaceResult;
+
+/// A persisted notification event.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Notification {
+    pub id: i64,
+    pub user_id: String,
+    pub event_type: String,
+    pub message: String,
+    pub object_id: Option<String>,
+    #[serde(with = "time::serde::rfc3339")]
+    pub created_at: OffsetDateTime,
+    #[serde(with = "time::serde::rfc3339::option")]
+    pub read_at: Option<OffsetDateTime>,
+}
+
+#[async_trait(?Send)]
+pub trait NotificationsStore {
+    /// Persist a new notification record and return its auto-generated id.
+    async fn create_notification(
+        &self,
+        user_id: &str,
+        event_type: &str,
+        message: &str,
+        object_id: Option<&str>,
+        created_at: OffsetDateTime,
+    ) -> InterfaceResult<i64>;
+
+    /// List notifications for a user (unread first, then by descending creation date).
+    async fn list_notifications(
+        &self,
+        user_id: &str,
+        limit: i64,
+        offset: i64,
+    ) -> InterfaceResult<Vec<Notification>>;
+
+    /// Return the count of unread notifications for a user.
+    async fn count_unread(&self, user_id: &str) -> InterfaceResult<i64>;
+
+    /// Mark a single notification as read (returns false if not found or not owned by user).
+    async fn mark_read(&self, id: i64, user_id: &str, now: OffsetDateTime)
+    -> InterfaceResult<bool>;
+
+    /// Mark all notifications as read for the given user.
+    async fn mark_all_read(&self, user_id: &str, now: OffsetDateTime) -> InterfaceResult<()>;
+}

crate/interfaces/src/stores/notifications_store.rs

@@ -401,6 +401,12 @@ pub struct Attributes {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub rotate_offset: Option<i32>,
 
+    /// Tracks the last warning threshold (in days) for which a renewal-warning
+    /// notification was already sent in the current rotation cycle.
+    /// Reset to `None` after each successful rotation so warnings restart fresh.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub rotate_last_warning_days: Option<i32>,
+
     /// If True then the server SHALL prevent the object value being retrieved
     /// (via the Get operation) unless it is wrapped by another key. The server
     /// SHALL set the value to False if the value is not provided by the client.
@@ -734,6 +740,7 @@ impl Attributes {
         merge_option_field!(rotate_latest);
         merge_option_field!(rotate_name);
         merge_option_field!(rotate_offset);
+        merge_option_field!(rotate_last_warning_days);
         merge_option_field!(sensitive);
         merge_option_field!(short_unique_identifier);
         merge_option_field!(state);
@@ -964,6 +971,9 @@ impl Display for Attributes {
         if let Some(value) = &self.rotate_offset {
             writeln!(f, "  Rotate Offset: {value}")?;
         }
+        if let Some(value) = &self.rotate_last_warning_days {
+            writeln!(f, "  Rotate Last Warning Days: {value}")?;
+        }
         if let Some(value) = &self.sensitive {
             writeln!(f, "  Sensitive: {value}")?;
         }

crate/kmip/src/kmip_2_1/kmip_attributes.rs

@@ -81,6 +81,12 @@ futures = { workspace = true }
 hex = { workspace = true, features = ["serde"] }
 http = { workspace = true }
 jsonwebtoken = { workspace = true }
+lettre = { workspace = true, features = [
+  "tokio1",
+  "smtp-transport",
+  "tokio1-native-tls",
+  "builder",
+] }
 num-bigint-dig = { workspace = true, features = [
   "std",
   "rand",

crate/server/Cargo.toml

@@ -10,7 +10,7 @@ use serde::{Deserialize, Serialize};
 
 use super::{
     GoogleCseConfig, HsmConfig, HttpConfig, IdpAuthConfig, KmipPolicyConfig, MainDBConfig,
-    WorkspaceConfig, logging::LoggingConfig, ui_config::UiConfig,
+    NotificationsConfig, WorkspaceConfig, logging::LoggingConfig, ui_config::UiConfig,
 };
 use crate::{
     config::{AzureEkmConfig, ProxyConfig, SocketServerConfig, TlsConfig},
@@ -71,6 +71,7 @@ impl Default for ClapConfig {
             kmip_policy: KmipPolicyConfig::default(),
             azure_ekm_config: AzureEkmConfig::default(),
             auto_rotation_check_interval_secs: 0,
+            notifications: NotificationsConfig::default(),
         }
     }
 }
@@ -219,6 +220,11 @@ pub struct ClapConfig {
     /// Set to 0 (default) to disable the auto-rotation background task.
     #[clap(long, default_value = "0", verbatim_doc_comment)]
     pub auto_rotation_check_interval_secs: u64,
+
+    /// Notification settings (SMTP, renewal warnings).
+    #[clap(flatten)]
+    #[serde(default)]
+    pub notifications: NotificationsConfig,
 }
 
 impl ClapConfig {
@@ -661,6 +667,7 @@ impl fmt::Debug for ClapConfig {
             "auto_rotation_check_interval_secs",
             &self.auto_rotation_check_interval_secs,
         );
+        let x = x.field("notifications", &self.notifications);
 
         x.finish()
     }