expire_imminent: route resource.expiry_imminent through Go renderer

mastermanas805 · claude · mastermanas805 · commit edf0c47361c5 · 2026-05-15T09:56:26.000+05:30
User got the broken "Your resource expires in 6 hours" email again
after the first fix shipped. Worker log proved it: BOTH expiry kinds
fired for the same recipient at 04:12:56 UTC:

  kind=anon.expiry_warning      path=raw_html  template_id=0   (new fix)
  kind=resource.expiry_imminent path=template  template_id=6   (still broken)

The first fix only registered renderAnonExpiryEmail for
anon.expiry_warning. The sibling kind from expire_imminent.go
(authenticated/paid resources) was still routed through Brevo's
templateId=6 — the same template that hardcodes "6 hours" + reads
param names we don't emit (empty Type/Token/Expires rows).

Fix:
- Register renderAnonExpiryEmail for resource.expiry_imminent in
  eventEmailBodyRenderers. Same renderer — both kinds have identical
  user-facing semantics ("your resource expires in N hours, click to
  keep") and the renderer treats missing optional params as empty.
- Extend buildResourceExpiring to emit upgrade_url, resource_url,
  token_prefix, reminder_index="1" (single-fire — paid path has no
  stage concept) + audit_kind so the renderer view struct fills.
- Extend expire_imminent.go's audit insert to populate the same
  metadata fields (token_prefix is first 8 chars of r.token only,
  never the full secret; upgrade_url carries source=
  resource_expiry_imminent for funnel attribution).

Tests:
- TestEventEmailBodyRenderers_CoversBothExpiryKinds: regression guard
  that fails if either expiry kind isn't registered. Catches the
  exact bug class that bit us today.
- TestBuildResourceExpiring_EmitsAllRendererParams: asserts every
  renderer-required key is non-empty after the build.
- All 9 targeted tests pass; ./internal/jobs/... ./internal/email/...
  full suite green (ok 22.533s + 0.544s).

The Brevo template_id=6 fallback in BREVO_TEMPLATE_IDS is left in
place — brevo_provider.go::SendEvent prefers HTMLBody != "" so any
legacy events queued before this deploy still route through the new
path; the templateId is harmless dead-code for new sends.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/jobs/event_email_mapping.go b/internal/jobs/event_email_mapping.go
@@ -200,11 +200,21 @@ type eventEmailBodyRenderer func(params map[string]string) (subject, html, text
 //
 // Currently registered (2026-05-15):
 //
-//   anon.expiry_warning — replaces a broken Brevo dashboard template
+//   anon.expiry_warning      — replaces a broken Brevo dashboard template
 //     (hardcoded "6 hours" subject, empty body fields).
 //     Renderer: renderAnonExpiryEmail in expiry_reminder_email.go.
+//
+//   resource.expiry_imminent — same broken template (template_id=6) was
+//     also wired for the paid/authenticated expiry path. Both audit kinds
+//     fired for the same recipient on 2026-05-15 04:12 UTC and the
+//     authenticated email was the broken one. Reuses renderAnonExpiryEmail
+//     because the payload shape is identical (resource_type, hours_remaining,
+//     expires_at, token_prefix, upgrade_url, resource_url) — see the
+//     buildResourceExpiring/expire_imminent.go changes that emit the
+//     matching params.
 var eventEmailBodyRenderers = map[string]eventEmailBodyRenderer{
-	auditKindAnonExpiryWarning: renderAnonExpiryEmail,
+	auditKindAnonExpiryWarning:      renderAnonExpiryEmail,
+	auditKindResourceExpiryImminent: renderAnonExpiryEmail,
 }
 
 // eventEmailBuilders maps an audit_log.kind to the builder that produces
@@ -334,11 +344,27 @@ func buildResourceExpiring(row auditRow) (map[string]string, bool) {
 	}
 	meta := decodeMeta(row.Metadata)
 	params := baseParams(row)
+	params["audit_kind"] = row.Kind
 	if row.ResourceType != "" {
 		params["resource_type"] = row.ResourceType
 	}
 	copyMetaStr(params, meta, "expires_at", "expires_at")
 	copyMetaStr(params, meta, "hours_remaining", "hours_remaining")
+	// 2026-05-15 — the paid expiry path now shares the Go renderer
+	// (renderAnonExpiryEmail) with the anon path. There is no multi-stage
+	// reminder cadence for paid/authenticated resources (single-fire), but
+	// the renderer reads reminder_index to decide between "Heads up" /
+	// "Reminder" / "Final reminder" subject prefixes — pin to "1" so paid
+	// emails read as "Heads up — your instanode <type> expires in Nh".
+	// Also surface resource_id / token_prefix / upgrade_url / resource_url
+	// so the body's Type/Token/Expires panel and CTA links render correctly
+	// (the previous Brevo dashboard template referenced these but the
+	// worker wasn't sending them — rendering empty cells in production).
+	params["reminder_index"] = "1"
+	copyMetaStr(params, meta, "resource_id", "resource_id")
+	copyMetaStr(params, meta, "token_prefix", "token_prefix")
+	copyMetaStr(params, meta, "upgrade_url", "upgrade_url")
+	copyMetaStr(params, meta, "resource_url", "resource_url")
 	return params, true
 }
 
diff --git a/internal/jobs/expire_imminent.go b/internal/jobs/expire_imminent.go
@@ -226,13 +226,29 @@ func (w *ExpireImminentWorker) Work(ctx context.Context, job *river.Job[ExpireIm
 		// (loops_event_mapping.go::buildResourceExpiring). The
 		// resource_id field is also the dedupe key the next sweep's
 		// NOT IN subquery joins on, so it must be a parseable uuid.
+		//
+		// 2026-05-15: token_prefix / upgrade_url / resource_url were
+		// added so the Go-rendered email body (renderAnonExpiryEmail,
+		// shared with the anon expiry path) has the values it needs
+		// to fill the Type/Token/Expires panel and the upgrade /
+		// resource-detail CTAs. The previous Brevo dashboard template
+		// referenced these but the worker wasn't emitting them, so the
+		// rendered email had empty cells. token_prefix is the first 8
+		// chars of the resource token (uuid.UUID is always 36 chars
+		// so the min() is defensive — protects against future schema
+		// changes where token isn't a uuid).
+		tokenStr := r.token.String()
+		tokenPrefix := tokenStr[:min(8, len(tokenStr))]
 		meta := map[string]any{
 			"resource_id":     r.resourceID.String(),
 			"resource_type":   r.resourceType,
 			"expires_at":      r.expiresAt.UTC().Format(time.RFC3339),
 			"hours_remaining": hoursRemaining,
 			"email":           r.ownerEmail.String,
-			"token":           r.token.String(),
+			"token":           tokenStr,
+			"token_prefix":    tokenPrefix,
+			"upgrade_url":     "https://instanode.dev/app/billing?upgrade=hobby&source=resource_expiry_imminent",
+			"resource_url":    "https://instanode.dev/app/resources/" + r.resourceID.String(),
 		}
 		metaBytes, mErr := json.Marshal(meta)
 		if mErr != nil {
diff --git a/internal/jobs/expiry_reminder_email_test.go b/internal/jobs/expiry_reminder_email_test.go
@@ -148,6 +148,71 @@ func TestEventEmailBodyRenderers_RegistersAnonExpiryWarning(t *testing.T) {
 	}
 }
 
+// TestEventEmailBodyRenderers_CoversBothExpiryKinds locks in the
+// 2026-05-15 follow-up fix: the broken Brevo dashboard template_id=6
+// was wired to BOTH anon.expiry_warning AND resource.expiry_imminent.
+// The first fix only registered the renderer for anon — the
+// authenticated paid path still routed through the broken template
+// and the user received the broken email at 04:12 UTC.
+//
+// This test FAILS on the post-first-fix master (only one kind
+// registered) and PASSES after the second fix registers both kinds.
+// Fail-fast in CI if anyone adds a third expiry kind and forgets to
+// register a renderer.
+func TestEventEmailBodyRenderers_CoversBothExpiryKinds(t *testing.T) {
+	for _, kind := range []string{"anon.expiry_warning", "resource.expiry_imminent"} {
+		if _, ok := eventEmailBodyRenderers[kind]; !ok {
+			t.Errorf("eventEmailBodyRenderers missing renderer for %q — email would route through Brevo template_id and lose all the new params", kind)
+		}
+	}
+}
+
+// TestBuildResourceExpiring_EmitsAllRendererParams asserts the paid
+// expiry builder emits every key the shared renderer reads. Caught the
+// production bug where buildResourceExpiring emitted only three keys
+// (resource_type / expires_at / hours_remaining) and the renderer's
+// Type/Token/Expires panel rendered empty cells.
+func TestBuildResourceExpiring_EmitsAllRendererParams(t *testing.T) {
+	row := auditRow{
+		ID:           "x",
+		TeamID:       "t",
+		Kind:         auditKindResourceExpiryImminent,
+		ResourceType: "postgres",
+		OwnerEmail:   "test@example.com",
+		Metadata: []byte(`{
+			"hours_remaining":"4",
+			"expires_at":"2026-05-16T00:00:00Z",
+			"resource_id":"abc-123",
+			"token_prefix":"abc12345",
+			"upgrade_url":"https://instanode.dev/app/billing?upgrade=hobby",
+			"resource_url":"https://instanode.dev/app/resources/abc-123"
+		}`),
+	}
+	params, ok := buildResourceExpiring(row)
+	if !ok {
+		t.Fatal("buildResourceExpiring returned ok=false unexpectedly")
+	}
+	for _, k := range []string{
+		"resource_type",
+		"hours_remaining",
+		"expires_at",
+		"reminder_index",
+		"token_prefix",
+		"upgrade_url",
+		"resource_url",
+	} {
+		if params[k] == "" {
+			t.Errorf("buildResourceExpiring must emit non-empty %q; got params=%v", k, params)
+		}
+	}
+	// reminder_index must pin to "1" (paid path is single-fire — no
+	// stage cadence) so the subject reads "Heads up", not "Reminder"
+	// or "Final reminder".
+	if params["reminder_index"] != "1" {
+		t.Errorf("reminder_index = %q; want \"1\" (paid path is single-fire)", params["reminder_index"])
+	}
+}
+
 // TestRenderAnonExpiryEmail_NeverSaysSixHoursWhenItsNot is a guard
 // against the regression that prompted this whole change: the old
 // template hardcoded "6 hours" in the subject regardless of the actual
