trydirect
diff --git a/‎.env.sample‎
Lines changed: 9 additions & 0 deletions b/‎.env.sample‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/alerting/notifications.rs‎
Lines changed: 141 additions & 0 deletions b/‎src/alerting/notifications.rs‎
Lines changed: 141 additions & 0 deletions
diff --git a/‎src/docker/containers.rs‎
Lines changed: 28 additions & 3 deletions b/‎src/docker/containers.rs‎
Lines changed: 28 additions & 3 deletions
@@ -23,3 +23,12 @@ RUST_BACKTRACE=full
 #STACKDOG_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/T.../B.../xxxxx
 # Generic webhook endpoint for alert notifications
 #STACKDOG_WEBHOOK_URL=https://example.com/webhook
+#STACKDOG_SMTP_HOST=smtp.example.com
+#STACKDOG_SMTP_PORT=587
+#STACKDOG_SMTP_USER=alerts@example.com
+#STACKDOG_SMTP_PASSWORD=secret
+#STACKDOG_EMAIL_RECIPIENTS=soc@example.com,oncall@example.com
+#
+# Action notification toggles
+#STACKDOG_NOTIFY_IP_BAN_ACTIONS=true
+#STACKDOG_NOTIFY_QUARANTINE_ACTIONS=true
@@ -6,6 +6,7 @@ use anyhow::{Context, Result};
 use lettre::message::{Mailbox, MultiPart, SinglePart};
 use lettre::transport::smtp::authentication::Credentials;
 use lettre::{AsyncSmtpTransport, AsyncTransport, Message, Tokio1Executor};
+use std::env;
 
 use crate::alerting::alert::{Alert, AlertSeverity};
 
@@ -35,6 +36,30 @@ impl NotificationConfig {
         }
     }
 
+    /// Build notification config from environment variables.
+    pub fn from_env() -> Self {
+        Self {
+            slack_webhook: env::var("STACKDOG_SLACK_WEBHOOK_URL").ok(),
+            smtp_host: env::var("STACKDOG_SMTP_HOST").ok(),
+            smtp_port: env::var("STACKDOG_SMTP_PORT")
+                .ok()
+                .and_then(|value| value.parse().ok()),
+            smtp_user: env::var("STACKDOG_SMTP_USER").ok(),
+            smtp_password: env::var("STACKDOG_SMTP_PASSWORD").ok(),
+            webhook_url: env::var("STACKDOG_WEBHOOK_URL").ok(),
+            email_recipients: env::var("STACKDOG_EMAIL_RECIPIENTS")
+                .ok()
+                .map(|recipients| {
+                    recipients
+                        .split(',')
+                        .map(|recipient| recipient.trim().to_string())
+                        .filter(|recipient| !recipient.is_empty())
+                        .collect()
+                })
+                .unwrap_or_default(),
+        }
+    }
+
     /// Set Slack webhook
     pub fn with_slack_webhook(mut self, url: String) -> Self {
         self.slack_webhook = Some(url);
@@ -139,6 +164,17 @@ impl NotificationConfig {
     }
 }
 
+pub fn env_flag_enabled(name: &str, default: bool) -> bool {
+    env::var(name)
+        .ok()
+        .and_then(|value| match value.trim().to_ascii_lowercase().as_str() {
+            "1" | "true" | "yes" | "on" => Some(true),
+            "0" | "false" | "no" | "off" => Some(false),
+            _ => None,
+        })
+        .unwrap_or(default)
+}
+
 /// Notification channel
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub enum NotificationChannel {
@@ -329,6 +365,41 @@ impl NotificationChannel {
     }
 }
 
+pub async fn dispatch_stored_alert(
+    alert: &crate::database::models::Alert,
+    config: &NotificationConfig,
+) -> Result<usize> {
+    let mut runtime_alert = Alert::new(alert.alert_type, alert.severity, alert.message.clone());
+
+    if let Some(metadata) = &alert.metadata {
+        if let Some(container_id) = &metadata.container_id {
+            runtime_alert.add_metadata("container_id".into(), container_id.clone());
+        }
+        if let Some(source) = &metadata.source {
+            runtime_alert.add_metadata("source".into(), source.clone());
+        }
+        if let Some(reason) = &metadata.reason {
+            runtime_alert.add_metadata("reason".into(), reason.clone());
+        }
+        for (key, value) in &metadata.extra {
+            runtime_alert.add_metadata(key.clone(), value.clone());
+        }
+    }
+
+    let channels = config.configured_channels_for_severity(alert.severity);
+    let mut sent = 0;
+    for channel in &channels {
+        match channel.send(&runtime_alert, config).await? {
+            NotificationResult::Success(_) => sent += 1,
+            NotificationResult::Failure(message) => {
+                log::warn!("Action notification channel reported failure: {}", message)
+            }
+        }
+    }
+
+    Ok(sent)
+}
+
 /// Notification result
 #[derive(Debug, Clone)]
 pub enum NotificationResult {
@@ -443,6 +514,21 @@ fn build_email_html(alert: &Alert) -> String {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use std::sync::Mutex;
+
+    static ENV_MUTEX: Mutex<()> = Mutex::new(());
+
+    fn clear_notification_env() {
+        env::remove_var("STACKDOG_SLACK_WEBHOOK_URL");
+        env::remove_var("STACKDOG_WEBHOOK_URL");
+        env::remove_var("STACKDOG_SMTP_HOST");
+        env::remove_var("STACKDOG_SMTP_PORT");
+        env::remove_var("STACKDOG_SMTP_USER");
+        env::remove_var("STACKDOG_SMTP_PASSWORD");
+        env::remove_var("STACKDOG_EMAIL_RECIPIENTS");
+        env::remove_var("STACKDOG_NOTIFY_IP_BAN_ACTIONS");
+        env::remove_var("STACKDOG_NOTIFY_QUARANTINE_ACTIONS");
+    }
 
     #[tokio::test]
     async fn test_console_notification() {
@@ -457,6 +543,61 @@ mod tests {
         assert!(result.is_ok());
     }
 
+    #[test]
+    fn test_notification_config_from_env_reads_channels() {
+        let _guard = ENV_MUTEX.lock().unwrap();
+        clear_notification_env();
+
+        env::set_var(
+            "STACKDOG_SLACK_WEBHOOK_URL",
+            "https://hooks.slack.test/services/1",
+        );
+        env::set_var("STACKDOG_WEBHOOK_URL", "https://example.test/webhook");
+        env::set_var("STACKDOG_SMTP_HOST", "smtp.example.com");
+        env::set_var("STACKDOG_SMTP_PORT", "2525");
+        env::set_var("STACKDOG_SMTP_USER", "alerts@example.com");
+        env::set_var("STACKDOG_SMTP_PASSWORD", "secret");
+        env::set_var(
+            "STACKDOG_EMAIL_RECIPIENTS",
+            "soc@example.com,oncall@example.com",
+        );
+
+        let config = NotificationConfig::from_env();
+
+        assert_eq!(
+            config.slack_webhook(),
+            Some("https://hooks.slack.test/services/1")
+        );
+        assert_eq!(config.webhook_url(), Some("https://example.test/webhook"));
+        assert_eq!(config.smtp_host(), Some("smtp.example.com"));
+        assert_eq!(config.smtp_port(), Some(2525));
+        assert_eq!(config.smtp_user(), Some("alerts@example.com"));
+        assert_eq!(config.smtp_password(), Some("secret"));
+        assert_eq!(
+            config.email_recipients(),
+            &[
+                "soc@example.com".to_string(),
+                "oncall@example.com".to_string()
+            ]
+        );
+
+        clear_notification_env();
+    }
+
+    #[test]
+    fn test_env_flag_enabled_honors_boolean_values() {
+        let _guard = ENV_MUTEX.lock().unwrap();
+        clear_notification_env();
+
+        assert!(env_flag_enabled("STACKDOG_NOTIFY_IP_BAN_ACTIONS", true));
+        env::set_var("STACKDOG_NOTIFY_IP_BAN_ACTIONS", "false");
+        assert!(!env_flag_enabled("STACKDOG_NOTIFY_IP_BAN_ACTIONS", true));
+        env::set_var("STACKDOG_NOTIFY_IP_BAN_ACTIONS", "yes");
+        assert!(env_flag_enabled("STACKDOG_NOTIFY_IP_BAN_ACTIONS", false));
+
+        clear_notification_env();
+    }
+
     #[test]
     fn test_severity_to_slack_color() {
         assert_eq!(severity_to_slack_color(AlertSeverity::Critical), "#FF0000");
 
@@ -1,6 +1,7 @@
 //! Container management
 
 use crate::alerting::alert::{AlertSeverity, AlertType};
+use crate::alerting::notifications::{dispatch_stored_alert, env_flag_enabled, NotificationConfig};
 use crate::database::models::{Alert, AlertMetadata};
 use crate::database::{create_alert, get_container_alert_summary, DbPool};
 use crate::docker::client::{ContainerInfo, DockerClient};
@@ -54,7 +55,9 @@ impl ContainerManager {
                 .with_reason(reason),
         );
 
-        let _ = create_alert(&self.pool, alert).await;
+        let stored_alert = create_alert(&self.pool, alert).await?;
+        self.notify_action_alert(&stored_alert, "container quarantine")
+            .await;
 
         log::info!("Container {} quarantined: {}", container_id, reason);
         Ok(())
@@ -67,8 +70,19 @@ impl ContainerManager {
             .release_container(container_id, "bridge")
             .await?;
 
-        // Update any quarantine alerts
-        // (In production, would query for specific alerts)
+        let alert = Alert::new(
+            AlertType::SystemEvent,
+            AlertSeverity::Info,
+            format!("Container {} released from quarantine", container_id),
+        )
+        .with_metadata(
+            AlertMetadata::default()
+                .with_container_id(container_id)
+                .with_reason("Container released from quarantine"),
+        );
+        let stored_alert = create_alert(&self.pool, alert).await?;
+        self.notify_action_alert(&stored_alert, "container quarantine release")
+            .await;
 
         log::info!("Container {} released from quarantine", container_id);
         Ok(())
@@ -89,6 +103,17 @@ impl ContainerManager {
             security_state: summary.security_state().to_string(),
         })
     }
+
+    async fn notify_action_alert(&self, alert: &Alert, action_name: &str) {
+        if !env_flag_enabled("STACKDOG_NOTIFY_QUARANTINE_ACTIONS", true) {
+            return;
+        }
+
+        let config = NotificationConfig::from_env();
+        if let Err(err) = dispatch_stored_alert(alert, &config).await {
+            log::warn!("Failed to send {} notification: {}", action_name, err);
+        }
+    }
 }
 
 /// Container security status