Notifications Templates

Imposed rule: Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.

Templates shape the payload rendered for each channel when a rule action fires. They are deterministic, locale-aware artefacts stored alongside rules so Notify.Worker replicas can render identical messages regardless of environment.

1. Template lifecycle

Authoring. Operators create templates via the API (POST /templates) or UI. Each template binds to a channel type (Slack, Teams, Email, Webhook, Custom) and a locale.
Reference. Rule actions opt in by referencing the template key (actions[].template). Channel defaults apply when no template is specified.
Rendering. During delivery, the worker resolves the template (locale fallbacks included), executes it using the safe Handlebars-style engine, and passes the rendered payload plus metadata to the connector.
Audit. Rendered payloads stored in the delivery ledger include the templateId so operators can trace which text was used.

2. Template schema reference

Field	Type	Notes
`templateId`	string	Stable identifier (UUID/slug).
`tenantId`	string	Must match the tenant header in API calls.
`channelType`	`NotifyChannelType`	Determines connector payload envelope.
`key`	string	Human-readable key referenced by rules (`tmpl-critical`).
`locale`	string	BCP-47 tag, stored lower-case (`en-us`, `bg-bg`).
`body`	string	Template body; rendered strictly without executing arbitrary code.
`renderMode`	enum	`Markdown`, `Html`, `AdaptiveCard`, `PlainText`, or `Json`. Guides connector sanitisation.
`format`	enum	`Slack`, `Teams`, `Email`, `Webhook`, or `Json`. Signals delivery payload structure.
`description`	string?	Optional operator note.
`metadata`	map<string,string>	Sorted map for automation (layout hints, fallback text).
`createdBy`/`createdAt`	string?, instant	Auto-populated.
`updatedBy`/`updatedAt`	string?, instant	Auto-populated.
`schemaVersion`	string	Auto-upgraded on persistence.

Templates are normalised: string fields trimmed, locale lower-cased, metadata sorted to preserve determinism.

3. Variables, helpers, and context

Templates receive a structured context derived from the Notify event, rule match, and rendering metadata.

Path	Description
`event.*`	Canonical event envelope (`kind`, `tenant`, `ts`, `actor`).
`event.scope.*`	Namespace, repository, digest, image, component identifiers, labels, attributes.
`payload.*`	Raw event payload (e.g., `payload.verdict`, `payload.delta.`, `payload.links.`).
`rule.*`	Rule descriptor (`ruleId`, `name`, `labels`, `metadata`).
`action.*`	Action descriptor (`actionId`, `channel`, `digest`, `throttle`, `metadata`).
`policy.*`	Policy metadata when supplied (`revisionId`, `name`).
`topFindings[]`	Top-N findings summarised for convenience (vulnerability ID, severity, reachability).
`digest.*`	When rendering digest flushes: `window`, `openedAt`, `itemCount`.

Built-in helpers mirror the architecture dossier:

Helper	Usage
`severity_icon severity`	Returns emoji/text badge representing severity.
`link text url`	Produces channel-safe hyperlink.
`pluralize count "finding"`	Adds plural suffix when `count != 1`.
`truncate text maxLength`	Cuts strings while preserving determinism.
`code text`	Formats inline code (Markdown/HTML aware).

Connectors may expose additional helpers via partials, but must remain deterministic and side-effect free.

4. Sample templates

4.1 Slack (Markdown + block kit)

{{#*inline "findingLine"}}
- {{severity_icon severity}} {{vulnId}} ({{severity}}) in `{{component}}`
{{/inline}}

*:rotating_light: {{payload.summary.total}} findings {{#if payload.delta.newCritical}}(new critical: {{payload.delta.newCritical}}){{/if}}*

{{#if topFindings.length}}
Top findings:
{{#each topFindings}}{{> findingLine}}{{/each}}
{{/if}}

{{link "Open report in Console" payload.links.ui}}

4.2 Email (HTML + text alternative)

<h2>{{payload.verdict}} for {{event.scope.repo}}</h2>
<p>{{payload.summary.total}} findings ({{payload.summary.blocked}} blocked, {{payload.summary.warned}} warned)</p>
<table>
  <thead><tr><th>Finding</th><th>Severity</th><th>Package</th></tr></thead>
  <tbody>
    {{#each topFindings}}
    <tr>
      <td>{{this.vulnId}}</td>
      <td>{{this.severity}}</td>
      <td>{{this.component}}</td>
    </tr>
    {{/each}}
  </tbody>
</table>
<p>{{link "View full analysis" payload.links.ui}}</p>

When delivering via email, connectors automatically attach a plain-text alternative derived from the rendered content to preserve accessibility.

5. Preview and validation

POST /channels/{id}/test accepts an optional templateId and sample payload to produce a rendered preview without dispatching the event. Results include channel type, target, title/summary, locale, body hash, and connector metadata.
UI previews rely on the same API and highlight connector fallbacks (e.g., Teams adaptive card vs. text fallback).
Offline Kit scenarios can call /internal/notify/templates/normalize to ensure bundled templates match the canonical schema before packaging.

6. Best practices

Keep channel-specific limits in mind (Slack block/character quotas, Teams adaptive card size, email line length). Lean on digests to summarise long lists.
Provide locale-specific versions for high-volume tenants; Notify selects the closest locale, falling back to en-us.
Store connector-specific hints (metadata.layout, metadata.emoji) in template metadata rather than rules when they affect rendering.
Version template bodies through metadata (e.g., metadata.revision: "2025-10-28") so tenants can track changes over time.
Run test previews whenever introducing new helpers to confirm body hashes remain stable across environments.

7. Attestation & signing lifecycle templates (NOTIFY-ATTEST-74-001)

Attestation lifecycle events (verification failures, expiring attestations, key revocations, transparency anomalies) reuse the same structural context so operators can differentiate urgency while reusing channels. Every template must surface:

Subject (payload.subject.digest, payload.subject.repository, payload.subject.tag).
Attestation metadata (payload.attestation.kind, payload.attestation.id, payload.attestation.issuedAt, payload.attestation.expiresAt).
Signer/Key fingerprint (payload.signer.kid, payload.signer.algorithm, payload.signer.rotationId).
Traceability (payload.links.console, payload.links.rekor, payload.links.docs).

7.1 Template keys & channels

Event	Template key	Required channels	Optional channels	Notes
Verification failure (`attestor.verification.failed`)	`tmpl-attest-verify-fail`	Slack `sec-alerts`, Email `supply-chain@`, Webhook (Pager/SOC)	Teams `risk-war-room`, Custom SIEM feed	Include failure code, Rekor UUID, last-known good attestation link.
Expiring attestation (`attestor.attestation.expiring`)	`tmpl-attest-expiry-warning`	Email summary, Slack reminder	Digest window (daily)	Provide expiration window, renewal instructions, `expiresIn` helper.
Key revocation/rotation (`authority.keys.revoked`, `authority.keys.rotated`)	`tmpl-attest-key-rotation`	Email + Webhook	Slack (if SOC watches channel)	Add rotation batch ID, impacted tenants/services, remediation steps.
Transparency anomaly (`attestor.transparency.anomaly`)	`tmpl-attest-transparency-anomaly`	Slack high-priority, Webhook, PagerDuty	Email follow-up	Show Rekor index delta, witness ID, anomaly classification, recommended actions.

Assign these keys when creating templates so rule actions can reference them deterministically (actions[].template: "tmpl-attest-verify-fail").

7.2 Context helpers

attestation_status_badge status: renders ✅/⚠️/❌ depending on verdict (valid, expiring, failed).
expires_in expiresAt now: returns human-readable duration, constrained to deterministic units (h/d).
fingerprint key: shortens long key IDs/pems, exposing the last 10 characters.

7.3 Slack sample (verification failure)

:rotating_light: {{attestation_status_badge payload.failure.status}} verification failed for `{{payload.subject.digest}}`
Signer: `{{fingerprint payload.signer.kid}}` ({{payload.signer.algorithm}})
Reason: `{{payload.failure.reasonCode}}` — {{payload.failure.reason}}
Last valid attestation: {{link "Console report" payload.links.console}}
Rekor entry: {{link "Transparency log" payload.links.rekor}}

7.4 Email sample (expiring attestation)

<h2>Attestation expiry notice</h2>
<p>The attestation for <code>{{payload.subject.repository}}</code> (digest {{payload.subject.digest}}) expires on <strong>{{payload.attestation.expiresAt}}</strong>.</p>
<ul>
  <li>Issued: {{payload.attestation.issuedAt}}</li>
  <li>Signer: {{payload.signer.kid}} ({{payload.signer.algorithm}})</li>
  <li>Time remaining: {{expires_in payload.attestation.expiresAt event.ts}}</li>
</ul>
<p>Please rotate the attestation before expiry. Reference <a href="{{payload.links.docs}}">renewal steps</a>.</p>

7.5 Webhook sample (transparency anomaly)

{
  "event": "attestor.transparency.anomaly",
  "tenantId": "{{event.tenant}}",
  "subjectDigest": "{{payload.subject.digest}}",
  "rekorIndex": "{{payload.transparency.rekorIndex}}",
  "witnessId": "{{payload.transparency.witnessId}}",
  "anomaly": "{{payload.transparency.classification}}",
  "detailsUrl": "{{payload.links.console}}",
  "recommendation": "{{payload.recommendation}}"
}

7.6 Offline kit guidance

Bundle these templates (JSON export) under offline/notifier/templates/attestation/.
Baseline English templates for Slack, Email, and Webhook ship in the repository at offline/notifier/templates/attestation/*.template.json; copy and localise them per tenant as needed.
Provide localized variants for en-us and de-de at minimum; additional locales can be appended per customer.
Include preview fixtures in Offline Kit smoke tests to guarantee channel render parity when air-gapped.

Imposed rule reminder: Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.

8. Incident mode templates (NOTIFY-OBS-55-001)

Incident toggles are high-noise events that must pierce quiet hours and include audit-ready context. Use dedicated templates so downstream tooling can distinguish activation vs. recovery and surface the required evidence.

Required context keys

payload.incidentId, payload.reason, payload.startedAt / payload.stoppedAt.
payload.links.trace (root cause trace/span), payload.links.evidence (timeline/export bundle), payload.links.timeline.
payload.retentionDays (active) and payload.retentionBaselineDays (post-incident).
payload.quietHoursOverride (boolean) to justify bypassing quiet hours.
payload.legal.jurisdiction, payload.legal.ticket, payload.legal.logPath for compliance logging.

Template keys

tmpl-incident-start — activation notice.
tmpl-incident-stop — recovery/cleanup notice.

Slack sample (start)

:rotating_light: Incident mode activated for {{payload.incidentId}}
Reason: {{payload.reason}}
Trace: {{link "root span" payload.links.trace}} · Evidence: {{link "bundle" payload.links.evidence}}
Retention extended to {{payload.retentionDays}} days (baseline {{payload.retentionBaselineDays}})
Quiet hours overridden: {{payload.quietHoursOverride}}
Legal: {{payload.legal.jurisdiction}} (ticket {{payload.legal.ticket}})

Email sample (stop)

<h2>Incident mode cleared: {{payload.incidentId}}</h2>
<p>Stopped at {{payload.stoppedAt}} — retention reset to {{payload.retentionBaselineDays}} days.</p>
<p>Timeline: {{link "view timeline" payload.links.timeline}} · Audit log: {{payload.legal.logPath}}</p>

See src/Notifier/StellaOps.Notifier/docs/incident-mode-rules.sample.json for ready-to-import rules referencing these templates with quiet-hour overrides and legal logging metadata.