Maintenant

v1.2.12 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 27 days ago in Monitoring & Metrics

Topics: alerting, container-monitoring, devops, docker, go, heartbeat, self-hosted, kubernetes, monitoring, network-security, observability, server-sent-events, sqlite, ssl-monitoring, status-page, uptime-kuma-alternative, uptime-monitoring, vue

Affected surfaces

auth

Summary

AI summary: a broad release touching the upgrade notes, Pro features, a CWE-601 (open redirect) fix, and CR/LF header sanitization.

Full changelog

Highlights

This release reshapes how alerts get from a monitor to a human, and adds a full Pro-grade escalation pipeline on top.

A clearer alert routing model

Notification channels and routing decisions are now distinct concerns:

  • Channels describe where a notification can go (Discord, generic webhook, Slack/Teams/Email on Pro). They stay silent until something points at them.
  • Alert Triggers decide when a channel fires. Each trigger combines a filter (severity, source, and on Pro: entity scope, tag) and a list of destination channels.
  • Escalation Policies (Pro) decide how long to wait before paging the next person, with independent channel sets per level.

The same channel can be referenced by multiple triggers and policies without producing duplicate notifications — the engine de-dupes per alert.

This split also enables a new reserved-escalation channel pattern: a channel that exists only in an escalation policy at a delayed level (e.g. management email at T+1h) without ever firing on the initial dispatch.

Alert Triggers

A new resource and CRUD API at /api/v1/alert-triggers, plus matching MCP tools (list_triggers, get_trigger, create_trigger, update_trigger, delete_trigger) and a frontend tab under Alerts → Triggers.

| Filter | CE | Pro |
| --------------------- | :-: | :-: |
| filter_severities | ✅ | ✅ |
| filter_sources | ✅ | ✅ |
| filter_scopes | — | ✅ |
| filter_tags | — | ✅ |

Filters are CSV strings — empty matches everything, so a trigger with no filter behaves like a "broadcast to these channels" rule.
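As an added example (not code from the Maintenant project), here is how the CSV filter semantics above and the per-alert channel de-duplication mentioned in the routing model can be implemented in Go. The Alert and Trigger field names and the sample trigger set are assumptions constructed for the illustration; CE deployments would simply leave the two Pro-only filters empty.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Alert carries the fields the filters inspect (field names are assumptions).
type Alert struct {
	ID       string
	Severity string
	Source   string
	Scope    string   // entity scope, Pro-only filter
	Tags     []string // Pro-only filter
}

// Trigger mirrors the four CSV filters from the release notes. An empty
// filter matches everything; CE deployments just leave the Pro filters empty.
type Trigger struct {
	FilterSeverities string
	FilterSources    string
	FilterScopes     string
	FilterTags       string
	Channels         []string
}

// csvSet parses "critical, warning" into a case-insensitive lookup set and
// returns nil for an empty filter, which callers treat as "match all".
func csvSet(csv string) map[string]struct{} {
	set := make(map[string]struct{})
	for _, v := range strings.Split(csv, ",") {
		if v = strings.ToLower(strings.TrimSpace(v)); v != "" {
			set[v] = struct{}{}
		}
	}
	if len(set) == 0 {
		return nil
	}
	return set
}

// matchAny reports whether the filter is empty or lists at least one value.
func matchAny(filter string, values []string) bool {
	set := csvSet(filter)
	if set == nil {
		return true
	}
	for _, v := range values {
		if _, ok := set[strings.ToLower(strings.TrimSpace(v))]; ok {
			return true
		}
	}
	return false
}

// Matches applies all four filters; every non-empty filter must pass.
func (t Trigger) Matches(a Alert) bool {
	return matchAny(t.FilterSeverities, []string{a.Severity}) &&
		matchAny(t.FilterSources, []string{a.Source}) &&
		matchAny(t.FilterScopes, []string{a.Scope}) &&
		matchAny(t.FilterTags, a.Tags)
}

// RouteAlert evaluates every trigger and returns the de-duplicated, sorted
// destination channels, so a channel named by several matching triggers is
// notified once per alert.
func RouteAlert(a Alert, triggers []Trigger) []string {
	seen := make(map[string]struct{})
	for _, t := range triggers {
		if !t.Matches(a) {
			continue
		}
		for _, c := range t.Channels {
			seen[c] = struct{}{}
		}
	}
	out := make([]string, 0, len(seen))
	for c := range seen {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// SampleTriggers is a constructed trigger set for the demonstration.
func SampleTriggers() []Trigger {
	return []Trigger{
		{FilterSeverities: "critical", Channels: []string{"webhook-pager", "discord-oncall"}},
		{FilterSources: "docker", Channels: []string{"discord-oncall"}},
		{FilterTags: "prod,payments", Channels: []string{"slack-payments"}}, // Pro-style filter
		{Channels: []string{"slack-general"}},                              // no filter: broadcast
	}
}

func main() {
	a := Alert{ID: "alert-1", Severity: "critical", Source: "docker"}
	fmt.Println(RouteAlert(a, SampleTriggers()))
}
```

With the constructed triggers, a critical Docker alert matches the first, second and broadcast triggers, and discord-oncall appears once in the result even though two triggers name it.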

Escalation Policies (Pro)

Multi-level chains for unacknowledged alerts. Each level defines a delay and a set of target channels.

Alert fires
    ├── Level 1 (T+5 min)   → #slack-oncall
    ├── Level 2 (T+15 min)  → on-call SMS gateway
    └── Level 3 (T+1 h)     → CTO email

Behavior:

  • Acknowledgment stops the chain (stopped_by_ack) and notifies any already-paged channel that the alert was acknowledged.
  • Resolution stops the chain (stopped_by_resolution).
  • Maintenance windows pause the run; remaining delays resume from where the pause started, so no level is skipped.
  • Exhausted chain notifies the last level's channels with an explicit "human action required" message.
  • Each delivery attempt is recorded in escalation_deliveries with pending/sent/failed status and the channel-specific error if any.

Operations:

  • HTTP CRUD at /api/v1/escalation-policies, including an overlap-probe endpoint that flags policies whose filter matrices overlap before you save.
  • Per-alert and per-policy run history (/api/v1/alerts/{id}/escalation-runs, /api/v1/escalation-policies/{id}/runs).
  • MCP tools for end-to-end automation from Claude.
  • A new Escalation page in the web UI with policy list, level editor, and overlap warnings.
  • Active runs are displayed alongside the alert in the Active alerts view, with their current level and next action time.
  • Runs older than 90 days are purged nightly; active runs are never purged.

Downgrading from Pro to Community deactivates all policies and stops all active runs with stopped_by_edition_downgrade. Re-upgrading restores the previously-active state.

Migration

Existing routing_rules attached to channels are auto-converted to Alert Triggers on first startup (one trigger per rule). Channels that had no rule receive a generated Default — all alerts → {channel name} trigger so that the legacy broadcast behavior is preserved end-to-end.

The legacy endpoints /api/v1/channels/{id}/rules* have been removed.


Security

  • MCP OAuth redirect_uri allowlist (CWE-601). /oauth/authorize now validates the requested redirect_uri against a configured allowlist before redirecting. A new env var MAINTENANT_MCP_ALLOWED_REDIRECT_URIS (comma-separated full URIs) is required when MAINTENANT_MCP_CLIENT_ID / MAINTENANT_MCP_CLIENT_SECRET are set.
  • Email channel hardening. Display names and subjects are sanitized to prevent header injection (CR/LF), and the SMTP client now requires TLS 1.2 as a minimum.
  • CodeQL configuration added at the repo level for continuous static analysis of the Go and TypeScript trees.
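As an added illustration of the email channel hardening above (example code written for these notes, not Maintenant's own email channel), the following Go snippet strips CR/LF and other control characters from display names and subjects before they are placed on a header line, and pins the SMTP client's TLS floor to 1.2. The function names, the sample addresses and the subject line in main are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/mail"
	"strings"
)

// SanitizeHeaderValue removes CR, LF and other control characters from a
// value destined for a single header line. Without this, a display name or
// subject containing "\r\n" would terminate the header and let the rest of
// the value be interpreted as additional headers (e.g. an extra recipient).
func SanitizeHeaderValue(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r == '\r' || r == '\n' || (r < 0x20 && r != '\t') || r == 0x7f {
			continue
		}
		b.WriteRune(r)
	}
	return strings.TrimSpace(b.String())
}

// BuildMessage assembles the header block of an alert email. Every value that
// alert content can influence passes through SanitizeHeaderValue, and both
// addresses must parse as single RFC 5322 addresses.
func BuildMessage(fromName, fromAddr, toAddr, subject, body string) (string, error) {
	for _, a := range []string{fromAddr, toAddr} {
		if _, err := mail.ParseAddress(a); err != nil {
			return "", fmt.Errorf("invalid address %q: %w", a, err)
		}
	}
	from := (&mail.Address{Name: SanitizeHeaderValue(fromName), Address: fromAddr}).String()
	var b strings.Builder
	fmt.Fprintf(&b, "From: %s\r\n", from)
	fmt.Fprintf(&b, "To: %s\r\n", toAddr)
	fmt.Fprintf(&b, "Subject: %s\r\n", SanitizeHeaderValue(subject))
	b.WriteString("MIME-Version: 1.0\r\n")
	b.WriteString("Content-Type: text/plain; charset=utf-8\r\n")
	b.WriteString("\r\n")
	b.WriteString(body)
	return b.String(), nil
}

// HeaderCount returns how many header lines precede the body, which makes it
// easy to verify that an injected CR/LF did not add one.
func HeaderCount(msg string) int {
	head, _, _ := strings.Cut(msg, "\r\n\r\n")
	return strings.Count(head, "\r\n") + 1
}

// SMTPTLSConfig is the client configuration for STARTTLS or implicit TLS;
// MinVersion makes TLS 1.2 the floor, as the release note requires.
func SMTPTLSConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName,
		MinVersion: tls.VersionTLS12,
	}
}

func main() {
	// Constructed input: an alert subject carrying a CR/LF header-injection attempt.
	subject := "Container nginx unhealthy\r\nBcc: someone-else@example.net"
	msg, err := BuildMessage("Maintenant Alerts", "alerts@example.net", "ops@example.net", subject, "details...")
	if err != nil {
		panic(err)
	}
	fmt.Print(msg)
	fmt.Println("header lines:", HeaderCount(msg))
}
```

Stripping rather than rejecting keeps alert delivery working when a container name or error message happens to contain a newline; the important property is that the number of header lines never changes with the content.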

Fixes

  • License cache. The cached license is now loaded during license-manager construction, so IsProEnabled() reflects the persisted state immediately. Pro-gated wiring (escalation runner, maintenance suppressor) is now applied correctly on the first startup, even before the network verification round-trip completes.
  • License grace period. The graceful-degradation path no longer mutates the shared state pointer, eliminating a race where two consecutive checks could blend their messages.
  • Update alerts. When an image update is no longer pending (image was upgraded, container removed, or update tracker reset), the corresponding alert is now resolved automatically.
  • Escalation runner. Maintenance pause condition simplified and made strictly time-based; the runner state machine no longer over-paces during edge transitions.
  • Resource collector noise. The resource: alerts not configured debug log now fires once per container instead of every collection cycle.

Upgrade notes

  1. MCP users: if you have MAINTENANT_MCP_CLIENT_ID / MAINTENANT_MCP_CLIENT_SECRET set, also configure MAINTENANT_MCP_ALLOWED_REDIRECT_URIS with the callback URLs of the clients you allow (e.g. https://claude.ai/api/mcp/auth_callback,http://localhost:33418/oauth/callback). Without it, OAuth authorization requests are rejected.
  2. API consumers of /api/v1/channels/{id}/rules* must migrate to /api/v1/alert-triggers. Existing data is migrated automatically.
  3. No database action required — migrations 18 (escalation policies) and 19 (alert triggers) run on startup.
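The following Go example (written for these notes, not taken from the Maintenant code base) shows the kind of exact-match check the redirect_uri allowlist in the Security section implies, parsing the same comma-separated MAINTENANT_MCP_ALLOWED_REDIRECT_URIS format as upgrade note 1. The function names and the sample request URIs fed to it in main are assumptions; the fallback allowlist value is the one quoted in the upgrade note.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// ParseAllowedRedirectURIs parses the comma-separated value of
// MAINTENANT_MCP_ALLOWED_REDIRECT_URIS into a set of exact absolute URIs.
// Any entry that is not an absolute, fragment-free URI with a host is
// rejected, so a misconfigured allowlist fails at startup, not at authorize time.
func ParseAllowedRedirectURIs(raw string) (map[string]struct{}, error) {
	allowed := make(map[string]struct{})
	for _, entry := range strings.Split(raw, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		u, err := url.Parse(entry)
		if err != nil || !u.IsAbs() || u.Host == "" || u.Fragment != "" {
			return nil, fmt.Errorf("allowlist entry %q is not an absolute, fragment-free URI", entry)
		}
		allowed[u.String()] = struct{}{}
	}
	return allowed, nil
}

// ValidateRedirectURI is the check an authorize endpoint performs before it
// redirects. It requires an exact match against the allowlist: no prefix,
// host-suffix or wildcard matching, and no extra query string or fragment.
func ValidateRedirectURI(allowed map[string]struct{}, requested string) error {
	if len(allowed) == 0 {
		return errors.New("redirect_uri allowlist is empty; refusing all authorization requests")
	}
	u, err := url.Parse(requested)
	if err != nil {
		return fmt.Errorf("redirect_uri is not parseable: %w", err)
	}
	if !u.IsAbs() || u.Host == "" {
		return errors.New("redirect_uri must be an absolute URI")
	}
	if u.Fragment != "" {
		return errors.New("redirect_uri must not contain a fragment")
	}
	if _, ok := allowed[u.String()]; !ok {
		return fmt.Errorf("redirect_uri %q is not in the allowlist", requested)
	}
	return nil
}

func main() {
	raw := os.Getenv("MAINTENANT_MCP_ALLOWED_REDIRECT_URIS")
	if raw == "" {
		// Fallback for a stand-alone run, using the value quoted in the upgrade notes.
		raw = "https://claude.ai/api/mcp/auth_callback,http://localhost:33418/oauth/callback"
	}
	allowed, err := ParseAllowedRedirectURIs(raw)
	if err != nil {
		fmt.Println("config error:", err)
		os.Exit(1)
	}
	// Constructed sample requests: one allowed, three that must be refused.
	for _, req := range []string{
		"https://claude.ai/api/mcp/auth_callback",
		"https://claude.ai/api/mcp/auth_callback?next=x",
		"https://example.net/api/mcp/auth_callback",
		"/api/mcp/auth_callback",
	} {
		fmt.Printf("%-50s -> %v\n", req, ValidateRedirectURI(allowed, req))
	}
}
```

Exact matching is deliberate: an allowlist compared by prefix or by host suffix is the usual way CWE-601 reappears after a fix, and an empty allowlist refusing every request matches the behaviour the upgrade note describes.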

Documentation

Breaking Changes

  • Legacy `/api/v1/channels/{id}/rules*` endpoints removed; migrate to `/api/v1/alert-triggers`.

Security Fixes

  • CVE-2025-XXXXX (CWE-601): MCP OAuth `redirect_uri` is now validated against the allowlist defined by the env var MAINTENANT_MCP_ALLOWED_REDIRECT_URIS.
  • Email channel hardening: header injection prevention via CR/LF sanitization, and a TLS 1.2 minimum for the SMTP client.


About Maintenant: monitor everything with a single container.
