fix(notification-service): resolve NotificationService-010,011,012 — disconnect SMTP on failure, relocate exception type, OAuth2/token-cache test coverage

code-reviews/NotificationService/findings.md

@@ -8,7 +8,7 @@
 | Last reviewed | 2026-05-16 |
 | Reviewer | claude-agent |
 | Commit reviewed | `9c60592` |
-| Open findings | 3 |
+| Open findings | 0 |
 
 ## Summary
 
@@ -360,7 +360,7 @@ under NotificationService-009.
 |--|--|
 | Severity | Low |
 | Category | Performance & resource management |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.NotificationService/NotificationDeliveryService.cs:121-154` |
 
 **Description**
@@ -373,7 +373,16 @@ Move disconnect/dispose into a `finally` block (or use `await using` once `ISmtp
 
 **Resolution**
 
-_Unresolved._
+Resolved 2026-05-16 (commit pending). Root cause confirmed against the current source:
+`DeliverAsync` invoked `smtp.DisconnectAsync` only on the success path inside the `try`
+block, so a failed `Connect`/`Authenticate`/`Send` left the connection open until
+finalization. `DisconnectAsync` was moved into the existing `finally` block (which also
+releases the NS-007 concurrency slot), so the SMTP connection is always torn down
+regardless of outcome. The disconnect is best-effort — wrapped in its own `try/catch` that
+logs at debug level — so a disconnect failure (e.g. the connection is already dead) cannot
+mask the original delivery exception. Regression tests
+`Send_TransientFailureDuringSend_StillDisconnectsClient` and
+`Send_FailureDuringAuthenticate_StillDisconnectsClient`.
 
 ### NotificationService-011 — `SmtpPermanentException` declared in the wrong file; module conventions
 
@@ -381,7 +390,7 @@ _Unresolved._
 |--|--|
 | Severity | Low |
 | Category | Code organization & conventions |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.NotificationService/NotificationDeliveryService.cs:173-177`, `src/ScadaLink.Commons/Entities/Notifications/SmtpConfiguration.cs:5-15` |
 
 **Description**
@@ -394,7 +403,22 @@ Move `SmtpPermanentException` to its own file. For `SmtpConfiguration`, either k
 
 **Resolution**
 
-_Unresolved._
+Resolved 2026-05-16 (commit pending). Both issues confirmed against source.
+
+1. **`SmtpPermanentException` placement (in scope — fixed).** The public exception type
+   was extracted from the bottom of `NotificationDeliveryService.cs` into its own file,
+   `src/ScadaLink.NotificationService/SmtpPermanentException.cs`, restoring the
+   one-type-per-file layout. No behaviour change, so no dedicated regression test — the
+   move is verified by the module test suite still compiling and passing (56 tests green).
+2. **`SmtpConfiguration` non-nullable strings (out of scope — re-triaged).**
+   `SmtpConfiguration` lives in `src/ScadaLink.Commons`, which is outside the
+   NotificationService module's edit scope; it cannot be changed here. This is the same
+   Commons entity already flagged for follow-up under **NotificationService-013**
+   (Deferred). The `required`-members / documented-constructor change should be folded into
+   that Commons/ConfigurationDatabase-scoped work. Note the delivery service's actual risk
+   is bounded: `SendAsync`/`DeliverBufferedAsync` already validate `TlsMode` and addresses
+   up front (NS-005/NS-008), and a null `Host`/`AuthType` from a malformed config row
+   surfaces as a classified/clean failure rather than silent corruption.
 
 ### NotificationService-012 — Test coverage gaps: OAuth2 delivery path, permanent-classification fallback, token-cache concurrency
 
@@ -402,7 +426,7 @@ _Unresolved._
 |--|--|
 | Severity | Low |
 | Category | Testing coverage |
-| Status | Open |
+| Status | Resolved |
 | Location | `tests/ScadaLink.NotificationService.Tests/NotificationDeliveryServiceTests.cs`, `tests/ScadaLink.NotificationService.Tests/OAuth2TokenServiceTests.cs` |
 
 **Description**
@@ -415,4 +439,29 @@ Add tests for: OAuth2-authenticated send with a mocked `OAuth2TokenService`; the
 
 **Resolution**
 
-_Unresolved._
+Resolved 2026-05-16 (commit pending). Each listed gap was re-triaged against the current
+source (the module was substantially rewritten by NS-001..009 since this finding was
+filed) and the genuinely-missing tests were added:
+
+1. **OAuth2 delivery path (gap real — covered).** New test
+   `Send_OAuth2Config_AuthenticatesWithResolvedAccessToken` drives `DeliverAsync` with an
+   `oauth2` `SmtpConfiguration` and a real `OAuth2TokenService` (mocked `IHttpClientFactory`),
+   asserting the SMTP client is authenticated with the *resolved access token*, not the raw
+   `tenant:client:secret` triple.
+2. **5xx-message permanent fallback (gap obsolete — re-triaged).** The substring-based
+   permanent fallback this item describes no longer exists: NS-003 replaced message-text
+   matching with typed-exception/`SmtpStatusCode` classification. The equivalent path is
+   already covered by `Send_Smtp5xxCommandException_ClassifiedPermanent`, and
+   `Send_NonSmtpExceptionWith5xxLookalikeText_NotPromotedToPermanent` proves a "5xx
+   lookalike" message is no longer promoted. No new test needed for a removed branch.
+3. **Token expiry/refresh and concurrent acquisition (gaps real — covered).** New tests
+   `GetTokenAsync_ExpiredToken_RefreshesOnNextCall` (uses `expires_in: 60` so the token is
+   stale immediately given the 60s refresh margin) and
+   `GetTokenAsync_ConcurrentCalls_MakeExactlyOneHttpRequest` (20 racing callers collapse to
+   a single token fetch, exercising the per-credential double-checked lock).
+4. **End-to-end buffer-and-retry (gap already closed — re-triaged).** The
+   buffer-then-retry-then-deliver round trip was added when NS-001 was resolved
+   (`DeliverBuffered_HappyPath_ReturnsTrue`, `DeliverBuffered_ListNoLongerExists_…`, plus
+   `AkkaHostedService` handler registration), so no further test is required here.
+
+Module test suite is green at 56 tests.