Use strategy Telegram alert target for workflow alerts

Author: Pigbibi

.github/workflows/execution-report-heartbeat.yml

@@ -52,6 +52,9 @@ jobs:
       CLOUD_RUN_SERVICES: ${{ vars.CLOUD_RUN_SERVICES }}
       CLOUD_RUN_SERVICE_TARGETS_JSON: ${{ vars.CLOUD_RUN_SERVICE_TARGETS_JSON }}
       GLOBAL_TELEGRAM_CHAT_ID: ${{ vars.GLOBAL_TELEGRAM_CHAT_ID }}
+      STRATEGY_PLUGIN_ALERT_TELEGRAM_CHAT_IDS: ${{ vars.STRATEGY_PLUGIN_ALERT_TELEGRAM_CHAT_IDS }}
+      STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN: ${{ secrets.STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN }}
+      STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN_SECRET_NAME: ${{ vars.STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN_SECRET_NAME }}
       TELEGRAM_TOKEN: ${{ secrets.TELEGRAM_TOKEN }}
       TELEGRAM_TOKEN_SECRET_NAME: ${{ vars.TELEGRAM_TOKEN_SECRET_NAME }}
     steps:

.github/workflows/runtime-guard.yml

@@ -55,6 +55,9 @@ jobs:
       CLOUD_RUN_SERVICES: ${{ vars.CLOUD_RUN_SERVICES }}
       CLOUD_RUN_SERVICE_TARGETS_JSON: ${{ vars.CLOUD_RUN_SERVICE_TARGETS_JSON }}
       GLOBAL_TELEGRAM_CHAT_ID: ${{ vars.GLOBAL_TELEGRAM_CHAT_ID }}
+      STRATEGY_PLUGIN_ALERT_TELEGRAM_CHAT_IDS: ${{ vars.STRATEGY_PLUGIN_ALERT_TELEGRAM_CHAT_IDS }}
+      STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN: ${{ secrets.STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN }}
+      STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN_SECRET_NAME: ${{ vars.STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN_SECRET_NAME }}
       TELEGRAM_TOKEN: ${{ secrets.TELEGRAM_TOKEN }}
       TELEGRAM_TOKEN_SECRET_NAME: ${{ vars.TELEGRAM_TOKEN_SECRET_NAME }}
     steps:

scripts/cloud_run_runtime_guard.py

@@ -182,9 +182,6 @@ def _summarize(entry: dict[str, Any]) -> str:
     suffix = f" {text}" if text else ""
     return f"- {timestamp} {target or '<unknown>'} severity={severity}{status_text}{suffix}"
 
-
-
-
 def _telegram_secret_project() -> str | None:
     return (
         os.environ.get("RUNTIME_HEARTBEAT_GCP_PROJECT_ID")
@@ -194,42 +191,76 @@ def _telegram_secret_project() -> str | None:
     )
 
 
-def _load_telegram_token_from_secret() -> str:
-    secret_name = (os.environ.get("TELEGRAM_TOKEN_SECRET_NAME") or "").strip()
+def _load_telegram_token_from_secret(secret_env_name: str) -> str:
+    secret_name = (os.environ.get(secret_env_name) or "").strip()
     if not secret_name:
         return ""
-    command = ["gcloud", "secrets", "versions", "access", "latest", "--secret", secret_name]
+    command = [
+        "gcloud",
+        "secrets",
+        "versions",
+        "access",
+        "latest",
+        "--secret",
+        secret_name,
+    ]
     project = _telegram_secret_project()
     if project:
         command.extend(["--project", project])
     result = _run_gcloud(command)
     if result.returncode != 0:
         detail = (result.stderr or result.stdout or "").strip()
         print(
-            f"Unable to read Telegram token from Secret Manager: {detail or 'gcloud failed'}",
+            f"Unable to read Telegram token from {secret_env_name}: "
+            f"{detail or 'gcloud failed'}",
             file=sys.stderr,
         )
         return ""
     return result.stdout.strip()
 
 
-def _telegram_token() -> str:
-    direct_token = (os.environ.get("TELEGRAM_TOKEN") or os.environ.get("TG_TOKEN") or "").strip()
-    if direct_token:
-        return direct_token
-    return _load_telegram_token_from_secret()
+def _first_env_value(*names: str) -> str:
+    for name in names:
+        value = (os.environ.get(name) or "").strip()
+        if value:
+            return value
+    return ""
 
-def _send_telegram(message: str) -> bool:
-    targets: list[tuple[str, str]] = []
 
-    token = _telegram_token()
-    for chat_id in _split_values(os.environ.get("GLOBAL_TELEGRAM_CHAT_ID")):
-        if token:
-            targets.append((token, chat_id))
+def _telegram_targets() -> list[tuple[str, str]]:
+    strategy_chat_ids = _split_values(
+        os.environ.get("STRATEGY_PLUGIN_ALERT_TELEGRAM_CHAT_IDS")
+    )
+    if strategy_chat_ids:
+        strategy_token = _first_env_value("STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN")
+        if not strategy_token:
+            strategy_token = _load_telegram_token_from_secret(
+                "STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN_SECRET_NAME"
+            )
+        if strategy_token:
+            return list(
+                dict.fromkeys((strategy_token, chat_id) for chat_id in strategy_chat_ids)
+            )
+        return []
+
+    token = _first_env_value("TELEGRAM_TOKEN", "TG_TOKEN")
+    if not token:
+        token = _load_telegram_token_from_secret("TELEGRAM_TOKEN_SECRET_NAME")
+    targets = [
+        (token, chat_id)
+        for chat_id in _split_values(os.environ.get("GLOBAL_TELEGRAM_CHAT_ID"))
+        if token
+    ]
+    return list(dict.fromkeys(targets))
+
 
-    unique_targets = list(dict.fromkeys(targets))
+def _send_telegram(message: str) -> bool:
+    unique_targets = _telegram_targets()
     if not unique_targets:
-        print("No Telegram token/chat configured; unable to send runtime guard alert.", file=sys.stderr)
+        print(
+            "No Telegram token/chat configured; unable to send runtime guard alert.",
+            file=sys.stderr,
+        )
         return False
 
     ok = True

scripts/execution_report_heartbeat.py

@@ -665,9 +665,6 @@ def _is_accepted_report(payload: dict[str, Any]) -> tuple[bool, str]:
         return True, "report exists"
     return False, f"unaccepted status={status or '-'} stage={stage or '-'}"
 
-
-
-
 def _telegram_secret_project() -> str | None:
     return (
         os.environ.get("RUNTIME_HEARTBEAT_GCP_PROJECT_ID")
@@ -677,43 +674,80 @@ def _telegram_secret_project() -> str | None:
     )
 
 
-def _load_telegram_token_from_secret() -> str:
-    secret_name = (os.environ.get("TELEGRAM_TOKEN_SECRET_NAME") or "").strip()
+def _load_telegram_token_from_secret(secret_env_name: str) -> str:
+    secret_name = (os.environ.get(secret_env_name) or "").strip()
     if not secret_name:
         return ""
-    command = ["gcloud", "secrets", "versions", "access", "latest", "--secret", secret_name]
+    command = [
+        "gcloud",
+        "secrets",
+        "versions",
+        "access",
+        "latest",
+        "--secret",
+        secret_name,
+    ]
     project = _telegram_secret_project()
     if project:
         command.extend(["--project", project])
     result = _run_gcloud(command)
     if result.returncode != 0:
         detail = (result.stderr or result.stdout or "").strip()
         print(
-            f"Unable to read Telegram token from Secret Manager: {detail or 'gcloud failed'}",
+            f"Unable to read Telegram token from {secret_env_name}: "
+            f"{detail or 'gcloud failed'}",
             file=sys.stderr,
         )
         return ""
     return result.stdout.strip()
 
 
-def _telegram_token() -> str:
-    direct_token = (os.environ.get("TELEGRAM_TOKEN") or os.environ.get("TG_TOKEN") or "").strip()
-    if direct_token:
-        return direct_token
-    return _load_telegram_token_from_secret()
+def _first_env_value(*names: str) -> str:
+    for name in names:
+        value = (os.environ.get(name) or "").strip()
+        if value:
+            return value
+    return ""
+
+
+def _telegram_targets() -> list[tuple[str, str]]:
+    strategy_chat_ids = _split_values(
+        os.environ.get("STRATEGY_PLUGIN_ALERT_TELEGRAM_CHAT_IDS")
+    )
+    if strategy_chat_ids:
+        strategy_token = _first_env_value("STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN")
+        if not strategy_token:
+            strategy_token = _load_telegram_token_from_secret(
+                "STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN_SECRET_NAME"
+            )
+        if strategy_token:
+            return list(
+                dict.fromkeys((strategy_token, chat_id) for chat_id in strategy_chat_ids)
+            )
+        return []
+
+    token = _first_env_value("TELEGRAM_TOKEN", "TG_TOKEN")
+    if not token:
+        token = _load_telegram_token_from_secret("TELEGRAM_TOKEN_SECRET_NAME")
+    targets = [
+        (token, chat_id)
+        for chat_id in _split_values(os.environ.get("GLOBAL_TELEGRAM_CHAT_ID"))
+        if token
+    ]
+    return list(dict.fromkeys(targets))
+
 
 def _send_telegram(message: str) -> bool:
-    targets: list[tuple[str, str]] = []
-    token = _telegram_token()
-    for chat_id in _split_values(os.environ.get("GLOBAL_TELEGRAM_CHAT_ID")):
-        if token:
-            targets.append((token, chat_id))
-    unique_targets = list(dict.fromkeys(targets))
+    unique_targets = _telegram_targets()
     if not unique_targets:
-        print("No Telegram token/chat configured; unable to send heartbeat alert.", file=sys.stderr)
+        print(
+            "No Telegram token/chat configured; unable to send heartbeat alert.",
+            file=sys.stderr,
+        )
         return False
-    base_url = "https://api.telegram.org"
+
     ok = True
+    base_url = "https://api.telegram.org"
     for token_value, chat_id in unique_targets:
         body = urllib.parse.urlencode({"chat_id": chat_id, "text": message}).encode()
         request = urllib.request.Request(
@@ -723,7 +757,9 @@ def _send_telegram(message: str) -> bool:
         )
         try:
             with urllib.request.urlopen(request, timeout=15) as response:
-                ok = ok and response.status < 400
+                if response.status >= 400:
+                    ok = False
+                    print(f"Telegram returned HTTP {response.status}", file=sys.stderr)
         except Exception as exc:  # noqa: BLE001
             ok = False
             print(f"Telegram send failed: {type(exc).__name__}", file=sys.stderr)

tests/test_cloud_run_runtime_guard.py

@@ -15,29 +15,48 @@ def test_scheduler_job_pattern_includes_service_alias():
     assert re.search(pattern, "interactive-brokers-live-u1599-tqqq-scheduler")
     assert not re.search(pattern, "interactive-brokers-live-u1660-soxl-scheduler")
 
-def test_telegram_token_falls_back_to_secret_manager(monkeypatch):
+def test_telegram_targets_prefer_strategy_plugin_alert_secret(monkeypatch):
     monkeypatch.delenv("TELEGRAM_TOKEN", raising=False)
     monkeypatch.delenv("TG_TOKEN", raising=False)
+    monkeypatch.delenv("STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN", raising=False)
+    monkeypatch.setenv(
+        "STRATEGY_PLUGIN_ALERT_TELEGRAM_CHAT_IDS",
+        "strategy-chat; backup-chat",
+    )
+    monkeypatch.setenv(
+        "STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN_SECRET_NAME",
+        "strategy-plugin-telegram-token",
+    )
+    monkeypatch.setenv("GLOBAL_TELEGRAM_CHAT_ID", "platform-chat")
     monkeypatch.setenv("TELEGRAM_TOKEN_SECRET_NAME", "platform-telegram-token")
     monkeypatch.setenv("GCP_PROJECT_ID", "interactivebrokersquant")
-    observed = {}
+    observed = []
 
     def fake_run_gcloud(command):
-        observed["command"] = command
-        return subprocess.CompletedProcess(command, 0, stdout="secret-token\n", stderr="")
+        observed.append(command)
+        return subprocess.CompletedProcess(
+            command,
+            0,
+            stdout="strategy-token\n",
+            stderr="",
+        )
 
     monkeypatch.setattr(guard, "_run_gcloud", fake_run_gcloud)
 
-    assert guard._telegram_token() == "secret-token"
-    assert observed["command"] == [
-        "gcloud",
-        "secrets",
-        "versions",
-        "access",
-        "latest",
-        "--secret",
-        "platform-telegram-token",
-        "--project",
-        "interactivebrokersquant",
+    assert guard._telegram_targets() == [
+        ("strategy-token", "strategy-chat"),
+        ("strategy-token", "backup-chat"),
+    ]
+    assert observed == [
+        [
+            "gcloud",
+            "secrets",
+            "versions",
+            "access",
+            "latest",
+            "--secret",
+            "strategy-plugin-telegram-token",
+            "--project",
+            "interactivebrokersquant",
+        ]
     ]
-

tests/test_execution_report_heartbeat.py

@@ -334,29 +334,48 @@ def test_main_skips_when_runtime_target_is_disabled(monkeypatch, capsys):
     assert "Execution report heartbeat skipped for Disabled runtime" in output
     assert "runtime target is disabled" in output
 
-def test_telegram_token_falls_back_to_secret_manager(monkeypatch):
+def test_telegram_targets_prefer_strategy_plugin_alert_secret(monkeypatch):
     monkeypatch.delenv("TELEGRAM_TOKEN", raising=False)
     monkeypatch.delenv("TG_TOKEN", raising=False)
+    monkeypatch.delenv("STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN", raising=False)
+    monkeypatch.setenv(
+        "STRATEGY_PLUGIN_ALERT_TELEGRAM_CHAT_IDS",
+        "strategy-chat; backup-chat",
+    )
+    monkeypatch.setenv(
+        "STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN_SECRET_NAME",
+        "strategy-plugin-telegram-token",
+    )
+    monkeypatch.setenv("GLOBAL_TELEGRAM_CHAT_ID", "platform-chat")
     monkeypatch.setenv("TELEGRAM_TOKEN_SECRET_NAME", "platform-telegram-token")
     monkeypatch.setenv("GCP_PROJECT_ID", "interactivebrokersquant")
-    observed = {}
+    observed = []
 
     def fake_run_gcloud(command):
-        observed["command"] = command
-        return subprocess.CompletedProcess(command, 0, stdout="secret-token\n", stderr="")
+        observed.append(command)
+        return subprocess.CompletedProcess(
+            command,
+            0,
+            stdout="strategy-token\n",
+            stderr="",
+        )
 
     monkeypatch.setattr(heartbeat, "_run_gcloud", fake_run_gcloud)
 
-    assert heartbeat._telegram_token() == "secret-token"
-    assert observed["command"] == [
-        "gcloud",
-        "secrets",
-        "versions",
-        "access",
-        "latest",
-        "--secret",
-        "platform-telegram-token",
-        "--project",
-        "interactivebrokersquant",
+    assert heartbeat._telegram_targets() == [
+        ("strategy-token", "strategy-chat"),
+        ("strategy-token", "backup-chat"),
+    ]
+    assert observed == [
+        [
+            "gcloud",
+            "secrets",
+            "versions",
+            "access",
+            "latest",
+            "--secret",
+            "strategy-plugin-telegram-token",
+            "--project",
+            "interactivebrokersquant",
+        ]
     ]
-