[TTAHUB-5387] Add notification handlers

[thewatermethod]

Description of change

Add handlers for actionable notifications. Note that only a few operations actually require API endpoints, most of the notification CRUD actions will be handled programmatically by triggers

How to test

Confirm that the spec is accurate to the UI expectations. Review the code and the tests.

Issue(s)

• https://jira.acf.gov/browse/TTAHUB-5387

Checklists

Every PR

• Meets issue criteria
• JIRA ticket status updated
• Code is meaningfully tested
• Meets accessibility standards (WCAG 2.1 Levels A, AA)
• API Documentation updated
• Boundary diagram updated
• Logical Data Model updated
• Architectural Decision Records written for major infrastructure decisions
• UI review complete
• QA review complete

Before merge to main

• OHS demo complete
• Ready to create production PR

Production Deploy

• PR created as Draft
• Staging smoke test completed
• PR transitioned to Open (this ready_for_review transition triggers the Slack/Jira automation)
• Reviewer added after the PR is Open (elainaparrish is the authorized approver under normal circumstances)
  • Sequence: Draft PR → Smoke test → Open PR (automation runs) → Add reviewer
  • Confirm that the Slack notification was sent after the PR was opened
  • Confirm that linked Jira ticket(s) transitioned as expected; if not, review the GitHub Actions workflow logs

After merge/deploy

• Update JIRA ticket status

[github-actions]

⚠️ Review count advisory: 0 of 2 required human approvals. 2 more needed.

[github-actions]

⚠️ Diff size advisory: This PR is 2950 lines (2949+, 1−), exceeding the 500-line guideline. Consider splitting into smaller changes.

[Copilot]

Pull request overview

This PR introduces initial backend support for “actionable notifications” by adding an API router + handlers, a notifications authorization policy, and hardening the notification listing query with allowlisted sorting/pagination.

Changes:

• Added /api/.../notifications route module with handlers for listing, updating, and admin creation of global notifications.
• Added Notifications policy (admin-or-owner) and checkNotificationIdParam middleware export + tests.
• Updated getNotifications to allowlist sort fields/directions and added tests for sort fallbacks.

Impact Assessment

• Benefits: Medium — establishes the backend surface area (handlers/policy/service hardening) needed for actionable notifications.
• Risks: High — new routes/handlers have a couple of wiring/data-shape issues that will prevent successful runtime use unless addressed.

Key Issues Noted (severity)

• (high) Notifications router is not mounted in the main API router, so endpoints will be unreachable until wired into src/routes/apiDirectory.js.
• (high) createGlobalNotificationHandler treats triggeredAt as a Date and calls .toISOString(); real JSON request bodies will provide a string, causing a runtime exception.
• (medium) getNotifications pagination parsing allows negative limit/offset values, which can cause Sequelize errors or inconsistent behavior.
• (medium) Policy/tests model “global notification” as userId: undefined, but persisted global notifications use userId: null.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
src/services/types/notifications.ts	Tweaks notification type alias to a direct indexed lookup of NOTIFICATION_TYPES values.
src/services/notifications.ts	Adds allowlisted sort fields/directions and clamps/normalizes pagination inputs (partially).
src/services/notifications.test.js	Adds tests for allowed sort and sort fallback behavior.
src/routes/notifications/index.ts	Adds notifications router (POST admin global create, PUT update, GET list).
src/routes/notifications/handlers.ts	Adds handlers for list/update/admin global create.
src/routes/notifications/handlers.test.ts	Adds unit tests for the new handlers (mocked services/models).
src/policies/notifications.ts	Adds Notifications policy (admin-or-owner update authorization).
src/policies/notifications.test.ts	Adds unit tests for the Notifications policy.
src/middleware/checkIdParamMiddleware.js	Exposes checkNotificationIdParam helper.
src/middleware/checkIdParamMiddleware.test.js	Adds tests for checkNotificationIdParam.

[AdamAdHocTeam]

Overall looks good might need minor tweaks as we implement it on the FE but overall good.

AI says (but might just be a result of what we are starting out with implementing):

High — Undefined keys in NOTIFICATION_TYPE_MAP
notificationType.ts

The trainingReport and other buckets reference keys that do not exist in NOTIFICATION_TYPES (e.g., TRAINING_REPORT_POC_ADDED_DIGEST, COMMUNICATION_LOG_TTA_STAFF_ADDED_DIGEST, etc.). Since constants.js defines no digest types, these all evaluate to undefined at runtime. That means Op.in queries will contain undefined values, which can generate invalid SQL or silently corrupt filtering.

The coverage test only checks in one direction (every NOTIFICATION_TYPES value is in a bucket), so it won't catch these extra undefined entries.

Fix: Either add the missing digest enum keys to NOTIFICATION_TYPES / the migration's enum array, or remove the undefined references from the map until those types are defined.

[kryswisnaskas]

Could we match the spec and make this a real upsert instead of findOne followed by create/update? My concern is that, even inside the request transaction, the current read then write flow can still race under concurrent requests and fail on the unique constraint rather than behaving like an atomic upsert.

[thewatermethod]

@kryswisnaskas I can if you want, but I was told that Sequelize + Postgres runs the upsert (really an insert... on conflict do nothing) outside of the transaction wrapper. That's why we converted all our upserts to this pattern years ago