Operator Emails
Configure and troubleshoot Resend or AWS SES operator notifications.
Vaulthalla can send operator email through Resend or AWS SES. The runtime uses this channel for watchdog alerts, weekly digests, and security notifications.
Configuration
Enable the email provider in config.yaml and store provider credentials with vh email provider ... set. Do not put API keys, SES access keys, or secret keys in .env files or provider credential files.
Minimal recipient shape:
```yaml
email:
  enabled: true
  provider: resend
  from: "Vaulthalla <[email protected]>"
  base_url: "https://vault.example.com"

operator_emails:
  enabled: true
  recipients:
    alerts:
      - [email protected]
    weekly:
      - [email protected]
    security:
      - [email protected]
```
Set email.provider to resend, ses, or none in config.yaml. Provider credentials are stored through:
```sh
vh email provider resend set
vh email provider ses set
```
Validation and smoke checks:
```sh
vh email doctor
vh email test --dry-run
vh email test --send --to [email protected]
vh email history --limit 100
```
Notification Types
Watchdog alerts use operator_emails.recipients.alerts and are deduped/rate-limited by runtime health fingerprint.
Weekly digests use operator_emails.recipients.weekly and are deduped by week start.
Security alerts use operator_emails.recipients.security. Admin role create, update, and delete events are emitted from both the shell command path and websocket handler path after the database mutation succeeds.
Security alert controls:
```yaml
operator_emails:
  security_alerts:
    enabled: true
    admin_role_changes: true
```
Privacy
Operator emails should never include raw secrets, provider credentials, auth tokens, session tokens, share tokens, raw IP addresses, or user agents.
Admin role security alerts include only the action, role id/name/description, a capped permission flag summary, actor username/user id, source path, timestamp, instance name, and optional base URL.
Troubleshooting
If no email is sent, check vh email doctor, then inspect vh email history --limit 100. Disabled email, provider none, missing recipients, missing secrets manager, and provider failures are recorded as suppressed or failed delivery attempts.
If security alerts are missing, confirm operator_emails.enabled, operator_emails.security_alerts.enabled, operator_emails.security_alerts.admin_role_changes, and at least one operator_emails.recipients.security recipient.
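The checks from the two troubleshooting paragraphs above can be run as a preflight against a parsed config. This is an added example, not Vaulthalla code: it assumes config.yaml has already been loaded into a Python dict by a YAML parser, the function names are hypothetical, and absent keys are reported rather than defaulted because the page does not state defaults.

```python
# Constructed sample of a parsed config.yaml (values are illustrative).
SAMPLE = {
    "email": {"enabled": True, "provider": "resend"},
    "operator_emails": {
        "enabled": True,
        "recipients": {"alerts": ["ops@example.com"], "security": []},
        "security_alerts": {"enabled": True},
    },
}
_MISSING = object()
REQUIRED_TRUE = (
    "email.enabled",
    "operator_emails.enabled",
    "operator_emails.security_alerts.enabled",
    "operator_emails.security_alerts.admin_role_changes",
)


def lookup(cfg, dotted):
    """Walk a dotted key path; return _MISSING if any level is absent."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def security_alert_findings(cfg):
    """List the reasons an admin-role security alert would not be delivered."""
    findings = []
    for key in REQUIRED_TRUE:
        value = lookup(cfg, key)
        if value is _MISSING:
            # Assumption: an absent key is reported rather than defaulted.
            findings.append(f"{key} is not set")
        elif value is not True:
            findings.append(f"{key} is {value!r}, expected true")
    provider = lookup(cfg, "email.provider")
    if provider not in ("resend", "ses"):
        shown = "not set" if provider is _MISSING else repr(provider)
        findings.append(f"email.provider is {shown}, expected resend or ses")
    recipients = lookup(cfg, "operator_emails.recipients.security")
    if not isinstance(recipients, list) or not any(
        isinstance(r, str) and r.strip() for r in recipients
    ):
        findings.append("operator_emails.recipients.security has no recipient")
    return findings
```

An empty result means every setting named above is present; provider credentials and delivery failures still need vh email doctor and vh email history.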
