feat(notify): Phase 2.5 — Notifier Telegram + Resend email

- internal/notify: Telegram (POST /sendMessage) et Resend email (POST /emails)
- Credentials lus depuis env vars (telegramBaseURL/resendBaseURL overridables en test)
- No-op gracieux quand token/key absents
- 5 tests unitaires avec httptest.Server

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/notify/notifier.go

@@ -0,0 +1,113 @@
+// Package notify sends operational alerts via Telegram and Resend email.
+// Credentials are read exclusively from environment variables — never from
+// the config file or source code.
+package notify
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os"
+	"time"
+
+	"forge.secuaas.ovh/olivier/claude-failover/internal/config"
+)
+
+// Notifier dispatches alerts to configured sinks.
+// All methods are safe to call when credentials are absent — they become no-ops.
+type Notifier struct {
+	telegramToken   string
+	telegramChatID  string
+	resendAPIKey    string
+	notifyEmail     string
+	httpClient      *http.Client
+	telegramBaseURL string // override in tests
+	resendBaseURL   string // override in tests
+}
+
+// New creates a Notifier, reading credentials from the environment variables
+// named in cfg.Notifications.
+func New(cfg *config.Config) *Notifier {
+	n := &Notifier{
+		httpClient:      &http.Client{Timeout: 10 * time.Second},
+		telegramBaseURL: "https://api.telegram.org",
+		resendBaseURL:   "https://api.resend.com",
+	}
+	if cfg.Notifications.TelegramTokenEnv != "" {
+		n.telegramToken = os.Getenv(cfg.Notifications.TelegramTokenEnv)
+	}
+	if cfg.Notifications.TelegramChatIDEnv != "" {
+		n.telegramChatID = os.Getenv(cfg.Notifications.TelegramChatIDEnv)
+	}
+	if cfg.Notifications.ResendAPIKeyEnv != "" {
+		n.resendAPIKey = os.Getenv(cfg.Notifications.ResendAPIKeyEnv)
+	}
+	n.notifyEmail = "admin@example.com"
+	if cfg.Notifications.NotifyEmailEnv != "" {
+		if v := os.Getenv(cfg.Notifications.NotifyEmailEnv); v != "" {
+			n.notifyEmail = v
+		}
+	}
+	return n
+}
+
+// Telegram sends msg to the configured Telegram chat.
+// Returns nil (no-op) when token or chat ID is not configured.
+func (n *Notifier) Telegram(msg string) error {
+	if n.telegramToken == "" || n.telegramChatID == "" {
+		return nil
+	}
+	url := fmt.Sprintf("%s/bot%s/sendMessage", n.telegramBaseURL, n.telegramToken)
+	body := map[string]string{
+		"chat_id":    n.telegramChatID,
+		"text":       msg,
+		"parse_mode": "HTML",
+	}
+	data, _ := json.Marshal(body)
+	resp, err := n.httpClient.Post(url, "application/json", bytes.NewReader(data))
+	if err != nil {
+		return fmt.Errorf("telegram: %w", err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode >= 400 {
+		return fmt.Errorf("telegram: HTTP %d", resp.StatusCode)
+	}
+	return nil
+}
+
+// Email sends an HTML email via the Resend API.
+// Returns nil (no-op) when the API key is not configured.
+func (n *Notifier) Email(subject, htmlBody string) error {
+	if n.resendAPIKey == "" {
+		return nil
+	}
+	type emailReq struct {
+		From    string   `json:"from"`
+		To      []string `json:"to"`
+		Subject string   `json:"subject"`
+		HTML    string   `json:"html"`
+	}
+	payload := emailReq{
+		From:    "Orchestrator <noreply@example.com>",
+		To:      []string{n.notifyEmail},
+		Subject: subject,
+		HTML:    htmlBody,
+	}
+	data, _ := json.Marshal(payload)
+	req, err := http.NewRequest(http.MethodPost, n.resendBaseURL+"/emails", bytes.NewReader(data))
+	if err != nil {
+		return fmt.Errorf("email: build request: %w", err)
+	}
+	req.Header.Set("Authorization", "Bearer "+n.resendAPIKey)
+	req.Header.Set("Content-Type", "application/json")
+	resp, err := n.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("email: %w", err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode >= 400 {
+		return fmt.Errorf("email: HTTP %d", resp.StatusCode)
+	}
+	return nil
+}