fix(typescript): support alphabetical body param sorting in webhook signature verification

[iamnamananand996]

Description

Linear ticket: Refs FER-8948

The TypeScript SDK generator's WebhooksHelperGenerator now handles the bodySort: ALPHABETICAL field on WebhookPayloadFormat in the IR. When a provider's webhook signing algorithm requires POST body parameters to be sorted alphabetically by key before computing the HMAC signature, the generated verifySignature method now supports this.

Changes Made

• WebhooksHelperGenerator.ts:
  • buildHmacParameters: When bodySort is set, the requestBody parameter type changes from string to string | Record<string, string>
  • addPayloadConstruction: When bodySort is set, generates a runtime typeof check that either uses the raw string or sorts Record keys alphabetically and concatenates key + value pairs
  • buildJsDoc: Adds documentation about the dual-type requestBody parameter when bodySort is present
• WebhooksHelperGenerator.test.ts: 3 new test cases (BODY-only with bodySort, NOTIFICATION_URL + BODY with bodySort, JSDoc generation)
• versions.yml: Added changelog entry for v3.61.0-rc.1 (fix, irVersion 66)

Review Checklist

• Sorting expression correctness: The generated code is Object.keys(requestBody).sort().map(key => key + requestBody[key]).join(""). Params sorted alphabetically by key, each key+value concatenated (no separator between pairs). Verify this matches the expected signing spec.
• Backwards compatibility: When bodySort is undefined (all existing webhook configs), the generated code is byte-for-byte identical to before — no type change, no sorting logic. Existing snapshots are unchanged.
• bodySort property access: Accessed directly from config.payloadFormat.bodySort using the native IR SDK type — no local type extensions or casts.

Testing

• Unit tests added: 3 new tests covering BODY-only payload with bodySort, NOTIFICATION_URL + BODY payload, and JSDoc generation
• Snapshot tests updated (2 new snapshots)
• All 62 CI checks pass (compile, test, lint, biome, depcheck, seed tests, etc.)
• No e2e testing — changes validated via unit/snapshot tests only

Link to Devin session: https://app.devin.ai/sessions/e1333475cf904a6e98026ecfaa106ad9
Requested by: @iamnamananand996

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[github-actions]

SDK Generation Benchmark Results

Comparing PR branch against latest nightly baseline on main (2026-04-09T04:46:50Z).

Full benchmark table (click to expand)

Generator	Spec	main (generator)	main (E2E)	PR (generator)	Delta
ts-sdk	square	98s	134s	99s	+1s (+1.0%)

main (generator): generator-only time via --skip-scripts (includes Docker image build, container startup, IR parsing, and code generation — this is the same Docker-based flow customers use via fern generate). main (E2E): full customer-observable time including build/test scripts (nightly baseline, informational). Delta is computed against generator-only baseline.
⚠️ = generation exited with a non-zero exit code (timing may not reflect a successful run).
Baseline from nightly runs on main (latest: 2026-04-09T04:46:50Z). Trigger benchmark-baseline to refresh.