feat: add knock-webhooks skill#64
Merged
Merged
Conversation
Adds receive/verify skill for Knock outbound webhooks. Knock signs with
HMAC-SHA256 (base64) over `${timestamp_ms}.${raw_body}` and ships it in a
single `x-knock-signature: t=<ms>,s=<sig>` header — the timestamp is in
**milliseconds**, an explicit deviation from Stripe that silently breaks any
ported Stripe verifier. Includes Express, Next.js (App Router), and FastAPI
examples with regression tests that reject seconds-based signatures, plus
references covering the full 23-event taxonomy.
https://claude.ai/code/session_01NNTgQRJss1V7gyzzJ9rjnB
…ketplace.json
- README.md: add Knock row (alphabetically between Intercom and Linear), linkified to docs, flagging the millisecond-timestamp deviation in the description so reviewers don't miss it
- providers.yaml: add knock entry with HMAC-SHA256/base64 over `{timestamp_ms}.{body}` scheme, the full 23-event taxonomy across 6 categories, prominent ms-vs-seconds gotcha, and the explicit "no SDK helper" note (confirmed by reading @knocklabs/node v1.32.0 + knockapi v1.25.0 source — neither exposes a verify/unwrap/constructEvent function for inbound webhooks). No `sdks` field — the verification path is purely stdlib HMAC; the official SDKs aren't pulled into example dependencies.
- .claude-plugin/marketplace.json: add `knock-webhooks` plugin entry alphabetically and append `./skills/knock-webhooks` to the `webhook-skills` bundle (bundle now lists 39 skill paths).
Skill content (skills/knock-webhooks/) landed in the previous commit via the generator. Tests pass on Express, Next.js, and FastAPI. The verification reference prominently calls out the milliseconds-vs-seconds foot-gun for anyone porting from a Stripe verifier.
https://claude.ai/code/session_01NNTgQRJss1V7gyzzJ9rjnB
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a complete
knock-webhooksprovider skill for Knock (notification infrastructure). Manual HMAC-SHA256 verification with the unusual{timestamp_ms}.{body}signed content — the timestamps are milliseconds, not seconds (Knock's explicit deviation from Stripe's scheme).What's included
skills/knock-webhooks/SKILL.md— entry point with frontmatter and verification coreskills/knock-webhooks/references/— overview (full 23-event taxonomy across 6 categories), setup (dashboard config + per-endpoint secret), verification (algorithm,skills/knock-webhooks/examples/— Express, Next.js App Router, FastAPI handlers + tests (all manual stdlib HMAC; no third-party verification library pulled in)README.md,providers.yaml,.claude-plugin/marketplace.json(as a standalone plugin and added to thewebhook-skillsbundle, now 39 skills)Notes
x-knock-signature: t=<timestamp_ms>,s=<base64-hmac-sha256>{timestamp_ms}.{raw-body}(literal period separator). Pass the raw request body; don't JSON.parse and re-serialize.300_000ms). The skill's verification reference recommends checking this on top of the signature.references/verification.mdcalls this out with a dedicated section.@knocklabs/nodev1.32.0 (npm) andknockapiv1.25.0 (PyPI) — neither exposeswebhooks.unwrap(),constructEvent(), or any verification function for inbound webhooks. The official JS example in the docs usescrypto.createHmacdirectly. Manual stdlib HMAC is the canonical path. Nosdksentry inproviders.yamlbecause the verification path doesn't import the SDK.message.sent,message.delivered,message.delivery_attempted,message.undelivered,message.bounced,message.seen,message.unseen,message.read,message.unread,message.archived,message.unarchived,message.interacted,message.link_clickedworkflow.updated,workflow.committedemail_layout.updated,email_layout.committedtranslation.updated,translation.committedsource_event_action.updated,source_event_action.committedpartial.updated,partial.committedidfield.Test plan
cd skills/knock-webhooks/examples/express && npm install && npm testcd skills/knock-webhooks/examples/nextjs && npm install && npm testcd skills/knock-webhooks/examples/fastapi && python3 -m venv venv && source venv/bin/activate && pip install -r requirements.txt && pytest test_webhook.py -v"s=" + base64(HMAC-SHA256(secret, ts_ms + "." + raw_body))and the timestamp is treated as milliseconds throughout (HMAC input string AND freshness comparison)webhook-skillsmarketplace bundle now lists 39 skill pathsGeneration details
./scripts/generate-skills.sh generate knock --config providers.yaml --model claude-opus-4-7npx hookdeck-cli listen 3000 knock --path /webhooks/knockhttps://claude.ai/code/session_01NNTgQRJss1V7gyzzJ9rjnB
Generated by Claude Code