WebhookEngine v0.3.0

@voyvodka voyvodka released this 08 Jun 07:49
· 5 commits to main since this release
917f898

SDK feature expansion, a breaking realignment of three response-model properties, full SDK test coverage (32 new cases), portal client correctness fixes, and a hardened CI/security baseline. Test suite grows from 280 to 312. Breaking change for SDK consumers reading EndpointResponse.CustomHeadersJson, EndpointResponse.MetadataJson, or MessageAttemptResponse.RequestHeadersJson as Dictionary<string,string>? — those properties now return JsonElement / JsonElement? to match the wire format. The v1 route prefix and Standard Webhooks signature surface are preserved.

Features / Fixes / Changes

Added

  • EndpointClient.TestAsync in the SDK: EndpointClient.TestAsync(endpointId, request) covers the one live /api/v1/* route that had no SDK binding. Returns the live response and the exact signed request via new models TestEndpointRequest, EndpointTestResult, and EndpointTestRequestPreview.
  • SDK request models now expose all API fields: CreateEventTypeRequest/UpdateEventTypeRequest.IdempotencyWindowMinutes and CreateEndpointRequest/UpdateEndpointRequest.{AllowedIps, TransformExpression, TransformEnabled} — previously these fields were accepted by the API but unreachable from the SDK.
  • First WebhookEngine.Sdk.Tests project (32 cases): covers WebhookVerifier constant-time HMAC across tolerance, secret-encoding (whsec_ vs base64), multi-signature, tamper, and missing-field cases, plus a stub-HttpMessageHandler contract suite that deserializes real API envelopes through the client so response-DTO drift now fails CI.
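
The verification cases listed for that test project (tolerance, whsec_ vs base64 secret, multi-signature, tamper, missing field), shown as an added C# example that follows the Standard Webhooks scheme (HMAC-SHA256 over "id.timestamp.body", header entries of the form "v1,<base64>"). This is not the SDK's WebhookVerifier: the class StandardWebhookCheck, its method signatures, and the sample key and message values are assumptions constructed for illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added illustration; hypothetical helper, not the SDK's WebhookVerifier.
public static class StandardWebhookCheck
{
    public static string Sign(byte[] key, string id, string ts, string body) =>
        "v1," + Convert.ToBase64String(HMACSHA256.HashData(key, Encoding.UTF8.GetBytes($"{id}.{ts}.{body}")));
    public static bool Verify(string secret, string? id, string? ts, string? sigHeader,
                              string body, DateTimeOffset now, TimeSpan tolerance)
    {
        // Missing or malformed fields fail closed.
        if (string.IsNullOrEmpty(id) || string.IsNullOrEmpty(sigHeader) ||
            !long.TryParse(ts, NumberStyles.None, CultureInfo.InvariantCulture, out long sent))
            return false;
        // Tolerance window: reject stale or far-future timestamps, which bounds replay.
        if (Math.Abs(now.ToUnixTimeSeconds() - sent) > (long)tolerance.TotalSeconds) return false;
        // Key is base64, with or without the whsec_ prefix (assumed to be the two encodings tested).
        byte[] key = Convert.FromBase64String(
            secret.StartsWith("whsec_", StringComparison.Ordinal) ? secret[6..] : secret);
        byte[] expected = HMACSHA256.HashData(key, Encoding.UTF8.GetBytes($"{id}.{ts}.{body}"));
        bool match = false;
        // Multi-signature header: space-separated "v1,<base64>" entries, e.g. during secret rotation.
        foreach (string entry in sigHeader.Split(' ', StringSplitOptions.RemoveEmptyEntries))
        {
            string[] parts = entry.Split(',', 2);
            if (parts.Length != 2 || parts[0] != "v1") continue;
            byte[] candidate = new byte[expected.Length];
            if (!Convert.TryFromBase64String(parts[1], candidate, out int n) || n != expected.Length) continue;
            match |= CryptographicOperations.FixedTimeEquals(candidate, expected); // constant-time compare
        }
        return match;
    }
    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-0123456789ab"); // constructed sample key
        string b64 = Convert.ToBase64String(key), id = "msg_demo", ts = "1700000000", body = "{\"ok\":true}";
        var now = DateTimeOffset.FromUnixTimeSeconds(1700000060);
        var tol = TimeSpan.FromMinutes(5);
        string sig = Sign(key, id, ts, body);
        Console.WriteLine(Verify("whsec_" + b64, id, ts, sig, body, now, tol));   // whsec_-prefixed secret
        Console.WriteLine(Verify(b64, id, ts, "v1,AAAA " + sig, body, now, tol)); // two signatures, bare base64 secret
        Console.WriteLine(Verify(b64, id, ts, sig, body + " ", now, tol));        // tampered body
        Console.WriteLine(Verify(b64, id, ts, sig, body, now.AddHours(1), tol));  // timestamp outside tolerance
        Console.WriteLine(Verify(b64, null, ts, sig, body, now, tol));            // missing webhook-id
    }
}
```

Verify must be given the raw request body exactly as received; re-serializing parsed JSON before hashing changes the bytes and the signature no longer matches.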

Changed

  • SDK response models realigned with the engine DTOs (breaking for three properties): EndpointResponse.CustomHeadersJson / MetadataJson and MessageAttemptResponse.RequestHeadersJson change from Dictionary<string,string>? to JsonElement / JsonElement?. The old dictionary type silently dropped the entire field for any non-string value; the new types match the wire format exactly. EndpointResponse also gains AllowedIps, TransformExpression, TransformEnabled, TransformValidatedAt; EventTypeResponse gains IdempotencyWindowMinutes — all were sent on the wire but silently dropped before this release.
  • Concurrency regression tests on real PostgreSQL: new Testcontainers tests cover the idempotency UNIQUE race (23505 on N concurrent inserts of the same key), the FOR UPDATE SKIP LOCKED dequeue (K workers never double-claim), and the Mark*Async CAS guard. Worker helper methods are now internal and exercised directly so a production regression fails CI rather than silently passing a logic copy.

Fixed

  • @webhookengine/endpoint-manager portal client realigned: three concrete defects against a real engine — updateEndpoint() sent PUT instead of PATCH (every update failed); the client read a non-existent isActive flag instead of the engine's status string (badge always showed "Disabled"); it read customHeaders instead of customHeaderNames (silently wiped headers on every save). Types now mirror the engine; a contract test prevents this class of drift from shipping again.
  • Dependabot lockfile-sync now re-triggers CI: sync-bun-lock.yml previously pushed with GITHUB_TOKEN, which GitHub's recursion guard blocks from triggering new runs — leaving PRs blocked on required checks until manual close/reopen. The push now uses a short-lived GitHub App installation token so the sync commit re-triggers checks automatically.
  • Dependabot lockfile auto-sync extended to all workspace members: the pull_request_target trigger previously only watched src/dashboard/package.json; bumps in packages/endpoint-manager/package.json silently left a stale bun.lock and broke CI.
  • Documentation accuracy pass: README docker run example corrected (ConnectionStrings__Default, port 5100); docs/PRD.md, docs/ROADMAP.md, docs/ARCHITECTURE.md, and AGENTS.md synced to current state.

Security

  • Repository security baseline hardened: added SECURITY.md with supported-versions policy and private-vulnerability-reporting flow. Added explicit permissions: contents: read to ci.yml and release.yml. Extended Dependabot to the /packages/endpoint-manager npm workspace. Added timeout-minutes to CI jobs.
  • Secret-scanning false-positive suppression: .github/secret_scanning.yml adds paths-ignore for docs/**, samples/**, tests/**, and **/*.md — WebhookEngine's whsec_ examples collide with the Stripe webhook-secret pattern; source paths remain scanned.

Quick Start

docker pull voyvodka/webhook-engine:0.3.0
git clone https://github.com/voyvodka/webhook-engine.git
cd webhook-engine
docker compose -f docker/docker-compose.yml up -d

Dashboard at http://localhost:5100 — login admin@example.com / changeme (reset before exposing publicly).
