Releases: voyvodka/webhook-engine
Release list
WebhookEngine v0.3.1
WebhookEngine v0.3.1
Maintenance patch — a runtime base-image security refresh that clears 16 container CVEs (1 critical) reported by Docker Scout, plus a full dependency refresh across the dashboard, the @webhookengine/endpoint-manager package, and backend NuGet. No user-visible behaviour changes and no breaking changes; the v1 route prefix, the Standard Webhooks signature surface, and the WebhookEngine.Sdk public API are unchanged.
Features / Fixes / Changes
Security
- Runtime base image refresh clears 16 container CVEs (Docker Scout).
mcr.microsoft.com/dotnet/aspnet:10.0-alpinerepinnedf03685b → 57bd717(Alpine3.23.4 → 3.23.5, OpenSSL3.5.6-r0 → 3.5.7-r0), clearing the 16 CVEs Docker Scout reported against the publishedvoyvodka/webhook-engine:latestimage — 1 critical (CVE-2026-34182, CVSS 9.1), 8 high, 5 medium, 2 low — all in the Alpine base layer (OpenSSL plus one BusyBox advisory), none in application code (Scout's layer view showed our own layers at 0/0/0). The rebuilt image scans clean (0 vulnerabilities under Trivy). The build-stagemcr.microsoft.com/dotnet/sdk:10.0is also repinned548d93f → ea8bde3for Dependabot tracking — build-only, never ships in the final image.
Changed
- Frontend dependency refresh. Dashboard bundle:
react-router7.17.0 → 8.0.1(major; v8's only hard breaking change is removing thereact-router-domre-export, which the dashboard never used),lucide-react1.18.0 → 1.22.0,recharts3.8.1 → 3.9.0. Dev / build tooling:vite8.0.16 → 8.1.0,@vitejs/plugin-react6.0.2 → 6.0.3,@types/node25.9.3 → 26.0.1,eslint10.5.0 → 10.6.0, andtypescript-eslint8.61.0 → 8.62.0(dashboard and@webhookengine/endpoint-manager); plusvite8.0.11 → 8.0.16insamples/portal-host. - Backend dependency refresh.
OpenTelemetry.Instrumentation.AspNetCore1.15.2 → 1.16.0andScalar.AspNetCore2.16.4 → 2.16.6(runtime);Microsoft.NET.Test.Sdk18.6.0 → 18.7.0(test projects — build-only, no runtime impact).
Quick Start
docker pull voyvodka/webhook-engine:0.3.1
git clone https://github.com/voyvodka/webhook-engine.git
cd webhook-engine
docker compose -f docker/docker-compose.yml up -dDashboard at http://localhost:5100 — login admin@example.com / changeme (reset before exposing publicly).
Links
- Docker Hub: voyvodka/webhook-engine:0.3.1 (multi-arch:
linux/amd64+linux/arm64) - NuGet: WebhookEngine.Sdk 0.3.1
- Docs: docs/ — API, DATABASE, ARCHITECTURE, PORTAL, GETTING-STARTED, SELF-HOSTING, RELEASE
- Landing: webhook.sametozkan.com.tr
- Full changelog: CHANGELOG.md — 0.3.1 section
WebhookEngine v0.3.0
WebhookEngine v0.3.0
SDK feature expansion, a breaking realignment of three response-model properties, full SDK test coverage (32 new cases), portal client correctness fixes, and a hardened CI/security baseline. Test suite grows from 280 to 312. Breaking change for SDK consumers reading EndpointResponse.CustomHeadersJson, EndpointResponse.MetadataJson, or MessageAttemptResponse.RequestHeadersJson as Dictionary<string,string>? — those properties now return JsonElement / JsonElement? to match the wire format. The v1 route prefix and Standard Webhooks signature surface are preserved.
Features / Fixes / Changes
Added
EndpointClient.TestAsyncin the SDK:EndpointClient.TestAsync(endpointId, request)covers the one live/api/v1/*route that had no SDK binding. Returns the live response and the exact signed request via new modelsTestEndpointRequest,EndpointTestResult, andEndpointTestRequestPreview.- SDK request models now expose all API fields:
CreateEventTypeRequest/UpdateEventTypeRequest.IdempotencyWindowMinutesandCreateEndpointRequest/UpdateEndpointRequest.{AllowedIps, TransformExpression, TransformEnabled}— previously these fields were accepted by the API but unreachable from the SDK. - First
WebhookEngine.Sdk.Testsproject (32 cases): coversWebhookVerifierconstant-time HMAC across tolerance, secret-encoding (whsec_vs base64), multi-signature, tamper, and missing-field cases, plus a stub-HttpMessageHandlercontract suite that deserializes real API envelopes through the client so response-DTO drift now fails CI.
Changed
- SDK response models realigned with the engine DTOs (breaking for three properties):
EndpointResponse.CustomHeadersJson/MetadataJsonandMessageAttemptResponse.RequestHeadersJsonchange fromDictionary<string,string>?toJsonElement/JsonElement?. The old dictionary type silently dropped the entire field for any non-string value; the new types match the wire format exactly.EndpointResponsealso gainsAllowedIps,TransformExpression,TransformEnabled,TransformValidatedAt;EventTypeResponsegainsIdempotencyWindowMinutes— all were sent on the wire but silently dropped before this release. - Concurrency regression tests on real PostgreSQL: new Testcontainers tests cover the idempotency UNIQUE race (
23505on N concurrent inserts of the same key), theFOR UPDATE SKIP LOCKEDdequeue (K workers never double-claim), and theMark*AsyncCAS guard. Worker helper methods are nowinternaland exercised directly so a production regression fails CI rather than silently passing a logic copy.
Fixed
@webhookengine/endpoint-managerportal client realigned: three concrete defects against a real engine —updateEndpoint()sentPUTinstead ofPATCH(every update failed); the client read a non-existentisActiveflag instead of the engine'sstatusstring (badge always showed "Disabled"); it readcustomHeadersinstead ofcustomHeaderNames(silently wiped headers on every save). Types now mirror the engine; a contract test prevents this class of drift from shipping again.- Dependabot lockfile-sync now re-triggers CI:
sync-bun-lock.ymlpreviously pushed withGITHUB_TOKEN, which GitHub's recursion guard blocks from triggering new runs — leaving PRs blocked on required checks until manual close/reopen. The push now uses a short-lived GitHub App installation token so the sync commit re-triggers checks automatically. - Dependabot lockfile auto-sync extended to all workspace members: the
pull_request_targettrigger previously only watchedsrc/dashboard/package.json; bumps inpackages/endpoint-manager/package.jsonsilently left a stalebun.lockand broke CI. - Documentation accuracy pass: README
docker runexample corrected (ConnectionStrings__Default, port5100);docs/PRD.md,docs/ROADMAP.md,docs/ARCHITECTURE.md, andAGENTS.mdsynced to current state.
Security
- Repository security baseline hardened: added
SECURITY.mdwith supported-versions policy and private-vulnerability-reporting flow. Added explicitpermissions: contents: readtoci.ymlandrelease.yml. Extended Dependabot to the/packages/endpoint-managernpm workspace. Addedtimeout-minutesto CI jobs. - Secret-scanning false-positive suppression:
.github/secret_scanning.ymladdspaths-ignorefordocs/**,samples/**,tests/**, and**/*.md— WebhookEngine'swhsec_examples collide with the Stripe webhook-secret pattern; source paths remain scanned.
Quick Start
docker pull voyvodka/webhook-engine:0.3.0
git clone https://github.com/voyvodka/webhook-engine.git
cd webhook-engine
docker compose -f docker/docker-compose.yml up -dDashboard at http://localhost:5100 — login admin@example.com / changeme (reset before exposing publicly).
Links
WebhookEngine v0.2.2
WebhookEngine v0.2.2
Maintenance patch — a full dependency refresh across NuGet, npm, Docker base images, and GitHub Actions, plus a CI fix that realigns the Bun toolchain (1.2.x → 1.3.x) and repairs the Dependabot lockfile auto-sync. No user-visible behaviour changes and no breaking API changes; the v1 route prefix and Standard Webhooks signature surface are unchanged.
Features / Fixes / Changes
Security
- Docker base image digest bumps.
dotnet/aspnet(60eb031→1e37a82),dotnet/sdk(8a90a47→dc8430e), andoven/bun(4de4753→5acc90a) refreshed to pick up the latest patched Alpine layers in the published image.
Changed
- NuGet runtime dependency refresh.
Microsoft.AspNetCore.OpenApi,Microsoft.EntityFrameworkCore(+.Relational,.Design),Microsoft.Extensions.Http,.Hosting.Abstractions, and.DependencyInjectionbumped10.0.7 → 10.0.8;Scalar.AspNetCore2.14.11 → 2.14.14. Test-only:FluentAssertions8.9.0 → 8.10.0,coverlet.collector10.0.0 → 10.0.1,Microsoft.AspNetCore.Mvc.Testing/EntityFrameworkCore.InMemory10.0.7 → 10.0.8,Testcontainers.PostgreSql4.11.0 → 4.12.0. - npm / frontend dependency refresh.
lucide-react1.14.0 → 1.16.0,react-router7.15.0 → 7.15.1,vite8.0.11 → 8.0.13,@vitejs/plugin-react6.0.1 → 6.0.2,eslint10.3.0 → 10.4.0,typescript-eslint8.59.2 → 8.59.3,@types/node25.6.2 → 25.8.0. (lucide-react,react-router, andviteship in the dashboard bundle; the rest are dev/build tooling.) - GitHub Actions version bumps.
actions/dependency-review-actionv4 → v5;actions/setup-nodev5 → v6.
Fixed
- CI Bun toolchain aligned to 1.3.x and the Dependabot lockfile auto-sync repaired.
ci.yml,sync-bun-lock.yml, andpublish-portal.ymlpinnedBUN_VERSION: "1.2.x"while the committedbun.lockis in Bun 1.3 text-lockfile format, the Docker dashboard build runsoven/bun:1, and local dev runs 1.3.x. The skew failed every grouped Dependabot npm bump attsc --noEmitunder 1.2.x's transitive resolution (a duplicate vitePlugintype identity invite.config.ts). Separately, the lockfile-sync step ranbun install --no-save, which never writesbun.lock, so the auto-sync silently no-op'd and frontend dependency PRs landed with stale lockfiles that brokebun install --frozen-lockfile. All three pins are now1.3.xand the sync step writes the refreshed lockfile back to the PR branch.
Quick Start
docker pull voyvodka/webhook-engine:0.2.2
git clone https://github.com/voyvodka/webhook-engine.git
cd webhook-engine
docker compose -f docker/docker-compose.yml up -dDashboard at http://localhost:5100 — login admin@example.com / changeme (reset before exposing publicly).
Links
- Docker Hub: voyvodka/webhook-engine:0.2.2 (multi-arch:
linux/amd64+linux/arm64) - NuGet: WebhookEngine.Sdk 0.2.2
- Docs: docs/ — API, DATABASE, ARCHITECTURE, PORTAL, GETTING-STARTED, SELF-HOSTING, RELEASE
- Landing: webhook.sametozkan.com.tr
- Full changelog: CHANGELOG.md — 0.2.2 section
WebhookEngine v0.2.1
WebhookEngine v0.2.1
Patch release closing the v0.2.0 portal audit follow-up: three P0 security hardening fixes, 23 new tests filling the portal coverage gaps, four P1 behaviour corrections, two ADRs locking in portal architecture decisions, full API and architecture documentation for the portal stack, and build hygiene (Docker Hub sync hard-failure, comment-noise removal).
Features / Fixes / Changes
Security
- Portal rate-limit enforcement on mutating routes.
PortalEndpointsControllernow carries[EnableRateLimiting("send-by-appid")]at the controller level; a leaked portal token could previously spam/test(real outbound HTTP POST) without sharing the per-tenant rate-limit budget. - JWT parser size cap — DoS amplification path closed.
PortalTokenAuthMiddlewarenow rejects Bearer payloads larger than 8 KiB before the JWT parser runs (down from the .NET default ~250 KiB); oversized tokens return401immediately. PortalLookupCacheatomic CTS swap — race window closed.Setnow usesAddOrUpdateto atomically swap and dispose the previousCancellationTokenSource, preventing a racingInvalidateApplicationfrom binding a fresh cache entry to a disposed token.- Portal CORS preflight deny-cache.
PortalCorsMiddlewarenow caches both allow and deny outcomes for the signing-key lookup TTL (default 60 s), removing a low-effort DB hammer vector from repeatedOPTIONSagainst disallowed origins.
Behaviour
PATCH /api/v1/portal/endpoints/{id}replacesPUT. The route's partial-replace semantics were alwaysPATCH; the[HttpPut]attribute was a mislabel. The<EndpointManager />component already issuesPATCH.- Portal disable preserves
AllowedPortalOriginsJson. Disabling an app's portal now only revokes the signing key; the operator-curated CORS allowlist is kept so a re-enable does not require re-entering origins. - Validator drift consolidated via
EndpointValidationRules. Six shared extension methods replace per-validator duplicates across the four admin and two portal endpoint validators — a single source of truth for rule tightening going forward. - npm publish workflow (
publish-portal.yml). Fires onportal-v*tags; publishes@webhookengine/endpoint-managerwith sigstore provenance and aprivate:trueguard.
Tests
- 23 new tests closing v0.2.0 portal coverage gaps.
PortalCorsMiddlewareTests(7 facts),PortalLookupCacheTests(5 facts),PortalOriginsAllowlistE2ETests(7 facts, Testcontainers against real PostgreSQL JSONB), plus cross-tenant guard and empty-capabilities defense-in-depth facts inPortalEndpointsControllerTests. Total test count: 279.
Docs
docs/API.md§3.8 — Portal API reference. Covers HS256 JWT contract, capability scopes, per-app CORS, every/api/v1/portal/*route, the portal-specific error code table, and an end-to-end Node.js + cURL probe.docs/ARCHITECTURE.md§4.3 — Portal token authentication. Documents middleware ordering,PortalLookupCacheTTL + atomic-CTS-swap behaviour, and JWT validator defense-in-depth choices.- ADR-004 — Portal signing key storage. Locks in the plaintext
varchar(64)decision, no-grace rotation lifecycle, and one-shot reveal contract. - ADR-005 — Portal CORS preflight deny-cache TTL. Locks in the
PortalAuth:LookupCacheTtlSeconds-symmetric TTL and documents why no synchronous invalidation hook is needed. docs/RELEASE.md§1 updated.DOCKERHUB_TOKENnow documents all three required scopes to eliminate the "release ran but Docker Hub overview is stale" debugging session.
Infrastructure / Build
release.ymlcontinue-on-errorworkaround removed. TheSync Docker Hub descriptionstep now hard-fails on scope misconfiguration instead of silently succeeding.samples/portal-host/reference application added;docs/PORTAL.md§5 component usage section completed.- Section-header comment noise removed (~30 lines of banner separators with no WHY content cleared from controllers and SDK models).
Quick Start
docker pull voyvodka/webhook-engine:0.2.1
git clone https://github.com/voyvodka/webhook-engine.git
cd webhook-engine
docker compose -f docker/docker-compose.yml up -dDashboard at http://localhost:5100 — login admin@example.com / changeme (reset before exposing publicly).
Links
- Docker Hub: voyvodka/webhook-engine:0.2.1 (multi-arch:
linux/amd64+linux/arm64) - NuGet: WebhookEngine.Sdk 0.2.1
- Docs: docs/ — API, DATABASE, ARCHITECTURE, PORTAL, GETTING-STARTED, SELF-HOSTING, RELEASE
- Landing: webhook.sametozkan.com.tr
- Full changelog: CHANGELOG.md — 0.2.1 section
@webhookengine/endpoint-manager v0.1.0
@webhookengine/endpoint-manager v0.1.0
Initial public release of the embeddable customer portal React component for WebhookEngine. Pairs with engine v0.2.0+ (which exposes the /api/v1/portal/* route group). ESM-only, peer deps react ^19 and react-dom ^19, zero runtime dependencies, ~14.2 KB gz JS + ~4.3 KB gz CSS.
Features / Fixes / Changes
Added
<EndpointManager />: the headline embeddable React component. Wraps a self-contained portal that authenticates against a host SaaS-minted HS256 JWT and serves a customer-facing endpoint management UI. Props:baseUrl,token,appId,capabilities,theme,className,onError,onUnauthorized.<EndpointList />: paginated table of endpoints with status badges, capability-gated[+ New endpoint]plus per-row Edit / Enable / Disable / Delete / Test / Attempts actions.<EndpointEditor />: modal-style overlay for create + edit. URL (HTTPS), description, custom headers (key/value editor), event-type filter, secret override (whsec_prefix + 32+ char client-side check). Server validationfieldErrorsroute to per-field inline messages. Field narrowing enforced at the DTO level —transformExpression/transformEnabled/allowedIpsJsonare silently dropped on write.<EndpointTester />: modal opened from the Test row action. JSON payload validation on blur, color-coded response panel (status + latency + body, collapsed if >500 chars), collapsible signed-request preview showing the URL + headers (webhook-id/webhook-timestamp/webhook-signature) + body the receiver actually HMAC-verifies.<AttemptList />: modal opened from the Attempts row action. Paginated delivery history with relative + absolute timestamps, success / failure status badges, HTTP code, latency, expandable response excerpts.createPortalClient(): fetch wrapper, zero runtime dependencies. Bearer auth,ApiEnvelopeunwrap, 4xx/5xx →PortalErrorwithcode+status+fieldErrors, 401 hooksonUnauthorizedfor token re-mint flows. Methods:listEndpoints,getEndpoint,createEndpoint,updateEndpoint,deleteEndpoint,enableEndpoint,disableEndpoint,testEndpoint,listAttempts,listEventTypes.PortalCapabilityunion and full TypeScript types forPortalAppState,PortalEndpointSummary,PortalEndpointDetail,PortalAttempt,PortalTestResult,PortalListResult<T>,PortalError,PortalClientOptions,EndpointManagerProps.- Tailwind 4 internal compile pipeline:
dist/style.cssships pre-compiled with the package. The@themeblock defines--color-whe-*tokens (background, text, border, accent, success, danger, warning) — consumers override at:rootor.whe-portalscope to re-theme without touching component code. - 42-test vitest suite covering the client contract, capability gating, field-narrowing, JSON validation, secret-override entropy floor, signed-request preview, status badge color-coding, and pagination boundaries.
samples/portal-host/reference app in the engine repo demonstrating consumer integration: Vite + mocked fetch + browser-side JWT mint (DEMO ONLY — production minting belongs on the host SaaS's own backend).
Notes
- Engine compatibility: v0.2.0 or later. Earlier engines lack the
/api/v1/portal/*surface. - JWT requirements: HS256, signed with the per-app
PortalSigningKey(rotated from the engine's operator dashboard). Lifetime cap defaults to 15 min on the engine side. The component never sees the signing key — only the bearer token. - Provenance: Published with sigstore attestation via
--provenance.
Links
WebhookEngine v0.2.0 — embeddable customer portal (engine half)
WebhookEngine v0.2.0
The first minor release. Adds an embeddable customer-facing portal: SaaS operators can now hand customers a self-service <EndpointManager /> React component that runs against a narrowed /api/v1/portal/* API surface, scoped per-application via short-lived HS256 JWTs minted by the host SaaS backend. The engine never mints these tokens — it only verifies them — and the per-app signing key is generated, rotated, and revoked from the operator dashboard. No breaking API changes — the v1 route prefix and Standard Webhooks signature header names are preserved. Test count moved from 215 to 252.
Features / Fixes / Changes
Added
- Embeddable customer portal — engine half (B1 Steps 2-4): new
Application.PortalSigningKey(HS256 secret, 64-char varchar) andApplication.AllowedPortalOriginsJson(JSONB) columns; newPortalTokenAuthMiddlewarevalidates short-lived HS256 JWTs (algorithm-pinned, 15-minute lifetime cap, capability-scoped viaendpoints:read|write|testandattempts:read); newPortalCorsMiddlewaredoes per-application dynamic CORS with RFC 6454-compliant ordinal-case-insensitive origin matching; new/api/v1/portal/*route group exposes a narrowed CRUD-and-test surface that silently strips admin-only fields (transformExpression,allowedIpsJson) on writes and never returns the signing key. - Embeddable customer portal — operator dashboard (B1 Step 5): new
DashboardPortalController(/api/v1/dashboard/applications/{appId}/portal/...) with 5 cookie-authed actions (read, enable, rotate, disable, update-origins). New<PortalAccessModal />React component opened from the Applications page row actions: enable / rotate / disable controls with show-once secret reveal, chip-list editor for allowed CORS origins, copy-paste embed snippet for the host SaaS. Audit log records every mutating action withPortalSigningKeyredacted to aportalEnabledboolean — the literal secret never enters the snapshot. Cache invalidation viaPortalLookupCache.InvalidateApplication(appId)after every mutating write so rotations take effect within milliseconds rather than within the 60-second cache TTL. Application.PortalRotatedAt: new column for surfacing "last rotated at" in the dashboard portal-management UI.MessageRepository.ListAttemptsByEndpointAsync/CountAttemptsByEndpointAsync: drives the portal's per-endpoint attempt history feed; uses the existingidx_attempts_endpoint_statuscovering index, no new migration.- Bun workspaces (B1 Step 1): root
package.jsondeclares["src/dashboard", "packages/*"]so the upcoming@webhookengine/endpoint-managerpackage can land atpackages/endpoint-manager/without a second migration. Singlebun.lockat the workspace root; Dockerfile and CI workflow updated to follow.
Changed
AuditLogsControllerno longer bypasses the repository pattern: newAuditLogRepository.ListAsync(...)carries the filter chain and pagination; the controller keeps the JSON hydration since that is HTTP response-shaping, not persistence. Behavior unchanged.- Dependabot npm PRs auto-sync
bun.lockvia a newpull_request_target-triggered workflow gated ongithub.actor == 'dependabot[bot]'. Eliminates the manualbun install + commit + pushthat every minor / patch frontend bump previously required. - Documentation drift sync:
CLAUDE.mdandREADME.mdstack lines updated to matchsrc/dashboard/package.json(TypeScript 6 / Vite 8 / TanStack Query 5; previous wording said TypeScript 5.9 / Vite 7). ADR-003 (payload transformation) flipped from Proposed to Accepted with an Implementation section recording the three-phase rollout that shipped in v0.1.4. - Dependency refresh:
tailwindcssand@tailwindcss/vite4.2.4 → 4.3.0 (with the transitive@tailwindcss/nodeand@tailwindcss/oxideplatform binaries).
Security
- HS256-only algorithm allowlist on portal JWTs:
ValidAlgorithms = [HmacSha256]is enforced viaMicrosoft.IdentityModel.Tokens8.17.0;alg=noneandalg=HS384/HS512tokens are rejected withPORTAL_AUTH_INVALID_SIGNATURE. The catch-ladder absorbs algorithm-rejection exceptions without echoing the rejected algorithm name in the error response. - Per-app dynamic CORS with explicit allowed-origins enumeration (no wildcards);
PortalCorsMiddlewareechoes the validated requestOrigin(never*) and is RFC 6454-compliant case-insensitive on host comparisons. - App-scope isolation across the portal surface: every portal route reads
AppIdfrom the JWT, never from query / body / route. Cross-tenant probes return404 PORTAL_NOT_FOUND(not 403) so the response shape doesn't leak the existence of cross-tenant resources. SecretOverrideentropy floor on portal writes: the portalCreate/Updateendpoint validators require thewhsec_prefix and a 32-128 char range so a customer cannot silently downgrade their HMAC secret topassword123.- Audit redaction:
DashboardPortalControllerwrites audit-log snapshots withPortalSigningKeyreduced to a booleanportalEnabledflag; the literal secret never entersbefore_json/after_json. Verified by a load-bearing negative test that scans the column forwhsec_after a real enable call.
Quick Start
docker pull voyvodka/webhook-engine:0.2.0
docker compose -f docker/docker-compose.yml up -dThe app starts on http://localhost:5100. Dashboard login: admin@example.com / changeme. Portal access for an application is enabled from the dashboard's Applications page → row actions → Portal access.
Links
WebhookEngine v0.1.6
WebhookEngine v0.1.6
Feature & polish cut covering eight new capabilities (per-resource overrides, IP allowlist, audit log, endpoint test webhook, SignalR endpoint health, validate-time URL guard), three rounds of dashboard polish (a11y, UX, TanStack Query data layer), three reviewer-finding fixes (transient DNS retry, cascade delete, polling debounce), and a backend correctness pass on the IP allowlist matcher, application rate-limiter sweep, and endpoint health tracker. No breaking API changes — the v1 route prefix and Standard Webhooks signature surface are preserved. Test count moved from 211 to 215.
Features / Fixes / Changes
Added
- Endpoint test webhook (F1):
POST /api/v1/dashboard/endpoints/{id}/testfires a customizable, fully-signed webhook to the endpoint URL without enqueueing a realMessage, and returns the receiver's response plus the exact request that was sent. Dashboard endpoint editor carries a Send test drawer. - Per-application rate-limit override (F6):
Application.RateLimitPerSecond1-second sliding-window override complements the per-endpoint per-minute gate; idle-evicted at 15 minutes. - Per-application retention overrides (F3):
Application.RetentionDeliveredDaysandRetentionDeadLetterDaysoverrideWebhookEngine:Retentiondefaults per tenant; the cleanup worker partitions its sweep accordingly. - Per-event-type idempotency window (F4):
EventType.IdempotencyWindowMinutesoverrides the per-app default for tighter or looser dedupe per event family. - Per-endpoint IP allowlist (F8):
Endpoint.AllowedIpsJsoncarries a CIDR positive-list (IPv4 + IPv6); deliveries only proceed when every resolved address sits inside at least one allowed CIDR. - Append-only audit log (F9): Admin actions across applications, endpoints, event types, replay, retry, and rotate-key write a forensic row to the new
audit_logstable with before / after snapshots andrequest_id.GET /api/v1/dashboard/auditexposes a paginated, filterable view. The table holds no FKs — rows survive cascades. - SignalR endpoint health channel (F7):
DeliveryHubbroadcastsEndpointHealthChanged(endpointId, status, circuitState, consecutiveFailures, cooldownUntilUtc)wheneverEndpointHealthTrackermutates an endpoint's circuit or visible status. DashboardEndpointsPageconsumes the event and invalidates its cache. - TanStack Query dashboard data layer (F12): Every dashboard page (Dashboard, Messages, Applications, Endpoints, EventTypes, DeliveryLog) routes server data through
useQuery/useMutation. ManualsetIntervalpolling and the smart-debounce shim are gone in favor of cache-aware refetching driven by SignalR invalidation.EndpointsPageinitial chunk drops from ~1.5 MB to ~20 kB (CodeMirror lazy-loaded).
Changed
- Validator chain rejects private-IP endpoint URLs at create / update (F2). Same SSRF rules already enforced at delivery (
ConnectCallback) now run at validate time too — a misconfigured URL is rejected before the row exists. - Modal a11y, mobile, dvh (DPR-1 + DPR-3):
role="dialog", ARIA wiring, focus trap,max-h-[85dvh], mobile filtermd:grid-cols-3, URL field server-side errors as field-scoped messages, payload editor errors split out, SignalR Live / Offline pill in the EndpointsPage header. - Dashboard consolidation (DPR-2): Shared
StatusBadge,inputClasses, and CodeMirroreditorTheme. CodeMirror isReact.lazy()— the 1.5 MB chunk loads only when the endpoint editor mounts.parseErrorreturns anApiErrorwith optionalfieldErrors. - Backend polish (R2 + R4 + R5):
IpAllowlistMatcher.AllAddressesAllowedshort-circuits empty allowlists before the empty-resolution deny branch (load-bearing ordering).ApplicationRateLimiter._lastSweepTicksisVolatile.Read+ CAS so torn 32-bit reads can't spawn back-to-back sweeps.EndpointHealthTracker.WithEndpointLockAsyncno longer double-fetches the endpoint row. - Dependency refresh: Backend —
Scalar.AspNetCore2.14.10 → 2.14.11,coverlet.collector8.0.1 → 10.0.0. Frontend —react/react-dom/react-is19.2.5 → 19.2.6,react-router7.14.2 → 7.15.0,@codemirror/view6.41.1 → 6.42.1,vite8.0.10 → 8.0.11, plus@tanstack/react-query5.100.9 (drives F12).
Fixed
- Transient DNS failures retry within budget (R1):
SocketException/ArgumentExceptionfrom the IP-allowlist resolution now route throughMarkFailedForRetryAsyncinstead of dead-lettering on first miss; only after the retry budget is exhausted does the message dead-letter. - Application / endpoint deletion cascades to bound messages (R3):
Message → ApplicationandMessage → Endpointforeign keys carryON DELETE CASCADE. Migration20260508081704_CascadeMessageDeleteOnAppAndEndpointis hand-written SQL because EF doesn't diffOnDeletechanges. - Modal focus trap, awaited refetches, SignalR cache invalidation on reconnect (DPR-1): Skeleton loaders carry
aria-busy="true"; mutating actions await their refetch before closing modals;useDeliveryFeed.onreconnectedresetslastHealthChangeso a stale event from before the disconnect doesn't double-fire. - Smart-debounced dashboard polling (R6) folded into F12: SignalR events now invalidate cache keys; TanStack Query handles the refetch cadence.
Security
- Endpoint URL DNS resolution at validator chain (F2): Same private-IP rules already enforced at delivery time now run at create / update — a misconfigured URL is refused before the row exists.
- Per-endpoint IP allowlist (F8): Opt-in CIDR positive-list at delivery time; transient resolver failures retry within the message's normal budget (R1) so flaky DNS doesn't cascade into dead-letter floods.
- Append-only audit log (F9): Forensic trail of admin actions; rows survive cascades for post-incident reconstruction.
Quick Start
docker pull voyvodka/webhook-engine:0.1.6
git clone https://github.com/voyvodka/webhook-engine.git
cd webhook-engine
docker compose -f docker/docker-compose.yml up -dDashboard at http://localhost:5100 — login admin@example.com / changeme (reset before exposing publicly).
Links
- 🐳 Docker Hub:
voyvodka/webhook-engine:0.1.6(multi-arch:linux/amd64+linux/arm64) - 📦 NuGet:
WebhookEngine.Sdk 0.1.6 - 📚 Docs:
docs/— API, DATABASE, ARCHITECTURE, GETTING-STARTED, SELF-HOSTING, RELEASE - 🏠 Landing: webhook.sametozkan.com.tr
- 📋 Full changelog:
CHANGELOG.md— 0.1.6 section
WebhookEngine v0.1.5
WebhookEngine v0.1.5
Post-audit hardening release. A multi-agent deep audit covered security, memory, concurrency, code quality, frontend, operations, timezone correctness, and NuGet SDK compliance; the resulting fixes (F1–F10) plus an idempotency race fix (F7) and an SDK target-framework simplification all land here. No breaking API changes — the v1 route prefix and Standard Webhooks header names are preserved.
Features / Fixes / Changes
Added
- health probes:
/health/live(process up) and/health/ready(AppReadinessGate+DbContext.CanConnectAsync) for orchestrators (F5) - observability: OpenTelemetry tracing with optional OTLP export via
OpenTelemetry:OtlpEndpoint(F5) - sdk:
WebhookVerifierfor Standard Webhooks signature verification —FixedTimeEquals, 5-min default tolerance,whsec_/ base64 secrets, multi-value signatures (F9)
Changed
- sdk: target framework simplified from
net10.0;net9.0;net8.0tonet10.0only — pre-v1.0cleanup, NuGet badge flips to.NET 10.0 - memory:
IMemoryCachesize-bounded (SizeLimit = 10_000) with per-app cancellation-token-source invalidation (F4) - shutdown:
HostOptions.ShutdownTimeout = 45sso in-flight HTTP deliveries can drain on SIGTERM (F10) - security: dashboard admin default credentials rejected at startup outside Development (F5)
Fixed
- idempotency race: UNIQUE partial index on
(app_id, endpoint_id, idempotency_key)+ Stripe-style 23505-replay + retention NULL-out for window reuse (F7) - duplicate attempts on lock loss: CAS guards on
Mark{Delivered,FailedForRetry,DeadLetter}Asyncreturningbool(F2) - circuit-breaker race:
EndpointHealthTrackermutations serialized viapg_advisory_xact_locknamespace100_001(F3) - frontend:
webhookengine:auth-expiredCustomEventon 401 +RouteErrorBoundaryforChunkLoadErrorafter deploys (F8) - memory leaks:
HttpResponseMessagedisposal +EndpointRateLimiteridle-window eviction (15-minIdleAfter, 5-min sweep) (F9) - migration race: startup migration block wrapped in
pg_advisory_locknamespace200_000(F5)
Security
- SSRF + DNS rebinding:
PrivateIpDetectorblocks RFC1918/loopback/link-local/CGNAT/IPv6 unique-local;SocketsHttpHandler.ConnectCallbackpins resolved IP (F1) - headers + metrics gate: HSTS / CSP / X-Frame-Options DENY / X-Content-Type-Options / Referrer-Policy / Permissions-Policy;
/metricsBearer-token auth viaWebhookEngine:Metrics:ScrapeToken; cookieSecurePolicy = Alwaysoutside Dev/Testing (F6) - custom headers:
CustomHeaderPolicyrejects reserved headers (Authorization,Cookie,Host,Content-*,webhook-*), strips CR/LF, bounds size (F10)
Migration
One auto-applying migration ships in this release: 20260505140607_AddIdempotencyUniqueIndex. It NULL-outs any pre-existing duplicate (app_id, endpoint_id, idempotency_key) triples (keeping the most-recent row per group) before creating the unique index, so it cannot fail on legacy data.
Quick Start
docker pull voyvodka/webhook-engine:0.1.5
docker compose upLinks
v0.1.4 — Payload Transformation & Multi-arch
WebhookEngine v0.1.4
ADR-003 (payload transformation) shipped end-to-end, OpenAPI/Scalar reference surface, NuGet brand icon, Docker Hub overview sync, and the multi-arch image (linux/amd64 + linux/arm64). Alpine base layers refreshed to clear 7 of the 11 Docker Scout CVEs against v0.1.3.
Added
- Payload transformation (ADR-003) — full rollout: per-endpoint JMESPath expressions reshape the body before signing and POSTing. Schema (Phase 1), delivery integration with timeout + output-size guards (Phase 2), and a CodeMirror 6-powered dashboard editor with live
POST /api/v1/dashboard/transform/validatepreview (Phase 3). Fail-open contract — any error falls back to the original payload. - OpenAPI document + Scalar interactive reference:
/openapi/v1.json+/scalarUI, mapped only in Development and Staging. - NuGet brand icon:
WebhookEngine.Sdknow ships with the project mark embedded. - Docker Hub overview sync: the GitHub README is now synced into the Docker Hub repository overview tab on every release.
- Security automations: CodeQL (csharp + js-ts), Dependency Review, Dependabot for NuGet/npm/GitHub Actions/Docker base images.
Fixed
- Multi-architecture Docker image:
linux/amd64+linux/arm64manifest list. Previous releases were amd64-only — Apple Silicon Macs and arm64 Linux servers can nowdocker pullcleanly. - Removed phantom
unknown / unknownrow on Docker Hub: provenance + SBOM attestations explicitly disabled so the tag listing shows only the real platforms.
Security
- Alpine base image refresh: openssl/libcrypto3/libssl3
3.5.5-r0→3.5.6-r0(1 critical + 5 high CVEs cleared) and musl1.2.5-r21→1.2.5-r23(1 high CVE cleared) via Docker Scout. All Dockerfile FROMs now SHA-pinned for Dependabot tracking. - Log-forging hardening: the JMESPath transformer now sanitizes user-supplied expressions before logging (4
cs/log-forgingalerts resolved).LogSanitizermoved toWebhookEngine.Core.Utilitiesso both API and Infrastructure can consume it.
Changed
- Frontend toolchain: dashboard package manager migrated from Yarn to Bun 1.2+.
Removed
WebhookEngine.Applicationproject: empty since the CQRS scaffold removal in v0.1.0; cleaned up across the solution and ADR-002.
Quick Start
docker pull voyvodka/webhook-engine:0.1.4 # amd64 + arm64
# or
docker pull voyvodka/webhook-engine:latest
cd docker && docker compose up -dLinks
v0.1.3 — Landing Page & SDK Alignment
WebhookEngine v0.1.3
Documentation and packaging update accompanying the new project landing page.
Changes
- landing page: new project site at webhook.sametozkan.com.tr — features, quick start, and links to all resources
- readme: website, Docker Hub, and NuGet links added to the header
- sdk: version aligned with main project (
0.1.3); package project URL updated to the landing page - docs: removed stale internal planning files (backlog-v0.1.1, triage-flow, typescript-sdk-demand-criteria)
Links
- Docker Hub —
docker pull voyvodka/webhook-engine:0.1.3 - NuGet —
dotnet add package WebhookEngine.Sdk --version 0.1.3 - Documentation