Merged
315 changes: 187 additions & 128 deletions docs/api/endpoints/webhook-triggers.md

Large diffs are not rendered by default.

16 changes: 9 additions & 7 deletions docs/core-system/abilities-api.md
Expand Up @@ -67,16 +67,18 @@ All abilities support `agent_id` and `user_id` parameters for multi-agent scopin
| `datamachine/queue-move` | Reorder queue item | `Flow/QueueAbility.php` |
| `datamachine/queue-settings` | Get/set queue settings | `Flow/QueueAbility.php` |

### Webhook Triggers (6 abilities)
### Webhook Triggers (8 abilities)

| Ability | Description | Location |
|---------|-------------|----------|
| `datamachine/webhook-trigger-enable` | Enable webhook trigger for a flow. Supports `bearer` (default) or `hmac_sha256` auth modes. | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-disable` | Disable webhook trigger, revoke all auth material (token and HMAC secret) | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-regenerate` | Regenerate Bearer token (bearer auth mode only; old token immediately invalidated) | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-set-secret` | Set or rotate the HMAC shared secret; switches the flow to `hmac_sha256` mode | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-rate-limit` | Set rate limiting for flow webhook trigger | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-status` | Get webhook trigger status for a flow (auth mode, header, format — never the secret) | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-enable` | Enable webhook trigger for a flow. Supports `bearer` (default) or `hmac` (template-based). | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-disable` | Disable webhook trigger, revoke all auth material (token, template, secrets). | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-regenerate` | Regenerate Bearer token (bearer mode only; old token immediately invalidated). | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-set-secret` | Set or replace a specific secret id on an existing HMAC flow (no grace window). | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-rotate-secret` | **Zero-downtime rotation** — demote current → previous with a TTL, install a fresh current. | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-forget-secret` | Remove a specific secret by id from the rotation list. | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-rate-limit` | Set rate limiting for flow webhook trigger. | `Flow/WebhookTriggerAbility.php` |
| `datamachine/webhook-trigger-status` | Get webhook trigger status — auth mode, template, secret ids. Never the secret values. | `Flow/WebhookTriggerAbility.php` |

### Job Execution (9 abilities)
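
Review bot: In the Webhook Triggers table, the `datamachine/webhook-trigger-set-secret` row no longer says what happens on a flow that is not already in HMAC mode. The old row stated that the call switches the flow to `hmac_sha256` mode; the new one says only "on an existing HMAC flow", so a caller on a bearer flow cannot tell whether the call fails or is ignored. Suggest stating the outcome in the row. The `webhook-trigger-enable` row also renames the mode from `hmac_sha256` to `hmac` without saying whether the old value is still accepted, and the `webhook-trigger-forget-secret` row should say what happens when the id being removed is the only one left, since that decides whether a flow can end up with no verifying secret.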

55 changes: 31 additions & 24 deletions docs/core-system/wp-cli.md
Expand Up @@ -107,49 +107,56 @@ wp datamachine flows queue validate 10 "AI agents" --post_type=post --threshold=

### datamachine flows webhook

Manage webhook triggers. Supports two auth modes: Bearer (default) and HMAC-SHA256. **Since**: 0.31.0 (Bearer), 0.79.0 (HMAC).
Manage webhook triggers. Two auth primitives: **bearer** (default) and **hmac**
(template-based, provider-agnostic). **Since**: 0.31.0 (Bearer), 0.79.0 (HMAC
template verifier).

```bash
# Enable webhook trigger with default Bearer auth
# Enable with default Bearer auth
wp datamachine flows webhook enable 10

# Enable with HMAC-SHA256 auth (GitHub-style) and a generated secret
wp datamachine flows webhook enable 10 --auth-mode=hmac_sha256 --generate-secret
# Enable with HMAC via a registered preset (core ships zero presets;
# they come from plugins / mu-plugins registering the filter).
wp datamachine flows webhook enable 10 --preset=<name> --generate-secret

# Enable with HMAC for a non-GitHub provider (Shopify example)
wp datamachine flows webhook enable 10 \
--auth-mode=hmac_sha256 \
--signature-header=X-Shopify-Hmac-Sha256 \
--signature-format=base64 \
--secret=<shopify_secret>
# Enable with HMAC via an explicit template config
wp datamachine flows webhook enable 10 --config=@template.json --secret=<value>

# Set or rotate the HMAC secret (prints the new secret once)
# Deep-merge overrides on top of a preset or config
wp datamachine flows webhook enable 10 --preset=<name> \
--overrides=@overrides.json --generate-secret

# List available presets
wp datamachine flows webhook presets

# Zero-downtime secret rotation — keeps the old secret verifying for 7d.
wp datamachine flows webhook rotate 10 --generate
wp datamachine flows webhook rotate 10 --generate --previous-ttl-seconds=86400
wp datamachine flows webhook forget 10 previous

# Replace a single secret id (no grace window). HMAC mode only.
wp datamachine flows webhook set-secret 10 --generate
wp datamachine flows webhook set-secret 10 --secret=<value>

# Check webhook status (shows auth mode; never shows secret/token)
# Regenerate the Bearer token (bearer mode only)
wp datamachine flows webhook regenerate 10

# Check webhook status — shows auth mode, template, secret ids (never values).
wp datamachine flows webhook status 10

# List all webhook-enabled flows
wp datamachine flows webhook list

# Regenerate Bearer token (bearer mode only)
wp datamachine flows webhook regenerate 10

# Configure rate limiting
wp datamachine flows webhook rate-limit 10 --max=10 --window=60

# Disable webhook (clears all auth material, both modes)
# Disable webhook (clears all auth material)
wp datamachine flows webhook disable 10
```

**Signature formats for HMAC mode** (`--signature-format`):
- `sha256=hex` (default) — GitHub-style `sha256=<hex>` header values.
- `hex` — raw hex digest (e.g. Linear).
- `base64` — base64-encoded raw digest (e.g. Shopify).

See [Webhook Triggers](../api/endpoints/webhook-triggers.md) for the full
GitHub walkthrough and security notes.
**DM core ships no provider names.** Preset registrations belong in companion
plugins. See [Webhook Triggers](../api/endpoints/webhook-triggers.md) for the
template config grammar, the `datamachine_webhook_auth_presets` filter, and
the backward-compat migration path for legacy v1 flows.

### datamachine flows bulk-config
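
Review bot: In the rotation block of the bash example, the comment "keeps the old secret verifying for 7d" sits above three commands but matches only the first: the second passes `--previous-ttl-seconds=86400` (one day) and the third, `forget 10 previous`, removes the previous secret instead of keeping it. Suggest giving each command its own comment and labelling 7d as the default TTL if that is what it is. Separately, the `enable 10 --config=@template.json --secret=<value>` and `set-secret 10 --secret=<value>` examples put the shared secret on the command line, where it lands in shell history and process listings; a comment steering readers to `--generate-secret` or `--generate` where the provider allows it would help. The removed `--auth-mode`, `--signature-header` and `--signature-format` flags also deserve a line saying whether they are still accepted, since the closing paragraph covers migration of legacy v1 flows but not of existing scripts.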
