Add factory webhook handler

[khaliqgant]

Summary

• add factory-sdk webhook handler for Relayfile outbound webhook HMAC verification, dedupe, and provider path routing
• add webhook registrar and in-memory factory state store exports
• add focused webhook handler tests for valid routes, invalid HMAC, duplicate event IDs, and retryable handler failures

Tests

• npm run typecheck
• npx vitest run packages/factory-sdk/src/webhook/handler.test.ts

[coderabbitai]

Warning

Review limit reached

@khaliqgant, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 46 minutes and 27 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 084bd692-b833-439b-aa6b-431253e0129a

📥 Commits

Reviewing files that changed from the base of the PR and between 31d9871 and 7faad14.

📒 Files selected for processing (8)

• packages/factory-sdk/src/index.ts
• packages/factory-sdk/src/state/index.ts
• packages/factory-sdk/src/state/store.ts
• packages/factory-sdk/src/webhook/handler.test.ts
• packages/factory-sdk/src/webhook/handler.ts
• packages/factory-sdk/src/webhook/index.ts
• packages/factory-sdk/src/webhook/registrar.test.ts
• packages/factory-sdk/src/webhook/registrar.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ar-347-factory-webhook-handler

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a webhook handling and registration system along with an in-memory state store in the factory-sdk package. Specifically, it adds a WebhookHandler for processing and verifying signatures of incoming events (Linear, Slack, GitHub), a WebhookRegistrar for managing subscriptions, and an InMemoryStateStore implementing a StateStore interface. The review feedback highlights several critical improvements: preventing a memory leak in the webhook deduplication cache, addressing potential timing leaks and decoding vulnerabilities in the signature verification function, validating incoming payloads to avoid runtime type errors, and adding a guard to prevent orphaned webhook subscriptions when registering multiple times.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

The #seen Set is used to deduplicate webhook events by eventId. However, because it is an unbounded Set, it will grow indefinitely as more events are processed. In a long-running server process, this will eventually lead to a memory leak and potential Out Of Memory (OOM) crashes.

To prevent this, we can limit the size of the Set by evicting the oldest entries (FIFO) when a threshold (e.g., 10,000 events) is exceeded.

    if (eventId) {
      this.#seen.add(eventId)
      if (this.#seen.size > 10000) {
        const oldest = this.#seen.values().next().value
        if (oldest !== undefined) {
          this.#seen.delete(oldest)
        }
      }
    }

[gemini-code-assist]

The current implementation of timingSafeHexEqual has potential timing leaks and vulnerabilities:

1. Length-based Timing Leak: If a.length !== b.length, it returns false immediately, leaking the length of the expected signature.
2. Hex Decoding Anomalies: Buffer.from(b, 'hex') can produce buffers of different lengths if b contains non-hex characters (e.g., Buffer.from('zz', 'hex') has length 0). This causes bufA.length === bufB.length to short-circuit, leaking whether the input contains valid hex characters.

To resolve these issues, we can compare the strings as UTF-8 buffers (since hex characters are safe ASCII/UTF-8). If the lengths differ, we can perform a dummy comparison against bufA itself to ensure constant-time execution before returning false.

Suggested change

	function timingSafeHexEqual(a: string, b: string): boolean {
	if (a.length !== b.length) return false
	const bufA = Buffer.from(a, 'hex')
	const bufB = Buffer.from(b, 'hex')
	return bufA.length === bufB.length && cryptoTimingSafeEqual(bufA, bufB)
	}
	function timingSafeHexEqual(a: string, b: string): boolean {
	const bufA = Buffer.from(a, 'utf8')
	const bufB = Buffer.from(b, 'utf8')
	if (bufA.length !== bufB.length) {
	cryptoTimingSafeEqual(bufA, bufA)
	return false
	}
	return cryptoTimingSafeEqual(bufA, bufB)
	}

[gemini-code-assist]

The parsed event is cast directly to WebhookEvent without validation. If the incoming payload is malformed or missing the path property, event.path will be undefined. This will cause event.path.startsWith(...) to throw a TypeError, resulting in a 500 internal_error response.

To make the handler more robust and return a proper 400 bad_request for malformed payloads, we should validate that event?.path is a string before proceeding.

    let event: WebhookEvent
    try {
      event = JSON.parse(rawBody) as WebhookEvent
    } catch {
      return new Response('bad_request', { status: 400 })
    }

    if (typeof event?.path !== 'string') {
      return new Response('bad_request', { status: 400 })
    }

[gemini-code-assist]

If register() is called multiple times on the same registrar instance, it will overwrite this.#subscriptionId without unregistering or throwing an error. This can lead to orphaned webhook subscriptions on the RelayFile server.

We should add a guard to prevent registering again if a subscription is already active.

Suggested change

	async register(): Promise<void> {
	const pathGlobs = this.#config.pathGlobs ?? [
	async register(): Promise<void> {
	if (this.#subscriptionId) {
	throw new Error('Webhook is already registered')
	}
	const pathGlobs = this.#config.pathGlobs ?? [

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3401544ae5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Coalesce duplicate webhook deliveries while in flight

When two deliveries with the same x-relay-event-id arrive concurrently, both requests can pass this #seen check before either handler finishes and adds the id at the end, so both provider handlers run and can spawn duplicate factory work or duplicate writebacks. Duplicate delivery is a normal Relayfile failure mode; reserve the event id or keep a keyed in-flight promise before invoking the provider handler, and clear it on retryable failure so later retries still work.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Avoid creating duplicate webhook subscriptions

Calling register() more than once creates another webhook subscription and overwrites the only stored #subscriptionId; unregister() can then delete only the newest subscription, leaving the earlier one active and causing duplicate webhook deliveries for the same factory. This can happen on retries/reconnects or repeated startup paths, so register() should be idempotent and preferably coalesce concurrent calls before invoking registerWebhook.

Useful? React with 👍 / 👎.

[agent-relay-code]

Findings

1. packages/factory-sdk/src/webhook/registrar.ts: register() is not idempotent. Calling it twice creates another webhook subscription and overwrites #subscriptionId, so unregister() can only delete the last one and leaves earlier subscriptions active. That will multiply deliveries for the same logical event. This needs a human-authored behavior fix, not an auto-edit.

2. packages/factory-sdk/src/webhook/handler.ts: duplicate suppression only uses the x-relay-event-id header, even though WebhookEvent requires eventId in the signed body. If a valid relay/client sends the identity in the payload but omits the header, duplicate deliveries are reprocessed. Consider parsing first after signature verification and deduping on the stable event identity from header or body.

Addressed Comments

• No bot or reviewer comments were present in .workforce/context.json or other .workforce files, so there were no existing threads to address.

Verification

No files were edited.

Ran:

• npm ci
• npm run verify:mcp-resources-drift
• npm run lint passes with existing warnings
• npm run typecheck:web
• npm run typecheck:node
• npm test
• npx vitest run failed once on an existing timing-sensitive factory heartbeat test, then the targeted rerun passed, and a second full npx vitest run passed
• npm run build
• npm run build:web
• npx playwright test --config playwright.fidelity.config.ts
• npx playwright test --config playwright.redraw.config.ts

I did not run the macOS-only packaging smoke job locally.

[agent-relay-code]

Findings

1. packages/factory-sdk/src/webhook/handler.ts: duplicate webhook deliveries are only marked seen after the provider handler finishes at lines 54-67. Two concurrent requests with the same eventId can both pass the #seen check and both invoke the handler. This needs a human-authored in-flight/idempotency patch, so I did not edit it.

2. packages/factory-sdk/src/webhook/registrar.ts: register() is idempotent for sequential calls, but not concurrent calls. Two simultaneous calls can both pass the #subscriptionId guard before either stores the result, creating duplicate webhooks. This is lifecycle/ownership logic, so I left it as a review finding.

3. packages/factory-sdk/src/webhook/handler.ts: signed but malformed JSON payloads are cast to WebhookEvent without validation. For example, {} reaches event.path.startsWith(...), throws, and returns 500, causing retry behavior for a bad request. This is behavioral validation logic, so I did not auto-edit it.

Addressed comments

• coderabbitai[bot]: rate-limit notice only; no actionable code review comment to fix.
• gemini-code-assist[bot]: unbounded #seen set in handler.ts is valid, but cache eviction policy is semantic; left unchanged.
• gemini-code-assist[bot]: timingSafeHexEqual concern at handler.ts; reviewed, not treated as a blocking PR issue because expected signature length is not secret and invalid hex still fails closed.
• gemini-code-assist[bot]: duplicate register() comment is stale for sequential calls because registrar.ts now returns when already registered; concurrent duplicate registration remains valid and is listed above.
• gemini-code-assist[bot]: review summary also raised payload validation; validated current checkout and listed above at handler.ts.
• chatgpt-codex-connector[bot]: top-level review banner only; no specific code action.
• chatgpt-codex-connector[bot]: concurrent duplicate webhook delivery finding is valid in handler.ts; left unchanged because it is semantic/safety logic.
• chatgpt-codex-connector[bot]: concurrent duplicate webhook registration finding is valid in registrar.ts; left unchanged because it is lifecycle logic.
• agent-relay-code[bot]: prior registrar finding is stale for sequential calls but valid for concurrent calls; see registrar.ts.
• agent-relay-code[bot]: prior body/header event ID finding is stale; current code uses event.eventId || headerEventId at handler.ts.

Verification

No files were edited.

Ran successfully:

• npm ci
• npm run verify:mcp-resources-drift
• npm run lint passes with existing warnings
• npm run typecheck:web
• npm run typecheck:node
• npx vitest run packages/factory-sdk/src/webhook/handler.test.ts packages/factory-sdk/src/webhook/registrar.test.ts
• npm test
• npx vitest run passed on rerun; first run hit a transient existing factory heartbeat timing failure that passed in isolation
• npm run build
• npm run build:web
• npx playwright install --with-deps chromium
• npx playwright test --config playwright.redraw.config.ts
• npx playwright test --config playwright.fidelity.config.ts passed sequentially; a prior parallel local run timed out under contention

GitHub reports PR #360 is already merged/closed, so I am not printing READY.