test: add webhook conformance smoke coverage

[khaliqgant]

Summary

• add outbound webhook conformance coverage for subscription lifecycle, SSRF rejection, scoped auth, and DLQ shape
• add public-receiver-gated e2e delivery smoke with HMAC/header verification, in-order delivery checks, duplicate-content distinct event IDs, and no delivery after delete
• add a conformance --help fast path so parse checks do not start a server

Validation

• npx tsx scripts/conformance.ts --help 2>&1 || true
• git diff --check
• no-install TypeScript check run by Codex1: tsc --noEmit on scripts/conformance.ts and scripts/e2e.ts with external @types/node path

Notes

• delivery smoke requires a deployed CF worker plus --webhook-receiver-url / RELAYFILE_WEBHOOK_RECEIVER_URL; without it the smoke logs the documented skip message

[coderabbitai]

Warning

Review limit reached

@khaliqgant, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 30 minutes and 37 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3c80ce76-f0a9-43a5-a5a5-a747ac811766

📥 Commits

Reviewing files that changed from the base of the PR and between 7b335b3 and 3809c5b.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (6)

• .agentworkforce/trajectories/completed/2026-06/traj_gaeqizrg7xrp/summary.md
• .agentworkforce/trajectories/completed/2026-06/traj_gaeqizrg7xrp/trajectory.json
• .agentworkforce/trajectories/completed/2026-06/traj_n21cpwtav76z/summary.md
• .agentworkforce/trajectories/completed/2026-06/traj_n21cpwtav76z/trajectory.json
• scripts/conformance.ts
• scripts/e2e.ts

📝 Walkthrough

Walkthrough

Two test scripts gain outbound webhook coverage. conformance.ts adds a webhooksSection() covering subscription lifecycle, SSRF URL rejection, path-scoped token enforcement, and DLQ checks, plus CLI --help support and expanded webhook scopes. e2e.ts adds a local HTTP receiver, HMAC signature verification, event-polling helpers, and a full delivery smoke test.

Changes

Outbound Webhook Testing

Layer / File(s)	Summary
CLI flags, scope setup, and shared helpers scripts/conformance.ts, scripts/e2e.ts	conformance.ts gains --help/-h detection, expands ALL_SCOPES with webhook-related entries, adds three helpers (subscriptionId, list normalizer, error code reader), and updates main() usage text. e2e.ts refactors flag parsing to a shared argv/flags set and adds --webhook-receiver-url stored in WEBHOOK_RECEIVER_URL.
Local webhook receiver and validation helpers scripts/e2e.ts	Defines a captured-request shape and a local HTTP server that buffers bodies, parses JSON, and timestamps requests. Adds readHeader, verifySignature (HMAC via timingSafeEqual), waitForWebhookRequest, waitForEventId, and getReceiverUrl helpers.
Conformance webhooksSection and suite wiring scripts/conformance.ts	Calls webhooksSection() from runSuite() before the Export step and renumbers the writeback lifecycle, ACL, WebSocket, and concurrency section labels. webhooksSection() tests register/list/delete lifecycle, SSRF rejection for loopback and non-HTTPS URLs, 403 enforcement for path-scoped tokens, and DLQ endpoint shape.
E2E webhook delivery smoke test scripts/e2e.ts	Registers a subscription with a generated secret and path-glob, writes two files to trigger deliveries, asserts eventId consistency and HMAC signature validity for both in write order, deletes the subscription, and confirms no further delivery is received; always cleans up in a finally block.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• AgentWorkforce/relayfile#281: Introduced the TypeScript SDK client-side webhook operations (register/list/delete/DLQ/replay) that the new conformance and E2E tests exercise directly.

Poem

🐇 Hop hop, a webhook arrives!
I sniff the HMAC to see if it's live,
SSRF loopback? Rejected with glee,
Scoped tokens get a 403 from me.
DLQ checked, lifecycle complete—
These bouncing deliveries can't be beat! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'test: add webhook conformance smoke coverage' clearly summarizes the main change: adding webhook-related test coverage.
Description check	✅ Passed	The description directly relates to the changeset, detailing webhook conformance coverage, e2e delivery smoke tests, and validation steps that align with the code changes.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ar-267-webhook-conformance

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces outbound webhook testing to both the conformance and end-to-end test suites. It adds new webhook-related scopes, helper functions, and a comprehensive suite of webhook lifecycle tests in scripts/conformance.ts. Additionally, scripts/e2e.ts now includes a local webhook receiver server to capture and verify signed webhook deliveries, along with support for a public tunnel URL via --webhook-receiver-url. The review feedback highlights a few issues: the -h flag is currently ignored because the flags parser only filters arguments starting with --, active keep-alive connections on the test server could cause server.close() to hang, and a potential TypeError exists if resp.data is null when checking events.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

The flags set is constructed by filtering arguments that start with --. Consequently, any single-hyphen flag like -h is excluded from the set, making flags.has('-h') always evaluate to false. To fix this, check process.argv directly for the -h flag.

Suggested change

	const HELP = flags.has('--help') || flags.has('-h');
	const HELP = flags.has('--help') || process.argv.slice(2).includes('-h');

[gemini-code-assist]

When shutting down the test server, active keep-alive connections (e.g., from a public tunnel or client) can prevent server.close() from resolving quickly, potentially causing the test suite to hang or timeout. Calling server.closeAllConnections() before closing the server ensures all active connections are immediately terminated.

    close: () => new Promise<void>((resolve, reject) => {
      server.closeAllConnections?.();
      server.close((err) => (err ? reject(err) : resolve()));
    }),

[gemini-code-assist]

If the API response body is null (which is valid JSON), accessing resp.data.events will throw a TypeError. Using optional chaining (resp.data?.events) ensures the check is safe and robust against null responses.

Suggested change

	const events = Array.isArray(resp.data.events) ? resp.data.events : [];
	const events = Array.isArray(resp.data?.events) ? resp.data.events : [];

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7b335b3424

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Gate outbound webhook conformance until routes exist

When scripts/conformance.ts is run locally or with --remote, this unconditional section now POSTs to /v1/workspaces/{id}/webhooks, but the server only routes /v1/workspaces/{id}/webhooks/ingest and the OpenAPI contract likewise only documents the ingest path (internal/httpapi/server.go:228, openapi/relayfile-v1.openapi.yaml:1577; repo-wide rg finds no subscription/DLQ routes). As a result the suite fails with 404 before export/writeback/WebSocket coverage, unless those outbound webhook endpoints are implemented or this section is feature-gated.

Useful? React with 👍 / 👎.

[agent-relay-code]

Findings

1. Blocking: conformance now asserts routes the Go server does not implement.
   scripts/conformance.ts:653, :662, :667, :721 call POST/GET/DELETE /v1/workspaces/{id}/webhooks and GET /webhooks/dlq, but the current router only exposes POST /webhooks/ingest at internal/httpapi/server.go:228. Running conformance locally would fail these new tests with 404s. This needs a human contract decision: either add the outbound webhook subscription API to server + OpenAPI, or change the conformance tests to target the implemented contract.

2. Blocking: e2e webhook smoke cannot observe deliveries when using --webhook-receiver-url.
   scripts/e2e.ts:727 starts a random local receiver, but scripts/e2e.ts:732 registers the externally supplied URL instead, then scripts/e2e.ts:754 waits on the local receiver’s in-memory request list. Unless the external URL is dynamically forwarded to that exact random port, the test will time out. The receiver/tunnel ownership model needs to be clarified before this can be made reliable.

3. Blocking: e2e token does not include webhook scopes for the new webhook API.
   scripts/e2e.ts:338 mints only fs:read, fs:write, sync:read, and ops:read, then scripts/e2e.ts:735 tries to register a webhook. If the intended outbound webhook API enforces the new webhooks:* scopes used by conformance, this smoke test will fail authorization.

Addressed comments

• Devin review comment BUG_pr-review-job-19c9f68a0b294753987d516e35f5dfc3_0001: stale/invalid for current checkout; packages/relayfile-sdk/tsconfig.json does not exist, and the current SDK tsconfig at packages/sdk/typescript/tsconfig.json:11 already excludes src/**/*.test.ts.
• Devin review comment BUG_pr-review-job-309b1d0508384dcc9a8f56825f979c2e_0002: stale; current BulkWriteResponse includes correlationId at packages/sdk/typescript/src/types.ts:120.
• Devin summary item 1, internal/mountfuse/wsinvalidate.go:134: stale/resolved; current websocket path is /v1/workspaces/%s/fs/ws at internal/mountfuse/wsinvalidate.go:200.
• Devin summary item 2, internal/mountfuse/dir.go:130: stale/resolved; current open path returns fuse.FOPEN_KEEP_CACHE at internal/mountfuse/dir.go:135.
• Devin summary item 3, internal/mountfuse/file.go:248: stale/resolved; current flush captures protected fields under the handle mutex at internal/mountfuse/file.go:222.
• Devin summary item 4, internal/mountfuse/file.go:225: stale/resolved; current flush invalidates, stores, then refreshes the node at internal/mountfuse/file.go:239.
• Devin summary item 5, packages/core/src/webhooks.ts:387: not changed; unrelated to this PR’s webhook-conformance script changes, so no auto-edit was made.
• Devin summary item 6, internal/mountfuse/wsinvalidate.go:71: not changed; unrelated to this PR and in connection lifecycle code, so no auto-edit was made.
• Devin summary item 7, internal/mountfuse/dir.go:130: stale/resolved at internal/mountfuse/dir.go:135.
• Devin summary item 8, internal/mountfuse/wsinvalidate.go:134: stale/resolved at internal/mountfuse/wsinvalidate.go:200.
• Devin summary item 9, internal/mountfuse/file.go:248: stale/resolved at internal/mountfuse/file.go:222.
• Devin summary item 10, internal/mountfuse/file.go:225: stale/resolved at internal/mountfuse/file.go:239.
• Devin summary item 11, internal/mountfuse/file.go:231: not changed; unrelated to this PR and not a mechanical cleanup.
• Devin summary item 12, internal/mountfuse/wsinvalidate.go:133: not changed; unrelated to this PR and in websocket lifecycle code.

Verification

No files were edited.

Checks run:

• npx tsx scripts/conformance.ts --help passed.
• npx tsc --noEmit --target ES2022 --module NodeNext --moduleResolution NodeNext --types node scripts/conformance.ts scripts/e2e.ts passed.
• go test ./... could not run because go is not installed in this sandbox.
• npm ci at root and in packages/sdk/typescript failed before tests due existing lockfile/package mismatch for @relayfile/mount-* optional packages 0.8.27 vs 0.8.28.

Advisory Notes

The lockfile mismatch is outside this PR’s changed files, but it currently prevents the Node CI jobs from starting in this checkout. I left it unchanged because it is unrelated to the webhook conformance PR purpose.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

scripts/e2e.ts (1)

337-338: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add webhook scopes to the e2e token before registering subscriptions.

The new smoke test uses TOKEN for webhook POST/DELETE, but this token only has file/sync/ops scopes. An auth-enforcing server should reject Lines 735 and 784 before any delivery assertions run.

Proposed fix

-  TOKEN = rs256Auth.generateToken(WORKSPACE, 'e2e', ['fs:read', 'fs:write', 'sync:read', 'ops:read'], 3600);
+  TOKEN = rs256Auth.generateToken(WORKSPACE, 'e2e', [
+    'fs:read',
+    'fs:write',
+    'sync:read',
+    'ops:read',
+    'webhooks:read',
+    'webhooks:write',
+  ], 3600);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/e2e.ts` around lines 337 - 338, The e2e TOKEN generated on line 338
via rs256Auth.generateToken() is missing webhook scopes and only includes
file/sync/ops scopes, but the token is used for webhook POST/DELETE operations
later in the test. Add webhook-related scopes (such as 'webhook:read' and
'webhook:write') to the scopes array passed to the generateToken method call for
rs256Auth to ensure the token has the necessary permissions for webhook
subscription operations.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/conformance.ts`:
- Around line 720-723: The DLQ endpoint test in the test function labeled 'DLQ
endpoint' is using the incorrect endpoint path and response structure. Update
the api call to use the correct endpoint path from the OpenAPI contract: change
from ${ws()}/webhooks/dlq to ${ws()}/sync/dead-letter. Then update the assertion
that checks for r.data?.items to instead validate the response according to the
DeadLetterFeedResponse format defined in the OpenAPI contract, ensuring the
conformance test matches the actual API specification.
- Around line 26-29: The filter condition in the flags Set initialization only
accepts arguments starting with '--', which excludes the '-h' short form flag.
When the HELP constant checks for flags.has('-h'), it will never find it because
'-h' was filtered out. Modify the filter function used when creating the flags
Set to accept both arguments starting with '--' and also the '-h' argument, so
that the HELP constant properly detects both '--help' and '-h' command line
arguments.

In `@scripts/e2e.ts`:
- Around line 185-199: The local receiver binds to an ephemeral port (port 0 in
server.listen) but when WEBHOOK_RECEIVER_URL environment variable is set, the
subscription uses that external URL instead while tests still wait on the local
receiver.requests array. To fix this misalignment, either configure the
server.listen call to bind to a specific port that matches a configured port in
WEBHOOK_RECEIVER_URL (instead of using port 0), or implement a public receiver
capture/polling API endpoint that the test can query to retrieve webhook
requests instead of relying on the local receiver.requests array. This issue
applies at multiple locations in the file where webhook receiver setup and
request polling occur, so ensure any fix is consistently applied across all
affected sites.
- Around line 730-744: The pathGlob and filePath variables both call Date.now()
separately, which can result in different millisecond values and cause the glob
pattern to fail matching the actual file path, leading to a timeout. Capture
Date.now() once into a single timestamp variable and use that same variable in
both the pathGlob construction (the glob pattern for the webhook receiver) and
the filePath construction (the delivery file path) to ensure they match
correctly.

---

Outside diff comments:
In `@scripts/e2e.ts`:
- Around line 337-338: The e2e TOKEN generated on line 338 via
rs256Auth.generateToken() is missing webhook scopes and only includes
file/sync/ops scopes, but the token is used for webhook POST/DELETE operations
later in the test. Add webhook-related scopes (such as 'webhook:read' and
'webhook:write') to the scopes array passed to the generateToken method call for
rs256Auth to ensure the token has the necessary permissions for webhook
subscription operations.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 581ad6d8-a71c-4730-9835-0264286736df

📥 Commits

Reviewing files that changed from the base of the PR and between fdfe017 and 7b335b3.

📒 Files selected for processing (2)

• scripts/conformance.ts
• scripts/e2e.ts

[agent-relay-code]

Findings

1. scripts/conformance.ts:447 calls webhooksSection() unconditionally, but the checked-out server only routes POST /v1/workspaces/{workspaceId}/webhooks/ingest at internal/httpapi/server.go:228. The PR’s new conformance checks call subscription routes like POST/GET/DELETE /webhooks at scripts/conformance.ts:653, :663, and :668, so the suite will fail with 404 before later conformance coverage runs. This needs a semantic decision: implement the outbound webhook subscription API or feature-gate/remove this conformance section.

2. scripts/conformance.ts:722 checks GET /webhooks/dlq, but the OpenAPI contract defines DLQ listing as GET /sync/dead-letter with DeadLetterFeedResponse at openapi/relayfile-v1.openapi.yaml:1044 and :2827. I did not auto-edit this because it changes the tested API contract behavior.

3. scripts/e2e.ts:187 binds the local receiver to a random local port, but when RELAYFILE_WEBHOOK_RECEIVER_URL is set, scripts/e2e.ts:732 registers the external URL while still polling local receiver.requests. A normal public tunnel cannot know the random port in advance, and a separate deployed receiver will not populate this in-process array.

4. scripts/e2e.ts:731 and scripts/e2e.ts:744 use separate Date.now() values for the webhook glob and file path. If the millisecond changes, the subscription glob may not match the file write path.

5. scripts/e2e.ts:338 generates the E2E token without webhook scopes, but the new smoke test uses that token for webhook POST/DELETE at scripts/e2e.ts:735 and :784.

Changed

Applied one mechanical fix: scripts/conformance.ts:26 now stores argv, and scripts/conformance.ts:30 checks argv.includes('-h'), so -h reaches the help fast path.

Addressed comments

• gemini-code-assist, scripts/conformance.ts -h flag unreachable: fixed in scripts/conformance.ts:26 and scripts/conformance.ts:30.
• gemini-code-assist, scripts/e2e.ts server close may hang on active keep-alive connections: not changed; this is lifecycle/termination behavior and needs a human-authored patch.
• gemini-code-assist, scripts/e2e.ts resp.data.events may throw on JSON null: not changed; defensive runtime behavior change, not mechanical.
• chatgpt-codex-connector, outbound webhook conformance routes do not exist: valid, left as finding at scripts/conformance.ts:447 and internal/httpapi/server.go:228.
• coderabbitai, scripts/conformance.ts -h flag unreachable: fixed in scripts/conformance.ts:26 and scripts/conformance.ts:30.
• coderabbitai, DLQ endpoint should use /sync/dead-letter: valid, left as finding at scripts/conformance.ts:722.
• coderabbitai, receiver URL and captured endpoint do not line up: valid, left as finding at scripts/e2e.ts:187 and scripts/e2e.ts:732.
• coderabbitai, webhook glob/file path use different timestamps: valid, left as finding at scripts/e2e.ts:731 and scripts/e2e.ts:744.
• coderabbitai, E2E token lacks webhook scopes: valid, left as finding at scripts/e2e.ts:338.
• coderabbitai rate-limit/walkthrough/docstring warning: no code action; it did not identify a validated code defect in the current checkout.

Validation

Passed:

• npx tsx scripts/conformance.ts -h
• npx tsx scripts/conformance.ts --help
• npx -p typescript@5.7.3 -p @types/node@22.0.0 tsc --noEmit --target ES2022 --module NodeNext --moduleResolution NodeNext --types node scripts/conformance.ts scripts/e2e.ts
• ./scripts/check-contract-surface.sh

Blocked:

• npm ci at root and in packages/sdk/typescript fails because package lock entries for @relayfile/mount-* are 0.8.27 while package metadata requires 0.8.28.
• go test ./... and Go build could not run because go is not installed in this environment.

I am not printing READY because CI-equivalent validation is blocked and the PR still has validated semantic findings.

[github-actions]

Relayfile Eval Review

Run: .relayfile/evals/runs/2026-06-15T13-45-21-494Z-HEAD-provider
Mode: provider
Git SHA: ba0e092

Passed: 4 | Needs human: 0 | Reviewable: 0 | Missing output: 0 | Failed: 0 | Skipped: 0

Human Review Cases

No reviewable human-review cases captured Relayfile output.