Skip to content

fix(webhooks): harden audited provider triggers#3997

Merged
waleedlatif1 merged 23 commits intostagingfrom
waleedlatif1/greenhouse-audit-followups
Apr 7, 2026
Merged

fix(webhooks): harden audited provider triggers#3997
waleedlatif1 merged 23 commits intostagingfrom
waleedlatif1/greenhouse-audit-followups

Conversation

@waleedlatif1
Copy link
Copy Markdown
Collaborator

@waleedlatif1 waleedlatif1 commented Apr 6, 2026
edited
Loading

Summary

  • harden audited webhook providers across Salesforce, Zoom, Resend, Linear, Vercel, Greenhouse, Gong, and Notion
  • add missing provider lifecycle behavior such as server-side event matching, secure verification, retry/idempotency handling, trigger wiring, and runtime/output alignment
  • improve provider setup guidance and add targeted tests plus a reusable trigger-alignment script for ongoing audits

Test plan

  • Ran targeted webhook/provider tests
  • Verified integrated suite passes: 56 tests across provider, processor, route, and idempotency coverage
  • Checked lints for touched provider and trigger files
  • Reviewed implementation against provider docs during the audit/fix pass
  • Full repository test suite not run
  • Full repository type-check still has unrelated pre-existing failures outside this scope

@vercel
Copy link
Copy Markdown

vercel bot commented Apr 6, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Apr 7, 2026 3:30am

Request Review

@cursor
Copy link
Copy Markdown

cursor bot commented Apr 6, 2026
edited
Loading

PR Summary

Medium Risk
Touches webhook authentication/challenge handling and provider-specific event matching across multiple integrations, so mistakes could drop or incorrectly accept deliveries. Changes are contained to webhook ingestion/providers with added tests to reduce regression risk.

Overview
Hardens webhook ingestion and provider handlers by passing rawBody into provider challenge handlers (notably Zoom) and tightening provider-level verifyAuth logic (e.g., JWT auth for Gong, timestamp-bound signature checks for Linear, explicit secrets for Resend/Vercel/Salesforce).

Improves correctness and deduplication by adding/standardizing matchEvent behavior (fail-closed on unknown trigger IDs for Linear/Greenhouse, new matchers for Vercel/Notion/Salesforce, Zoom rejects validation payload execution) and expanding idempotency key sources (Svix/Resend, Linear, Greenhouse, plus new per-provider extractIdempotencyId implementations).

Adds Salesforce webhook support and trigger wiring via a new salesforce provider handler, pending-verification support, and trigger config updates (required secrets + optional object filtering). Zoom block is wired to expose available triggers.

Developer tooling/docs: introduces apps/sim/scripts/check-trigger-alignment.ts for provider-specific output vs formatInput alignment checks, updates trigger authoring docs accordingly, and adds targeted provider/unit tests (Gong/Linear/Notion/Vercel/Salesforce/Zoom/Greenhouse/idempotency).

Reviewed by Cursor Bugbot for commit 41b0348. Configure here.

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Apr 6, 2026
edited
Loading

Greptile Summary

This PR hardens webhook provider integrations for Salesforce, Zoom, Resend, Linear, Vercel, Greenhouse, Gong, and Notion. It adds missing lifecycle behaviour — server-side event matching, HMAC/JWT signature verification, retry-safe idempotency, subscription create/delete flows, and standardised output schemas — along with targeted tests and a trigger-alignment audit script.

Key improvements:

  • Linear: replay window raised to 5 min (prior review finding resolved), HMAC secret generated on subscription creation, matchEvent filters by resource type/action for v1 triggers
  • Vercel: full subscription lifecycle (create + delete), SHA-1 HMAC verification, per-trigger event filtering
  • Zoom: CRC challenge handler DB-resolves env-backed secrets; block trigger wiring corrected
  • Resend: Svix signing scheme correctly implemented (5-min replay window, base64 secret decode, multi-signature loop)
  • Gong: optional RS256 JWT verification with body_sha256 body-integrity and webhook_url URL-binding claims
  • Salesforce: shared-secret auth (Bearer + custom header), broad eventType normalisation, stable SHA-256 fallback idempotency fingerprint
  • Greenhouse / Notion: HMAC verifiers via createHmacVerifier, event matching, idempotency extraction
  • Idempotency service: atomic Redis SET NX and PostgreSQL ON CONFLICT DO NOTHING claims; in-progress polling; 7-day TTL

Findings:

  • P1 (utils.ts): createHmacVerifier returns null (grants access) when no secret is configured, causing Greenhouse and Notion webhooks to silently accept any request. Salesforce and Vercel fail closed with 401 — the factory should be consistent.
  • P2 (service.ts): IdempotencyResult.previousResult, ProcessingResult.result, and all additionalContext parameters use any instead of unknown, violating the project's TypeScript rules.
  • P2 (vercel.test.ts): Re-mocks @sim/logger which is globally provided by vitest.setup.ts and must not be re-mocked per testing guidelines.
  • P2 (salesforce.test.ts): Missing @vitest-environment node annotation that vercel.test.ts (same PR) correctly includes.

Confidence Score: 4/5

PR is safe to merge after addressing the fail-open security inconsistency in createHmacVerifier for Greenhouse and Notion webhooks.

Score is 4 because the P1 finding (createHmacVerifier silently allowing all requests when no secret is configured) is a real security inconsistency that should be resolved before merging. The existing URL unguessability provides some defence-in-depth, but it is not a substitute for authentication. All other findings are non-blocking P2 style issues. The core webhook hardening logic is well-implemented: timing-safe HMAC comparisons, atomic idempotency claims, correct event filtering, and full subscription lifecycles.

apps/sim/lib/webhooks/providers/utils.ts (createHmacVerifier fail-open for Greenhouse and Notion), apps/sim/lib/core/idempotency/service.ts (any types), apps/sim/lib/webhooks/providers/vercel.test.ts (re-mocks global logger), apps/sim/lib/webhooks/providers/salesforce.test.ts (missing @vitest-environment node)

Important Files Changed

Filename Overview
apps/sim/lib/webhooks/providers/utils.ts createHmacVerifier factory passes (returns null) when secret is unconfigured — inconsistent with salesforce/vercel handlers that fail closed with 401.
apps/sim/lib/core/idempotency/service.ts Atomic Redis SET NX and PG ON CONFLICT claims; 7-day TTL; in-progress polling. Uses any on previousResult, result, and additionalContext parameters.
apps/sim/lib/webhooks/providers/linear.ts Replay window raised to 5 min; HMAC secret generated on subscription create; matchEvent filters resource type and action for v1 triggers.
apps/sim/lib/webhooks/providers/vercel.ts Full subscription lifecycle (create/delete); SHA-1 HMAC verification; per-trigger event filtering; idempotency via top-level delivery id.
apps/sim/lib/webhooks/providers/gong.ts Optional RS256 JWT verification with body_sha256 body-integrity and webhook_url URL-binding claim validation.
apps/sim/lib/webhooks/providers/zoom.ts CRC challenge DB-resolves env-backed secrets; HMAC-SHA256 with 5-min timestamp window; matchEvent blocks url_validation delivery events.
apps/sim/lib/webhooks/providers/salesforce.ts Shared-secret auth (Bearer + X-Sim-Webhook-Secret); broad eventType normalisation; stable SHA-256 fallback idempotency fingerprint.
apps/sim/lib/webhooks/providers/greenhouse.ts HMAC-SHA256 via createHmacVerifier (fails open when unconfigured); event matching via trigger util; idempotency via application/offer/job ID.
apps/sim/lib/webhooks/providers/notion.ts HMAC-SHA256 via createHmacVerifier (fails open when unconfigured); reachability test via verification_token; matchEvent delegates to trigger util.
apps/sim/lib/webhooks/providers/vercel.test.ts Good verifyAuth and idempotency coverage; re-mocks @sim/logger which is globally provided by vitest.setup.ts.
apps/sim/lib/webhooks/providers/salesforce.test.ts Good auth, event-matching, formatInput, and idempotency coverage; missing @vitest-environment node annotation.
apps/sim/app/api/webhooks/trigger/[path]/route.ts Fan-out processing for credential sets; auth verified per webhook before reachability test; challenge handling runs both before and after body parsing.
apps/sim/lib/webhooks/providers/resend.ts Svix signing scheme correctly implemented; full subscription lifecycle; per-trigger event filtering via RESEND_TRIGGER_TO_EVENT_TYPE.
apps/sim/triggers/salesforce/utils.ts Broad event type normalisation via normalised-token Sets; objectType enforcement; output builders for all five trigger variants.
apps/sim/triggers/zoom/utils.ts ZOOM_TRIGGER_EVENT_MAP maps trigger IDs to Zoom event names; isZoomEventMatch correctly passes zoom_webhook; complete output builders.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Route as /api/webhooks/trigger/[path]
    participant Processor
    participant Provider as Provider Handler
    participant Idempotency
    participant Queue

    Client->>Route: POST body
    Route->>Processor: handleProviderChallenges({})
    Note over Processor: Early CRC/challenge (Zoom etc.)
    Route->>Processor: parseWebhookBody()
    Route->>Processor: handleProviderChallenges(body)
    Note over Processor: Challenge with parsed body
    Route->>Processor: findAllWebhooksForPath()
    loop each webhook (credential fan-out)
        Route->>Provider: verifyAuth()
        Note over Provider: HMAC / RS256 JWT / Bearer check
        Provider-->>Route: null (pass) or 401
        Route->>Provider: handleReachabilityTest()
        Note over Provider: Notion verification_token etc.
        Route->>Processor: checkWebhookPreprocessing()
        Route->>Provider: matchEvent()
        Note over Provider: Event type / resource filter
        Route->>Idempotency: extractIdempotencyId(body)
        Idempotency->>Idempotency: atomicallyClaim(Redis NX / PG conflict)
        Idempotency-->>Route: claimed or duplicate
        Route->>Queue: queueWebhookExecution()
    end
    Route-->>Client: 200 Webhook processed
Loading

Comments Outside Diff (1)

  1. apps/sim/lib/webhooks/providers/utils.ts, line 32-36 (link)

    P1 createHmacVerifier fails open when secret is unconfigured

    createHmacVerifier returns null (grants access) when providerConfig[configKey] is absent. Both greenhouseHandler and notionHandler use this factory, meaning a webhook deployed without a configured secret accepts all inbound requests with no authentication.

    This is inconsistent with salesforceHandler.verifyAuth and vercelHandler.verifyAuth, which both reject with HTTP 401 when their secrets are missing. If Greenhouse and Notion signatures should be required, change the factory to fail closed:

    const secret = providerConfig[configKey] as string | undefined
if (!secret) {
  logger.warn(`[${requestId}] ${providerLabel} webhook missing ${configKey} — rejecting`)
  return new NextResponse(`Unauthorized - ${providerLabel} secret not configured`, { status: 401 })
}

    If signature verification is intentionally opt-in for these providers (e.g. because the URL itself is unguessable), a TSDoc comment explaining this design decision would prevent future confusion and drift.

Reviews (4): Last reviewed commit: "fix(webhooks): address remaining review ..." | Re-trigger Greptile

@waleedlatif1
fix(triggers): apply webhook audit follow-ups
2e89fe5 
Align the Greenhouse webhook matcher with provider conventions and clarify the Notion webhook secret setup text after the audit review.

Made-with: Cursor
@waleedlatif1
fix(webhooks): Salesforce provider handler, Zoom CRC and block wiring
bb716bb 
Add salesforce WebhookProviderHandler with required shared secret auth,
matchEvent filtering, formatInput aligned to trigger outputs, and
idempotency keys. Require webhook secret and document JSON-only Flow
setup; enforce objectType when configured.

Zoom: pass raw body into URL validation signature check, try all active
webhooks on a path for secret match, add extractIdempotencyId, tighten
event matching for specialized triggers. Wire Zoom triggers into the
Zoom block. Extend handleChallenge with optional rawBody.

Register Salesforce pending verification probes for pre-save URL checks.
@waleedlatif1
fix(webhooks): harden Resend and Linear triggers (idempotency, auth, …
0ddc769 
…outputs)

- Dedupe Resend deliveries via svix-id and Linear via Linear-Delivery in idempotency keys
- Require Resend signing secret; validate createSubscription id and signing_secret
- Single source for Resend event maps in triggers/utils; fail closed on unknown trigger IDs
- Add raw event data to Resend trigger outputs and formatInput
- Linear: remove body-based idempotency key; timestamp skew after HMAC verify; format url and actorType
- Tighten isLinearEventMatch for unknown triggers; clarify generic webhook copy; fix header examples
- Add focused tests for idempotency headers and Linear matchEvent
@waleedlatif1
fix(webhooks): harden Vercel and Greenhouse trigger handlers
e9618d9 
Require Vercel signing secret and validate x-vercel-signature; add
matchEvent with dynamic import, delivery idempotency, strict
createSubscription trigger IDs, and formatInput aligned to string IDs.

Greenhouse: dynamic import in matchEvent, strict unknown trigger IDs,
Greenhouse-Event-ID idempotency header, body fallback keys, clearer
optional secret copy. Update generic trigger wording and add tests.
@waleedlatif1
fix(gong): JWT verification, trigger UX, alignment script
317d4ab 
- Optional RS256 verification when Gong JWT public key is configured (webhook_url + body_sha256 per Gong docs); URL secrecy when unset.
- Document that Gong rules filter calls; payload has no event type; add eventType + callId outputs for discoverability.
- Refactor Gong triggers to buildTriggerSubBlocks + shared JWT field; setup copy matches security model.
- Add check-trigger-alignment.ts (Gong bundled; extend PROVIDER_CHECKS for others) and update add-trigger guidance paths.

Made-with: Cursor
@waleedlatif1
fix(notion): align webhook lifecycle and outputs
729667a 
Handle Notion verification requests safely, expose the documented webhook fields in the trigger contract, and update setup guidance so runtime data and user-facing configuration stay aligned.

Made-with: Cursor
@waleedlatif1 waleedlatif1 force-pushed the waleedlatif1/greenhouse-audit-followups branch from 5af8ade to 729667a Compare April 7, 2026 00:03
@waleedlatif1 waleedlatif1 changed the title fix(triggers): apply webhook audit follow-ups fix(webhooks): harden audited provider triggers Apr 7, 2026
@waleedlatif1
fix(webhooks): tighten remaining provider hardening
e79c556 
Close the remaining pre-merge caveats by tightening Salesforce, Zoom, and Linear behavior, and follow through on the deferred provider and tooling cleanup for Vercel, Greenhouse, Gong, and Notion.

Made-with: Cursor
@waleedlatif1
refactor(webhooks): move subscription helpers out of providers
23ccc9b 
Move provider subscription helpers alongside the subscription lifecycle module and add targeted TSDoc so the file placement matches the responsibility boundaries in the webhook architecture.

Made-with: Cursor
@waleedlatif1
fix(zoom): resolve env-backed secrets during validation
e000c5b 
Use the same env-aware secret resolution path for Zoom endpoint validation as regular delivery verification so URL validation works correctly when the secret token is stored via env references.

Made-with: Cursor
@waleedlatif1
Copy link
Copy Markdown
Collaborator Author

waleedlatif1 commented Apr 7, 2026

Follow-up Hardening Checklist

This PR looks reasonable to merge. The items below are follow-up hardening/cleanup work, not current blockers.

  • Salesforce: consolidate duplicated object-type parsing and improve fallback dedupe behavior when Flow payloads omit stable record identity.
  • Zoom: fail closed when triggerId is missing and consider rejecting malformed generic payloads with empty event.
  • Resend: revisit failed-idempotency behavior for repeated svix-id deliveries and add dedicated provider tests.
  • Linear: decide whether unsigned v1 mode should remain allowed and whether missing action should fail closed.
  • Vercel: tighten per-trigger outputs so they align more strictly with the shared formatInput contract.
  • Greenhouse: improve body-fallback idempotency for rare no-header scenarios and keep schema docs aligned with less common payload variants.
  • Gong: decide whether JWT misconfiguration should fail harder instead of silently falling back to URL secrecy.
  • Notion: revisit auth-before-reachability ordering during verification and decide whether more data_source.* events should get dedicated named triggers.
  • Shared lifecycle: consider making challenge handling less hardcoded than CHALLENGE_PROVIDERS, revisit failed-idempotency caching semantics, and continue expanding alignment checks.

@waleedlatif1
Copy link
Copy Markdown
Collaborator Author

waleedlatif1 commented Apr 7, 2026

@greptile

@waleedlatif1
Copy link
Copy Markdown
Collaborator Author

waleedlatif1 commented Apr 7, 2026

@cursor review

cursor[bot]
cursor bot reviewed Apr 7, 2026
View reviewed changes
@waleedlatif1
refactor(salesforce): share payload object type parsing
7c31044 
Remove dead code in the Salesforce provider and move shared object-type extraction into a single helper so trigger matching and input shaping stay in sync.

Made-with: Cursor
@waleedlatif1
Copy link
Copy Markdown
Collaborator Author

waleedlatif1 commented Apr 7, 2026

@greptile

@waleedlatif1
Copy link
Copy Markdown
Collaborator Author

waleedlatif1 commented Apr 7, 2026

@cursor review

cursor[bot]
cursor bot reviewed Apr 7, 2026
View reviewed changes
@waleedlatif1
fix(webhooks): address remaining review follow-ups
41b0348 
Loosen Linear's replay window to better tolerate delayed retries and make Notion event mismatches return false consistently with the rest of the hardened providers.

Made-with: Cursor
greptile-apps[bot]
greptile-apps bot reviewed Apr 7, 2026
View reviewed changes
@waleedlatif1
Copy link
Copy Markdown
Collaborator Author

waleedlatif1 commented Apr 7, 2026

@greptile

@waleedlatif1
Copy link
Copy Markdown
Collaborator Author

waleedlatif1 commented Apr 7, 2026

@cursor review

cursor[bot]
cursor bot reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 41b0348. Configure here.

@waleedlatif1
test(webhooks): separate Zoom coverage and clean Notion output shape
cae9c8b 
Move Zoom provider coverage into its own test file and strip undeclared Notion type fields from normalized output objects so the runtime shape better matches the trigger contract.

Made-with: Cursor
@waleedlatif1
feat(triggers): enrich Vercel and Greenhouse webhook output shapes
a305fc2 
Document and pass through Vercel links, regions, deployment.meta, and
domain.delegated; add top-level Greenhouse applicationId, candidateId,
and jobId aligned with webhook common attributes. Extend alignment checker
for greenhouse, update provider docs, and add formatInput tests.

Made-with: Cursor
@waleedlatif1
feat(webhooks): enrich Resend trigger outputs; clarify Notion output …
3e29341 
…docs

- Resend: expose broadcast_id, template_id, tags, and data_created_at from
  payload data (per Resend webhook docs); keep alignment with formatInput.
- Add resend entry to check-trigger-alignment and unit test for formatInput.
- Notion: tighten output descriptions for authors, entity types, parent types,
  attempt_number, and accessible_by per Notion webhooks event reference.

Made-with: Cursor
@waleedlatif1
feat(webhooks): enrich Zoom and Gong trigger output schemas
5148936 
- Zoom: add formatInput passthrough, fix nested TriggerOutput shape (drop invalid `properties` wrappers), document host_email, join_url, agenda, status, meeting_type on recordings, participant duration, and alignment checker entry.
- Gong: flatten topics/highlights from callData.content in formatInput, extend metaData and trigger outputs per API docs, tests and alignment keys updated.
- Docs: add English webhook trigger sections for Zoom and Gong tools pages.
@waleedlatif1
feat(triggers): enrich Salesforce and Linear webhook output schemas
0600c90 
Salesforce: expose simEventType alongside eventType; pass OwnerId and
SystemModstamp on record lifecycle inputs; add AccountId/OwnerId for
Opportunity and AccountId/ContactId/OwnerId for Case. Align trigger
output docs with Flow JSON payloads and formatInput.

Linear: document actor email and profile url per official webhook
payload; add Comment data.edited from Linear's sample payload.

Tests: extend Salesforce formatInput coverage for new fields.
@waleedlatif1
chore(webhooks): expand trigger alignment coverage
e0580f7 
Extend the trigger alignment checker to cover additional webhook providers so output contracts are verified across more of the recently added trigger surface.

Made-with: Cursor
@waleedlatif1 waleedlatif1 merged commit 64c6cd9 into staging Apr 7, 2026
6 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/greenhouse-audit-followups branch April 7, 2026 03:30
@waleedlatif1 waleedlatif1 mentioned this pull request Apr 7, 2026
Merged
emir-karabeg pushed a commit that referenced this pull request Apr 7, 2026
@waleedlatif1 @emir-karabeg
fix(webhooks): harden audited provider triggers (#3997)
45d159c 
* fix(triggers): apply webhook audit follow-ups

Align the Greenhouse webhook matcher with provider conventions and clarify the Notion webhook secret setup text after the audit review.

Made-with: Cursor

* fix(webhooks): Salesforce provider handler, Zoom CRC and block wiring

Add salesforce WebhookProviderHandler with required shared secret auth,
matchEvent filtering, formatInput aligned to trigger outputs, and
idempotency keys. Require webhook secret and document JSON-only Flow
setup; enforce objectType when configured.

Zoom: pass raw body into URL validation signature check, try all active
webhooks on a path for secret match, add extractIdempotencyId, tighten
event matching for specialized triggers. Wire Zoom triggers into the
Zoom block. Extend handleChallenge with optional rawBody.

Register Salesforce pending verification probes for pre-save URL checks.

* fix(webhooks): harden Resend and Linear triggers (idempotency, auth, outputs)

- Dedupe Resend deliveries via svix-id and Linear via Linear-Delivery in idempotency keys
- Require Resend signing secret; validate createSubscription id and signing_secret
- Single source for Resend event maps in triggers/utils; fail closed on unknown trigger IDs
- Add raw event data to Resend trigger outputs and formatInput
- Linear: remove body-based idempotency key; timestamp skew after HMAC verify; format url and actorType
- Tighten isLinearEventMatch for unknown triggers; clarify generic webhook copy; fix header examples
- Add focused tests for idempotency headers and Linear matchEvent

* fix(webhooks): harden Vercel and Greenhouse trigger handlers

Require Vercel signing secret and validate x-vercel-signature; add
matchEvent with dynamic import, delivery idempotency, strict
createSubscription trigger IDs, and formatInput aligned to string IDs.

Greenhouse: dynamic import in matchEvent, strict unknown trigger IDs,
Greenhouse-Event-ID idempotency header, body fallback keys, clearer
optional secret copy. Update generic trigger wording and add tests.

* fix(gong): JWT verification, trigger UX, alignment script

- Optional RS256 verification when Gong JWT public key is configured (webhook_url + body_sha256 per Gong docs); URL secrecy when unset.
- Document that Gong rules filter calls; payload has no event type; add eventType + callId outputs for discoverability.
- Refactor Gong triggers to buildTriggerSubBlocks + shared JWT field; setup copy matches security model.
- Add check-trigger-alignment.ts (Gong bundled; extend PROVIDER_CHECKS for others) and update add-trigger guidance paths.

Made-with: Cursor

* fix(notion): align webhook lifecycle and outputs

Handle Notion verification requests safely, expose the documented webhook fields in the trigger contract, and update setup guidance so runtime data and user-facing configuration stay aligned.

Made-with: Cursor

* fix(webhooks): tighten remaining provider hardening

Close the remaining pre-merge caveats by tightening Salesforce, Zoom, and Linear behavior, and follow through on the deferred provider and tooling cleanup for Vercel, Greenhouse, Gong, and Notion.

Made-with: Cursor

* refactor(webhooks): move subscription helpers out of providers

Move provider subscription helpers alongside the subscription lifecycle module and add targeted TSDoc so the file placement matches the responsibility boundaries in the webhook architecture.

Made-with: Cursor

* fix(zoom): resolve env-backed secrets during validation

Use the same env-aware secret resolution path for Zoom endpoint validation as regular delivery verification so URL validation works correctly when the secret token is stored via env references.

Made-with: Cursor

* fix build

* consolidate tests

* refactor(salesforce): share payload object type parsing

Remove dead code in the Salesforce provider and move shared object-type extraction into a single helper so trigger matching and input shaping stay in sync.

Made-with: Cursor

* fix(webhooks): address remaining review follow-ups

Loosen Linear's replay window to better tolerate delayed retries and make Notion event mismatches return false consistently with the rest of the hardened providers.

Made-with: Cursor

* test(webhooks): separate Zoom coverage and clean Notion output shape

Move Zoom provider coverage into its own test file and strip undeclared Notion type fields from normalized output objects so the runtime shape better matches the trigger contract.

Made-with: Cursor

* feat(triggers): enrich Vercel and Greenhouse webhook output shapes

Document and pass through Vercel links, regions, deployment.meta, and
domain.delegated; add top-level Greenhouse applicationId, candidateId,
and jobId aligned with webhook common attributes. Extend alignment checker
for greenhouse, update provider docs, and add formatInput tests.

Made-with: Cursor

* feat(webhooks): enrich Resend trigger outputs; clarify Notion output docs

- Resend: expose broadcast_id, template_id, tags, and data_created_at from
  payload data (per Resend webhook docs); keep alignment with formatInput.
- Add resend entry to check-trigger-alignment and unit test for formatInput.
- Notion: tighten output descriptions for authors, entity types, parent types,
  attempt_number, and accessible_by per Notion webhooks event reference.

Made-with: Cursor

* feat(webhooks): enrich Zoom and Gong trigger output schemas

- Zoom: add formatInput passthrough, fix nested TriggerOutput shape (drop invalid `properties` wrappers), document host_email, join_url, agenda, status, meeting_type on recordings, participant duration, and alignment checker entry.
- Gong: flatten topics/highlights from callData.content in formatInput, extend metaData and trigger outputs per API docs, tests and alignment keys updated.
- Docs: add English webhook trigger sections for Zoom and Gong tools pages.

* feat(triggers): enrich Salesforce and Linear webhook output schemas

Salesforce: expose simEventType alongside eventType; pass OwnerId and
SystemModstamp on record lifecycle inputs; add AccountId/OwnerId for
Opportunity and AccountId/ContactId/OwnerId for Case. Align trigger
output docs with Flow JSON payloads and formatInput.

Linear: document actor email and profile url per official webhook
payload; add Comment data.edited from Linear's sample payload.

Tests: extend Salesforce formatInput coverage for new fields.

* remove from mdx

* chore(webhooks): expand trigger alignment coverage

Extend the trigger alignment checker to cover additional webhook providers so output contracts are verified across more of the recently added trigger surface.

Made-with: Cursor

* updated skills

* updated file naming semantics

* rename file
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@waleedlatif1