feat: inbound webhook receivers (#155)#268
Merged
Merged
Conversation
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #155
What
External systems (CI/CD pipelines, uptime monitors, arbitrary tools) can now push events into LogTide through per-receiver tokenized webhook endpoints. Payloads are normalized into standard log entries by adapters and flow through the regular ingestion pipeline, so PII masking (fail-closed), usage quotas, Sigma detection, log pipelines, metering and live tail all apply automatically.
How it works
POST /api/v1/receivers/:receiverId/:token. The URL is the credential (lr_-prefixed token, SHA-256 hash stored, timing-safe compare) because GitHub and Uptime Robot cannot send custom headers. Responds202and processes asynchronously via a newreceiver-eventsqueue job (queue abstraction, works on both BullMQ and graphile-worker). Payloads capped at 256 KB.github: workflow_run (completed) and deployment_status events, conclusion-to-level mapping; ping and unsupported events are marked skipped, not faileduptime: shape-detects Uptime Robot (alertType 1/2/3) and Better Stack incident payloadsgeneric: any JSON object, with optional dot-path field mapping (message/level/service/timestamp, levelMap, defaults) validated by a shared Zod schema; full payload always preserved in metadatareceiver_eventsrow (raw payload, normalized output, processed/skipped/failed status, error), pruned to the newest 100 per receiver./api/v1/projects/:projectId/receivers(session auth, same pattern as api-keys), audit-logged asreceiver.created/receiver.deleted. Newreceivers.maxcapability limit enforced with the canonical withLimitLock pattern (unlimited by default for OSS).docs/receivers.md(endpoint contract, adapter reference, field-mapping reference).Database
Migration
052_receivers.sql:receiversandreceiver_eventstables. Both registered in the tenant-table manifest and scoping tripwire.Tests
check:tenant-scopingOKOut of scope (follow-ups)
GitHub HMAC signature verification (X-Hub-Signature-256), per-receiver rate limiting, token rotation, more adapters (GitLab, Sentry, PagerDuty).