The webhook delivery engine, event taxonomy, and gRPC services exist in the 1.1.x backend but lack E2E coverage. Tracked under coverage policy #66.
Sub-tasks (1.1.x scope)
7.1 Webhook delivery retry engine (exponential backoff 30s -> 2m -> 15m -> 1h -> 4h)
7.2 Dead-letter queue handling for exhausted attempts
7.3 Max-attempts exhaustion scenario
7.4 Async retry job triggering (process_webhook_retries)
7.5 HMAC signature generation and X-Webhook-Signature header injection
7.6 Webhook secret rotation/revocation
7.7 Custom header injection
7.8 SSRF prevention on webhook URLs (private IPs, metadata servers, loopback)
7.9 URL re-validation at delivery time (DNS rebinding prevention)
7.10 Repository-scoped webhook filtering
7.11 Multi-event filtering (currently only artifact.uploaded tested)
7.12 Webhook test/dry-run endpoint (POST /{id}/test)
7.13 Webhook enable/disable toggle (POST /{id}/enable, /{id}/disable)
7.14 Event delivery list filtering by status
7.15 SSE event stream consumption from a client (with backpressure / lagged-event handling)
7.16 Cross-handler event propagation (artifact.created -> webhook delivery -> SSE broadcast)
7.17 gRPC SbomService (port 9090): GenerateSbom, GetSbom, ListSbomsForArtifact, ConvertSbom, DeleteSbom, RegenerateSbom, CheckLicenseCompliance
7.18 gRPC CveHistoryService: GetCveHistory, UpdateCveStatus, GetCveTrends, TriggerRetroactiveScan
7.19 gRPC SecurityPolicyService: license policy CRUD
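
A sketch of the behaviour an E2E test for 7.8 and 7.9 would assert, added here as an illustration and not taken from the backend's own code: the same address check runs at registration and again at delivery, so a hostname that re-resolves to a metadata address is refused. The function names, the injected resolver, the hostname and the sample addresses are all assumptions constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

def is_forbidden_ip(addr):
    """True for loopback, private, link-local (cloud metadata) and similar ranges."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot bypass the IPv4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_url(url, resolve):
    """Validate a webhook URL; return the vetted addresses or raise ValueError.
    The caller should connect to a returned address, not resolve the name again."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    addrs = resolve(parts.hostname)
    if not addrs:
        raise ValueError("host does not resolve")
    for a in addrs:
        if is_forbidden_ip(a):
            raise ValueError("forbidden target " + a)
    return addrs

class RebindingResolver:
    """Constructed stand-in for DNS: hands out a different answer per lookup."""
    def __init__(self, answers):
        self.answers = list(answers)
    def __call__(self, host):
        return self.answers.pop(0) if len(self.answers) > 1 else self.answers[0]

def rebinding_demo():
    # First lookup: public address. Second lookup: metadata address.
    resolve = RebindingResolver([["8.8.8.8"], ["169.254.169.254"]])
    url = "https://hooks.example.test/notify"  # hypothetical webhook URL
    registered = check_url(url, resolve)       # passes at registration (7.8)
    try:
        check_url(url, resolve)                # re-validation at delivery (7.9)
        delivered = True
    except ValueError:
        delivered = False
    return registered, delivered

if __name__ == "__main__":
    print(rebinding_demo())
```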