Skip to content

feat: add secure webhook delivery transport#92

Merged
jmcte merged 1 commit into
codex/issue-58-conformance-fixturefrom
codex/issue-55-secure-webhook-delivery
Jul 16, 2026
Merged

feat: add secure webhook delivery transport#92
jmcte merged 1 commit into
codex/issue-58-conformance-fixturefrom
codex/issue-55-secure-webhook-delivery

Conversation

@jmcte

@jmcte jmcte commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Require the fixed executor-owned BOOTSTRAP_NOTIFICATION_WEBHOOK_ALLOWED_HOSTS exact-host allowlist before webhook delivery.
  • Reject URL credentials, non-443 destinations, and literal or DNS-resolved loopback, link-local, private, multicast, documentation, and reserved addresses.
  • Pin each validated public address into a dedicated HTTPS connection with shared-agent reuse disabled, preventing DNS rebinding and pooled-socket bypass.
  • Bound DNS resolution and sequential address failover under one 10-second deadline, and fail closed on response-stream or transport errors.

Governing Issue

Closes #55

Validation

  • Relevant local checks passed
  • Agent-authored changes passed autoreview against the intended PR diff with no accepted/actionable findings
  • Autoreview command and result: /Users/johnteneyckjr./.codex/skills/autoreview/scripts/autoreview --mode branch --base origin/codex/issue-58-conformance-fixture — final rerun clean, no accepted/actionable findings; patch correct (0.88)
  • Required PR checks are expected to satisfy CI Gate
  • Skipped checks are explained below

Local checks on commit b2fb7ef:

  • npm run check — 20 test files, 118 tests passed
  • npm run build — passed
  • npm test -- --run tests/notifications.test.ts — 19 tests passed after the shared-agent fix
  • git diff --check origin/codex/issue-58-conformance-fixture...HEAD — passed
  • PR governance accounting — 258 counted production lines, below the 800-line threshold
  • No local checks were skipped.

Bootstrap Governance

  • Changes are scoped to the linked issue
  • Contributor or PR guidance changes are reflected in CONTRIBUTING.md, .github/PULL_REQUEST_TEMPLATE.md, and docs/bootstrap/onboarding.md when applicable
  • PR author enabled auto-merge where GitHub allows it, or GitHub plan-limit evidence/unavailable reason is recorded and the fallback merge-readiness policy applies
  • No real secrets, runtime auth, or machine-local env files are committed

Material change: no
ADR: not required

Merge Automation

  • PR author enabled auto-merge with gh pr merge --auto --squash, or the reason it is unavailable/unsafe is noted below

Squash auto-merge will be enabled after PR creation; merge remains ordered behind #89.

Notes

  • This PR is stacked on test: restore conformance warning fixture #89 so its review surface is only the secure webhook transport.
  • Athena confirmed the original SSRF blocker was addressed on the combined implementation; this split preserves that reviewed behavior.
  • Final autoreview additionally found and fixed shared global-agent socket reuse by setting agent: false on each pinned webhook request.

Require an executor-owned exact-host allowlist, reject non-public literal and DNS-resolved destinations, and pin validated addresses during HTTPS delivery. Bound resolution and address failover under one deadline and fail closed on transport errors.

Signed-off-by: Your Name <you@example.com>
@jmcte jmcte requested a review from athena-omt July 16, 2026 18:20
@jmcte jmcte merged commit 77a486e into codex/issue-58-conformance-fixture Jul 16, 2026
8 checks passed
@jmcte jmcte deleted the codex/issue-55-secure-webhook-delivery branch July 16, 2026 18:20
jmcte pushed a commit that referenced this pull request Jul 16, 2026
This reverts commit 77a486e.

Signed-off-by: Your Name <you@example.com>
jmcte added a commit that referenced this pull request Jul 16, 2026
* test: restore conformance warning fixture

Keep the canonical conformance fixture aligned with ownership-sidecar enforcement while preserving distinct warning exit semantics. Refs #58.

Signed-off-by: Your Name <you@example.com>

* feat: resolve publisher and class deviations (#90)

Add publisher-neutral spending thresholds and require valid scoped exceptions when a repository cannot yet declare a canonical class. Closes #56.

Signed-off-by: Your Name <you@example.com>
Co-authored-by: Your Name <you@example.com>

* feat: deliver governed material notifications (#91)

Add plan-first GitHub and webhook delivery, verified maintainer approvals for hard stops, and expiring-exception notification execution. Closes #55.

Signed-off-by: Your Name <you@example.com>
Co-authored-by: Your Name <you@example.com>

* fix: restrict notification webhook destinations

Require an executor-owned exact-host allowlist, reject non-public literal and DNS-resolved addresses, and pin validated addresses with bounded failover under one delivery deadline. Addresses the security review on #89.

Signed-off-by: Your Name <you@example.com>

* refactor: split secure webhook transport

Keep notification planning, governing-record delivery, and hard-stop verification in this review lane while failing the configured webhook destination closed. The secure network transport moves to a smaller stacked follow-up so both pull requests satisfy the review-size policy.

Signed-off-by: Your Name <you@example.com>

* feat: add secure webhook delivery transport (#92)

Require an executor-owned exact-host allowlist, reject non-public literal and DNS-resolved destinations, and pin validated addresses during HTTPS delivery. Bound resolution and address failover under one deadline and fail closed on transport errors.

Signed-off-by: Your Name <you@example.com>
Co-authored-by: Your Name <you@example.com>

* Revert "feat: add secure webhook delivery transport (#92)"

This reverts commit 77a486e.

Signed-off-by: Your Name <you@example.com>

* fix: clarify disabled webhook delivery in CLI help

Signed-off-by: daedalus-omt <268206840+daedalus-omt@users.noreply.github.com>

---------

Signed-off-by: Your Name <you@example.com>
Signed-off-by: daedalus-omt <268206840+daedalus-omt@users.noreply.github.com>
Co-authored-by: Your Name <you@example.com>
Co-authored-by: daedalus-omt <268206840+daedalus-omt@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant