backend/app/schemas/board_webhooks.py

"""Schemas for board webhook configuration and payload capture endpoints."""

from __future__ import annotations

from datetime import datetime
from typing import Annotated
from uuid import UUID

from pydantic import BeforeValidator
from sqlmodel import SQLModel

from app.schemas.common import NonEmptyStr

RUNTIME_ANNOTATION_TYPES = (datetime, UUID, NonEmptyStr)


def _normalize_secret(v: str | None) -> str | None:
    """Normalize blank/whitespace-only secrets to None."""
    if v is None:
        return None
    stripped = v.strip()
    return stripped or None


NormalizedSecret = Annotated[str | None, BeforeValidator(_normalize_secret)]


class BoardWebhookCreate(SQLModel):
    """Payload for creating a board webhook."""

    description: NonEmptyStr
    enabled: bool = True
    agent_id: UUID | None = None
    secret: NormalizedSecret = None
    signature_header: str | None = None


class BoardWebhookUpdate(SQLModel):
    """Payload for updating a board webhook."""

    description: NonEmptyStr | None = None
    enabled: bool | None = None
    agent_id: UUID | None = None
    secret: NormalizedSecret = None
    signature_header: str | None = None


class BoardWebhookRead(SQLModel):
    """Serialized board webhook configuration."""

    id: UUID
    board_id: UUID
    agent_id: UUID | None = None
    description: str
    enabled: bool
    has_secret: bool = False
    signature_header: str | None = None
    endpoint_path: str
    endpoint_url: str | None = None
    created_at: datetime
    updated_at: datetime


class BoardWebhookPayloadRead(SQLModel):
    """Serialized stored webhook payload."""

    id: UUID
    board_id: UUID
    webhook_id: UUID
    payload: dict[str, object] | list[object] | str | int | float | bool | None = None
    headers: dict[str, str] | None = None
    source_ip: str | None = None
    content_type: str | None = None
    received_at: datetime


class BoardWebhookIngestResponse(SQLModel):
    """Response payload for inbound webhook ingestion."""

    ok: bool = True
    board_id: UUID
    webhook_id: UUID
    payload_id: UUID
feat: add board webhook configuration and payload models 2026-02-13 00:31:32 +05:30			`"""Schemas for board webhook configuration and payload capture endpoints."""`

			`from __future__ import annotations`

			`from datetime import datetime`
fix: use Annotated+BeforeValidator for webhook secret normalization The previous field_validator approach passed `cls` as the first argument to `_normalize_secret`, which only accepted `v`, causing a TypeError at runtime. Switch to `Annotated[str \| None, BeforeValidator(...)]` which calls the function with just the value and also eliminates the repeated validator assignment in both schema classes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 22:31:58 -07:00			`from typing import Annotated`
feat: add board webhook configuration and payload models 2026-02-13 00:31:32 +05:30			`from uuid import UUID`

fix: use Annotated+BeforeValidator for webhook secret normalization The previous field_validator approach passed `cls` as the first argument to `_normalize_secret`, which only accepted `v`, causing a TypeError at runtime. Switch to `Annotated[str \| None, BeforeValidator(...)]` which calls the function with just the value and also eliminates the repeated validator assignment in both schema classes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 22:31:58 -07:00			`from pydantic import BeforeValidator`
feat: add board webhook configuration and payload models 2026-02-13 00:31:32 +05:30			`from sqlmodel import SQLModel`

			`from app.schemas.common import NonEmptyStr`

			`RUNTIME_ANNOTATION_TYPES = (datetime, UUID, NonEmptyStr)`


fix: normalize webhook secret via schema validator instead of inline Move blank/whitespace-only secret normalization to a shared field_validator on both BoardWebhookCreate and BoardWebhookUpdate. This ensures consistent behavior across create and update paths and removes the inline normalization from the endpoint handlers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 22:25:37 -07:00			`def _normalize_secret(v: str \| None) -> str \| None:`
			`"""Normalize blank/whitespace-only secrets to None."""`
			`if v is None:`
			`return None`
			`stripped = v.strip()`
			`return stripped or None`


fix: use Annotated+BeforeValidator for webhook secret normalization The previous field_validator approach passed `cls` as the first argument to `_normalize_secret`, which only accepted `v`, causing a TypeError at runtime. Switch to `Annotated[str \| None, BeforeValidator(...)]` which calls the function with just the value and also eliminates the repeated validator assignment in both schema classes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 22:31:58 -07:00			`NormalizedSecret = Annotated[str \| None, BeforeValidator(_normalize_secret)]`


feat: add board webhook configuration and payload models 2026-02-13 00:31:32 +05:30			`class BoardWebhookCreate(SQLModel):`
			`"""Payload for creating a board webhook."""`

			`description: NonEmptyStr`
			`enabled: bool = True`
refactor: add agent_id to various interfaces and improve field organization 2026-02-15 13:36:57 +05:30			`agent_id: UUID \| None = None`
fix: use Annotated+BeforeValidator for webhook secret normalization The previous field_validator approach passed `cls` as the first argument to `_normalize_secret`, which only accepted `v`, causing a TypeError at runtime. Switch to `Annotated[str \| None, BeforeValidator(...)]` which calls the function with just the value and also eliminates the repeated validator assignment in both schema classes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 22:31:58 -07:00			`secret: NormalizedSecret = None`
feat: add configurable signature_header for webhook HMAC verification Not all webhook providers use X-Hub-Signature-256 or X-Webhook-Signature. Add an optional signature_header field so users can specify which header carries the HMAC signature. When set, that exact header is checked; when unset, the existing auto-detect fallback is preserved. The custom header is also excluded from stored/exposed payload headers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-04 01:35:25 -07:00			`signature_header: str \| None = None`
fix: normalize webhook secret via schema validator instead of inline Move blank/whitespace-only secret normalization to a shared field_validator on both BoardWebhookCreate and BoardWebhookUpdate. This ensures consistent behavior across create and update paths and removes the inline normalization from the endpoint handlers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 22:25:37 -07:00
feat: add board webhook configuration and payload models 2026-02-13 00:31:32 +05:30
			`class BoardWebhookUpdate(SQLModel):`
			`"""Payload for updating a board webhook."""`

			`description: NonEmptyStr \| None = None`
			`enabled: bool \| None = None`
refactor: add agent_id to various interfaces and improve field organization 2026-02-15 13:36:57 +05:30			`agent_id: UUID \| None = None`
fix: use Annotated+BeforeValidator for webhook secret normalization The previous field_validator approach passed `cls` as the first argument to `_normalize_secret`, which only accepted `v`, causing a TypeError at runtime. Switch to `Annotated[str \| None, BeforeValidator(...)]` which calls the function with just the value and also eliminates the repeated validator assignment in both schema classes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 22:31:58 -07:00			`secret: NormalizedSecret = None`
feat: add configurable signature_header for webhook HMAC verification Not all webhook providers use X-Hub-Signature-256 or X-Webhook-Signature. Add an optional signature_header field so users can specify which header carries the HMAC signature. When set, that exact header is checked; when unset, the existing auto-detect fallback is preserved. The custom header is also excluded from stored/exposed payload headers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-04 01:35:25 -07:00			`signature_header: str \| None = None`
fix: normalize webhook secret via schema validator instead of inline Move blank/whitespace-only secret normalization to a shared field_validator on both BoardWebhookCreate and BoardWebhookUpdate. This ensures consistent behavior across create and update paths and removes the inline normalization from the endpoint handlers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 22:25:37 -07:00
feat: add board webhook configuration and payload models 2026-02-13 00:31:32 +05:30
			`class BoardWebhookRead(SQLModel):`
			`"""Serialized board webhook configuration."""`

			`id: UUID`
			`board_id: UUID`
refactor: add agent_id to various interfaces and improve field organization 2026-02-15 13:36:57 +05:30			`agent_id: UUID \| None = None`
feat: add board webhook configuration and payload models 2026-02-13 00:31:32 +05:30			`description: str`
			`enabled: bool`
security: add HMAC signature verification to webhook ingest Webhook ingest endpoint was completely unauthenticated. Add an optional `secret` field to BoardWebhook. When configured, inbound requests must include a valid HMAC-SHA256 signature in X-Hub-Signature-256 or X-Webhook-Signature headers. Uses hmac.compare_digest for timing safety. Includes migration to add the secret column. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-03 13:33:28 -07:00			`has_secret: bool = False`
feat: add configurable signature_header for webhook HMAC verification Not all webhook providers use X-Hub-Signature-256 or X-Webhook-Signature. Add an optional signature_header field so users can specify which header carries the HMAC signature. When set, that exact header is checked; when unset, the existing auto-detect fallback is preserved. The custom header is also excluded from stored/exposed payload headers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-04 01:35:25 -07:00			`signature_header: str \| None = None`
feat: add board webhook configuration and payload models 2026-02-13 00:31:32 +05:30			`endpoint_path: str`
			`endpoint_url: str \| None = None`
			`created_at: datetime`
			`updated_at: datetime`


			`class BoardWebhookPayloadRead(SQLModel):`
			`"""Serialized stored webhook payload."""`

			`id: UUID`
			`board_id: UUID`
			`webhook_id: UUID`
			`payload: dict[str, object] \| list[object] \| str \| int \| float \| bool \| None = None`
			`headers: dict[str, str] \| None = None`
			`source_ip: str \| None = None`
			`content_type: str \| None = None`
			`received_at: datetime`


			`class BoardWebhookIngestResponse(SQLModel):`
			`"""Response payload for inbound webhook ingestion."""`

			`ok: bool = True`
			`board_id: UUID`
			`webhook_id: UUID`
			`payload_id: UUID`