| 1 | -- SPDX-License-Identifier: AGPL-3.0-or-later |
| 2 | -- |
| 3 | -- S33 — Webhooks. Two tables: |
| 4 | -- |
| 5 | -- * webhooks — operator-configured subscriptions. Owner is a |
| 6 | -- repo OR an org (org-owned repos can carry |
| 7 | -- their own org-level webhooks too, fanned out |
| 8 | -- on every repo event in the org). |
| 9 | -- * webhook_deliveries — one row per delivery attempt. Pending / |
| 10 | -- retry rows are picked up by the deliver |
| 11 | -- worker. Successful and terminally-failed rows |
| 12 | -- are kept for the redelivery UI; the purge |
| 13 | -- cron prunes them after retention. |
| 14 | -- |
| 15 | -- Secrets at rest: |
| 16 | -- - `secret_ciphertext` + `secret_nonce` are wrapped with |
| 17 | -- `internal/auth/secretbox` (chacha20poly1305 AEAD; 32-byte key |
| 18 | -- from config). The key is the same TOTP key for now — see |
| 19 | -- `webhooks.md` for rotation procedure. |
| 20 | -- |
| 21 | -- Auto-disable: |
| 22 | -- - `consecutive_failures` increments on terminal failure, resets on |
| 23 | -- success. When it crosses `auto_disable_threshold` the deliverer |
| 24 | -- sets `disabled_at` + `disabled_reason` and surfaces a warning to |
| 25 | -- repo/org admins. |
| 26 | |
| 27 | -- +goose Up |
| 28 | |
| 29 | CREATE TYPE webhook_owner_kind AS ENUM ('repo', 'org'); |
| 30 | CREATE TYPE webhook_content_type AS ENUM ('json', 'form'); |
| 31 | CREATE TYPE webhook_delivery_status AS ENUM ( |
| 32 | 'pending', 'succeeded', 'failed_retry', 'failed_permanent' |
| 33 | ); |
| 34 | |
| 35 | CREATE TABLE webhooks ( |
| 36 | id bigserial PRIMARY KEY, |
| 37 | owner_kind webhook_owner_kind NOT NULL, |
| 38 | owner_id bigint NOT NULL, |
| 39 | url text NOT NULL, |
| 40 | content_type webhook_content_type NOT NULL DEFAULT 'json', |
| 41 | -- Subscribed event kinds. Empty set means "all"; explicit subset |
| 42 | -- restricts the fan-out match. Rows that change shape (e.g. push |
| 43 | -- with no commits) still fire — filter expressions are post-MVP. |
| 44 | events text[] NOT NULL DEFAULT ARRAY[]::text[], |
| 45 | secret_ciphertext bytea NOT NULL, |
| 46 | secret_nonce bytea NOT NULL, |
| 47 | active boolean NOT NULL DEFAULT true, |
| 48 | -- Per-webhook SSL verification override. Default keeps verification |
| 49 | -- on; self-hosters with internal CAs can flip it (UI surfaces a |
| 50 | -- loud warning). Enforcement ships with the deliverer; the column |
| 51 | -- is wired up day-1 so config doesn't churn later. |
| 52 | ssl_verification boolean NOT NULL DEFAULT true, |
| 53 | consecutive_failures int NOT NULL DEFAULT 0, |
| 54 | auto_disable_threshold int NOT NULL DEFAULT 50, |
| 55 | disabled_at timestamptz, |
| 56 | disabled_reason text, |
| 57 | last_success_at timestamptz, |
| 58 | last_failure_at timestamptz, |
| 59 | created_by_user_id bigint REFERENCES users(id) ON DELETE SET NULL, |
| 60 | created_at timestamptz NOT NULL DEFAULT now(), |
| 61 | updated_at timestamptz NOT NULL DEFAULT now(), |
| 62 | |
| 63 | CONSTRAINT webhooks_url_length CHECK (char_length(url) BETWEEN 1 AND 2048), |
| 64 | CONSTRAINT webhooks_threshold_positive CHECK (auto_disable_threshold > 0) |
| 65 | ); |
| 66 | |
| 67 | CREATE INDEX webhooks_owner_idx ON webhooks (owner_kind, owner_id); |
| 68 | CREATE INDEX webhooks_active_idx ON webhooks (owner_kind, owner_id) WHERE active = true AND disabled_at IS NULL; |
| 69 | |
| 70 | CREATE TRIGGER set_updated_at BEFORE UPDATE ON webhooks |
| 71 | FOR EACH ROW EXECUTE FUNCTION tg_set_updated_at(); |
| 72 | |
| 73 | CREATE TABLE webhook_deliveries ( |
| 74 | id bigserial PRIMARY KEY, |
| 75 | webhook_id bigint NOT NULL REFERENCES webhooks(id) ON DELETE CASCADE, |
| 76 | -- event_kind mirrors `domain_events.kind`. event_id points at the |
| 77 | -- triggering domain_events row; NULL for synthetic deliveries |
| 78 | -- (ping, redelivery from a manual UI click). |
| 79 | event_kind text NOT NULL, |
| 80 | event_id bigint, |
| 81 | delivery_uuid uuid NOT NULL DEFAULT gen_random_uuid(), |
| 82 | payload jsonb NOT NULL, |
| 83 | request_headers jsonb NOT NULL DEFAULT '{}'::jsonb, |
| 84 | request_body bytea NOT NULL DEFAULT ''::bytea, |
| 85 | response_status int, |
| 86 | response_headers jsonb, |
| 87 | response_body bytea, |
| 88 | response_truncated boolean NOT NULL DEFAULT false, |
| 89 | started_at timestamptz NOT NULL DEFAULT now(), |
| 90 | completed_at timestamptz, |
| 91 | attempt int NOT NULL DEFAULT 1, |
| 92 | max_attempts int NOT NULL DEFAULT 8, |
| 93 | next_retry_at timestamptz, |
| 94 | status webhook_delivery_status NOT NULL DEFAULT 'pending', |
| 95 | -- idempotency_key is sha256(payload + webhook_id + event_id); |
| 96 | -- subscribers can dedupe across retries with it. |
| 97 | idempotency_key text NOT NULL, |
| 98 | error_summary text, |
| 99 | -- Set when the delivery was created via UI redelivery; points at |
| 100 | -- the original delivery for audit. Nullable for first attempts. |
| 101 | redeliver_of bigint REFERENCES webhook_deliveries(id) ON DELETE SET NULL, |
| 102 | |
| 103 | CONSTRAINT webhook_deliveries_event_kind_length CHECK (char_length(event_kind) BETWEEN 1 AND 64), |
| 104 | CONSTRAINT webhook_deliveries_attempt_positive CHECK (attempt >= 1), |
| 105 | CONSTRAINT webhook_deliveries_max_attempts_positive CHECK (max_attempts >= 1) |
| 106 | ); |
| 107 | |
| 108 | -- Deliver-loop hot path: pending or retry-ready, due now. |
| 109 | CREATE INDEX webhook_deliveries_pending_due_idx |
| 110 | ON webhook_deliveries (next_retry_at) |
| 111 | WHERE status IN ('pending', 'failed_retry'); |
| 112 | |
| 113 | -- Per-webhook delivery list (settings UI). |
| 114 | CREATE INDEX webhook_deliveries_webhook_started_idx |
| 115 | ON webhook_deliveries (webhook_id, started_at DESC); |
| 116 | |
| 117 | -- +goose Down |
| 118 | DROP TABLE IF EXISTS webhook_deliveries; |
| 119 | DROP TABLE IF EXISTS webhooks; |
| 120 | DROP TYPE IF EXISTS webhook_delivery_status; |
| 121 | DROP TYPE IF EXISTS webhook_content_type; |
| 122 | DROP TYPE IF EXISTS webhook_owner_kind; |
| 123 |