Module webhooks


Webhook delivery engine — the SINGLE deliverer of generic events to external systems, superseding the old single-URL alert notifier.

Each enabled WebhookSubscription is an independent at-least-once deliverer: it keeps its own persisted cursor_at (an events.created_at, mirroring the old notifier cursor), an event-type + severity filter, and an optional HMAC-SHA256 secret. Every tick we load the enabled subscriptions and, for each, deliver the events newer than its cursor that pass the filter — POSTing the JSON envelope with X-Heldar-Event / X-Heldar-Delivery / X-Heldar-Timestamp headers and, when a secret is set, X-Heldar-Signature: sha256=<hex HMAC-SHA256(secret, raw_body)>. Each attempt is recorded in webhook_deliveries; a retryable failure keeps the cursor (retried next cycle) until the per-event attempts in that ledger reach [MAX_ATTEMPTS], after which the event is given up on and the cursor advances so one bad endpoint cannot wedge the queue forever.

run() NEVER returns: with no enabled subscriptions it idles the cycle. The supervisor in main therefore spawns it unconditionally and never tight-loops respawning it.

Structs§

SendResult
Outcome of a single signed POST: success flag, HTTP status (if a response came back), and an error string for the delivery ledger.

Functions§

event_body
The JSON envelope POSTed for an event (the body that is HMAC-signed verbatim).
matches_event_type
Whether event_type is selected by a subscription’s filter. ["*"] matches everything; otherwise it is exact membership.
record_delivery
Insert one row into the webhook_deliveries ledger. Best-effort: a failure is logged, not fatal.
run
send_event
POST a signed webhook body. The body is serialized ONCE and both signed and sent verbatim so the X-Heldar-Signature always covers the exact bytes the receiver gets. Used by the delivery loop and by the synthetic /test route.
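
Receiver-side check of the X-Heldar-Signature header described above, as an added example (not code from this crate), showing why the HMAC must be computed over the raw bytes received rather than over re-serialized JSON. The secret, the envelope fields in the sample body, and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

SIG_PREFIX = "sha256="

def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value as documented: sha256=<hex HMAC-SHA256(secret, raw_body)>."""
    return SIG_PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """Check X-Heldar-Signature against the exact bytes read from the socket."""
    if not header or not header.startswith(SIG_PREFIX):
        return False  # missing or malformed: reject when a secret is configured
    try:
        received = bytes.fromhex(header[len(SIG_PREFIX):])
    except ValueError:
        return False  # non-hex digest
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison; also returns False on length mismatch.
    return hmac.compare_digest(expected, received)

def handle(secret: bytes, raw_body: bytes, headers: dict):
    """Return the parsed event, or None if authentication fails.

    The documented signature covers only the body, so X-Heldar-Timestamp
    is not authenticated by it. Header lookup here assumes exact-case keys.
    """
    if not verify(secret, raw_body, headers.get("X-Heldar-Signature")):
        return None
    return json.loads(raw_body)  # parse only after the bytes are authenticated

# Constructed sample data (hypothetical secret and envelope fields).
SECRET = b"example-shared-secret"
BODY = b'{"type":"alert.fired", "severity":"high"}'
# Same JSON value, different bytes: what a framework hands back after
# parsing and re-encoding the request body.
REENCODED = json.dumps(json.loads(BODY)).encode()

if __name__ == "__main__":
    sig = sign(SECRET, BODY)
    print("raw body verifies:       ", verify(SECRET, BODY, sig))
    print("re-encoded body verifies:", verify(SECRET, REENCODED, sig))
```

Because delivery is at-least-once, a receiver should also expect the same event to arrive more than once and process it idempotently.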