test(webhooks): cover relay client and harden splitCommaList empty handling

- splitCommaList now returns undefined for empty/whitespace-only values so
  callers treat them as "not provided" rather than sending an empty array
- list now prints the iterator hint when paginating
- add relay-client tests plus list/replay/update/verify coverage
- README: clarify keepalive probe timing and JSON-mode type discriminator

Claude-Session: https://claude.ai/code/session_01Mwcxk4pmfNYtmvjwWs9jUE

Author: rafa-thayto

packages/cli-core/src/commands/webhooks/README.md

@@ -247,10 +247,10 @@ clerk webhooks listen [--forward-to <url>] [--events <list>] [--skip-verify] [--
 Behavior notes:
 
 - **Relay token**: `c_` + 10 random base62 chars — the same token goes in the start frame, the inbox URL, and the per-instance CLI config (`relay.<instanceId>.token`). Live-relay verified: `play.svix.com` rejects unprefixed tokens, and the relay only registers an inbox when the start frame carries the `c_` token. Close code 1008 = token collision → new token generated, persisted, redialed, and the endpoint URL re-pointed.
-- **Keepalive**: the relay server pings ~every 21s, but Bun's client WebSocket auto-pongs below the JS API (no ping events). After 30s of silence the client sends an active `ws.ping()` probe — writes to a dead link surface as close/error, which redials with the same token. Reconnects never change the relay URL.
+- **Keepalive**: the relay server pings ~every 21s, but Bun's client WebSocket auto-pongs below the JS API (no ping events). A probe timer fires every `RELAY_SILENCE_TIMEOUT_MS / 2` (~15s) and, once at least `RELAY_SILENCE_TIMEOUT_MS` (30s) has elapsed with no inbound message, sends an active `ws.ping()` (so a probe lands 30–45s into a silence, depending on timer phase) — writes to a dead link surface as close/error, which redials with the same token. Reconnects never change the relay URL.
 - **Per-delivery output**: human mode prints `time --> event_type msg_…` then `<-- status method path ms` via `log.ui` (bypasses the stderr throttle). Diagnostics: 401 → `clerkMiddleware` public-route hint; 400 → raw-body/`verifyWebhook()` order hint; 5xx → response body inline plus the exact `clerk webhooks replay <msg_id>` line; unreachable handler → synthetic **502** framed back to the relay.
 - **Verification**: deliveries failing HMAC are warned about and still forwarded (the mismatch means the relay secret diverged, not that the local handler should silently miss events).
-- **Agent/`--json` mode**: NDJSON on stdout — one `ready` line (`relay_url`, `signing_secret`, `endpoint_id`, `events_filter`), then one `event` line per delivery (`svix_id`, `event_type`, `headers`, `body_b64`, `forward_status`, `latency_ms`). An event line saved to a file is directly consumable by `verify --delivery @file`.
+- **Agent/`--json` mode**: NDJSON on stdout. Every line carries a `type` discriminator: one `{ "type": "ready", ... }` line (`relay_url`, `signing_secret`, `endpoint_id`, `events_filter`), then one `{ "type": "event", ... }` line per delivery (`svix_id`, `event_type`, `headers`, `body_b64`, `forward_status`, `latency_ms`). An event line saved to a file is directly consumable by `verify --delivery @file`.
 - **SIGINT**: `listen` replaces the global cleanup-free handler before opening the socket: close socket, drain in-flight forwards, exit 130. The relay endpoint is **never** deleted on exit — its URL and `whsec_` stay stable across restarts. `listen` never exits 0.
 
 ### API endpoints

packages/cli-core/src/commands/webhooks/list.test.ts

@@ -130,6 +130,15 @@ describe("webhooks list", () => {
     expect(captured.err).toContain("--iterator iter_next");
   });
 
+  test("still hints at the next --iterator on an empty page with has_next_page", async () => {
+    mockListWebhookEndpoints.mockResolvedValue(listResponse({ data: [], has_next_page: true }));
+
+    await webhooksList();
+
+    expect(captured.err).toContain("No webhook endpoints found.");
+    expect(captured.err).toContain("--iterator iter_next");
+  });
+
   test("omits the pagination hint on the last page", async () => {
     await webhooksList();
 

packages/cli-core/src/commands/webhooks/list.ts

@@ -59,6 +59,7 @@ export async function webhooksList(options: WebhooksListOptions = {}): Promise<v
 
   if (response.data.length === 0) {
     log.warn("No webhook endpoints found.");
+    printIteratorHint(response.cursor);
     return;
   }
 

packages/cli-core/src/commands/webhooks/relay-client.test.ts

@@ -0,0 +1,257 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { useCaptureLog } from "../../test/lib/stubs.ts";
+import { RelayClient } from "./relay-client.ts";
+import {
+  RELAY_CLOSE_TOKEN_COLLISION,
+  RELAY_RECONNECT_DELAY_MS,
+  RELAY_SILENCE_TIMEOUT_MS,
+  encodeStartFrame,
+} from "./relay-protocol.ts";
+
+/**
+ * Stand-in for Bun's client WebSocket. Records what the client sends/pings,
+ * and exposes manual `open()`/`message()`/`fireClose()` triggers so tests drive
+ * the connection lifecycle without a real socket.
+ */
+class FakeWebSocket {
+  static OPEN = 1;
+  static instances: FakeWebSocket[] = [];
+
+  readyState = FakeWebSocket.OPEN;
+  onopen: (() => void) | null = null;
+  onmessage: ((event: { data: string }) => void) | null = null;
+  onerror: (() => void) | null = null;
+  onclose: ((event: { code: number }) => void) | null = null;
+  sent: string[] = [];
+  pingCount = 0;
+  closedWith: number | undefined;
+  pingThrows = false;
+
+  constructor(readonly url: string) {
+    FakeWebSocket.instances.push(this);
+  }
+
+  send(frame: string): void {
+    this.sent.push(frame);
+  }
+
+  ping(): void {
+    if (this.pingThrows) throw new Error("dead link");
+    this.pingCount++;
+  }
+
+  close(code?: number): void {
+    this.closedWith = code;
+  }
+
+  open(): void {
+    this.onopen?.();
+  }
+
+  message(data: string): void {
+    this.onmessage?.({ data });
+  }
+
+  fireClose(code: number): void {
+    this.onclose?.({ code });
+  }
+}
+
+const flush = () => new Promise<void>((resolve) => setImmediate(resolve));
+
+/** Fetch a constructed socket, asserting it exists (satisfies noUncheckedIndexedAccess). */
+function wsAt(index: number): FakeWebSocket {
+  const ws = FakeWebSocket.instances[index];
+  if (!ws) throw new Error(`expected a relay socket at index ${index}`);
+  return ws;
+}
+
+// Captured timer callbacks so tests can invoke them on demand instead of waiting.
+let intervalCallback: (() => void) | undefined;
+let intervalDelay: number | undefined;
+let timeoutCallback: (() => void) | undefined;
+let timeoutDelay: number | undefined;
+let now = 0;
+
+const realWebSocket = globalThis.WebSocket;
+const realSetInterval = globalThis.setInterval;
+const realClearInterval = globalThis.clearInterval;
+const realSetTimeout = globalThis.setTimeout;
+const realNow = Date.now;
+
+describe("RelayClient", () => {
+  useCaptureLog();
+
+  beforeEach(() => {
+    FakeWebSocket.instances = [];
+    intervalCallback = undefined;
+    intervalDelay = undefined;
+    timeoutCallback = undefined;
+    timeoutDelay = undefined;
+    now = 1_000_000;
+
+    (globalThis as unknown as { WebSocket: unknown }).WebSocket = FakeWebSocket;
+    Date.now = () => now;
+    globalThis.setInterval = ((fn: () => void, delay?: number) => {
+      intervalCallback = fn;
+      intervalDelay = delay;
+      return 1 as unknown as ReturnType<typeof setInterval>;
+    }) as typeof setInterval;
+    globalThis.clearInterval = (() => {}) as typeof clearInterval;
+    globalThis.setTimeout = ((fn: () => void, delay?: number) => {
+      timeoutCallback = fn;
+      timeoutDelay = delay;
+      return 2 as unknown as ReturnType<typeof setTimeout>;
+    }) as unknown as typeof setTimeout;
+  });
+
+  afterEach(() => {
+    (globalThis as unknown as { WebSocket: unknown }).WebSocket = realWebSocket;
+    globalThis.setInterval = realSetInterval;
+    globalThis.clearInterval = realClearInterval;
+    globalThis.setTimeout = realSetTimeout;
+    Date.now = realNow;
+  });
+
+  function makeClient(overrides: Partial<ConstructorParameters<typeof RelayClient>[0]> = {}) {
+    const events: Array<{ id: string }> = [];
+    const rotated: string[] = [];
+    let reconnects = 0;
+    const client = new RelayClient({
+      token: "c_original00",
+      url: "ws://relay.test",
+      onEvent: (event) => events.push(event),
+      onTokenRotated: async (token) => {
+        rotated.push(token);
+      },
+      onReconnect: () => {
+        reconnects++;
+      },
+      ...overrides,
+    });
+    return {
+      client,
+      events,
+      rotated,
+      get reconnects() {
+        return reconnects;
+      },
+    };
+  }
+
+  async function openClient(overrides?: Partial<ConstructorParameters<typeof RelayClient>[0]>) {
+    const harness = makeClient(overrides);
+    const started = harness.client.start();
+    wsAt(0).open();
+    await started;
+    return harness;
+  }
+
+  test("start() dials the override URL and sends the c_-prefixed start frame", async () => {
+    const { client } = await openClient();
+    const ws = wsAt(0);
+
+    expect(ws.url).toBe("ws://relay.test");
+    expect(ws.sent[0]).toBe(encodeStartFrame("c_original00"));
+    expect(client.token).toBe("c_original00");
+  });
+
+  test("schedules the keepalive probe at RELAY_SILENCE_TIMEOUT_MS / 2", async () => {
+    await openClient();
+    expect(intervalDelay).toBe(RELAY_SILENCE_TIMEOUT_MS / 2);
+  });
+
+  test("keepalive pings only after RELAY_SILENCE_TIMEOUT_MS of silence", async () => {
+    await openClient();
+    const ws = wsAt(0);
+
+    now += RELAY_SILENCE_TIMEOUT_MS - 1; // still within the window
+    intervalCallback?.();
+    expect(ws.pingCount).toBe(0);
+
+    now += 2; // now past the silence threshold
+    intervalCallback?.();
+    expect(ws.pingCount).toBe(1);
+  });
+
+  test("an inbound message resets the silence clock, deferring the next ping", async () => {
+    const { events } = await openClient();
+    const ws = wsAt(0);
+
+    now += RELAY_SILENCE_TIMEOUT_MS - 5;
+    ws.message(
+      JSON.stringify({
+        type: "event",
+        data: { id: "frm_1", method: "POST", headers: {}, body: "" },
+      }),
+    );
+    expect(events).toHaveLength(1);
+
+    // Only 5ms have elapsed since the message reset lastActivityAt.
+    now += 5;
+    intervalCallback?.();
+    expect(ws.pingCount).toBe(0);
+  });
+
+  test("a dead-link ping closes the socket so the redial path fires", async () => {
+    await openClient();
+    const ws = wsAt(0);
+    ws.pingThrows = true;
+
+    now += RELAY_SILENCE_TIMEOUT_MS + 1;
+    intervalCallback?.();
+    expect(ws.closedWith).toBeUndefined(); // close() called with no code on ping failure
+    expect(ws.pingCount).toBe(0);
+  });
+
+  test("a non-1008 close reconnects with the SAME token after the reconnect delay", async () => {
+    const harness = await openClient();
+    wsAt(0).fireClose(1006);
+
+    expect(harness.reconnects).toBe(1);
+    expect(timeoutDelay).toBe(RELAY_RECONNECT_DELAY_MS);
+    expect(FakeWebSocket.instances).toHaveLength(1); // no redial until the timer fires
+
+    timeoutCallback?.();
+    expect(FakeWebSocket.instances).toHaveLength(2);
+    wsAt(1).open();
+    expect(wsAt(1).sent[0]).toBe(encodeStartFrame("c_original00"));
+    expect(harness.rotated).toHaveLength(0);
+  });
+
+  test("a 1008 collision rotates to a fresh c_ token, persists it, and redials", async () => {
+    const harness = await openClient();
+    wsAt(0).fireClose(RELAY_CLOSE_TOKEN_COLLISION);
+    await flush();
+
+    expect(harness.client.token).not.toBe("c_original00");
+    expect(harness.client.token).toMatch(/^c_[0-9A-Za-z]{10}$/);
+    expect(harness.rotated).toEqual([harness.client.token]);
+
+    expect(FakeWebSocket.instances).toHaveLength(2); // immediate redial, no reconnect-delay timer
+    wsAt(1).open();
+    expect(wsAt(1).sent[0]).toBe(encodeStartFrame(harness.client.token));
+    expect(harness.reconnects).toBe(0); // collision is not a generic reconnect
+  });
+
+  test("stop() closes with 1000 and suppresses any further reconnect", async () => {
+    const harness = await openClient();
+    const ws = wsAt(0);
+
+    harness.client.stop();
+    expect(ws.closedWith).toBe(1000);
+
+    ws.fireClose(1000);
+    expect(harness.reconnects).toBe(0);
+    expect(FakeWebSocket.instances).toHaveLength(1);
+  });
+
+  test("ignores non-event frames without invoking onEvent", async () => {
+    const { events } = await openClient();
+    const ws = wsAt(0);
+
+    ws.message(JSON.stringify({ type: "pong" }));
+    ws.message("not json");
+    expect(events).toHaveLength(0);
+  });
+});

packages/cli-core/src/commands/webhooks/replay.test.ts

@@ -67,6 +67,10 @@ describe("webhooks replay", () => {
       label: "--until without --since",
       options: { msgId: "msg_1", until: "2026-05-01T00:00:00Z" },
     },
+    {
+      label: "--until alone (no <msg_id>, no --since)",
+      options: { until: "2026-05-01T00:00:00Z" },
+    },
     {
       label: "--since without --endpoint",
       options: { since: "2026-05-01T00:00:00Z" },

packages/cli-core/src/commands/webhooks/shared.ts

@@ -117,12 +117,17 @@ export function formatEndpointDetails(endpoint: WebhookEndpoint): void {
   }
 }
 
-/** Split a comma-separated flag value into trimmed, non-empty entries. */
+/**
+ * Split a comma-separated flag value into trimmed, non-empty entries. Returns
+ * undefined when the flag was absent OR carried no real values (`""`, `","`,
+ * whitespace) — so callers can treat an empty value as "not provided" instead
+ * of sending an empty array.
+ */
 export function splitCommaList(value: string | undefined): string[] | undefined {
   if (value === undefined) return undefined;
   const parts = value
     .split(",")
     .map((part) => part.trim())
     .filter(Boolean);
-  return parts;
+  return parts.length > 0 ? parts : undefined;
 }

packages/cli-core/src/commands/webhooks/update.test.ts

@@ -105,6 +105,16 @@ describe("webhooks update", () => {
     expect(mockUpdateWebhookEndpoint).not.toHaveBeenCalled();
   });
 
+  test.each([
+    { label: "--events", options: { events: "" } },
+    { label: "--channels", options: { channels: " , " } },
+  ])("an empty $label value does not bypass the no-flags guard", async ({ options }) => {
+    await expect(webhooksUpdate({ endpointId: "ep_1", ...options })).rejects.toMatchObject({
+      code: ERROR_CODE.USAGE_ERROR,
+    });
+    expect(mockUpdateWebhookEndpoint).not.toHaveBeenCalled();
+  });
+
   test("prints the updated endpoint in human mode", async () => {
     await webhooksUpdate({ endpointId: "ep_1", description: "Updated" });
 

packages/cli-core/src/commands/webhooks/verify.test.ts

@@ -234,6 +234,19 @@ describe("webhooks verify command", () => {
     ).rejects.toThrow("in the past");
   });
 
+  test("mismatch on a future timestamp includes a humanized skew hint", async () => {
+    const futureTimestamp = String(Number(TIMESTAMP) + 3600);
+    const payloadPath = await writeTempFile("body.json", PAYLOAD);
+
+    await expect(
+      webhooksVerify({
+        ...explicitFlags(),
+        timestamp: futureTimestamp,
+        payload: `@${payloadPath}`,
+      }),
+    ).rejects.toThrow("in the future");
+  });
+
   test.each([
     { label: "missing --secret", options: {} },
     { label: "malformed --secret", options: { secret: "sk_nope" } },