You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: AGENTS.md
+11Lines changed: 11 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -147,6 +147,17 @@ metadata:
147
147
148
148
- Keep SKILL.md under 500 lines / < 5,000 tokens
149
149
- Put detailed reference material in `references/` files
150
+
-**Inline code in `SKILL.md` is for the verification core only** — keep it short (typically under 25 lines) and limit it to the algorithm/header/comparison essentials an agent needs to answer "how do I verify X?" without loading another file. The full Express/Next.js/FastAPI handler (route wiring, event dispatch, error responses) lives in `examples/`. Point to the example by path rather than duplicating the handler:
> **For complete handlers with tests**, see [examples/express/](examples/express/), [examples/nextjs/](examples/nextjs/), [examples/fastapi/](examples/fastapi/).
159
+
```
160
+
This keeps `SKILL.md` focused, lets agents copy the canonical verification fast, and avoids drift between `SKILL.md` and the runnable (CI-tested) examples.
150
161
-**Links within the same skill:** Use relative paths (e.g. `references/verification.md`, `examples/express/`).
151
162
-**Links to another skill:** Use absolute GitHub URLs so links resolve when only one skill is installed. Use the `main` branch: `https://github.com/hookdeck/webhook-skills/blob/main/skills/{skill-name}/…` for a file, or `https://github.com/hookdeck/webhook-skills/tree/main/skills/{skill-name}` for the skill root.
Do **not** write `hookdeck listen ...` (assumes a global install), and do **not** omit the source positional arg (the CLI would otherwise prompt interactively). See `AGENTS.md` → "Local Development" for the rationale.
75
+
7.**`SKILL.md` inline code is for the verification core only** — keep it short (typically under 25 lines) and scoped to the algorithm/header/comparison essentials. The full Express/Next.js/FastAPI handler (route wiring, event dispatch, error responses) belongs in `examples/`, not in `SKILL.md`. After the verification snippet, link the example directories so agents can pull the runnable, CI-tested version:
76
+
77
+
```markdown
78
+
> **For complete handlers with tests**, see [examples/express/](examples/express/), [examples/nextjs/](examples/nextjs/), [examples/fastapi/](examples/fastapi/).
79
+
```
80
+
81
+
Do **not** duplicate the full handler from `examples/<framework>/src/...` into `SKILL.md`. Drift between the two is a recurring source of bugs (e.g. SDK API changes captured only in the example).
75
82
76
83
## CRITICAL: Consistency Checks
77
84
78
85
**Before finalizing, verify these are consistent across all files:**
79
86
80
87
1.**Event names** - SKILL.md, overview.md, and all three example handlers must use identical event names
81
88
2.**Header names** - All files must reference the same signature header(s)
82
-
3.**Verification algorithm** - SKILL.md inline code must match example implementations exactly
89
+
3.**Verification algorithm** - the verification core snippet in `SKILL.md` (algorithm + header parse + timing-safe compare) must match how the example handlers verify. Keep the SKILL.md snippet short and focused; the full handler lives in `examples/`
83
90
4.**Environment variable names** - Consistent across .env.example and code files
Copy file name to clipboardExpand all lines: skills/github-webhooks/SKILL.md
+19-82Lines changed: 19 additions & 82 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -20,107 +20,44 @@ metadata:
20
20
- Understanding GitHub event types and payloads
21
21
- Handling push, pull request, or issue events
22
22
23
-
## Essential Code (USE THIS)
23
+
## Verification (core)
24
24
25
-
### GitHub Signature Verification (JavaScript)
25
+
GitHub signs the raw body with HMAC-SHA256 keyed on your webhook secret and sends the digest in `X-Hub-Signature-256` formatted as `sha256=<hex>`. Use `X-Hub-Signature-256` (not the legacy SHA-1 `X-Hub-Signature`), pass the **raw** body, and compare timing-safe.
Copy file name to clipboardExpand all lines: skills/shopify-webhooks/SKILL.md
+20-73Lines changed: 20 additions & 73 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -20,99 +20,46 @@ metadata:
20
20
- Understanding Shopify event types and payloads
21
21
- Handling order, product, or customer events
22
22
23
-
## Essential Code (USE THIS)
23
+
## Verification (core)
24
24
25
-
### Shopify Signature Verification (JavaScript)
25
+
Shopify signs the raw body with HMAC-SHA256 keyed on the app's API secret and sends the digest in `X-Shopify-Hmac-SHA256` as **base64** (not hex). Pass the **raw** body, decode base64, and compare timing-safe. The topic is in `X-Shopify-Topic`; the shop domain in `X-Shopify-Shop-Domain`.
> **Important**: Shopify requires webhook endpoints to respond within 5 seconds with a 200 OK status. Process webhooks asynchronously if your handler logic takes longer.
Copy file name to clipboardExpand all lines: skills/stripe-webhooks/SKILL.md
+21-63Lines changed: 21 additions & 63 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -20,82 +20,40 @@ metadata:
20
20
- Understanding Stripe event types and payloads
21
21
- Handling payment, subscription, or invoice events
22
22
23
-
## Essential Code (USE THIS)
23
+
## Verification (core)
24
24
25
-
### Express Webhook Handler
25
+
Stripe ships official SDK helpers that verify the `Stripe-Signature` header (HMAC-SHA256 over `timestamp.body`) and parse the event in one call. Pass the **raw** request body — don't `JSON.parse` first.
0 commit comments