feat(endpoints): add payload transformation schema and API (ADR-003 Phase 1)

Per ADR-003, Phase 1 stores transformation configuration on endpoints without applying it during delivery. Schema additions on the endpoints table:
- transform_expression (varchar(4096), nullable) — JMESPath expression to apply
- transform_enabled (boolean, default false) — kill switch per endpoint
- transform_validated_at (timestamptz, nullable) — last successful validation time

Migration generated via dotnet ef migrations add includes Up/Down operations and updates ModelSnapshot for downstream diffs.

API surface: CreateEndpointRequest / UpdateEndpointRequest and the dashboard equivalents accept optional TransformExpression and TransformEnabled fields. EndpointResponseDto, the EndpointListItem repository projection, and the dashboard endpoint create/update inline responses expose all three fields. FluentValidation rules enforce the 4096-character cap, and the UpdateEndpointRequest "at least one field" guard now treats Transform fields as valid inputs. Setting a non-empty TransformExpression on update resets TransformValidatedAt to null so a fresh validation pass is required before the expression is trusted.

Pipeline integration (HttpDeliveryService applying the expression with JmesPath.Net + 100 ms timeout + fail-open) and the dashboard expression editor remain in ADR-003 Phase 2 and Phase 3. The optional /transform/validate endpoint will land alongside the JmesPath.Net dependency in Phase 2.

Author: voyvodka

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.ht
 
 ## [Unreleased]
 
+### Added
+- **Payload transformation schema and API (ADR-003 Phase 1):** endpoints now accept `transformExpression` (JMESPath, max 4096 chars), `transformEnabled` (kill switch, default `false`), and a server-managed `transformValidatedAt` timestamp on create/update. Both the public Bearer-key API (`POST /api/v1/endpoints`, `PUT /api/v1/endpoints/{id}`) and the dashboard endpoints (`POST /api/v1/dashboard/endpoints`, `PUT /api/v1/dashboard/endpoints/{id}`) carry the new fields, and `EndpointResponseDto` exposes them on read. Stored only — pipeline integration (delivery-time application with `JmesPath.Net` + 100 ms timeout + fail-open) and the dashboard editor land in ADR-003 Phase 2 and Phase 3 respectively.
+- **Security automations:** CodeQL workflow (csharp + javascript-typescript, push/PR/Mondays at 06:30 UTC), Dependency Review action on PRs (high-severity fail + GPL/LGPL/AGPL/EUPL/SSPL deny-list), and Dependabot config covering NuGet, npm, GitHub Actions, and Docker base images. Five repo labels (`dependencies`, `nuget`, `npm`, `ci`, `docker`) created to support the Dependabot config.
+
 ### Changed
 - **Frontend toolchain:** migrated dashboard package manager from Yarn to [Bun](https://bun.sh/) 1.2+. `yarn.lock` replaced with `bun.lock` (text format introduced in Bun 1.2); CI, Dockerfile, contributor docs, and PR template now reference `bun` commands. No runtime behavior changes.
 

src/WebhookEngine.API/Contracts/ApiResponseDtos.cs

@@ -25,6 +25,9 @@ public sealed class EndpointResponseDto
     public JsonElement CustomHeadersJson { get; init; }
     public string? SecretOverride { get; init; }
     public JsonElement MetadataJson { get; init; }
+    public string? TransformExpression { get; init; }
+    public bool TransformEnabled { get; init; }
+    public DateTime? TransformValidatedAt { get; init; }
     public List<Guid> FilterEventTypes { get; init; } = [];
     public DateTime CreatedAt { get; init; }
     public DateTime UpdatedAt { get; init; }
@@ -89,6 +92,9 @@ public static EndpointResponseDto ToDto(this EndpointEntity endpoint)
             CustomHeadersJson = JsonValueParser.ParseOrEmptyObject(endpoint.CustomHeadersJson),
             SecretOverride = endpoint.SecretOverride,
             MetadataJson = JsonValueParser.ParseOrEmptyObject(endpoint.MetadataJson),
+            TransformExpression = endpoint.TransformExpression,
+            TransformEnabled = endpoint.TransformEnabled,
+            TransformValidatedAt = endpoint.TransformValidatedAt,
             FilterEventTypes = endpoint.EventTypes.Select(et => et.Id).ToList(),
             CreatedAt = endpoint.CreatedAt,
             UpdatedAt = endpoint.UpdatedAt
@@ -107,6 +113,9 @@ public static EndpointResponseDto ToDto(this EndpointListItem endpoint)
             CustomHeadersJson = JsonValueParser.ParseOrEmptyObject(endpoint.CustomHeadersJson),
             SecretOverride = endpoint.SecretOverride,
             MetadataJson = JsonValueParser.ParseOrEmptyObject(endpoint.MetadataJson),
+            TransformExpression = endpoint.TransformExpression,
+            TransformEnabled = endpoint.TransformEnabled,
+            TransformValidatedAt = endpoint.TransformValidatedAt,
             FilterEventTypes = endpoint.EventTypeIds,
             CreatedAt = endpoint.CreatedAt,
             UpdatedAt = endpoint.UpdatedAt

src/WebhookEngine.API/Controllers/DashboardEndpointController.cs

@@ -83,7 +83,9 @@ public async Task<IActionResult> CreateEndpoint([FromBody] DashboardCreateEndpoi
             Description = request.Description,
             SecretOverride = string.IsNullOrWhiteSpace(request.SecretOverride) ? null : request.SecretOverride,
             CustomHeadersJson = System.Text.Json.JsonSerializer.Serialize(request.CustomHeaders ?? new Dictionary<string, string>()),
-            MetadataJson = System.Text.Json.JsonSerializer.Serialize(request.Metadata ?? new Dictionary<string, string>())
+            MetadataJson = System.Text.Json.JsonSerializer.Serialize(request.Metadata ?? new Dictionary<string, string>()),
+            TransformExpression = string.IsNullOrWhiteSpace(request.TransformExpression) ? null : request.TransformExpression,
+            TransformEnabled = request.TransformEnabled ?? false
         };
 
         if (request.FilterEventTypes is not null && request.FilterEventTypes.Count > 0)
@@ -117,6 +119,9 @@ public async Task<IActionResult> CreateEndpoint([FromBody] DashboardCreateEndpoi
             circuitState = created?.Health?.CircuitState.ToString().ToLowerInvariant() ?? "closed",
             eventTypes = created?.EventTypes.Select(et => et.Name).ToList() ?? [],
             eventTypeIds = created?.EventTypes.Select(et => et.Id).ToList() ?? [],
+            transformExpression = endpoint.TransformExpression,
+            transformEnabled = endpoint.TransformEnabled,
+            transformValidatedAt = endpoint.TransformValidatedAt,
             createdAt = endpoint.CreatedAt,
             updatedAt = endpoint.UpdatedAt
         }));
@@ -147,6 +152,16 @@ public async Task<IActionResult> UpdateEndpoint(Guid endpointId, [FromBody] Dash
         if (request.Metadata is not null)
             endpoint.MetadataJson = System.Text.Json.JsonSerializer.Serialize(request.Metadata);
 
+        if (request.TransformExpression is not null)
+        {
+            // Empty/whitespace clears the expression; any new expression resets validation timestamp.
+            endpoint.TransformExpression = string.IsNullOrWhiteSpace(request.TransformExpression) ? null : request.TransformExpression;
+            endpoint.TransformValidatedAt = null;
+        }
+
+        if (request.TransformEnabled is not null)
+            endpoint.TransformEnabled = request.TransformEnabled.Value;
+
         if (request.FilterEventTypes is not null)
         {
             endpoint.EventTypes.Clear();
@@ -180,6 +195,9 @@ public async Task<IActionResult> UpdateEndpoint(Guid endpointId, [FromBody] Dash
             circuitState = updated?.Health?.CircuitState.ToString().ToLowerInvariant() ?? "closed",
             eventTypes = updated?.EventTypes.Select(et => et.Name).ToList() ?? [],
             eventTypeIds = updated?.EventTypes.Select(et => et.Id).ToList() ?? [],
+            transformExpression = endpoint.TransformExpression,
+            transformEnabled = endpoint.TransformEnabled,
+            transformValidatedAt = endpoint.TransformValidatedAt,
             createdAt = endpoint.CreatedAt,
             updatedAt = endpoint.UpdatedAt
         }));
@@ -375,6 +393,8 @@ public class DashboardCreateEndpointRequest
     public Dictionary<string, string>? CustomHeaders { get; set; }
     public Dictionary<string, string>? Metadata { get; set; }
     public string? SecretOverride { get; set; }
+    public string? TransformExpression { get; set; }
+    public bool? TransformEnabled { get; set; }
 }
 
 public class DashboardUpdateEndpointRequest
@@ -385,6 +405,8 @@ public class DashboardUpdateEndpointRequest
     public Dictionary<string, string>? CustomHeaders { get; set; }
     public Dictionary<string, string>? Metadata { get; set; }
     public string? SecretOverride { get; set; }
+    public string? TransformExpression { get; set; }
+    public bool? TransformEnabled { get; set; }
 }
 
 public class DashboardCreateEventTypeRequest

src/WebhookEngine.API/Controllers/EndpointsController.cs

@@ -37,7 +37,9 @@ public async Task<IActionResult> Create([FromBody] CreateEndpointRequest request
             Url = request.Url,
             Description = request.Description,
             CustomHeadersJson = System.Text.Json.JsonSerializer.Serialize(request.CustomHeaders ?? new Dictionary<string, string>()),
-            MetadataJson = System.Text.Json.JsonSerializer.Serialize(request.Metadata ?? new Dictionary<string, string>())
+            MetadataJson = System.Text.Json.JsonSerializer.Serialize(request.Metadata ?? new Dictionary<string, string>()),
+            TransformExpression = string.IsNullOrWhiteSpace(request.TransformExpression) ? null : request.TransformExpression,
+            TransformEnabled = request.TransformEnabled ?? false
         };
 
         if (request.FilterEventTypes is not null && request.FilterEventTypes.Count > 0)
@@ -114,6 +116,16 @@ public async Task<IActionResult> Update(Guid endpointId, [FromBody] UpdateEndpoi
         if (request.SecretOverride is not null)
             endpoint.SecretOverride = string.IsNullOrWhiteSpace(request.SecretOverride) ? null : request.SecretOverride;
 
+        if (request.TransformExpression is not null)
+        {
+            // Treat empty/whitespace as a clear, otherwise store the new expression and reset validation timestamp.
+            endpoint.TransformExpression = string.IsNullOrWhiteSpace(request.TransformExpression) ? null : request.TransformExpression;
+            endpoint.TransformValidatedAt = null;
+        }
+
+        if (request.TransformEnabled is not null)
+            endpoint.TransformEnabled = request.TransformEnabled.Value;
+
         if (request.FilterEventTypes is not null)
         {
             endpoint.EventTypes.Clear();
@@ -236,6 +248,8 @@ public class CreateEndpointRequest
     public List<Guid>? FilterEventTypes { get; set; }
     public Dictionary<string, string>? CustomHeaders { get; set; }
     public Dictionary<string, string>? Metadata { get; set; }
+    public string? TransformExpression { get; set; }
+    public bool? TransformEnabled { get; set; }
 }
 
 public class UpdateEndpointRequest
@@ -246,4 +260,6 @@ public class UpdateEndpointRequest
     public Dictionary<string, string>? CustomHeaders { get; set; }
     public Dictionary<string, string>? Metadata { get; set; }
     public string? SecretOverride { get; set; }
+    public string? TransformExpression { get; set; }
+    public bool? TransformEnabled { get; set; }
 }

src/WebhookEngine.API/Validators/RequestValidators.cs

@@ -76,6 +76,11 @@ public CreateEndpointRequestValidator()
         RuleFor(x => x.Description)
             .MaximumLength(500)
             .When(x => x.Description is not null);
+
+        RuleFor(x => x.TransformExpression)
+            .MaximumLength(4096)
+            .When(x => x.TransformExpression is not null)
+            .WithMessage("TransformExpression must not exceed 4096 characters.");
     }
 
     private static bool BeValidHttpsUrl(string? url)
@@ -103,13 +108,20 @@ public UpdateEndpointRequestValidator()
             .MaximumLength(500)
             .When(x => x.Description is not null);
 
+        RuleFor(x => x.TransformExpression)
+            .MaximumLength(4096)
+            .When(x => x.TransformExpression is not null)
+            .WithMessage("TransformExpression must not exceed 4096 characters.");
+
         RuleFor(x => x)
             .Must(x => x.Url is not null
                 || x.Description is not null
                 || x.FilterEventTypes is not null
                 || x.CustomHeaders is not null
                 || x.Metadata is not null
-                || x.SecretOverride is not null)
+                || x.SecretOverride is not null
+                || x.TransformExpression is not null
+                || x.TransformEnabled is not null)
             .WithMessage("At least one field must be provided.");
     }
 
@@ -140,6 +152,11 @@ public DashboardCreateEndpointRequestValidator()
         RuleFor(x => x.Description)
             .MaximumLength(500)
             .When(x => x.Description is not null);
+
+        RuleFor(x => x.TransformExpression)
+            .MaximumLength(4096)
+            .When(x => x.TransformExpression is not null)
+            .WithMessage("TransformExpression must not exceed 4096 characters.");
     }
 
     private static bool BeValidHttpsUrl(string? url)
@@ -167,13 +184,20 @@ public DashboardUpdateEndpointRequestValidator()
             .MaximumLength(500)
             .When(x => x.Description is not null);
 
+        RuleFor(x => x.TransformExpression)
+            .MaximumLength(4096)
+            .When(x => x.TransformExpression is not null)
+            .WithMessage("TransformExpression must not exceed 4096 characters.");
+
         RuleFor(x => x)
             .Must(x => x.Url is not null
                 || x.Description is not null
                 || x.FilterEventTypes is not null
                 || x.CustomHeaders is not null
                 || x.Metadata is not null
-                || x.SecretOverride is not null)
+                || x.SecretOverride is not null
+                || x.TransformExpression is not null
+                || x.TransformEnabled is not null)
             .WithMessage("At least one field must be provided.");
     }
 

src/WebhookEngine.Core/Entities/Endpoint.cs

@@ -12,6 +12,14 @@ public class Endpoint
     public string CustomHeadersJson { get; set; } = "{}";
     public string? SecretOverride { get; set; }
     public string MetadataJson { get; set; } = "{}";
+
+    // Payload transformation (ADR-003) — declarative JMESPath reshape applied
+    // before delivery. Stored only in Phase 1; pipeline integration arrives in
+    // Phase 2 (HttpDeliveryService) and the dashboard editor in Phase 3.
+    public string? TransformExpression { get; set; }
+    public bool TransformEnabled { get; set; }
+    public DateTime? TransformValidatedAt { get; set; }
+
     public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
     public DateTime UpdatedAt { get; set; } = DateTime.UtcNow;
 

src/WebhookEngine.Infrastructure/Data/WebhookDbContext.cs

@@ -75,6 +75,9 @@ protected override void OnModelCreating(ModelBuilder modelBuilder)
             entity.Property(e => e.CustomHeadersJson).HasColumnName("custom_headers").HasColumnType("jsonb").HasDefaultValueSql("'{}'");
             entity.Property(e => e.SecretOverride).HasColumnName("secret_override").HasMaxLength(64);
             entity.Property(e => e.MetadataJson).HasColumnName("metadata").HasColumnType("jsonb").HasDefaultValueSql("'{}'");
+            entity.Property(e => e.TransformExpression).HasColumnName("transform_expression").HasMaxLength(4096);
+            entity.Property(e => e.TransformEnabled).HasColumnName("transform_enabled").HasDefaultValue(false);
+            entity.Property(e => e.TransformValidatedAt).HasColumnName("transform_validated_at");
             entity.Property(e => e.CreatedAt).HasColumnName("created_at").HasDefaultValueSql("NOW()");
             entity.Property(e => e.UpdatedAt).HasColumnName("updated_at").HasDefaultValueSql("NOW()");