Skip to content

Releases: aatuh/webhookery

Webhookery v0.1.0-rc1

27 May 13:51
@aatuh aatuh
v0.1.0-rc1
910c05c

Choose a tag to compare

View all tags
Webhookery v0.1.0-rc1 Pre-release
Pre-release

Webhookery v0.1.0-rc1 Release Notes

Status: release candidate for controlled, single-region, self-hosted
evaluation.

Date: 2026-05-27

This release packages Webhookery as self-hosted webhook evidence infrastructure:
durable capture before inbound success, provider-aware verification, signed
delivery, replay, reconciliation evidence, retention, audit-chain verification,
and operator-facing release evidence.

Who This Release Is For

Use this release candidate if you need to evaluate whether Webhookery can help
with webhook evidence, debugging, replay, and self-hosted operational review.
It is most relevant for platform, SRE, security, and integration teams that need
to prove what happened to webhook events.

Do not treat this release candidate as a managed service, compliance
certification, or provider completeness guarantee.

Implemented Core Behavior

  • Durable inbound capture before returning success.
  • Raw body and header evidence preservation.
  • Provider signature verification and local conformance vectors.
  • Tenant-scoped sources, endpoints, routes, subscriptions, events, deliveries,
    attempts, replay, DLQ, quarantine, retention, audit, and export APIs.
  • Signed outbound delivery with retry, DLQ, replay, and payload evidence.
  • Versioned configuration evidence for reproducible route, retry, adapter,
    transformation, and replay decisions.
  • Audit hash-chain verification and release evidence export foundations.
  • Provider reconciliation and gap evidence where provider APIs and credentials
    permit it.
  • Redacted production doctor, performance smoke, provider conformance checks,
    backup/restore scripts, deployment profiles, and observability examples.

Release Evidence

The canonical evidence template is docs/release-evidence-template.md.

For this release candidate, release evidence should include:

  • commit SHA and tag
  • make release-acceptance output
  • make rc-check output
  • DB-backed make rc-check output when WEBHOOKERY_TEST_DATABASE_URL is
    available
  • provider conformance output
  • performance smoke output
  • Docker image digest
  • source and image SBOMs
  • Trivy HIGH/CRITICAL image scan result
  • branch protection or repository ruleset status
  • external review status or accepted-risk record

The GitHub release workflow generates a release evidence artifact with SBOMs,
image digest, local fake-provider/fake-receiver evidence, and non-claim
language. It does not perform live Stripe, GitHub, Shopify, Slack, AWS, Vault,
or customer receiver calls.

Upgrade And Rollback Notes

  • Read docs/stability.md before relying on API, CLI, migration, or support
    windows.
  • Run migrations only against a backed-up database.
  • Run the restore drill from docs/operations.md before promoting a deployment
    that changes persistence or evidence storage behavior.
  • Rollback across applied migrations may require restoring from backup; do not
    assume automatic down-migration safety for production data.

Known Limitations

  • Single-region self-hosted operation is the supported release-candidate
    posture.
  • Operators own PostgreSQL durability, object storage durability, backups,
    network policy, TLS, alert routing, and incident response.
  • Provider reconciliation cannot prove provider-side event completeness.
  • Local release acceptance uses fake/local providers and receivers only.
  • Performance smoke output is a local sizing signal, not an SLA.
  • Commercial support and license exceptions require a separate written
    agreement.

Non-Claims

Webhookery v0.1.0-rc1 does not claim:

  • exactly-once delivery
  • provider-side event completeness
  • downstream business success
  • compliance certification
  • external timestamping
  • legal evidence certification
  • hosted-service availability
  • multi-region active-active operation

Commercial Evaluation

Commercial license exceptions and paid evaluation packages are described in
COMMERCIAL.md. The commercial path does not change the technical non-claims
above unless a written agreement explicitly narrows scope for a specific
engagement.

Validation Commands

Run these from a clean checkout:

make docs-check
make release-acceptance
make rc-check
make finalize

For DB-backed release-candidate checks:

WEBHOOKERY_TEST_DATABASE_URL=postgres://... make rc-check
Loading