chore(observability): scope stripe webhook requirement #3410

Open
smanthey wants to merge 1 commit into simstudioai:main from smanthey:main

smanthey commented Mar 4, 2026

Adds claw-observability override to scope Stripe webhook signature requirement for this repo scan context.

vercel bot commented Mar 4, 2026

Someone is attempting to deploy a commit to the Sim Team on Vercel.

A member of the Team first needs to authorize it.

greptile-apps bot (Contributor) commented Mar 4, 2026

Greptile Summary

This PR adds a claw-observability.json configuration file to the repository root to override the stripeWebhookRequired scan signal for the claw observability scanner. The override is needed because the Sim app includes Stripe trigger definitions (used as workflow UI configuration) that cause the scanner to flag the repo, even though actual Stripe webhook signature verification is handled by the better-auth provider runtime (via toNextJsHandler(auth.handler) in apps/sim/app/api/auth/webhook/stripe/route.ts) rather than inline constructEvent calls that the scanner would typically look for.

Key points:

  • The notes field in the config clearly documents the rationale for the override.
  • No application logic or security behavior is changed — this is purely a scanner configuration.
  • The Stripe webhook signing secret is still captured as a user-provided field in the trigger definition (apps/sim/triggers/stripe/webhook.ts), and billing webhook handlers in apps/sim/lib/billing/webhooks/ remain unaffected.

Confidence Score: 5/5

  • This PR is safe to merge — it adds only a scanner config override with no impact on application logic or security.
  • The change is a single 4-line JSON file that configures the claw observability scanner. It does not touch any application code, security controls, or infrastructure. The override is well-justified in the notes field, and the actual Stripe webhook signature verification remains intact in the better-auth runtime layer.
  • No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| claw-observability.json | New observability override config disabling the stripeWebhookRequired scan signal for this repo, with a clear explanatory note; change is safe and well-justified. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Stripe sends POST to webhook endpoint] --> B[api/auth/webhook/stripe/route.ts]
    B --> C[better-auth runtime handler]
    C --> D[Signature verification inside better-auth]
    D --> E[Dispatch to billing webhook handlers]

    F[Claw Observability Scanner] -->|Scans repo| G{stripeWebhookRequired check}
    G -->|Stripe trigger definitions found| H[Would flag as missing verification]
    H -->|claw-observability.json override| I[stripeWebhookRequired = false]
    I --> J[Scanner skips requirement for this repo]

    style I fill:#90EE90
    style J fill:#90EE90
```

Last reviewed commit: 8dc54c1
