PD-180 — Multi-agent decomposition
Story
- ID: PD-180
- Title: Outbound webhooks for user events
- Date: 2026-03-07
Agents and modules
| Agent | Modules | Files |
|---|---|---|
| agent-foundation | CC-180-01 (entities), CC-180-02 (DTOs), CC-180-10 (module) | 9 files |
| agent-core | CC-180-03 (CRUD), CC-180-06 (delivery), CC-180-07 (rate limiter), CC-180-08 (worker), CC-180-11 (event listener) | 5 files |
| agent-crypto | CC-180-04 (HMAC signature) | 1 file |
| agent-security | CC-180-05 (SSRF) | 1 file |
| agent-api | CC-180-09 (controller) | 1 file |
Files produced
Enums (3)
- src/modules/webhooks/enums/webhook-status.enum.ts — WebhookStatus + transition matrix
- src/modules/webhooks/enums/delivery-status.enum.ts — DeliveryStatus
- src/modules/webhooks/enums/event-type.enum.ts — EventType + variants A/B/C
Entities (3)
- src/modules/webhooks/entities/webhook.entity.ts — Webhook (vault_secure, RLS)
- src/modules/webhooks/entities/webhook-delivery.entity.ts — WebhookDelivery (intention)
- src/modules/webhooks/entities/webhook-delivery-attempt.entity.ts — Attempt (append-only)
DTOs (6)
- src/modules/webhooks/dto/create-webhook.dto.ts — CreateWebhookDto
- src/modules/webhooks/dto/update-webhook.dto.ts — UpdateWebhookDto
- src/modules/webhooks/dto/webhook-response.dto.ts — WebhookResponseDto + ListDto
- src/modules/webhooks/dto/replay-event.dto.ts — ReplayEventParamsDto
- src/modules/webhooks/dto/delivery-log-response.dto.ts — DeliveryLogResponseDto
- src/modules/webhooks/dto/pagination-query.dto.ts — PaginationQueryDto
Services (5)
- src/modules/webhooks/services/webhooks.service.ts — CRUD, quota, transitions, secret
- src/modules/webhooks/services/webhook-signature.service.ts — HMAC-SHA256, variants A/B/C
- src/modules/webhooks/services/webhook-ssrf.service.ts — DNS resolution, IP blocking, pinning
- src/modules/webhooks/services/webhook-delivery.service.ts — Delivery, retry, replay, purge
- src/modules/webhooks/services/webhook-rate-limiter.service.ts — Redis ZSET sliding window
Infrastructure (3)
- src/modules/webhooks/processors/webhook-delivery.processor.ts — BullMQ worker
- src/modules/webhooks/listeners/webhook-event.listener.ts — EventEmitter2 listener
- src/modules/webhooks/webhooks.module.ts — NestJS module
Controller (1)
- src/modules/webhooks/webhooks.controller.ts — REST API (9 endpoints)
Migration (1)
- src/database/migrations/1741900000000-PD-180-CreateWebhookTables.ts — DDL + RLS
Tests (3)
- src/modules/webhooks/__tests__/webhook-signature.service.spec.ts — 11 tests
- src/modules/webhooks/__tests__/webhook-ssrf.service.spec.ts — 15 tests
- src/modules/webhooks/__tests__/webhooks.service.spec.ts — 7 tests
Test results
- 33 tests, 33 passed, 0 failed
- TSC compilation: 0 errors
Invariants covered
| INV | Implementation | Test |
|---|---|---|
| INV-01 | SignatureService.buildCanonicalPayload() variants A/B/C | TC-NOM-05, TC-NOM-15, TC-NOM-16, TC-INV-01 |
| INV-02 | SignatureService.sign() HMAC-SHA256(secretSha256, t.payload) | TC-NOM-05, TC-NOM-17 |
| INV-03 | Unix timestamp in header t= | TC-NOM-05 |
| INV-04 | SsrfService.validateUrl() HTTPS only | TC-ERR-01 |
| INV-05 | Axios maxRedirects: 0 | Delivery service |
| INV-06 | INSERT intention BEFORE BullMQ enqueue | Outbox pattern |
| INV-07 | Append-only attempts, purge >30 days | TC-NOM-14, TC-INV-07 |
| INV-08 | org_id + RLS on all entities | Migration RLS policies |
| INV-09 | secret_hint 4 chars, never secret_sha256 | TC-NOM-01 |
| INV-10 | @CurrentUser('tenant') — never client param | Controller |
| INV-11 | No probatory module imports | WebhooksModule |
| INV-12 | EventEmitter2 post-commit + existence check | EventListener |
| INV-13 | Transition matrix explicit | TC-NOM-03, TC-NOM-04, TC-INV-13 |
| INV-14 | Transaction DB + post-commit BullMQ | Outbox pattern |
| INV-15 | DNS + IP validation + IP pinning | TC-INV-15 |