Add webhook payload redaction guard

[taherdhanera]

/claim #19

Summary

Adds webhook-payload-redaction-guard, a self-contained Enterprise Tooling slice that validates outbound institutional webhook/API payloads before delivery.

The guard evaluates:

• event-type and schema allowlists
• private project fields
• PII/direct identifier exposure
• private storage URLs
• data-residency destination regions
• signature metadata and unsafe signing algorithms
• dataset access safety and embargoed download links
• event-level delivery decisions: deliver, redact-and-review, or block-delivery

Non-overlap

This is not a webhook replay ledger, admin notification escalation guard, connector certification gate, API change governance guard, data export approval queue, deposit reconciliation guard, SCIM/HRIS deprovisioning guard, LMS roster passback guard, usage cost-allocation guard, incident response workflow, data residency policy module, or secret rotation gate. It focuses specifically on outbound payload minimization and redaction before institutional delivery.

Local validation

Run from webhook-payload-redaction-guard/:

npm run check
npm test
npm run demo
npm run demo:video

All four commands passed locally.

Reviewer artifacts

• reports/summary.json
• reports/reviewer-packet.md
• reports/summary.svg
• reports/demo.webm

Safety

All data is synthetic. The module does not call live webhook delivery, repository sync, LMS sync, identity services, storage systems, or external providers. It does not include private institutional payloads, credentials, secrets, real users, or live admin mutations.

Current status - 2026-05-29

Verified after newer same-issue #19 activity: this PR remains open, non-draft, CLEAN/mergeable, and distinct from KoiosSG PR #411. PR #383 is the webhook payload-redaction guard; PR #411 is a separate enterprise dashboard accessibility guard.

[taherdhanera]

Reviewer-ready checkpoint for /claim #19. This PR is open, non-draft, mergeable/CLEAN, Bounty claim labeled, and the body contains /claim #19. Scope remains webhook payload redaction: event/schema allowlists, private project fields, PII/direct identifier exposure, private storage URLs, residency checks, signature safety, embargoed links, and deterministic deliver/redact/block decisions from synthetic data only.

[taherdhanera]

Visibility update after the new API rate-limit PR: this #19 claim remains open, non-draft, mergeable/CLEAN, bounty-labeled, and already claim-marked.

Scope remains the webhook payload redaction/minimization guard, not API rate-limit contract or retry/backoff work. This PR covers event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destinations, signature metadata, unsafe signing algorithms, and event-level deliver/redact/block decisions.

The reviewer packet, deterministic artifacts, validation commands, and claim marker are already in place. I do not see a contributor-side blocker for review/reward decision.

[taherdhanera]

Visibility update after PR #411: this existing /claim #19 remains open, non-draft, CLEAN, bounty-labeled, and claim-marked.

Scope remains the webhook payload redaction/minimization guard, separate from the newer enterprise dashboard accessibility readiness slice. This PR covers event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destinations, signature metadata, unsafe signing algorithms, and event-level deliver/redact/block decisions.

The reviewer packet, deterministic artifacts, validation commands, and claim marker are already in place. I do not see a contributor-side blocker for review/reward decision.

[taherdhanera]

Status refresh after the latest issue #19 external claim follow-up: PR #383 remains open, non-draft, mergeable, bounty-labeled, and claim-marked for the existing #19 submission. No code changes are needed from my side unless reviewers request revisions.

[taherdhanera]

Status refresh after the newer same-issue PR #445 activity: PR #383 remains open, non-draft, mergeable/CLEAN, bounty-labeled, and claim-marked for issue #19.

The submitted scope remains the webhook payload redaction/minimization guard: event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destinations, signature metadata, unsafe signing algorithms, and event-level deliver/redact/block decisions before institutional webhook/API payload delivery.

This is distinct from PR #445's webhook delivery failure guard, enterprise admin dashboard accessibility readiness, API rate-limit contract work, vendor-DPA/subprocessor review, and the other #19 slices.

[taherdhanera]

Status refresh after the newer same-issue PR #411 hardening activity: PR #383 remains open, non-draft, mergeable/CLEAN, bounty-labeled, and claim-marked for issue #19.

The submitted scope remains the webhook payload redaction/minimization guard: event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destinations, signature metadata, unsafe signing algorithms, and event-level deliver/redact/block decisions before institutional webhook/API payload delivery.

This is distinct from PR #411's enterprise admin dashboard accessibility readiness guard and hardening update, PR #445's webhook delivery failure guard, API rate-limit contract work, vendor-DPA/subprocessor review, and other #19 enterprise tooling slices. No contributor-side code changes are pending unless reviewers request revisions.

[taherdhanera]

Status refresh after the newer same-issue PR #453 activity: PR #383 remains open, non-draft, mergeable/CLEAN, bounty-labeled, and claim-marked for issue #19.

The submitted scope remains the webhook payload redaction/minimization guard: event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destination regions, signature metadata, unsafe signing algorithms, dataset access safety, embargoed download links, and delivery decisions to deliver, redact-and-review, or block delivery.

PR #453 appears to add a separate institutional admin auditor for owner admins, MFA, dashboard widgets, API scopes, key rotation, signed webhooks, export dry runs, audit logging, SLA, and DPA readiness. That is adjacent, but PR #383 is still the prior webhook payload minimization/redaction layer for this issue.

[taherdhanera]

Visibility refresh after later same-issue PR #485 activity on May 29.

This existing submission remains PR #383, open, non-draft, CLEAN/mergeable, bounty-labeled, /claim #19 present, and tied to the Pending USD 175 Algora claim: https://algora.io/claims/8PbXSF2qS8yVB3Pv

Maintainer review target remains the webhook payload redaction/minimization guard implemented here: event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destination regions, signature metadata, unsafe signing algorithms, dataset access safety, embargoed download links, and deliver/redact/block delivery decisions. That scope is separate from PR #485's institutional repository sync SLA guard.

[taherdhanera]

Visibility refresh after the newer same-issue PR #496 activity.

This existing submission remains PR #383, open, non-draft, CLEAN/mergeable, bounty-labeled, /claim #19 present, and tied to the Pending USD 175 Algora claim: https://algora.io/claims/8PbXSF2qS8yVB3Pv

Maintainer review target remains the webhook payload redaction/minimization guard implemented here: event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destination regions, signature metadata, unsafe signing algorithms, dataset access safety, embargoed download links, and deliver/redact/block decisions before institutional webhook/API payload delivery. PR #496 appears to add a separate enterprise integration contract drift guard; PR #383 remains the prior outbound payload minimization and redaction layer.

[taherdhanera]

Visibility refresh after PR #411's newer hardening pass for table/export accessibility summaries and private accessibility text.

My existing issue #19 submission remains PR #383: #383

Current status re-verified now: PR #383 is open, non-draft, CLEAN/mergeable, bounty-labeled, includes /claim #19, and its Algora claim remains Pending for USD 175: https://algora.io/claims/8PbXSF2qS8yVB3Pv

Scope reminder for review: PR #383 is the webhook payload redaction/minimization guard for Enterprise Tooling. It covers event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destination regions, signature metadata, unsafe signing algorithms, dataset access safety, embargoed download links, and delivery decisions to deliver, redact-and-review, or block delivery before institutional webhook/API payload delivery.

This remains separate from PR #411's enterprise dashboard accessibility and table-summary privacy hardening, PR #496's enterprise integration contract drift guard, PR #485's institutional repository sync SLA guard, and other adjacent #19 slices. No contributor-side code changes are pending unless maintainers request revisions.

[taherdhanera]

Status refresh after newer same-issue #19 PR activity, including KoiosSG PR #411.

This PR #383 remains open, non-draft, CLEAN/mergeable, and claims #19. It focuses specifically on outbound institutional webhook/API payload minimization and redaction before delivery: schema/event allowlists, PII/direct identifiers, private storage URLs, residency destination checks, signing metadata, dataset access safety, and embargoed download links.

Non-overlap: PR #411 focuses on enterprise dashboard accessibility readiness. That is a separate dashboard release/export accessibility slice and does not replace this webhook payload-redaction guard. No contributor-side changes are pending unless maintainers request revisions.

[taherdhanera]

Visibility refresh after KoiosSG updated same-issue #19 PR #411 later than my last status.

This PR #383 remains open, non-draft, CLEAN/mergeable, bounty-labeled, and claim-marked for issue #19. It is tied to the Pending USD 175 Algora claim: https://algora.io/claims/8PbXSF2qS8yVB3Pv

Scope remains distinct: PR #383 is the webhook payload redaction/minimization guard covering event/schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destination regions, signature metadata, unsafe signing algorithms, dataset access safety, embargoed download links, and deliver/redact/block decisions before institutional webhook/API payload delivery. PR #411 remains a separate enterprise dashboard accessibility readiness and export/accessibility hardening slice. No contributor-side code changes are pending unless maintainers request revisions.

[taherdhanera]

Visibility refresh after newer same-issue #19 competitor PR activity from yunrongy424-oss PR #445.

This PR #383 remains open, non-draft, MERGEABLE, bounty-labeled, and claim-marked for issue #19. It is tied to the Pending USD 175 Algora claim: https://algora.io/claims/8PbXSF2qS8yVB3Pv

Scope remains distinct: webhook payload redaction/minimization across event/schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destination regions, signature metadata, unsafe signing algorithms, dataset access safety, embargoed download links, and deliver/redact/block decisions. No contributor-side changes are pending unless maintainers request revisions.

[taherdhanera]

Visibility refresh after KoiosSG updated same-issue #19 PR #411 again with missing contrast-evidence hardening.

This PR #383 remains open, non-draft, MERGEABLE, bounty-labeled, and claim-marked for issue #19. It is tied to the Pending USD 175 Algora claim: https://algora.io/claims/8PbXSF2qS8yVB3Pv

Scope remains distinct: webhook payload redaction/minimization across event/schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destination regions, signature metadata, unsafe signing algorithms, dataset access safety, embargoed download links, and deliver/redact/block decisions. PR #411 remains a separate enterprise dashboard accessibility release-gating slice. No contributor-side changes are pending unless maintainers request revisions.

[taherdhanera]

PR-side visibility refresh after newer same-issue #19 activity from @KoiosSG in PR #411 (enterprise dashboard accessibility guard).

PR #383 remains open, non-draft, MERGEABLE/CLEAN, bounty-labeled, and claim-marked for #19. Algora reward link remains indexed: https://algora.io/claims/8PbXSF2qS8yVB3Pv

Scope remains the webhook delivery observability guard, separate from PR #411's enterprise dashboard accessibility guard. No contributor-side changes are pending unless maintainers request revisions.

[taherdhanera]

Visibility and merge/reward readiness refresh after newer same-issue #19 activity from @KoiosSG on PR #411:

• Add enterprise dashboard accessibility guard #411

My active #19 submission remains PR #383: #383

Current status re-verified now:

• PR Add webhook payload redaction guard #383 is open and non-draft
• PR Add webhook payload redaction guard #383 is MERGEABLE/CLEAN
• Bounty claim label is present
• PR body includes /claim #19
• Algora claim remains Pending for USD 175: https://algora.io/claims/8PbXSF2qS8yVB3Pv

Scope remains the webhook payload redaction/minimization guard for Enterprise Tooling: event/schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destination regions, signature metadata, unsafe signing algorithms, dataset access safety, embargoed download links, and deliver/redact/block decisions before institutional webhook/API payload delivery.

This is separate from PR #411's enterprise dashboard accessibility guard and its contrast/focus/table-summary release gates. No contributor-side changes are pending unless maintainers request revisions. Could a maintainer please review PR #383 for merge/reward decision, or point me to the exact change needed to unblock it?

[taherdhanera]

PR-side visibility refresh after newer same-issue #19 activity from @jaxassistant55 on PR #525:

• Enterprise Tooling #19 (comment)
• Add enterprise SSO certificate rollover guard #525

This PR #383 remains my active issue #19 submission.

Current status re-verified now:

• open and non-draft
• MERGEABLE/CLEAN
• Bounty claim label present
• PR body includes /claim #19
• Algora claim remains Pending for USD 175: https://algora.io/claims/8PbXSF2qS8yVB3Pv

Scope remains the webhook payload redaction/minimization guard, separate from PR #525's institutional SSO signing-certificate rollover readiness guard. No contributor-side changes are pending unless maintainers request revisions.