The Webhooks and Event Triggers subsystem provides a mechanism for Palyra to ingest external events and record internal state changes. This system is divided into inbound Webhooks, which allow external platforms (like GitHub or custom services) to push data to the daemon, and System Events, which provide an append-only audit log of daemon activities.

Inbound Webhooks

The daemon manages a registry of webhook integrations, each defined by a provider, a secret for signature validation, and a set of allowed event types.

Webhook Registry and Persistence

Webhook configurations are persisted in a TOML-backed registry managed by the WebhookRegistry struct (crates/palyra-daemon/src/webhooks.rs#107-111). The registry is stored at webhooks.toml within the daemon’s state root (crates/palyra-daemon/src/webhooks.rs#16). Key constraints enforced by the registry:

Security and Validation

To prevent unauthorized or malicious payloads, the subsystem implements several security layers:
  1. Signature Validation: If signature_required is enabled for an integration, the daemon validates the inbound request signature using a secret stored in the Vault (crates/palyra-daemon/src/webhooks.rs:41, 62).
  2. Replay Protection: The system checks for duplicate payloads within a configured window (fuzz/fuzz_targets/webhook_replay_verifier.rs#1-10).
  3. Envelope Schema: Inbound JSON must conform to the webhook-envelope.v1.json schema, ensuring consistent parsing of event types and sources.
Sources: crates/palyra-daemon/src/webhooks.rs#15-72, fuzz/fuzz_targets/webhook_payload_parser.rs#1-15
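
The following sketch is an added example, not code from the Palyra repository. It shows how the size cap, signature requirement, event allowlist and replay window can be combined into one admission check. The type names, the order of the checks, the `sig_ok` input (the page does not name the signature algorithm) and the replay cache keyed on raw payload bytes are all assumptions.

```rust
use std::collections::HashMap;

// Hypothetical mirror of three fields from the integration record on this page.
pub struct Integration {
    pub allowed_events: Vec<String>,
    pub signature_required: bool,
    pub max_payload_bytes: u64,
}

#[derive(Debug, PartialEq)]
pub enum Reject { TooLarge, BadSignature, EventNotAllowed, Replay }

// Hypothetical replay cache: payload bytes -> first-seen time in seconds.
// Keyed on raw bytes to stay std-only; a cryptographic digest would bound memory.
pub struct ReplayWindow { window_secs: u64, seen: HashMap<Vec<u8>, u64> }

impl ReplayWindow {
    pub fn new(window_secs: u64) -> Self { Self { window_secs, seen: HashMap::new() } }

    // True if `body` was already admitted inside the window; otherwise records it.
    pub fn is_replay(&mut self, body: &[u8], now: u64) -> bool {
        let w = self.window_secs;
        self.seen.retain(|_, t| now.saturating_sub(*t) < w); // expire old entries
        if self.seen.contains_key(body) { return true; }
        self.seen.insert(body.to_vec(), now);
        false
    }
}

// `sig_ok` is the outcome of the integration's signature check; the page does
// not name the algorithm, so the result is passed in (assumption).
pub fn admit(i: &Integration, rw: &mut ReplayWindow, event: &str,
             body: &[u8], sig_ok: bool, now: u64) -> Result<(), Reject> {
    if body.len() as u64 > i.max_payload_bytes { return Err(Reject::TooLarge); }
    if i.signature_required && !sig_ok { return Err(Reject::BadSignature); }
    if !i.allowed_events.iter().any(|e| e == event) { return Err(Reject::EventNotAllowed); }
    // Replay check runs last so rejected requests never populate the cache.
    if rw.is_replay(body, now) { return Err(Reject::Replay); }
    Ok(())
}

fn main() {
    let i = Integration { allowed_events: vec!["push".into()], signature_required: true, max_payload_bytes: 64 };
    let mut rw = ReplayWindow::new(300);
    let body = br#"{"event":"push"}"#; // constructed sample payload
    println!("{:?}", admit(&i, &mut rw, "push", body, true, 1_000));
    println!("{:?}", admit(&i, &mut rw, "push", body, true, 1_100));
}
```

Because the replay cache is only written after the other checks pass, an unsigned or oversized request cannot be used to fill it or to block a later legitimate delivery with the same body.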

System Events

System Events are internal triggers emitted by various subsystems (Gateway, Auth, Memory) to record significant actions. These are stored in the Journal Store’s journal_events table.

Event Emission Flow

Events are emitted via the console/v1/system/events/emit endpoint (crates/palyra-cli/src/commands/system.rs#41). Each event includes:

Data Flow: System Event Ingestion

The following diagram illustrates how a system event moves from a subsystem like the ConnectorSupervisor to the persistent journal.
Title: System Event Propagation
Sources: crates/palyra-connector-core/src/supervisor.rs#227-240, crates/palyra-daemon/src/transport/http/handlers/console/system.rs#159-168

CLI Management

The palyra webhooks and palyra system command families provide administrative control over these subsystems.

Webhook Commands

The CLI allows operators to manage the lifecycle of webhook integrations:

System Event Commands

Used for auditing and manual event injection:

Code Entity Association

This diagram maps CLI commands to the underlying Rust functions and API routes.
Title: CLI to Daemon Mapping
Sources: crates/palyra-cli/src/commands/system.rs#15-56, crates/palyra-daemon/src/webhooks.rs#107-118, crates/palyra-cli/src/args/system.rs#21-39

Technical Specifications

Webhook Integration Record

Each entry in the RegistryDocument contains the following fields:
| Field | Type | Description |
| --- | --- | --- |
| integration_id | String | Unique identifier (normalized) |
| provider | String | Source platform (e.g., “github”, “stripe”) |
| secret_vault_ref | String | Reference to palyra-vault for signature keys |
| allowed_events | Vec<String> | Filter for permitted event types |
| signature_required | bool | Enables cryptographic payload validation |
| max_payload_bytes | u64 | Hard cap on inbound POST body size |
Sources: crates/palyra-daemon/src/webhooks.rs#52-72

Diagnostic Statuses

The system tracks readiness via WebhookReadiness (crates/palyra-daemon/src/webhooks.rs#75-80), which checks:
  1. Secret Presence: Verifies the VaultRef resolves to a valid secret (crates/palyra-daemon/src/webhooks.rs#89-93).
  2. Configuration: Validates that filters and identifiers meet byte-size constraints.
Sources: crates/palyra-daemon/src/webhooks.rs#81-93