Date: 2026-04-02
Version: 3.0.0 branch audit
Scope: src, .actor, public, docs, tests/setup, tests/unit,
tests/integration, tests/e2e, Dockerfile*, and GitHub workflow files.
The current Webhook Debugger & Logger branch demonstrates a high level of maturity, resilience, and operational readiness. Compared with the earlier audit baseline, this branch now presents a much more explicit product shape: the project behaves as a documented standby-mode web server, supports both Apify-hosted and self-hosted operation, and exposes a broader, better-tested, and better-documented management API.
Key strengths in the current branch include:
- Architecture: A cleaner modular monolith split across routes, middleware, services, repositories, constants, and utilities.
- Runtime Contract: An OpenAPI-based web server schema wired through
.actor/web_server_schema.jsonandusesStandbyMode. - Security: SSRF protection, auth gating, IP allowlisting, request/body redaction, forwarding loop prevention, and provider-aware signature verification.
- Operability: Health and readiness endpoints, structured logging,
configuration hot reload, local
.envsupport, and a standalone Docker path. - Quality: A significantly expanded test pyramid and a much stronger set of architecture, API, and operational documents.
Overall assessment: production-grade, with the main remaining concerns in release management and metadata alignment rather than runtime design.
- Pattern: The application follows a modular monolith architecture with explicit ownership boundaries for transport, orchestration, persistence, and shared utilities.
- Separation of Concerns: Middleware handles auth, security, and parsing; services handle forwarding and synchronization; repositories encapsulate the DuckDB read model; routes expose the HTTP surface.
- DuckDB Read Model: The current branch uses
@duckdb/node-apiwith cached instance management, pooled connections, and serialized writes viaBottleneck. This is a stronger and more modern posture than the earlier audit baseline. - Sync Mechanism: The synchronization flow still reflects a durable disposable-read-model design, rebuilding and querying from actor-managed data without coupling ingress performance to query-time filtering.
- Hot Reload:
HotReloadManagernow supports both Apify key-value-store polling and local filesystem watch behavior, improving both operator agility and local DX. - Environment Loading:
src/utils/load_env.jsadds one-time local.envloading for CLI and self-hosted usage without overriding already injected runtime configuration.
- Standby Web Server:
.actor/actor.jsonnow declaresusesStandbyMode: true, which materially changes the Actor's hosted operating model. - Machine-Readable API Contract:
.actor/web_server_schema.jsondocuments the HTTP API surface and raises the quality bar for runtime discoverability. - Management Surface: The service now formalizes routes for dashboard, runtime info, logs, log detail, payload retrieval, replay, SSE streaming, health, readiness, and system metrics.
- Query Model:
/logsnow behaves like a proper query interface, including richer filters, sort controls, range parsing, and cursor-based pagination. - Input Schema Breadth:
.actor/input_schema.jsonnow exposes controls for replay retries and timeouts, manual memory override, alerting, response simulation, forwarding, redaction, auth, allowlists, and signature verification.
- Type Safety: JSDoc plus TypeScript
checkJsenforcement continue to provide strong guardrails in a JavaScript codebase. - Linting and Formatting: ESLint, Prettier, Husky, and lint-staged are all present and materially stronger than the earlier audit state.
- Constants and Config Hygiene: The branch replaces older inline constants
with a modular
src/consts/layout, improving discoverability and reducing magic values. - Documentation Density: Architecture notes, playbooks, API reference, publication guidance, and operational docs are now extensive and aligned with the actual runtime surface.
- SSRF Protection:
src/utils/ssrf.jsremains one of the stronger parts of the codebase, resolving and validating addresses rather than trusting raw hostnames. - Authentication: When
authKeyis configured, the current branch can protect both management endpoints and webhook ingress, reducing accidental public exposure. - Rate Limiting: The current runtime separates management endpoint limits from the webhook-specific ingress limiter, which is the right shape for a mixed control-plane and data-plane service.
- Signature Verification: The current branch validates webhook signatures for Stripe, Shopify, GitHub, Slack, and custom HMAC flows with optional timestamp tolerance.
- Safe Forwarding: Forwarding loop detection prevents recursive self-calls, which is a common class of webhook automation failure.
- Injection Prevention:
- SQL:
LogRepositoryuses parameterized queries. - XSS: HTML output paths use escaping and CSP-backed rendering.
- JSON Handling: Parsing and validation are centralized rather than scattered across handlers.
- SQL:
- Database Choice: DuckDB remains a strong fit for in-process analytical querying of captured webhook traffic.
- Connection Handling: The current branch already uses
@duckdb/node-api, so the earlier recommendation to migrate to the newer API is obsolete. - Large Payload Handling: Oversized bodies are offloaded to key-value storage, reducing in-memory pressure on the request path.
- Write Serialization:
Bottleneckprotects the file-backed database from lock contention on writes. - Pagination Strategy: Cursor pagination is a concrete improvement for large log sets and standby-mode operation.
- Streaming: SSE handling explicitly disables buffering/compression hazards for real-time log delivery.
- Graceful Shutdown:
src/main.jscontinues to handle process shutdown and database cleanup appropriately. - Health Checks:
/healthand/readymake the service more suitable for orchestration and container platforms. - Self-Hosted Distribution:
Dockerfile.standaloneadds a real self-hosting track and broadens the deployment story beyond Apify. - Release Automation: The repository now includes a Docker release workflow and validation scripts for version and schema drift.
- Developer Onboarding:
.env.example, local Docker guidance, and the growing document set substantially improve operator and contributor readiness.
- Test Pyramid: The repository now has explicit
unit,integration, ande2esuites instead of relying on a flatter legacy layout. - Harness Quality:
tests/setup/helpersnow provides reusable building blocks for app bootstrapping, DB lifecycle, process harnesses, mock setup, payload fixtures, and signature-specific assertions. - Coverage Tooling: The branch adds dedicated coverage matrix and threshold scripts, improving the repeatability of release validation.
- Operational Docs: The addition of
docs/api-reference.md,docs/architecture.md, and multiple playbooks is a material quality signal.
- Version Metadata Alignment: Align
package.json,.actor/actor.json, runtime display/version references,CHANGELOG.md, and release notes before the next formal release. The current branch now targets3.0.0runtime metadata with newer changelog entries. - Schema Drift Guarding: Keep the web server schema validation script wired into release validation so that route behavior and published API contract do not diverge.
- SSRF DNS Caching: If ingress volume grows significantly, a short-lived DNS cache could reduce repeated lookup overhead in SSRF validation.
- Standby Load Monitoring: Monitor long-lived standby workloads for file size growth and connection-pool pressure in file-backed DuckDB deployments.
- Config Discoverability: The configuration story is much stronger than the earlier baseline, but operator defaults still span actor input, environment variables, runtime constants, and docs. Continued consolidation would improve discoverability.
The Webhook Debugger & Logger branch is a production-grade webhook capture, inspection, replay, and API-mocking platform. No critical architectural flaws or obvious high-severity vulnerabilities were found in the sampled review. The largest remaining risk is release metadata drift, not product capability or runtime robustness.