Reference
Webhooks
Subscribe to deterministic events from codingassist.bot.
codingassist.bot emits at-least-once webhooks for every lifecycle event, signed with HMAC-SHA256.
Events
| Event | When |
|---|---|
review.queued | A new review is accepted |
review.completed | The orchestrator emitted a verdict |
review.failed | Pipeline failure (see error_code) |
finding.created | Surfaced after deduplication |
Verify a webhook
The signature is sent in the X-Coding Assist-Signature header as t=...,v1=....
import { createHmac, timingSafeEqual } from "node:crypto";
export function verify(rawBody: string, header: string, secret: string) {
const parts = Object.fromEntries(header.split(",").map((p) => p.split("=")));
const expected = createHmac("sha256", secret)
.update(`${parts.t}.${rawBody}`)
.digest("hex");
return timingSafeEqual(Buffer.from(parts.v1, "hex"), Buffer.from(expected, "hex"));
}Related
Was this page helpful?