
feat: HMAC-SHA1 webhook signature verification and idempotency guard for Make.com events#154

Draft
Copilot wants to merge 2 commits into main from copilot/integrate-sha1-signature

Conversation

Contributor

Copilot AI commented Apr 9, 2026

Incoming Make.com webhook events lacked signature verification and had no protection against concurrent duplicate processing, causing scenario-level concurrency errors.

Changes

api/peacock_core.py

  • verify_webhook_sha1_signature(payload, signature_header, secret) — validates X-Hub-Signature: sha1=<digest> headers via hmac.compare_digest (timing-safe)
  • IdempotencyGuard — thread-safe, TTL-based in-memory deduplication keyed on event_id; auto-evicts expired entries and caps size at 10k

api/index.py

  • mirror_digital_event handler now:
    • Rejects requests with invalid HMAC-SHA1 signatures (401) when MAKE_WEBHOOK_SECRET is set
    • Returns 200 {"duplicate": true, "skipped": true} for already-seen event_ids within TTL window

tests/test_peacock_core.py

  • 15 new tests covering: valid/invalid signatures, tampered payloads, empty inputs, case-insensitive digest comparison, TTL expiry, max-size eviction

Example

```python
import os

# Signature verification (raw_body is the unparsed request body bytes)
secret = os.environ["MAKE_WEBHOOK_SECRET"]
sig = request.headers.get("X-Hub-Signature", "")
if not verify_webhook_sha1_signature(raw_body, sig, secret):
    return 401  # rejected

# Idempotency (event_id taken from the decoded event payload)
if _idempotency_guard.is_duplicate(event_id):
    return {"status": "ok", "duplicate": True, "skipped": True}
_idempotency_guard.mark_seen(event_id)
```

Signature verification is opt-in (no-op when MAKE_WEBHOOK_SECRET is unset); event_id deduplication is skipped for events that omit the field.
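The two mechanisms the PR describes, written out as an added example that is not the PR's own code. It follows the names given above (`verify_webhook_sha1_signature(payload, signature_header, secret)`, `IdempotencyGuard` with `is_duplicate`/`mark_seen`, the 10k cap, the opt-in secret and the skipped deduplication when `event_id` is absent) but the bodies, the `ttl_seconds` and `clock` parameters, the `check_and_mark` method, `sign_payload`, `ManualClock` and `handle_make_event` are assumptions of this example, not `api/peacock_core.py`. The `check_and_mark` method goes one step beyond the two-call form in the description: it checks and records under a single lock, so two concurrent deliveries of the same `event_id` cannot both pass the check before either marks it.

```python
# Added example, not the project's code: HMAC-SHA1 webhook verification plus a
# TTL-bounded idempotency guard. Names follow the PR text; bodies are assumed.
import hashlib
import hmac
import threading
import time
from collections import OrderedDict
from typing import Callable, Dict, Optional, Tuple


def sign_payload(payload: bytes, secret: str) -> str:
    """Header value a sender attaches: 'sha1=<hexdigest>' over the raw body."""
    return "sha1=" + hmac.new(secret.encode("utf-8"), payload, hashlib.sha1).hexdigest()


def verify_webhook_sha1_signature(payload: bytes, signature_header: str, secret: str) -> bool:
    """Check an `X-Hub-Signature: sha1=<hexdigest>` header against the raw body.

    Returns False for empty inputs, a malformed header, a non-sha1 scheme or a
    digest mismatch. The hex digest is compared case-insensitively and in
    constant time via hmac.compare_digest.
    """
    if not payload or not signature_header or not secret:
        return False
    scheme, sep, received = signature_header.strip().partition("=")
    if sep != "=" or scheme.lower() != "sha1" or not received or not received.isascii():
        return False  # compare_digest on str accepts ASCII only, so reject early
    expected = hmac.new(secret.encode("utf-8"), payload, hashlib.sha1).hexdigest()
    # Lowercasing both sides keeps the comparison case-insensitive without
    # turning it into an early-exit string compare.
    return hmac.compare_digest(expected, received.lower())


class IdempotencyGuard:
    """Thread-safe, TTL-based in-memory record of recently seen event ids.

    Every entry gets the same TTL, so insertion order is expiry order and an
    OrderedDict gives O(1) eviction of the oldest entry for both expiry and
    the size cap.
    """

    def __init__(self, ttl_seconds: float = 300.0, max_size: int = 10_000,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._ttl = ttl_seconds
        self._max_size = max_size
        self._clock = clock  # injectable so TTL behaviour can be exercised offline
        self._lock = threading.Lock()
        self._seen: "OrderedDict[str, float]" = OrderedDict()  # event_id -> expiry time

    def _evict_expired(self, now: float) -> None:
        while self._seen:
            _, expires_at = next(iter(self._seen.items()))
            if expires_at > now:
                break
            self._seen.popitem(last=False)

    def _mark_locked(self, event_id: str) -> None:
        now = self._clock()
        self._evict_expired(now)
        self._seen[event_id] = now + self._ttl
        self._seen.move_to_end(event_id)  # re-marking refreshes the TTL
        while len(self._seen) > self._max_size:
            self._seen.popitem(last=False)  # over the cap: drop the oldest entry

    def is_duplicate(self, event_id: str) -> bool:
        with self._lock:
            self._evict_expired(self._clock())
            return event_id in self._seen

    def mark_seen(self, event_id: str) -> None:
        with self._lock:
            self._mark_locked(event_id)

    def check_and_mark(self, event_id: str) -> bool:
        """Atomically record event_id; True if new, False if already seen.

        One lock covers both the check and the mark, so concurrent deliveries
        of the same event cannot both observe 'not seen'.
        """
        with self._lock:
            if self._clock() < self._seen.get(event_id, float("-inf")):
                return False  # present and not yet expired
            self._mark_locked(event_id)
            return True

    def __len__(self) -> int:
        with self._lock:
            return len(self._seen)


class ManualClock:
    """Hand-advanced clock so TTL expiry can be demonstrated without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def handle_make_event(raw_body: bytes, headers: Dict[str, str], event_id: Optional[str],
                      secret: Optional[str], guard: IdempotencyGuard) -> Tuple[int, dict]:
    """Handler shape from the PR description: verification is opt-in on `secret`,
    deduplication is skipped when the event carries no event_id."""
    if secret and not verify_webhook_sha1_signature(raw_body, headers.get("X-Hub-Signature", ""), secret):
        return 401, {"error": "invalid signature"}
    if event_id is not None and not guard.check_and_mark(event_id):
        return 200, {"status": "ok", "duplicate": True, "skipped": True}
    return 200, {"status": "ok"}
```

In `handle_make_event` the verification runs over the raw body bytes, not a re-serialised JSON object, because any whitespace or key-order difference changes the digest. The `ManualClock` exists only so that TTL expiry and cap eviction can be exercised deterministically; production use keeps the default `time.monotonic`.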

@vercel

vercel bot commented Apr 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| tryonyou-app | Ready | Preview, Comment | Apr 9, 2026 3:53am |
| tryonyou-pilot | Error | | Apr 9, 2026 3:53am |


Copilot AI changed the title from "[WIP] Integrate SHA1 signature and lock concurrency" to "feat: HMAC-SHA1 webhook signature verification and idempotency guard for Make.com events" Apr 9, 2026
Copilot AI requested a review from LVT-ENG April 9, 2026 03:55
@cursor cursor bot deleted the copilot/integrate-sha1-signature branch April 9, 2026 08:21