Finding
ID: Enterprise Gap | Severity: MEDIUM
No X-Aegis-Signature header on outbound webhooks. Receivers cannot verify payload authenticity.
Fix Required
- Add webhookSecret?: string to the webhook channel config
- Sign the raw request body with HMAC-SHA256 keyed by webhookSecret and send the digest as X-Aegis-Signature: sha256=<hex>
Files: src/channels/webhook.ts, src/config.ts
Acceptance Criteria
Webhook receiver recomputes the HMAC over the raw body it received, compares it to X-Aegis-Signature in constant time, and rejects any payload whose signature is missing, malformed, or does not match (tampered body or wrong secret).
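Reference implementation of the sender-side signing and the receiver-side check described in Fix Required and Acceptance Criteria, added here as an illustration. It is not the project's own code from src/channels/webhook.ts or src/config.ts; the function names, the header-building helper, and the sample secret and body are assumptions made for the example. It uses only Node's built-in crypto module.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Header name from the finding; the secret is the proposed webhookSecret
// channel config value. Both are assumed, not read from project config.
export const SIGNATURE_HEADER = "X-Aegis-Signature";

// Sender side: sign the exact bytes that go on the wire. Callers must pass
// the serialized body that is actually sent, not an object that gets
// re-serialized later (key order or whitespace changes would break the MAC).
export function signPayload(webhookSecret: string, body: Buffer | string): string {
  const digest = createHmac("sha256", webhookSecret).update(body).digest("hex");
  return `sha256=${digest}`;
}

// Build the outbound request headers (hypothetical helper shape).
export function buildHeaders(webhookSecret: string, body: string): Record<string, string> {
  return {
    "Content-Type": "application/json",
    [SIGNATURE_HEADER]: signPayload(webhookSecret, body),
  };
}

// Receiver side: recompute over the raw body and compare in constant time.
// Returns false for a missing header, an unknown scheme, a malformed hex
// digest, or a digest that does not match.
export function verifySignature(
  webhookSecret: string,
  rawBody: Buffer | string,
  headerValue: string | undefined,
): boolean {
  if (!headerValue) return false;
  const idx = headerValue.indexOf("=");
  if (idx < 0) return false;
  const scheme = headerValue.slice(0, idx);
  const hex = headerValue.slice(idx + 1);
  if (scheme !== "sha256" || !/^[0-9a-f]{64}$/.test(hex)) return false;
  const expected = createHmac("sha256", webhookSecret).update(rawBody).digest();
  const received = Buffer.from(hex, "hex");
  // Lengths are equal after the regex check; timingSafeEqual throws otherwise.
  if (expected.length !== received.length) return false;
  return timingSafeEqual(expected, received);
}

// Constructed sample data for a stand-alone run (not real secrets or events).
export const SAMPLE_SECRET = "example-webhook-secret";
export const SAMPLE_BODY = JSON.stringify({ event: "finding.created", id: 42 });

// End-to-end check: genuine delivery verifies, a tampered body does not.
export function demo(): { genuine: boolean; tampered: boolean; wrongSecret: boolean } {
  const headers = buildHeaders(SAMPLE_SECRET, SAMPLE_BODY);
  const sig = headers[SIGNATURE_HEADER];
  const tamperedBody = SAMPLE_BODY.replace('"id":42', '"id":43');
  return {
    genuine: verifySignature(SAMPLE_SECRET, SAMPLE_BODY, sig),
    tampered: verifySignature(SAMPLE_SECRET, tamperedBody, sig),
    wrongSecret: verifySignature("other-secret", SAMPLE_BODY, sig),
  };
}
```

The receiver must feed verifySignature the raw request bytes (for example the body captured before JSON parsing), and the comparison must stay constant-time; a plain string equality on the hex digest would leak the valid signature byte by byte. HMAC over the body alone authenticates the payload but does not prevent a captured delivery from being replayed; if that matters for a given receiver, a timestamp would need to be included in the signed input, which is outside this finding's scope.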
Milestone
M-E5: API & Integration