feat(api): add team event-types webhooks controller

[ThyMinimalDev]

What does this PR do?

Adds a new API v2 controller for managing webhooks on team event types, following the existing pattern from event-types-webhooks.controller.ts.

New endpoints at /v2/teams/:teamId/event-types/:eventTypeId/webhooks:

• POST / - Create a webhook for a team event type
• PATCH /:webhookId - Update a webhook
• GET /:webhookId - Get a specific webhook
• GET / - List all webhooks (paginated)
• DELETE /:webhookId - Delete a specific webhook
• DELETE / - Delete all webhooks for the event type

New files:

• TeamsEventTypesWebhooksController - Main controller with CRUD endpoints
• IsTeamEventTypeWebhookGuard - Authorization guard validating team admin/owner membership and event type ownership
• TeamEventTypeWebhooksService - Business logic layer for webhook operations
• teams-event-types-webhooks.controller.e2e-spec.ts - E2E tests covering all endpoints

Configuration change:

• Added unsafeParameterDecoratorsEnabled: true to biome.json to support NestJS parameter decorators

Updates since last revision

• Updated IsTeamEventTypeWebhookGuard to only allow team admins or owners to manage webhooks (not regular team members). The guard now uses getUserAdminOrOwnerTeamMembership instead of findMembershipByTeamId.
• Fixed import type statements in controller, service, and guard files per cubic-dev-ai feedback. Changed to regular imports for services, repositories, and DTOs that require runtime availability for NestJS dependency injection and class-validator/class-transformer.

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A - API endpoints are auto-documented via OpenAPI decorators.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

1. Create a team with an event type
2. Use API v2 with a team admin's API key
3. Test CRUD operations on /v2/teams/{teamId}/event-types/{eventTypeId}/webhooks
4. Verify non-admin team members cannot access the endpoints (should get 403)
5. Verify non-team-members cannot access the endpoints
6. Verify webhooks are correctly associated with the team event type

E2E tests can be run with:

TZ=UTC yarn test:e2e --testPathPattern="teams-event-types-webhooks.controller.e2e-spec.ts"

Human Review Checklist

• Verify the guard correctly restricts access to team admins/owners only (uses getUserAdminOrOwnerTeamMembership)
• Verify the guard correctly validates event type belongs to the team before allowing access
• Review the biome.json global configuration change for NestJS decorator support
• Verify E2E tests adequately cover authorization edge cases (non-team-member access, webhook not belonging to event type, etc.)

---

Link to Devin run: https://app.devin.ai/sessions/3afb0c9b900f43f8a86ace48c190c5a0
Requested by: morgan@cal.com (@ThyMinimalDev)

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
cal	Ignored		Jan 5, 2026 2:22pm
cal-companion	Ignored	Preview	Jan 5, 2026 2:22pm
cal-eu	Ignored		Jan 5, 2026 2:22pm

[cubic-dev-ai]

4 issues found across 7 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.ts">

<violation number="1" location="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.ts:25">
P1: Using `import type` for DTO classes used with `@Body()` will prevent class-validator and class-transformer from working correctly. The actual class constructors are needed at runtime for validation. Use a regular import instead.</violation>

<violation number="2" location="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.ts:34">
P0: Using `import type` for injected services will break NestJS dependency injection at runtime. Type-only imports are erased during compilation, so the DI container cannot resolve `TeamEventTypeWebhooksService`. Use a regular import instead.</violation>
</file>

<file name="apps/api/v2/src/modules/webhooks/services/team-event-type-webhooks.service.ts">

<violation number="1" location="apps/api/v2/src/modules/webhooks/services/team-event-type-webhooks.service.ts:4">
P0: Using `import type` for `WebhooksRepository` will break NestJS dependency injection. The type is erased at compile time, so the DI container won&#39;t know what to inject. Use a regular import like the existing `event-type-webhooks.service.ts` does.</violation>
</file>

<file name="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.e2e-spec.ts">

<violation number="1" location="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.e2e-spec.ts:80">
P2: Missing test case for non-admin team member authorization. The PR claims to test that &quot;non-admin team members cannot access the endpoints (should get 403)&quot; but all test users are created with `role: &quot;ADMIN&quot;`. Consider adding a test user with `role: &quot;MEMBER&quot;` and a test case verifying they receive 403 when accessing webhook endpoints on their team&#39;s event types.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[supalarry]

Review:

[github-actions]

E2E results are ready!

• Workflow #97002.1 latest results

[cubic-dev-ai]

1 issue found across 9 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.ts">

<violation number="1" location="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.ts:2">
P1: Using `import type` for `SkipTakePagination` will erase the class at runtime, breaking query parameter validation and transformation. This class has `@Transform`, `@IsNumber`, `@Min`, `@Max` decorators that require runtime availability. Change to a regular import to match the pattern in `event-types-webhooks.controller.ts`.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[supalarry]

Review:

[cubic-dev-ai]

4 issues found across 9 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.e2e-spec.ts">

<violation number="1" location="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.e2e-spec.ts:79">
P2: Missing test coverage for MEMBER role restriction. The PR specifically changes the guard to only allow team admins/owners, but there&#39;s no test verifying that a regular team MEMBER gets 403 when accessing these endpoints. Consider adding a test with a user who has `role: &quot;MEMBER&quot;` membership on the team and verify they receive 403.</violation>
</file>

<file name="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.ts">

<violation number="1" location="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.ts:52">
P1: Missing authorization check: The `eventTypeId` is not validated to belong to the team. A team admin could create webhooks on event types belonging to other teams. Consider adding a guard that validates event type ownership (similar to how `IsTeamEventTypeWebhookGuard.validateAndGetEventType` checks `teamsEventTypesRepository.getTeamEventType(teamId, eventTypeId)`).</violation>

<violation number="2" location="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.ts:52">
P0: Missing authorization check: The `eventTypeId` is not validated to belong to the team. A team admin could delete all webhooks from event types belonging to other teams. This is a critical authorization bypass. Consider adding a guard that validates event type ownership before allowing deletion.</violation>

<violation number="3" location="apps/api/v2/src/modules/teams/event-types/controllers/teams-event-types-webhooks.controller.ts:91">
P1: Missing authorization check: The `eventTypeId` is not validated to belong to the team. A team member could list webhooks from event types belonging to other teams. Consider adding a guard that validates the event type belongs to the specified team before returning webhooks.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[volnei]

🚀