-
Notifications
You must be signed in to change notification settings - Fork 0
Back to Milestones
M3 — Security hardening + receiver verify
OpenJun 28, 2026
No due date
•Last updated Non-bypassable SSRF guard (HTTPS-only, IP filtering, anti-rebinding, no-redirect); payload/response caps; secret-at-rest via host IDataProtectionProvider; WebhookVerifier + timestamp replay protection.
0% complete
List view
0 of 5 selected 0 issues of 5 selected
epic: security hardening + receiver verify
area:securitySSRF guard, signing, secret-at-rest, receiver verifySSRF guard, signing, secret-at-rest, receiver verifyepicA north-star milestone-level item to decomposeA north-star milestone-level item to decomposepriority:p2Normal priorityNormal priorityrisk:criticalSSRF/signing/secret/public-API/migrations; review + design (Opus, max)SSRF/signing/secret/public-API/migrations; review + design (Opus, max)Status: Open.#9 In williamdewitt/Caliber.Webhooks;feat(security): non-bypassable SSRF guard (M3a)
area:deliveryDelivery loop / dispatcher / retry / signingDelivery loop / dispatcher / retry / signingarea:securitySSRF guard, signing, secret-at-rest, receiver verifySSRF guard, signing, secret-at-rest, receiver verifypriority:p2Normal priorityNormal priorityreadyHas acceptance criteria + DoD; pickable by the loopHas acceptance criteria + DoD; pickable by the looprisk:criticalSSRF/signing/secret/public-API/migrations; review + design (Opus, max)SSRF/signing/secret/public-API/migrations; review + design (Opus, max)type:featNew featureNew featureStatus: Open.#70 In williamdewitt/Caliber.Webhooks;feat(security): outbound payload + response-read caps + TLS-on (M3b)
area:deliveryDelivery loop / dispatcher / retry / signingDelivery loop / dispatcher / retry / signingarea:securitySSRF guard, signing, secret-at-rest, receiver verifySSRF guard, signing, secret-at-rest, receiver verifypriority:p2Normal priorityNormal priorityreadyHas acceptance criteria + DoD; pickable by the loopHas acceptance criteria + DoD; pickable by the looprisk:criticalSSRF/signing/secret/public-API/migrations; review + design (Opus, max)SSRF/signing/secret/public-API/migrations; review + design (Opus, max)type:featNew featureNew featureStatus: Open.#71 In williamdewitt/Caliber.Webhooks;feat(security): secret-at-rest via host IDataProtectionProvider (M3c)
area:securitySSRF guard, signing, secret-at-rest, receiver verifySSRF guard, signing, secret-at-rest, receiver verifypriority:p2Normal priorityNormal priorityreadyHas acceptance criteria + DoD; pickable by the loopHas acceptance criteria + DoD; pickable by the looprisk:criticalSSRF/signing/secret/public-API/migrations; review + design (Opus, max)SSRF/signing/secret/public-API/migrations; review + design (Opus, max)type:featNew featureNew featureStatus: Open.#72 In williamdewitt/Caliber.Webhooks;feat(security): receiver WebhookVerifier + replay protection (M3d)
area:securitySSRF guard, signing, secret-at-rest, receiver verifySSRF guard, signing, secret-at-rest, receiver verifypriority:p2Normal priorityNormal priorityreadyHas acceptance criteria + DoD; pickable by the loopHas acceptance criteria + DoD; pickable by the looprisk:criticalSSRF/signing/secret/public-API/migrations; review + design (Opus, max)SSRF/signing/secret/public-API/migrations; review + design (Opus, max)type:featNew featureNew featureStatus: Open.#73 In williamdewitt/Caliber.Webhooks;