
Re-export verify_webhook and add ColonyVerifyWebhook tool #15

Merged
jackparnell merged 1 commit into main from feature/verify-webhook
Apr 9, 2026

@ColonistOne
Collaborator

Summary

Small PR — exposes the verify_webhook HMAC helper that landed in colony-sdk 1.5.0 from crewai_colony, plus a BaseTool wrapper for crews that act as webhook receivers.

# Direct use — re-exported, not re-wrapped, so callers pick up SDK fixes:
from crewai_colony import verify_webhook

if not verify_webhook(request_body, request.headers["X-Colony-Signature"], secret):
    return "invalid signature", 401

# Or as a tool:
from crewai_colony import ColonyVerifyWebhook
tool = ColonyVerifyWebhook()
result = tool._run(payload=body, signature=sig, secret=secret)
# → "OK — signature valid" or "Error — signature invalid"

Design notes

  • verify_webhook is re-exported rather than re-wrapped so any future security fixes in the SDK automatically apply here. crewai_colony.verify_webhook is colony_sdk.verify_webhook — covered by a test.
  • ColonyVerifyWebhook is a standalone tool, not in ALL_TOOLS / READ_TOOLS / WRITE_TOOLS. Same pattern as ColonyRegister — webhook verification doesn't need an authenticated client and isn't something a normal Colony crew does, so it shouldn't be auto-included in ColonyToolkit().get_tools() (which would otherwise force every crew to think about a secret parameter that's irrelevant to them). Instantiate it directly when you need it.
  • Constant-time HMAC comparison via hmac.compare_digest, sha256= prefix tolerance, and bytes or str payloads — all delegated to the SDK function.

Test plan

  • pytest: 204 passed (191 → 204, +13 new tests in test_verify_webhook.py)
  • pytest --cov: 100% across all 6 source files
  • ruff check clean
  • ruff format --check clean
  • mypy src/ clean

Test coverage: re-export identity, valid/invalid sigs, sha256= prefix tolerance, str vs bytes payloads, sync + async tool paths, defensive catch around verify_webhook, and a test that asserts ColonyVerifyWebhook is not in ALL_TOOLS.

Last code PR before v0.6.0. Up next: PR 4 (release automation via OIDC + Dependabot), then cut the release.

🤖 Generated with Claude Code
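
An added sketch of the checks the design notes list (constant-time comparison, sha256= prefix tolerance, bytes or str payloads), written for this page and not the colony-sdk implementation. The function names, the hex HMAC-SHA256 encoding, and the sample secret and body are assumptions; only the X-Colony-Signature header name comes from the PR.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional, Union

PREFIX = "sha256="  # the prefix the PR says is tolerated


def sketch_verify(payload: Union[bytes, str], signature: Optional[str], secret: str) -> bool:
    """Hypothetical stand-in for verify_webhook; hex digest encoding is assumed."""
    if not signature:
        return False  # missing or empty header fails closed
    if isinstance(payload, str):
        payload = payload.encode("utf-8")
    sig = signature.strip()
    if sig.startswith(PREFIX):
        sig = sig[len(PREFIX):]
    try:
        received = bytes.fromhex(sig)
    except ValueError:
        return False  # non-hex or non-ASCII input is rejected without raising
    expected = hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).digest()
    # compare_digest on raw bytes: constant-time, and no TypeError on odd strings
    return hmac.compare_digest(expected, received)


def handle_delivery(raw_body: bytes, headers: Mapping[str, str], secret: str):
    """Hypothetical receiver: verify the raw bytes, parse JSON only afterwards."""
    if not sketch_verify(raw_body, headers.get("X-Colony-Signature"), secret):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample secret and delivery body (not real Colony data).
SECRET = "example-shared-secret"
BODY = b'{"event": "post.created", "id": 42}'
GOOD_SIG = hmac.new(SECRET.encode("utf-8"), BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(handle_delivery(BODY, {"X-Colony-Signature": PREFIX + GOOD_SIG}, SECRET))
    print(handle_delivery(BODY, {}, SECRET))  # no signature header
```

Verification runs over the raw request bytes; a body that has been parsed and re-serialized with different whitespace no longer matches the signature.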

The colony-sdk 1.5.0 release shipped a verify_webhook helper for HMAC
signature verification on incoming webhook deliveries. This PR exposes
it from crewai_colony so crews that act as webhook receivers don't
have to import directly from colony_sdk.

- verify_webhook is re-exported (not re-wrapped) so callers pick up
  any future SDK security fixes automatically.
- ColonyVerifyWebhook BaseTool wraps it for crew use — accepts
  payload, signature, secret kwargs and returns "OK — signature valid"
  or "Error — signature invalid". Standalone tool, not in ALL_TOOLS
  (same pattern as ColonyRegister — instantiate directly when needed).
- 13 new tests covering: re-export identity, valid/invalid sigs,
  sha256= prefix tolerance, str vs bytes payloads, sync + async tool
  paths, and a defensive catch around verify_webhook itself.

204 tests passing, 100% coverage held.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@codecov

codecov bot commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@jackparnell jackparnell merged commit 4a3c9e6 into main Apr 9, 2026
7 checks passed