test(webhooks): wire signer-conformance harness into npm test (#2546, #2549)#2609
Merged
test(webhooks): wire signer-conformance harness into npm test (#2546, #2549)#2609
Conversation
The harness (tests/webhook-hmac-signer-conformance.test.cjs) and fixtures (static/test-vectors/webhook-hmac-sha256.json signer_side block) were added by #2548 but the harness had no npm script wiring, so it wasn't on the default test path. A regression in the reference signer or a fixture miscategorization would not have failed CI. Adds test:hmac-signer-conformance npm script and slots it into the top-level test chain next to test:hmac-vectors. No code or fixture changes. Closes #2546 (fixture was landed by #2548). Closes #2549 (harness wired to CI by this change). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Follow-up from code review on the initial PR. The previous commit added test:hmac-signer-conformance to the top-level npm test chain, but CI doesn't invoke npm test — it runs a hand-picked subset of scripts via build-check.yml and schema-validation.yml. The script was discoverable locally but unreachable on PRs. Turns out the sibling test:hmac-vectors had the same dead-wiring — landed as an npm script but never called by any workflow. Changes: - .github/workflows/schema-validation.yml: new step runs both test:hmac-vectors (verifier-side) and test:hmac-signer-conformance (signer-side). One gate, both sides of the duplicate-key contract. - tests/webhook-hmac-signer-conformance.test.cjs: assert the signer_side fixture block exists and both vector kinds are non-empty, so a future fixture refactor can't silently make the gate vacuous (the for-of loops would otherwise exit 0 with zero assertions). The npm script and test-chain slot-in from the prior commit stay — still useful for local discovery and for any future CI path that does invoke the top-level npm test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The signer-side duplicate-key fixtures (#2546) and the signer-conformance harness (#2549) were both landed by PR #2548, but the harness wasn't wired into CI. A regression in the reference signer — or a fixture miscategorization — would not have failed any build.
Code review on the initial commit caught that the sibling
test:hmac-vectors(verifier-side) had the same dead-wiring — present as an npm script but never invoked by any workflow.This PR closes both gaps in one move.
What ships
.github/workflows/schema-validation.ymlgains a new "HMAC webhook conformance (verifier + signer)" step that runs bothtest:hmac-vectorsandtest:hmac-signer-conformanceon every PR.package.jsongains thetest:hmac-signer-conformancenpm script and slots it into the top-leveltestchain for local discoverability.tests/webhook-hmac-signer-conformance.test.cjsgains a top-level assertion that thesigner_sidefixture block exists with non-emptyrejection_vectorsandpositive_vectors— so a future fixture refactor can't silently make the gate vacuous.No changes to fixtures, reference signer, or any production code.
Closes
Review findings addressed
npm test; adding to the chain was insufficient. Fixed by wiring into schema-validation.yml directly.signer_sideblock. Added guard assertion.Test plan
npm run test:hmac-signer-conformance— 31 tests pass (30 + new fixture guard)npm run test:hmac-vectors— passesnpm test— 631 tests pass, typecheck clean🤖 Generated with Claude Code