docs: canonical WEBHOOK_TRIGGER_AUTHZ.md for notion, hubspot, linear, shopify
Adds a canonical WEBHOOK_TRIGGER_AUTHZ.md to four shipped apps. Each file describes the app's authz model around the 3 enforcement knobs Composio has today:
- setup() — scope + resource checks at trigger creation

These are the persistent reference for future webhook-trigger work on these apps. The internal webhook-trigger-builder skill (in ~/.claude/skills/) reads them as anchors during Stage 1 (Authz design) — Step 2.5 scans apps/*/WEBHOOK_TRIGGER_AUTHZ.md to learn from how previously-shipped providers solved similar shapes.
The four apps cover the major authz patterns:
- apps/notion/WEBHOOK_TRIGGER_AUTHZ.md — resource-gated, idempotent token, accessible_by[].person_id payload disambiguation. Multiple connected_accounts in the same auth_config share one token; cross-CA leak structurally collapses.
- apps/hubspot/WEBHOOK_TRIGGER_AUTHZ.md — resource-universal, provider enforces required-scope at delivery, route by portalId. Mandatory disclosure of per-record ACL bypass (HubSpot tokens read every record covered by granted scopes regardless of UI permissions).
- apps/linear/WEBHOOK_TRIGGER_AUTHZ.md — mixed: app-level for public teams, polling for private. User-level webhooks rejected because admin-gated.
- apps/shopify/WEBHOOK_TRIGGER_AUTHZ.md — resource-universal, (client_id, shop_id) grant, app-level webhooks via app manifest + POST for optional scopes. Admin-gated install.

🤖 Generated with Claude Code