ShipSecAI · betterclever · Jan 2, 2026 · Jan 1, 2026 · Jan 1, 2026 · Jan 1, 2026
diff --git a/backend/drizzle/0018_create-webhooks.sql b/backend/drizzle/0018_create-webhooks.sql
@@ -0,0 +1,34 @@
+CREATE TABLE IF NOT EXISTS "webhook_configurations" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  "workflow_id" uuid NOT NULL,
+  "workflow_version_id" uuid,
+  "workflow_version" integer,
+  "name" text NOT NULL,
+  "description" text,
+  "webhook_path" varchar(255) UNIQUE NOT NULL,
+  "parsing_script" text NOT NULL,
+  "expected_inputs" jsonb NOT NULL,
+  "status" text NOT NULL DEFAULT 'active',
+  "organization_id" varchar(191),
+  "created_by" varchar(191),
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE TABLE IF NOT EXISTS "webhook_deliveries" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  "webhook_id" uuid NOT NULL REFERENCES "webhook_configurations"("id") ON DELETE CASCADE,
+  "workflow_run_id" text,
+  "status" text NOT NULL DEFAULT 'processing',
+  "payload" jsonb NOT NULL,
+  "headers" jsonb,
+  "parsed_data" jsonb,
+  "error_message" text,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "completed_at" timestamptz
+);
+
+CREATE INDEX IF NOT EXISTS "webhook_configurations_workflow_idx" ON "webhook_configurations" ("workflow_id", "status");
+CREATE INDEX IF NOT EXISTS "webhook_configurations_path_idx" ON "webhook_configurations" ("webhook_path");
+CREATE INDEX IF NOT EXISTS "webhook_deliveries_webhook_idx" ON "webhook_deliveries" ("webhook_id", "created_at" DESC);
+CREATE INDEX IF NOT EXISTS "webhook_deliveries_run_id_idx" ON "webhook_deliveries" ("workflow_run_id");
diff --git a/backend/package.json b/backend/package.json
@@ -36,6 +36,7 @@
     "bcryptjs": "^3.0.3",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.1",
+    "date-fns": "^4.1.0",
     "dotenv": "^17.2.3",
     "drizzle-orm": "^0.44.6",
     "ioredis": "^5.4.1",

diff --git a/backend/src/auth/__tests__/auth.guard.spec.ts b/backend/src/auth/__tests__/auth.guard.spec.ts
@@ -1,6 +1,7 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from 'bun:test';
 import type { ExecutionContext } from '@nestjs/common';
 import { UnauthorizedException } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
 import type { Request } from 'express';
 
 import { AuthGuard, type RequestWithAuthContext } from '../auth.guard';
@@ -18,6 +19,9 @@ describe('AuthGuard', () => {
   let mockApiKeysService: {
     validateKey: ReturnType<typeof vi.fn>;
   };
+  let mockReflector: {
+    getAllAndOverride: ReturnType<typeof vi.fn>;
+  };
   let mockExecutionContext: ExecutionContext;
   let mockRequest: RequestWithAuthContext;
 
@@ -30,11 +34,15 @@ describe('AuthGuard', () => {
     mockApiKeysService = {
       validateKey: vi.fn(),
     };
+    mockReflector = {
+      getAllAndOverride: vi.fn(),
+    };
 
     // Create guard with mocked dependencies
     guard = new AuthGuard(
       mockAuthService as unknown as AuthService,
       mockApiKeysService as unknown as ApiKeysService,
+      mockReflector as unknown as Reflector,
     );
 
     // Setup mock request
@@ -50,6 +58,8 @@ describe('AuthGuard', () => {
       switchToHttp: vi.fn(() => ({
         getRequest: vi.fn(() => mockRequest),
       })),
+      getHandler: vi.fn(),
+      getClass: vi.fn(),
     } as unknown as ExecutionContext;
   });
 
@@ -59,6 +69,8 @@ describe('AuthGuard', () => {
         switchToHttp: vi.fn(() => ({
           getRequest: vi.fn(() => null),
         })),
+        getHandler: vi.fn(),
+        getClass: vi.fn(),
       } as unknown as ExecutionContext;
 
       const result = await guard.canActivate(contextWithoutRequest);
@@ -565,5 +577,35 @@ describe('AuthGuard', () => {
       expect(mockRequest.auth?.provider).toBe('api-key');
     });
   });
+
+  describe('Public decorator', () => {
+    it('should allow access to endpoints marked as public', async () => {
+      mockReflector.getAllAndOverride.mockReturnValue(true);
+
+      const result = await guard.canActivate(mockExecutionContext);
+
+      expect(result).toBe(true);
+      expect(mockAuthService.authenticate).not.toHaveBeenCalled();
+      expect(mockApiKeysService.validateKey).not.toHaveBeenCalled();
+      expect(mockRequest.auth).toBeUndefined();
+    });
+
+    it('should continue authentication for endpoints not marked as public', async () => {
+      mockReflector.getAllAndOverride.mockReturnValue(false);
+      mockAuthService.authenticate.mockResolvedValue({
+        userId: 'user-1',
+        organizationId: 'org-1',
+        roles: ['MEMBER'],
+        isAuthenticated: true,
+        provider: 'clerk',
+      });
+
+      const result = await guard.canActivate(mockExecutionContext);
+
+      expect(result).toBe(true);
+      expect(mockAuthService.authenticate).toHaveBeenCalled();
+      expect(mockRequest.auth?.userId).toBe('user-1');
+    });
+  });
 });
 
diff --git a/backend/src/auth/auth.guard.ts b/backend/src/auth/auth.guard.ts
@@ -1,9 +1,11 @@
 import type { CanActivate, ExecutionContext } from '@nestjs/common';
 import { Injectable, Logger, UnauthorizedException, Inject, forwardRef } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
 import type { Request } from 'express';
 
 import { AuthService } from './auth.service';
 import { ApiKeysService } from '../api-keys/api-keys.service';
+import { IS_PUBLIC_KEY } from './public.decorator';
 import type { AuthContext } from './types';
 import { DEFAULT_ROLES } from './types';
 import { DEFAULT_ORGANIZATION_ID } from './constants';
@@ -20,9 +22,19 @@ export class AuthGuard implements CanActivate {
     private readonly authService: AuthService,
     @Inject(forwardRef(() => ApiKeysService))
     private readonly apiKeysService: ApiKeysService,
+    private readonly reflector: Reflector,
   ) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
+    const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    if (isPublic) {
+      return true;
+    }
+
     const http = context.switchToHttp();
     const request = http.getRequest<RequestWithAuthContext>();
     if (!request) {

diff --git a/backend/src/auth/public.decorator.ts b/backend/src/auth/public.decorator.ts
@@ -0,0 +1,4 @@
+import { SetMetadata } from '@nestjs/common';
+
+export const IS_PUBLIC_KEY = 'isPublic';
+export const Public = () => SetMetadata(IS_PUBLIC_KEY, true);
diff --git a/backend/src/database/schema/index.ts b/backend/src/database/schema/index.ts
@@ -12,6 +12,7 @@ export * from './workflow-roles';
 export * from './integrations';
 export * from './workflow-schedules';
 export * from './human-input-requests';
+export * from './webhooks';
 
 export * from './terminal-records';
 export * from './agent-trace-events';

diff --git a/backend/src/database/schema/webhooks.ts b/backend/src/database/schema/webhooks.ts
@@ -0,0 +1,42 @@
+import { integer, jsonb, pgTable, text, timestamp, uuid, varchar } from 'drizzle-orm/pg-core';
+
+export const webhookConfigurationsTable = pgTable('webhook_configurations', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  workflowId: uuid('workflow_id').notNull(),
+  workflowVersionId: uuid('workflow_version_id'),
+  workflowVersion: integer('workflow_version'),
+  name: text('name').notNull(),
+  description: text('description'),
+  webhookPath: varchar('webhook_path', { length: 255 }).notNull().unique(),
+  parsingScript: text('parsing_script').notNull(),
+  expectedInputs: jsonb('expected_inputs').notNull().$type<Array<{
+    id: string;
+    label: string;
+    type: 'text' | 'number' | 'json' | 'array' | 'file';
+    required: boolean;
+    description?: string;
+  }>>(),
+  status: text('status').notNull().default('active').$type<'active' | 'inactive'>(),
+  organizationId: varchar('organization_id', { length: 191 }),
+  createdBy: varchar('created_by', { length: 191 }),
+  createdAt: timestamp('created_at', { withTimezone: true }).defaultNow().notNull(),
+  updatedAt: timestamp('updated_at', { withTimezone: true }).defaultNow().notNull(),
+});
+
+export const webhookDeliveriesTable = pgTable('webhook_deliveries', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  webhookId: uuid('webhook_id').notNull().references(() => webhookConfigurationsTable.id, { onDelete: 'cascade' }),
+  workflowRunId: text('workflow_run_id'),
+  status: text('status').notNull().default('processing').$type<'processing' | 'delivered' | 'failed'>(),
+  payload: jsonb('payload').notNull().$type<Record<string, unknown>>(),
+  headers: jsonb('headers').$type<Record<string, string> | undefined>(),
+  parsedData: jsonb('parsed_data').$type<Record<string, unknown>>(),
+  errorMessage: text('error_message'),
+  createdAt: timestamp('created_at', { withTimezone: true }).defaultNow().notNull(),
+  completedAt: timestamp('completed_at', { withTimezone: true }),
+});
+
+export type WebhookConfigurationRecord = typeof webhookConfigurationsTable.$inferSelect;
+export type WebhookConfigurationInsert = typeof webhookConfigurationsTable.$inferInsert;
+export type WebhookDeliveryRecord = typeof webhookDeliveriesTable.$inferSelect;
+export type WebhookDeliveryInsert = typeof webhookDeliveriesTable.$inferInsert;