feat: add orb-webhooks skill

[leggetter]

Summary

Adds a complete orb-webhooks provider skill for Orb (usage-based billing). HMAC-SHA256 manual verification with the unusual signed-content format v1:{X-Orb-Timestamp}:{rawBody} (literal v1 prefix, ISO-8601 timestamp, colon separators).

What's included

• skills/orb-webhooks/SKILL.md — entry point with frontmatter and the verification core
• skills/orb-webhooks/references/ — overview (event taxonomy + summary-webhooks variant), setup (dashboard config + per-endpoint secret), verification (signature algorithm, gotchas, idempotency recommendation)
• skills/orb-webhooks/examples/ — Express, Next.js App Router, FastAPI handlers with tests
• Integration: providers.yaml, README.md, .claude-plugin/marketplace.json (both as a standalone plugin and added to the webhook-skills bundle)

Notes

• Header pair: X-Orb-Signature: v1=<hex> carries the HMAC; X-Orb-Timestamp: <ISO-8601> carries the timestamp separately.
• Signed content: v1:{X-Orb-Timestamp}:{raw-body} — literal v1, colon, ISO timestamp (as a string, not a Unix epoch), colon, raw body bytes. Pass the raw request body; don't JSON.parse and re-serialize.
• Signing key: per-endpoint signing secret from the Orb dashboard. Each webhook endpoint gets its own secret (NOT the account API key).
• Replay protection: the docs don't mandate a tolerance window — Orb just delivers X-Orb-Timestamp and recommends consumers pick a threshold. The skill recommends a 5-minute window in handlers plus event-id idempotency for at-least-once delivery safety.
• Common events: customer (customer.created, customer.credit_balance_dropped), subscriptions (subscription.created / .started / .ended / .plan_changed / .edited / .usage_exceeded), invoices (invoice.issued / .payment_succeeded / .payment_failed / .edited), data exports (data_exports.transfer_success).
• Summary webhooks: opt-in variant covering the same events with smaller payloads (line_items omitted from invoices; customer/plan minified to identification fields). Same signature scheme. Skill recommends fetching full resources via API when detail is needed.
• SDKs: orb-billing on both npm and PyPI (same package name on both). Neither SDK exposes a Stripe-style unwrap()/constructEvent() helper at the time of writing — manual HMAC verification is the canonical path. The SDK is declared in providers.yaml's sdks field so future review runs will catch stale pins.

Test plan

• cd skills/orb-webhooks/examples/express && npm install && npm test
• cd skills/orb-webhooks/examples/nextjs && npm install && npm test
• cd skills/orb-webhooks/examples/fastapi && python3 -m venv venv && source venv/bin/activate && pip install -r requirements.txt && pytest test_webhook.py -v
• Verify the signature helpers reproduce the exact format from https://docs.withorb.com/integrations-and-exports/webhooks ("v1=" + HMAC-SHA256(secret, "v1:" + iso_ts + ":" + body).hexdigest())
• Confirm event names match the live docs across both regular and summary webhook variants
• Confirm the webhook-skills marketplace bundle now lists 38 skill paths (37 → 38)

Generation details

• Generated via ./scripts/generate-skills.sh generate orb --config providers.yaml --model claude-opus-4-7
• 1 iteration (initial generation passed review on first pass)
• Locally: npx hookdeck-cli listen 3000 orb --path /webhooks/orb

https://claude.ai/code/session_01NNTgQRJss1V7gyzzJ9rjnB

---

Generated by Claude Code