feat(manage-ui): improve trigger authentication UI

[amikofalvy]

Summary

• Remove showAuth query parameter gate - authentication/signature verification sections are now always visible
• Restructure Authentication UI into two separate sections:
  • Authentication Headers (Optional) - For required header validation
  • Signature Verification - For HMAC signature verification with dedicated toggle
• Add signatureVerificationEnabled toggle to show/hide complex signature configuration
• Add provider presets (GitHub, Slack, Zendesk, Stripe) with brand icons using existing ProviderIcon component
• Presets apply all signature verification settings (header name, prefix, algorithm, signed components)
• Add request preview section showing example webhook request format based on current configuration
• Secrets are masked in preview display

Changes

UI Restructuring

• Split the original "Authentication" card into two distinct sections
• Signature Verification has its own toggle that controls visibility of configuration options
• When toggle is OFF, signature verification fields are not sent to backend
• When toggle is ON, full configuration UI is shown including presets, credential selection, and advanced options

Presets Enhancement

• Quick Setup Presets section with collapsible UI
• Provider icons for GitHub, Slack, Zendesk, Stripe
• Applied preset shown as badge after selection
• Presets auto-fill: header name, signature prefix, algorithm, encoding, signed components

Request Preview

• Shows example HTTP request format based on current configuration
• Only visible when auth headers exist OR signature verification is enabled with a credential
• Displays expected headers, signature format, and computation details

Test Plan

Manual Testing (Completed via Browser Automation)

• Navigate to trigger create/edit page
• Verify authentication headers and signature verification are in separate sections
• Test signature verification toggle shows/hides configuration UI
• Test applying different presets (GitHub, Slack, Zendesk, Stripe)
• Verify preset auto-fills header name, prefix, and signed component
• Test selecting signing secret credential
• Verify request preview updates based on configuration
• Create trigger without signature verification - verify it saves correctly
• Create trigger with signature verification - verify it saves correctly
• Edit saved triggers - verify all values persist correctly

Existing Test Coverage

• API CRUD tests for triggers including signatureVerification field
• Unit tests for signature verification logic (GitHub, Slack, Zendesk, Stripe patterns)

[changeset-bot]

⚠️ No Changeset found

Latest commit: 45ca307

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
agents-api	Ready	Preview, Comment	Jan 24, 2026 1:26am
agents-manage-ui	Ready	Preview, Comment	Jan 24, 2026 1:26am

1 Skipped Deployment

Project	Deployment	Review	Updated (UTC)
agents-docs	Skipped		Jan 24, 2026 1:26am

[claude]

Claude finished @amikofalvy's task —— View job

---

Code Review Complete ✅

Completed comprehensive review of the trigger authentication UI improvements. Here's my analysis:

Todo List:

• Read and analyze the main changes in trigger-form.tsx
• Research existing patterns and related code in the codebase
• Review architectural consistency and design patterns
• Evaluate TypeScript quality, security, and UX considerations
• Provide comprehensive feedback on areas for improvement

---

Review Summary

This PR represents a significant enhancement to the trigger authentication UI with substantial improvements to user experience, security patterns, and code organization. The changes align well with the system's existing patterns and demonstrate thoughtful UX considerations.

🚀 Notable Improvements

User Experience Excellence:

• Always-visible authentication section removes cognitive overhead of query parameters
• Clearable credential select with X button provides intuitive deselection
• Provider presets with brand icons streamline common configurations
• Smart collapsible presets that minimize visual clutter after selection
• Request preview gives users confidence in their configuration

Security & Architecture:

• Proper secret masking (••••••••) in all preview displays
• Project-scoped credential filtering enforces security boundaries
• Comprehensive signature verification configuration with advanced options

🛠 Areas for Architectural Improvement

1. Form State Management & Performance (Medium Priority)

Issue: The useMemo for request preview re-computes on every watched field change, and individual watch() calls create multiple subscriptions.

// Current: Multiple watch subscriptions
const watchedAuthHeaders = form.watch('authHeaders');
const watchedSigningCredential = form.watch('signingSecretCredentialReferenceId');
// ... 7 more individual watch calls

Recommendation:

// Better: Single subscription with selective updates
const watchedFields = form.watch([
  'authHeaders', 'signingSecretCredentialReferenceId', 
  'signatureKey', 'signaturePrefix', /* ... */
]);

const generateRequestPreview = useMemo(() => {
  const [authHeaders, signingCredential, signatureKey, ...rest] = watchedFields;
  // ... generation logic
}, [watchedFields]);

Impact: Reduces form subscriptions from 8 to 1, improving performance on large forms.

2. Provider Preset Type Safety (High Priority)

Issue: The providerPresets object lacks proper TypeScript constraints and the preset application logic has potential runtime failures.

// Current: Unsafe access pattern
const preset = providerPresets[presetKey]; // Could be undefined
if (!preset) return; // Silent failure

Recommendation:

// Add compile-time safety
const PROVIDER_PRESET_KEYS = ['github', 'slack', 'zendesk', 'stripe'] as const;
type ProviderPresetKey = typeof PROVIDER_PRESET_KEYS[number];

const providerPresets: Record<ProviderPresetKey, ProviderPreset> = {
  // ... existing presets
};

// Improve preset application
const applyPreset = (presetKey: ProviderPresetKey) => {
  const preset = providerPresets[presetKey]; // Now guaranteed to exist
  // ... rest of logic
};

3. Component Extraction & Reusability (Medium Priority)

Issue: The 1,600-line component handles multiple concerns: form logic, preset management, validation, and complex rendering.

Recommendation: Extract specialized components:

• SignatureVerificationSection (lines 1100-1566)
• ProviderPresetsSelector (lines 1022-1097)
• RequestPreviewCard (lines 1572-1588)
• SignedComponentsBuilder (lines 1277-1447)

Benefits:

• Improved testability and maintainability
• Clearer separation of concerns
• Easier to reason about individual features

4. Validation Error Handling (Medium Priority)

Issue: Manual validation with local state creates inconsistent error display patterns.

// Current: Manual error state management
const [signatureKeyError, setSignatureKeyError] = useState<string | undefined>();
const [signatureRegexError, setSignatureRegexError] = useState<string | undefined>();

Recommendation: Integrate with react-hook-form's validation system:

// Better: Unified validation through schema
const triggerFormSchema = z.object({
  // ...
  signatureKey: z.string()
    .optional()
    .refine((val) => !val || validateJMESPath(val) === undefined, {
      message: "Invalid JMESPath expression"
    }),
});

🔒 Security Considerations

Excellent security patterns observed:

• ✅ Consistent secret masking in UI (••••••••)
• ✅ Project-scoped credential enforcement
• ✅ No credential values logged or exposed
• ✅ Proper authentication header handling

Additional recommendation:
Consider adding CSP-friendly inline styles for the preview code block instead of style attributes.

🎯 UX & Accessibility

Strong UX patterns:

• ✅ Clear visual hierarchy with collapsible sections
• ✅ Provider icons improve recognition
• ✅ Helpful placeholder text and descriptions
• ✅ Logical form flow and grouping

Enhancement suggestion:
The preview section could benefit from a "Copy" button for developer convenience.

📋 Minor Technical Notes

1. Line 387: The as any cast in zodResolver suggests a type mismatch that should be investigated:

   resolver: zodResolver(triggerFormSchema) as any,

2. Lines 352, 367: Using (trigger as any) indicates missing type definitions for signature verification properties.

3. Consistent patterns: Great use of existing GenericSelect, ProviderIcon, and other established components.

🎉 Overall Assessment

This is a high-quality implementation that significantly improves the user experience while maintaining security best practices. The code follows existing patterns well and the UX improvements are thoughtful and user-centered.

Severity Assessment:

• High Priority: Provider preset type safety
• Medium Priority: Form performance optimization, component extraction, validation consistency
• Low Priority: Minor TypeScript improvements

The changes are production-ready and represent a meaningful improvement to the platform's webhook configuration experience.

---