Verified local recovery · not client work

07 / WEBHOOK RECOVERY

Webhook Recovery Lab

A dependency-free Python and SQLite reference that turns signed synthetic contact events into visible delivery, review, terminal failure, and reconciliation evidence without retaining raw addresses.

Fixture events
7
Delivery attempts
8
Automated tests
16

THE DELIVERY RISK

A successful webhook response does not prove that every event arrived once.

Cross-system contact workflows fail quietly when signatures are ignored, source events disappear, retries repeat downstream writes, invalid records bypass review, or a destination accepts a write just before the worker loses its local acknowledgement. The lab makes each of those states explicit and compares the accepted ledger with an expected source manifest.

CONTROL PATH

Commit the recovery evidence before calling the delivery complete.

  1. 01
    Verify

    Check HMAC-SHA256 over the exact request bytes and enforce a 16 KiB body ceiling before parsing or persistence.

  2. 02
    Validate

    Require one exact six-field contract, a timezone-aware timestamp, bounded identifiers, contact permission, and deterministic fixture validation.

  3. 03
    Minimize

    Canonicalize the event, bind its ID to a payload hash, store only the contact hash, and quarantine conflicting replay evidence without raw payloads.

  4. 04
    Dispatch

    Commit a transactional outbox before delivery, record one attempt at a time, and stop after the fixed three-attempt ceiling.

  5. 05
    Recover

    Reuse one stable sink idempotency key when delivery succeeded but local acknowledgement was deliberately lost.

  6. 06
    Reconcile

    Compare seven expected source IDs with the event ledger, detect one withheld event, ingest it, and prove the final set is complete.

VERIFICATION EVIDENCE

What was actually executed.

  • Native local runtimeThe committed fixtures ran on Python 3.12.13 and SQLite 3.50.4 with zero third-party runtime dependencies.
  • Seven accounted eventsFour finished delivered, two entered review after invalid or provider-error fixture outcomes, and one became terminal after the three-attempt ceiling.
  • Replay and conflict policyAn exact semantic replay added no event, outbox, attempt, audit, quarantine, or sink call. A changed payload under the same event ID preserved the original and added one hash-only quarantine record.
  • Transient and terminal behaviorOne event delivered on its second attempt; another remained visibly terminal after three synthetic transient failures.
  • Ambiguous delivery recoveryThe synthetic sink accepted one event before an injected local acknowledgement loss. Retry returned one duplicate acknowledgement while the sink retained exactly one unique delivery.
  • Source reconciliationThe first comparison reported missing evt-007. After bounded recovery, all seven expected IDs were present with zero unexpected IDs.
  • Database and privacy boundarySQLite integrity was ok with zero foreign-key violations, raw payloads, raw emails, network actions, client-system actions, or external actions.
  • Sixteen automated testsThe suite covers signature, size, contract, replay, conflict, review, retry, terminal, ambiguous-delivery, reconciliation, rollback, integrity, and raw-address absence. It also caught and fixed an open SQLite handle on Windows.

HONEST LIMITS

This proves local recovery semantics—not a named-vendor deployment.

The source code and dated verification remain private and are not publicly released. The lab is not a Donorbox, ZeroBounce, SendGrid, Zapier, Make, or n8n implementation and does not prove client delivery, real email validation or list delivery, lawful contact permission, TLS termination, secret rotation, replay-window defense, queue concurrency, distributed locking, provider rate limits, backup or restore, retention compliance, throughput, security posture, deliverability, support outcome, ROI, or business impact. Those controls require an authorized vendor sandbox and separately accepted operating design.

MISSING OR REPEATED EVENTS?

Define what a recovered delivery must prove.

Bring one authorized source, one destination, representative failure evidence, a safe sandbox, source counts, and an accountable acceptance owner. Do not send credentials, production payloads, or personal records. Price and schedule remain separate owner-approved decisions.

Review the service boundary Use the recovery checklist