feat(backend): Add webhook delivery system for card view events

[Dipti45sktech]

Summary

Implements the full webhook delivery system for card view and contact-save events as specified in issue #40. This includes endpoint registration, HMAC-SHA256 payload signing, exponential backoff retry logic, delivery logging, and full test coverage. The idea is simple — when someone views a card or saves a contact, any external system that has registered a webhook endpoint should get notified automatically with a signed POST request.

Closes #40

---

Type of Change

• New feature
• Tests only

---

What Changed

• Added WebhookEndpoint and WebhookDelivery models to Prisma schema
• Created apps/backend/src/routes/webhooks.ts with 4 REST endpoints (POST to register, GET to list, DELETE to remove, GET deliveries for logs)
• Created apps/backend/src/utils/webhookDispatch.ts with HMAC-SHA256 payload signing via x-DevCard-Signature header and retry logic with exponential backoff (30s - 5min - 30min)
• Hooked dispatchWebhook into card view and contact-save events in app.ts
• Added 17 tests in webhooks.test.ts covering endpoint registration, signature generation, and delivery retry logic.

---

How to Test

1. Run pnpm -r run test - all 17 webhook tests should pass
2. Register a webhook endpoint via POST /api/webhooks
3. Trigger a card view event and verify the external endpoint receives a signed POST request with x-DevCard-Signature header

---

Checklist

• I have added or updated tests for the changes I made.
• All tests pass locally (pnpm -r run test).
• No new console.log or debug statements left in the code.

[vercel]

@Dipti45sktech is attempting to deploy a commit to the Prashantkumar Khatri's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

Hi @Dipti45sktech,

Thanks for opening this pull request.

This PR has been automatically classified based on the files modified.

Applied Labels

• gssoc:approved
• backend

Primary Review Area

• backend

Reviewer

@Harxhit has been identified as the primary reviewer for this pull request.

If you have any questions regarding the affected area or implementation details, feel free to reach out to the assigned reviewer.

Thank you for your contribution!

[github-actions]

CI — All Checks Passed

Backend — PASS

Check	Result
Lint	PASS
Test	PASS
Typecheck	PASS

Mobile — SKIP

Check	Result
Lint	-
Test	-

Web — SKIP

Check	Result
Build	-

---

Last updated: Tue, 23 Jun 2026 06:11:23 GMT

[Dipti45sktech]

Hi @ShantKhatri please reassign me on issue #40 - I had completed this implementation earlier but the PR had to be closed due to branch conflicts. This is a clean resubmission of the same work. Kindly take a look.

[Harxhit]

Review of the webhook delivery system. The route/dispatch design is solid (HMAC signing, encrypted secret at rest, ownership checks, endpoint cap), but there are blocking issues: the Prisma schema is corrupted, the core WebhookEndpoint model is missing, and dispatchWebhook is never called from any event handler — so card-view/contact-save events don't actually trigger anything as shipped. Inline comments below. Note: this PR also carries unrelated changes (CI lint removal, app.ts/auth/seed rewrites) that I'd recommend splitting out.

[Dipti45sktech]

Hi @ShantKhatri and @Harxhit, thank you for the thorough review - I've addressed all the comments. Please let me know if anything else needs attention!

Please also make changes in DB seed too.

[Harxhit]

@Dipti45sktech Could please also add DB seed and DB migrations proofs in PR description.