feat(api): add webhook delivery utility and card event integration (#392)

* feat(api): add webhook delivery utility and card event integration

Add the core webhook delivery logic and wire it into card mutations:

- Add sendWebhookToUrl() with HMAC-SHA256 signing, 10s timeout
- Add sendWebhooksForWorkspace() for fan-out delivery (fire-and-forget)
- Add createCardWebhookPayload() for building webhook payloads
- Fire webhooks on card create, update, move, and delete events
- Add unit tests for webhook utility functions

Depends on #391 (DB schema & repository).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(api): use correct boardId in webhook payloads and add rejection safety

- Fix bug where workspaceId was incorrectly passed as boardId in all
  webhook payloads — now uses board's publicId via boardPublicId
- Replace void sendWebhooksForWorkspace() with .catch() to prevent
  unhandled promise rejections if the DB query inside fails

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(api): add SSRF protection to webhook delivery

Block webhook URLs targeting internal networks:
- Require HTTPS (reject HTTP)
- Block localhost, 127.0.0.1, ::1, 0.0.0.0
- Block cloud metadata endpoints (169.254.169.254, metadata.google.internal)
- Block private IP ranges (10.x, 172.16-31.x, 192.168.x)
- Add tests for all blocked URL patterns

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor(api): use WebhookEvent type from schema instead of duplicating

Replace the hardcoded WebhookEventType union with the canonical
WebhookEvent type from @kan/db/schema, addressing reviewer feedback
on PR #392.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor(api): improve webhook delivery safety and validation

Cherry-pick delivery-related changes from b2cc9ac:
- Extract URL validation into reusable webhookUrlSchema zod validator
  for SSRF checks
- Wrap sendWebhooksForWorkspace in try/catch to prevent unhandled
  promise rejections
- Document SSRF risk mitigation on sendWebhookToUrl
- Add corresponding tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: nickmeinhold

packages/api/src/routers/card.ts

@@ -13,6 +13,10 @@ import { mergeActivities } from "../utils/activities";
 import { sendMentionEmails } from "../utils/notifications";
 import { assertCanDelete, assertCanEdit, assertPermission } from "../utils/permissions";
 import { generateAttachmentUrl, generateAvatarUrl } from "@kan/shared/utils";
+import {
+  createCardWebhookPayload,
+  sendWebhooksForWorkspace,
+} from "../utils/webhook";
 
 export const cardRouter = createTRPCRouter({
   create: protectedProcedure
@@ -165,6 +169,32 @@ export const cardRouter = createTRPCRouter({
         });
       }
 
+      // Fire webhooks (non-blocking)
+      sendWebhooksForWorkspace(
+        ctx.db,
+        list.workspaceId,
+        createCardWebhookPayload(
+          "card.created",
+          {
+            id: String(newCard.id),
+            title: input.title,
+            description: input.description,
+            dueDate: input.dueDate ?? null,
+            listId: String(newCard.listId),
+          },
+          {
+            boardId: list.boardPublicId,
+            boardName: list.boardName,
+            listName: list.name,
+            user: ctx.user
+              ? { id: ctx.user.id, name: ctx.user.name }
+              : undefined,
+          },
+        ),
+      ).catch((error) => {
+        console.error("Webhook delivery failed:", error);
+      });
+
       return newCard;
     }),
   addComment: protectedProcedure
@@ -1007,6 +1037,59 @@ export const cardRouter = createTRPCRouter({
         await cardActivityRepo.bulkCreate(ctx.db, activities);
       }
 
+      // Build changes object for webhook
+      const webhookChanges: Record<string, { from: unknown; to: unknown }> = {};
+      if (input.title && existingCard.title !== input.title) {
+        webhookChanges.title = { from: existingCard.title, to: input.title };
+      }
+      if (input.description && existingCard.description !== input.description) {
+        webhookChanges.description = {
+          from: existingCard.description,
+          to: input.description,
+        };
+      }
+      if (
+        input.dueDate !== undefined &&
+        previousDueDate?.getTime() !== input.dueDate?.getTime()
+      ) {
+        webhookChanges.dueDate = { from: previousDueDate, to: input.dueDate };
+      }
+      if (newListId && existingCard.listId !== newListId) {
+        webhookChanges.listId = { from: existingCard.listId, to: newListId };
+      }
+
+      // Fire webhooks (non-blocking)
+      sendWebhooksForWorkspace(
+        ctx.db,
+        card.workspaceId,
+        createCardWebhookPayload(
+          newListId && existingCard.listId !== newListId
+            ? "card.moved"
+            : "card.updated",
+          {
+            id: String(result.id),
+            title: result.title,
+            description: result.description,
+            dueDate: result.dueDate,
+            listId: String(newListId ?? existingCard.listId),
+          },
+          {
+            boardId: card.boardPublicId,
+            boardName: card.boardName,
+            listName: card.listName,
+            user: ctx.user
+              ? { id: ctx.user.id, name: ctx.user.name }
+              : undefined,
+            changes:
+              Object.keys(webhookChanges).length > 0
+                ? webhookChanges
+                : undefined,
+          },
+        ),
+      ).catch((error) => {
+        console.error("Webhook delivery failed:", error);
+      });
+
       return result;
     }),
   delete: protectedProcedure
@@ -1054,6 +1137,9 @@ export const cardRouter = createTRPCRouter({
         card.createdBy,
       );
 
+      // Fetch full card data before delete for webhook
+      const fullCard = await cardRepo.getByPublicId(ctx.db, input.cardPublicId);
+
       const deletedAt = new Date();
 
       await cardRepo.softDelete(ctx.db, {
@@ -1068,6 +1154,34 @@ export const cardRouter = createTRPCRouter({
         createdBy: userId,
       });
 
+      // Fire webhooks (non-blocking)
+      if (fullCard) {
+        sendWebhooksForWorkspace(
+          ctx.db,
+          card.workspaceId,
+          createCardWebhookPayload(
+            "card.deleted",
+            {
+              id: String(fullCard.id),
+              title: fullCard.title,
+              description: fullCard.description,
+              dueDate: fullCard.dueDate,
+              listId: String(fullCard.listId),
+            },
+            {
+              boardId: card.boardPublicId,
+              boardName: card.boardName,
+              listName: card.listName,
+              user: ctx.user
+                ? { id: ctx.user.id, name: ctx.user.name }
+                : undefined,
+            },
+          ),
+        ).catch((error) => {
+          console.error("Webhook delivery failed:", error);
+        });
+      }
+
       return { success: true };
     }),
 });