Validate v1 Cloudflare signature; preserve state

Align signature parsing with production Cloudflare format and harden validation, and prevent wiping agent state.

- signature.utils: import SignatureVersionInvalidError, parse headers expecting `t=<timestamp>,v1=<sig>`, validate numeric timestamp and explicit `v1` version, compute HMAC over `<timestamp>.<JSON-payload>` and compare. Improves robustness and throws clear errors for invalid version/timestamp.
- cloudflare/helpers: change rememberLastRef to merge the new STATE_KEY into existing agent.state instead of replacing it, preventing loss of other state properties.
- cloudflare.test: update tests to use the `t=` header format, add a test for invalid signature version, and adjust the fake agent/setState test to ensure other state keys are preserved.

Author: scopsy

packages/framework/src/servers/cloudflare/cloudflare.test.ts

@@ -86,7 +86,7 @@ describe('validateNovuSignature()', () => {
     const timestamp = Date.now();
     const hash = await createHmacSubtle(secret, `${timestamp}.${JSON.stringify(body)}`);
 
-    return `${timestamp}=${timestamp},v1=${hash}`;
+    return `t=${timestamp},v1=${hash}`;
   }
 
   it('should pass for a valid signature', async () => {
@@ -126,10 +126,18 @@ describe('validateNovuSignature()', () => {
   it('should throw SignatureExpiredError for old timestamps', async () => {
     const oldTimestamp = Date.now() - 1000 * 60 * 60;
     const hash = await createHmacSubtle(secretKey, `${oldTimestamp}.${JSON.stringify(payload)}`);
-    const header = `${oldTimestamp}=${oldTimestamp},v1=${hash}`;
+    const header = `t=${oldTimestamp},v1=${hash}`;
 
     await expect(validateNovuSignature(payload, header, secretKey, true)).rejects.toThrow('Signature expired');
   });
+
+  it('should throw SignatureVersionInvalidError for wrong version', async () => {
+    const timestamp = Date.now();
+    const hash = await createHmacSubtle(secretKey, `${timestamp}.${JSON.stringify(payload)}`);
+    const header = `t=${timestamp},v2=${hash}`;
+
+    await expect(validateNovuSignature(payload, header, secretKey, true)).rejects.toThrow('Signature version is invalid');
+  });
 });
 
 describe('withNovuAgent mixin', () => {
@@ -252,13 +260,13 @@ describe('helpers: rememberLastRef / replyToLastConversation', () => {
   it('round-trips a ref through setState / state', async () => {
     const { rememberLastRef, replyToLastConversation } = await import('./helpers');
 
-    let storedState: Record<string, unknown> = {};
+    let storedState: Record<string, unknown> = { other: 'keep-me' };
 
     const fakeAgent = {
       env: { NOVU_SECRET_KEY: 'test-key' },
       state: storedState,
-      setState(patch: Record<string, unknown>) {
-        Object.assign(storedState, patch);
+      setState(newState: Record<string, unknown>) {
+        storedState = newState;
         this.state = storedState;
       },
     };
@@ -273,6 +281,7 @@ describe('helpers: rememberLastRef / replyToLastConversation', () => {
       conversationId: 'conv-456',
       integrationIdentifier: 'slack-main',
     });
+    expect(storedState.other).toBe('keep-me');
 
     await replyToLastConversation(fakeAgent, 'ping');
 

packages/framework/src/servers/cloudflare/helpers.ts

@@ -35,7 +35,7 @@ interface StatefulAgent {
  * Call this inside `onNovuMessage` / `onNovuAction` / etc.
  */
 export function rememberLastRef(agent: StatefulAgent, ctx: AgentContext): void {
-  agent.setState({ [STATE_KEY]: ctx.serialize() });
+  agent.setState({ ...agent.state, [STATE_KEY]: ctx.serialize() });
 }
 
 /**

packages/framework/src/servers/cloudflare/with-novu-agent.ts

@@ -165,10 +165,13 @@ export function withNovuAgent<TBase extends Constructor>(Base: TBase) {
         };
 
         const handler = handlerMap[event as AgentEventEnum];
-        if (handler) {
-          await handler(ctx);
+        if (!handler) {
+          console.warn(`[novu-agent] Unknown event: ${event}`);
+
+          return Response.json({ error: `Unknown event: ${event}` }, { status: 400 });
         }
 
+        await handler(ctx);
         await ctx.flush();
 
         return Response.json({ status: 'ok' });
@@ -183,5 +186,5 @@ export function withNovuAgent<TBase extends Constructor>(Base: TBase) {
     }
   }
 
-  return NovuAgentMixin as unknown as TBase & NovuAgentStatics;
+  return NovuAgentMixin as unknown as TBase & NovuAgentStatics & (new (...args: any[]) => NovuAgentInstance);
 }