@directus/api 33.3.1 → 34.0.1

package/dist/ai/tools/flows/index.d.ts

@@ -11,13 +11,13 @@ export declare const FlowsValidateSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
             active: "active";
             inactive: "inactive";
         }>>;
-        trigger: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+        trigger: z.ZodOptional<z.ZodEnum<{
             operation: "operation";
             schedule: "schedule";
             event: "event";
             webhook: "webhook";
             manual: "manual";
-        }>, z.ZodNull]>>;
+        }>>;
         options: z.ZodOptional<z.ZodUnion<readonly [z.ZodRecord<z.ZodString, z.ZodAny>, z.ZodNull]>>;
         operation: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNull]>>;
         operations: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -36,10 +36,10 @@ export declare const FlowsValidateSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
         }, z.core.$strip>>>;
         date_created: z.ZodOptional<z.ZodString>;
         user_created: z.ZodOptional<z.ZodString>;
-        accountability: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+        accountability: z.ZodOptional<z.ZodEnum<{
             all: "all";
             activity: "activity";
-        }>, z.ZodNull]>>;
+        }>>;
     }, z.core.$strip>;
 }, z.core.$strict>, z.ZodObject<{
     action: z.ZodLiteral<"read">;
@@ -79,13 +79,13 @@ export declare const FlowsValidateSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
             active: "active";
             inactive: "inactive";
         }>>;
-        trigger: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+        trigger: z.ZodOptional<z.ZodEnum<{
             operation: "operation";
             schedule: "schedule";
             event: "event";
             webhook: "webhook";
             manual: "manual";
-        }>, z.ZodNull]>>;
+        }>>;
         options: z.ZodOptional<z.ZodUnion<readonly [z.ZodRecord<z.ZodString, z.ZodAny>, z.ZodNull]>>;
         operation: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNull]>>;
         operations: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -104,10 +104,10 @@ export declare const FlowsValidateSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
         }, z.core.$strip>>>;
         date_created: z.ZodOptional<z.ZodString>;
         user_created: z.ZodOptional<z.ZodString>;
-        accountability: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+        accountability: z.ZodOptional<z.ZodEnum<{
             all: "all";
             activity: "activity";
-        }>, z.ZodNull]>>;
+        }>>;
     }, z.core.$strip>;
     query: z.ZodOptional<z.ZodObject<{
         fields: z.ZodOptional<z.ZodArray<z.ZodString>>;
@@ -176,13 +176,13 @@ export declare const FlowsInputSchema: z.ZodObject<{
             active: "active";
             inactive: "inactive";
         }>>;
-        trigger: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+        trigger: z.ZodOptional<z.ZodEnum<{
             operation: "operation";
             schedule: "schedule";
             event: "event";
             webhook: "webhook";
             manual: "manual";
-        }>, z.ZodNull]>>;
+        }>>;
         options: z.ZodOptional<z.ZodUnion<readonly [z.ZodRecord<z.ZodString, z.ZodAny>, z.ZodNull]>>;
         operation: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNull]>>;
         operations: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -201,10 +201,10 @@ export declare const FlowsInputSchema: z.ZodObject<{
         }, z.core.$strip>>>;
         date_created: z.ZodOptional<z.ZodString>;
         user_created: z.ZodOptional<z.ZodString>;
-        accountability: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+        accountability: z.ZodOptional<z.ZodEnum<{
             all: "all";
             activity: "activity";
-        }>, z.ZodNull]>>;
+        }>>;
     }, z.core.$strip>>;
     key: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
@@ -217,7 +217,7 @@ export declare const flows: import("../types.js").ToolConfig<{
         color?: string | null | undefined;
         description?: string | null | undefined;
         status?: "active" | "inactive" | undefined;
-        trigger?: "operation" | "schedule" | "event" | "webhook" | "manual" | null | undefined;
+        trigger?: "operation" | "schedule" | "event" | "webhook" | "manual" | undefined;
         options?: Record<string, any> | null | undefined;
         operation?: string | null | undefined;
         operations?: {
@@ -236,7 +236,7 @@ export declare const flows: import("../types.js").ToolConfig<{
         }[] | undefined;
         date_created?: string | undefined;
         user_created?: string | undefined;
-        accountability?: "all" | "activity" | null | undefined;
+        accountability?: "all" | "activity" | undefined;
     };
 } | {
     action: "read";
@@ -273,7 +273,7 @@ export declare const flows: import("../types.js").ToolConfig<{
         color?: string | null | undefined;
         description?: string | null | undefined;
         status?: "active" | "inactive" | undefined;
-        trigger?: "operation" | "schedule" | "event" | "webhook" | "manual" | null | undefined;
+        trigger?: "operation" | "schedule" | "event" | "webhook" | "manual" | undefined;
         options?: Record<string, any> | null | undefined;
         operation?: string | null | undefined;
         operations?: {
@@ -292,7 +292,7 @@ export declare const flows: import("../types.js").ToolConfig<{
         }[] | undefined;
         date_created?: string | undefined;
         user_created?: string | undefined;
-        accountability?: "all" | "activity" | null | undefined;
+        accountability?: "all" | "activity" | undefined;
     };
     query?: {
         fields?: string[] | undefined;

package/dist/ai/tools/schema.d.ts

@@ -272,13 +272,13 @@ export declare const FlowItemInputSchema: z.ZodObject<{
         active: "active";
         inactive: "inactive";
     }>>;
-    trigger: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+    trigger: z.ZodOptional<z.ZodEnum<{
         operation: "operation";
         schedule: "schedule";
         event: "event";
         webhook: "webhook";
         manual: "manual";
-    }>, z.ZodNull]>>;
+    }>>;
     options: z.ZodOptional<z.ZodUnion<readonly [z.ZodRecord<z.ZodString, z.ZodAny>, z.ZodNull]>>;
     operation: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNull]>>;
     operations: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -297,10 +297,10 @@ export declare const FlowItemInputSchema: z.ZodObject<{
     }, z.core.$strip>>>;
     date_created: z.ZodOptional<z.ZodString>;
     user_created: z.ZodOptional<z.ZodString>;
-    accountability: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+    accountability: z.ZodOptional<z.ZodEnum<{
         all: "all";
         activity: "activity";
-    }>, z.ZodNull]>>;
+    }>>;
 }, z.core.$strip>;
 export declare const FlowItemValidateSchema: z.ZodObject<{
     id: z.ZodOptional<z.ZodString>;
@@ -312,13 +312,13 @@ export declare const FlowItemValidateSchema: z.ZodObject<{
         active: "active";
         inactive: "inactive";
     }>>;
-    trigger: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+    trigger: z.ZodOptional<z.ZodEnum<{
         operation: "operation";
         schedule: "schedule";
         event: "event";
         webhook: "webhook";
         manual: "manual";
-    }>, z.ZodNull]>>;
+    }>>;
     options: z.ZodOptional<z.ZodUnion<readonly [z.ZodRecord<z.ZodString, z.ZodAny>, z.ZodNull]>>;
     operation: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNull]>>;
     operations: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -337,10 +337,10 @@ export declare const FlowItemValidateSchema: z.ZodObject<{
     }, z.core.$strip>>>;
     date_created: z.ZodOptional<z.ZodString>;
     user_created: z.ZodOptional<z.ZodString>;
-    accountability: z.ZodOptional<z.ZodUnion<readonly [z.ZodEnum<{
+    accountability: z.ZodOptional<z.ZodEnum<{
         all: "all";
         activity: "activity";
-    }>, z.ZodNull]>>;
+    }>>;
 }, z.core.$strip>;
 export declare const TriggerFlowInputSchema: z.ZodObject<{
     id: z.ZodUnion<readonly [z.ZodNumber, z.ZodString]>;

package/dist/ai/tools/schema.js

@@ -135,13 +135,13 @@ export const FlowItemInputSchema = z
     color: z.union([z.string(), z.null()]),
     description: z.union([z.string(), z.null()]),
     status: z.enum(['active', 'inactive']),
-    trigger: z.union([z.enum(['event', 'schedule', 'operation', 'webhook', 'manual']), z.null()]),
+    trigger: z.enum(['event', 'schedule', 'operation', 'webhook', 'manual']),
     options: z.union([z.record(z.string(), z.any()), z.null()]),
     operation: z.union([z.string(), z.null()]),
     operations: z.array(OperationItemInputSchema),
     date_created: z.string(),
     user_created: z.string(),
-    accountability: z.union([z.enum(['all', 'activity']), z.null()]),
+    accountability: z.enum(['all', 'activity']),
 })
     .partial();
 export const FlowItemValidateSchema = FlowItemInputSchema;

package/dist/app.js

@@ -10,6 +10,7 @@ import express from 'express';
 import { merge } from 'lodash-es';
 import qs from 'qs';
 import { aiChatRouter } from './ai/chat/router.js';
+import { aiFilesRouter } from './ai/files/router.js';
 import { registerAuthProviders } from './auth.js';
 import accessRouter from './controllers/access.js';
 import activityRouter from './controllers/activity.js';
@@ -18,6 +19,7 @@ import authRouter from './controllers/auth.js';
 import collectionsRouter from './controllers/collections.js';
 import commentsRouter from './controllers/comments.js';
 import dashboardsRouter from './controllers/dashboards.js';
+import deploymentWebhookRouter from './controllers/deployment-webhooks.js';
 import deploymentRouter from './controllers/deployment.js';
 import extensionsRouter from './controllers/extensions.js';
 import fieldsRouter from './controllers/fields.js';
@@ -48,7 +50,7 @@ import usersRouter from './controllers/users.js';
 import utilsRouter from './controllers/utils.js';
 import versionsRouter from './controllers/versions.js';
 import { isInstalled, validateDatabaseConnection, validateDatabaseExtensions, validateMigrations, } from './database/index.js';
-import { registerDeploymentDrivers } from './deployment.js';
+import { ensureDeploymentWebhooks, registerDeploymentDrivers } from './deployment.js';
 import emitter from './emitter.js';
 import { getExtensionManager } from './extensions/index.js';
 import { getFlowManager } from './flows.js';
@@ -96,6 +98,7 @@ export default async function createApp() {
     await validateStorage();
     await registerAuthProviders();
     registerDeploymentDrivers();
+    await ensureDeploymentWebhooks();
     const extensionManager = getExtensionManager();
     const flowManager = getFlowManager();
     await extensionManager.initialize();
@@ -161,6 +164,9 @@ export default async function createApp() {
     app.use((req, res, next) => {
         express.json({
             limit: env['MAX_PAYLOAD_SIZE'],
+            verify: (req, _res, buf) => {
+                req.rawBody = buf;
+            },
         })(req, res, (err) => {
             if (err) {
                 return next(new InvalidPayloadError({ reason: err.message }));
@@ -214,6 +220,8 @@ export default async function createApp() {
         app.use(rateLimiter);
     }
     app.get('/server/ping', (_req, res) => res.send('pong'));
+    // Public webhook endpoint (signature-verified by the provider)
+    app.use('/deployments/webhooks', deploymentWebhookRouter);
     app.use(authenticate);
     app.use(schema);
     app.use(sanitizeQuery);
@@ -243,6 +251,7 @@ export default async function createApp() {
     }
     if (toBoolean(env['AI_ENABLED']) === true) {
         app.use('/ai/chat', aiChatRouter);
+        app.use('/ai/files', aiFilesRouter);
     }
     if (env['METRICS_ENABLED'] === true) {
         app.use('/metrics', metricsRouter);

package/dist/auth/drivers/oauth2.js

@@ -21,7 +21,7 @@ import { getSecret } from '../../utils/get-secret.js';
 import { verifyJWT } from '../../utils/jwt.js';
 import { Url } from '../../utils/url.js';
 import { generateCallbackUrl } from '../utils/generate-callback-url.js';
-import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
+import { resolveLoginRedirect } from '../utils/resolve-login-redirect.js';
 import { LocalAuthDriver } from './local.js';
 export class OAuth2AuthDriver extends LocalAuthDriver {
     client;
@@ -273,8 +273,12 @@ export function createOAuth2AuthRouter(providerName) {
         const codeVerifier = provider.generateCodeVerifier();
         const prompt = !!req.query['prompt'];
         const otp = req.query['otp'];
-        const redirect = req.query['redirect'];
-        if (!isLoginRedirectAllowed(providerName, redirect)) {
+        let redirect = req.query['redirect'];
+        try {
+            redirect = resolveLoginRedirect(redirect, { provider: providerName });
+        }
+        catch (e) {
+            useLogger().error(e);
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
         const callbackUrl = generateCallbackUrl(providerName, `${req.protocol}://${req.get('host')}`);
@@ -356,8 +360,10 @@ export function createOAuth2AuthRouter(providerName) {
             const claims = verifyJWT(accessToken, getSecret());
             if (claims?.enforce_tfa === true) {
                 const url = new Url(env['PUBLIC_URL']).addPath('admin', 'tfa-setup');
-                if (redirect)
+                if (redirect) {
                     url.setQuery('redirect', redirect);
+                    url.setQuery('provider', providerName);
+                }
                 redirect = url.toString();
             }
         }

package/dist/auth/drivers/openid.js

@@ -21,7 +21,7 @@ import { getSecret } from '../../utils/get-secret.js';
 import { verifyJWT } from '../../utils/jwt.js';
 import { Url } from '../../utils/url.js';
 import { generateCallbackUrl } from '../utils/generate-callback-url.js';
-import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
+import { resolveLoginRedirect } from '../utils/resolve-login-redirect.js';
 import { LocalAuthDriver } from './local.js';
 export class OpenIDAuthDriver extends LocalAuthDriver {
     client;
@@ -324,9 +324,13 @@ export function createOpenIDAuthRouter(providerName) {
         const provider = getAuthProvider(providerName);
         const codeVerifier = provider.generateCodeVerifier();
         const prompt = !!req.query['prompt'];
-        const redirect = req.query['redirect'];
+        let redirect = req.query['redirect'];
         const otp = req.query['otp'];
-        if (!isLoginRedirectAllowed(providerName, redirect)) {
+        try {
+            redirect = resolveLoginRedirect(redirect, { provider: providerName });
+        }
+        catch (e) {
+            useLogger().error(e);
             throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
         }
         const callbackUrl = generateCallbackUrl(providerName, `${req.protocol}://${req.get('host')}`);
@@ -418,8 +422,10 @@ export function createOpenIDAuthRouter(providerName) {
             const claims = verifyJWT(accessToken, getSecret());
             if (claims?.enforce_tfa === true) {
                 const url = new Url(env['PUBLIC_URL']).addPath('admin', 'tfa-setup');
-                if (redirect)
+                if (redirect) {
                     url.setQuery('redirect', redirect);
+                    url.setQuery('provider', providerName);
+                }
                 redirect = url.toString();
             }
         }

package/dist/auth/drivers/saml.js

@@ -13,7 +13,7 @@ import { AuthenticationService } from '../../services/authentication.js';
 import asyncHandler from '../../utils/async-handler.js';
 import { getConfigFromEnv } from '../../utils/get-config-from-env.js';
 import { getSchema } from '../../utils/get-schema.js';
-import { isLoginRedirectAllowed } from '../utils/is-login-redirect-allowed.js';
+import { resolveLoginRedirect } from '../utils/resolve-login-redirect.js';
 import { LocalAuthDriver } from './local.js';
 // Register the samlify schema validator
 samlify.setSchemaValidator(validator);
@@ -94,8 +94,12 @@ export function createSAMLAuthRouter(providerName) {
         const { context: url } = sp.createLoginRequest(idp, 'redirect');
         const parsedUrl = new URL(url);
         if (req.query['redirect']) {
-            const redirect = req.query['redirect'];
-            if (!isLoginRedirectAllowed(providerName, redirect)) {
+            let redirect = req.query['redirect'];
+            try {
+                redirect = resolveLoginRedirect(redirect, { provider: providerName });
+            }
+            catch (e) {
+                useLogger().error(e);
                 throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
             }
             parsedUrl.searchParams.append('RelayState', redirect);
@@ -115,10 +119,16 @@ export function createSAMLAuthRouter(providerName) {
     }));
     router.post('/acs', express.urlencoded({ extended: false }), asyncHandler(async (req, res, next) => {
         const logger = useLogger();
-        const relayState = req.body?.RelayState;
+        let redirect = req.body?.RelayState;
         const authMode = (env[`AUTH_${providerName.toUpperCase()}_MODE`] ?? 'session');
-        if (relayState && isLoginRedirectAllowed(providerName, relayState) === false) {
-            throw new InvalidPayloadError({ reason: `URL "${relayState}" can't be used to redirect after login` });
+        if (redirect) {
+            try {
+                redirect = resolveLoginRedirect(redirect, { provider: providerName });
+            }
+            catch (e) {
+                useLogger().error(e);
+                throw new InvalidPayloadError({ reason: `URL "${redirect}" can't be used to redirect after login` });
+            }
         }
         try {
             const { sp, idp } = getAuthProvider(providerName);
@@ -134,19 +144,19 @@ export function createSAMLAuthRouter(providerName) {
                     expires,
                 },
             };
-            if (relayState) {
+            if (redirect) {
                 if (authMode === 'session') {
                     res.cookie(env['SESSION_COOKIE_NAME'], accessToken, SESSION_COOKIE_OPTIONS);
                 }
                 else {
                     res.cookie(env['REFRESH_TOKEN_COOKIE_NAME'], refreshToken, REFRESH_COOKIE_OPTIONS);
                 }
-                return res.redirect(relayState);
+                return res.redirect(redirect);
             }
             return next();
         }
         catch (error) {
-            if (relayState) {
+            if (redirect) {
                 let reason = 'UNKNOWN_EXCEPTION';
                 if (isDirectusError(error)) {
                     reason = error.code;
@@ -154,7 +164,7 @@ export function createSAMLAuthRouter(providerName) {
                 else {
                     logger.warn(error, `[SAML] Unexpected error during SAML login`);
                 }
-                return res.redirect(`${relayState.split('?')[0]}?reason=${reason}`);
+                return res.redirect(`${redirect.split('?')[0]}?reason=${reason}`);
             }
             logger.warn(error, `[SAML] Unexpected error during SAML login`);
             throw error;

package/dist/auth/utils/resolve-login-redirect.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Resolves and validates the redirect URL after a successful SSO login.
+ * Returns a safe redirect path or URL, or throws if the redirect is invalid or not allowed.
+ * @param redirect URL or relative path to redirect to after login
+ * @param opts.provider SSO provider name, used to check provider-specific allow lists
+ * @returns Resolved redirect path or URL string
+ * @throws If the redirect is not a string, PUBLIC_URL is not defined, or the redirect is not allowed
+ */
+export declare function resolveLoginRedirect(redirect: unknown, opts?: {
+    provider?: string | undefined;
+}): string;

package/dist/auth/utils/resolve-login-redirect.js

@@ -0,0 +1,62 @@
+import { useEnv } from '@directus/env';
+import { toArray } from '@directus/utils';
+import isUrlAllowed from '../../utils/is-url-allowed.js';
+/**
+ * Resolves and validates the redirect URL after a successful SSO login.
+ * Returns a safe redirect path or URL, or throws if the redirect is invalid or not allowed.
+ * @param redirect URL or relative path to redirect to after login
+ * @param opts.provider SSO provider name, used to check provider-specific allow lists
+ * @returns Resolved redirect path or URL string
+ * @throws If the redirect is not a string, PUBLIC_URL is not defined, or the redirect is not allowed
+ */
+export function resolveLoginRedirect(redirect, opts = {}) {
+    const env = useEnv();
+    const publicURL = env['PUBLIC_URL'];
+    // Default empty redirect to root
+    if (!redirect)
+        return '/';
+    if (typeof redirect !== 'string')
+        throw new Error('"redirect" must be a string');
+    if (!publicURL)
+        throw new Error('"PUBLIC_URL" must be defined');
+    // Relative URL
+    if (URL.canParse(redirect) === false) {
+        try {
+            const dummyDomain = 'http://dummy.local';
+            const { protocol: dummyProtocol, host: dummyHost } = new URL(dummyDomain);
+            const parsedRelativeURL = new URL(redirect, dummyDomain);
+            if (dummyProtocol !== parsedRelativeURL.protocol || dummyHost !== parsedRelativeURL.host) {
+                throw new Error('Relative URL mismatch');
+            }
+            // If the protocol & host match then it is a safe relative path
+            return parsedRelativeURL.toString().replace(dummyDomain, '');
+        }
+        catch {
+            // Unparsable URL
+            throw new Error('Invalid relative URL');
+        }
+    }
+    // Absolute redirect
+    const parsedAbsoluteURL = new URL(redirect);
+    if (!['http:', 'https:'].includes(parsedAbsoluteURL.protocol)) {
+        throw new Error('Only http/https redirect protocols are allowed');
+    }
+    if (opts.provider) {
+        const envKey = `AUTH_${opts.provider.toUpperCase()}_REDIRECT_ALLOW_LIST`;
+        if (envKey in env) {
+            const allowedList = toArray(String(env[envKey]));
+            allowedList.push(publicURL);
+            if (isUrlAllowed(redirect, allowedList)) {
+                return parsedAbsoluteURL.toString();
+            }
+        }
+    }
+    if (URL.canParse(publicURL) === false)
+        throw new Error('PUBLIC_URL must be a valid URL');
+    const { protocol: publicProtocol, host: publicHost } = new URL(publicURL);
+    // Reject "app" redirects not matching PUBLIC_URL
+    if (publicProtocol !== parsedAbsoluteURL.protocol || publicHost !== parsedAbsoluteURL.host) {
+        throw new Error('App "redirect" must match PUBLIC_URL');
+    }
+    return parsedAbsoluteURL.toString();
+}

package/dist/controllers/deployment-webhooks.d.ts

@@ -0,0 +1,2 @@
+declare const router: import("express-serve-static-core").Router;
+export default router;

package/dist/controllers/deployment-webhooks.js

@@ -0,0 +1,95 @@
+import { DEPLOYMENT_PROVIDER_TYPES } from '@directus/types';
+import express from 'express';
+import getDatabase from '../database/index.js';
+import { getDeploymentDriver } from '../deployment.js';
+import emitter from '../emitter.js';
+import { useLogger } from '../logger/index.js';
+import { DeploymentProjectsService } from '../services/deployment-projects.js';
+import { DeploymentRunsService } from '../services/deployment-runs.js';
+import { DeploymentService } from '../services/deployment.js';
+import asyncHandler from '../utils/async-handler.js';
+import { getSchema } from '../utils/get-schema.js';
+const router = express.Router();
+router.post('/:provider', asyncHandler(async (req, res) => {
+    const logger = useLogger();
+    const provider = req.params['provider'];
+    if (!DEPLOYMENT_PROVIDER_TYPES.includes(provider)) {
+        return res.sendStatus(404);
+    }
+    const rawBody = req.rawBody;
+    if (!rawBody) {
+        logger.debug(`[webhook:${provider}] No raw body`);
+        return res.sendStatus(400);
+    }
+    const schema = await getSchema();
+    const knex = getDatabase();
+    const deploymentService = new DeploymentService({
+        schema,
+        knex,
+        accountability: null,
+    });
+    let webhookConfig;
+    try {
+        webhookConfig = await deploymentService.getWebhookConfig(provider);
+    }
+    catch {
+        logger.warn(`[webhook:${provider}] No webhook config found`);
+        return res.sendStatus(404);
+    }
+    if (!webhookConfig.webhook_secret) {
+        logger.warn(`[webhook:${provider}] No webhook secret configured`);
+        return res.sendStatus(404);
+    }
+    const driver = getDeploymentDriver(provider, webhookConfig.credentials, webhookConfig.options);
+    // Fallback for providers whose API doesn't support webhook signature headers (e.g. Netlify)
+    const headers = { ...req.headers };
+    const queryToken = req.query['token'];
+    if (typeof queryToken === 'string') {
+        headers['x-webhook-token'] = queryToken;
+    }
+    const event = driver.verifyAndParseWebhook(rawBody, headers, webhookConfig.webhook_secret);
+    if (!event) {
+        logger.warn(`[webhook:${provider}] Verification failed or unknown event`);
+        try {
+            const body = JSON.parse(rawBody.toString('utf-8'));
+            logger.warn(`[webhook:${provider}] Raw event type: ${body.type ?? body.state ?? 'unknown'}`);
+        }
+        catch {
+            logger.warn(`[webhook:${provider}] Unparseable body: ${rawBody.toString('utf-8').slice(0, 200)}`);
+        }
+        return res.sendStatus(401);
+    }
+    // Look up project by external_id
+    const projectsService = new DeploymentProjectsService({
+        schema,
+        knex,
+        accountability: null,
+    });
+    const project = await projectsService.readByExternalId(event.project_external_id);
+    if (!project) {
+        // 410 signals the provider this project is no longer tracked
+        logger.info(`[webhook:${provider}] Project ${event.project_external_id} not tracked`);
+        return res.sendStatus(410);
+    }
+    const runsService = new DeploymentRunsService({
+        schema,
+        knex,
+        accountability: null,
+    });
+    const runId = await runsService.processWebhookEvent(project.id, event);
+    // Emit action events
+    const eventPayload = {
+        provider,
+        project_id: project.id,
+        run_id: runId,
+        external_id: event.deployment_external_id,
+        status: event.status,
+        url: event.url,
+        target: event.target,
+        timestamp: event.timestamp,
+    };
+    emitter.emitAction(['deployment.webhook', `deployment.webhook.${event.type}`], eventPayload, null);
+    logger.info(`[webhook:${provider}] Processed: ${event.type} → run ${runId}`);
+    return res.sendStatus(200);
+}));
+export default router;