@electric-ax/agents-server 0.4.5 → 0.4.6

package/dist/entrypoint.js

@@ -4,7 +4,7 @@ import { DurableStreamTestServer } from "@durable-streams/server";
 import { createServer } from "node:http";
 import { createServerAdapter } from "@whatwg-node/server";
 import { Agent } from "undici";
-import { appendPathToUrl, assertTags, buildTagsIndex, createEntityRegistry, createRuntimeHandler, entityStateSchema, getCronStreamPath, getCronStreamPathFromSpec, getEntitiesStreamPath, getNextCronFireAt, getSharedStateStreamPath, manifestChildKey, manifestSharedStateKey, manifestSourceKey, normalizeTags, parseCronStreamPath, resolveCronScheduleSpec, sourceRefForTags } from "@electric-ax/agents-runtime";
+import { appendPathToUrl, assertTags, buildTagsIndex, createEntityRegistry, createRuntimeHandler, entityStateSchema, getCronStreamPath, getCronStreamPathFromSpec, getEntitiesStreamPath, getNextCronFireAt, getSharedStateStreamPath, manifestChildKey, manifestSharedStateKey, manifestSourceKey, normalizeTags, parseCronStreamPath, resolveCronScheduleSpec, sourceRefForTags, verifyWebhookSignature } from "@electric-ax/agents-runtime";
 import fs, { existsSync } from "node:fs";
 import path, { dirname, resolve } from "node:path";
 import { drizzle } from "drizzle-orm/postgres-js";
@@ -19,7 +19,7 @@ import { SpanKind, SpanStatusCode, context, propagation, trace } from "@opentele
 import { Type } from "@sinclair/typebox";
 import pino from "pino";
 import Ajv from "ajv";
-import { createHash, randomUUID } from "node:crypto";
+import { createHash, createPrivateKey, createPublicKey, generateKeyPairSync, randomUUID, sign } from "node:crypto";
 import fastq from "fastq";
 import { ShapeStream, isChangeMessage, isControlMessage } from "@electric-sql/client";
 
@@ -1378,6 +1378,87 @@ function isLoopbackHostname(hostname) {
 	return hostname === `localhost` || hostname === `127.0.0.1` || hostname === `::1`;
 }
 
+//#endregion
+//#region src/webhook-signing.ts
+const encoder = new TextEncoder();
+const defaultWebhookSigner = createEd25519WebhookSigner();
+function createEd25519WebhookSigner(options = {}) {
+	const privateKey = options.privateKey ? importPrivateKey(options.privateKey) : generateKeyPairSync(`ed25519`).privateKey;
+	if (privateKey.asymmetricKeyType !== `ed25519`) throw new Error(`Webhook signing key must be an Ed25519 private key`);
+	const publicJwk = buildPublicJwk(privateKey, options.kid);
+	return {
+		sign: (body) => signWebhookBody(privateKey, publicJwk.kid, body),
+		jwks: () => ({ keys: [{ ...publicJwk }] })
+	};
+}
+function getDefaultWebhookSigner() {
+	return defaultWebhookSigner;
+}
+async function webhookSigningMetadata(signer, streamRootUrl) {
+	const jwks = await signer.jwks();
+	const key = jwks.keys[0];
+	if (!key) throw new Error(`Webhook signer did not provide any public keys`);
+	return {
+		alg: `ed25519`,
+		kid: key.kid,
+		jwks_url: appendPathToUrl(streamRootUrl, `/__ds/jwks.json`)
+	};
+}
+function signWebhookBody(privateKey, kid, body) {
+	const timestamp$1 = Math.floor(Date.now() / 1e3);
+	const payload = bytesWithTimestamp(timestamp$1, body);
+	const signature = sign(null, payload, privateKey).toString(`base64url`);
+	return `t=${timestamp$1},kid=${kid},ed25519=${signature}`;
+}
+function bytesWithTimestamp(timestamp$1, body) {
+	const prefix = encoder.encode(`${timestamp$1}.`);
+	const bodyBytes = typeof body === `string` ? encoder.encode(body) : body;
+	return Buffer.concat([Buffer.from(prefix), Buffer.from(bodyBytes)]);
+}
+function importPrivateKey(input) {
+	if (isKeyObject(input)) return input;
+	if (typeof input === `string`) {
+		const trimmed = input.trim();
+		if (trimmed.startsWith(`{`)) return createPrivateKey({
+			key: JSON.parse(trimmed),
+			format: `jwk`
+		});
+		return createPrivateKey(trimmed.replace(/\\n/g, `\n`));
+	}
+	if (Buffer.isBuffer(input)) return createPrivateKey(input);
+	return createPrivateKey({
+		key: input,
+		format: `jwk`
+	});
+}
+function isKeyObject(input) {
+	return typeof input === `object` && `type` in input && input.type === `private`;
+}
+function buildPublicJwk(privateKey, kid) {
+	const exported = createPublicKey(privateKey).export({ format: `jwk` });
+	if (exported.kty !== `OKP` || exported.crv !== `Ed25519` || !exported.x) throw new Error(`Failed to export Ed25519 webhook signing key`);
+	return {
+		kty: `OKP`,
+		crv: `Ed25519`,
+		x: exported.x,
+		kid: kid ?? deriveKeyId({
+			kty: exported.kty,
+			crv: exported.crv,
+			x: exported.x
+		}),
+		use: `sig`,
+		alg: `EdDSA`
+	};
+}
+function deriveKeyId(jwk) {
+	const thumbprintInput = JSON.stringify({
+		crv: jwk.crv,
+		kty: jwk.kty,
+		x: jwk.x
+	});
+	return `ds_${createHash(`sha256`).update(thumbprintInput).digest(`base64url`)}`;
+}
+
 //#endregion
 //#region src/routing/durable-streams-router.ts
 const subscriptionProxyBodySchema = Type.Object({ webhook: Type.Optional(Type.Object({ url: Type.String() }, { additionalProperties: true })) }, { additionalProperties: true });
@@ -1394,6 +1475,7 @@ durableStreamsRouter.delete(`/__ds/subscriptions/:subscriptionId`, deleteSubscri
 durableStreamsRouter.post(`/__ds/subscriptions/:subscriptionId/streams`, postSubscriptionStreams);
 durableStreamsRouter.delete(`/__ds/subscriptions/:subscriptionId/streams/:streamPath+`, deleteSubscriptionStream);
 for (const action of subscriptionControlActions) durableStreamsRouter.post(`/__ds/subscriptions/:subscriptionId/${action}`, subscriptionAction(action));
+durableStreamsRouter.get(`/__ds/jwks.json`, webhookJwks);
 durableStreamsRouter.all(`/__ds`, controlPassThrough);
 durableStreamsRouter.all(`/__ds/*`, controlPassThrough);
 durableStreamsRouter.post(`*`, streamAppend);
@@ -1402,12 +1484,16 @@ function bodyFromBytes$1(body) {
 	return body.buffer.slice(body.byteOffset, body.byteOffset + body.byteLength);
 }
 function responseFromUpstream$1(response, body) {
-	return new Response(body ? bodyFromBytes$1(body) : response.body, {
+	const responseBody = forbidsResponseBody$1(response.status) ? null : body !== void 0 ? bodyFromBytes$1(body) : response.body;
+	return new Response(responseBody, {
 		status: response.status,
 		statusText: response.statusText,
 		headers: responseHeaders(response)
 	});
 }
+function forbidsResponseBody$1(status$1) {
+	return status$1 === 204 || status$1 === 205 || status$1 === 304;
+}
 async function forwardToDurableStreams(ctx, request, body, route = `stream`, urlOverride, durableStreamsBearerMode = `overwrite`) {
 	const headers = new Headers(request.headers);
 	headers.delete(`host`);
@@ -1441,28 +1527,32 @@ function rewriteSubscriptionBodyForBackend(payload, service, routingAdapter) {
 		return next;
 	});
 }
-function rewriteSubscriptionResponseForClient(bytes, response, service, routingAdapter) {
+async function rewriteSubscriptionResponseForClient(bytes, response, ctx, routingAdapter) {
 	if (!response.headers.get(`content-type`)?.includes(`application/json`)) return bytes;
 	const payload = decodeJson(bytes);
 	if (!payload) return bytes;
-	if (typeof payload.pattern === `string`) payload.pattern = routingAdapter.toRuntimeStreamPath(service, payload.pattern);
+	if (typeof payload.pattern === `string`) payload.pattern = routingAdapter.toRuntimeStreamPath(ctx.service, payload.pattern);
 	if (Array.isArray(payload.streams)) payload.streams = payload.streams.map((stream) => {
-		if (typeof stream === `string`) return routingAdapter.toRuntimeStreamPath(service, stream);
+		if (typeof stream === `string`) return routingAdapter.toRuntimeStreamPath(ctx.service, stream);
 		if (stream && typeof stream === `object` && typeof stream.path === `string`) return {
 			...stream,
-			path: routingAdapter.toRuntimeStreamPath(service, stream.path)
+			path: routingAdapter.toRuntimeStreamPath(ctx.service, stream.path)
 		};
 		return stream;
 	});
-	if (typeof payload.wake_stream === `string`) payload.wake_stream = routingAdapter.toRuntimeStreamPath(service, payload.wake_stream);
-	if (typeof payload.stream === `string`) payload.stream = routingAdapter.toRuntimeStreamPath(service, payload.stream);
+	if (typeof payload.wake_stream === `string`) payload.wake_stream = routingAdapter.toRuntimeStreamPath(ctx.service, payload.wake_stream);
+	if (typeof payload.stream === `string`) payload.stream = routingAdapter.toRuntimeStreamPath(ctx.service, payload.stream);
 	if (Array.isArray(payload.acks)) payload.acks = payload.acks.map((ack) => {
 		if (!ack || typeof ack !== `object`) return ack;
 		const next = { ...ack };
-		if (typeof next.stream === `string`) next.stream = routingAdapter.toRuntimeStreamPath(service, next.stream);
-		if (typeof next.path === `string`) next.path = routingAdapter.toRuntimeStreamPath(service, next.path);
+		if (typeof next.stream === `string`) next.stream = routingAdapter.toRuntimeStreamPath(ctx.service, next.stream);
+		if (typeof next.path === `string`) next.path = routingAdapter.toRuntimeStreamPath(ctx.service, next.path);
 		return next;
 	});
+	if (payload.webhook && typeof payload.webhook === `object` && !Array.isArray(payload.webhook)) {
+		const webhook = payload.webhook;
+		webhook.signing = await webhookSigningMetadata(resolveWebhookSigner$1(ctx), ctx.publicUrl);
+	}
 	return new TextEncoder().encode(JSON.stringify(payload));
 }
 function decodeJson(bytes) {
@@ -1481,6 +1571,9 @@ function routeParam$2(request, name) {
 function subscriptionRoutingAdapter(ctx) {
 	return resolveDurableStreamsRoutingAdapter(ctx.durableStreamsRouting, ctx.durableStreamsUrl);
 }
+function resolveWebhookSigner$1(ctx) {
+	return ctx.webhookSigner ?? getDefaultWebhookSigner();
+}
 async function rewriteSubscriptionRequestBody(request, ctx, subscriptionId, routingAdapter) {
 	const body = await readRequestBody(request);
 	if (body.length === 0) return {
@@ -1509,7 +1602,7 @@ async function rewriteSubscriptionRequestBody(request, ctx, subscriptionId, rout
 async function forwardSubscriptionRequest(request, ctx, routingAdapter, opts = {}) {
 	const upstream = await forwardToDurableStreams(ctx, request, opts.body, `control`, opts.requestUrl, opts.bearerMode ?? `overwrite`);
 	let responseBytes = upstream.body ? new Uint8Array(await upstream.arrayBuffer()) : new Uint8Array();
-	responseBytes = rewriteSubscriptionResponseForClient(responseBytes, upstream, ctx.service, routingAdapter);
+	responseBytes = await rewriteSubscriptionResponseForClient(responseBytes, upstream, ctx, routingAdapter);
 	return {
 		upstream,
 		response: responseFromUpstream$1(upstream, responseBytes)
@@ -1582,6 +1675,15 @@ async function controlPassThrough(request, ctx) {
 	const upstream = await forwardToDurableStreams(ctx, request, void 0, `control`);
 	return responseFromUpstream$1(upstream);
 }
+async function webhookJwks(_request, ctx) {
+	return new Response(JSON.stringify(await resolveWebhookSigner$1(ctx).jwks()), {
+		status: 200,
+		headers: {
+			"content-type": `application/jwk-set+json`,
+			"cache-control": `public, max-age=300`
+		}
+	});
+}
 async function streamAppend(request, ctx) {
 	return await electricAgentsStreamAppendRouter.fetch(createStreamAppendRouteRequest(request), ctx.runtime, (req, body) => forwardFetchRequest({
 		request: {
@@ -1966,7 +2068,7 @@ var PostgresRegistry = class {
 		const heartbeatAt = input.heartbeatAt ?? new Date();
 		await this.db.update(consumerClaims).set({
 			lastHeartbeatAt: heartbeatAt,
-			leaseExpiresAt: input.leaseExpiresAt ?? null,
+			...input.leaseExpiresAt !== void 0 ? { leaseExpiresAt: input.leaseExpiresAt } : {},
 			updatedAt: heartbeatAt
 		}).where(and(eq(consumerClaims.tenantId, this.tenantId), eq(consumerClaims.consumerId, input.consumerId), eq(consumerClaims.epoch, input.epoch)));
 	}
@@ -1979,17 +2081,24 @@ var PostgresRegistry = class {
 			updatedAt: releasedAt
 		}).where(and(eq(consumerClaims.tenantId, this.tenantId), eq(consumerClaims.consumerId, input.consumerId), eq(consumerClaims.epoch, input.epoch))).returning();
 		const claim = rows[0] ? this.rowToConsumerClaim(rows[0]) : null;
-		if (claim) await this.db.update(entityDispatchState).set({
-			activeConsumerId: null,
-			activeRunnerId: null,
-			activeEpoch: null,
-			activeClaimedAt: null,
-			activeLeaseExpiresAt: null,
-			lastReleasedAt: releasedAt,
-			lastCompletedAt: releasedAt,
-			updatedAt: releasedAt
-		}).where(and(eq(entityDispatchState.tenantId, this.tenantId), eq(entityDispatchState.entityUrl, claim.entity_url), eq(entityDispatchState.activeConsumerId, input.consumerId), eq(entityDispatchState.activeEpoch, input.epoch)));
-		return claim;
+		let entityCleared = false;
+		if (claim) {
+			const cleared = await this.db.update(entityDispatchState).set({
+				activeConsumerId: null,
+				activeRunnerId: null,
+				activeEpoch: null,
+				activeClaimedAt: null,
+				activeLeaseExpiresAt: null,
+				lastReleasedAt: releasedAt,
+				lastCompletedAt: releasedAt,
+				updatedAt: releasedAt
+			}).where(and(eq(entityDispatchState.tenantId, this.tenantId), eq(entityDispatchState.entityUrl, claim.entity_url), eq(entityDispatchState.activeConsumerId, input.consumerId), eq(entityDispatchState.activeEpoch, input.epoch))).returning({ entityUrl: entityDispatchState.entityUrl });
+			entityCleared = cleared.length > 0;
+		}
+		return {
+			claim,
+			entityCleared
+		};
 	}
 	async getActiveClaimsForRunner(runnerId) {
 		const rows = await this.db.select().from(consumerClaims).where(and(eq(consumerClaims.tenantId, this.tenantId), eq(consumerClaims.runnerId, runnerId), eq(consumerClaims.status, `active`)));
@@ -5117,12 +5226,16 @@ function bodyFromBytes(body) {
 	return body.buffer.slice(body.byteOffset, body.byteOffset + body.byteLength);
 }
 function responseFromUpstream(response, body) {
-	return new Response(body ? bodyFromBytes(body) : response.body, {
+	const responseBody = forbidsResponseBody(response.status) ? null : body !== void 0 ? bodyFromBytes(body) : response.body;
+	return new Response(responseBody, {
 		status: response.status,
 		statusText: response.statusText,
 		headers: responseHeaders(response)
 	});
 }
+function forbidsResponseBody(status$1) {
+	return status$1 === 204 || status$1 === 205 || status$1 === 304;
+}
 function forwardHeadersFromRequest(request) {
 	const headers = new Headers(request.headers);
 	headers.delete(`host`);
@@ -5131,6 +5244,45 @@ function forwardHeadersFromRequest(request) {
 function durableStreamsSubscriptionCallback(value) {
 	return value.startsWith(DS_SUBSCRIPTION_CALLBACK_PREFIX) ? value.slice(DS_SUBSCRIPTION_CALLBACK_PREFIX.length) : null;
 }
+function resolveWebhookSigner(ctx) {
+	return ctx.webhookSigner ?? getDefaultWebhookSigner();
+}
+function durableStreamsWebhookJwksUrl(ctx) {
+	if (!ctx.durableStreamsRouting) return appendPathToUrl(ctx.durableStreamsUrl, `/__ds/jwks.json`);
+	return resolveDurableStreamsRoutingAdapter(ctx.durableStreamsRouting, ctx.durableStreamsUrl).controlUrl({
+		durableStreamsUrl: ctx.durableStreamsUrl,
+		serviceId: ctx.service,
+		requestUrl: appendPathToUrl(ctx.publicUrl, `/__ds/jwks.json`)
+	}).toString();
+}
+function durableStreamsJwksFetchClient(ctx) {
+	return async (input, init) => {
+		const headers = new Headers(init?.headers);
+		await applyDurableStreamsBearer(headers, ctx.durableStreamsBearer, { overwrite: false });
+		const nextInit = {
+			...init ?? {},
+			headers
+		};
+		if (ctx.durableStreamsDispatcher) nextInit.dispatcher = ctx.durableStreamsDispatcher;
+		return await fetch(input, nextInit);
+	};
+}
+function resolveDurableStreamsWebhookSignature(ctx) {
+	if (ctx.durableStreamsWebhookSignature === false) return false;
+	return {
+		jwksUrl: ctx.durableStreamsWebhookSignature?.jwksUrl ?? durableStreamsWebhookJwksUrl(ctx),
+		toleranceSeconds: ctx.durableStreamsWebhookSignature?.toleranceSeconds,
+		cacheTtlMs: ctx.durableStreamsWebhookSignature?.cacheTtlMs,
+		fetchClient: ctx.durableStreamsWebhookSignature?.fetchClient ?? durableStreamsJwksFetchClient(ctx)
+	};
+}
+async function verifyDurableStreamsWebhook(request, ctx, body) {
+	const config = resolveDurableStreamsWebhookSignature(ctx);
+	if (config === false) return null;
+	const verification = await verifyWebhookSignature(body, request.headers.get(`webhook-signature`), config);
+	if (verification.ok) return null;
+	return apiError(verification.status, verification.status === 401 ? ErrCodeUnauthorized : `WEBHOOK_SIGNATURE_UNAVAILABLE`, verification.error);
+}
 function claimTokenFromRequest(request) {
 	const electricClaimToken = request.headers.get(`electric-claim-token`)?.trim();
 	if (electricClaimToken) return electricClaimToken;
@@ -5164,7 +5316,10 @@ async function webhookForward(request, ctx) {
 	const rootSpan = getRequestSpan(request);
 	rootSpan?.updateName(`webhook-forward`);
 	rootSpan?.setAttribute(`electric_agents.webhook.subscription_id`, subscriptionId);
-	const lookupPromise = tracer.startActiveSpan(`db.lookupSubscription`, async (span) => {
+	const body = await readRequestBody(request);
+	const signatureError = await verifyDurableStreamsWebhook(request, ctx, body);
+	if (signatureError) return signatureError;
+	const targetWebhookUrl = await tracer.startActiveSpan(`db.lookupSubscription`, async (span) => {
 		try {
 			const rows = await ctx.pgDb.select().from(subscriptionWebhooks).where(and(eq(subscriptionWebhooks.tenantId, ctx.service), eq(subscriptionWebhooks.subscriptionId, subscriptionId))).limit(1);
 			return rows[0]?.webhookUrl ?? null;
@@ -5172,7 +5327,6 @@ async function webhookForward(request, ctx) {
 			span.end();
 		}
 	});
-	const [targetWebhookUrl, body] = await Promise.all([lookupPromise, readRequestBody(request)]);
 	if (!targetWebhookUrl) return apiError(404, ErrCodeSubscriptionNotFound, `Unknown webhook subscription`);
 	const parsedBodyResult = validateOptionalJsonBody(webhookForwardBodySchema, body, request.headers.get(`content-type`));
 	if (!parsedBodyResult.ok) return parsedBodyResult.response;
@@ -5261,6 +5415,7 @@ async function webhookForward(request, ctx) {
 	const headers = forwardHeadersFromRequest(request);
 	headers.set(`content-type`, `application/json`);
 	headers.delete(`content-length`);
+	headers.set(`webhook-signature`, await resolveWebhookSigner(ctx).sign(forwardBody));
 	let upstream;
 	try {
 		upstream = await tracer.startActiveSpan(`fetch.agent-handler`, async (span) => {
@@ -5348,8 +5503,9 @@ async function callbackForward(request, ctx) {
 			serverLog.info(`[callback-forward] done received for stream=${target.primaryStream} consumer=${consumerId}`);
 			const stillOwnsClaim = ctx.runtime.claimWriteTokens.owns(ctx.service, target.primaryStream, consumerId);
 			const entity = await ctx.entityManager.registry.getEntityByStream(target.primaryStream);
-			if (entity && stillOwnsClaim) {
-				if (epoch !== void 0) await ctx.entityManager.registry.materializeReleasedClaim?.({
+			let entityCleared = false;
+			if (epoch !== void 0) {
+				const result = await ctx.entityManager.registry.materializeReleasedClaim?.({
 					consumerId,
 					epoch,
 					ackedStreams: Array.isArray(requestBody?.acks) ? requestBody.acks.flatMap((ack) => {
@@ -5361,13 +5517,15 @@ async function callbackForward(request, ctx) {
 						}] : [];
 					}) : void 0
 				});
+				entityCleared = result?.entityCleared ?? false;
+			}
+			if (entity && (entityCleared || stillOwnsClaim)) {
 				await ctx.entityManager.registry.updateStatus(entity.url, `idle`);
-				ctx.runtime.claimWriteTokens.clearStream(ctx.service, target.primaryStream);
 				await ctx.entityBridgeManager.onEntityChanged(entity.url);
 				serverLog.info(`[callback-forward] status updated to idle for ${entity.url}`);
-			} else if (stillOwnsClaim) ctx.runtime.claimWriteTokens.clearStream(ctx.service, target.primaryStream);
-			else if (entity) serverLog.info(`[callback-forward] done ignored for stale claim stream=${target.primaryStream} consumer=${consumerId}`);
-			else serverLog.warn(`[callback-forward] done received but no entity found for stream=${target.primaryStream}`);
+			} else if (!entity) serverLog.warn(`[callback-forward] done received but no entity found for stream=${target.primaryStream}`);
+			if (stillOwnsClaim) ctx.runtime.claimWriteTokens.clearStream(ctx.service, target.primaryStream);
+			else if (entity) serverLog.info(`[callback-forward] done arrived after in-memory token evicted (stream=${target.primaryStream} consumer=${consumerId})`);
 		} else if (requestBody?.done === true) serverLog.warn(`[callback-forward] done received but skipped: upstream.ok=${upstream.ok} primaryStream=${target.primaryStream ?? `null`} consumer=${consumerId}`);
 	} catch (err) {
 		serverLog.error(`[callback-forward] error processing done for consumer=${consumerId}: ${err instanceof Error ? err.message : String(err)}`);
@@ -7560,11 +7718,13 @@ var ElectricAgentsServer = class {
 	shuttingDown = false;
 	streamsAgent;
 	standaloneRuntime;
+	webhookSigner;
 	streamClient;
 	options;
 	constructor(options) {
 		if (!options.durableStreamsUrl && !options.durableStreamsServer) throw new Error(`Either durableStreamsUrl or durableStreamsServer is required`);
 		this.options = options;
+		this.webhookSigner = options.webhookSigner ?? createEd25519WebhookSigner({ privateKey: options.webhookSigningKey });
 		this.streamClient = options.durableStreamsUrl ? new StreamClient(options.durableStreamsUrl, { bearer: options.durableStreamsBearer }) : null;
 	}
 	get url() {
@@ -7720,6 +7880,8 @@ var ElectricAgentsServer = class {
 			durableStreamsBearer: this.options.durableStreamsBearer,
 			durableStreamsRouting: this.options.durableStreamsRouting,
 			durableStreamsDispatcher: this.streamsAgent,
+			durableStreamsWebhookSignature: this.options.durableStreamsWebhookSignature,
+			webhookSigner: this.webhookSigner,
 			electricUrl: this.options.electricUrl,
 			electricSecret: this.options.electricSecret,
 			ownAgentHandlerPaths: this.mockAgentBootstrap ? [MOCK_AGENT_HANDLER_PATH] : void 0,
@@ -7790,6 +7952,7 @@ function resolveElectricAgentsEntrypointOptions(env = process.env, cwd = process
 	const postgresUrl = validateUrl(`Postgres URL`, readRequiredEnv(env, [`ELECTRIC_AGENTS_DATABASE_URL`, `DATABASE_URL`], `Postgres connection URL`));
 	const electricUrl = readEnv(env, [`ELECTRIC_AGENTS_ELECTRIC_URL`, `ELECTRIC_URL`]);
 	const electricSecret = readEnv(env, [`ELECTRIC_AGENTS_ELECTRIC_SECRET`]);
+	const webhookSigningKey = readEnv(env, [`ELECTRIC_AGENTS_WEBHOOK_SIGNING_PRIVATE_KEY`, `WEBHOOK_SIGNING_PRIVATE_KEY`]);
 	const baseUrl = readEnv(env, [`ELECTRIC_AGENTS_BASE_URL`, `BASE_URL`]);
 	return {
 		service: readEnv(env, [`ELECTRIC_AGENTS_SERVICE`, `SERVICE`]),
@@ -7800,6 +7963,7 @@ function resolveElectricAgentsEntrypointOptions(env = process.env, cwd = process
 		postgresUrl,
 		electricUrl: electricUrl ? validateUrl(`Electric URL`, electricUrl) : void 0,
 		electricSecret,
+		webhookSigningKey,
 		host: readEnv(env, [`ELECTRIC_AGENTS_HOST`, `HOST`]) ?? DEFAULT_HOST,
 		port: readPort(env),
 		workingDirectory: readEnv(env, [`ELECTRIC_AGENTS_WORKING_DIRECTORY`, `WORKING_DIRECTORY`]) ?? cwd,