@hogsend/engine 0.7.0 → 0.8.0

package/src/lib/outbound.ts

@@ -0,0 +1,216 @@
+import { randomUUID } from "node:crypto";
+import type { HatchetClient } from "@hatchet-dev/typescript-sdk/v1/index.js";
+import {
+  type Database,
+  webhookDeliveries,
+  webhookEndpoints,
+} from "@hogsend/db";
+import { and, eq, isNull, sql } from "drizzle-orm";
+import { deliverWebhookTask } from "../workflows/deliver-webhook.js";
+import type { SerializedContact } from "./contacts.js";
+import type { Logger } from "./logger.js";
+import {
+  WEBHOOK_EVENT_TYPES,
+  type WebhookEventType,
+} from "./webhook-signing.js";
+
+export {
+  type ResendEmailSendContext,
+  resolveEmailSendContextByResendId,
+} from "./tracking-events.js";
+
+/**
+ * The outbound event catalog re-exported for the emit spine. Identical to the
+ * signing lib's {@link WEBHOOK_EVENT_TYPES} — the single source of truth.
+ */
+export const OUTBOUND_EVENTS = WEBHOOK_EVENT_TYPES;
+export type OutboundEventName = WebhookEventType;
+
+interface EmailEventPayload {
+  emailSendId: string;
+  resendId: string | null;
+  templateKey: string | null;
+  userId: string | null;
+  to: string;
+  at: string;
+}
+
+interface BucketEventPayload {
+  bucketId: string;
+  bucketName: string;
+  userId: string;
+  userEmail: string | null;
+  transition: "entered" | "left";
+  entryCount: number;
+  source: string;
+}
+
+/**
+ * The typed per-event payload map. `data` in each delivered envelope is exactly
+ * `OutboundPayloads[E]` for the emitted event `E`. Producers (the 12 hook
+ * points) construct these; subscribers receive them under `envelope.data`.
+ */
+export interface OutboundPayloads {
+  "contact.created": SerializedContact;
+  "contact.updated": SerializedContact;
+  "contact.deleted": {
+    id: string;
+    externalId: string | null;
+    email: string | null;
+  };
+  "contact.unsubscribed": {
+    externalId: string | null;
+    email: string | null;
+    category: string | null;
+    scope: "all" | "category";
+  };
+  "email.sent": {
+    emailSendId: string;
+    resendId: string;
+    templateKey: string | null;
+    to: string;
+    userId: string | null;
+    category: string | null;
+    journeyStateId: string | null;
+    subject: string;
+    sentAt: string;
+  };
+  "email.delivered": EmailEventPayload;
+  "email.opened": EmailEventPayload;
+  "email.clicked": EmailEventPayload & { linkUrl?: string; linkId?: string };
+  "email.bounced": EmailEventPayload & {
+    bounceType?: string;
+    bounceReason?: string;
+  };
+  "journey.completed": {
+    journeyId: string;
+    journeyName: string;
+    stateId: string;
+    userId: string;
+    userEmail: string;
+    completedAt: string;
+  };
+  "bucket.entered": BucketEventPayload;
+  "bucket.left": BucketEventPayload & { reason?: string };
+}
+
+/**
+ * The signed envelope shape written to `webhook_deliveries.payload` and sent
+ * verbatim to subscribers. `id` is the shared `Webhook-Id`; `timestamp` is the
+ * logical-event time (ISO); `data` is the typed per-event payload.
+ */
+interface OutboundEnvelope<E extends OutboundEventName> {
+  id: string;
+  type: E;
+  timestamp: string;
+  data: OutboundPayloads[E];
+}
+
+/**
+ * THE fire-and-forget emit spine. It does NOT deliver — it selects the active,
+ * subscribed endpoints for `event`, inserts one `webhook_deliveries` row per
+ * endpoint (all sharing ONE `webhookId` = the `Webhook-Id` header), and enqueues
+ * the durable {@link deliverWebhookTask} per inserted row.
+ *
+ * Idempotency: when `dedupeKey` is provided, the unique
+ * `(endpointId, dedupeKey)` index makes a re-emit (e.g. a Hatchet retry of the
+ * producing task) a no-op via `onConflictDoNothing` — no duplicate row, no
+ * second enqueue. Events without a `dedupeKey` are never deduped (NULL keys are
+ * distinct in Postgres), which is correct for non-retryable emit points.
+ *
+ * NEVER throws to callers. Internal failures (endpoint select, insert, enqueue)
+ * are logged via `logger.warn` and swallowed so a transient outbound error can
+ * never fail a contact upsert / email send / journey step. Callers MUST STILL
+ * wrap the call as `void emitOutbound(...).catch(logger.warn)` — the `.catch` is
+ * defence-in-depth against a programming error that escapes this guard.
+ *
+ * Single-tenant: only endpoints with `organizationId IS NULL` are selected and
+ * the delivery rows are written with `organizationId ?? null`. Multi-tenant
+ * scoping is a later non-breaking change.
+ */
+export async function emitOutbound<E extends OutboundEventName>(opts: {
+  db: Database;
+  hatchet: HatchetClient;
+  logger: Logger;
+  event: E;
+  payload: OutboundPayloads[E];
+  dedupeKey?: string;
+  organizationId?: string | null;
+}): Promise<void> {
+  const { db, logger, event, payload, dedupeKey } = opts;
+  const organizationId = opts.organizationId ?? null;
+
+  try {
+    const webhookId = `msg_${randomUUID()}`;
+    const timestamp = new Date();
+
+    // (2) Active, subscribed endpoints. `event_types @> '["<event>"]'` matches
+    // the jsonb array containing this event. Single-tenant: organizationId IS
+    // NULL (NOT a hardcoded tenant — keeps the MT wiring non-breaking).
+    const endpoints = await db
+      .select({ id: webhookEndpoints.id })
+      .from(webhookEndpoints)
+      .where(
+        and(
+          eq(webhookEndpoints.disabled, false),
+          isNull(webhookEndpoints.organizationId),
+          sql`${webhookEndpoints.eventTypes} @> ${JSON.stringify([event])}::jsonb`,
+        ),
+      );
+
+    if (endpoints.length === 0) return;
+
+    // (3) The frozen envelope — signed + sent verbatim by the delivery task.
+    const envelope: OutboundEnvelope<E> = {
+      id: webhookId,
+      type: event,
+      timestamp: timestamp.toISOString(),
+      data: payload,
+    };
+
+    // (4) One delivery row per endpoint, sharing the webhookId. onConflictDoNothing
+    // on (endpointId, dedupeKey) is the producer-side fan-out idempotency guard.
+    const inserted = await db
+      .insert(webhookDeliveries)
+      .values(
+        endpoints.map((endpoint) => ({
+          endpointId: endpoint.id,
+          organizationId,
+          webhookId,
+          eventType: event,
+          dedupeKey: dedupeKey ?? null,
+          payload: envelope as unknown as Record<string, unknown>,
+          status: "pending" as const,
+          attemptCount: 0,
+          nextRetryAt: timestamp,
+        })),
+      )
+      .onConflictDoNothing({
+        target: [webhookDeliveries.endpointId, webhookDeliveries.dedupeKey],
+      })
+      .returning({ id: webhookDeliveries.id });
+
+    // (5) Enqueue the durable delivery task per freshly-inserted row,
+    // fire-and-forget. A failed enqueue is recovered by the reaper (the row is
+    // already `pending` with `nextRetryAt <= now`), so a broker hiccup here only
+    // delays — never drops — a delivery.
+    for (const row of inserted) {
+      void deliverWebhookTask
+        .runNoWait({ deliveryId: row.id })
+        .catch((error: unknown) => {
+          logger.warn("emitOutbound: deliverWebhookTask enqueue failed", {
+            deliveryId: row.id,
+            event,
+            error: error instanceof Error ? error.message : String(error),
+          });
+        });
+    }
+  } catch (error) {
+    // FAIL-SAFE: never propagate an outbound error onto the producer's hot path.
+    logger.warn("emitOutbound failed", {
+      event,
+      dedupeKey,
+      error: error instanceof Error ? error.message : String(error),
+    });
+  }
+}

package/src/lib/preferences.ts

@@ -2,6 +2,11 @@ import type { Database } from "@hogsend/db";
 import { emailPreferences } from "@hogsend/db";
 import { sql } from "drizzle-orm";
 import { resolveRecipient } from "./contacts.js";
+import { hatchet } from "./hatchet.js";
+import { createLogger } from "./logger.js";
+import { emitOutbound } from "./outbound.js";
+
+const logger = createLogger(process.env.LOG_LEVEL);
 
 /**
  * Single source of truth for an `email_preferences` upsert: the `(user_id, email)`
@@ -61,6 +66,32 @@ export async function upsertEmailPreference(opts: {
       target: [emailPreferences.userId, emailPreferences.email],
       set: setClause,
     });
+
+  // OUTBOUND `contact.unsubscribed` — this is the SINGLE choke for ALL preference
+  // writes (token unsub, preference center, list-membership flips), so the emit
+  // lives here once. GATED to a genuine opt-OUT only: a full unsubscribe
+  // (`unsubscribedAll === true`) or a category flip to false. A resubscribe
+  // (`unsubscribedAll === false` / `categoryValue === true`) does NOT emit. Uses
+  // the engine `hatchet`/`logger` singletons (this lib has no request container);
+  // fire-and-forget so a transient outbound error never fails the pref write.
+  const isUnsubscribe =
+    update.unsubscribedAll === true || update.categoryValue === false;
+  if (isUnsubscribe) {
+    const scope: "all" | "category" =
+      update.unsubscribedAll === true ? "all" : "category";
+    void emitOutbound({
+      db,
+      hatchet,
+      logger,
+      event: "contact.unsubscribed",
+      payload: {
+        externalId,
+        email,
+        category: update.categoryKey ?? null,
+        scope,
+      },
+    }).catch(logger.warn);
+  }
 }
 
 /**

package/src/lib/tracked.ts

@@ -20,7 +20,15 @@ import type {
   TrackedSendResult,
 } from "./email-service-types.js";
 import { isFrequencyCapped } from "./frequency-cap.js";
-import type { Logger } from "./logger.js";
+import { hatchet } from "./hatchet.js";
+import { createLogger, type Logger } from "./logger.js";
+import { emitOutbound } from "./outbound.js";
+
+// Module-level fallback logger for the outbound emit — the tracked-mailer's
+// `logger` dep is optional, but `emitOutbound` requires one. Mirrors the
+// `createLogger(process.env.LOG_LEVEL)` singleton pattern used elsewhere in the
+// engine libs (define-journey, preferences).
+const emitLogger = createLogger(process.env.LOG_LEVEL);
 
 export type PrepareTrackedHtmlFn = (opts: {
   html: string;
@@ -270,16 +278,50 @@ export async function sendTrackedEmail<K extends TemplateName>(
       replyTo: options.replyTo,
     });
 
+    const sentAt = new Date();
     await db
       .update(emailSends)
       .set({
         resendId: result.id,
         status: "sent",
-        sentAt: new Date(),
-        updatedAt: new Date(),
+        sentAt,
+        updatedAt: sentAt,
       })
       .where(eq(emailSends.id, emailSendId));
 
+    // OUTBOUND `email.sent` — fired ONLY on a real provider-accepted send (this
+    // success branch). Suppressed/frequency-capped/failed branches and the
+    // `db === undefined` mailer fallback do NOT reach here, so they never emit.
+    // `dedupeKey` = `email.sent:<emailSendId>`: this runs inside the tracked
+    // mailer which a journey (a Hatchet-retryable durable task) invokes, so a
+    // re-execution recomputes the identical key and the unique
+    // `(endpointId, dedupeKey)` index absorbs the duplicate. STRICTLY
+    // fire-and-forget: an un-caught reject here would bubble into the catch below
+    // and wrongly re-mark the (already sent) row `failed` (risk 2).
+    void emitOutbound({
+      db,
+      hatchet,
+      logger: logger ?? emitLogger,
+      event: "email.sent",
+      dedupeKey: `email.sent:${emailSendId}`,
+      payload: {
+        emailSendId,
+        resendId: result.id,
+        templateKey: options.templateKey,
+        to: options.to,
+        userId: options.userId ?? null,
+        category: effectiveCategory ?? null,
+        journeyStateId: options.journeyStateId ?? null,
+        subject,
+        sentAt: sentAt.toISOString(),
+      },
+    }).catch((err: unknown) => {
+      (logger ?? emitLogger).warn("emitOutbound email.sent failed", {
+        emailSendId,
+        error: err instanceof Error ? err.message : String(err),
+      });
+    });
+
     return {
       emailSendId,
       resendId: result.id,

package/src/lib/tracking-events.ts

@@ -10,6 +10,8 @@ interface EmailSendContext {
   userId: string;
   userEmail: string;
   templateKey: string | null;
+  resendId: string | null;
+  to: string;
 }
 
 export async function resolveEmailSendContext(
@@ -20,6 +22,7 @@ export async function resolveEmailSendContext(
     .select({
       toEmail: emailSends.toEmail,
       templateKey: emailSends.templateKey,
+      resendId: emailSends.resendId,
       userId: journeyStates.userId,
       userEmail: journeyStates.userEmail,
     })
@@ -35,6 +38,58 @@ export async function resolveEmailSendContext(
     userId: row.userId ?? row.toEmail,
     userEmail: row.userEmail ?? row.toEmail,
     templateKey: row.templateKey,
+    resendId: row.resendId,
+    to: row.toEmail,
+  };
+}
+
+export interface ResendEmailSendContext {
+  emailSendId: string;
+  userId: string;
+  userEmail: string;
+  templateKey: string | null;
+  to: string;
+}
+
+/**
+ * Mirror of {@link resolveEmailSendContext} that resolves by the provider's
+ * `resendId` instead of the internal `email_sends.id`. Used by the
+ * provider-webhook enrichment path (`email.delivered`/`email.bounced`) where the
+ * only handle we hold is the Resend `email_id`.
+ *
+ * Returns the internal `emailSendId` plus the same denormalized identity
+ * (`userId`/`userEmail` fall back to the recipient address, exactly like the
+ * id-keyed resolver) and `to` recipient. Returns null when no send row carries
+ * that `resendId` yet (e.g. a webhook arriving before the send row is committed).
+ */
+export async function resolveEmailSendContextByResendId(
+  db: Database,
+  resendId: string,
+): Promise<ResendEmailSendContext | null> {
+  const rows = await db
+    .select({
+      emailSendId: emailSends.id,
+      toEmail: emailSends.toEmail,
+      templateKey: emailSends.templateKey,
+      userId: journeyStates.userId,
+      userEmail: journeyStates.userEmail,
+      sendUserId: emailSends.userId,
+      sendUserEmail: emailSends.userEmail,
+    })
+    .from(emailSends)
+    .leftJoin(journeyStates, eq(emailSends.journeyStateId, journeyStates.id))
+    .where(eq(emailSends.resendId, resendId))
+    .limit(1);
+
+  const row = rows[0];
+  if (!row) return null;
+
+  return {
+    emailSendId: row.emailSendId,
+    userId: row.userId ?? row.sendUserId ?? row.toEmail,
+    userEmail: row.userEmail ?? row.sendUserEmail ?? row.toEmail,
+    templateKey: row.templateKey,
+    to: row.toEmail,
   };
 }
 
@@ -47,6 +102,13 @@ export interface PushTrackingEventOpts {
   event: string;
   emailSendId: string;
   properties?: Record<string, unknown>;
+  /**
+   * Pre-resolved send context. When provided (including `null`), the duplicate
+   * `resolveEmailSendContext` read is skipped — the tracking routes resolve once
+   * and share the result with the outbound emit on the hot path. Omit to resolve
+   * lazily.
+   */
+  resolvedContext?: EmailSendContext | null;
 }
 
 export async function pushTrackingEvent(
@@ -54,7 +116,10 @@ export async function pushTrackingEvent(
 ): Promise<void> {
   const { db, hatchet, registry, logger, posthog, event, emailSendId } = opts;
 
-  const ctx = await resolveEmailSendContext(db, emailSendId);
+  const ctx =
+    opts.resolvedContext !== undefined
+      ? opts.resolvedContext
+      : await resolveEmailSendContext(db, emailSendId);
   if (!ctx) return;
 
   const properties: Record<string, unknown> = {

package/src/lib/webhook-signing.ts

@@ -0,0 +1,151 @@
+import { randomBytes } from "node:crypto";
+import { Webhook } from "svix";
+
+/**
+ * Outbound webhook signing core.
+ *
+ * Hogsend emits a Svix-style HMAC-SHA256 signed event stream. The signing
+ * scheme is the Standard Webhooks spec (the same one `svix` implements and that
+ * `plugin-resend` consumes for inbound Resend webhooks):
+ *
+ *   signedContent = `${id}.${timestampSeconds}.${body}`
+ *   signature     = base64( HMAC_SHA256( base64decode(secret without `whsec_`), signedContent ) )
+ *   header value  = `v1,${signature}`
+ *
+ * Pure `node:crypto` equivalent (documented for the SDK / spec consumers and
+ * subscriber-side verification without a `svix` dependency):
+ *
+ *   import { createHmac, timingSafeEqual } from "node:crypto";
+ *   const key = Buffer.from(secret.slice(6), "base64"); // drop the `whsec_` prefix
+ *   const sig = createHmac("sha256", key)
+ *     .update(`${id}.${ts}.${body}`)
+ *     .digest("base64");
+ *   const header = `v1,${sig}`;
+ *   // compare each space-delimited `v1,<sig>` candidate with timingSafeEqual.
+ */
+
+/**
+ * The 12-event catalog — the SINGLE source of truth (schema, routes, client,
+ * CLI all derive from this). The `webhook.test` sentinel is intentionally NOT a
+ * member (it is delivered out-of-band regardless of an endpoint's `eventTypes`).
+ */
+export const WEBHOOK_EVENT_TYPES = [
+  "contact.created",
+  "contact.updated",
+  "contact.deleted",
+  "contact.unsubscribed",
+  "email.sent",
+  "email.delivered",
+  "email.opened",
+  "email.clicked",
+  "email.bounced",
+  "journey.completed",
+  "bucket.entered",
+  "bucket.left",
+] as const;
+
+export type WebhookEventType = (typeof WEBHOOK_EVENT_TYPES)[number];
+
+/**
+ * Generate a new `whsec_<base64(32 bytes)>` signing secret plus its display
+ * prefix (safe to surface on list/get responses).
+ *
+ * NOTE: the secret body is STANDARD base64, not base64url. svix (via
+ * standardwebhooks → @stablelib/base64) strips the `whsec_` prefix and decodes
+ * the remainder with a STRICT standard-base64 decoder that rejects the `-`/`_`
+ * characters base64url emits (~74% of base64url secrets contain one and fail
+ * `new Webhook(secret)`). Standard base64 round-trips cleanly through both svix
+ * and the `node:crypto` fallback (`Buffer.from(secret.slice(6), "base64")`).
+ */
+export function generateWebhookSecret(): {
+  secret: string;
+  secretPrefix: string;
+} {
+  const secret = `whsec_${randomBytes(32).toString("base64")}`;
+  return { secret, secretPrefix: secret.slice(0, 12) };
+}
+
+export interface SignedWebhook {
+  headers: {
+    "Webhook-Id": string;
+    "Webhook-Timestamp": string;
+    "Webhook-Signature": string;
+    "Content-Type": "application/json";
+  };
+  /**
+   * The EXACT bytes that were signed AND must be sent. Never re-stringify the
+   * payload between signing and sending — the signature covers these bytes.
+   */
+  body: string;
+}
+
+/**
+ * Sign an outbound webhook payload, producing the Standard Webhooks header set
+ * (`Webhook-Id` / `Webhook-Timestamp` / `Webhook-Signature`) plus the exact
+ * `body` bytes that were signed.
+ *
+ * `timestamp` is unix SECONDS — the caller passes `Math.floor(Date.now()/1000)`.
+ * `payload` is JSON-stringified when an object; a string is used verbatim.
+ */
+export function signWebhook(opts: {
+  id: string;
+  timestamp: number;
+  payload: unknown;
+  secret: string;
+}): SignedWebhook {
+  const body =
+    typeof opts.payload === "string"
+      ? opts.payload
+      : JSON.stringify(opts.payload);
+
+  const wh = new Webhook(opts.secret);
+  // svix's `sign` takes the timestamp as a Date and floors it to seconds
+  // internally; pass the canonical seconds back through a Date to keep the exact
+  // value the caller intended.
+  const signature = wh.sign(opts.id, new Date(opts.timestamp * 1000), body);
+
+  return {
+    headers: {
+      "Webhook-Id": opts.id,
+      "Webhook-Timestamp": String(opts.timestamp),
+      "Webhook-Signature": signature,
+      "Content-Type": "application/json",
+    },
+    body,
+  };
+}
+
+/**
+ * Consumer/test-facing verification of an inbound Hogsend webhook. Enforces the
+ * 5-minute timestamp tolerance and uses a constant-time signature compare (both
+ * inside svix). Throws on a bad signature or stale timestamp.
+ *
+ * Accepts either Title-Case (`Webhook-Id`) or lowercase (`webhook-id`) header
+ * keys — and the `svix-*` aliases — by normalizing the header map first.
+ */
+export function verifyWebhookSignature(opts: {
+  payload: string;
+  headers: Record<string, string>;
+  secret: string;
+}): unknown {
+  const lowered: Record<string, string> = {};
+  for (const [key, value] of Object.entries(opts.headers)) {
+    lowered[key.toLowerCase()] = value;
+  }
+
+  // Coalesce to "" so a genuinely-absent header reaches svix as an empty
+  // string — svix then throws its own clear "Missing required header" rather
+  // than a type error here.
+  const id = lowered["webhook-id"] ?? lowered["svix-id"] ?? "";
+  const timestamp =
+    lowered["webhook-timestamp"] ?? lowered["svix-timestamp"] ?? "";
+  const signature =
+    lowered["webhook-signature"] ?? lowered["svix-signature"] ?? "";
+
+  const wh = new Webhook(opts.secret);
+  return wh.verify(opts.payload, {
+    "webhook-id": id,
+    "webhook-timestamp": timestamp,
+    "webhook-signature": signature,
+  });
+}

package/src/routes/admin/contacts.ts

@@ -9,6 +9,7 @@ import {
   serializeContact as serializeContactRow,
   serializePrefs,
 } from "../../lib/contacts.js";
+import { emitOutbound } from "../../lib/outbound.js";
 
 const contactSchema = z.object({
   id: z.string(),
@@ -262,13 +263,18 @@ export const contactsRouter = new OpenAPIHono<AppEnv>()
     );
   })
   .openapi(createRoute_, async (c) => {
-    const { db } = c.get("container");
+    const { db, hatchet, logger } = c.get("container");
     const body = c.req.valid("json");
 
     // Delegate to the identity resolver (D1): it upserts/merges on the provided
     // identity keys (externalId and/or email), so the hand-rolled existence
     // check + raw insert + 409 are gone (§5). Read the row back to serialize.
-    const { id } = await resolveOrCreateContact({
+    const {
+      id,
+      created: wasCreated,
+      linked,
+      merged,
+    } = await resolveOrCreateContact({
       db,
       userId: body.externalId,
       email: body.email,
@@ -280,10 +286,26 @@ export const contactsRouter = new OpenAPIHono<AppEnv>()
       throw new Error("Failed to create contact");
     }
 
+    // INTENT-LAYER outbound emit (decision #3): admin upsert mirrors the public
+    // route — `contact.created` on a real creation, `contact.updated` when an
+    // existing contact was linked/merged with a non-empty property delta.
+    const hadPropertyDelta = Boolean(
+      body.properties && Object.keys(body.properties).length > 0,
+    );
+    if (wasCreated || (linked || merged ? hadPropertyDelta : false)) {
+      void emitOutbound({
+        db,
+        hatchet,
+        logger,
+        event: wasCreated ? "contact.created" : "contact.updated",
+        payload: serializeContactRow(created),
+      }).catch(logger.warn);
+    }
+
     return c.json({ contact: serializeContact(created) }, 201);
   })
   .openapi(updateRoute, async (c) => {
-    const { db } = c.get("container");
+    const { db, hatchet, logger } = c.get("container");
     const { id } = c.req.valid("param");
     const body = c.req.valid("json");
 
@@ -331,6 +353,24 @@ export const contactsRouter = new OpenAPIHono<AppEnv>()
       throw new Error("Failed to update contact");
     }
 
+    // INTENT-LAYER outbound emit (decision #3): the admin update is an explicit
+    // edit — emit `contact.updated` on a non-empty property delta or a filled
+    // email (a newly-attached identity). Fire-and-forget; the serialized updated
+    // row is the catalog payload.
+    const hadPropertyDelta = Boolean(
+      body.properties && Object.keys(body.properties).length > 0,
+    );
+    const filledEmail = Boolean(body.email && body.email !== current.email);
+    if (hadPropertyDelta || filledEmail) {
+      void emitOutbound({
+        db,
+        hatchet,
+        logger,
+        event: "contact.updated",
+        payload: serializeContactRow(updated),
+      }).catch(logger.warn);
+    }
+
     return c.json({ contact: serializeContact(updated) }, 200);
   })
   .openapi(deleteRoute, async (c) => {

package/src/routes/admin/index.ts

@@ -20,6 +20,7 @@ import { reportingRouter } from "./reporting.js";
 import { suppressionsRouter } from "./suppressions.js";
 import { templatesRouter } from "./templates.js";
 import { timelineRouter } from "./timeline.js";
+import { webhooksRouter } from "./webhooks.js";
 
 export const adminRouter = new OpenAPIHono<AppEnv>();
 adminRouter.use("*", requireAdmin);
@@ -39,6 +40,7 @@ adminRouter.route("/reporting", reportingRouter);
 adminRouter.route("/templates", templatesRouter);
 adminRouter.route("/suppressions", suppressionsRouter);
 adminRouter.route("/api-keys", apiKeysRouter);
+adminRouter.route("/webhooks", webhooksRouter);
 adminRouter.route("/audit-logs", auditLogsRouter);
 adminRouter.route("/alerts", alertsRouter);
 adminRouter.route("/dlq", dlqRouter);