@wolpertingerlabs/drawlatch 1.0.0-alpha.10.0 → 1.0.0-alpha.12.0

package/dist/connections/developer-tools/github-events-poll.json

@@ -0,0 +1,78 @@
+{
+  "name": "GitHub Events API (Poll)",
+  "stability": "beta",
+  "category": "developer-tools",
+  "description": "GitHub Events REST API — polls repository events for push, pull_request, issues, and more. A webhook-free alternative to the GitHub webhook connection. Auth is handled automatically via the GITHUB_TOKEN environment variable. Uses ETag caching to minimize rate limit consumption. Use poll_events to retrieve buffered events.",
+  "docsUrl": "https://docs.github.com/en/rest/activity/events",
+  "headers": {
+    "Authorization": "Bearer ${GITHUB_TOKEN}",
+    "Accept": "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+    "User-Agent": "drawlatch"
+  },
+  "secrets": {
+    "GITHUB_TOKEN": "${GITHUB_TOKEN}"
+  },
+  "allowedEndpoints": ["https://api.github.com/**"],
+  "ingestor": {
+    "type": "poll",
+    "poll": {
+      "url": "https://api.github.com/repos/${GITHUB_POLL_REPO}/events",
+      "intervalMs": 60000,
+      "method": "GET",
+      "deduplicateBy": "id",
+      "eventType": "github_event",
+      "etag": true
+    }
+  },
+  "testIngestor": {
+    "description": "Executes a single poll of the repository events endpoint to verify access",
+    "strategy": "poll_once",
+    "request": {
+      "method": "GET",
+      "url": "https://api.github.com/repos/${GITHUB_POLL_REPO}/events?per_page=1",
+      "expectedStatus": [200]
+    }
+  },
+  "listenerConfig": {
+    "name": "GitHub Events Poll Listener",
+    "description": "Polls the GitHub Events API for repository activity. A webhook-free alternative — ideal for environments without a public URL.",
+    "supportsMultiInstance": true,
+    "fields": [
+      {
+        "key": "GITHUB_POLL_REPO",
+        "label": "Repository",
+        "description": "Repository to poll for events (owner/repo format).",
+        "type": "text",
+        "instanceKey": true,
+        "overrideKey": "GITHUB_POLL_REPO",
+        "placeholder": "e.g., octocat/Hello-World",
+        "group": "Connection"
+      },
+      {
+        "key": "intervalMs",
+        "label": "Poll Interval (ms)",
+        "description": "How often to check for new events, in milliseconds. GitHub caches events for ~60s, so polling faster is wasteful.",
+        "type": "number",
+        "default": 60000,
+        "min": 30000,
+        "max": 3600000,
+        "group": "Connection"
+      },
+      {
+        "key": "bufferSize",
+        "label": "Buffer Size",
+        "description": "Maximum number of events to keep in memory.",
+        "type": "number",
+        "default": 200,
+        "min": 10,
+        "max": 1000,
+        "group": "Advanced"
+      }
+    ]
+  },
+  "testConnection": {
+    "url": "https://api.github.com/user",
+    "description": "Fetches the authenticated user profile"
+  }
+}

package/dist/connections/developer-tools/github.json

@@ -13,7 +13,8 @@
   },
   "secrets": {
     "GITHUB_TOKEN": "${GITHUB_TOKEN}",
-    "GITHUB_WEBHOOK_SECRET": "${GITHUB_WEBHOOK_SECRET}"
+    "GITHUB_WEBHOOK_SECRET": "${GITHUB_WEBHOOK_SECRET}",
+    "GITHUB_WEBHOOK_URL": "${GITHUB_WEBHOOK_URL}"
   },
   "allowedEndpoints": ["https://api.github.com/**"],
   "ingestor": {
@@ -21,7 +22,51 @@
     "webhook": {
       "path": "github",
       "signatureHeader": "X-Hub-Signature-256",
-      "signatureSecret": "GITHUB_WEBHOOK_SECRET"
+      "signatureSecret": "GITHUB_WEBHOOK_SECRET",
+      "callbackUrl": "${GITHUB_WEBHOOK_URL}",
+      "lifecycle": {
+        "list": {
+          "method": "GET",
+          "url": "https://api.github.com/repos/${repoFilter}/hooks",
+          "headers": {
+            "Authorization": "Bearer ${GITHUB_TOKEN}",
+            "Accept": "application/vnd.github+json",
+            "X-GitHub-Api-Version": "2022-11-28"
+          },
+          "callbackUrlField": "config.url",
+          "idField": "id"
+        },
+        "register": {
+          "method": "POST",
+          "url": "https://api.github.com/repos/${repoFilter}/hooks",
+          "headers": {
+            "Authorization": "Bearer ${GITHUB_TOKEN}",
+            "Accept": "application/vnd.github+json",
+            "X-GitHub-Api-Version": "2022-11-28"
+          },
+          "body": {
+            "name": "web",
+            "active": true,
+            "events": ["push", "pull_request", "issues", "issue_comment", "create", "delete", "release", "workflow_run", "check_run"],
+            "config": {
+              "url": "${GITHUB_WEBHOOK_URL}/webhooks/github",
+              "content_type": "json",
+              "secret": "${GITHUB_WEBHOOK_SECRET}",
+              "insecure_ssl": "0"
+            }
+          },
+          "idField": "id"
+        },
+        "unregister": {
+          "method": "DELETE",
+          "url": "https://api.github.com/repos/${repoFilter}/hooks/${_webhookId}",
+          "headers": {
+            "Authorization": "Bearer ${GITHUB_TOKEN}",
+            "Accept": "application/vnd.github+json",
+            "X-GitHub-Api-Version": "2022-11-28"
+          }
+        }
+      }
     }
   },
   "testIngestor": {

package/dist/remote/ingestors/e2e/setup.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Shared E2E test setup for connection ingestor tests.
+ *
+ * Provides helpers to:
+ *   - Load .env.e2e environment variables
+ *   - Build a RemoteServerConfig with in-memory keys and requested connections
+ *   - Boot an Express server on a random port
+ *   - Generate valid webhook signatures (GitHub, Trello)
+ *   - Wait for ingestor state transitions and event arrival
+ */
+import type { Server } from 'node:http';
+import { IngestorManager } from '../manager.js';
+import type { RemoteServerConfig } from '../../../shared/config.js';
+import type { IngestedEvent, IngestorState } from '../types.js';
+export declare function loadE2EEnv(): void;
+/**
+ * Check that all required env vars are set.
+ * Returns the missing var names (empty array = all present).
+ */
+export declare function checkEnvVars(vars: string[]): string[];
+/**
+ * Build a RemoteServerConfig for E2E tests.
+ *
+ * Creates a single caller ("e2e-client") with the requested connections.
+ * Env vars are injected into caller.env so secret resolution works against
+ * process.env (already loaded by loadE2EEnv).
+ */
+export declare function buildE2EConfig(connections: string[], opts?: {
+    env?: Record<string, string>;
+    ingestorOverrides?: Record<string, Record<string, unknown>>;
+}): RemoteServerConfig;
+export interface E2EServer {
+    server: Server;
+    baseUrl: string;
+    ingestorManager: IngestorManager;
+    /** Gracefully shut down server and stop all ingestors. */
+    teardown: () => Promise<void>;
+}
+/**
+ * Boot an Express server with the given config on a random port.
+ * Starts all ingestors and returns handles for testing.
+ */
+export declare function bootServer(config: RemoteServerConfig): Promise<E2EServer>;
+/** Generate a valid GitHub HMAC-SHA256 signature for a raw body. */
+export declare function signGitHubPayload(rawBody: string | Buffer, secret: string): string;
+/** Generate a valid Trello HMAC-SHA1 base64 signature for body + callbackUrl. */
+export declare function signTrelloPayload(rawBody: string | Buffer, callbackUrl: string, secret: string): string;
+/**
+ * Wait for an ingestor to reach a specific state.
+ * Polls every 250ms until the timeout is reached.
+ */
+export declare function waitForIngestorState(manager: IngestorManager, callerAlias: string, connection: string, targetState: IngestorState, timeoutMs?: number): Promise<void>;
+/**
+ * Poll until at least one event appears for a connection.
+ * Returns the events array once non-empty.
+ */
+export declare function pollUntilEvent(manager: IngestorManager, callerAlias: string, connection: string, timeoutMs?: number): Promise<IngestedEvent[]>;
+/** Common shape every IngestedEvent must satisfy (for use with toMatchObject). */
+export declare const INGESTED_EVENT_SHAPE: {
+    id: any;
+    idempotencyKey: any;
+    receivedAt: any;
+    receivedAtMs: any;
+    callerAlias: string;
+    source: any;
+    eventType: any;
+    data: any;
+};
+//# sourceMappingURL=setup.d.ts.map

package/dist/remote/ingestors/e2e/setup.js

@@ -0,0 +1,147 @@
+/**
+ * Shared E2E test setup for connection ingestor tests.
+ *
+ * Provides helpers to:
+ *   - Load .env.e2e environment variables
+ *   - Build a RemoteServerConfig with in-memory keys and requested connections
+ *   - Boot an Express server on a random port
+ *   - Generate valid webhook signatures (GitHub, Trello)
+ *   - Wait for ingestor state transitions and event arrival
+ */
+import crypto from 'node:crypto';
+import path from 'node:path';
+import dotenv from 'dotenv';
+import { expect } from 'vitest';
+import { createApp } from '../../server.js';
+import { generateKeyBundle, extractPublicKeys } from '../../../shared/crypto/index.js';
+import { IngestorManager } from '../manager.js';
+// ── Env loading ─────────────────────────────────────────────────────────
+/** Load .env.e2e from the project root (idempotent). */
+let envLoaded = false;
+export function loadE2EEnv() {
+    if (envLoaded)
+        return;
+    dotenv.config({ path: path.resolve(import.meta.dirname, '../../../../.env.e2e') });
+    envLoaded = true;
+}
+/**
+ * Check that all required env vars are set.
+ * Returns the missing var names (empty array = all present).
+ */
+export function checkEnvVars(vars) {
+    loadE2EEnv();
+    return vars.filter((v) => !process.env[v]);
+}
+// ── Config builder ──────────────────────────────────────────────────────
+/**
+ * Build a RemoteServerConfig for E2E tests.
+ *
+ * Creates a single caller ("e2e-client") with the requested connections.
+ * Env vars are injected into caller.env so secret resolution works against
+ * process.env (already loaded by loadE2EEnv).
+ */
+export function buildE2EConfig(connections, opts) {
+    return {
+        host: '127.0.0.1',
+        port: 0,
+        callers: {
+            'e2e-client': {
+                connections,
+                env: opts?.env,
+                ingestorOverrides: opts?.ingestorOverrides,
+            },
+        },
+        rateLimitPerMinute: 600,
+    };
+}
+/**
+ * Boot an Express server with the given config on a random port.
+ * Starts all ingestors and returns handles for testing.
+ */
+export async function bootServer(config) {
+    const serverKeys = generateKeyBundle();
+    const clientKeys = generateKeyBundle();
+    const clientPub = extractPublicKeys(clientKeys);
+    const ingestorManager = new IngestorManager(config);
+    const app = createApp({
+        config,
+        ownKeys: serverKeys,
+        authorizedPeers: [{ alias: 'e2e-client', keys: clientPub }],
+        ingestorManager,
+        disableRateLimiting: true,
+    });
+    // Start ingestors
+    await ingestorManager.startAll();
+    // Listen on random port
+    const server = await new Promise((resolve) => {
+        const s = app.listen(0, '127.0.0.1', () => resolve(s));
+    });
+    const addr = server.address();
+    const baseUrl = `http://127.0.0.1:${addr.port}`;
+    return {
+        server,
+        baseUrl,
+        ingestorManager,
+        teardown: async () => {
+            await ingestorManager.stopAll();
+            await new Promise((resolve, reject) => {
+                server.close((err) => (err ? reject(err) : resolve()));
+            });
+        },
+    };
+}
+// ── Signature helpers ───────────────────────────────────────────────────
+/** Generate a valid GitHub HMAC-SHA256 signature for a raw body. */
+export function signGitHubPayload(rawBody, secret) {
+    const buf = typeof rawBody === 'string' ? Buffer.from(rawBody) : rawBody;
+    const sig = crypto.createHmac('sha256', secret).update(buf).digest('hex');
+    return `sha256=${sig}`;
+}
+/** Generate a valid Trello HMAC-SHA1 base64 signature for body + callbackUrl. */
+export function signTrelloPayload(rawBody, callbackUrl, secret) {
+    const bodyStr = typeof rawBody === 'string' ? rawBody : rawBody.toString('utf-8');
+    return crypto.createHmac('sha1', secret).update(bodyStr + callbackUrl).digest('base64');
+}
+// ── Polling helpers ─────────────────────────────────────────────────────
+/**
+ * Wait for an ingestor to reach a specific state.
+ * Polls every 250ms until the timeout is reached.
+ */
+export async function waitForIngestorState(manager, callerAlias, connection, targetState, timeoutMs = 15_000) {
+    const start = Date.now();
+    while (Date.now() - start < timeoutMs) {
+        const statuses = manager.getStatuses(callerAlias);
+        const status = statuses.find((s) => s.connection === connection);
+        if (status?.state === targetState)
+            return;
+        await new Promise((r) => setTimeout(r, 250));
+    }
+    throw new Error(`Timed out waiting for ${connection} to reach state "${targetState}" (${timeoutMs}ms)`);
+}
+/**
+ * Poll until at least one event appears for a connection.
+ * Returns the events array once non-empty.
+ */
+export async function pollUntilEvent(manager, callerAlias, connection, timeoutMs = 10_000) {
+    const start = Date.now();
+    while (Date.now() - start < timeoutMs) {
+        const events = manager.getEvents(callerAlias, connection);
+        if (events.length > 0)
+            return events;
+        await new Promise((r) => setTimeout(r, 250));
+    }
+    throw new Error(`Timed out waiting for events from ${connection} (${timeoutMs}ms)`);
+}
+// ── Shared assertions ───────────────────────────────────────────────────
+/** Common shape every IngestedEvent must satisfy (for use with toMatchObject). */
+export const INGESTED_EVENT_SHAPE = {
+    id: expect.any(Number),
+    idempotencyKey: expect.any(String),
+    receivedAt: expect.stringMatching(/^\d{4}-\d{2}-\d{2}T/),
+    receivedAtMs: expect.any(Number),
+    callerAlias: 'e2e-client',
+    source: expect.any(String),
+    eventType: expect.any(String),
+    data: expect.anything(),
+};
+//# sourceMappingURL=setup.js.map

package/dist/remote/ingestors/manager.d.ts

@@ -43,6 +43,8 @@ export declare class IngestorManager {
     private readonly config;
     /** Active ingestor instances, keyed by `callerAlias:connectionAlias:instanceId`. */
     private ingestors;
+    /** Trigger rule engines per caller. Created during startAll() for callers with triggerRules. */
+    private triggerEngines;
     /**
      * Optional config loader for hot-reload support. When provided, `startOne()`
      * uses it to get fresh config from disk instead of the constructor snapshot.
@@ -63,6 +65,12 @@ export declare class IngestorManager {
      * Internal: create, register, and start a single ingestor instance.
      */
     private startIngestor;
+    /**
+     * Initialize trigger rule engines for callers with triggerRules config.
+     * Subscribes to 'event' emissions from matching ingestors and dispatches
+     * to Claude Code remote triggers.
+     */
+    private initTriggerEngines;
     /**
      * Stop all running ingestors. Called during graceful shutdown.
      */

package/dist/remote/ingestors/manager.js

@@ -15,6 +15,7 @@
  */
 import { resolveCallerRoutes, resolveRoutes, resolveSecrets, } from '../../shared/config.js';
 import { createLogger } from '../../shared/logger.js';
+import { TriggerRuleEngine } from '../triggers/rule-engine.js';
 const log = createLogger('ingestor');
 import { createIngestor } from './registry.js';
 import { WebhookIngestor } from './webhook/base-webhook-ingestor.js';
@@ -48,6 +49,8 @@ export class IngestorManager {
     config;
     /** Active ingestor instances, keyed by `callerAlias:connectionAlias:instanceId`. */
     ingestors = new Map();
+    /** Trigger rule engines per caller. Created during startAll() for callers with triggerRules. */
+    triggerEngines = new Map();
     /**
      * Optional config loader for hot-reload support. When provided, `startOne()`
      * uses it to get fresh config from disk instead of the constructor snapshot.
@@ -114,6 +117,8 @@ export class IngestorManager {
         if (count > 0) {
             log.info(`${count} ingestor(s) started`);
         }
+        // Wire up trigger rule engines for callers that have triggerRules
+        this.initTriggerEngines();
     }
     /**
      * Internal: create, register, and start a single ingestor instance.
@@ -146,6 +151,35 @@ export class IngestorManager {
             }
         }
     }
+    /**
+     * Initialize trigger rule engines for callers with triggerRules config.
+     * Subscribes to 'event' emissions from matching ingestors and dispatches
+     * to Claude Code remote triggers.
+     */
+    initTriggerEngines() {
+        const config = this.getConfig();
+        for (const [callerAlias, callerConfig] of Object.entries(config.callers)) {
+            if (!callerConfig.triggerRules || callerConfig.triggerRules.length === 0)
+                continue;
+            // Resolve caller-level secrets for API key access
+            const callerEnvResolved = resolveSecrets(callerConfig.env ?? {});
+            const engine = new TriggerRuleEngine(callerConfig.triggerRules, callerEnvResolved);
+            if (engine.activeRuleCount === 0)
+                continue;
+            this.triggerEngines.set(callerAlias, engine);
+            // Subscribe the engine to all ingestors belonging to this caller
+            for (const [key, ingestor] of this.ingestors) {
+                const { caller } = parseKey(key);
+                if (caller !== callerAlias)
+                    continue;
+                // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-explicit-any -- BaseIngestor extends EventEmitter; .on() is inherited
+                ingestor.on('event', (event) => {
+                    engine.handleEvent(event);
+                });
+            }
+            log.info(`Trigger rule engine for ${callerAlias}: ${engine.activeRuleCount} active rule(s)`);
+        }
+    }
     /**
      * Stop all running ingestors. Called during graceful shutdown.
      */

package/dist/remote/ingestors/poll/poll-ingestor.d.ts

@@ -31,6 +31,8 @@ export declare class PollIngestor extends BaseIngestor {
     private readonly responsePath;
     private readonly eventType;
     private readonly pollHeaders;
+    private readonly useEtag;
+    private lastEtag;
     /** Resolved headers from the parent connection route (injected by manager). */
     private readonly routeHeaders;
     constructor(connectionAlias: string, secrets: Record<string, string>, pollConfig: PollIngestorConfig, 

package/dist/remote/ingestors/poll/poll-ingestor.js

@@ -42,6 +42,8 @@ export class PollIngestor extends BaseIngestor {
     responsePath;
     eventType;
     pollHeaders;
+    useEtag;
+    lastEtag = null;
     /** Resolved headers from the parent connection route (injected by manager). */
     routeHeaders;
     constructor(connectionAlias, secrets, pollConfig, 
@@ -56,6 +58,7 @@ export class PollIngestor extends BaseIngestor {
         this.deduplicateBy = pollConfig.deduplicateBy;
         this.responsePath = pollConfig.responsePath;
         this.eventType = pollConfig.eventType ?? 'poll';
+        this.useEtag = pollConfig.etag ?? false;
         this.routeHeaders = routeHeaders;
         // Resolve ${VAR} placeholders in poll-specific headers
         this.pollHeaders = {};
@@ -95,6 +98,10 @@ export class PollIngestor extends BaseIngestor {
                 ...this.routeHeaders,
                 ...this.pollHeaders,
             };
+            // Add ETag conditional request header if enabled and we have a cached ETag
+            if (this.useEtag && this.lastEtag) {
+                headers['If-None-Match'] = this.lastEtag;
+            }
             // Build request options
             const fetchOptions = {
                 method: this.method,
@@ -115,9 +122,23 @@ export class PollIngestor extends BaseIngestor {
                 }
             }
             const response = await fetch(this.url, fetchOptions);
+            // Handle ETag 304 Not Modified — no new data, not an error
+            if (this.useEtag && response.status === 304) {
+                this.consecutiveErrors = 0;
+                if (this.state !== 'connected')
+                    this.state = 'connected';
+                log.debug(`${this.connectionAlias}: 304 Not Modified (ETag cache hit)`);
+                return;
+            }
             if (!response.ok) {
                 throw new Error(`HTTP ${response.status} ${response.statusText}`);
             }
+            // Store ETag for subsequent conditional requests
+            if (this.useEtag) {
+                const etag = response.headers.get('etag');
+                if (etag)
+                    this.lastEtag = etag;
+            }
             const responseBody = await response.json();
             // Extract items array from response using responsePath
             const items = this.extractItems(responseBody);

package/dist/remote/ingestors/types.d.ts

@@ -86,6 +86,12 @@ export interface PollIngestorConfig {
      *  Values may contain ${VAR} placeholders.
      *  These are merged UNDER the connection's route headers (route headers take precedence). */
     headers?: Record<string, string>;
+    /** Enable ETag-based conditional requests.
+     *  When true, the poller stores the ETag from each successful response and sends
+     *  `If-None-Match` on subsequent requests. HTTP 304 responses are treated as a
+     *  successful no-op (no items, no error). Useful for APIs like GitHub Events
+     *  where 304s do not count against rate limits. */
+    etag?: boolean;
 }
 /** A single event received by an ingestor, stored in the ring buffer. */
 export interface IngestedEvent {

package/dist/remote/ingestors/webhook/github-webhook-ingestor.d.ts

@@ -20,6 +20,11 @@ export declare class GitHubWebhookIngestor extends WebhookIngestor {
      */
     private readonly repoFilter;
     constructor(connectionAlias: string, secrets: Record<string, string>, webhookConfig: WebhookIngestorConfig, bufferSize?: number, instanceId?: string);
+    /**
+     * Return the repository name for multi-instance webhook lifecycle management.
+     * Enables the lifecycle manager to match and clean up stale webhooks per-repo.
+     */
+    protected getModelId(): string | undefined;
     /**
      * Filter webhooks by repository for multi-instance support.
      * When repoFilter is set, only events from those repos are accepted.

package/dist/remote/ingestors/webhook/github-webhook-ingestor.js

@@ -29,6 +29,13 @@ export class GitHubWebhookIngestor extends WebhookIngestor {
         // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-explicit-any -- injected by IngestorManager for multi-instance support
         this.repoFilter = webhookConfig._repoFilter ?? [];
     }
+    /**
+     * Return the repository name for multi-instance webhook lifecycle management.
+     * Enables the lifecycle manager to match and clean up stale webhooks per-repo.
+     */
+    getModelId() {
+        return this.repoFilter.length === 1 ? this.repoFilter[0] : undefined;
+    }
     /**
      * Filter webhooks by repository for multi-instance support.
      * When repoFilter is set, only events from those repos are accepted.

package/dist/remote/ingestors/webhook/webhook-lifecycle-manager.js

@@ -88,33 +88,33 @@ export class WebhookLifecycleManager {
                 const listConfig = this.config.list;
                 // Find a webhook matching our callback URL (and model ID if applicable)
                 const matching = existingWebhooks.find((wh) => {
-                    const rawUrl = wh[listConfig.callbackUrlField];
+                    const rawUrl = getByPath(wh, listConfig.callbackUrlField);
                     const whCallbackUrl = typeof rawUrl === 'string' ? rawUrl : '';
                     const urlMatch = whCallbackUrl === callbackUrl;
                     if (!urlMatch)
                         return false;
                     if (modelId && listConfig.modelIdField) {
-                        const rawModelId = wh[listConfig.modelIdField];
+                        const rawModelId = getByPath(wh, listConfig.modelIdField);
                         return (typeof rawModelId === 'string' ? rawModelId : '') === modelId;
                     }
                     return true;
                 });
                 if (matching) {
-                    const webhookId = String(matching[listConfig.idField]);
+                    const webhookId = String(getByPath(matching, listConfig.idField));
                     log.info(`Found existing webhook (ID: ${webhookId}), reusing`);
                     return { registered: true, webhookId, lastAttempt: now };
                 }
                 // Clean up stale webhooks (matching model but wrong callback URL)
                 if (modelId && listConfig.modelIdField && this.config.unregister) {
                     const stale = existingWebhooks.filter((wh) => {
-                        const rawModelId = wh[listConfig.modelIdField];
+                        const rawModelId = getByPath(wh, listConfig.modelIdField);
                         const whModelId = typeof rawModelId === 'string' ? rawModelId : '';
-                        const rawUrl = wh[listConfig.callbackUrlField];
+                        const rawUrl = getByPath(wh, listConfig.callbackUrlField);
                         const whCallbackUrl = typeof rawUrl === 'string' ? rawUrl : '';
                         return whModelId === modelId && whCallbackUrl !== callbackUrl;
                     });
                     for (const staleWh of stale) {
-                        const staleId = String(staleWh[listConfig.idField]);
+                        const staleId = String(getByPath(staleWh, listConfig.idField));
                         log.info(`Cleaning up stale webhook (ID: ${staleId})`);
                         try {
                             await this.unregister(staleId);

package/dist/remote/triggers/rule-engine.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Trigger Rule Engine.
+ *
+ * Subscribes to ingestor `'event'` emissions and evaluates trigger rules
+ * against each event. When a rule matches, dispatches the event to the
+ * configured Claude Code remote trigger.
+ *
+ * Features:
+ * - Source + event type + dot-path filter matching
+ * - Token-bucket rate limiting per rule
+ * - Deduplication within the throttle window
+ * - Graceful error handling (dispatch failures never crash ingestors)
+ * - Audit logging for all dispatch attempts
+ */
+import type { IngestedEvent } from '../ingestors/types.js';
+import type { TriggerRule, TriggerDispatchResult } from './types.js';
+export declare class TriggerRuleEngine {
+    private readonly rules;
+    private readonly secrets;
+    private readonly ruleStates;
+    /** Recent dispatch results for diagnostics. */
+    private readonly dispatchLog;
+    private static readonly MAX_DISPATCH_LOG;
+    constructor(rules: TriggerRule[], secrets: Record<string, string>);
+    /** Handle an ingestor event — evaluate all rules and dispatch matches. */
+    handleEvent(event: IngestedEvent): void;
+    /** Get recent dispatch results for diagnostics. */
+    getDispatchLog(): readonly TriggerDispatchResult[];
+    /** Get the number of active rules. */
+    get activeRuleCount(): number;
+    /** Check if an event matches a rule's criteria. */
+    private matches;
+    /** Check and update throttle state. Returns true if the dispatch should proceed. */
+    private checkThrottle;
+    /** Dispatch an event to the rule's target. Never throws. */
+    private dispatch;
+    /** Record a dispatch result in the audit log. */
+    private logDispatch;
+}
+//# sourceMappingURL=rule-engine.d.ts.map

package/dist/remote/triggers/rule-engine.js

@@ -0,0 +1,228 @@
+/**
+ * Trigger Rule Engine.
+ *
+ * Subscribes to ingestor `'event'` emissions and evaluates trigger rules
+ * against each event. When a rule matches, dispatches the event to the
+ * configured Claude Code remote trigger.
+ *
+ * Features:
+ * - Source + event type + dot-path filter matching
+ * - Token-bucket rate limiting per rule
+ * - Deduplication within the throttle window
+ * - Graceful error handling (dispatch failures never crash ingestors)
+ * - Audit logging for all dispatch attempts
+ */
+import { createLogger } from '../../shared/logger.js';
+const log = createLogger('trigger-engine');
+/** Default maximum dispatches per minute when no throttle is configured. */
+const DEFAULT_MAX_PER_MINUTE = 10;
+/** Duration of the throttle window in milliseconds. */
+const THROTTLE_WINDOW_MS = 60_000;
+/** Maximum dedup keys to track per rule (prevents memory leaks). */
+const MAX_DEDUP_KEYS = 1_000;
+// ── Helpers ──────────────────────────────────────────────────────────────
+/**
+ * Resolve a dot-separated path on an object.
+ * E.g., `getByPath(obj, 'payload.action')` → `obj.payload.action`.
+ */
+function getByPath(obj, path) {
+    let current = obj;
+    for (const segment of path.split('.')) {
+        if (current === null || current === undefined || typeof current !== 'object') {
+            return undefined;
+        }
+        current = current[segment];
+    }
+    return current;
+}
+// ── Rule Engine ──────────────────────────────────────────────────────────
+export class TriggerRuleEngine {
+    rules;
+    secrets;
+    ruleStates = new Map();
+    /** Recent dispatch results for diagnostics. */
+    dispatchLog = [];
+    static MAX_DISPATCH_LOG = 100;
+    constructor(rules, secrets) {
+        this.rules = rules.filter((r) => r.enabled !== false);
+        this.secrets = secrets;
+        // Initialize per-rule state
+        for (const rule of this.rules) {
+            this.ruleStates.set(rule.name, {
+                dispatchTimestamps: [],
+                recentDedupKeys: new Set(),
+            });
+        }
+        if (this.rules.length > 0) {
+            log.info(`Trigger rule engine initialized with ${this.rules.length} active rule(s)`);
+        }
+    }
+    /** Handle an ingestor event — evaluate all rules and dispatch matches. */
+    handleEvent(event) {
+        for (const rule of this.rules) {
+            if (this.matches(rule, event)) {
+                void this.dispatch(rule, event);
+            }
+        }
+    }
+    /** Get recent dispatch results for diagnostics. */
+    getDispatchLog() {
+        return this.dispatchLog;
+    }
+    /** Get the number of active rules. */
+    get activeRuleCount() {
+        return this.rules.length;
+    }
+    // ── Rule matching ──────────────────────────────────────────────────────
+    /** Check if an event matches a rule's criteria. */
+    matches(rule, event) {
+        // Source must match
+        if (rule.source !== event.source)
+            return false;
+        // Instance ID filter (if specified)
+        if (rule.instanceId !== undefined && rule.instanceId !== event.instanceId)
+            return false;
+        // Event type filter (empty = match all)
+        if (rule.eventTypes && rule.eventTypes.length > 0) {
+            if (!rule.eventTypes.includes(event.eventType))
+                return false;
+        }
+        // Dot-path filter predicates (AND logic)
+        if (rule.filter) {
+            for (const [path, acceptedValues] of Object.entries(rule.filter)) {
+                const actualValue = getByPath(event.data, path);
+                if (!Array.isArray(acceptedValues))
+                    continue;
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                if (!acceptedValues.includes(actualValue))
+                    return false;
+            }
+        }
+        return true;
+    }
+    // ── Throttle & dedup ───────────────────────────────────────────────────
+    /** Check and update throttle state. Returns true if the dispatch should proceed. */
+    checkThrottle(rule, event) {
+        const state = this.ruleStates.get(rule.name);
+        if (!state)
+            return false;
+        const now = Date.now();
+        const maxPerMinute = rule.throttle?.maxPerMinute ?? DEFAULT_MAX_PER_MINUTE;
+        // Prune timestamps outside the window
+        state.dispatchTimestamps = state.dispatchTimestamps.filter((ts) => now - ts < THROTTLE_WINDOW_MS);
+        // Rate limit check
+        if (state.dispatchTimestamps.length >= maxPerMinute) {
+            log.warn(`${rule.name}: throttled (${maxPerMinute}/min limit reached)`);
+            return false;
+        }
+        // Dedup check
+        if (rule.throttle?.deduplicateBy) {
+            const dedupValue = getByPath(event.data, rule.throttle.deduplicateBy);
+            if (dedupValue !== undefined && dedupValue !== null) {
+                const dedupKey = typeof dedupValue === 'string' ? dedupValue : JSON.stringify(dedupValue);
+                if (state.recentDedupKeys.has(dedupKey)) {
+                    log.debug(`${rule.name}: deduplicated (key: ${dedupKey})`);
+                    return false;
+                }
+                state.recentDedupKeys.add(dedupKey);
+                if (state.recentDedupKeys.size > MAX_DEDUP_KEYS) {
+                    // Prune oldest half
+                    const pruneCount = Math.floor(state.recentDedupKeys.size / 2);
+                    let removed = 0;
+                    for (const key of state.recentDedupKeys) {
+                        if (removed >= pruneCount)
+                            break;
+                        state.recentDedupKeys.delete(key);
+                        removed++;
+                    }
+                }
+            }
+        }
+        // Record this dispatch
+        state.dispatchTimestamps.push(now);
+        return true;
+    }
+    // ── Dispatch ───────────────────────────────────────────────────────────
+    /** Dispatch an event to the rule's target. Never throws. */
+    async dispatch(rule, event) {
+        // Check throttle/dedup before dispatching
+        if (!this.checkThrottle(rule, event))
+            return;
+        const { triggerId } = rule.target;
+        const now = new Date().toISOString();
+        try {
+            const apiKey = this.secrets.ANTHROPIC_API_KEY;
+            if (!apiKey) {
+                this.logDispatch({
+                    rule: rule.name,
+                    success: false,
+                    triggerId,
+                    error: 'ANTHROPIC_API_KEY not configured in caller secrets',
+                    dispatchedAt: now,
+                });
+                return;
+            }
+            const url = `https://api.anthropic.com/v1/code/triggers/${triggerId}/run`;
+            const body = JSON.stringify({
+                event: {
+                    source: event.source,
+                    instanceId: event.instanceId,
+                    eventType: event.eventType,
+                    receivedAt: event.receivedAt,
+                    data: event.data,
+                },
+            });
+            log.info(`${rule.name}: dispatching to trigger ${triggerId} (event: ${event.eventType})`);
+            const response = await fetch(url, {
+                method: 'POST',
+                headers: {
+                    Authorization: `Bearer ${apiKey}`,
+                    'Content-Type': 'application/json',
+                    'anthropic-version': '2023-06-01',
+                },
+                body,
+            });
+            if (response.ok) {
+                this.logDispatch({
+                    rule: rule.name,
+                    success: true,
+                    triggerId,
+                    statusCode: response.status,
+                    dispatchedAt: now,
+                });
+                log.info(`${rule.name}: trigger ${triggerId} invoked successfully`);
+            }
+            else {
+                const errorBody = await response.text().catch(() => '');
+                this.logDispatch({
+                    rule: rule.name,
+                    success: false,
+                    triggerId,
+                    statusCode: response.status,
+                    error: `HTTP ${response.status}: ${errorBody.slice(0, 200)}`,
+                    dispatchedAt: now,
+                });
+                log.warn(`${rule.name}: trigger dispatch failed (${response.status}): ${errorBody.slice(0, 200)}`);
+            }
+        }
+        catch (err) {
+            const error = err instanceof Error ? err.message : String(err);
+            this.logDispatch({
+                rule: rule.name,
+                success: false,
+                triggerId,
+                error,
+                dispatchedAt: now,
+            });
+            log.error(`${rule.name}: trigger dispatch error: ${error}`);
+        }
+    }
+    /** Record a dispatch result in the audit log. */
+    logDispatch(result) {
+        this.dispatchLog.push(result);
+        if (this.dispatchLog.length > TriggerRuleEngine.MAX_DISPATCH_LOG) {
+            this.dispatchLog.splice(0, this.dispatchLog.length - TriggerRuleEngine.MAX_DISPATCH_LOG);
+        }
+    }
+}
+//# sourceMappingURL=rule-engine.js.map

package/dist/remote/triggers/types.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Trigger rule types for the event-to-agent bridge.
+ *
+ * Trigger rules define how ingestor events are dispatched to Claude Code
+ * remote triggers. Each rule matches events by source, event type, and
+ * optional filter predicates, then invokes a remote trigger with the
+ * event payload.
+ */
+/** A single trigger rule that maps ingestor events to a remote trigger invocation. */
+export interface TriggerRule {
+    /** Human-readable name for logging and diagnostics. */
+    name: string;
+    /** Connection alias to match events from (e.g., "github", "discord-bot"). */
+    source: string;
+    /** Optional instance ID filter (for multi-instance listeners). */
+    instanceId?: string;
+    /** Event types to match. Empty or omitted = match all event types. */
+    eventTypes?: string[];
+    /**
+     * Dot-path filter predicates applied to the event data.
+     *
+     * Keys are dot-separated paths into `event.data` (e.g., "payload.action").
+     * Values are arrays of acceptable values — the event matches if the resolved
+     * value equals any entry in the array.
+     *
+     * All predicates must match for the rule to fire (AND logic).
+     */
+    filter?: Record<string, unknown[]>;
+    /** Target to invoke when the rule matches. */
+    target: TriggerTarget;
+    /** Rate limiting and deduplication. */
+    throttle?: TriggerThrottle;
+    /** Whether this rule is active. Default: true. */
+    enabled?: boolean;
+}
+/** Target for a trigger rule — currently only remote triggers are supported. */
+export interface TriggerTarget {
+    /** Target type. */
+    type: 'remote_trigger';
+    /** Claude Code RemoteTrigger ID (e.g., "trg_abc123"). */
+    triggerId: string;
+}
+/** Rate limiting and deduplication for trigger dispatch. */
+export interface TriggerThrottle {
+    /** Maximum dispatches per minute for this rule. Default: 10. */
+    maxPerMinute?: number;
+    /**
+     * Dot-path into event data to use as a deduplication key.
+     * E.g., "payload.pull_request.number" — prevents the same PR from
+     * triggering multiple times within the throttle window.
+     */
+    deduplicateBy?: string;
+}
+/** Result of a single trigger dispatch attempt. */
+export interface TriggerDispatchResult {
+    /** Rule name that fired. */
+    rule: string;
+    /** Whether the dispatch succeeded. */
+    success: boolean;
+    /** Trigger ID that was invoked. */
+    triggerId: string;
+    /** HTTP status code from the remote trigger API. */
+    statusCode?: number;
+    /** Error message if dispatch failed. */
+    error?: string;
+    /** ISO-8601 timestamp of the dispatch. */
+    dispatchedAt: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/remote/triggers/types.js

@@ -0,0 +1,10 @@
+/**
+ * Trigger rule types for the event-to-agent bridge.
+ *
+ * Trigger rules define how ingestor events are dispatched to Claude Code
+ * remote triggers. Each rule matches events by source, event type, and
+ * optional filter predicates, then invokes a remote trigger with the
+ * event payload.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/shared/config.d.ts

@@ -11,6 +11,7 @@
  * Keys directory: ~/.drawlatch/keys/
  */
 import type { IngestorConfig } from '../remote/ingestors/types.js';
+import type { TriggerRule } from '../remote/triggers/types.js';
 import type { TestConnectionConfig, TestIngestorConfig, ListenerConfigSchema } from './listener-config.js';
 export type { TestConnectionConfig, TestIngestorConfig, ListenerConfigSchema, } from './listener-config.js';
 export type { ListenerConfigField, ListenerConfigOption } from './listener-config.js';
@@ -182,6 +183,10 @@ export interface CallerConfig {
      *  }
      *  ``` */
     listenerInstances?: Record<string, Record<string, IngestorOverrides>>;
+    /** Trigger rules that map ingestor events to Claude Code remote trigger invocations.
+     *  When an ingestor event matches a rule's criteria (source, event type, filter),
+     *  the engine dispatches the event to the configured remote trigger. */
+    triggerRules?: TriggerRule[];
 }
 /** Remote server configuration */
 export interface RemoteServerConfig {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wolpertingerlabs/drawlatch",
-  "version": "1.0.0-alpha.10.0",
+  "version": "1.0.0-alpha.12.0",
   "description": "Encrypted MCP proxy with mutual authentication. Local MCP server forwards requests through an encrypted channel to a remote secrets-holding server.",
   "type": "module",
   "main": "./dist/mcp/server.js",
@@ -69,6 +69,7 @@
     "start:remote": "NODE_ENV=production node dist/remote/server.js",
     "start:mcp": "node dist/mcp/server.js",
     "test": "vitest run",
+    "test:e2e": "vitest run --config vitest.e2e.config.ts",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
     "lint": "eslint src/",