hooklens 0.1.1 → 1.0.0

package/dist/index.js

@@ -1,11 +1,380 @@
 #!/usr/bin/env node
 
 // src/cli/index.ts
-import { Command as Command4 } from "commander";
+import { Command as Command7 } from "commander";
 
-// src/cli/listen.ts
+// src/errors.ts
+function toError(value) {
+  return value instanceof Error ? value : new Error(String(value));
+}
+function errorMessage(value) {
+  return value instanceof Error ? value.message : String(value);
+}
+
+// src/cli/clear.ts
 import { Command } from "commander";
 
+// src/storage/index.ts
+import os from "os";
+import fs from "fs";
+import { createRequire } from "module";
+import path from "path";
+
+// src/types.ts
+import { z } from "zod";
+var verificationResultSchema = z.object({
+  valid: z.boolean(),
+  provider: z.string(),
+  message: z.string(),
+  code: z.enum([
+    "valid",
+    "missing_header",
+    "malformed_header",
+    "expired_timestamp",
+    "signature_mismatch",
+    "body_mutated"
+  ])
+});
+var webhookEventSchema = z.object({
+  id: z.string(),
+  timestamp: z.string(),
+  method: z.string(),
+  path: z.string(),
+  headers: z.record(z.string(), z.string()),
+  body: z.string(),
+  verification: verificationResultSchema.nullable().optional()
+});
+var eventRowSchema = z.object({
+  id: z.string(),
+  timestamp: z.string(),
+  method: z.string(),
+  path: z.string(),
+  headers: z.string(),
+  body: z.string(),
+  verification: z.string().nullable().optional()
+});
+var replayResultSchema = z.object({
+  status: z.number().int(),
+  body: z.string()
+});
+
+// src/storage/index.ts
+var require2 = createRequire(import.meta.url);
+var { DatabaseSync } = require2("node:sqlite");
+function defaultDbPath() {
+  return path.join(os.homedir(), ".hooklens", "events.db");
+}
+function rowToEvent(row) {
+  const verification = row.verification ? verificationResultSchema.parse(JSON.parse(row.verification)) : null;
+  return webhookEventSchema.parse({
+    id: row.id,
+    timestamp: row.timestamp,
+    method: row.method,
+    path: row.path,
+    headers: JSON.parse(row.headers),
+    body: row.body,
+    verification
+  });
+}
+function createStorage(dbPath) {
+  fs.mkdirSync(path.dirname(dbPath), { recursive: true });
+  const db = new DatabaseSync(dbPath);
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS events (
+      id TEXT PRIMARY KEY,
+      timestamp TEXT NOT NULL,
+      method TEXT NOT NULL,
+      path TEXT NOT NULL,
+      headers TEXT NOT NULL,
+      body TEXT NOT NULL,
+      verification TEXT
+    )
+  `);
+  try {
+    db.exec(`ALTER TABLE events ADD COLUMN verification TEXT`);
+  } catch (error) {
+    if (!(error instanceof Error && /duplicate column/i.test(error.message))) {
+      throw error;
+    }
+  }
+  const insertStmt = db.prepare(
+    `INSERT OR REPLACE INTO events (id, timestamp, method, path, headers, body, verification)
+     VALUES (?, ?, ?, ?, ?, ?, ?)`
+  );
+  const getStmt = db.prepare(`SELECT * FROM events WHERE id = ?`);
+  const listAllStmt = db.prepare(`SELECT * FROM events ORDER BY timestamp DESC`);
+  const listLimitedStmt = db.prepare(`SELECT * FROM events ORDER BY timestamp DESC LIMIT ?`);
+  const deleteStmt = db.prepare(`DELETE FROM events WHERE id = ?`);
+  const clearStmt = db.prepare(`DELETE FROM events`);
+  return {
+    save(event) {
+      insertStmt.run(
+        event.id,
+        event.timestamp,
+        event.method,
+        event.path,
+        JSON.stringify(event.headers),
+        event.body,
+        event.verification ? JSON.stringify(event.verification) : null
+      );
+    },
+    load(id) {
+      const raw = getStmt.get(id);
+      if (!raw) return null;
+      const row = eventRowSchema.parse(raw);
+      return rowToEvent(row);
+    },
+    list(limit) {
+      if (limit !== void 0 && (!Number.isInteger(limit) || limit <= 0)) {
+        throw new Error(`Invalid limit: must be a positive integer, got ${limit}`);
+      }
+      const raw = limit === void 0 ? listAllStmt.all() : listLimitedStmt.all(limit);
+      const rows = raw.map((r) => eventRowSchema.parse(r));
+      return rows.map(rowToEvent);
+    },
+    delete(id) {
+      const result = deleteStmt.run(id);
+      return result.changes > 0;
+    },
+    clear() {
+      const result = clearStmt.run();
+      return Number(result.changes);
+    },
+    close() {
+      db.close();
+    }
+  };
+}
+
+// src/ui/terminal.ts
+import chalk from "chalk";
+function writeLine(stream, line) {
+  stream.write(`${line}
+`);
+}
+function verificationLabel(result) {
+  if (!result) return chalk.cyan("RECV");
+  return result.valid ? chalk.green("PASS") : chalk.red("FAIL");
+}
+function createTerminal(stdout = process.stdout, stderr = process.stderr) {
+  return {
+    printListenStarted(info) {
+      writeLine(
+        stdout,
+        `${chalk.bold("Listening on")} ${chalk.cyan(`http://127.0.0.1:${info.port}`)}`
+      );
+      writeLine(stdout, `Verifier: ${info.verifier ?? "none"}`);
+      writeLine(stdout, `Forwarding to: ${info.forwardTo ?? "disabled"}`);
+      writeLine(stdout, `Storage: ${info.dbPath}`);
+    },
+    printEventCaptured(event, result) {
+      const label = verificationLabel(result);
+      const summary = `${label} ${chalk.bold(event.id)} ${event.method} ${event.path}`;
+      if (!result) {
+        writeLine(stdout, summary);
+        return;
+      }
+      writeLine(stdout, `${summary} ${result.message}`);
+    },
+    printForwardError(eventId, reason) {
+      writeLine(stdout, `${chalk.red("FWD")} ${chalk.bold(eventId)} ${reason}`);
+    },
+    printForwardRetry(eventId, attempt, maxRetries, reason) {
+      writeLine(
+        stdout,
+        `${chalk.yellow("RETRY")} ${chalk.bold(eventId)} attempt ${attempt}/${maxRetries} ${reason}`
+      );
+    },
+    printEventList(events) {
+      if (!events.length) {
+        writeLine(stdout, chalk.dim("No stored events."));
+        return;
+      }
+      for (const event of events) {
+        const row = `${chalk.dim(event.timestamp)} ${chalk.cyan(event.method)} ${chalk.bold(event.id)} ${event.path}`;
+        writeLine(stdout, row);
+      }
+    },
+    printEventDetail(event) {
+      writeLine(stdout, `${chalk.bold("Event:")}   ${event.id}`);
+      writeLine(stdout, `${chalk.bold("Time:")}    ${event.timestamp}`);
+      writeLine(stdout, `${chalk.bold("Method:")}  ${event.method}`);
+      writeLine(stdout, `${chalk.bold("Path:")}    ${event.path}`);
+      if (event.verification) {
+        const v = event.verification;
+        const label = v.valid ? chalk.green("PASS") : chalk.red("FAIL");
+        writeLine(stdout, "");
+        writeLine(stdout, chalk.bold("Verification:"));
+        writeLine(stdout, `  Result:   ${label}`);
+        writeLine(stdout, `  Provider: ${v.provider}`);
+        writeLine(stdout, `  Message:  ${v.message}`);
+      }
+      writeLine(stdout, "");
+      writeLine(stdout, chalk.bold("Headers:"));
+      for (const [key, value] of Object.entries(event.headers)) {
+        writeLine(stdout, `  ${key}: ${value}`);
+      }
+      writeLine(stdout, "");
+      writeLine(stdout, chalk.bold("Body:"));
+      let bodyText;
+      try {
+        bodyText = JSON.stringify(JSON.parse(event.body), null, 2);
+      } catch {
+        bodyText = event.body;
+      }
+      for (const line of bodyText.split("\n")) {
+        writeLine(stdout, `  ${line}`);
+      }
+    },
+    printReplayResult(result) {
+      const summary = `${chalk.bold("Replay response:")} ${chalk.cyan(String(result.status))}`;
+      if (!result.body) {
+        writeLine(stdout, summary);
+        return;
+      }
+      writeLine(stdout, `${summary} ${result.body}`);
+    },
+    printDeleted(eventId) {
+      writeLine(stdout, `Deleted ${chalk.bold(eventId)}`);
+    },
+    printCleared(count) {
+      writeLine(stdout, `Cleared ${chalk.bold(String(count))} events`);
+    },
+    printListenStopped() {
+      writeLine(stdout, chalk.dim("Stopped listening."));
+    },
+    printError(message) {
+      writeLine(stderr, chalk.red(message));
+    }
+  };
+}
+
+// src/cli/clear.ts
+async function defaultConfirm() {
+  const { createInterface } = await import("readline");
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question("Delete all stored events? [y/N] ", (answer) => {
+      rl.close();
+      resolve(answer.trim().toLowerCase() === "y");
+    });
+  });
+}
+async function runClear(flags, deps = {}) {
+  const terminal = deps.terminal ?? createTerminal();
+  if (!flags.yes) {
+    const confirm = deps.confirm ?? defaultConfirm;
+    const confirmed = await confirm();
+    if (!confirmed) {
+      return;
+    }
+  }
+  const storage = createStorage(defaultDbPath());
+  try {
+    const count = storage.clear();
+    terminal.printCleared(count);
+  } finally {
+    storage.close();
+  }
+}
+var clearCommand = new Command("clear").description("Delete all stored webhook events").option("--yes", "Skip confirmation prompt").addHelpText(
+  "after",
+  `
+Examples:
+  hooklens clear --yes
+  hooklens clear`
+).action(async (options) => {
+  const terminal = createTerminal();
+  try {
+    await runClear(options, { terminal });
+  } catch (error) {
+    terminal.printError(errorMessage(error));
+    process.exitCode = 1;
+  }
+});
+
+// src/cli/delete.ts
+import { Command as Command2 } from "commander";
+async function runDelete(eventId, deps = {}) {
+  const terminal = deps.terminal ?? createTerminal();
+  const storage = createStorage(defaultDbPath());
+  try {
+    const deleted = storage.delete(eventId);
+    if (!deleted) {
+      throw new Error(`Event "${eventId}" not found.`);
+    }
+    terminal.printDeleted(eventId);
+  } finally {
+    storage.close();
+  }
+}
+var deleteCommand = new Command2("delete").description("Delete a stored webhook event").argument("<event-id>", "ID of the event to delete").addHelpText(
+  "after",
+  `
+Examples:
+  hooklens delete evt_abc123`
+).action(async (eventId) => {
+  const terminal = createTerminal();
+  try {
+    await runDelete(eventId, { terminal });
+  } catch (error) {
+    terminal.printError(errorMessage(error));
+    process.exitCode = 1;
+  }
+});
+
+// src/cli/inspect.ts
+import { Command as Command3 } from "commander";
+
+// src/cli/json-output.ts
+function writeJsonLine(stdout, data) {
+  const json = JSON.stringify(data);
+  if (json === void 0) {
+    throw new Error(
+      "Cannot serialize value to JSON \u2013 received a non-serializable type (undefined, function, or symbol)"
+    );
+  }
+  stdout.write(json + "\n");
+}
+
+// src/cli/inspect.ts
+async function runInspect(eventId, flags, deps = {}) {
+  const terminal = deps.terminal ?? createTerminal();
+  const storage = createStorage(defaultDbPath());
+  try {
+    const event = storage.load(eventId);
+    if (!event) {
+      throw new Error(`Event "${eventId}" not found.`);
+    }
+    if (flags.json) {
+      const out = deps.stdout ?? process.stdout;
+      writeJsonLine(out, event);
+    } else {
+      terminal.printEventDetail(event);
+    }
+  } finally {
+    storage.close();
+  }
+}
+var inspectCommand = new Command3("inspect").description("View full details of a stored webhook event").argument("<event-id>", "ID of the event to inspect").option("--json", "Output as JSON").addHelpText(
+  "after",
+  `
+Examples:
+  hooklens inspect evt_abc123
+  hooklens inspect evt_abc123 --json`
+).action(async (eventId, options) => {
+  const terminal = createTerminal();
+  try {
+    await runInspect(eventId, options, { terminal });
+  } catch (error) {
+    terminal.printError(errorMessage(error));
+    process.exitCode = 1;
+  }
+});
+
+// src/cli/listen.ts
+import { Command as Command4 } from "commander";
+
 // src/server/index.ts
 import http from "http";
 import crypto from "crypto";
@@ -23,6 +392,8 @@ var FORWARD_STRIP = /* @__PURE__ */ new Set([
 ]);
 var DEFAULT_MAX_BODY_BYTES = 1024 * 1024;
 var DEFAULT_FORWARD_TIMEOUT_MS = 5e3;
+var DEFAULT_RETRY_BASE_DELAY_MS = 100;
+var RETRY_BACKOFF_MULTIPLIER = 4;
 function forwardedStripSet(headers) {
   const strip = new Set(FORWARD_STRIP);
   for (const [key, value] of Object.entries(headers)) {
@@ -156,7 +527,29 @@ function mergeForwardSearch(targetSearch, incomingSearch) {
 function isAbortError(error) {
   return error instanceof Error && error.name === "AbortError";
 }
-async function forwardEvent(targetUrl, event, timeoutMs = DEFAULT_FORWARD_TIMEOUT_MS) {
+async function readResponseBody(response, maxBytes, controller) {
+  const reader = response.body?.getReader();
+  if (!reader) return "";
+  const chunks = [];
+  let totalBytes = 0;
+  try {
+    for (; ; ) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      totalBytes += value.byteLength;
+      if (totalBytes > maxBytes) {
+        await reader.cancel();
+        controller.abort();
+        throw new Error(`forward response too large: max ${maxBytes} bytes`);
+      }
+      chunks.push(value);
+    }
+  } finally {
+    reader.releaseLock();
+  }
+  return Buffer.concat(chunks, totalBytes).toString("utf8");
+}
+async function forwardEvent(targetUrl, event, timeoutMs = DEFAULT_FORWARD_TIMEOUT_MS, maxResponseBytes = DEFAULT_MAX_BODY_BYTES) {
   const target = new URL(targetUrl);
   const destination = new URL(target.href);
   const parsedEventPath = parseEventPath(event.path);
@@ -174,23 +567,46 @@ async function forwardEvent(targetUrl, event, timeoutMs = DEFAULT_FORWARD_TIMEOU
     });
     return {
       status: response.status,
-      body: await response.text()
+      body: await readResponseBody(response, maxResponseBytes, controller)
     };
   } catch (error) {
     if (isAbortError(error)) {
       throw new Error(`forward timed out after ${timeoutMs}ms`);
     }
-    throw error;
+    const cause = error instanceof Error ? error.cause : void 0;
+    const code = cause instanceof Error ? cause.code : void 0;
+    const message = cause instanceof Error && cause.message ? cause.message : code;
+    throw new Error(message ?? errorMessage(error));
   } finally {
     clearTimeout(timeout);
   }
 }
+function cancellableDelay(ms, req) {
+  if (ms <= 0) return Promise.resolve();
+  return new Promise((resolve) => {
+    const timer = setTimeout(resolve, ms);
+    const onAbort = () => {
+      clearTimeout(timer);
+      resolve();
+    };
+    req.once("close", onAbort);
+    timer.unref();
+  });
+}
+function clampRetryCount(value) {
+  const n = value ?? 0;
+  if (!Number.isFinite(n) || !Number.isInteger(n)) return 0;
+  return Math.max(0, Math.min(n, 10));
+}
 function createServer(opts) {
   let boundPort = opts.port;
   let httpServer = null;
   let isStarting = false;
   const maxBodyBytes = opts.maxBodyBytes ?? DEFAULT_MAX_BODY_BYTES;
+  const maxForwardResponseBytes = opts.maxForwardResponseBytes ?? DEFAULT_MAX_BODY_BYTES;
   const forwardTimeoutMs = opts.forwardTimeoutMs ?? DEFAULT_FORWARD_TIMEOUT_MS;
+  const retryCount = clampRetryCount(opts.retryCount);
+  const retryBaseDelayMs = opts.retryBaseDelayMs ?? DEFAULT_RETRY_BASE_DELAY_MS;
   const handleRequest = async (req, res) => {
     const body = await readBody(req, maxBodyBytes);
     const event = {
@@ -201,22 +617,45 @@ function createServer(opts) {
       headers: headersToRecord(req.headers),
       body
     };
-    opts.storage.save(event);
     const verification = opts.verifier?.verify({ headers: event.headers, body: event.body }) ?? null;
+    event.verification = verification;
+    opts.storage.save(event);
     opts.onEvent?.(event, verification);
     if (!opts.forwardTo) {
       res.statusCode = 200;
       res.end("ok");
       return;
     }
+    let lastError = new Error("forward failed");
+    for (let attempt = 0; attempt <= retryCount; attempt++) {
+      if (attempt > 0) {
+        const delayMs = retryBaseDelayMs * Math.pow(RETRY_BACKOFF_MULTIPLIER, attempt - 1);
+        await cancellableDelay(delayMs, req);
+        try {
+          opts.onForwardRetry?.(event, attempt, retryCount, lastError);
+        } catch {
+        }
+      }
+      try {
+        const forwarded = await forwardEvent(
+          opts.forwardTo,
+          event,
+          forwardTimeoutMs,
+          maxForwardResponseBytes
+        );
+        res.statusCode = forwarded.status;
+        res.end(forwarded.body);
+        return;
+      } catch (error) {
+        lastError = toError(error);
+      }
+    }
     try {
-      const forwarded = await forwardEvent(opts.forwardTo, event, forwardTimeoutMs);
-      res.statusCode = forwarded.status;
-      res.end(forwarded.body);
+      opts.onForwardError?.(event, lastError);
     } catch {
-      res.statusCode = 502;
-      res.end("bad gateway");
     }
+    res.statusCode = 502;
+    res.end(`bad gateway: ${lastError.message}`);
   };
   return {
     get port() {
@@ -235,7 +674,7 @@ function createServer(opts) {
             return;
           }
           res.statusCode = 500;
-          res.end(err instanceof Error ? err.message : String(err));
+          res.end(errorMessage(err));
         });
       });
       httpServer = server;
@@ -285,177 +724,7 @@ function createServer(opts) {
   };
 }
 
-// src/storage/index.ts
-import os from "os";
-import fs from "fs";
-import { createRequire } from "module";
-import path from "path";
-
-// src/types.ts
-import { z } from "zod";
-var webhookEventSchema = z.object({
-  id: z.string(),
-  timestamp: z.string(),
-  method: z.string(),
-  path: z.string(),
-  headers: z.record(z.string(), z.string()),
-  body: z.string()
-});
-var eventRowSchema = z.object({
-  id: z.string(),
-  timestamp: z.string(),
-  method: z.string(),
-  path: z.string(),
-  headers: z.string(),
-  body: z.string()
-});
-var verificationResultSchema = z.object({
-  valid: z.boolean(),
-  provider: z.string(),
-  message: z.string(),
-  code: z.enum([
-    "valid",
-    "missing_header",
-    "malformed_header",
-    "expired_timestamp",
-    "signature_mismatch",
-    "body_mutated"
-  ])
-});
-var replayResultSchema = z.object({
-  status: z.number().int(),
-  body: z.string()
-});
-
-// src/storage/index.ts
-var require2 = createRequire(import.meta.url);
-var { DatabaseSync } = require2("node:sqlite");
-function defaultDbPath() {
-  return path.join(os.homedir(), ".hooklens", "events.db");
-}
-function rowToEvent(row) {
-  return webhookEventSchema.parse({
-    id: row.id,
-    timestamp: row.timestamp,
-    method: row.method,
-    path: row.path,
-    headers: JSON.parse(row.headers),
-    body: row.body
-  });
-}
-function createStorage(dbPath) {
-  fs.mkdirSync(path.dirname(dbPath), { recursive: true });
-  const db = new DatabaseSync(dbPath);
-  db.exec(`
-    CREATE TABLE IF NOT EXISTS events (
-      id TEXT PRIMARY KEY,
-      timestamp TEXT NOT NULL,
-      method TEXT NOT NULL,
-      path TEXT NOT NULL,
-      headers TEXT NOT NULL,
-      body TEXT NOT NULL
-    )
-  `);
-  const insertStmt = db.prepare(
-    `INSERT OR REPLACE INTO events (id, timestamp, method, path, headers, body)
-     VALUES (?, ?, ?, ?, ?, ?)`
-  );
-  const getStmt = db.prepare(`SELECT * FROM events WHERE id = ?`);
-  const listAllStmt = db.prepare(`SELECT * FROM events ORDER BY timestamp DESC`);
-  const listLimitedStmt = db.prepare(`SELECT * FROM events ORDER BY timestamp DESC LIMIT ?`);
-  const clearStmt = db.prepare(`DELETE FROM events`);
-  return {
-    save(event) {
-      insertStmt.run(
-        event.id,
-        event.timestamp,
-        event.method,
-        event.path,
-        JSON.stringify(event.headers),
-        event.body
-      );
-    },
-    load(id) {
-      const raw = getStmt.get(id);
-      if (!raw) return null;
-      const row = eventRowSchema.parse(raw);
-      return rowToEvent(row);
-    },
-    list(limit) {
-      if (limit !== void 0 && (!Number.isInteger(limit) || limit <= 0)) {
-        throw new Error(`Invalid limit: must be a positive integer, got ${limit}`);
-      }
-      const raw = limit === void 0 ? listAllStmt.all() : listLimitedStmt.all(limit);
-      const rows = raw.map((r) => eventRowSchema.parse(r));
-      return rows.map(rowToEvent);
-    },
-    clear() {
-      clearStmt.run();
-    },
-    close() {
-      db.close();
-    }
-  };
-}
-
-// src/ui/terminal.ts
-import chalk from "chalk";
-function writeLine(stream, line) {
-  stream.write(`${line}
-`);
-}
-function verificationLabel(result) {
-  if (!result) return chalk.cyan("RECV");
-  return result.valid ? chalk.green("PASS") : chalk.red("FAIL");
-}
-function createTerminal(stdout = process.stdout, stderr = process.stderr) {
-  return {
-    printListenStarted(info) {
-      writeLine(
-        stdout,
-        `${chalk.bold("Listening on")} ${chalk.cyan(`http://127.0.0.1:${info.port}`)}`
-      );
-      writeLine(stdout, `Verifier: ${info.verifier ?? "none"}`);
-      writeLine(stdout, `Forwarding to: ${info.forwardTo ?? "disabled"}`);
-      writeLine(stdout, `Storage: ${info.dbPath}`);
-    },
-    printEventCaptured(event, result) {
-      const label = verificationLabel(result);
-      const summary = `${label} ${chalk.bold(event.id)} ${event.method} ${event.path}`;
-      if (!result) {
-        writeLine(stdout, summary);
-        return;
-      }
-      writeLine(stdout, `${summary} ${result.message}`);
-    },
-    printEventList(events) {
-      if (!events.length) {
-        writeLine(stdout, chalk.dim("No stored events."));
-        return;
-      }
-      for (const event of events) {
-        const row = `${chalk.dim(event.timestamp)} ${chalk.cyan(event.method)} ${chalk.bold(event.id)} ${event.path}`;
-        writeLine(stdout, row);
-      }
-    },
-    printReplayResult(result) {
-      const summary = `${chalk.bold("Replay response:")} ${chalk.cyan(String(result.status))}`;
-      if (!result.body) {
-        writeLine(stdout, summary);
-        return;
-      }
-      writeLine(stdout, `${summary} ${result.body}`);
-    },
-    printListenStopped() {
-      writeLine(stdout, chalk.dim("Stopped listening."));
-    },
-    printError(message) {
-      writeLine(stderr, chalk.red(message));
-    }
-  };
-}
-
-// src/verify/stripe.ts
+// src/verify/github.ts
 import crypto2 from "crypto";
 
 // src/verify/headers.ts
@@ -466,10 +735,86 @@ function getHeaderCaseInsensitive(headers, name) {
   }
   return void 0;
 }
+function tryCanonicalForm(payload) {
+  try {
+    const canonical = JSON.stringify(JSON.parse(payload));
+    return canonical === payload ? null : canonical;
+  } catch {
+    return null;
+  }
+}
+
+// src/verify/github.ts
+var PROVIDER = "github";
+var PREFIX = "sha256=";
+var SHA256_HEX = /^[0-9a-fA-F]{64}$/;
+function computeHmac(secret, payload) {
+  return crypto2.createHmac("sha256", secret).update(payload).digest("hex");
+}
+function constantTimeMatch(expected, actual) {
+  if (expected.length !== actual.length) return false;
+  const expectedBuf = Buffer.from(expected, "utf8");
+  const actualBuf = Buffer.from(actual, "utf8");
+  return crypto2.timingSafeEqual(expectedBuf, actualBuf);
+}
+function success(message) {
+  return { valid: true, provider: PROVIDER, code: "valid", message };
+}
+function failure(code, message) {
+  return { valid: false, provider: PROVIDER, code, message };
+}
+function verifyGitHubSignature(opts) {
+  if (!opts.header) {
+    return failure(
+      "missing_header",
+      "x-hub-signature-256 header not found. Is this actually from GitHub?"
+    );
+  }
+  if (!opts.header.startsWith(PREFIX)) {
+    return failure("malformed_header", "x-hub-signature-256 header must start with sha256=");
+  }
+  const signature = opts.header.slice(PREFIX.length);
+  if (signature.length === 0) {
+    return failure("malformed_header", "x-hub-signature-256 header has no signature after sha256=");
+  }
+  if (!SHA256_HEX.test(signature)) {
+    return failure("malformed_header", "x-hub-signature-256 header has invalid sha256 hex digest");
+  }
+  const normalizedSignature = signature.toLowerCase();
+  const expected = computeHmac(opts.secret, opts.payload);
+  if (constantTimeMatch(expected, normalizedSignature)) {
+    return success("Signature verified.");
+  }
+  const canonical = tryCanonicalForm(opts.payload);
+  if (canonical !== null) {
+    const expectedCanonical = computeHmac(opts.secret, canonical);
+    if (constantTimeMatch(expectedCanonical, normalizedSignature)) {
+      return failure(
+        "body_mutated",
+        "Signature mismatch with correct secret. Body was likely parsed and re-serialized by your framework."
+      );
+    }
+  }
+  return failure(
+    "signature_mismatch",
+    "Signature mismatch. Check your webhook secret matches the GitHub settings."
+  );
+}
+function createGitHubVerifier(opts) {
+  return {
+    provider: PROVIDER,
+    verify: (event) => verifyGitHubSignature({
+      payload: event.body,
+      header: getHeaderCaseInsensitive(event.headers, "x-hub-signature-256"),
+      secret: opts.secret
+    })
+  };
+}
 
 // src/verify/stripe.ts
+import crypto3 from "crypto";
 var DEFAULT_TOLERANCE_SECONDS = 300;
-var PROVIDER = "stripe";
+var PROVIDER2 = "stripe";
 function parseHeader(header) {
   let timestamp = null;
   const signatures = [];
@@ -489,42 +834,34 @@ function parseHeader(header) {
   if (timestamp === null || signatures.length === 0) return null;
   return { timestamp, signatures };
 }
-function computeHmac(secret, signedPayload) {
-  return crypto2.createHmac("sha256", secret).update(signedPayload).digest("hex");
+function computeHmac2(secret, signedPayload) {
+  return crypto3.createHmac("sha256", secret).update(signedPayload).digest("hex");
 }
-function constantTimeMatch(expected, candidates) {
+function constantTimeMatch2(expected, candidates) {
   const expectedBuf = Buffer.from(expected, "utf8");
   for (const candidate of candidates) {
     if (candidate.length !== expected.length) continue;
     const candidateBuf = Buffer.from(candidate, "utf8");
-    if (crypto2.timingSafeEqual(expectedBuf, candidateBuf)) return true;
+    if (crypto3.timingSafeEqual(expectedBuf, candidateBuf)) return true;
   }
   return false;
 }
-function tryCanonicalForm(payload) {
-  try {
-    const canonical = JSON.stringify(JSON.parse(payload));
-    return canonical === payload ? null : canonical;
-  } catch {
-    return null;
-  }
-}
-function success(message) {
-  return { valid: true, provider: PROVIDER, code: "valid", message };
+function success2(message) {
+  return { valid: true, provider: PROVIDER2, code: "valid", message };
 }
-function failure(code, message) {
-  return { valid: false, provider: PROVIDER, code, message };
+function failure2(code, message) {
+  return { valid: false, provider: PROVIDER2, code, message };
 }
 function verifyStripeSignature(opts) {
   if (!opts.header) {
-    return failure(
+    return failure2(
       "missing_header",
       "stripe-signature header not found. Is this actually from Stripe?"
     );
   }
   const parsed = parseHeader(opts.header);
   if (!parsed) {
-    return failure(
+    return failure2(
       "malformed_header",
       "stripe-signature header is malformed. Expected format: t=timestamp,v1=signature"
     );
@@ -534,34 +871,34 @@ function verifyStripeSignature(opts) {
   const ageSeconds = Math.floor(nowMs / 1e3) - parsed.timestamp;
   if (ageSeconds > tolerance) {
     const minutes = Math.floor(ageSeconds / 60);
-    return failure(
+    return failure2(
       "expired_timestamp",
       `Timestamp is ${minutes} minutes old. Event expired or your clock is drifting.`
     );
   }
   const signedPayload = `${parsed.timestamp}.${opts.payload}`;
-  const expected = computeHmac(opts.secret, signedPayload);
-  if (constantTimeMatch(expected, parsed.signatures)) {
-    return success("Signature verified.");
+  const expected = computeHmac2(opts.secret, signedPayload);
+  if (constantTimeMatch2(expected, parsed.signatures)) {
+    return success2("Signature verified.");
   }
   const canonical = tryCanonicalForm(opts.payload);
   if (canonical !== null) {
-    const expectedCanonical = computeHmac(opts.secret, `${parsed.timestamp}.${canonical}`);
-    if (constantTimeMatch(expectedCanonical, parsed.signatures)) {
-      return failure(
+    const expectedCanonical = computeHmac2(opts.secret, `${parsed.timestamp}.${canonical}`);
+    if (constantTimeMatch2(expectedCanonical, parsed.signatures)) {
+      return failure2(
         "body_mutated",
         "Signature mismatch with correct secret. Body was likely parsed and re-serialized by your framework."
       );
     }
   }
-  return failure(
+  return failure2(
     "signature_mismatch",
     "Signature mismatch. Check your webhook secret matches the Stripe dashboard."
   );
 }
 function createStripeVerifier(opts) {
   return {
-    provider: PROVIDER,
+    provider: PROVIDER2,
     verify: (event) => verifyStripeSignature({
       payload: event.body,
       header: getHeaderCaseInsensitive(event.headers, "stripe-signature"),
@@ -580,6 +917,14 @@ function parsePort(port) {
   }
   return parsed;
 }
+function parseRetryCount(retry) {
+  if (retry === void 0) return 0;
+  const parsed = typeof retry === "number" ? retry : Number(retry);
+  if (!Number.isInteger(parsed) || parsed < 0 || parsed > 10) {
+    throw new Error(`Invalid retry count "${retry}". Expected an integer between 0 and 10.`);
+  }
+  return parsed;
+}
 function buildVerifier(flags) {
   if (!flags.verify) return void 0;
   switch (flags.verify) {
@@ -589,8 +934,14 @@ function buildVerifier(flags) {
       }
       return createStripeVerifier({ secret: flags.secret });
     }
+    case "github": {
+      if (!flags.secret) {
+        throw new Error("--secret is required when --verify github is set");
+      }
+      return createGitHubVerifier({ secret: flags.secret });
+    }
     default:
-      throw new Error(`Unknown --verify provider "${flags.verify}". Supported: stripe`);
+      throw new Error(`Unknown --verify provider "${flags.verify}". Supported: stripe, github`);
   }
 }
 async function stopServer(server) {
@@ -601,12 +952,12 @@ function printEventCapturedBestEffort(terminal, event, result) {
   try {
     terminal.printEventCaptured(event, result);
   } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    console.error(`Failed to print captured event: ${message}`);
+    console.error(`Failed to print captured event: ${errorMessage(error)}`);
   }
 }
 async function runListen(flags, deps = {}) {
   const port = parsePort(flags.port);
+  const retryCount = parseRetryCount(flags.retry);
   const verifier = buildVerifier(flags);
   const dbPath = defaultDbPath();
   const signals = deps.signals ?? process;
@@ -656,7 +1007,10 @@ async function runListen(flags, deps = {}) {
       storage,
       verifier,
       forwardTo: flags.forwardTo,
-      onEvent: (event, result) => printEventCapturedBestEffort(terminal, event, result)
+      retryCount,
+      onEvent: (event, result) => printEventCapturedBestEffort(terminal, event, result),
+      onForwardError: (event, error) => terminal.printForwardError(event.id, error.message),
+      onForwardRetry: (event, attempt, maxRetries, error) => terminal.printForwardRetry(event.id, attempt, maxRetries, error.message)
     });
     signals.on("SIGINT", onSignal);
     signals.on("SIGTERM", onSignal);
@@ -680,18 +1034,27 @@ async function runListen(flags, deps = {}) {
     throw error;
   }
 }
-var listenCommand = new Command("listen").description("Start receiving webhooks").option("-p, --port <port>", "Port to listen on", "4400").option("--verify <provider>", "Verify signatures (stripe)").option("--secret <secret>", "Webhook signing secret").option("--forward-to <url>", "Forward received webhooks to this URL").action(async (options) => {
+var listenCommand = new Command4("listen").description("Start receiving webhooks").option("-p, --port <port>", "Port to listen on", "4400").option("--verify <provider>", "Verify signatures (stripe, github)").option("--secret <secret>", "Webhook signing secret").option("--forward-to <url>", "Forward received webhooks to this URL").option("--retry <count>", "Retry failed forwards with exponential backoff", "0").addHelpText(
+  "after",
+  `
+Examples:
+  hooklens listen
+  hooklens listen -p 8080 --forward-to http://localhost:3000/webhook
+  hooklens listen --verify stripe --secret whsec_xxx
+  hooklens listen --verify github --secret ghsecret_xxx
+  hooklens listen --forward-to http://localhost:3000/webhook --retry 3`
+).action(async (options) => {
   const terminal = createTerminal();
   try {
     await runListen(options, { terminal });
   } catch (error) {
-    terminal.printError(error instanceof Error ? error.message : String(error));
+    terminal.printError(errorMessage(error));
     process.exitCode = 1;
   }
 });
 
 // src/cli/list.ts
-import { Command as Command2 } from "commander";
+import { Command as Command5 } from "commander";
 function parseLimit(limit) {
   const raw = limit;
   const parsed = typeof raw === "number" ? raw : Number(raw);
@@ -706,23 +1069,42 @@ async function runList(flags, deps = {}) {
   const storage = createStorage(defaultDbPath());
   try {
     const events = storage.list(limit);
-    terminal.printEventList(events);
+    if (flags.json) {
+      const out = deps.stdout ?? process.stdout;
+      for (const event of events) {
+        writeJsonLine(out, {
+          id: event.id,
+          timestamp: event.timestamp,
+          method: event.method,
+          path: event.path
+        });
+      }
+    } else {
+      terminal.printEventList(events);
+    }
   } finally {
     storage.close();
   }
 }
-var listCommand = new Command2("list").description("Show received webhook events").option("-n, --limit <count>", "Number of events to show", "20").action(async (options) => {
+var listCommand = new Command5("list").description("Show received webhook events").option("-n, --limit <count>", "Number of events to show", "20").option("--json", "Output as newline-delimited JSON").addHelpText(
+  "after",
+  `
+Examples:
+  hooklens list
+  hooklens list -n 5
+  hooklens list --json`
+).action(async (options) => {
   const terminal = createTerminal();
   try {
     await runList(options, { terminal });
   } catch (error) {
-    terminal.printError(error instanceof Error ? error.message : String(error));
+    terminal.printError(errorMessage(error));
     process.exitCode = 1;
   }
 });
 
 // src/cli/replay.ts
-import { Command as Command3 } from "commander";
+import { Command as Command6 } from "commander";
 var DEFAULT_REPLAY_TARGET_URL = "http://localhost:3000/webhook";
 function parseTargetUrl(targetUrl) {
   const raw = targetUrl ?? DEFAULT_REPLAY_TARGET_URL;
@@ -743,40 +1125,53 @@ async function runReplay(eventId, flags, deps = {}) {
     }
     try {
       const result = await forwardEvent(targetUrl, event);
-      const body = result.body.length <= 200 ? result.body : `${result.body.slice(0, 197)}...`;
-      terminal.printReplayResult({
-        status: result.status,
-        body
-      });
+      if (flags.json) {
+        const out = deps.stdout ?? process.stdout;
+        writeJsonLine(out, { status: result.status, body: result.body });
+      } else {
+        const body = result.body.length <= 200 ? result.body : `${result.body.slice(0, 197)}...`;
+        terminal.printReplayResult({
+          status: result.status,
+          body
+        });
+      }
     } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      throw new Error(`Failed to replay "${eventId}" to ${targetUrl}: ${message}`);
+      throw new Error(`Failed to replay "${eventId}" to ${targetUrl}: ${errorMessage(error)}`);
     }
   } finally {
     storage.close();
   }
 }
-var replayCommand = new Command3("replay").description("Replay a stored webhook event").argument("<event-id>", "ID of the event to replay").option("--to <url>", "Target URL to send the event to", DEFAULT_REPLAY_TARGET_URL).action(async (eventId, options) => {
+var replayCommand = new Command6("replay").description("Replay a stored webhook event").argument("<event-id>", "ID of the event to replay").option("--to <url>", "Target URL to send the event to", DEFAULT_REPLAY_TARGET_URL).option("--json", "Output as JSON").addHelpText(
+  "after",
+  `
+Examples:
+  hooklens replay evt_abc123
+  hooklens replay evt_abc123 --to http://localhost:8080/hook
+  hooklens replay evt_abc123 --json`
+).action(async (eventId, options) => {
   const terminal = createTerminal();
   try {
     await runReplay(eventId, options, { terminal });
   } catch (error) {
-    terminal.printError(error instanceof Error ? error.message : String(error));
+    terminal.printError(errorMessage(error));
     process.exitCode = 1;
   }
 });
 
 // src/cli/index.ts
-var program = new Command4();
+var program = new Command7();
 program.name("hooklens").description("Inspect, verify, and replay webhooks from your terminal").version("0.1.0");
 program.addCommand(listenCommand);
 program.addCommand(listCommand);
+program.addCommand(inspectCommand);
 program.addCommand(replayCommand);
+program.addCommand(deleteCommand);
+program.addCommand(clearCommand);
 try {
   await program.parseAsync(process.argv);
 } catch (error) {
-  const message = error instanceof Error ? error.message : String(error);
-  console.error(message);
+  console.error(errorMessage(error));
   process.exitCode = 1;
 }
 //# sourceMappingURL=index.js.map