Chapter DWebhook labPage 8 of 8

Webhook lab

Run acceptance tests and make the ship call

Build a FastAPI receiver accepting batch-index completion events and handing validated work to a durable queue as an operable release, not a slide-deck example.

~14 minProduction ship gate

1Try it yourself

Playground

Webhook lab

Webhooks push events — polling pulls. Verify signatures before acting.

Nightly index job finished

Before you start

Why this matters

Before changing code, write the single production outcome this chapter must prove and the signal that would stop you. For this lab, the service boundary is raw bytes plus X-Event-Id, X-Timestamp, and X-Signature headers become a normalized BatchCompleted event only after authentication. Record one request identifier you can follow from ingress through the final decision. If you cannot name the owner of the stop decision, the rollout is not yet controlled.

The source lesson says webhooks push completion events and must be signature-verified and idempotent before work begins. This chapter turns that compact lesson into implementation evidence. The running scenario is a FastAPI receiver accepting batch-index completion events and handing validated work to a durable queue. You will keep the same scenario across all eight chapters so setup decisions, tests, telemetry, and rollback controls accumulate into one coherent system rather than eight disconnected exercises.

2Learn the idea

Read

Assemble the release candidate

Freeze a candidate by recording source SHA, dependency lock digest, configuration revision, fixture digest, and deployment artifact. Run setup from a clean checkout, then execute unit, contract, integration, quality, and failure suites in that order. Do not substitute an old green build for evidence about the frozen candidate.

Review the contract: raw bytes plus X-Event-Id, X-Timestamp, and X-Signature headers become a normalized BatchCompleted event only after authentication. Confirm one realistic request completes the happy path and can be traced end to end. Confirm malformed and unauthorized requests fail before side effects. Confirm duplicate or repeated requests preserve required consistency. Confirm dependency timeout enters the documented degraded mode.

Read

Run the acceptance plan

Execute these acceptance cases and attach evidence:

  1. Functional: the canonical fixture returns the contracted structured result and correct attribution.
  2. Quality: the versioned golden set meets the primary threshold with reviewed case-level failures.
  3. Performance: expected concurrency stays within the latency and saturation budget.
  4. Resilience: timeout, malformed response, and unavailable dependency produce bounded behavior.
  5. Security: cross-tenant or forged input is rejected with zero unauthorized side effects.
  6. Operations: an alert fires, the runbook is followed, and safe behavior is restored within the target.
  7. Rollback: pause workers while continuing durable inbox writes, disable the new event handler by type, and replay quarantined events after repair.

The metric decision uses signature rejects, duplicate rate, receive-to-ack latency, queue age, processing latency, retries, and dead-letter count. Require complete telemetry and the minimum observation window. Record sample counts and confidence where comparisons are statistical. A passing average cannot override a hard security, correctness, or latency guardrail.

Read

Make the ship decision

Use three outcomes. Ship means all blocking tests pass, rollback is timed, dashboards and alerts are live, ownership is accepted, and residual risks have dates. Hold means evidence is missing or a non-critical defect has an explicit repair owner. Rollback means a hard guardrail, security boundary, data-integrity invariant, or recovery target failed.

Conduct a 30-minute game day after deployment. Inject one dependency failure or risky-control breach, let the on-call responder diagnose from telemetry, execute the runbook, and verify recovery from user-visible symptoms. Capture detection time, decision time, recovery time, and any manual step.

Read

Production ship packet

The final packet contains architecture and trust-boundary diagrams, API or event contracts, configuration, test report, golden-set digest, performance result, dashboard and alert links, security review, rollback transcript, runbook, owner, and dated residual risks. The system is shipped only when another operator can use that packet to understand what is live, detect harm, stop exposure, and recover without the author present.

Checking tutor…

Continue learning · glossary & guides