Webhooks and audit (MVP)

Outbound workspace webhooks complement the existing in-dashboard audit log API. The MVP delivers a signed JSON payload for the policy.published event, and only when encryption is configured for signing-secret storage.

HTTP API (session or management key)

  • GET /keys/dashboard/api/webhooks — list subscriptions (no secrets).
  • POST /keys/dashboard/api/webhooks — JSON body with url and optional event_types; the response includes signing_secret once, so store it when the subscription is created.
  • DELETE /keys/dashboard/api/webhooks?id=<uuid> — remove subscription.

Webhooks require RESTORMEL_CREDENTIALS_ENCRYPTION_KEY (the same key used for hosted provider credentials) to encrypt signing secrets at rest.

Payload and signature

The POST body is JSON with the fields event, occurred_at, workspace_id and data (event-specific; no raw keys). Headers: X-Restormel-Event and X-Restormel-Signature, whose value is v1=<hmac-sha256-hex> computed over the raw body.
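
A receiver-side check for the signature scheme described above, as an added example (not Restormel's own code). It assumes the HMAC key is the UTF-8 bytes of signing_secret; the function names, sample secret and sample body are constructed for illustration.

```python
import hashlib
import hmac
import json

SIG_PREFIX = "v1="

# Constructed sample values, not real Restormel data.
SAMPLE_SECRET = "constructed-signing-secret"
SAMPLE_BODY = (
    b'{"event":"policy.published","occurred_at":"2024-01-01T00:00:00Z",'
    b'"workspace_id":"ws-constructed","data":{}}'
)


def sign_body(signing_secret: str, raw_body: bytes) -> str:
    """Header value v1=<hmac-sha256-hex> over the raw body.

    Assumption: the HMAC key is the UTF-8 bytes of signing_secret.
    """
    mac = hmac.new(signing_secret.encode("utf-8"), raw_body, hashlib.sha256)
    return SIG_PREFIX + mac.hexdigest()


def verify_webhook(signing_secret: str, raw_body: bytes, headers: dict) -> dict:
    """Return the parsed payload if the signature checks out, else raise ValueError."""
    # HTTP header names are case-insensitive.
    hdrs = {k.lower(): v for k, v in headers.items()}
    received = hdrs.get("x-restormel-signature", "").strip()
    if not received.startswith(SIG_PREFIX):
        raise ValueError("missing or unsupported signature version")
    expected = sign_body(signing_secret, raw_body)
    # Compare in constant time, and against the bytes exactly as received:
    # re-serialising the JSON first would change the bytes and the MAC.
    if not hmac.compare_digest(expected.encode(), received.lower().encode()):
        raise ValueError("signature mismatch")
    # Parse only after verification. X-Restormel-Event is not covered by the
    # MAC, so route on the signed body's "event" field instead.
    return json.loads(raw_body)


if __name__ == "__main__":
    good = {"X-Restormel-Event": "policy.published",
            "X-Restormel-Signature": sign_body(SAMPLE_SECRET, SAMPLE_BODY)}
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, good)["event"])
```

Pass the request body to verify_webhook as the unmodified bytes read from the socket; many web frameworks parse JSON before handlers run, which loses the exact bytes the signature covers.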

Audit log

GET /keys/dashboard/api/audit remains the pull-style trail for workspace actions. Normalise both streams in your SIEM if needed (webhook push vs audit poll).

Repo reference

docs/integrations/webhooks-audit-mvp.md