Skip to content

Add pluggable inbound-webhook framework + Granola meeting summarizer#4

Open
Miyamura80 wants to merge 5 commits into
mainfrom
claude/webhook-listener-meetings-56Ucc
Open

Add pluggable inbound-webhook framework + Granola meeting summarizer#4
Miyamura80 wants to merge 5 commits into
mainfrom
claude/webhook-listener-meetings-56Ucc

Conversation

@Miyamura80

@Miyamura80 Miyamura80 commented May 16, 2026

Copy link
Copy Markdown
Contributor

Summary

Introduces a small framework in webhooks/ for mounting custom inbound webhooks on the existing Bun.serve() instance, and ships the first source: a Granola "meeting finished" handler that streams a Codex summary into Slack.

  • Generic webhook framework. Each source is a factory (ctx: { bot }) => { path, handler } exported from webhooks/<name>.ts. index.ts mounts every factory under Bun.serve({ routes }). Adding a new source = drop a file + one line in index.ts.
  • Shared conventions (documented in CLAUDE.md):
    • Auth via X-Webhook-Secret: $WEBHOOK_SECRET.
    • Per-source dedup via Redis SET key NX EX 604800 (7-day TTL) — retried deliveries return 200 without re-processing.
    • Handlers return 200 immediately and process in the background, so emitter timeouts can't trigger retry storms while Codex is generating.
    • On background-processing failure, post a :warning: notice to the same Slack channel so issues are visible instead of silently swallowed.
  • Granola source (webhooks/granola.ts): POST /api/webhooks/granola accepts { meeting_id, title, transcript, notes?, attendees? }, asks Codex for a Slack-formatted wrap-up (header + 3-5 bullets + optional action items), and streams it into GRANOLA_SLACK_CHANNEL_ID (intended: #edison-os-updates) via bot.channel("slack:Cxxx").post(streamCodex(...)).
  • Refactor: extracted streamCodex out of index.ts into lib/codex.ts so onNewMention and webhook handlers share one implementation.

Files

  • webhooks/types.tsWebhookContext, WebhookRoute, WebhookFactory
  • webhooks/granola.ts — Granola handler
  • lib/codex.ts — shared streamCodex
  • index.ts — wires the webhooks array into Bun.serve({ routes })
  • .env.example — adds WEBHOOK_SECRET and GRANOLA_SLACK_CHANNEL_ID
  • CLAUDE.md — documents the inbound-webhook conventions

Before testing

  1. Add to .env:
    WEBHOOK_SECRET=<something long and random>
    GRANOLA_SLACK_CHANNEL_ID=<Slack channel ID of #edison-os-updates>
    
    (Find the channel ID in Slack: channel header → "View channel details" → scroll to bottom → "Channel ID".)
  2. Make sure local Redis is running (brew services start redis).
  3. Restart the bot: bun run index.ts. Startup logs should show POST /api/webhooks/granola mounted.
  4. The Mac mini runs the bot in tmux behind ngrok — confirm the ngrok tunnel is up if the Granola emitter posts from outside the LAN.

Test plan

  • Bot starts cleanly and logs both POST /api/webhooks/slack and POST /api/webhooks/granola.
  • Missing/invalid X-Webhook-Secret returns 401:
    curl -i -X POST http://localhost:3123/api/webhooks/granola \
      -H "Content-Type: application/json" \
      -d '{"meeting_id":"x","title":"x","transcript":"x"}'
  • Valid request returns 200 immediately and a streamed wrap-up lands in #edison-os-updates a few seconds later:
    curl -X POST http://localhost:3123/api/webhooks/granola \
      -H "X-Webhook-Secret: $WEBHOOK_SECRET" \
      -H "Content-Type: application/json" \
      -d '{"meeting_id":"test-001","title":"Test meeting","transcript":"Alice and Bob discussed shipping the new dashboard. Bob will draft the rollout plan by Friday.","attendees":["Alice","Bob"]}'
  • Replaying the same meeting_id returns 200 Duplicate (already processed) and does not post a second message.
  • Missing required fields returns 400.
  • Force a failure (e.g. temporarily set GRANOLA_SLACK_CHANNEL_ID to an ID the bot can't post to) and confirm a :warning: failure notice attempt is logged.
  • bunx tsc --noEmit is clean (already verified locally).
  • Existing @mention flow still streams a Codex reply (regression check on the streamCodex extraction).

Generated by Claude Code


Summary by cubic

Adds a pluggable inbound-webhook framework and the first source: a Granola “meeting finished” webhook that streams a Codex summary to Slack. Also adds macOS launchd deployment with a parameterized LaunchAgent and clearer, user-safe setup steps.

  • New Features

    • Mount custom webhook handlers from webhooks/ via a factory and Bun.serve routes; startup logs list mounted paths.
    • Shared conventions: X-Webhook-Secret auth, Redis SET NX EX 7d dedup, 200 immediate with background processing, and :warning: failure notices.
    • Granola endpoint POST /api/webhooks/granola accepts {meeting_id, title, transcript, notes?, attendees?} and posts a streamed wrap-up to GRANOLA_SLACK_CHANNEL_ID.
    • Deployment: docs/DEPLOY.md + LaunchAgent template with __USER__/__WORKDIR__ placeholders; run install as the target user; env from .env; external-volume Full Disk Access note; codex revoked-cert diagnostic now resolves npm using the agent’s PATH to avoid false negatives.
  • Bug Fixes

    • Reject non-object JSON bodies early; normalize attendees with Array.isArray before .join.
    • Extracted streamCodex to lib/codex.ts; now awaits the subprocess and throws on non-zero exit so errors surface instead of empty summaries.

Written for commit 3ac8890. Summary will update on new commits.

Review in cubic

Introduces webhooks/ as a place to mount custom webhook listeners on the
same Bun.serve instance. First source is Granola: when a meeting wraps,
the emitter POSTs to /api/webhooks/granola and a Codex-generated summary
is streamed into the configured Slack channel.

- Shared X-Webhook-Secret auth and Redis NX/EX dedup per source
- Handler returns 200 immediately and processes in the background
- Failures post a ⚠️ notice to the same channel so issues are visible
- Extracted streamCodex into lib/codex.ts so mentions and webhooks share it
@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 6 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="webhooks/granola.ts">

<violation number="1" location="webhooks/granola.ts:42">
P2: Validate payload types before property access; non-object JSON can currently throw and return 500.</violation>

<violation number="2" location="webhooks/granola.ts:65">
P2: Normalize `attendees` to an array before joining; current code can throw before the catch block.</violation>
</file>

<file name="lib/codex.ts">

<violation number="1" location="lib/codex.ts:35">
P2: Validate the Codex subprocess exit code before returning; non-zero exits are currently treated as success.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Fix all with cubic | Re-trigger cubic

Comment thread webhooks/granola.ts Outdated
Comment thread webhooks/granola.ts Outdated
Comment thread lib/codex.ts
claude and others added 2 commits May 16, 2026 16:55
Addresses three review issues from cubic on PR #4:

- webhooks/granola.ts: reject non-object JSON bodies (null, arrays,
  primitives) before field access, instead of letting a TypeError
  bubble up as a 500.
- webhooks/granola.ts: normalize `attendees` with Array.isArray before
  calling .join, so a malformed (non-array, non-empty) value can no
  longer throw outside the surrounding try/catch in the background
  task.
- lib/codex.ts: await the subprocess and throw on non-zero exit so
  silent codex failures surface as errors instead of empty summaries.
  Callers (webhook handler, onNewMention) now see the failure and can
  react.
Capture the macOS deploy setup that was previously only tribal knowledge:
- deploy/com.edison.assistant-bot.plist: LaunchAgent template (RunAtLoad +
  KeepAlive, direct bun exec, no secrets — env comes from .env).
- docs/DEPLOY.md: install/manage commands plus two gotchas hit in practice:
  (1) a checkout on an external/removable volume needs Full Disk Access on the
  bun binary or launchd gets EPERM reading files (TCC); (2) the codex CLI hangs
  in dyld if its signing cert is revoked — upgrade to a clean build.
- CLAUDE.md: link to the new deploy doc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Eito-Test-Account

Copy link
Copy Markdown

Deployment captured in-repo (0bb7814)

The bot is now running as a macOS launchd LaunchAgent on the Mac mini — auto-starts on login, auto-restarts on crash, verified across a real reboot (survived ~14h unattended; the post-reboot Granola→Slack summary posted fine).

Added so this isn't tribal knowledge:

  • deploy/com.edison.assistant-bot.plist — LaunchAgent template (RunAtLoad + KeepAlive, direct bun run index.ts, no secrets; env still loads from .env).
  • docs/DEPLOY.md — install/manage commands + the two gotchas we hit:
    1. External/removable-volume TCC — this checkout lives on a USB volume (/Volumes/Data, via the ~/Github symlink). launchd-spawned processes get EPERM reading file contents there (metadata/ls works), so the agent starts but never binds :3123 and logs nothing. Fix: grant Full Disk Access to /opt/homebrew/bin/bun (re-add after brew upgrade bun).
    2. codex revoked cert — the Granola handler's codex CLI hung on every invocation (stuck in _dyld_start); spctl --assess reported CSSMERR_TP_CERT_REVOKED on the 0.129.0 build. Fix: npm install -g @openai/codex@latest (0.144.0 assesses clean).

No application/runtime code changed — this commit is docs + a plist template only.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 3 files (changes from recent commits).

Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic

Comment thread docs/DEPLOY.md Outdated
Comment thread deploy/com.edison.assistant-bot.plist
Addresses two cubic review comments on 0bb7814:

- deploy/com.edison.assistant-bot.plist: parameterize user-specific fields
  with __USER__ and __WORKDIR__ placeholders instead of hardcoding one
  operator's username in StandardOut/ErrPath, PATH, HOME, and
  WorkingDirectory. Label stays as com.edison.assistant-bot (reverse-DNS
  prefix refers to the org, not the local user).
- docs/DEPLOY.md: install step now renders the template via sed so all
  placeholders get substituted in one command. Documents which fields are
  parameterized and why.
- docs/DEPLOY.md: rewrite the revoked-cert diagnostic. The old command
  relied on `readlink -f` (GNU-only; BSD readlink on macOS errors with
  "illegal option -- f") and manually joined path segments in a way that
  double-nested inside the codex npm package. New command uses `find`
  under `npm root -g` to locate the arch-specific binary — BSD-safe,
  arch-agnostic (arm64 and x86_64), and resilient to whether npm dedups
  the platform packages flat or under codex/node_modules.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All reported issues were addressed across 2 files (changes from recent commits).

Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic

Comment thread docs/DEPLOY.md Outdated
Comment thread docs/DEPLOY.md Outdated
Addresses two cubic review comments on 36b5fae:

- docs/DEPLOY.md: the previous "if deploying for a different user, replace
  $USER with the target username" note was misleading — the surrounding
  commands still targeted the current user's ~, $(id -u), and log paths.
  Replace it with a directive to run the whole install sequence as the
  target user so every reference resolves consistently.
- docs/DEPLOY.md: the codex signing-cert diagnostic used the interactive
  shell's `npm root -g`, which nvm/nodenv/asdf can shadow. The bot spawns
  bare `codex` under the LaunchAgent's fixed PATH, so the diagnostic must
  resolve npm through that same PATH — otherwise it may inspect a
  different codex install than the one the bot actually runs, giving a
  false negative on a revoked cert. Rewrite to reproduce the bot's PATH
  and resolve npm via `command -v` under it (BSD-safe, arch-agnostic).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants