fix(ashby): add secretToken to webhook creation and fix trigger UX

[waleedlatif1]

Summary

• Add required secretToken field to Ashby webhook.create API call (fixes "secretToken: Invalid input" error)
• Register Ashby in pending webhook verification so ping during creation returns 200 instead of 404
• Add HMAC-SHA256 signature verification for incoming Ashby webhooks via Ashby-Signature header
• Remove webhook URL display from Ashby triggers (we manage the lifecycle via API)
• Fix setup instructions (remove "Save Configuration" reference, update copy)
• Refactor toast component to a simpler general-purpose system; move notification-specific behavior (stacking, countdown rings, auto-dismiss) into the Notifications component

Type of Change

• Bug fix

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[cursor]

PR Summary

High Risk
High risk because it changes webhook subscription creation/stored secrets and adds new HMAC signature enforcement for ashby, which can block legitimate traffic if misconfigured; it also refactors user-facing notification/toast rendering and timing behavior.

Overview
Fixes Ashby webhook lifecycle by generating/persisting a per-webhook secretToken during webhook.create, treating Ashby ping events as pending-verification probes, and enforcing HMAC-SHA256 validation of incoming Ashby webhooks via the ashby-signature header.

Refactors the UI notification system by removing the workspace-level ToastProvider wrapper, moving stacking/auto-dismiss/countdown-ring behavior into the workflow Notifications component (with new global keyframes), and simplifying the shared toast component into a generic, variant-styled, optional-description toast list (no pause/dismiss-all logic).

^{Written by Cursor Bugbot for commit 373481a. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Mar 14, 2026 1:25pm

[greptile-apps]

Greptile Summary

This PR fixes the Ashby webhook integration by wiring up the required secretToken during webhook creation, registering Ashby in the pending-verification system (so the creation-time ping returns 200), and adding HMAC-SHA256 signature verification via the Ashby-Signature header. It also removes the webhook URL display from Ashby trigger UIs (correct, since the lifecycle is API-managed) and refactors the toast/notification architecture — moving stacking, countdown rings, and auto-dismiss logic from the generic ToastProvider into the Notifications component directly.

Key changes:

• provider-subscriptions.ts: Generates a UUID as secretToken, sends it to Ashby on webhook.create, and stores it in providerConfig for later verification
• pending-verification.ts: Adds Ashby registration and probe matchers so the creation-time ping (POST with action: "ping") returns 200 instead of 404
• utils.server.ts / processor.ts: Adds validateAshbySignature (HMAC-SHA256, sha256=<hex> format) and invokes it during webhook auth
• triggers/ashby/utils.ts: Replaces buildTriggerSubBlocks + buildAshbyExtraFields with the consolidated buildAshbySubBlocks, dropping the webhook URL sub-block for all Ashby triggers
• notifications.tsx / toast.tsx: Notifications component is now self-contained with its own stacking and timer logic; ToastProvider is simplified to a general-purpose display system with no auto-dismiss by default

Issue found:

• The clear-notifications keyboard command calls clearNotifications(...) but no longer cancels the pending auto-dismiss timers in timersRef.current. In the old code dismissAll() handled this; in the refactor that call was removed, leaving stale timers that fire after the notifications are cleared.

Confidence Score: 4/5

• Safe to merge — the core Ashby webhook fixes are correct and the toast refactor is sound, with one minor logic gap in timer cleanup.
• The webhook security additions (HMAC verification, pending-verification registration, secretToken storage) are well-implemented and consistent with other providers. The Ashby trigger simplification is clean. One real bug exists in notifications.tsx: stale auto-dismiss timers are not cancelled when all notifications are cleared via the keyboard shortcut, a regression introduced by removing the dismissAll() call in the refactor. The fix is a one-liner. All other changes are correct.
• apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/notifications/notifications.tsx — stale timer cleanup on clear-notifications

Important Files Changed

Filename	Overview
apps/sim/lib/webhooks/processor.ts	Adds HMAC-SHA256 Ashby signature verification using the stored secretToken; consistent with other provider verification patterns in the file.
apps/sim/lib/webhooks/provider-subscriptions.ts	Generates a random secretToken via crypto.randomUUID(), sends it to Ashby on webhook creation, and persists it in providerConfig for later verification. Return type updated to include secretToken.
apps/sim/lib/webhooks/utils.server.ts	Adds validateAshbySignature — validates sha256=<hex> header format and uses constant-time comparison via safeCompare. Implementation is correct.
apps/sim/lib/webhooks/pending-verification.ts	Registers Ashby in pending-webhook matchers so the ping during creation returns 200 instead of 404. Probe matcher correctly identifies Ashby ping events by action === 'ping'.
apps/sim/triggers/ashby/utils.ts	Consolidates subBlock construction into buildAshbySubBlocks, removing webhook URL display and simplifying setup instructions. The API key block correctly keeps paramVisibility: 'user-only'.
apps/sim/components/emcn/components/toast/toast.tsx	Simplified to a general-purpose toast system: per-item dismiss timers, no stacking, default duration 0 (manual dismiss). ctx correctly wrapped in useMemo. Removes CountdownRing, pauseAll, dismissAll which are now owned by Notifications.
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/notifications/notifications.tsx	Notifications is now a self-contained UI component with stacking, countdown rings, and auto-dismiss. Contains a logic gap: stale dismiss timers are not cancelled when visibleNotifications becomes empty (e.g., via clear-notifications command).
apps/sim/app/workspace/[workspaceId]/layout.tsx	Removes ToastProvider from the workspace layout. Verified safe: no other component within this subtree calls useToast() after the refactor.

Sequence Diagram

sequenceDiagram
    participant UI as Trigger UI
    participant PS as provider-subscriptions.ts
    participant Ashby as Ashby API
    participant PV as pending-verification.ts
    participant WH as Webhook Endpoint
    participant Proc as processor.ts

    UI->>PS: Save Ashby trigger (apiKey, triggerId)
    PS->>PS: Generate secretToken (UUID)
    PS->>Ashby: POST webhook.create with requestUrl + secretToken
    Ashby-->>PS: webhook id
    PS->>PS: Store externalId and secretToken in providerConfig
    PS->>PV: Register ashby in pending verification

    Ashby->>WH: POST ping event (action=ping)
    WH->>PV: ashby probeMatcher checks method and action
    PV-->>WH: match (return 200)
    WH-->>Ashby: 200 OK

    Note over Ashby,Proc: Real webhook event arrives later

    Ashby->>WH: POST event with Ashby-Signature header
    WH->>Proc: verifyProviderAuth(request, rawBody)
    Proc->>Proc: Read secretToken from providerConfig
    Proc->>Proc: validateAshbySignature(secretToken, header, rawBody)
    alt valid signature
        Proc-->>WH: nil, proceed
    else missing or invalid
        Proc-->>WH: 401 Unauthorized
    end

Loading

_{Last reviewed commit: 373481a}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@cursor review

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}