Webhook security audit CLI — finds signature-verification bugs in JavaScript, TypeScript, Python, and PHP codebases. Local, deterministic, zero-network. 230 rules across 21 providers (Stripe, GitHub, Shopify, Slack, Twilio, Square, Sentry, Zendesk, DocuSi
hookwarden audit engine — handler discovery, reachability analysis, and evidence collection for webhook signature verification. Browser-safe, pure-functional, zero I/O. Powers the @hookwarden CLI, GitHub Action, and MCP server.
hookwarden auto-remediation — mechanical AST rewrites for the safe-codegen rule subset (timing-unsafe → constant-time comparison, raw-body misuse). Atomic staging, re-scan before replace, never edits inside strings or comments. Powers `hookwarden fix`.
GitHub Action wrapper for the hookwarden CLI.
hookwarden detection rule pack — 230 webhook signature-verification rules across 21 providers (Stripe, GitHub, Shopify, Slack, Twilio, Square + 15 more, including Standard Webhooks conformant). Every rule cited (CWE / RFC / Svix / Stripe spec). Test-path-
Markdown PR-comment renderer for hookwarden. Single source of truth for the sticky-comment shape used by the public GitHub Action and the SaaS continuous-scanning worker.
In-house RFC 8785 JSON Canonicalization Scheme (JCS) encoder. Zero runtime dependencies, pure ECMAScript, no Node built-ins. The byte-equality anchor for hookwarden's audit-log signing + evidence-pack verification — vendorable into cross-language auditor
Model Context Protocol server for hookwarden — exposes the scan_handler tool so AI coding agents (Claude Code, Cursor, Continue, Anthropic Agent SDK) can find webhook signature-verification bugs locally. 230 rules across 21 providers, 100% cited (CWE / RF