Add webhook payload redaction guard

[taherdhanera]

/claim #19

Summary

Adds webhook-payload-redaction-guard, a self-contained Enterprise Tooling slice that validates outbound institutional webhook/API payloads before delivery.

The guard evaluates:

• event-type and schema allowlists
• private project fields
• PII/direct identifier exposure
• private storage URLs
• data-residency destination regions
• signature metadata and unsafe signing algorithms
• dataset access safety and embargoed download links
• event-level delivery decisions: deliver, redact-and-review, or block-delivery

Non-overlap

This is not a webhook replay ledger, admin notification escalation guard, connector certification gate, API change governance guard, data export approval queue, deposit reconciliation guard, SCIM/HRIS deprovisioning guard, LMS roster passback guard, usage cost-allocation guard, incident response workflow, data residency policy module, or secret rotation gate. It focuses specifically on outbound payload minimization and redaction before institutional delivery.

Local validation

Run from webhook-payload-redaction-guard/:

npm run check
npm test
npm run demo
npm run demo:video

All four commands passed locally.

Reviewer artifacts

• reports/summary.json
• reports/reviewer-packet.md
• reports/summary.svg
• reports/demo.webm

Safety

All data is synthetic. The module does not call live webhook delivery, repository sync, LMS sync, identity services, storage systems, or external providers. It does not include private institutional payloads, credentials, secrets, real users, or live admin mutations.

[taherdhanera]

Reviewer-ready checkpoint for /claim #19. This PR is open, non-draft, mergeable/CLEAN, Bounty claim labeled, and the body contains /claim #19. Scope remains webhook payload redaction: event/schema allowlists, private project fields, PII/direct identifier exposure, private storage URLs, residency checks, signature safety, embargoed links, and deterministic deliver/redact/block decisions from synthetic data only.

[taherdhanera]

Visibility update after the new API rate-limit PR: this #19 claim remains open, non-draft, mergeable/CLEAN, bounty-labeled, and already claim-marked.

Scope remains the webhook payload redaction/minimization guard, not API rate-limit contract or retry/backoff work. This PR covers event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destinations, signature metadata, unsafe signing algorithms, and event-level deliver/redact/block decisions.

The reviewer packet, deterministic artifacts, validation commands, and claim marker are already in place. I do not see a contributor-side blocker for review/reward decision.

[taherdhanera]

Visibility update after PR #411: this existing /claim #19 remains open, non-draft, CLEAN, bounty-labeled, and claim-marked.

Scope remains the webhook payload redaction/minimization guard, separate from the newer enterprise dashboard accessibility readiness slice. This PR covers event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destinations, signature metadata, unsafe signing algorithms, and event-level deliver/redact/block decisions.

The reviewer packet, deterministic artifacts, validation commands, and claim marker are already in place. I do not see a contributor-side blocker for review/reward decision.

[taherdhanera]

Status refresh after the latest issue #19 external claim follow-up: PR #383 remains open, non-draft, mergeable, bounty-labeled, and claim-marked for the existing #19 submission. No code changes are needed from my side unless reviewers request revisions.

[taherdhanera]

Status refresh after the newer same-issue PR #445 activity: PR #383 remains open, non-draft, mergeable/CLEAN, bounty-labeled, and claim-marked for issue #19.

The submitted scope remains the webhook payload redaction/minimization guard: event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destinations, signature metadata, unsafe signing algorithms, and event-level deliver/redact/block decisions before institutional webhook/API payload delivery.

This is distinct from PR #445's webhook delivery failure guard, enterprise admin dashboard accessibility readiness, API rate-limit contract work, vendor-DPA/subprocessor review, and the other #19 slices.

[taherdhanera]

Status refresh after the newer same-issue PR #411 hardening activity: PR #383 remains open, non-draft, mergeable/CLEAN, bounty-labeled, and claim-marked for issue #19.

The submitted scope remains the webhook payload redaction/minimization guard: event schema allowlists, private project fields, PII/direct identifiers, private storage URLs, data-residency destinations, signature metadata, unsafe signing algorithms, and event-level deliver/redact/block decisions before institutional webhook/API payload delivery.

This is distinct from PR #411's enterprise admin dashboard accessibility readiness guard and hardening update, PR #445's webhook delivery failure guard, API rate-limit contract work, vendor-DPA/subprocessor review, and other #19 enterprise tooling slices. No contributor-side code changes are pending unless reviewers request revisions.