Webhook idempotency proof.

A redacted or synthetic proof that checks inbound events before any downstream write. Safe rows become an accepted event ledger; duplicate ids, invalid signatures, unsupported event types, tenant mismatches, inactive tenants, and missing fields are blocked visibly. No client data, credentials, APIs, or live writes are used.

Accepted Events CSV Blocked Events CSV Error Log CSV Webhook Events CSV Tenant Registry CSV Runbook Source Script

Input

Eight mock webhook events and three mock tenants for a multi-tenant event-ingestion path.

Accepted

One signed event for an active tenant passes idempotency and tenant-boundary checks.

Blocked

Six unsafe events and one hard error are visible before any handler could run.

HMAC Gate

Unsigned or invalid events stop before the event log, handler, or any customer-facing action.

Supabase Event Log

Accepted, blocked, and error rows stay queryable so replay decisions are based on evidence.

Restaurant Boundary

The event tenant and payload restaurant_id must match an active tenant before work continues.

Event	Status	Issue	Evidence	Reviewer Action
evt-7001	accepted	safe booking event	signature, idempotency claim, and tenant match all pass.	Send to the approved handler.
evt-7001 replay	blocked	duplicate idempotency key	Event id was already claimed earlier in the run.	Ignore side effects unless payload differs.
evt-7003	blocked	invalid signature	signature_valid=false in mock event source.	Reject and investigate source credentials.
evt-7005	blocked	tenant boundary mismatch	Payload restaurant id disagrees with the event tenant.	Resolve tenant mapping before replay.