From 775b9ac7e3f4f54023e89f13ce213bd2d917861b Mon Sep 17 00:00:00 2001 From: dave Date: Wed, 25 Mar 2026 14:07:37 +0000 Subject: [PATCH] storkit: create 388_story_whatsapp_webhook_hmac_signature_verification --- ...app_webhook_hmac_signature_verification.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md diff --git a/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md b/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md new file mode 100644 index 0000000..2f4fb09 --- /dev/null +++ b/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md @@ -0,0 +1,23 @@ +--- +name: "WhatsApp webhook HMAC signature verification" +retry_count: 3 +blocked: true +--- + +# Story 388: WhatsApp webhook HMAC signature verification + +## User Story + +As a bot operator, I want incoming WhatsApp webhook requests to be cryptographically verified, so that forged requests from unauthorized sources are rejected. + +## Acceptance Criteria + +- [ ] Meta webhooks: validate X-Hub-Signature-256 HMAC-SHA256 header using the app secret before processing +- [ ] Twilio webhooks: validate request signature using the auth token before processing +- [ ] Requests with missing or invalid signatures are rejected with 403 Forbidden +- [ ] Verification is fail-closed: if signature checking is configured, unsigned requests are rejected +- [ ] Existing bot.toml config is extended with any needed secrets (e.g. Meta app_secret for HMAC verification) + +## Out of Scope + +- TBD
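Review bot: the fail-closed criterion in the new story file is fail-open as worded. "Verification is fail-closed: if signature checking is configured, unsigned requests are rejected" means that when no Meta app_secret or Twilio auth token is present in bot.toml, checking is simply not "configured" and forged requests pass straight through. Suggest rewording to make a missing secret itself a rejection condition, e.g. "Verification is fail-closed: a missing app_secret / auth token causes incoming webhook requests to be rejected with 403 (or the bot to refuse to start), never skipped." Two further gaps in the acceptance criteria: the Meta item should state that the HMAC-SHA256 is computed over the raw request body bytes exactly as received (not over a re-serialized JSON object) and compared with a constant-time comparison, and the Twilio item should note that the signature covers the externally visible request URL, which behind a reverse proxy or TLS terminator is not what the handler sees, so the expected public URL must come from config. Finally, the frontmatter records `retry_count: 3` and `blocked: true` but nothing in the body says what the blocker is, and "Out of Scope" is still "TBD"; both should be filled in before this story leaves the backlog.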