From fae7b3be20adc74fe8b27d31a7f9bf5a57da66dc Mon Sep 17 00:00:00 2001
From: dave
Date: Wed, 25 Mar 2026 14:08:00 +0000
Subject: [PATCH] storkit: create 388_story_whatsapp_webhook_hmac_signature_verification
---
 .../388_story_whatsapp_webhook_hmac_signature_verification.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md b/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
index 2f4fb09..82c13b2 100644
--- a/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
+++ b/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
@@ -17,6 +17,7 @@ As a bot operator, I want incoming WhatsApp webhook requests to be cryptographic
 - [ ] Requests with missing or invalid signatures are rejected with 403 Forbidden
 - [ ] Verification is fail-closed: if signature checking is configured, unsigned requests are rejected
 - [ ] Existing bot.toml config is extended with any needed secrets (e.g. Meta app_secret for HMAC verification)
+- [ ] MUST use audited crypto crates (hmac, sha2, sha1, base64) — no hand-rolled cryptographic primitives
 ## Out of Scope