Feat/explicit http url + direct webhook public key

[thedevyashsaini]

No description provided.

[greptile-apps]

Greptile Summary

This PR replaces the internally-derived httpUrl (previously computed from baseURL via buildHttpUrl) with an explicit httpUrl constructor parameter, and adds an optional webhookPublicKey that pre-seeds the public-key cache so the first webhook() call avoids an extra HTTP round-trip.

• httpUrl is now a required field in both the Scrawn constructor and ScrawnInitConfig; the old buildHttpUrl helper is removed and a runtime guard is added to validate it.
• webhookPublicKey is an optional constructor option that, when provided, bypasses the lazy GET /api/v1/internals/webhook-endpoint/public-key fetch.
• scrawn.test.ts was updated with several copy-paste errors: multiple duplicate httpUrl keys in the same object literal (a TypeScript compile error) and one test fixture that is missing the now-required field entirely.

Confidence Score: 3/5

The core logic change is sound, but the test file has TypeScript compilation errors (duplicate keys + missing required field) and the changeset version bump is misclassified for what is a user-facing breaking change.

Making httpUrl required breaks every existing caller that relied on baseURL alone — this is a backward-incompatible API change shipped as a patch, so users on a patch-update policy will get runtime errors without warning. Separately, scrawn.test.ts has duplicate object-literal keys across five test cases, which TypeScript strict mode rejects as compile errors, meaning the test suite will fail tsc --noEmit.

packages/scrawn/tests/unit/scrawn/scrawn.test.ts has multiple duplicate keys and a missing required field; .changeset/ready-horses-punch.md has the wrong bump type for a breaking change.

Important Files Changed

Filename	Overview
.changeset/ready-horses-punch.md	New changeset for the feature, but incorrectly classifies a breaking required-field addition as a patch instead of minor/major.
examples/scrawn/biller.ts	Adds httpUrl and webhookPublicKey from environment variables; straightforward usage update, no issues.
packages/scrawn/src/core/auth/apiKeyAuth.ts	Exports isValidApiKey and validateApiKey for external use; no logic changes, safe.
packages/scrawn/src/core/scrawn.ts	httpUrl is now a required constructor parameter (passed directly instead of derived) and webhookPublicKey seeds the cache; breaking change with no format validation on the key.
packages/scrawn/tests/unit/scrawn/middleware.test.ts	Correctly adds the single httpUrl field to each test fixture; no issues.
packages/scrawn/tests/unit/scrawn/scrawn.test.ts	Multiple test cases contain 2–3 duplicate httpUrl keys in the same object literal (TypeScript compile error), and the config-validation test is missing the now-required httpUrl field.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[scrawn constructor called] --> B{apiKey valid?}
    B -- No --> C[throw ScrawnConfigError]
    B -- Yes --> D{baseURL valid?}
    D -- No --> C
    D -- Yes --> E{httpUrl valid? new check}
    E -- No --> C
    E -- Yes --> F[this.httpUrl = config.httpUrl direct assignment]
    F --> G{webhookPublicKey provided? new option}
    G -- Yes --> H[this.cachedPublicKey = webhookPublicKey skips HTTP fetch]
    G -- No --> I[cachedPublicKey stays null fetched lazily]
    H --> J[GrpcClient initialized with baseURL]
    I --> J
    J --> K[ApiKeyAuth registered]

    subgraph webhook[biller.webhook request]
        L{cachedPublicKey null?} -- No --> N[verifyWebhook with cached key]
        L -- Yes --> M[GET /api/v1/internals/webhook-endpoint/public-key]
        M --> N
    end

    K -.-> L

Loading

Comments Outside Diff (1)

1. packages/scrawn/tests/unit/scrawn/scrawn.test.ts, line 112-116 (link)

   The validates constructor config test calls scrawn without the now-required httpUrl field. TypeScript will flag this as a type error since ScrawnInitConfig.httpUrl is no longer optional. The test still passes at runtime because the apiKey: "" validation fires first, but it will fail tsc --noEmit checks.

_{Reviews (1): Last reviewed commit: "chore: release" | Re-trigger Greptile}

[greptile-apps]

Duplicate object keys cause TypeScript compilation errors

The same httpUrl key appears two or three times inside a single object literal in several test cases (lines 62-64, 83-84, 101-102, 122-123, 136-137). TypeScript's strict mode treats duplicate object literal keys as a compile-time error (An object literal cannot have multiple properties with the same name). Even in lenient environments the last value silently wins, which is confusing and masks intent. These duplicate entries should be collapsed to a single httpUrl property in each object.

This pattern repeats across at least five test cases in this file.

[greptile-apps]

Adding httpUrl as a required constructor argument is a breaking change: any existing caller that does not pass httpUrl will now receive a ScrawnConfigError at runtime. Under semantic versioning this requires at least a minor bump; if the library is already at a stable major version it may warrant a major bump. A patch release communicates bug fixes or non-breaking additions, which does not describe this change.

Suggested change

	---
	"@scrawn/core": patch
	---
	---
	"@scrawn/core": minor
	---

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

No validation of the supplied webhookPublicKey

The key is cached as-is without any format check. If a caller pastes a malformed or empty-after-trim key, verifyWebhook will use it silently and every webhook verification will fail — with no indication at construction time that the supplied key is wrong. A basic format guard (e.g., minimum length, expected PEM prefix) would surface the misconfiguration immediately.