Show webhook outcomes on admin page

[shootingallday]

Refs #316

What changed:

• Added a read-only recent webhook delivery outcomes section to the browser /admin page.
• Uses the existing admin cookie auth flow via /admin; the existing admin-token-only API path is unchanged.
• Supports webhook_status filtering and a bounded webhook_limit selector.
• Renders only safe fields: delivery id, event type, processed status, payload hash, and created-at time.
• Keeps payload bodies and token values out of the admin UI.
• Added regression coverage for admin-only rendering, processed-status filtering, limit bounds, and safe displayed fields.

Maintainer impact:

• Admins can quickly scan recent paid, missing submitter, bounty not found, and other webhook outcomes from the browser without using curl or log access.

Validation:

• uv run --with pytest pytest tests/test_security.py::test_admin_bounty_form_requires_csrf_for_cookie_auth tests/test_security.py::test_admin_page_renders_safe_webhook_events_for_cookie_admin tests/test_security.py::test_admin_webhook_events_api_lists_and_filters_processing_outcomes -q -> 3 passed.
• uv run --with ruff ruff check app/main.py tests/test_security.py -> passed.
• uv run --with ruff ruff format --check app/main.py tests/test_security.py -> passed.
• uv run --with mypy mypy app -> success.
• git diff --check -> clean.

No private keys, seed material, secrets, private vulnerability details, deployment credentials, webhook payload bodies, token values, payout details, or MRWK price claims are included.

Summary by CodeRabbit

• New Features
  • Added webhook event viewer to the admin dashboard with filtering and sorting capabilities.
  • Filter webhook events by processing status and configure result limits (1-100 results per page).
  • View recent webhook deliveries displaying event type, processing status, payload information, and creation timestamp.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d69a0cbe-48ae-4411-acba-19c288168c56

📥 Commits

Reviewing files that changed from the base of the PR and between 4b8baf7 and d09e38a.

📒 Files selected for processing (3)

• app/main.py
• app/templates/admin.html
• tests/test_security.py

---

📝 Walkthrough

Walkthrough

The PR adds webhook event display and filtering to the admin page. The /admin route handler now accepts webhook_status and webhook_limit query parameters, queries the database for filtered WebhookEvent records, and passes them to a new template section that renders a filterable webhook events table or an empty state. Tests validate the filtering behavior and safe rendering of event data.

Changes

Admin Webhook Event Display and Filtering

Layer / File(s)	Summary
Admin handler webhook query parameters and database logic app/main.py	The /admin route handler signature now includes webhook_status and webhook_limit query parameters with validation constraints (status optional, limit 1–100 default 25). The handler normalizes the status filter, queries WebhookEvent rows filtered by processed_status when provided, orders by most recent created_at/delivery_id, applies the limit, and passes normalized parameters plus the result list to the template.
Admin template webhook filtering and display app/templates/admin.html	A new "Webhooks" section is added to the admin page with a GET-based filter form accepting webhook_status and webhook_limit parameters, and conditional rendering that displays either a table of recent webhook events (delivery id, event type, processed status, payload hash, created timestamp) or a "No webhook events found" message.
Tests for webhook event filtering and safe rendering tests/test_security.py	The existing test_admin_bounty_form_requires_csrf_for_cookie_auth now calls create_schema() to initialize the database. A new test test_admin_page_renders_safe_webhook_events_for_cookie_admin verifies cookie-authenticated admin access, seeds multiple WebhookEvent records, validates filtering by status and limit query parameters, confirms expected event identifiers appear while sensitive payload-derived strings do not, checks that the rendered row count matches the limit, and asserts that an excessive webhook_limit returns HTTP 422.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• ramimbo/mergework#309: Adds webhook-event filtering and limiting to /api/v1/admin/webhook-events endpoint with similar query-parameter behavior and test coverage for filtering.

Suggested reviewers

• g8rr5dg2p7-svg
• weilixiong

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: adding webhook outcomes visibility to the admin page.
Description check	✅ Passed	The description is comprehensive, covering changes, functionality, testing validation, and security considerations. All key template sections are addressed with sufficient detail.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[aunysillyme]

No blockers from my review of the admin webhook outcomes page.

Evidence checked:

• Inspected app/main.py; the /admin route remains behind the existing admin cookie login path, adds bounded webhook_limit validation, normalizes optional webhook_status, and queries only WebhookEvent rows ordered by recent delivery data.
• Inspected app/templates/admin.html; the new admin table renders delivery id, event type, processed status, payload hash, and created timestamp, while avoiding webhook payload bodies, token values, and payout secrets.
• Inspected tests/test_security.py; the regression seeds multiple webhook outcomes, verifies unauthenticated admin access redirects, checks status filtering and limit behavior, asserts oversized limits return 422, and confirms a secret-like delivery string is not rendered from payload content.
• Checked live PR metadata: hosted quality check is green, CodeRabbit reports no actionable findings, and the PR is mergeable.

I did not find a blocker. The change is focused on admin-only operational visibility and does not expose private keys, webhook payload bodies, deployment credentials, private vulnerability details, payout credentials, or MRWK price claims.

[ayskobtw-lil]

No blockers from my review.

Evidence checked:

• Inspected the PR diff for app/main.py, app/templates/admin.html, and tests/test_security.py via GitHub's PR patch to avoid stale local-base noise.
• Verified /admin remains behind the existing admin cookie/OAuth path before any webhook event query is run.
• Checked the new query path: webhook_status is trimmed/lowercased before filtering, webhook_limit is bounded by FastAPI validation, and events are ordered by recent created_at / delivery_id with only WebhookEvent safe summary fields selected for display.
• Inspected the template: it renders delivery id, event type, processed status, payload hash, and created timestamp only; it does not expose raw webhook payloads, token values, request bodies, or payout secrets.
• Reviewed the regression: it covers unauthenticated redirect, admin-only rendering, status filtering, limit behavior, safe hash display, and absence of a sentinel payload-body string.

Validation run on current PR head d09e38a:

• python -m pytest tests/test_security.py::test_admin_bounty_form_requires_csrf_for_cookie_auth tests/test_security.py::test_admin_page_renders_safe_webhook_events_for_cookie_admin -q -> 2 passed
• python -m ruff check app/main.py tests/test_security.py -> All checks passed!
• python -m ruff format --check app/main.py tests/test_security.py -> 2 files already formatted