markus41/Linear Webhooks (Verify, Replay, DLQ)
plugins/linear-orchestrator/skills/linear-webhooks/SKILL.md
This skill should be used when registering, verifying, or processing Linear webhooks — HMAC signatures, replay protection, idempotency, dead-letter queues. Activates on "linear webhook", "webhook signature", "Linear-Signature", "webhook secret".
$ install --global
skillsauthnpx skillsauth add markus41/claude Linear Webhooks (Verify, Replay, DLQ)Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 7, 2026, 7:40 AM131.1s1 file scanned
SKILL.md
- name:
- Linear Webhooks (Verify, Replay, DLQ)
- description:
- This skill should be used when registering, verifying, or processing Linear webhooks — HMAC signatures, replay protection, idempotency, dead-letter queues. Activates on "linear webhook", "webhook signature", "Linear-Signature", "webhook secret".
- version:
- 1.0.0
Linear Webhooks
Reference: https://linear.app/developers/webhooks
Signature verification
Linear signs every delivery with HMAC-SHA256:
Linear-Signature: <hex digest>
Verify in constant time:
import { createHmac, timingSafeEqual } from "node:crypto";
export function verifyLinearSignature(rawBody: Buffer, signature: string, secret: string): boolean {
const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
const a = Buffer.from(signature, "hex");
const b = Buffer.from(expected, "hex");
if (a.length !== b.length) return false;
return timingSafeEqual(a, b);
}
Always read the raw body bytes, not the parsed JSON. Express:
app.use("/linear/webhook", express.raw({ type: "application/json" }));
Replay protection
Each delivery has a webhookTimestamp field in the JSON body (Unix ms). Reject events older than 5 minutes:
if (Math.abs(Date.now() - body.webhookTimestamp) > 5 * 60_000) reject();
Idempotency
Linear may re-deliver. Each event has:
delivery.id— unique per delivery (use this!)data.id— entity ID
Store seen delivery.id in Redis with 7-day TTL; ignore duplicates.
Resource types
Issue, IssueLabel, Comment, Cycle, Project, ProjectUpdate, Initiative, InitiativeUpdate, Customer, CustomerNeed, Reaction, Attachment, Document.
Subscribe selectively — fewer types means smaller event volume.
Action types
create | update | remove. Some resources support more; consult the schema.
Body shape
{
"action": "update",
"actor": { "id": "...", "name": "..." },
"createdAt": "2026-04-30T12:00:00.000Z",
"data": { /* the resource */ },
"type": "Issue",
"url": "https://linear.app/...",
"webhookTimestamp": 1714478400000,
"webhookId": "...",
"delivery": { "id": "..." }
}
Re-fetch on demand
Don't trust webhook payload state for reads. Linear may send out-of-order events. After receiving an Issue update, re-fetch via GraphQL using the id to get the canonical state.
Dead-Letter Queue
Implementation in lib/webhook-dlq.ts:
- After 3 failed processings, write to DLQ table with: delivery ID, payload, error, attempts
/linear:webhook dlqlists;/linear:webhook replay --since 24hretries from DLQ- Alert (Slack / PagerDuty) when DLQ depth > 10
Local testing
Use ngrok http 3000 and set the public URL as the webhook URL. Linear has no built-in test-replay UI; use webhookTest mutation if available, or the DLQ replay path.
Webhook security checklist
- [x] HTTPS only
- [x] Signature verified before any body parsing beyond raw read
- [x] 5-minute timestamp window
- [x]
delivery.ididempotency - [x] Re-fetch authoritative state via GraphQL
- [x] DLQ with bounded retry
- [x] Webhook secret rotated yearly
Related Skills
markus41/writing-plans-enhanced
development
VerifiedTrustedCommunity
Enhanced plan-authoring skill with Pre-Writing context gathering, task metadata, non-TDD templates, Red Flags, telemetry, and an automated plan linter. Use when you have a spec or requirements for a multi-step task, before touching code.
13SKILL.mdUpdated Apr 25, 2026
markus41/plugins/scrapin-aint-easy
tools
VerifiedTrustedCommunity
Documentation intelligence engine with graph-based API docs, algorithm library, and drift detection
13SKILL.mdUpdated Apr 17, 2026
markus41/ultraplan
tools
VerifiedTrustedCommunity
Ultraplan cloud planning — kick off a plan in the cloud from your terminal, review and revise in the browser, then execute remotely or send back to CLI
13SKILL.mdUpdated Apr 17, 2026
markus41/plugins/claude-code-expert/skills/mcp
tools
VerifiedTrustedCommunity
--- name: mcp description: Configure MCP servers for Claude Code — stdio vs HTTP, authentication, Tools/Resources/Prompts distinction, channels (CI webhook, mobile relay, Discord bridge, fakechat), and cost of always-loaded tools. Use this skill whenever adding an MCP server, debugging connection issues, choosing between MCP Tools vs Prompts vs Resources, installing channel servers, or managing .mcp.json. Triggers on: "MCP server", "mcp config", "add Obsidian MCP", "install context7", "channels"
13SKILL.mdUpdated Apr 17, 2026