feat(triggers): add Twilio SMS, Clerk, incident.io, Rootly, RevenueCat, Loops, and Sentry webhook triggers by waleedlatif1 · Pull Request #5230 · simstudioai/sim

waleedlatif1 · 2026-06-27T00:52:52Z

Summary

Add inbound webhook triggers for seven existing integrations: Twilio SMS, Clerk, incident.io, Rootly, RevenueCat, Loops, and Sentry
Each trigger's event types, payload fields, and signature scheme were verified against the provider's official webhook docs (no guessed schemas); outputs and formatInput are 1:1 aligned
Rootly and RevenueCat auto-provision and tear down their webhook via the provider API (createSubscription/deleteSubscription) — the user only supplies an API key. The other five use signed manual setup because the provider exposes no clean webhook-management API (dashboard-only, destructive resource-overwrite, or undocumented/org-admin-scoped)
All triggers verify signatures (Svix / HMAC-SHA1 / HMAC-SHA256 / Authorization header) with safeCompare, fail closed where the provider always signs, and use stable timestamp-free idempotency keys

Triggers

Twilio SMS — inbound message + status callback (X-Twilio-Signature, HMAC-SHA1; form-encoded)
Clerk — user / session / organization lifecycle (Svix)
incident.io — incident created/updated/status-updated + alert created (Svix)
Rootly — incident created/updated/resolved + alert created (HMAC-SHA256); auto-registers
RevenueCat — initial purchase / renewal / cancellation / expiration / non-renewing / product change (Authorization header); auto-registers via v2 API
Loops — email delivered/opened/clicked/bounced + campaign/loop/transactional sent (Svix-compatible)
Sentry — issue created/resolved, error, issue alert, metric alert (Sentry-Hook-Signature, HMAC-SHA256, fail-closed)

Type of Change

New feature

Testing

75 provider-handler unit tests across the seven services (signature verify, event matching, formatInput ↔ outputs alignment, idempotency, and auto-register create/delete for Rootly + RevenueCat) — all passing
tsc --noEmit clean; biome check clean

Checklist

Code follows project style guidelines
Self-reviewed my changes
Tests added/updated and passing
No new warnings introduced
I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

…t, Loops, Sentry webhook triggers Adds inbound webhook triggers for seven existing integrations, each verified against the provider's official webhook docs (event types, payload fields, signature scheme) and aligned with Sim's trigger conventions. - Twilio SMS: inbound message + status callback (X-Twilio-Signature, HMAC-SHA1) - Clerk: user/session/organization lifecycle (Svix) - incident.io: incident created/updated/status + alert created (Svix) - Rootly: incident created/updated/resolved + alert created (HMAC-SHA256); auto-registers and tears down the webhook via the Rootly API - RevenueCat: purchase/renewal/cancellation/expiration/product-change (Authorization header); auto-registers via the RevenueCat v2 API - Loops: email lifecycle + campaign/loop/transactional sent (Svix-compatible) - Sentry: issue/error/issue-alert/metric-alert (Sentry-Hook-Signature, fail-closed) Clerk, incident.io, Loops, Twilio, and Sentry use manual signing-secret setup where the provider exposes no clean webhook-management API; Rootly and RevenueCat auto-provision so the user only supplies an API key.

vercel · 2026-06-27T00:52:59Z

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Jun 27, 2026 1:42am

cursor · 2026-06-27T00:53:02Z

PR Summary

Medium Risk
New public webhook ingress paths and auth/idempotency logic must be correct to avoid forged events or missed/duplicate runs; RevenueCat/Rootly auto-provisioning adds deploy-time API side effects with stored secrets.

Overview
This PR turns on webhook-based workflow triggers for Clerk, incident.io, Loops, RevenueCat, Rootly, Sentry, and Twilio SMS by registering many new trigger IDs, wiring them into the matching integration blocks (triggers.enabled, getTrigger(...).subBlocks), and adding provider handlers in the webhook registry.

Each new handler implements fail-closed auth (Svix-style signatures for Clerk/incident.io/Loops, HMAC for Rootly/Sentry, Authorization header for RevenueCat, existing Twilio signature verification), trigger-scoped matchEvent, normalized formatInput, and stable idempotency keys. RevenueCat and Rootly also gain createSubscription / deleteSubscription so Sim registers and removes remote webhook endpoints on deploy/undeploy; the other providers rely on dashboard setup plus pasted signing secrets.

Twilio SMS is extended beyond verification-only: it now splits inbound vs status callbacks, maps form payloads to workflow inputs (including MMS media), and dedupes status updates by SID + delivery state. A few blocks mark sensitive API fields as paramVisibility: 'user-only'. Broad unit test coverage accompanies the new providers and Twilio behavior changes.

^{Reviewed by Cursor Bugbot for commit f5af963. Configure here.}

greptile-apps · 2026-06-27T00:55:31Z

Greptile Summary

This PR adds webhook triggers for several existing integrations. The main changes are:

New inbound webhook triggers for Twilio SMS, Clerk, incident.io, Rootly, RevenueCat, Loops, and Sentry.
Provider-specific signature checks and event matching for the new webhook handlers.
Auto-provisioned webhook subscriptions for Rootly and RevenueCat.
Trigger subBlocks wired into the existing integration block configs.

Confidence Score: 5/5

This looks safe to merge.

No blocking issues found in the changed code.

Important Files Changed

Filename	Overview
apps/sim/blocks/blocks/revenuecat.ts	Adds RevenueCat trigger subBlocks and keeps the shared API key user-only.
apps/sim/blocks/blocks/rootly.ts	Adds Rootly trigger subBlocks and keeps the shared API key user-only.
apps/sim/blocks/blocks/twilio.ts	Adds Twilio SMS trigger subBlocks and keeps the auth token user-only.
apps/sim/lib/webhooks/providers/revenuecat.ts	Rejects RevenueCat webhook requests when the stored auth secret is missing.
apps/sim/lib/webhooks/providers/rootly.ts	Rejects Rootly webhook requests when the stored signing secret is missing.

_{Reviews (6): Last reviewed commit: "fix(triggers): mark shared block-level A..." | Re-trigger Greptile}

…ing, user-only secrets - Twilio: add matchEvent so inbound-SMS and status-callback triggers don't cross-fire on a shared webhook URL (inbound = SmsStatus 'received') - Rootly + RevenueCat: verifyAuth now fails closed (401) when the signing secret is absent from provider config (both auto-register, so it is always present after deploy) instead of skipping verification - Mark every user-provided credential field paramVisibility 'user-only' (Clerk, incident.io, RevenueCat, Sentry, Twilio) so secrets are never exposed as LLM-visible trigger params - Sentry: correct metric_alert web_url description per docs

waleedlatif1 · 2026-06-27T01:10:49Z

@greptile

waleedlatif1 · 2026-06-27T01:10:50Z

@cursor review

…tency Twilio sends multiple delivery callbacks per message (sent -> delivered -> ...) sharing one MessageSid; keying idempotency on the SID alone dropped every status after the first. Status callbacks now key on SID + delivery status so each state is distinct (while still deduping Twilio's retries of the same status); inbound messages still key by SID since they fire once.

waleedlatif1 · 2026-06-27T01:18:46Z

@greptile

waleedlatif1 · 2026-06-27T01:18:46Z

@cursor review

Previously an empty MessageStatus/SmsStatus was treated as a status callback, so an ambiguous or partial payload could match twilio_sms_status (or skip twilio_sms_received). Both triggers now require a positive signal — inbound needs status 'received', status callbacks need a non-'received' status — so a payload missing both fields matches neither rather than misrouting.

waleedlatif1 · 2026-06-27T01:24:40Z

@greptile

waleedlatif1 · 2026-06-27T01:24:40Z

@cursor review

…allbacks are verified The Account SID / Auth Token fields were only on the primary trigger, so deploying twilio_sms_status alone never captured authToken into providerConfig and signature verification was silently skipped. Following the incident.io / Rootly / RevenueCat pattern, the auth fields are now added to each trigger conditioned on its own selectedTriggerId; the shared inner subBlock IDs keep the values persisted across trigger types.

waleedlatif1 · 2026-06-27T01:33:26Z

@greptile

waleedlatif1 · 2026-06-27T01:33:27Z

@cursor review

cursor

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 3625f27. Configure here.}

…trigger secrets The trigger credential fields (RevenueCat/Rootly apiKey, Twilio authToken) are user-only, but the same-id tool-level block fields were not, so the stored secret stayed reachable as an LLM-visible block parameter. Mark those block credential fields paramVisibility 'user-only' too (matching instantly.ts) so the secret is user-only on every path. accountSid is an identifier, not a secret, so it is left as-is.

waleedlatif1 · 2026-06-27T01:42:14Z

@greptile

waleedlatif1 · 2026-06-27T01:42:15Z

@cursor review

cursor

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit f5af963. Configure here.}