name validate-trigger description Audit an existing Sim webhook trigger against the service's webhook API docs and repository conventions, then report and fix issues across trigger definitions, provider handler, output alignment, registration, and security. Use when validating or repairing a trigger under `apps/sim/triggers/{service}/` or `apps/sim/lib/webhooks/providers/{service}.ts`.
Validate Trigger
You are an expert auditor for Sim webhook triggers. Your job is to validate that an existing trigger implementation is correct, complete, secure, and aligned across all layers.
Your Task
Read the service's webhook/API documentation (via WebFetch)
Read every trigger file, provider handler, and registry entry
Cross-reference against the API docs and Sim conventions
Report all issues grouped by severity (critical, warning, suggestion)
Fix all issues after reporting them
Step 1: Gather All Files
Read every file for the trigger — do not skip any:
apps/sim/triggers/{service}/ # All trigger files, utils.ts, index.ts
apps/sim/lib/webhooks/providers/{service}.ts # Provider handler (if exists)
apps/sim/lib/webhooks/providers/registry.ts # Handler registry
apps/sim/triggers/registry.ts # Trigger registry
apps/sim/blocks/blocks/{service}.ts # Block definition (trigger wiring)
Also read for reference:
apps/sim/lib/webhooks/providers/types.ts # WebhookProviderHandler interface
apps/sim/lib/webhooks/providers/utils.ts # Shared helpers (createHmacVerifier, etc.)
apps/sim/lib/webhooks/provider-subscription-utils.ts # Subscription helpers
apps/sim/lib/webhooks/processor.ts # Central webhook processor
Step 2: Pull API Documentation
Fetch the service's official webhook documentation. This is the source of truth for:
Webhook event types and payload shapes
Signature/auth verification method (HMAC algorithm, header names, secret format)
Challenge/verification handshake requirements
Webhook subscription API (create/delete endpoints, if applicable)
Retry behavior and delivery guarantees
Hard Rule: No Guessed Webhook Payload Schemas
If the official docs do not clearly show the webhook payload JSON for an event, you MUST tell the user instead of guessing.
Do NOT invent payload field names
Do NOT infer nested payload paths without evidence
Do NOT treat likely event shapes as verified
Do NOT accept formatInput mappings that are not backed by docs or live payloads
If a payload schema is unknown, validation must explicitly recommend:
sample webhook payloads,
a live test webhook source, or
trimming the trigger to only documented outputs.
Step 3: Validate Trigger Definitions
utils.ts
Trigger Files
Trigger ↔ Provider Alignment (CRITICAL)
Step 4: Validate Provider Handler
Auth Verification
Event Matching
formatInput (CRITICAL)
Idempotency
Challenge Handling (if applicable)
Step 5: Validate Automatic Subscription Lifecycle
If the service supports programmatic webhook creation:
createSubscription
deleteSubscription
Orchestration Isolation
Step 6: Validate Registration and Block Wiring
Trigger Registry (triggers/registry.ts)
Provider Handler Registry (providers/registry.ts)
Block Wiring (blocks/blocks/{service}.ts)
Step 7: Validate Security
Step 8: Report and Fix
Report Format
Group findings by severity:
Critical (runtime errors, security issues, or data loss):
Wrong HMAC algorithm or header name
formatInput keys don't match trigger outputs
Missing verifyAuth when the service sends signed webhooks
matchEvent returns non-boolean values
Provider-specific logic leaking into shared orchestration files
Trigger IDs mismatch between trigger files, registry, and block
createSubscription calling wrong API endpoint
Auth comparison using === instead of safeCompare
Warning (convention violations or usability issues):
Missing extractIdempotencyId when the service provides delivery IDs
Timestamps in idempotency keys (breaks dedup on retries)
Missing challenge handling when the service requires URL verification
Output schema missing fields that formatInput returns (undiscoverable data)
Overly tight timestamp skew window that rejects legitimate retries
matchEvent not filtering challenge/verification events
Setup instructions missing important steps
Suggestion (minor improvements):
More specific output field descriptions
Additional output fields that could be exposed
Better error messages in createSubscription
Logging improvements
Fix All Issues
After reporting, fix every critical and warning issue. Apply suggestions where they don't add unnecessary complexity.
Validation Output
After fixing, confirm:
bun run type-check passes
Re-read all modified files to verify fixes are correct
Provider handler tests pass (if they exist): bun test {service}
Any remaining unknown webhook payload schemas were explicitly reported to the user instead of guessed
Checklist Summary
Read all trigger files, provider handler, types, registries, and block
Pulled and read official webhook/API documentation
Validated trigger definitions: options, instructions, extra fields, outputs
Validated primary/secondary trigger distinction (includeDropdown)
Validated provider handler: auth, matchEvent, formatInput, idempotency
Validated output alignment: every outputs key ↔ every formatInput key
Validated subscription lifecycle: createSubscription, deleteSubscription, no shared-file edits
Validated registration: trigger registry, handler registry, block wiring
Validated security: safe comparison, no secret logging, replay protection
Reported all issues grouped by severity
Fixed all critical and warning issues
bun run type-check passes after fixes