Menu
Deploy applications that integrate with Lindy AI agents. Use when deploying webhook receivers, callback handlers, or applications connected to Lindy agents. Trigger with phrases like "deploy lindy", "lindy deployment", "lindy production deploy", "release lindy integration".
| name | lindy-deploy-integration |
| description | Deploy applications that integrate with Lindy AI agents. Use when deploying webhook receivers, callback handlers, or applications connected to Lindy agents. Trigger with phrases like "deploy lindy", "lindy deployment", "lindy production deploy", "release lindy integration". |
| allowed-tools | Read, Write, Edit, Bash(gh:*), Bash(docker:*), Bash(npm:*) |
| version | 1.0.0 |
| license | MIT |
| author | Jeremy Longshore <jeremy@intentsolutions.io> |
| tags | ["saas","lindy","deployment"] |
| compatibility | Designed for Claude Code, also compatible with Codex and OpenClaw |
Lindy agents run on Lindy's managed infrastructure. Deployment focuses on your integration layer: webhook receivers, callback handlers, and application code that Lindy agents interact with via HTTP Request actions and webhook triggers.
// src/server.ts — Production-ready Lindy webhook receiver
import express from 'express';
import helmet from 'helmet';
const app = express();
app.use(helmet());
app.use(express.json({ limit: '1mb' }));
// Health check for load balancer
app.get('/health', (req, res) => {
res.json({
status: 'ok',
timestamp: new Date().toISOString(),
version: process.env.APP_VERSION || 'unknown',
});
});
// Lindy webhook receiver with auth verification
app.post('/lindy/callback', (req, res) => {
const auth = req.headers.authorization;
if (auth !== `Bearer ${process.env.LINDY_WEBHOOK_SECRET}`) {
return res.status(401).json({ error: 'Unauthorized' });
}
// Respond immediately, process async
res.json({ received: true });
// Async processing
processWebhook(req.body).catch(err => {
console.error('Webhook processing error:', err);
});
});
async function processWebhook(payload: any) {
const { taskId, status, result } = payload;
// Your business logic here
console.log(`Task ${taskId}: ${status}`, result);
}
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => console.log(`Listening on :${PORT}`));
# Dockerfile
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY dist/ ./dist/
EXPOSE 3000
ENV NODE_ENV=production
HEALTHCHECK --interval=30s --timeout=3s \
CMD wget -qO- http://localhost:3000/health || exit 1
CMD ["node", "dist/server.js"]
# Build and run
docker build -t lindy-integration .
docker run -d \
-p 3000:3000 \
-e LINDY_API_KEY="$LINDY_API_KEY" \
-e LINDY_WEBHOOK_SECRET="$LINDY_WEBHOOK_SECRET" \
--name lindy-app \
lindy-integration
# Install Vercel CLI
npm i -g vercel
# Set secrets
vercel secrets add lindy-api-key "$LINDY_API_KEY"
vercel secrets add lindy-webhook-secret "$LINDY_WEBHOOK_SECRET"
# Deploy
vercel --prod
// vercel.json
{
"env": {
"LINDY_API_KEY": "@lindy-api-key",
"LINDY_WEBHOOK_SECRET": "@lindy-webhook-secret"
}
}
After deployment, update all Lindy agents with production URLs:
In Lindy dashboard, open each agent with a webhook trigger
Navigate to the HTTP Request action (if agent calls your API)
Update URL from dev/staging to production:
OLD: https://abc123.ngrok.io/lindy/callback
NEW: https://api.yourapp.com/lindy/callback
For webhook triggers, callers need the Lindy-generated URL (unchanged)
Test with a sample webhook to verify end-to-end
#!/bin/bash
echo "=== Post-Deploy Verification ==="
PROD_URL="https://api.yourapp.com"
# Health check
echo "[1/3] Health check..."
curl -sf "$PROD_URL/health" | jq .
# Webhook endpoint reachable
echo "[2/3] Webhook endpoint..."
STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
-X POST "$PROD_URL/lindy/callback" \
-H "Authorization: Bearer $LINDY_WEBHOOK_SECRET" \
-H "Content-Type: application/json" \
-d '{"test": true}')
echo "Webhook endpoint: HTTP $STATUS (expect 200)"
# Trigger a test agent run
echo "[3/3] Agent trigger test..."
curl -s -X POST "https://public.lindy.ai/api/v1/webhooks/YOUR_ID" \
-H "Authorization: Bearer $LINDY_WEBHOOK_SECRET" \
-H "Content-Type: application/json" \
-d '{"event": "deploy.verify", "env": "production"}'
echo "Agent triggered — check Tasks tab in Lindy dashboard"
# If deployment fails, rollback:
# Vercel
vercel rollback
# Docker
docker stop lindy-app
docker run -d --name lindy-app-rollback \
-e LINDY_API_KEY="$LINDY_API_KEY" \
-e LINDY_WEBHOOK_SECRET="$LINDY_WEBHOOK_SECRET" \
lindy-integration:previous-tag
# Update Lindy agents back to previous URLs if needed
| Step | Verification |
|---|---|
| Build passes | npm run build exits 0 |
| Tests pass | npm test all green |
| Secrets configured | API key + webhook secret in platform |
| Health check responds | GET /health returns 200 |
| Webhook auth works | POST with valid token returns 200 |
| Webhook auth rejects | POST without token returns 401 |
| Lindy agent URLs updated | HTTP Request actions point to prod |
| End-to-end test | Trigger agent, receive callback |
| Issue | Cause | Solution |
|---|---|---|
| Webhook 502 | App crashed/not running | Check container logs, restart |
| Webhook timeout | Slow processing | Respond 200 immediately, process async |
| Wrong URL in Lindy | Not updated post-deploy | Update HTTP Request action URLs |
| SSL error | Certificate issue | Verify HTTPS cert is valid |
| Secret mismatch | Dev secret in prod | Verify production secrets match Lindy config |
See lindy-webhooks-events for advanced webhook patterns.
Audit a Node.js project's installed npm dependency tree for known CVEs by wrapping the npm audit JSON output and emitting findings in the canonical penetration-tester schema. Detects direct AND transitive vulnerabilities, normalizes npm's severity scale (info/low/moderate/ high/critical) to the shared Severity enum, and parses both v1 and v2 audit output formats so the skill works against npm 6 and npm 7+ lockfiles. Use when: pre-merge gate on a Node project, post-incident sweep after a transitive package compromise (e.g. event-stream, ua-parser, node-ipc, color.js), SOC2 vendor-management evidence collection, or auditing an inherited or acquired Node codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit npm deps", "npm vulnerability scan", "check node packages for CVEs", "npm audit".
Audit a Python project's installed dependencies for known CVEs by wrapping pip-audit (PyPA's official vulnerability auditor) and emitting findings in the canonical penetration-tester schema. Detects vulnerable direct AND transitive packages, normalizes pip-audit's severity output via OSV severity bands, falls back to pip list --outdated when pip-audit isn't installed, and supports requirements.txt, pyproject.toml (PEP 621), Pipfile.lock, and poetry.lock as input sources. Use when: pre-merge gate on a Python project, post-incident sweep after a PyPI compromise (e.g. ctx, request-toolbelt typosquats, ultralytics 8.3.42 compromise), SOC2 evidence collection, or inheriting an unfamiliar Python codebase. Threshold: any HIGH or CRITICAL CVE in the resolved dependency tree. MODERATE / LOW reported informationally. Trigger with: "audit python deps", "pip vulnerability scan", "check pypi packages for CVEs", "pip-audit run".
Audit a project's dependency licenses against an explicit policy (allow-list / deny-list / review-required) and flag incompatibilities before they ship to production. Reads SPDX license identifiers from npm package manifests, Python METADATA / PKG-INFO files, and pyproject.toml; classifies each license by family (permissive, weak-copyleft, strong-copyleft, proprietary, unknown); detects copyleft contamination and SPDX-incompatible license combinations. Use when: pre-release legal review, M&A code-audit due diligence, preparing an OSS attribution NOTICE file, or switching a project's own license. Threshold: any GPL-family license in a project declaring MIT or Apache-2.0; any UNKNOWN-license package; any metadata-vs-source license mismatch. Trigger with: "check licenses", "license compliance audit", "SPDX scan", "GPL contamination check".
Read findings JSONL files from cluster 1-4 skills, deduplicate by fingerprint, group by severity, and compose a deliverable- grade markdown vulnerability report with per-finding sections (title, severity, target, detail, remediation, evidence) and a top-level summary table. The canonical written artifact a customer receives at engagement close; precise, reproducible, machine- checkable against source findings. Use when: closing an engagement, generating an interim report, regenerating after CVE or OWASP enrichment, or producing the input for generating-executive-summary. Threshold: findings missing required fields are dropped. HIGH and CRITICAL findings highlighted in the summary section. Trigger with: "compose vuln report", "write pentest report", "generate vulnerability deliverable", "render findings to report".
Verify that a penetration test has explicit, written, signed authorization before any scanning begins. Reads a Rules-of- Engagement (ROE) attestation file, validates required fields (authorizer, in-scope targets, time window, emergency contact, signature), checks the signer against an allowlist, and emits a CRITICAL finding if anything is missing. Designed as the first skill the orchestrator routes to. Use when: starting a new engagement, after a scope change, or before any cluster 1-4 scan skill runs. Threshold: any missing or unsigned ROE field; any time-window expiry; any in-scope target outside the authorized list. Trigger with: "confirm authorization", "verify ROE", "check pentest authz", "pre-flight authorization".
Parse the ROE scope definition, enumerate every in-scope target (hostnames, IPs, CIDRs, URLs, cloud accounts, SaaS tenants), validate syntax, detect overlap with out-of-scope or known third-party SaaS ranges, and emit a normalized target list plus IP allowlist for scanning tools. Runs after confirming-pentest- authorization and before any cluster 1-4 scan. Use when: starting an engagement, expanding scope mid-engagement, validating that a target list matches the ROE, or generating an allowlist for an external scanner. Threshold: malformed syntax, in-scope overlap with out-of-scope, reserved or third-party SaaS ranges without acknowledgement. Trigger with: "define scope", "enumerate targets", "validate target list", "generate IP allowlist".