CCM-16073 - Enhanced callbacks #145

Draft
rhyscoxnhs wants to merge 68 commits into main from feature/CCM-16073

@rhyscoxnhs

Description

Context

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you to NOT include PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PRs that contain any sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

@rhyscoxnhs rhyscoxnhs requested review from a team as code owners April 15, 2026 10:34
@rhyscoxnhs rhyscoxnhs changed the title CCM-16073 - Enhanced callbacks [skip ci] CCM-16073 - Enhanced callbacks Apr 15, 2026
@rhyscoxnhs rhyscoxnhs requested a review from Copilot April 15, 2026 10:35

Copilot AI left a comment

Pull request overview

Introduces enhanced callback delivery security and operational controls by adding mTLS + certificate pinning configuration to callback targets, and shifting delivery from direct EventBridge API Destinations to an SQS + per-client HTTPS delivery Lambda model (with Redis-backed gating for rate limiting/circuit breaking).

Changes:

  • Add mtls, certPinning, and delivery fields to callback target model + schema validation, and update fixtures/tests accordingly.
  • Add CLI commands to manage mTLS, certificate pinning enable/disable, and SPKI hash extraction/storage for targets.
  • Add new https-client-lambda (delivery, signing, retries, DLQ handling, Redis/Lua gate) and new shared config-cache package; update Terraform to provision per-client delivery infra (SQS/Lambda/ElastiCache) and mock mTLS ALB.

Reviewed changes

Copilot reviewed 104 out of 107 changed files in this pull request and generated 7 comments.

File Description
tools/client-subscriptions-management/src/entrypoint/cli/targets-set-pinning.ts New CLI command to enable/disable certificate pinning for a target.
tools/client-subscriptions-management/src/entrypoint/cli/targets-set-mtls.ts New CLI command to enable/disable mTLS for a target.
tools/client-subscriptions-management/src/entrypoint/cli/targets-set-certificate.ts New CLI command to extract/store SPKI hash from PEM for a target.
tools/client-subscriptions-management/src/entrypoint/cli/clients-put.ts Minor cleanup in CLI file handling comment.
tools/client-subscriptions-management/src/domain/client-subscription-builder.ts Adds default mtls/certPinning and emits security warnings when building targets.
tools/client-subscriptions-management/src/tests/helpers/client-subscription-fixtures.ts Updates test target fixtures with required mtls/certPinning fields.
tools/client-subscriptions-management/src/tests/entrypoint/cli/targets-set-pinning.test.ts Unit tests for targets-set-pinning CLI behavior.
tools/client-subscriptions-management/src/tests/entrypoint/cli/targets-set-mtls.test.ts Unit tests for targets-set-mtls CLI behavior.
tools/client-subscriptions-management/src/tests/entrypoint/cli/targets-set-certificate.test.ts Unit tests for targets-set-certificate CLI behavior.
tools/client-subscriptions-management/src/tests/domain/client-subscription-builder.test.ts Adds tests around security warning emission in target builder.
tools/client-subscriptions-management/package.json Adds picocolors dependency for warning output.
tests/integration/helpers/mock-client-config.ts Adds a new integration fixture key for an mTLS-enabled mock client.
tests/integration/helpers/event-factories.ts Adds factory for delivery messages compatible with the new delivery flow.
tests/integration/fixtures/subscriptions/mock-client-rate-limit.json New integration fixture including required mtls/certPinning.
tests/integration/fixtures/subscriptions/mock-client-mtls.json New integration fixture for mTLS + pinning enabled target.
tests/integration/fixtures/subscriptions/mock-client-circuit-breaker.json New integration fixture including delivery circuit breaker configuration.
tests/integration/fixtures/subscriptions/mock-client-2.json Updates existing integration fixture targets to include mtls/certPinning.
tests/integration/fixtures/subscriptions/mock-client-1.json Updates existing integration fixture targets to include mtls/certPinning.
src/models/src/client-config.ts Extends callback target type with mtls, certPinning, and optional delivery.
src/models/src/client-config-schema.ts Adds Zod validation for mtls, certPinning (incl. SPKI hash constraints), and delivery.
src/models/src/tests/client-config-schema.test.ts Adds/updates schema tests for new target fields and constraints.
src/config-cache/tsconfig.json New package tsconfig for config-cache workspace.
src/config-cache/src/index.ts Exports ConfigCache from new workspace package.
src/config-cache/src/config-cache.ts Implements TTL-based in-memory config cache.
src/config-cache/src/tests/config-cache.test.ts Unit tests for ConfigCache TTL and behaviors.
src/config-cache/package.json New workspace package definition for config-cache.
src/config-cache/jest.config.ts Jest config for config-cache package.
scripts/config/pre-commit.yaml Adjusts pre-commit detect-private-key exclusions for a test file.
pnpm-workspace.yaml Adds workspace catalog entries for @redis/client, picocolors, and Secrets Manager SDK.
lambdas/mock-webhook-lambda/src/index.ts Adds ALB mTLS client-cert header validation for mock webhook endpoint.
lambdas/mock-webhook-lambda/src/tests/index.test.ts Adds unit tests for ALB mTLS certificate verification flow.
lambdas/https-client-lambda/tsconfig.json New lambda workspace tsconfig.
lambdas/https-client-lambda/src/services/ssm-applications-map.ts Loads and caches clientId→applicationId map from SSM.
lambdas/https-client-lambda/src/services/sqs-visibility.ts SQS ChangeMessageVisibility helper.
lambdas/https-client-lambda/src/services/record-result.lua Redis Lua script to update circuit breaker state.
lambdas/https-client-lambda/src/services/payload-signer.ts Adjusts payload signer function signature (parameter order).
lambdas/https-client-lambda/src/services/logger.ts Re-exports shared logger for lambda local imports.
lambdas/https-client-lambda/src/services/endpoint-gate.ts Redis admission + circuit-breaker integration (EVALSHA/EVAL Lua execution).
lambdas/https-client-lambda/src/services/dlq-sender.ts DLQ send helper.
lambdas/https-client-lambda/src/services/delivery/tls-agent-factory.ts Builds TLS agent with optional mTLS material and SPKI pinning.
lambdas/https-client-lambda/src/services/delivery/retry-policy.ts Retry/backoff and Retry-After parsing helpers.
lambdas/https-client-lambda/src/services/delivery/https-client.ts HTTPS delivery client + result classification.
lambdas/https-client-lambda/src/services/delivery-metrics.ts Embedded metrics emission for delivery and circuit-breaker events.
lambdas/https-client-lambda/src/services/config-loader.ts Loads client config/targets from S3 with TTL caching and schema validation.
lambdas/https-client-lambda/src/services/admit.lua Redis Lua script for token-bucket rate limiting + CB admission.
lambdas/https-client-lambda/src/lua.d.ts Type declaration for importing .lua as text.
lambdas/https-client-lambda/src/index.ts Lambda entrypoint delegating to record processor.
lambdas/https-client-lambda/src/handler.ts Main SQS batch handler: load config, sign, gate, deliver, retry/DLQ, metrics.
lambdas/https-client-lambda/src/tests/tls-agent-factory.test.ts Unit tests for TLS agent factory behavior (S3/SecretsManager/pinning).
lambdas/https-client-lambda/src/tests/ssm-applications-map.test.ts Unit tests for SSM applications map loading/caching/errors.
lambdas/https-client-lambda/src/tests/sqs-visibility.test.ts Unit tests for SQS visibility changes.
lambdas/https-client-lambda/src/tests/retry-policy.test.ts Unit tests for retry policy helpers.
lambdas/https-client-lambda/src/tests/payload-signer.test.ts Unit tests for payload signing.
lambdas/https-client-lambda/src/tests/index.test.ts Unit test for lambda entrypoint wiring.
lambdas/https-client-lambda/src/tests/https-client.test.ts Unit tests for delivery HTTP behavior classification.
lambdas/https-client-lambda/src/tests/handler.test.ts Unit tests for SQS record processing paths (DLQ/retry/gate/CB).
lambdas/https-client-lambda/src/tests/endpoint-gate.test.ts Unit tests for Redis Lua invocation paths and client creation.
lambdas/https-client-lambda/src/tests/dlq-sender.test.ts Unit tests for DLQ sender.
lambdas/https-client-lambda/src/tests/delivery-metrics.test.ts Unit tests for embedded metrics behavior.
lambdas/https-client-lambda/src/tests/config-loader.test.ts Unit tests for S3 config loading + TTL cache.
lambdas/https-client-lambda/package.json New lambda workspace package definition.
lambdas/https-client-lambda/lua-transform.js Jest transform to load .lua scripts as strings.
lambdas/https-client-lambda/jest.config.ts Jest config enabling .lua transform.
lambdas/client-transform-filter-lambda/src/services/observability.ts Removes callback signing observability (signing moved downstream).
lambdas/client-transform-filter-lambda/src/services/config-loader.ts Switches to shared config-cache package import.
lambdas/client-transform-filter-lambda/src/services/config-loader-service.ts Switches to shared config-cache package import.
lambdas/client-transform-filter-lambda/src/index.ts Removes ApplicationsMapService wiring from handler creation.
lambdas/client-transform-filter-lambda/src/handler.ts Removes per-target signatures from output; outputs deliverable payload + subscriptions only.
lambdas/client-transform-filter-lambda/src/tests/services/payload-signer.test.ts Removes tests for payload signing in transform-filter lambda.
lambdas/client-transform-filter-lambda/src/tests/services/config-update.component.test.ts Updates imports to new config-cache package.
lambdas/client-transform-filter-lambda/src/tests/services/config-loader.test.ts Updates imports to new config-cache package.
lambdas/client-transform-filter-lambda/src/tests/services/config-cache.test.ts Updates imports to new config-cache package.
lambdas/client-transform-filter-lambda/src/tests/index.test.ts Updates tests to reflect removal of signatures and apps map dependency.
lambdas/client-transform-filter-lambda/src/tests/index.component.test.ts Updates component tests to reflect new payload shape and removed SSM dependency.
lambdas/client-transform-filter-lambda/src/tests/helpers/client-subscription-fixtures.ts Updates target fixtures to include required mtls/certPinning.
lambdas/client-transform-filter-lambda/package.json Adds config-cache workspace dependency.
knip.ts Updates Knip workspace config (new workspaces and integration entrypoints).
infrastructure/terraform/modules/client-destination/variables.tf Removes legacy API Destination-based module.
infrastructure/terraform/modules/client-destination/module_target_dlq.tf Removes legacy per-target DLQ module.
infrastructure/terraform/modules/client-destination/locals.tf Removes legacy locals for old module.
infrastructure/terraform/modules/client-destination/iam_role_api_target_role.tf Removes legacy IAM role/policy for API destinations.
infrastructure/terraform/modules/client-destination/cloudwatch_event_rule_main.tf Removes legacy EventBridge rule/target to API destination setup.
infrastructure/terraform/modules/client-destination/cloudwatch_event_connection_main.tf Removes legacy EventBridge Connection resources.
infrastructure/terraform/modules/client-destination/cloudwatch_event_api_destination_this.tf Removes legacy API Destination resources.
infrastructure/terraform/modules/client-destination/README.md Removes docs for legacy module.
infrastructure/terraform/modules/client-delivery/variables.tf Adds new per-client delivery module variables.
infrastructure/terraform/modules/client-delivery/outputs.tf Adds outputs for per-client queues and lambda details.
infrastructure/terraform/modules/client-delivery/module_sqs_per_client.tf Provisions per-client delivery SQS queue.
infrastructure/terraform/modules/client-delivery/module_https_client_lambda.tf Provisions per-client https-client lambda + SQS event source mapping.
infrastructure/terraform/modules/client-delivery/module_dlq_per_client.tf Provisions per-client DLQ + DLQ depth alarm.
infrastructure/terraform/modules/client-delivery/locals.tf Defines naming/tagging locals for per-client module.
infrastructure/terraform/modules/client-delivery/iam_role_sqs_target.tf IAM policy for https-client lambda (SQS/S3/SSM/KMS and optional SecretsManager/S3 cert).
infrastructure/terraform/modules/client-delivery/cloudwatch_event_rule_per_subscription.tf Defines EventBridge rules/targets routing to per-client SQS delivery queue.
infrastructure/terraform/modules/client-delivery/README.md Adds docs for new per-client delivery module.
infrastructure/terraform/components/callbacks/variables.tf Enables X-Ray by default and adds mTLS-related component variables.
infrastructure/terraform/components/callbacks/pipes_pipe_main.tf Removes signatures from Pipe output template.
infrastructure/terraform/components/callbacks/module_mock_webhook_alb_mtls.tf Adds internal ALB + ACM import + passthrough mTLS wiring for mock webhook.
infrastructure/terraform/components/callbacks/module_client_destination.tf Removes legacy client_destination module usage.
infrastructure/terraform/components/callbacks/module_client_delivery.tf Adds per-client delivery module instantiation.
infrastructure/terraform/components/callbacks/locals.tf Reworks locals for per-client subscriptions/targets and mTLS mock endpoint selection.
infrastructure/terraform/components/callbacks/elasticache_delivery_state.tf Adds ElastiCache Serverless Redis for delivery state + security groups/alarms.
infrastructure/terraform/components/callbacks/cloudwatch_metric_alarm_dlq_depth.tf Removes legacy per-target DLQ alarm (replaced by per-client alarms).
infrastructure/terraform/components/callbacks/cloudwatch_eventbus_main.tf Adds EventBridge archive for 7-day retention.
infrastructure/terraform/components/callbacks/README.md Updates docs to reflect new modules, variables, and defaults.
eslint.config.mjs Ignores lua-transform.js and expands rule scope to include src workspaces.
.gitleaksignore Adds ignore for test private key fixture in tls-agent-factory tests.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported
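
How an SPKI pin of the kind described in the overview above can be derived from PEM and enforced during the TLS handshake, as an added example in plain Node.js (not code from this pull request). The function names, the host name and the fail-closed rule for an empty pin list are assumptions; the keys are generated in-process as constructed sample data.

```javascript
const crypto = require('node:crypto');
const tls = require('node:tls');

// An SPKI pin is base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
// It identifies the key, so it survives certificate renewal with the same key
// and changes when the endpoint rotates its key pair.
function spkiPinFromDer(spkiDer) {
  return crypto.createHash('sha256').update(spkiDer).digest('base64');
}

// Accepts either a PEM certificate or a PEM public key.
function spkiPinFromPem(pem) {
  const key = pem.includes('-----BEGIN CERTIFICATE-----')
    ? new crypto.X509Certificate(pem).publicKey
    : crypto.createPublicKey(pem);
  return spkiPinFromDer(key.export({ type: 'spki', format: 'der' }));
}

// Builds a checkServerIdentity hook for https.Agent / tls.connect options.
// Pinning is applied on top of normal host name verification, never instead of it.
function pinnedIdentityCheck(allowedPins) {
  const pins = new Set(allowedPins);
  // Assumption: pinning switched on with no pins is a config error, so fail closed.
  if (pins.size === 0) throw new Error('pinning enabled with no pins configured');
  return (host, cert) => {
    const nameError = tls.checkServerIdentity(host, cert);
    if (nameError) return nameError;
    // cert.pubkey on a peer certificate object is the DER SubjectPublicKeyInfo.
    const presented = spkiPinFromDer(cert.pubkey);
    if (!pins.has(presented)) {
      return new Error(`SPKI pin mismatch for ${host}: presented ${presented}`);
    }
    return undefined; // undefined means the peer is accepted
  };
}

// Constructed sample: two EC keys standing in for an endpoint before and after
// key rotation, wrapped in minimal peer-certificate-shaped objects.
function demo() {
  const host = 'callback.example.test'; // hypothetical host name
  const newKey = () =>
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }).publicKey;
  const current = newKey();
  const rotated = newKey();
  const peer = (key) => ({
    subject: { CN: host },
    subjectaltname: `DNS:${host}`,
    pubkey: key.export({ type: 'spki', format: 'der' }),
  });
  const pin = spkiPinFromPem(current.export({ type: 'spki', format: 'pem' }));
  const check = pinnedIdentityCheck([pin]);
  return {
    pin,
    sameKey: check(host, peer(current)),           // accepted
    rotatedKey: check(host, peer(rotated)),        // rejected: pin mismatch
    wrongHost: check('other.example.test', peer(current)), // rejected: name
  };
}
```

Storing a second pin for the next key before rotation lets the endpoint change keys without a delivery outage.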


Comment thread lambdas/https-client-lambda/src/services/delivery/https-client.ts
Comment thread lambdas/https-client-lambda/src/services/delivery/https-client.ts
Comment thread tools/client-subscriptions-management/src/entrypoint/cli/targets-set-pinning.ts Outdated
Comment thread infrastructure/terraform/modules/client-delivery/module_https_client_lambda.tf Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/tls-agent-factory.ts Outdated
@mjewildnhs mjewildnhs marked this pull request as draft April 15, 2026 10:45

@aidenvaines-cgi aidenvaines-cgi left a comment

The TF stuff all looks cool from a rough check

Comment thread infrastructure/terraform/components/callbacks/elasticache_delivery_state.tf Outdated
Comment thread infrastructure/terraform/components/callbacks/module_client_destination.tf Outdated
Comment thread infrastructure/terraform/modules/client-delivery/module_sqs_per_client.tf Outdated
Comment thread infrastructure/terraform/components/callbacks/variables.tf Outdated
Comment thread lambdas/https-client-lambda/src/__tests__/handler.test.ts
Comment thread lambdas/https-client-lambda/src/services/delivery/retry-policy.ts
Comment thread lambdas/https-client-lambda/src/services/delivery/tls-agent-factory.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/tls-agent-factory.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/endpoint-gate.ts Outdated
Comment thread lambdas/https-client-lambda/src/__tests__/handler.test.ts Outdated
Comment thread lambdas/https-client-lambda/src/__tests__/payload-signer.test.ts

@mjewildnhs mjewildnhs left a comment

As far as reviewing the terraform

Comment thread infrastructure/terraform/components/callbacks/elasticache_delivery_state.tf Outdated
Comment thread .gitleaksignore
Comment thread infrastructure/terraform/components/callbacks/elasticache_delivery_state.tf Outdated
Comment thread infrastructure/terraform/modules/client-delivery/module_https_client_lambda.tf Outdated
Comment thread infrastructure/terraform/modules/client-delivery/module_https_client_lambda.tf Outdated
Comment thread infrastructure/terraform/modules/client-delivery/outputs.tf Outdated
Comment thread infrastructure/terraform/modules/client-delivery/variables.tf Outdated
Comment thread infrastructure/terraform/modules/client-delivery/variables.tf Outdated

@mjewildnhs mjewildnhs left a comment

Done transform filter lambda changes - in middle of http lambda

Comment thread lambdas/client-transform-filter-lambda/src/index.ts
Comment thread lambdas/client-transform-filter-lambda/package.json Outdated
Comment thread lambdas/https-client-lambda/src/services/admit.lua
Comment thread lambdas/https-client-lambda/src/handler.ts Outdated
Comment thread lambdas/https-client-lambda/src/handler.ts Outdated
Comment thread lambdas/https-client-lambda/src/handler.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/https-client.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/retry-policy.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/tls-agent-factory.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/config-loader.ts
Comment thread lambdas/https-client-lambda/src/services/logger.ts Outdated
Comment thread lambdas/https-client-lambda/src/handler.ts Outdated
Comment thread lambdas/https-client-lambda/src/handler.ts Outdated

@mjewildnhs mjewildnhs left a comment

Middle of http client lambda review - done with the handler, client, retry policy

Comment thread lambdas/https-client-lambda/src/handler.ts
Comment thread lambdas/https-client-lambda/src/handler.ts Outdated
Comment thread lambdas/https-client-lambda/src/handler.ts Outdated
Comment thread lambdas/https-client-lambda/src/handler.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/tls-agent-factory.ts Outdated
Comment thread infrastructure/terraform/modules/client-delivery/module_https_client_lambda.tf Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/https-client.ts
Comment thread lambdas/https-client-lambda/src/services/delivery/retry-policy.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/tls-agent-factory.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/tls-agent-factory.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/tls-agent-factory.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/tls-agent-factory.ts Outdated

@mjewildnhs mjewildnhs left a comment

Reviewed the http-lambda (minus unit tests)

Comment thread lambdas/https-client-lambda/src/services/config-loader.ts
Comment thread lambdas/https-client-lambda/src/services/admit.lua
Comment thread lambdas/https-client-lambda/src/services/record-result.lua
Comment thread lambdas/https-client-lambda/src/services/endpoint-gate.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/ssm-applications-map.ts Outdated
Comment thread lambdas/mock-webhook-lambda/src/index.ts Outdated
Comment thread lambdas/mock-webhook-lambda/src/index.ts
Comment thread src/models/src/client-config.ts Outdated
Comment thread src/models/src/client-config-schema.ts Outdated
Comment thread tools/client-subscriptions-management/src/entrypoint/cli/targets-set-mtls.ts Outdated
Comment thread tools/client-subscriptions-management/src/entrypoint/cli/targets-set-mtls.ts Outdated
Comment thread tools/client-subscriptions-management/src/entrypoint/cli/targets-set-mtls.ts Outdated
Comment thread tools/client-subscriptions-management/src/entrypoint/cli/targets-set-pinning.ts Outdated
Comment thread tools/client-subscriptions-management/src/entrypoint/cli/clients-put.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/delivery/https-client.ts Outdated
@rhyscoxnhs rhyscoxnhs force-pushed the feature/CCM-16073 branch 3 times, most recently from 5f9b348 to 816b60f Compare April 17, 2026 08:37
Comment thread lambdas/https-client-lambda/src/services/delivery-observability.ts
Comment thread knip.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/admit.lua
Comment thread lambdas/https-client-lambda/src/handler.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/endpoint-gate.ts Outdated
Comment thread lambdas/https-client-lambda/src/services/admit.lua
Comment thread lambdas/https-client-lambda/src/services/endpoint-gate.ts Outdated
Comment thread lambdas/https-client-lambda/src/handler.ts Outdated
Comment thread lambdas/https-client-lambda/src/handler.ts Outdated
@cgitim cgitim requested a review from Copilot May 7, 2026 15:34

Copilot AI left a comment

Copilot wasn't able to review this pull request because it exceeds the maximum number of lines (20,000). Try reducing the number of changed lines and requesting a review from Copilot again.
