# rc-notifications-bun

Bun HTTP proxy for RingCentral webhook notifications. Replaces the previous
`rc-notifications-proxy` Cloudflare Worker. Runs on the Hetzner VM behind
Tailscale Funnel.

## What it does

- Listens on port `18803` (default).
- Handles the RingCentral webhook validation handshake by echoing the
  `Validation-Token` header back in both the response body and header.
- Forwards every other POST request to `RC_DOWNSTREAM_URL` verbatim (body +
  headers).
- Optionally signs the forwarded body with HMAC-SHA256 when
  `RC_WEBHOOK_SECRET` is set, attaching the digest as `X-RC-Webhook-Signature`.
- Exposes `/health` for liveness probes.

## Environment

See `.env.example`.

| Variable                          | Required | Description                                                                                                                |
| --------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------- |
| `RC_DOWNSTREAM_URL`               | yes      | Full URL to POST RC webhook payloads to.                                                                                   |
| `RC_EXPECTED_VERIFICATION_TOKEN`  | rec.     | Static token RC sends as `Verification-Token` on every delivery. When set, mismatched requests are rejected with 401.      |
| `RC_WEBHOOK_SECRET`               | no       | If set, body is HMAC-SHA256 signed and forwarded as `X-RC-Webhook-Signature`.                                              |
| `PORT`                            | no       | Listen port (default `18803`).                                                                                             |

The endpoint is publicly reachable via Tailscale Funnel, so configuring
`RC_EXPECTED_VERIFICATION_TOKEN` is strongly recommended — without it the
proxy will forward any well-formed POST to `RC_DOWNSTREAM_URL`. Bodies
larger than 1 MiB and downstream calls longer than 30s are rejected.

## Running

```bash
bun server.ts
```

In production it's supervised by `~/run-rc-notifications.sh`, which writes
logs to `/tmp/rc-notifications.log` and restarts the process on crash.

## Public URL

Tailscale Funnel mounts this at:

```
https://claude-cloud.tail053faf.ts.net/rc
```

So RingCentral's webhook delivery URL is the above, and the health check is
`https://claude-cloud.tail053faf.ts.net/rc/health`.
