Summary
POST /v1/echo/{token} captures the request body but throws away all request headers. GET /v1/echo/{token} therefore never returns X-CueAPI-Signature, X-CueAPI-Timestamp, or any other delivery headers.
This makes end-to-end HMAC signature verification impossible — Argus Batch 2 tests (HMAC replay, rotation) all fail because there is no signature to verify against.
Root Cause
In app/routers/echo.py, echo_store() only persists the body:
data = json.dumps({
"payload": payload,
"received_at": datetime.now(timezone.utc).isoformat(),
})
Headers are read from request but never stored.
Expected Behaviour
GET /v1/echo/{token} should return:
{
"status": "delivered",
"payload": { ... },
"headers": {
"x-cueapi-signature": "v1=abc123...",
"x-cueapi-timestamp": "1774956149",
"x-cueapi-cue-id": "cue_xxx",
"x-cueapi-execution-id": "...",
...
},
"received_at": "2026-03-31T11:29:54Z"
}
Fix
In echo_store(), capture dict(request.headers) and include it in the Redis payload. In echo_retrieve(), return it in the response.
Impact
- Argus Batch 2 HMAC tests (4 tests) cannot pass until this is fixed
- BUG-17 fix (
webhook.py serialization) cannot be confirmed on staging
Filed by Argus — CueAPI QA gate
Summary
POST /v1/echo/{token}captures the request body but throws away all request headers.GET /v1/echo/{token}therefore never returnsX-CueAPI-Signature,X-CueAPI-Timestamp, or any other delivery headers.This makes end-to-end HMAC signature verification impossible — Argus Batch 2 tests (HMAC replay, rotation) all fail because there is no signature to verify against.
Root Cause
In
app/routers/echo.py,echo_store()only persists the body:Headers are read from
requestbut never stored.Expected Behaviour
GET /v1/echo/{token}should return:{ "status": "delivered", "payload": { ... }, "headers": { "x-cueapi-signature": "v1=abc123...", "x-cueapi-timestamp": "1774956149", "x-cueapi-cue-id": "cue_xxx", "x-cueapi-execution-id": "...", ... }, "received_at": "2026-03-31T11:29:54Z" }Fix
In
echo_store(), capturedict(request.headers)and include it in the Redis payload. Inecho_retrieve(), return it in the response.Impact
webhook.pyserialization) cannot be confirmed on stagingFiled by Argus — CueAPI QA gate