
BUG-18: Echo endpoint discards request headers — HMAC verification untestable #8

@govindkavaturi-art

Description


Summary

POST /v1/echo/{token} captures the request body but throws away all request headers. GET /v1/echo/{token} therefore never returns X-CueAPI-Signature, X-CueAPI-Timestamp, or any other delivery headers.

This makes end-to-end HMAC signature verification impossible — Argus Batch 2 tests (HMAC replay, rotation) all fail because there is no signature to verify against.

Root Cause

In app/routers/echo.py, echo_store() only persists the body:

```python
import json
from datetime import datetime, timezone

# Only the parsed body and a receipt timestamp go into the Redis record;
# request.headers is never copied in.
data = json.dumps({
    "payload": payload,
    "received_at": datetime.now(timezone.utc).isoformat(),
})
```

Headers are read from the request but never stored.

Expected Behaviour

GET /v1/echo/{token} should return:

```json
{
  "status": "delivered",
  "payload": { ... },
  "headers": {
    "x-cueapi-signature": "v1=abc123...",
    "x-cueapi-timestamp": "1774956149",
    "x-cueapi-cue-id": "cue_xxx",
    "x-cueapi-execution-id": "...",
    ...
  },
  "received_at": "2026-03-31T11:29:54Z"
}
```

Fix

In echo_store(), capture dict(request.headers) and include it in the Redis payload. In echo_retrieve(), return it in the response.

Impact

  • Argus Batch 2 HMAC tests (4 tests) cannot pass until this is fixed
  • BUG-17 fix (webhook.py serialization) cannot be confirmed on staging

Filed by Argus — CueAPI QA gate
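The fix described in the issue, together with the check the HMAC tests would then run against the echoed record, as an added example; this is not CueAPI's own code. Assumptions not stated in the issue: an in-memory dict stands in for Redis, the signature scheme is taken to be `v1=` plus the hex HMAC-SHA256 of `<timestamp>.<raw body>` under a shared secret, deliveries outside a 5-minute window are treated as replays, and the raw request bytes are stored next to the parsed payload so the signature can be recomputed over exactly what was signed. The secret, token and body below are constructed sample values.

```python
"""Echo store that keeps delivery headers, plus an HMAC check over them.

Added example, not CueAPI's code. Assumed (not stated in the issue):
an in-memory dict stands in for Redis; signatures are
"v1=" + hex(HMAC-SHA256(secret, b"<timestamp>." + raw_body)); deliveries
older than REPLAY_WINDOW_SECONDS are rejected as replays.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Any, Dict, Mapping, Optional, Tuple

REPLAY_WINDOW_SECONDS = 300          # assumed tolerance for clock skew / replay
_STORE: Dict[str, str] = {}          # stand-in for Redis: token -> JSON record


def _canonical_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Lower-case header names so clients can look up x-cueapi-* reliably.

    Starlette's request.headers already yields lower-case keys; doing it
    here as well keeps the stored shape stable if the framework changes.
    """
    return {name.lower(): value for name, value in headers.items()}


def echo_store(token: str, raw_body: bytes, headers: Mapping[str, str]) -> None:
    """Persist the body AND the headers (the part BUG-18 says is missing).

    The raw bytes are kept next to the parsed payload because the HMAC was
    computed over the bytes on the wire; re-serialising the parsed JSON can
    change key order or whitespace and break verification.
    """
    record = {
        "payload": json.loads(raw_body),
        "raw_body": raw_body.decode("utf-8"),
        "headers": _canonical_headers(headers),
        "received_at": datetime.now(timezone.utc).isoformat(),
    }
    _STORE[token] = json.dumps(record)


def echo_retrieve(token: str) -> Optional[Dict[str, Any]]:
    """Return the stored delivery in the shape the issue expects, or None."""
    blob = _STORE.get(token)
    if blob is None:
        return None
    return {"status": "delivered", **json.loads(blob)}


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Assumed signing scheme: v1=hex(HMAC-SHA256(secret, timestamp.body))."""
    mac = hmac.new(secret, timestamp.encode() + b"." + raw_body, hashlib.sha256)
    return "v1=" + mac.hexdigest()


def verify_delivery(record: Dict[str, Any], secret: bytes, now: float) -> Tuple[bool, str]:
    """What an HMAC test does with the echoed record: timestamp window first,
    then a constant-time comparison of the recomputed signature."""
    headers = record.get("headers") or {}
    signature = headers.get("x-cueapi-signature")
    timestamp = headers.get("x-cueapi-timestamp")
    if signature is None or timestamp is None:
        return False, "missing signature headers"        # the BUG-18 symptom
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - sent_at) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"  # replay test
    expected = sign(secret, timestamp, record["raw_body"].encode("utf-8"))
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"               # key-rotation test
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery; the secret, token and body are not real values.
    secret = b"whsec_example"
    ts = "1774956149"
    body = b'{"cue_id": "cue_xxx", "event": "fired"}'
    echo_store("tok_demo", body, {
        "Content-Type": "application/json",
        "X-CueAPI-Cue-Id": "cue_xxx",
        "X-CueAPI-Timestamp": ts,
        "X-CueAPI-Signature": sign(secret, ts, body),
    })
    rec = echo_retrieve("tok_demo")
    print(verify_delivery(rec, secret, now=int(ts) + 10))       # (True, 'ok')
    print(verify_delivery(rec, b"rotated", now=int(ts) + 10))   # (False, 'signature mismatch')
    print(verify_delivery(rec, secret, now=int(ts) + 3600))     # (False, 'timestamp outside replay window')
```

In the real FastAPI router the two inputs come from `await request.body()` and `dict(request.headers)`; the point of storing the raw bytes is that a record holding only the parsed `payload` cannot be re-signed byte-for-byte, so even with headers echoed back a test could still fail for reasons unrelated to the signature.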

Metadata

Labels: bug (Something isn't working)