Commit cf1f889

docs: address PR #757 bot review comments
- Fix empty-state text from "Created manually — no capture provenance." to "No capture provenance available." (actual CardModal.vue text) across STATUS.md, IMPLEMENTATION_MASTERPLAN.md, and MANUAL_TEST_CHECKLIST.md
- Fix logical contradiction in MANUAL_TEST_CHECKLIST.md flash-regression check
- Fix webhook header from X-Taskdeck-Signature to X-Taskdeck-Webhook-Signature (+ X-Taskdeck-Webhook-Timestamp) in TESTING_GUIDE.md manual validation step
- Update telemetry event name examples from old snake_case to canonical noun.verb format matching docs/product/TELEMETRY_TAXONOMY.md
- Replace non-existent OutboundWebhookConnectCallbackTests and OutboundWebhookDeliveryWorkerReliabilityTests with actual webhook test file listing (78 tests across 9 files, not 161 across 4)
- Correct test count inconsistency: 78 total webhook tests (not 161); net new from wave 3 ~50+; fix API integration breakdown arithmetic
- Reconcile STATUS.md SSRF claims with what is actually present in the checked-in test suite (drop CGNAT/cloud-metadata/dynamic-DNS specifics since ConnectCallback tests were not merged)
1 parent f19ebef commit cf1f889

4 files changed (+24 -20 lines)

docs/IMPLEMENTATION_MASTERPLAN.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -601,13 +601,13 @@ Delivered in the latest cycle:
601601
- 9 issues from `#721` tracker plus product telemetry taxonomy, two bug fixes, and six frontend regression test additions
602602
- product telemetry taxonomy delivered (`#341`/`#741`): `docs/product/TELEMETRY_TAXONOMY.md` with 35+ named events, privacy-first bucketing, and R1/R2/R3 launch gate anchors; opt-in, not yet implemented
603603
- board header presence label bug fixed (`#683`/`#744`): username/email flip resolved with `normalizePresenceMembers()` in `BoardView.vue`; adversarial review confirmed no edge cases; 3 new tests
604-
- manual card provenance empty state fixed (`#680`/`#754`): 3 bugs caught and fixed by adversarial review (overly broad 404 swallow, global Axios log regression, empty-state flash); `CardModal.vue` now shows "Created manually — no capture provenance." correctly; 4 new tests
604+
- manual card provenance empty state fixed (`#680`/`#754`): 3 bugs caught and fixed by adversarial review (overly broad 404 swallow, global Axios log regression, empty-state flash); `CardModal.vue` now shows "No capture provenance available." correctly; 4 new tests
605605
- WIP-limit toast dedup regression tests (`#686`/`#745`): 7 tests in `boardStore.wipLimit.spec.ts` for `createCard` and `moveCard`
606606
- auth-flow toast lifecycle tests (`#685`/`#742`): 20 tests in `sessionStore.authToast.spec.ts`; adversarial review fixed timer leak, mock isolation, inverted assertion
607607
- router auth guard + workspace stability tests (`#687`/`#748`): `authGuard.spec.ts` and `workspaceRouteStability.spec.ts` with 12-route exhaustive guard table; pre-existing `AuthControllerEdgeCaseTests.cs` compile error fixed
608608
- inbox triage action visibility tests (`#688`/`#743`): 21 new tests in `InboxView.spec.ts` for single-item triage and bulk action bar visibility
609609
- webhook HMAC verification tests (`#726`/`#750`): 11 tests in `OutboundWebhookHmacDeliveryTests.cs` for header format, round-trip, wrong-key, secret rotation, timing-safe comparison
610-
- webhook delivery reliability + SSRF boundary tests (`#710`/`#756`): 161 total webhook tests across 4 files; socket-level SSRF for all private IP ranges, CGNAT, cloud metadata, dynamic DNS; retry/backoff/dead-letter reliability; `HttpClient` resource leak fixed in tests
610+
- webhook delivery reliability + SSRF boundary tests (`#710`/`#756`): 78 total webhook tests across 7 files; SSRF coverage via `OutboundWebhookEndpointGuardTests` for private IP ranges; retry/backoff/dead-letter reliability; `HttpClient` resource leak fixed in tests
611611
- TST-32–TST-57 wave progress updated: 17 of 22 issues now delivered; remaining open: `#705`, `#711`, `#712`, `#716`, `#717`; frontend suite at 1592 passing (up from 1496)
612612

613613
## Current Planning Pivot (2026-03-07)
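Review bot: the file count on the new line 610 (`78 total webhook tests across 7 files`) disagrees with the commit message and with the TESTING_GUIDE.md hunks in this same commit, which put the 78 tests across 9 files; pick one figure and use it in all three docs, e.g. `78 total webhook tests across 9 files`.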

docs/MANUAL_TEST_CHECKLIST.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -153,10 +153,10 @@ Manual-only checks (non-automatable in generic local script):
153153

154154
**Manual card provenance empty state (PR #754):**
155155
- Open a card that was created manually (not via capture/inbox).
156-
- Expected: card detail shows "Created manually — no capture provenance." in the provenance area. No error shown. No blank/broken provenance section.
156+
- Expected: card detail shows "No capture provenance available." in the provenance area. No error shown. No blank/broken provenance section.
157157
- Open a card created via the capture/inbox flow.
158-
- Expected: card detail shows full capture provenance (source, timestamp, original capture text). The "Created manually" message does NOT appear for captured cards.
159-
- If card was created manually, verify the provenance empty state does not flash "Created manually" during the initial load of a captured card's modal.
158+
- Expected: card detail shows full capture provenance (source, timestamp, original capture text). The "No capture provenance available." message does NOT appear for captured cards.
159+
- For captured cards, verify the provenance empty state does not flash during the initial load of the captured card's modal.
160160
- Expected: empty state is only shown after load completes and provenance is confirmed absent.
161161

162162
11. Edit title/description, set due date, block with reason, assign labels.
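Review bot: the flash check on the new line 159 is now scoped to captured cards only, but the unchanged expected outcome on line 160 (`empty state is only shown after load completes and provenance is confirmed absent`) applies equally to the manually created card opened on line 155; consider adding a matching step there, e.g. `- For manual cards, verify the empty state appears only after the provenance load completes, not before.`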

docs/STATUS.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -81,13 +81,13 @@ Current constraints are mostly hardening and consistency:
8181
- Post-adversarial-review hardening and test expansion wave (2026-04-04, PRs `#741``#756`, 9 issues):
8282
- **Product telemetry taxonomy** (`#341`/`#741`): `docs/product/TELEMETRY_TAXONOMY.md` defines 35+ named events across 7 categories (Capture, Proposal/Review, Board, Auth, Navigation, Agent, Error) with `noun.verb` naming convention, universal envelope, privacy guardrails (bucketed counts, no PII), and R1/R2/R3 launch gate anchors; telemetry is opt-in and not yet implemented
8383
- **Board header presence label fixed** (`#683`/`#744`): `normalizePresenceMembers()` in `BoardView.vue` now replaces current user's SignalR `displayName` with locally-known username, eliminating email/username flip on card open; 3 new tests
84-
- **Manual card provenance empty state** (`#680`/`#754`): `cardsApi.getCardProvenance()` now returns null only for "Capture provenance not found" 404s (not all 404s); CardModal shows "Created manually — no capture provenance." with `loadedCaptureProvenanceCardId` guard against flash; 4 new tests; adversarial review caught and fixed 3 bugs (overly broad 404 catch, global Axios log-level regression, empty-state flash)
84+
- **Manual card provenance empty state** (`#680`/`#754`): `cardsApi.getCardProvenance()` now returns null only for "Capture provenance not found" 404s (not all 404s); CardModal shows "No capture provenance available." with `loadedCaptureProvenanceCardId` guard against flash; 4 new tests; adversarial review caught and fixed 3 bugs (overly broad 404 catch, global Axios log-level regression, empty-state flash)
8585
- **WIP-limit duplicate toast regression** (`#686`/`#745`): 7 regression tests in `boardStore.wipLimit.spec.ts` guard against future double-toast on WIP limit violations for createCard and moveCard
8686
- **Auth-flow toast regression coverage** (`#685`/`#742`): 20 tests in `sessionStore.authToast.spec.ts` covering login/register/OAuth failure and success toast lifecycle, isolation, and auto-removal; adversarial review fixed timer leak, mock isolation, and inverted assertion
8787
- **Route and workspace-state stability** (`#687`/`#748`): `authGuard.spec.ts` (auth guard decision table) and `workspaceRouteStability.spec.ts` (mode persistence, hydration drift, resetForLogout) with 12-route exhaustive guard table; also fixed pre-existing `AuthControllerEdgeCaseTests.cs` compile error
8888
- **Inbox triage action visibility** (`#688`/`#743`): 21 new tests in `InboxView.spec.ts` covering single-item triage action states and bulk action bar visibility with DOM-level assertions
8989
- **Webhook HMAC signature verification** (`#726`/`#750`): 11 tests in `OutboundWebhookHmacDeliveryTests.cs` covering header format, HMAC round-trip, wrong-key rejection, secret rotation, large payload, and timing-safe comparison; adversarial review fixed rotation test and replaced BCL-testing stubs with real domain property tests
90-
- **Webhook delivery reliability and SSRF boundary** (`#710`/`#756`): 161 webhook tests across 4 files; SSRF coverage includes all private IPv4/IPv6 ranges, CGNAT, cloud metadata endpoint (169.254.169.254), dynamic DNS embedding (nip.io/sslip.io), fail-closed DNS; delivery reliability covers retry/backoff, dead-letter, concurrent delivery, HMAC at worker boundary; `HttpClient` resource leak fixed in tests
90+
- **Webhook delivery reliability and SSRF boundary** (`#710`/`#756`): 78 webhook tests across 7 files (endpoint guard, service, signature, delivery worker, HMAC delivery, repository, domain); SSRF coverage via `OutboundWebhookEndpointGuardTests` includes private IPv4/IPv6 ranges; delivery reliability covers retry/backoff, dead-letter, concurrent delivery, HMAC at worker boundary; `HttpClient` resource leak fixed in tests
9191

9292
Target experience metrics for the capture direction:
9393
- capture action to saved artifact should feel under 10 seconds in normal use
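Review bot: the new line 90 says `78 webhook tests across 7 files` and its parenthetical lists seven groups, but the file listing this same commit adds to TESTING_GUIDE.md enumerates nine files: the domain group there is two files and `OutboundWebhooksApiTests` is absent from this parenthetical altogether; align the count and add the missing file, e.g. `78 webhook tests across 9 files (endpoint guard, service, signature, delivery worker, HMAC delivery, API contract, repository, two domain entity suites)`.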

docs/TESTING_GUIDE.md

Lines changed: 17 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -12,22 +12,22 @@ Companion Active Docs:
1212

1313
## Current Verified Totals (2026-04-04)
1414

15-
- Backend: ~3010+ passing (estimated based on ~300 new tests from PRs `#732``#739` + ~586 new tests from PRs `#740``#755` + ~60-80 net new tests from PRs `#750`/`#756`)
15+
- Backend: ~2990+ passing (estimated based on ~300 new tests from PRs `#732``#739` + ~586 new tests from PRs `#740``#755` + ~50+ net new webhook tests from PRs `#750`/`#756`)
1616
- Domain: ~620+ (174 new entity state machine tests + 45 archive lifecycle domain tests)
1717
- Application: ~1500+ (101 LLM edge cases + 64 export/import + 51 metrics accuracy tests)
18-
- API integration: ~830+ (5 ChangePassword + 38 data isolation + 24 worker + 67 controller + 44 auth + 7 golden-path + 42 MCP + 19 SignalR + 57 error contract + 29 archive lifecycle + 10 metrics controller + 36 notification tests + 11 webhook HMAC + 30+ SSRF/delivery reliability)
18+
- API integration: ~810+ (5 ChangePassword + 38 data isolation + 24 worker + 67 controller + 44 auth + 7 golden-path + 42 MCP + 19 SignalR + 57 error contract + 29 archive lifecycle + 10 metrics controller + 36 notification tests + 11 webhook HMAC + 22 webhook SSRF/delivery/repository)
1919
- CLI contract: 4
2020
- Architecture boundaries: 8
2121
- Frontend unit: 1592/1592 passing (134+ test files)
2222
- Frontend E2E (smoke + automation/ops + capture loop + starter-pack fixtures + concurrency harness): default required lane passing
2323
- Combined automated total: ~4600+ passing (backend ~3010+ + frontend unit 1592 + E2E)
2424

2525
Verification note:
26-
- backend totals are estimated after three 2026-04-04 waves; wave 1 (`#732``#739`, ~300 new tests), wave 2 (`#740``#755`, ~586 new tests with adversarial review), and wave 3 (`#750`/`#756`, ~60-80 net new webhook tests); each PR verified green individually; full-suite recertification needed
26+
- backend totals are estimated after three 2026-04-04 waves; wave 1 (`#732``#739`, ~300 new tests), wave 2 (`#740``#755`, ~586 new tests with adversarial review), and wave 3 (`#750`/`#756`, ~50+ net new webhook tests: 11 HMAC + endpoint guard extensions + service/signature/worker/domain tests); each PR verified green individually; full-suite recertification needed
2727
- frontend unit totals: **1592 passing** as of 2026-04-04 post-wave 3 (up from 1496 pre-wave); verified via `npx vitest --run` after adversarial review fixes
2828
- significant test growth in 2026-04-04 wave 1: ChangePassword fix (5 tests), golden-path integration (7), cross-user isolation (38), worker integration (24), controller HTTP (67), proposal lifecycle (74), OAuth/auth edge cases (44), MCP full inventory (42)
2929
- significant test growth in 2026-04-04 wave 2: domain state machines (174), SignalR integration (19), LLM tool-calling edge cases (101), export/import round-trip (64), API error contract (57), archive lifecycle (74), board metrics accuracy (61), notification delivery (36); all 8 PRs received two rounds of adversarial review with 47 review-fix commits addressing false-positive tests, weak assertions, and missing edge cases
30-
- significant test growth in 2026-04-04 wave 3 (PRs `#741``#756`, 9 issues): webhook HMAC verification (11 backend tests, `#726`/`#750`), webhook SSRF/delivery reliability (161 total webhook tests across 4 files, `#710`/`#756`), frontend regression suite expansion (+96 tests: `#744` +3, `#754` +4, `#745` +7, `#742` +20, `#748` +route/workspace tests, `#743` +21)
30+
- significant test growth in 2026-04-04 wave 3 (PRs `#741``#756`, 9 issues): webhook HMAC verification (11 backend tests, `#726`/`#750`), webhook SSRF/delivery reliability (78 total webhook tests across 9 files including pre-existing, `#710`/`#756`), frontend regression suite expansion (+96 tests: `#744` +3, `#754` +4, `#745` +7, `#742` +20, `#748` +route/workspace tests, `#743` +21)
3131

3232
## Product-Coherence Testing Priorities (2026-03-07)
3333

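Review bot: line 15 is lowered to `~2990+`, but the unchanged line 23 still reads `Combined automated total: ~4600+ passing (backend ~3010+ + frontend unit 1592 + E2E)`, so the two backend figures now disagree within the same section; update line 23 to `backend ~2990+` and recheck whether the `~4600+` combined figure still holds. Separately, the new line 26 counts `service/signature/worker/domain tests` toward the `~50+ net new` wave 3 total, while the new line 30 says the 78 webhook tests include pre-existing files; state which of those suites are actually new in this wave so the net-new estimate can be traced.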
@@ -52,7 +52,7 @@ High-signal additions and delivered guardrails:
5252
Telemetry and release-gate follow-through from the expanded blueprint:
5353

5454
- product telemetry/event taxonomy delivered in `#341`/`#741` — see `docs/product/TELEMETRY_TAXONOMY.md`; reuses `#77` as baseline; `#328` provides the delivered first-run guardrail
55-
- keep event names privacy-safe and product-shaped (for example `home_loaded`, `today_loaded`, `capture_created`, `proposal_opened`, `proposal_approved`, `board_action_capture_here_clicked`, `workspace_mode_changed`, `agent_run_started`, `agent_run_completed`, `agent_run_failed`)
55+
- keep event names privacy-safe and product-shaped using the canonical `noun.verb` format from `docs/product/TELEMETRY_TAXONOMY.md` (for example `capture.modal_opened`, `capture.submitted`, `proposal.approved`, `proposal.dismissed`, `card.created`, `board.loaded`, `auth_session.started`, `agent_run.completed`, `agent_run.failed`)
5656
- treat launch framing as evidence gates, not marketing labels:
5757
- `R1` novice-first beta -> coherent `Home -> capture -> review -> execute -> board` path
5858
- `R2` agent foundation alpha -> inspectable runs, policies, and bounded templates
@@ -156,7 +156,7 @@ Security finding during audit: `#722` (SEC-20) — `ChangePassword` endpoint doe
156156
- ~~**Board metrics accuracy**~~: **RESOLVED** — 61 tests delivered (`#718`/`#749`): 51 service + 10 controller covering throughput, cycle time, WIP, blocked cards, done-column heuristic
157157
- ~~**Notification delivery**~~: **RESOLVED** — 36 tests delivered (`#719`/`#746`) covering all 5 types, deduplication, preference filtering, cross-user isolation, batch operations
158158
- ~~**Webhook HMAC signature verification**~~: **RESOLVED** — 11 tests delivered (`#726`/`#750`) covering header format, HMAC round-trip, wrong-key rejection, secret rotation, timing-safe comparison
159-
- ~~**Webhook delivery reliability and SSRF**~~: **RESOLVED**161 webhook tests delivered (`#710`/`#756`) covering retry/backoff, dead-letter, all SSRF boundary conditions (private IPv4/IPv6, CGNAT, cloud metadata, dynamic DNS)
159+
- ~~**Webhook delivery reliability and SSRF**~~: **RESOLVED**78 webhook tests across 9 files delivered (`#710`/`#756`) covering retry/backoff, dead-letter, SSRF boundary conditions (private IPv4/IPv6 ranges via `OutboundWebhookEndpointGuardTests`)
160160

161161
### Relationship to Existing Test Issues
162162

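Review bot: the new line 159 credits `OutboundWebhookEndpointGuardTests` with `private IPv4/IPv6 ranges`, but the file listing this commit adds further down in the same document (line 897) describes that suite as covering `private IPv4 ranges` only; either drop IPv6 here or add it there so the two descriptions match. The file count also needs one value across the commit: 9 here, 7 in the STATUS.md and IMPLEMENTATION_MASTERPLAN.md hunks.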
@@ -893,16 +893,20 @@ Key adversarial review findings fixed: secret rotation test was testing differen
893893

894894
Tracking issue: `#710`
895895

896-
New test coverage:
897-
- `OutboundWebhookConnectCallbackTests` (new): socket-level SSRF using real `SocketsHttpHandler` + `ConnectCallback`; covers private IPv4 (10.x, 172.16-31.x, 192.168.x, CGNAT 100.64-127.x), IPv6 loopback (`::1`), IPv4-mapped IPv6 (`::ffff:10.x`), cloud metadata (169.254.169.254), non-resolvable hostname fail-closed, error message hygiene
898-
- `OutboundWebhookDeliveryWorkerReliabilityTests` (new): successful 2xx delivery, HTTP 5xx/429 retry scheduling, network timeout retry, max-retries dead-letter, SSRF guard at worker boundary (no dispatch for private IPs), HMAC value verification, delivery/subscription ID headers, concurrent delivery independence
899-
- `OutboundWebhookEndpointGuardTests` (extended): 30+ new cases including all private ranges, CGNAT, IPv6 link-local/unique-local, dynamic DNS (nip.io/sslip.io), blocked hostname suffixes, public IP allowlist, mixed-DNS resolution contract, error message hygiene
900-
901-
Total webhook tests across all files: 161.
896+
New test coverage across webhook test suite (78 tests total across 9 files):
897+
- `OutboundWebhookEndpointGuardTests` (Application.Tests): SSRF guard cases covering private IPv4 ranges and endpoint validation
898+
- `OutboundWebhookServiceTests` (Application.Tests, 19 tests): service-level webhook subscription and delivery orchestration
899+
- `OutboundWebhookSignatureTests` (Application.Tests, 8 tests): HMAC signature computation and verification
900+
- `OutboundWebhookDeliveryWorkerTests` (Api.Tests, 8 tests): worker-level delivery scheduling and retry logic
901+
- `OutboundWebhookHmacDeliveryTests` (Api.Tests, 11 tests): end-to-end HMAC delivery including header format, round-trip, wrong-key rejection
902+
- `OutboundWebhooksApiTests` (Api.Tests, 10 tests): API endpoint contract for webhook subscription management
903+
- `OutboundWebhookDeliveryRepositoryTests` (Api.Tests, 3 tests): repository-level delivery persistence
904+
- `OutboundWebhookDeliveryTests` (Domain.Tests, 8 tests): domain entity state and transitions
905+
- `OutboundWebhookSubscriptionTests` (Domain.Tests, 7 tests): subscription domain entity
902906

903907
Key adversarial review fix: `HttpClient` resource leaks across 9 test methods.
904908

905-
Manual validation recommended: configure a webhook endpoint with a known secret and verify that (a) the `X-Taskdeck-Signature` header is present and verifiable with HMAC-SHA256, and (b) a webhook targeting `http://localhost/` or `http://10.0.0.1/` is rejected at the SSRF guard.
909+
Manual validation recommended: configure a webhook endpoint with a known secret and verify that (a) the `X-Taskdeck-Webhook-Signature` header (alongside `X-Taskdeck-Webhook-Timestamp`) is present and verifiable with HMAC-SHA256, and (b) a webhook targeting `http://localhost/` or `http://10.0.0.1/` is rejected at the SSRF guard.
906910

907911
## Frontend Regression Test Wave (PRs #742#745, #748, #743, #744, #754, delivered 2026-04-04)
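Review bot: the per-file counts on the new lines 898-905 sum to 74 (19 + 8 + 8 + 11 + 10 + 3 + 8 + 7), which leaves only 4 tests for `OutboundWebhookEndpointGuardTests` on line 897 to reach the stated total of 78; give that suite an explicit count so the total reconciles, and if 4 is correct, reword line 897 so `SSRF guard cases covering private IPv4 ranges` does not read as broader coverage than four cases provide. In the manual validation step on line 909, say whether `X-Taskdeck-Webhook-Timestamp` is part of the HMAC input and how the signature value is encoded; without that, `verifiable with HMAC-SHA256` cannot be reproduced from this text.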
908912
