From a73a4100998e638e8ba8cf64b4cf47532c3a6766 Mon Sep 17 00:00:00 2001
From: Hammer
Date: Thu, 29 Jan 2026 02:05:55 +0000
Subject: [PATCH] fix: enforce HTTPS for webhook, no hardcoded defaults (HQ-20)

- Webhook URL must be set via env var (no fallback)
- Webhook URL must start with https:// or it's rejected
- Both URL and token required, skip silently if missing
---
 backend/src/routes/tasks.ts | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/backend/src/routes/tasks.ts b/backend/src/routes/tasks.ts
index 7d8f8df..aede984 100644
--- a/backend/src/routes/tasks.ts
+++ b/backend/src/routes/tasks.ts
@@ -5,13 +5,17 @@ import { eq, asc, desc, sql, inArray, or } from "drizzle-orm";
 import { auth } from "../lib/auth";

 const BEARER_TOKEN = process.env.API_BEARER_TOKEN || "hammer-dev-token";
-const CLAWDBOT_HOOK_URL = process.env.CLAWDBOT_HOOK_URL || "https://hooks.donovankelly.xyz/hooks/agent";
+const CLAWDBOT_HOOK_URL = process.env.CLAWDBOT_HOOK_URL || "";
 const CLAWDBOT_HOOK_TOKEN = process.env.CLAWDBOT_HOOK_TOKEN || "";

 // Fire webhook to Clawdbot when a task is activated
 async function notifyTaskActivated(task: { id: string; title: string; description: string | null; source: string; priority: string }) {
- if (!CLAWDBOT_HOOK_TOKEN) {
- console.warn("CLAWDBOT_HOOK_TOKEN not set — skipping webhook");
+ if (!CLAWDBOT_HOOK_URL || !CLAWDBOT_HOOK_TOKEN) {
+ console.warn("CLAWDBOT_HOOK_URL or CLAWDBOT_HOOK_TOKEN not set — skipping webhook");
+ return;
+ }
+ if (!CLAWDBOT_HOOK_URL.startsWith("https://")) {
+ console.warn("CLAWDBOT_HOOK_URL must use HTTPS — skipping webhook");
 return;
 }
 try {
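Review bot: The context line `const BEARER_TOKEN = process.env.API_BEARER_TOKEN || "hammer-dev-token";` still carries a hardcoded fallback, so the commit's "no hardcoded defaults" goal is only met for the webhook URL. Where that constant is checked lies outside the hunk, but if it gates API requests, a deployment without `API_BEARER_TOKEN` would accept a value that is published in the repository. Failing closed at load is safer than substituting an empty string, e.g. `if (!process.env.API_BEARER_TOKEN) throw new Error("API_BEARER_TOKEN must be set");`. Separately, `CLAWDBOT_HOOK_URL.startsWith("https://")` is a case-sensitive prefix test that accepts otherwise malformed values. Parsing once at module load and comparing `new URL(CLAWDBOT_HOOK_URL).protocol` with `"https:"` inside a try/catch would reject those too, and would log the misconfiguration once rather than on every task activation. The body of `notifyTaskActivated` continues past the end of the hunk.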