Webhook-Triggered Rocky Workflows
Webhooks let Rocky respond when another system changes. The safest pattern is to treat the webhook as a trigger, not as permission to publish or mutate everything it mentions.
Good webhook candidates
- Form submissions that should create a draft response or task summary.
- Monitoring alerts that need triage notes.
- CRM or project events that should update a public-safe dashboard.
- Content intake events that should become drafts after sanitization.
Design the boundary first
- Define the minimum payload Rocky needs.
- Strip private fields before storing public artifacts.
- Use a route-specific secret or platform signature check where available.
- Keep side effects explicit: draft, notify, ticket, deploy, or no action.
- Use official Hermes webhook docs for current commands: https://hermes-agent.nousresearch.com/docs/user-guide/features/webhooks.
Pitfalls
- Do not let arbitrary webhook text become a shell command or public article without review.
- Do not log full customer payloads into public build artifacts.
- Do not treat a 200 response as proof the downstream work succeeded; verify the created artifact or session output.
Verification steps
- Send a synthetic test payload with non-sensitive sample data.
- Confirm the request was received and routed to the intended workflow.
- Verify the generated output is public-safe before publishing.
- Record the exact live endpoint health check and the artifact URL, not the secret.
