Hex CI Integration

Overview

Set up CI/CD pipelines for Hex integrations with automated testing.

Prerequisites

• GitHub repository with Actions enabled
• Hex test API key
• npm/pnpm project configured

Instructions

Step 1: Create GitHub Actions Workflow

Create .github/workflows/hex-integration.yml:

name: Hex Integration Tests

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

env:
  HEX_API_KEY: ${{ secrets.HEX_API_KEY }}

jobs:
  test:
    runs-on: ubuntu-latest
    env:
      HEX_API_KEY: ${{ secrets.HEX_API_KEY }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
      - run: npm ci
      - run: npm test -- --coverage
      - run: npm run test:integration

Step 2: Configure Secrets

gh secret set HEX_API_KEY --body "sk_test_***"

Step 3: Add Integration Tests

describe('Hex Integration', () => {
  it.skipIf(!process.env.HEX_API_KEY)('should connect', async () => {
    const client = getHexClient();
    const result = await client.healthCheck();
    expect(result.status).toBe('ok');
  });
});

Output

• Automated test pipeline
• PR checks configured
• Coverage reports uploaded
• Release workflow ready

Error Handling

Examples

Release Workflow

on:
  push:
    tags: ['v*']

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      HEX_API_KEY: ${{ secrets.HEX_API_KEY_PROD }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - name: Verify Hex production readiness
        run: npm run test:integration
      - run: npm run build
      - run: npm publish

Branch Protection

required_status_checks:
  - "test"
  - "hex-integration"

Resources

• GitHub Actions Documentation
• Hex CI Guide

Next Steps

For deployment patterns, see hex-deploy-integration.

Hex Common Errors

Overview

Quick reference for the top 10 most common Hex errors and their solutions.

Prerequisites

• Hex SDK installed
• API credentials configured
• Access to error logs

Instructions

Step 1: Identify the Error

Check error message and code in your logs or console.

Step 2: Find Matching Error Below

Match your error to one of the documented cases.

Step 3: Apply Solution

Follow the solution steps for your specific error.

Output

• Identified error cause
• Applied fix
• Verified resolution

Error Handling

Authentication Failed

Error Message:

Authentication error: Invalid API key

Cause: API key is missing, expired, or invalid.

Solution:

# Verify API key is set
echo $HEX_API_KEY

Rate Limit Exceeded

Error Message:

Rate limit exceeded. Please retry after X seconds.

Cause: Too many requests in a short period.

Solution:

Implement exponential backoff. See hex-rate-limits skill.

Network Timeout

Error Message:

Request timeout after 30000ms

Cause: Network connectivity or server latency issues.

Solution:

// Increase timeout
const client = new Client({ timeout: 60000 });

Examples

Quick Diagnostic Commands

# Check Hex status
curl -s https://status.hex.com

# Verify API connectivity
curl -I https://api.hex.com

# Check local configuration
env | grep HEX

Escalation Path

1. Collect evidence with hex-debug-bundle
2. Check Hex status page
3. Contact support with request ID

Resources

• Hex Status Page
• Hex Support
• Hex Error Codes

Next Steps

For comprehensive debugging, see hex-debug-bundle.

Hex Core Workflow A

Overview

Primary money-path workflow for Hex. This is the most common use case.

Prerequisites

• Completed hex-install-auth setup
• Understanding of Hex core concepts
• Valid API credentials configured

Instructions

Step 1: Initialize

// Step 1 implementation

Step 2: Execute

// Step 2 implementation

Step 3: Finalize

// Step 3 implementation

Output

• Completed Core Workflow A execution
• Expected results from Hex API
• Success confirmation or error details

Error Handling

Examples

Complete Workflow

// Complete workflow example

Common Variations

• Variation 1: Description
• Variation 2: Description

Resources

• Hex Documentation
• Hex API Reference

Next Steps

For secondary workflow, see hex-core-workflow-b.

Hex Core Workflow B

Overview

Secondary workflow for Hex. Complements the primary workflow.

Prerequisites

• Completed hex-install-auth setup
• Familiarity with hex-core-workflow-a
• Valid API credentials configured

Instructions

Step 1: Setup

// Step 1 implementation

Step 2: Process

// Step 2 implementation

Step 3: Complete

// Step 3 implementation

Output

• Completed Core Workflow B execution
• Results from Hex API
• Success confirmation or error details

Error Handling

Examples

Complete Workflow

// Complete workflow example

Error Recovery

// Error handling code

Resources

• Hex Documentation
• Hex API Reference

Next Steps

For common errors, see hex-common-errors.

Hex Cost Tuning

Overview

Optimize Hex costs through smart tier selection, sampling, and usage monitoring.

Prerequisites

• Access to Hex billing dashboard
• Understanding of current usage patterns
• Database for usage tracking (optional)
• Alerting system configured (optional)

Pricing Tiers

Cost Estimation

interface UsageEstimate {
  requestsPerMonth: number;
  tier: string;
  estimatedCost: number;
  recommendation?: string;
}

function estimateHexCost(requestsPerMonth: number): UsageEstimate {
  if (requestsPerMonth <= 1000) {
    return { requestsPerMonth, tier: 'Free', estimatedCost: 0 };
  }

  if (requestsPerMonth <= 100000) {
    return { requestsPerMonth, tier: 'Pro', estimatedCost: 99 };
  }

  const proOverage = (requestsPerMonth - 100000) * 0.001;
  const proCost = 99 + proOverage;

  return {
    requestsPerMonth,
    tier: 'Pro (with overage)',
    estimatedCost: proCost,
    recommendation: proCost > 500
      ? 'Consider Enterprise tier for volume discounts'
      : undefined,
  };
}

Usage Monitoring

class HexUsageMonitor {
  private requestCount = 0;
  private bytesTransferred = 0;
  private alertThreshold: number;

  constructor(monthlyBudget: number) {
    this.alertThreshold = monthlyBudget * 0.8; // 80% warning
  }

  track(request: { bytes: number }) {
    this.requestCount++;
    this.bytesTransferred += request.bytes;

    if (this.estimatedCost() > this.alertThreshold) {
      this.sendAlert('Approaching Hex budget limit');
    }
  }

  estimatedCost(): number {
    return estimateHexCost(this.requestCount).estimatedCost;
  }

  private sendAlert(message: string) {
    // Send to Slack, email, PagerDuty, etc.
  }
}

Cost Reduction Strategies

Step 1: Request Sampling

function shouldSample(samplingRate = 0.1): boolean {
  return Math.random() < samplingRate;
}

// Use for non-critical telemetry
if (shouldSample(0.1)) { // 10% sample
  await hexClient.trackEvent(event);
}

Step 2: Batching Requests

// Instead of N individual calls
await Promise.all(ids.map(id => hexClient.get(id)));

// Use batch endpoint (1 call)
await hexClient.batchGet(ids);

Step 3: Caching (from P16)

• Cache frequently accessed data
• Use cache invalidation webhooks
• Set appropria

Hex Debug Bundle

Overview

Collect all necessary diagnostic information for Hex support tickets.

Prerequisites

• Hex SDK installed
• Access to application logs
• Permission to collect environment info

Instructions

Step 1: Create Debug Bundle Script

#!/bin/bash
# hex-debug-bundle.sh

BUNDLE_DIR="hex-debug-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$BUNDLE_DIR"

echo "=== Hex Debug Bundle ===" > "$BUNDLE_DIR/summary.txt"
echo "Generated: $(date)" >> "$BUNDLE_DIR/summary.txt"

Step 2: Collect Environment Info

# Environment info
echo "--- Environment ---" >> "$BUNDLE_DIR/summary.txt"
node --version >> "$BUNDLE_DIR/summary.txt" 2>&1
npm --version >> "$BUNDLE_DIR/summary.txt" 2>&1
echo "HEX_API_KEY: ${HEX_API_KEY:+[SET]}" >> "$BUNDLE_DIR/summary.txt"

Step 3: Gather SDK and Logs

# SDK version
npm list @hex/sdk 2>/dev/null >> "$BUNDLE_DIR/summary.txt"

# Recent logs (redacted)
grep -i "hex" ~/.npm/_logs/*.log 2>/dev/null | tail -50 >> "$BUNDLE_DIR/logs.txt"

# Configuration (redacted - secrets masked)
echo "--- Config (redacted) ---" >> "$BUNDLE_DIR/summary.txt"
cat .env 2>/dev/null | sed 's/=.*/=***REDACTED***/' >> "$BUNDLE_DIR/config-redacted.txt"

# Network connectivity test
echo "--- Network Test ---" >> "$BUNDLE_DIR/summary.txt"
echo -n "API Health: " >> "$BUNDLE_DIR/summary.txt"
curl -s -o /dev/null -w "%{http_code}" https://api.hex.com/health >> "$BUNDLE_DIR/summary.txt"
echo "" >> "$BUNDLE_DIR/summary.txt"

Step 4: Package Bundle

tar -czf "$BUNDLE_DIR.tar.gz" "$BUNDLE_DIR"
echo "Bundle created: $BUNDLE_DIR.tar.gz"

Output

• hex-debug-YYYYMMDD-HHMMSS.tar.gz archive containing:
• summary.txt - Environment and SDK info
• logs.txt - Recent redacted logs
• config-redacted.txt - Configuration (secrets removed)

Error Handling

# Add Hex secrets to Vercel
vercel secrets add hex_api_key sk_live_***
vercel secrets add hex_webhook_secret whsec_***

# Link to project
vercel link

# Deploy preview
vercel

# Deploy production
vercel --prod

{
  "env": {
    "HEX_API_KEY": "@hex_api_key"
  },
  "functions": {
    "api/**/*.ts": {
      "maxDuration": 30
    }
  }
}

app = "my-hex-app"
primary_region = "iad"

[env]
  NODE_ENV = "production"

[http_service]
  internal_port = 3000
  force_https = true
  auto_stop_machines = true
  auto_start_machines = true

# Set Hex secrets
fly secrets set HEX_API_KEY=sk_live_***
fly secrets set HEX_WEBHOOK_SECRET=whsec_***

# Deploy
fly deploy

FROM node:20-slim
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
CMD ["npm", "start"]

#!/bin/bash
# deploy-cloud-run.sh

PROJECT_ID="${GOOGLE_CLOUD_PROJECT}"
SERVICE_NAME="hex-service"
REGION="us-central1"

# Build and push image
gcloud builds submit --tag gcr.io/$PROJECT_ID/$SERVICE_NAME

# Deploy to Cloud Run
gcloud run deploy $SERVICE_NAME \
  --image gcr.io/$PROJECT_ID/$SERVICE_NAME \
  --region $REGION \
  --platform managed \
  --allow-unauthenticated \
  --set-secrets=HEX_API_KEY=hex-api-key:latest

// config/hex.ts
interface HexConfig {
  apiKey: string;
  environment: 'development' | 'staging' | 'production';
  webhookSecret?: string;
}

export function getHexConfig(): HexConfig {
  const env = process.env.NODE_ENV || 'development';

  return {
    apiKey: process.env.HEX_API_KEY!,
    environment: env as HexConfig['environment'],
    webhookSecret: process.env.HEX_WEBHOOK_SECRET,
  };
}

// api/health.ts
export async function GET() {
  const hexStatus = await checkHexConnection();

  return Response.json({
    status: hexStatus ? 'healthy' : 'degraded',
    services: {
      hex: hexStatu

import { HexClient } from '@hex/sdk';

const client = new HexClient({
  apiKey: process.env.HEX_API_KEY,
});

async function main() {
  // Your first API call here
}

main().catch(console.error);

Success! Your Hex connection is working.

import { HexClient } from '@hex/sdk';

const client = new HexClient({
  apiKey: process.env.HEX_API_KEY,
});

async function main() {
  // Your first API call here
}

main().catch(console.error);

from hex import HexClient

client = HexClient()

# Your first API call here

# Node.js
npm install @hex/sdk

# Python
pip install hex

# Set environment variable
export HEX_API_KEY="your-api-key"

# Or create .env file
echo 'HEX_API_KEY=your-api-key' >> .env

// Test connection code here

import { HexClient } from '@hex/sdk';

const client = new HexClient({
  apiKey: process.env.HEX_API_KEY,
});

from hex import HexClient

client = HexClient(
    api_key=os.environ.get('HEX_API_KEY')
)

my-hex-project/
├── src/
│   ├── hex/
│   │   ├── client.ts       # Hex client wrapper
│   │   ├── config.ts       # Configuration management
│   │   └── utils.ts        # Helper functions
│   └── index.ts
├── tests/
│   └── hex.test.ts
├── .env.local              # Local secrets (git-ignored)
├── .env.example            # Template for team
└── package.json

# Copy environment template
cp .env.example .env.local

# Install dependencies
npm install

# Start development server
npm run dev

{
  "scripts": {
    "dev": "tsx watch src/index.ts",
    "test": "vitest",
    "test:watch": "vitest --watch"
  }
}

import { describe, it, expect, vi } from 'vitest';
import { HexClient } from '../src/hex/client';

describe('Hex Client', () => {
  it('should initialize with API key', () => {
    const client = new HexClient({ apiKey: 'test-key' });
    expect(client).toBeDefined();
  });
});

vi.mock('@hex/sdk', () => ({
  HexClient: vi.fn().mockImplementation(() => ({
    // Mock methods here
  })),
}));

# Enable verbose logging
DEBUG=HEX=* npm run dev

import { LRUCache } from 'lru-cache';

const cache = new LRUCache<string, any>({
  max: 1000,
  ttl: 60000, // 1 minute
  updateAgeOnGet: true,
});

async function cachedHexRequest<T>(
  key: string,
  fetcher: () => Promise<T>,
  ttl?: number
): Promise<T> {
  const cached = cache.get(key);
  if (cached) return cached as T;

  const result = await fetcher();
  cache.set(key, result, { ttl });
  return result;
}

import Redis from 'ioredis';

const redis = new Redis(process.env.REDIS_URL);

async function cachedWithRedis<T>(
  key: string,
  fetcher: () => Promise<T>,
  ttlSeconds = 60
): Promise<T> {
  const cached = await redis.get(key);
  if (cached) return JSON.parse(cached);

  const result = await fetcher();
  await redis.setex(key, ttlSeconds, JSON.stringify(result));
  return result;
}

import DataLoader from 'dataloader';

const hexLoader = new DataLoader<string, any>(
  async (ids) => {
    // Batch fetch from Hex
    const results = await hexClient.batchGet(ids);
    return ids.map(id => results.find(r => r.id === id) || null);
  },
  {
    maxBatchSize: 100,
    batchScheduleFn: callback => setTimeout(callback, 10),
  }
);

// Usage - automatically batched
const [item1, item2, item3] = await Promise.all([
  hexLoader.load('id-1'),
  hexLoader.load('id-2'),
  hexLoader.load('id-3'),
]);

import { Agent } from 'https';

// Keep-alive connection pooling
const agent = new Agent({
  keepAlive: true,
  maxSockets: 10,
  maxFreeSockets: 5,
  timeout: 30000,
});

const client = new HexClient({
  apiKey: process.env.HEX_API_KEY!,
  httpAgent: agent,
});

async function* paginatedHexList<T>(
  fetcher: (cursor?: string) => Promise<{ data: T[]; nextCursor?: string }>
): AsyncGenerator<T> {
  let cursor: string | undefined;

  do {
   

# Pre-flight checks
curl -f https://staging.example.com/health
curl -s https://status.hex.com

# Gradual rollout - start with canary (10%)
kubectl apply -f k8s/production.yaml
kubectl set image deployment/hex-integration app=image:new --record
kubectl rollout pause deployment/hex-integration

# Monitor canary traffic for 10 minutes
sleep 600
# Check error rates and latency before continuing

# If healthy, continue rollout to 50%
kubectl rollout resume deployment/hex-integration
kubectl rollout pause deployment/hex-integration
sleep 300

# Complete rollout to 100%
kubectl rollout resume deployment/hex-integration
kubectl rollout status deployment/hex-integration

async function healthCheck(): Promise<{ status: string; hex: any }> {
  const start = Date.now();
  try {
    await hexClient.pi

async function withExponentialBackoff<T>(
  operation: () => Promise<T>,
  config = { maxRetries: 5, baseDelayMs: 1000, maxDelayMs: 32000, jitterMs: 500 }
): Promise<T> {
  for (let attempt = 0; attempt <= config.maxRetries; attempt++) {
    try {
      return await operation();
    } catch (error: any) {
      if (attempt === config.maxRetries) throw error;
      const status = error.status || error.response?.status;
      if (status !== 429 && (status < 500 || status >= 600)) throw error;

      // Exponential delay with jitter to prevent thundering herd
      const exponentialDelay = config.baseDelayMs * Math.pow(2, attempt);
      const jitter = Math.random() * config.jitterMs;
      const delay = Math.min(exponentialDelay + jitter, config.maxDelayMs);

      console.log(`Rate limited. Retrying in ${delay.toFixed(0)}ms...`);
      await new Promise(r => setTimeout(r, delay));
    }
  }
  throw new Error('Unreachable');
}

import { v4 as uuidv4 } from 'uuid';
import crypto from 'crypto';

// Generate deterministic key from operation params (for safe retries)
function generateIdempotencyKey(operation: string, params: Record<string, any>): string {
  const data = JSON.stringify({ operation, params });
  return crypto.createHash('sha256').update(data).digest('hex');
}

async function idempotentRequest<T>(
  client: HexClient,
  params: Record<string, any>,
  idempotencyKey?: string  // Pass existing key for retries
): Promise<T> {
  // Use provided key (for retries) or generate deterministic key from params
  const key = idempotencyKey || generateIdempotencyKey(params.method || 'POST', params);
  return client.request({
    ...params,
    headers: { 'Idempotency-Key': key, ...params.headers },
  });
}

my-hex-project/
├── src/
│   ├── hex/
│   │   ├── client.ts           # Singleton client wrapper
│   │   ├── config.ts           # Environment configuration
│   │   ├── types.ts            # TypeScript types
│   │   ├── errors.ts           # Custom error classes
│   │   └── handlers/
│   │       ├── webhooks.ts     # Webhook handlers
│   │       └── events.ts       # Event processing
│   ├── services/
│   │   └── hex/
│   │       ├── index.ts        # Service facade
│   │       ├── sync.ts         # Data synchronization
│   │       └── cache.ts        # Caching layer
│   ├── api/
│   │   └── hex/
│   │       └── webhook.ts      # Webhook endpoint
│   └── jobs/
│       └── hex/
│           └── sync.ts         # Background sync job
├── tests/
│   ├── unit/
│   │   └── hex/
│   └── integration/
│       └── hex/
├── config/
│   ├── hex.development.json
│   ├── hex.staging.json
│   └── hex.production.json
└── docs/
    └── hex/
        ├── SETUP.md
        └── RUNBOOK.md

┌─────────────────────────────────────────┐
│             API Layer                    │
│   (Controllers, Routes, Webhooks)        │
├─────────────────────────────────────────┤
│           Service Layer                  │
│  (Business Logic, Orchestration)         │
├─────────────────────────────────────────┤
│          Hex Layer        │
│   (Client, Types, Error Handling)        │
├─────────────────────────────────────────┤
│         Infrastructure Layer             │
│    (Cache, Queue, Monitoring)            │
└─────────────────────────────────────────┘

// src/hex/client.ts
export class HexService {
  private client: HexClient;
  private cache: Cache;
  private monitor: Monitor;

  constructor(config: HexConfig) {
    this.client = new HexClient(config);
    this.cache = new Cache(config.cacheOptions);
    this.monitor = new Monitor('hex');
  }

  async get(id: string): Promise<Resource> {
    return this.cache.getOrFetch(id, () =>
      this.monitor.track('get', () => this.client.get(id))
    );
  }
}

// src/hex/errors.ts
export class HexServiceError extends Error {
  constructor(
    message: string,
    public readonly code: string,
    public readonly retryable: boolean,
    public readonly originalError?: Error
  ) {
    super(message);
    this.name = 'HexServiceError';
  }
}

export function wrapHexError(error: unknown): HexServiceError {
  // Transform SDK errors to 

// src/hex/client.ts
import { HexClient } from '@hex/sdk';

let instance: HexClient | null = null;

export function getHexClient(): HexClient {
  if (!instance) {
    instance = new HexClient({
      apiKey: process.env.HEX_API_KEY!,
      // Additional options
    });
  }
  return instance;
}

import { HexError } from '@hex/sdk';

async function safeHexCall<T>(
  operation: () => Promise<T>
): Promise<{ data: T | null; error: Error | null }> {
  try {
    const data = await operation();
    return { data, error: null };
  } catch (err) {
    if (err instanceof HexError) {
      console.error({
        code: err.code,
        message: err.message,
      });
    }
    return { data: null, error: err as Error };
  }
}

async function withRetry<T>(
  operation: () => Promise<T>,
  maxRetries = 3,
  backoffMs = 1000
): Promise<T> {
  for (let attempt = 1; attempt <= maxRetries; attempt++) {
    try {
      return await operation();
    } catch (err) {
      if (attempt === maxRetries) throw err;
      const delay = backoffMs * Math.pow(2, attempt - 1);
      await new Promise(r => setTimeout(r, delay));
    }
  }
  throw new Error('Unreachable');
}

const clients = new Map<string, HexClient>();

export function getClientForTenant(tenantId: string): HexClient {
  if (!clients.has(tenantId)) {
    const apiKey = getTenantApiKey(tenantId);
    clients.set(tenantId, new HexClient({ apiKey }));
  }
  return clients.get(tenantId)!;
}

# .env (NEVER commit to git)
HEX_API_KEY=sk_live_***
HEX_SECRET=***

# .gitignore
.env
.env.local
.env.*.local

# 1. Generate new key in Hex dashboard
# 2. Update environment variable
export HEX_API_KEY="new_key_here"

# 3. Verify new key works
curl -H "Authorization: Bearer ${HEX_API_KEY}" \
  https://api.hex.com/health

# 4. Revoke old key in dashboard

const clients = {
  reader: new HexClient({
    apiKey: process.env.HEX_READ_KEY,
  }),
  writer: new HexClient({
    apiKey: process.env.HEX_WRITE_KEY,
  }),
};

import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string, signature: string, secret: string
): boolean {
  const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}

interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  metadata?: Record<string, any>;
}

async function auditLog(entr

npm list @hex/sdk
npm view @hex/sdk version

open https://github.com/hex/sdk/releases

git checkout -b upgrade/hex-sdk-vX.Y.Z
npm install @hex/sdk@latest
npm test

// Before (v1.x)
import { Client } from '@hex/sdk';

// After (v2.x)
import { HexClient } from '@hex/sdk';

// Before (v1.x)
const client = new Client({ key: 'xxx' });

// After (v2.x)
const client = new HexClient({
  apiKey: 'xxx',
});

npm install @hex/sdk@1.x.x --save-exact

// Monitor for deprecation warnings in development
if (process.env.NODE_ENV === 'development') {
  process.on('warning', (warning) => {
    if (warning.name === 'DeprecationWarning') {
      console.warn('[Hex]', warning.message);
      // Log to tracking system for proactive updates
    }
  });
}

// Common deprecation patterns to watch for:
// - Renamed methods: client.oldMethod() -> client.newMethod()
// - Changed parameters: { key: 'x' } -> { apiKey: 'x' }
// - Removed features: Check release notes before upgrading

import express from 'express';
import crypto from 'crypto';

const app = express();

// IMPORTANT: Raw body needed for signature verification
app.post('/webhooks/hex',
  express.raw({ type: 'application/json' }),
  async (req, res) => {
    const signature = req.headers['x-hex-signature'] as string;
    const timestamp = req.headers['x-hex-timestamp'] as string;

    if (!verifyHexSignature(req.body, signature, timestamp)) {
      return res.status(401).json({ error: 'Invalid signature' });
    }

    const event = JSON.parse(req.body.toString());
    await handleHexEvent(event);

    res.status(200).json({ received: true });
  }
);

function verifyHexSignature(
  payload: Buffer,
  signature: string,
  timestamp: string
): boolean {
  const secret = process.env.HEX_WEBHOOK_SECRET!;

  // Reject old timestamps (replay attack protection)
  const timestampAge = Date.now() - parseInt(timestamp) * 1000;
  if (timestampAge > 300000) { // 5 minutes
    console.error('Webhook timestamp too old');
    return false;
  }

  // Compute expected signature
  const signedPayload = `${timestamp}.${payload.toString()}`;
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(signedPayload)
    .digest('hex');

  // Timing-safe comparison
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)
  );
}

type HexEventType = 'resource.created' | 'resource.updated' | 'resource.deleted';

interface HexEvent {
  id: string;
  type: HexEventType;
  data: Record<string, any>;
  created: string;
}

const eventHandlers: Record<HexEventType, (data: any) => Promise<void>> = {
  'resource.created': async (data) => { /* handle */ },
  'resource.updated': async (data) => { /* handle */ },
  'resource.deleted': async (data) => { /* handle */ }
};

async function handleHexEvent(event: HexEvent): Promise<void> {
  const handler = eventHandlers[event.type];

  if (!handler) {
    console.log(`Unhandled event type: ${event.type}`);
    return;
  }

  try {
    await handler(event.data);
    console.log(`Processed ${event.type}: ${event.id}`);
  } catch (error) {
    console.error(`Failed to process ${event.type}: ${event.id}`, error);
    throw error; // Ret