Integration Adapter

WebhookAdapter is the integration seam.

Current state:

• HttpWebhookAdapter is used for production-shaped HTTP delivery.
• MockWebhookAdapter remains for explicit tests/local compatibility.
• Delivery attempts and statuses are persisted.
• Delivery events are audited.
• Idempotency keys are deterministic.
• Retry scheduling is durable and DB-driven through the delivery state machine.
• Dead-lettered outbox state is implemented.
• HMAC signing headers are supported and required by default outside local/dev/test.
• Tenant-scoped integration_destinations, integration_credentials, and integration_delivery_policy tables are implemented.
• Credential reads are redacted; runtime delivery resolves credential references through SecretProvider only at adapter execution time.
• Local/dev/test secret refs are supported through LocalDevSecretProvider.
• Production-shaped Kubernetes Secret refs are supported through KubernetesSecretProvider; cloud-specific secret managers should sync into Kubernetes Secrets outside the app.

Next production-shaped work:

• External Secrets Operator/CSI/Vault Agent sync manifests and exact secret RBAC resourceNames.
• Dedicated DLQ browser/tooling for parked and dead-lettered deliveries.
• Receiver replay-window guidance and verification fixtures for timestamp/idempotency replay protection.

Internal ticketing is contract-designed separately. External ticketing products must use adapters later; they are not the canonical OneProtect ticket store.

Intune / M365 Endpoint Manager is implemented in OP-056 as a tenant-scoped API integration for posture and inventory reads. It uses SecretProvider-backed credentials, redacted provider references, sync-run audit, and integration.intune.sync_completed. Native mobile agents and Intune device-control actions are not Phase 1 adapter work.

Source architecture notes: docs/architecture/integration-credentials.md, docs/architecture/integration-secrets-backend.md, and docs/architecture/delivery-state-machine.md.