Webhooks that cannot lose deliveries.

Every outbound dispatch is a WebhookDelivery row. ClaimedBy/ClaimedAt cleared on every transition out of Claimed — so retry-scheduled rows remain eligible for future scans (anti-pattern #50).

Per-try record. Status code, response body, latency, error class. Auditable history — operators see exactly what happened on every attempt.

ComputeBackoffSeconds adds 0-50% random jitter to base exponential backoff. Synchronized retry storms across instances are prevented by construction.

WebhookPayloadSigner operates on ReadOnlySpan<byte>. Key material never becomes a string. Format: t={unix},v1={hex}. Verifiable by every standard webhook receiver.

Signing keys live in the key ring. SecretKeyRingId never appears in API projections, logs, traces, exception messages. Anti-pattern #49 codified.

Replaces the legacy glob string EventTypeFilter. 15 typed operators, depth-bounded validator, deterministic serializer, fail-closed evaluator. Filter expressions are first-class.

Globally-unique ULID identifying the inbound route. Path uniqueness is platform-wide, not scoped by tenant — receivers can be discovered, validated, rotated independently.

Pending / Succeeded / Failed lifecycle. PlannedOutboxEventKey links to the canonical event for crash recovery reconciliation. Same payload twice yields the same canonical event once.

Same WebhookPayloadSigner verifies inbound signatures. Timing-safe comparison. Reject before parsing. Anti-pattern #76 codified — never trust a payload before its signature checks.