Authoring spec — webhook-architecture.com expansion phase

You are writing/upgrading Eleventy markdown pages under content/. Every page is an index.md whose URL is its folder path. Match the existing site’s dense, expert, production-grade tone (read a sibling file first). All code uses Python for delivery/retry/ops topics and TypeScript for schema/validation/security topics, consistent within a page.

File anatomy (EVERY page, in this exact order)

1. YAML frontmatter — only a title:

   ---
   title: "Concise Page Title (< 60 chars, no site name)"
   ---
   

2. Inline JSON-LD <script type="application/ld+json"> with an @graph containing:
   • Article (headline, description, author/publisher = Organization “Engineering Architecture Team”, mainEntityOfPage @id = the page URL)
   • TechArticle (proficiencyLevel: "Expert" for pillar+cluster, "Intermediate" for long-tail; dependencies = relevant tech list)
   • BreadcrumbList built from the REAL URL hierarchy: Home / → each path segment as a ListItem with real item URLs (e.g. position1 Home /, position2 pillar URL, position3 cluster URL, position4 this page). Use human names.
   • HowTo ONLY on pages that contain a numbered implementation checklist; its steps must match that section exactly. Keep JSON valid (no trailing commas). Use relative URLs like /webhook-security-signing-validation/.
3. # H1 Title — a fuller title than the frontmatter one.
4. Lead paragraph(s) with the required up-link (see Interlinking).
5. Body sections per the page-type blueprint below. Use ##/### headings that NAME the specific technical concept (never “Introduction”/“Conclusion”/“Overview” alone).
6. One custom inline SVG diagram (see SVG rules) placed where it explains the hardest concept — usually right after the lead or inside the architecture section.
7. ## Related block at the very end: a markdown bullet list of 3–5 links (see Interlinking).

Page-type blueprints

Pillar (~1500-1900 words): lead defining the domain + up-link to home /; an architecture/lifecycle section (carry the overview SVG here); 3 core-concept sections with trade-offs; a numbered “Production Implementation Checklist” (mirror it in HowTo JSON-LD); a failure-mode table (mode | impact | mitigation, ≥4 rows); one runnable annotated code block; an operational/observability section; Related block = 4–6 links to child clusters + 1–2 cross-pillar links.

Cluster (~1200-1600 words): lead with narrow problem + up-link to parent pillar IN THE FIRST SENTENCE; 2–4 named implementation patterns with trade-offs; a security/validation section; an operational/CI-CD section; failure-mode table (≥4 rows); one runnable code block; a debugging checklist (markdown task list - [ ]); Related = 2–3 sibling clusters + 1–2 child long-tails + up-link to pillar.

Long-tail (~1100-1500 words): lead framing ONE specific scenario + up-link to parent cluster + cross-link to one sibling; a Prerequisites list; numbered step-by-step with runnable code at each critical step; a Verification/testing section (unit test, curl, or log assertion); a “Failure modes and gotchas” section (2–4 specific pitfalls + fixes); Related = 2–3 sibling long-tails + up-link to cluster.

Every table needs a header row + ≥4 data rows.

Interlinking (mandatory)

Inline-link the FIRST mention of any concept that has its own page, woven into prose (not footnotes). Use the link map below. Cluster pages link back to their pillar in the first sentence; long-tail pages link to their cluster and ≥2 sibling long-tails. End every page with a ## Related bullet list.

Term hygiene (CI-enforced)

NEVER use the words pillar, cluster (in the IA sense), long-tail, hub-and-spoke, supporting page, content silo, internal linking structure in reader-facing prose. “Kafka cluster”/“DB cluster” is fine.

SVG rules (CI-enforced — read carefully, broken SVGs fail the build)

Wrap each diagram:

<figure class="diagram">
<svg viewBox="0 0 760 360" role="img" aria-label="short description" xmlns="http://www.w3.org/2000/svg">
  <title>Short title</title>
  <desc>One-sentence description.</desc>
  ... shapes ...
</svg>
<figcaption>Caption naming what the diagram shows.</figcaption>
</figure>

HARD REQUIREMENTS so it survives the headless render check:

• NO BLANK LINES anywhere inside the <figure>/<svg> markup. markdown-it ends a raw-HTML block at the first blank line, which splits the diagram and breaks rendering (the QA render check does NOT reliably catch this). Keep every SVG line contiguous — use comments or nothing between groups, never an empty line.
• ALWAYS include viewBox; never a fixed pixel width/height on <svg> (the CSS sizes it).
• On EVERY <text> element set an explicit small font-size (e.g. font-size="14") and font-family="Inter, sans-serif". Without this the page font leaks in and overflows — an automatic FAIL.
• Keep every <text> comfortably INSIDE its shape and inside the viewBox (leave ~12px padding). Use short labels. Use text-anchor="middle" for centered labels. Don’t let text run past the right/bottom edge.
• Use the palette via hex (theme is light): dusk #274c77, steel #6096ba, icy #a3cef1, platinum #e7ecef, text #1f2a37, white #ffffff. Stroke weight ~1.5–2. Rounded corners (rx ~8).
• Make it ORIGINAL to the page (a real data-flow / state / sequence / comparison diagram), not decorative.
• Pillars should carry a top-level overview diagram. Every new/uplifted page gets exactly one strong diagram.
• Give each <defs>/gradient/marker a UNIQUE id per page (e.g. arrow-<slug>) to avoid collisions — but ids only need to be unique within the page.

Link map (slug → URL). Use these exact URLs when interlinking.

PILLARS:

• Fundamentals → /webhook-architecture-fundamentals-design-patterns/
• Security → /webhook-security-signing-validation/
• Resilience → /resilient-delivery-retry-strategies/
• Testing & Local Development (NEW) → /webhook-testing-and-local-development/

FUNDAMENTALS children:

• event-schema-design → /webhook-architecture-fundamentals-design-patterns/event-schema-design/
  • best-practices-for-webhook-payload-versioning → …/event-schema-design/best-practices-for-webhook-payload-versioning/
  • schema-registry-for-webhook-events (NEW) → …/event-schema-design/schema-registry-for-webhook-events/
• idempotency-in-webhooks → /webhook-architecture-fundamentals-design-patterns/idempotency-in-webhooks/
  • how-to-design-idempotent-webhook-consumers → …/idempotency-in-webhooks/how-to-design-idempotent-webhook-consumers/
  • idempotency-keys-vs-deduplication-windows (NEW) → …/idempotency-in-webhooks/idempotency-keys-vs-deduplication-windows/
• message-ordering-guarantees → /webhook-architecture-fundamentals-design-patterns/message-ordering-guarantees/
  • implementing-strict-ordering-for-financial-webhooks → …/message-ordering-guarantees/implementing-strict-ordering-for-financial-webhooks/
  • at-least-once-vs-exactly-once-delivery-trade-offs (NEW) → …/message-ordering-guarantees/at-least-once-vs-exactly-once-delivery-trade-offs/
• sync-vs-async-webhooks → /webhook-architecture-fundamentals-design-patterns/sync-vs-async-webhooks/
  • when-to-use-synchronous-callbacks-vs-async-webhooks → …/sync-vs-async-webhooks/when-to-use-synchronous-callbacks-vs-async-webhooks/
  • designing-webhook-fan-out-architectures (NEW) → …/sync-vs-async-webhooks/designing-webhook-fan-out-architectures/
• webhook-observability-monitoring (NEW cluster) → /webhook-architecture-fundamentals-design-patterns/webhook-observability-monitoring/
  • instrumenting-webhooks-with-opentelemetry (NEW) → …/webhook-observability-monitoring/instrumenting-webhooks-with-opentelemetry/
  • defining-slos-for-webhook-delivery (NEW) → …/webhook-observability-monitoring/defining-slos-for-webhook-delivery/
  • alerting-on-webhook-delivery-failures (NEW) → …/webhook-observability-monitoring/alerting-on-webhook-delivery-failures/

SECURITY children:

• hmac-signature-verification → /webhook-security-signing-validation/hmac-signature-verification/
  • step-by-step-hmac-webhook-validation-in-nodejs → …/hmac-signature-verification/step-by-step-hmac-webhook-validation-in-nodejs/
  • hmac-sha256-vs-rsa-asymmetric-webhook-signatures (NEW) → …/hmac-signature-verification/hmac-sha256-vs-rsa-asymmetric-webhook-signatures/
• jwt-based-webhook-auth → /webhook-security-signing-validation/jwt-based-webhook-auth/
  • validating-jwt-tokens-in-webhook-payloads → …/jwt-based-webhook-auth/validating-jwt-tokens-in-webhook-payloads/
  • rotating-jwt-signing-keys-with-jwks (NEW) → …/jwt-based-webhook-auth/rotating-jwt-signing-keys-with-jwks/
• key-rotation-strategies → /webhook-security-signing-validation/key-rotation-strategies/
  • how-to-implement-secure-key-rotation-for-webhooks → …/key-rotation-strategies/how-to-implement-secure-key-rotation-for-webhooks/
  • zero-downtime-webhook-secret-rotation (NEW) → …/key-rotation-strategies/zero-downtime-webhook-secret-rotation/
• replay-attack-prevention → /webhook-security-signing-validation/replay-attack-prevention/
  • preventing-webhook-replay-attacks-with-timestamps → …/replay-attack-prevention/preventing-webhook-replay-attacks-with-timestamps/
  • nonce-based-replay-protection-with-redis (NEW) → …/replay-attack-prevention/nonce-based-replay-protection-with-redis/
• mutual-tls-for-webhooks (NEW cluster) → /webhook-security-signing-validation/mutual-tls-for-webhooks/
  • configuring-mtls-for-webhook-endpoints (NEW) → …/mutual-tls-for-webhooks/configuring-mtls-for-webhook-endpoints/

RESILIENCE children:

• circuit-breaker-patterns → /resilient-delivery-retry-strategies/circuit-breaker-patterns/
  • per-endpoint-circuit-breaker-state-machines (NEW) → …/circuit-breaker-patterns/per-endpoint-circuit-breaker-state-machines/
• dead-letter-queue-architecture → /resilient-delivery-retry-strategies/dead-letter-queue-architecture/
  • building-a-dead-letter-queue-for-failed-webhooks → …/dead-letter-queue-architecture/building-a-dead-letter-queue-for-failed-webhooks/
  • replaying-events-from-a-dead-letter-queue (NEW) → …/dead-letter-queue-architecture/replaying-events-from-a-dead-letter-queue/
• delivery-guarantee-levels → /resilient-delivery-retry-strategies/delivery-guarantee-levels/
  • choosing-a-webhook-delivery-guarantee-level (NEW) → …/delivery-guarantee-levels/choosing-a-webhook-delivery-guarantee-level/
• exponential-backoff-algorithms → /resilient-delivery-retry-strategies/exponential-backoff-algorithms/
  • implementing-exponential-backoff-in-python-webhook-handlers → …/exponential-backoff-algorithms/implementing-exponential-backoff-in-python-webhook-handlers/
  • adding-jitter-to-webhook-retry-backoff (NEW) → …/exponential-backoff-algorithms/adding-jitter-to-webhook-retry-backoff/
• webhook-rate-limiting-and-backpressure (NEW cluster) → /resilient-delivery-retry-strategies/webhook-rate-limiting-and-backpressure/
  • applying-backpressure-to-webhook-consumers (NEW) → …/webhook-rate-limiting-and-backpressure/applying-backpressure-to-webhook-consumers/

TESTING & LOCAL DEV (NEW pillar) children:

• local-webhook-development-with-tunnels (NEW cluster) → /webhook-testing-and-local-development/local-webhook-development-with-tunnels/
  • testing-webhooks-locally-with-ngrok-and-tunnels (NEW) → …/local-webhook-development-with-tunnels/testing-webhooks-locally-with-ngrok-and-tunnels/
• webhook-contract-testing (NEW cluster) → /webhook-testing-and-local-development/webhook-contract-testing/
  • consumer-driven-contract-tests-for-webhooks (NEW) → …/webhook-contract-testing/consumer-driven-contract-tests-for-webhooks/
• load-testing-webhook-endpoints (NEW cluster) → /webhook-testing-and-local-development/load-testing-webhook-endpoints/
  • simulating-webhook-traffic-spikes (NEW) → …/load-testing-webhook-endpoints/simulating-webhook-traffic-spikes/
• inspecting-and-replaying-webhook-deliveries (NEW cluster) → /webhook-testing-and-local-development/inspecting-and-replaying-webhook-deliveries/
  • debugging-failed-webhook-deliveries (NEW) → …/inspecting-and-replaying-webhook-deliveries/debugging-failed-webhook-deliveries/