[Enhancement] Integration / API: Webhook delivery API hides the receiver's response body and request payload

Area: Integration / API (audit p13) · Surface: mobieusAPI / webhooks · Dimension: feature-to-improve · Severity: minor

Stripe's and Svix's webhook dashboards (the bar for webhook DX) show, per attempt, both the exact request body sent and the receiver's response body/status, which is how integrators debug a failing endpoint. Mobieus captures the response body in the DB but the API surfaces only a numeric status and a truncated error string, and offers no way to see the actual JSON payload that was signed and sent. Integrators debugging a 400 from their own handler can't see what came back. The data already exists; it just isn't returned.

Evidence

WebhookDelivery model stores last_response_body (platform/src/Models/WebhookDelivery.php:75,97,117,137) but WebhooksController@deliveries (platform/src/Controllers/Api/V1/WebhooksController.php:90-106) returns only status/attempt_count/last_status_code/last_latency_ms/last_error — it omits last_response_body and never exposes the signed request payload that was sent.

Suggested fix. Extend the deliveries endpoint (and add a per-attempt sub-resource) to include the captured request payload and last_response_body (size-capped), matching the existing admin delivery-log view; this is read-only exposure of already-stored columns.

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.