feat(webhook): per-forge webhook ingress + signature verification (MF-3) #307

Closed

dev wants to merge 2 commits from dev/294 into main

pull from: dev/294

merge into: charles:main

charles:main

charles:chore/sync-pre-push-from-forge-base

charles:fix/flows-yaml-dispatch-identity

charles:feat/board-tap-to-assign

charles:dev/1107

charles:code-lead/1106

charles:code-lead/1108

charles:dev/1104

charles:code-lead/1103

charles:code-lead/1080

charles:dev/1087

charles:feat/flows-yaml-ci-events

charles:chore/board-drop-stalled-and-density-controls

charles:fix/flows-yaml-routes-always-register

charles:flows-yaml/api-defaults

charles:dev/1023

charles:fix/event-log-history-bleed

charles:fix/janitor-fix-ci-logs-and-cap

charles:dev/1022

charles:fix/board-card-provider

charles:code-lead/1036

charles:dev/1025

charles:code-lead/1020

charles:dev/1017

charles:code-lead/1026

charles:feat/web-shortcut-registry-1018

charles:dev/1015

charles:code-lead/1009

charles:code-lead/1008

charles:dev/975

charles:dev/969

charles:dev/973

charles:dev/967

charles:code-lead/968

charles:code-lead/953

charles:dev/970

charles:dev/976

charles:code-lead/966

charles:code-lead/956

charles:code-lead/951

charles:dev/962

charles:dev/963

charles:dev/977

charles:dev/955

charles:dev/983

charles:dev/961

charles:dev/974

charles:code-lead/950

charles:code-lead/939

charles:dev/941

charles:dev/940

charles:dev/937

charles:dev/938

charles:dev/936

charles:dev/935

charles:feat/web-i18n-fr-locale

charles:feat/spec-editor-ui-polish

charles:chore/drop-legacy-compat

charles:fix/skills-drop-preview-pane

charles:fix/882-skills-safety-rail

charles:dev/911

charles:dev/909

charles:dev/923

charles:dev/917

charles:dev/915

charles:feat/879-sr11-m2-drop-legacy-skill

charles:code-lead/873

charles:dev/881

charles:code-lead/869

charles:dev/867

charles:code-lead/845

charles:code-lead/843

charles:code-lead/844

charles:dev/837

charles:dev/861

charles:dev/849

charles:code-lead/837

charles:code-lead/842

charles:fix/dedup-rebase-inflight

charles:dev/838

charles:code-lead/847

charles:dev/833

charles:code-lead/848

charles:pr/838

charles:code-lead/841

charles:feat/settings-save-bar/836

charles:code-lead/840

charles:dev/846

charles:code-lead/839

charles:dev/832

charles:fix/board-sse-stale-cache

charles:dev/834

charles:dev/835

charles:feat/settings-breadcrumbs

charles:feat/forge-oauth-credentials

charles:refactor/service-config-consolidation

charles:feat/agent-tokens-to-secrets

charles:feat/gitlab-oauth-to-db

charles:feat/authelia-rip-and-voice-fixes

charles:fix/rebase-storm-and-dead-letter

charles:code-lead/797

charles:code-lead/796

charles:dev/811

charles:code-lead/798

charles:dev/810

charles:code-lead/795

charles:dev/808

charles:code-lead/794

charles:dev/805

charles:dev/802

charles:dev/803

charles:feat/avatar-menu-settings-entry

charles:feat/per-agent-token-tracking

charles:dev/793

charles:dev/747

charles:dev/752

charles:code-lead/790

charles:code-lead/759

charles:dev/756

charles:dev/760

charles:dev/741

charles:dev/767

charles:dev/740

charles:dev/709

charles:dev/644

charles:dev/637

charles:boss/614

charles:dev/600

charles:dev/611

charles:dev/585

charles:fix/login-bonus-fixes

charles:boss/544

charles:dev/542

charles:refactor/api-prefix-and-session-gate

charles:dev/489

charles:boss/531

charles:boss/518

charles:dev/499

charles:boss/516

charles:dev/530

charles:dev/517

charles:dev/519

charles:dev/515

charles:dev/522

charles:dev/503

charles:dev/471

charles:boss/329

charles:dev/417

charles:dev/418

charles:dev/402

charles:boss/327

charles:dev/334

charles:dev/332

charles:boss/326

charles:boss/325

charles:dev/331

charles:boss/324

charles:boss/323

charles:boss/322

charles:test/s11-task-analytics

charles:dev/262

charles:boss/270

charles:dev/268

charles:foreman/ui-consolidation-spec

charles:dev/234

charles:boss/196

charles:boss/176

charles:boss/164

charles:fix/124-session-persist-bind

charles:boss/52

charles:dev/87

charles:boss/73

charles:dev/77

charles:dev/81

charles:dev/82

charles:boss/79

charles:dev/42

charles:dev/35

charles:boss/7

Conversation 1 Commits 2 Files changed 6 +1911 -2

dev commented 2026-04-23 23:53:22 +00:00

Collaborator

Copy link

Three new routes /webhooks/forgejo, /webhooks/github, /webhooks/gitlab with forge-specific signature verification (HMAC-SHA256 for Forgejo/GitHub, static token equality for GitLab). Legacy /webhooks alias kept indefinitely. Unknown events return 204; signature failures return 403.

New ForgeEvent discriminated union in @claude-hooks/shared covers all events the Forgejo dispatch currently handles. Pure normaliser functions (normalizeForgejoPayload, normalizeGitHubPayload, normalizeGitLabPayload) in webhook-normalize.ts translate forge-specific payloads to this shared shape. The existing Forgejo handler is unchanged; GitHub/GitLab routes normalise then dispatch through dispatchForgeEvent using the same handler set.

Test plan

• just qa passes — typecheck + Biome lint/format clean
• 51 normaliser tests pass (webhook-normalize.test.ts) — all three forges produce identical ForgeEvent for equivalent actions; signature-fail scenarios per forge return 403; unknown events return 204; unknown repos return 404
• Existing 48 webhook tests unchanged

Closes #294

Three new routes `/webhooks/forgejo`, `/webhooks/github`, `/webhooks/gitlab` with forge-specific signature verification (HMAC-SHA256 for Forgejo/GitHub, static token equality for GitLab). Legacy `/webhooks` alias kept indefinitely. Unknown events return `204`; signature failures return `403`. New `ForgeEvent` discriminated union in `@claude-hooks/shared` covers all events the Forgejo dispatch currently handles. Pure normaliser functions (`normalizeForgejoPayload`, `normalizeGitHubPayload`, `normalizeGitLabPayload`) in `webhook-normalize.ts` translate forge-specific payloads to this shared shape. The existing Forgejo handler is unchanged; GitHub/GitLab routes normalise then dispatch through `dispatchForgeEvent` using the same handler set. ## Test plan - [ ] `just qa` passes — typecheck + Biome lint/format clean - [ ] 51 normaliser tests pass (`webhook-normalize.test.ts`) — all three forges produce identical `ForgeEvent` for equivalent actions; signature-fail scenarios per forge return `403`; unknown events return `204`; unknown repos return `404` - [ ] Existing 48 webhook tests unchanged Closes #294

dev added 1 commit 2026-04-23 23:53:22 +00:00

feat(webhook): per-forge webhook ingress + signature verification (MF-3) ... 056899c8b2

Three new routes /webhooks/forgejo, /webhooks/github, /webhooks/gitlab with
forge-specific signature verification (HMAC-SHA256 for Forgejo/GitHub,
static token for GitLab). Legacy /webhooks alias kept for back-compat.

Adds ForgeEvent discriminated union in @claude-hooks/shared and pure
normaliser functions (normalizeForgejoPayload, normalizeGitHubPayload,
normalizeGitLabPayload) in webhook-normalize.ts. Unknown events return
204; signature failures return 403.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

dev requested review from reviewer 2026-04-24 00:06:21 +00:00

charles referenced this pull request from a commit 2026-04-24 00:16:12 +00:00

fix(webhook): address review for per-forge ingress (#307 follow-up)

charles added 1 commit 2026-04-24 00:16:12 +00:00

fix(webhook): address review for per-forge ingress (#307 follow-up) ... de81c718aa

Minor hygiene + doc pass on top of the per-forge webhook ingress:

- Drop unused `afterEach` / `mock` imports from webhook-normalize.test.ts
  (Biome doesn't catch these but they misrepresent the test harness).
- Expand the `label_updated` comment in `normalizeForgejoPayload` so
  callers know the first-label pick is deterministic-but-lossy and they
  must iterate `issue.labels` themselves if per-label routing matters
  (matches the semantic the existing Forgejo dispatch switch in
  webhook.ts already uses).

No behaviour change. All 99 webhook + normalize tests still pass;
pre-existing theme / session-pruning / foreman failures unrelated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

code-lead closed this pull request 2026-04-24 08:47:47 +00:00

code-lead commented 2026-04-24 08:47:54 +00:00

Collaborator

Copy link

Closed as duplicate of #305. Per MF-3 review: #305 uses per-forge webhook secrets (githubSecret/gitlabSecret) which satisfies spec § MF-3 requirement that per-forge secrets be unique to limit blast radius. #307 reuses cfg.secret across all three forges — a leaked Forgejo HMAC would double as a GitLab-webhook impersonation token.

Closed as duplicate of #305. Per MF-3 review: #305 uses per-forge webhook secrets (githubSecret/gitlabSecret) which satisfies spec § MF-3 requirement that per-forge secrets be unique to limit blast radius. #307 reuses cfg.secret across all three forges — a leaked Forgejo HMAC would double as a GitLab-webhook impersonation token.

All checks were successful

Hide all checks

qa / qa (pull_request) Successful in 3m37s

Required

Details

qa / dockerfile (pull_request) Successful in 7s

Details

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No reviewers

reviewer

Labels

Clear labels   

area:agents

Agent types, pool scheduling, per-instance config

  

area:dashboard

Dashboard UI and observability surfaces

  

area:database

DB layer — schema, migrations, ORM, raw SQL

  

area:design

UI/UX mockup work — routes to designer agent

  

area:design-review

Design review dispatch — routes to design-reviewer agent

  

area:flows

Flow runner — YAML loader, executor, op registry, expression eval

  

area:infra

Deployment, isolation, containers, systemd units

  

area:meta

Tracking, scaffolding, project setup

  

area:security

Security — routes to reviewer-security (opus)

  

area:sessions

Session-id store, Claude SDK resume logic

  

area:webhook

Forgejo webhook routing and handlers

  

area:workdir

Clone cache, worktrees, git identity

  

security

Security-sensitive issue

  

type:bug

Bug

  

type:chore

Chore

  

type:meta

Tracking or decisions, not implementation work

  

type:user-story

User story

No labels

area:agents

area:dashboard

area:database

area:design

area:design-review

area:flows

area:infra

area:meta

area:security

area:sessions

area:webhook

area:workdir

security

type:bug

type:chore

type:meta

type:user-story

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

3 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

charles/claude-hooks!307

No description provided.