[GEMINI-HARDEN-04] Build an authenticated webhook runner instead of a print-only payload parser #436

Open
opened 2026-04-09 14:32:39 +00:00 by Timmy · 0 comments
Owner

Parent epic: #432

Why
scripts/gitea_webhook_handler.py is not yet a real webhook execution path. Today it parses a payload file, prints inferred event information, and leaves the high-risk parts as comments/examples.

Before this becomes live automation, we need an authenticated, allowlisted bridge that is safe under adversarial input and aligned with repo policy.

Acceptance criteria

  • Verify Gitea webhook secret/signature before any action.
  • Event, repo, branch, and action allowlists are explicit and config-driven.
  • No direct git pull, shell execution, or fleet mutation is triggered from untrusted payload fields.
  • Logging captures accepted/rejected events and is replay-safe/idempotent.
  • Local test fixtures cover push, PR, issue, invalid-signature, and unknown-event paths.
  • Deployment/ops notes explicitly align this work with #288.
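
The shape the acceptance criteria describe, as an added example that is not the repository's `scripts/gitea_webhook_handler.py` and not code from the issue: signature verification before any parsing, a config-driven allowlist for event, repo and branch, a delivery-id dedup for replay safety, and a fixed action key chosen from config rather than from the payload. The header names (`X-Gitea-Signature` as the HMAC-SHA256 hex digest of the raw body, `X-Gitea-Event`, `X-Gitea-Delivery`) are Gitea's documented webhook headers; the `CONFIG` dict, the secret, the action keys and every fixture payload are constructed for the example.

```python
"""Added example of an authenticated, allowlisted webhook gate (not the repo's code)."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed config: everything that may trigger work is listed here and is
# never derived from payload fields.
CONFIG = {
    "secret": "constructed-shared-secret",            # placeholder secret
    "events": {"push", "pull_request", "issues"},
    "repos": {"Timmy_Foundation/timmy-config"},
    "branches": {"refs/heads/main"},
    # The payload only selects an event; the action that runs is this fixed key.
    "actions": {"push": "sync-config", "pull_request": "lint-pr", "issues": "triage-issue"},
}


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    action: Optional[str] = None
    delivery: Optional[str] = None


def sign(secret: str, body: bytes) -> str:
    """HMAC-SHA256 hex digest of the raw body, the value Gitea sends in X-Gitea-Signature."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


class WebhookGate:
    def __init__(self, config: dict):
        self.cfg = config
        self.seen: set = set()          # stand-in for a persistent delivery log
        self.log: list = []             # accepted and rejected decisions alike

    def handle(self, headers: dict, body: bytes) -> Decision:
        decision = self._decide(headers, body)
        self.log.append(decision)       # every event is recorded, accepted or not
        return decision

    def _decide(self, headers: dict, body: bytes) -> Decision:
        delivery = headers.get("X-Gitea-Delivery")
        # 1. Signature first: nothing below touches an unauthenticated body.
        expected = sign(self.cfg["secret"], body)
        if not hmac.compare_digest(expected, headers.get("X-Gitea-Signature", "")):
            return Decision(False, "invalid-signature", delivery=delivery)
        # 2. Replay protection keyed on the delivery id, not on payload content.
        if not delivery or delivery in self.seen:
            return Decision(False, "replay-or-missing-delivery", delivery=delivery)
        # 3. Event allowlist from the header, checked before the JSON is parsed.
        event = headers.get("X-Gitea-Event", "")
        if event not in self.cfg["events"]:
            return Decision(False, f"unknown-event:{event}", delivery=delivery)
        try:
            payload = json.loads(body)
        except ValueError:
            return Decision(False, "malformed-json", delivery=delivery)
        # 4. Repo/branch allowlists: payload values are compared, never interpolated
        #    into a command or path.
        repo = payload.get("repository", {}).get("full_name")
        if repo not in self.cfg["repos"]:
            return Decision(False, f"repo-not-allowed:{repo}", delivery=delivery)
        if event == "push" and payload.get("ref") not in self.cfg["branches"]:
            return Decision(False, f"branch-not-allowed:{payload.get('ref')}", delivery=delivery)
        # 5. Accept: mark the delivery as seen and hand back a config-defined action key.
        self.seen.add(delivery)
        return Decision(True, "accepted", action=self.cfg["actions"][event], delivery=delivery)


def fixtures():
    """Constructed deliveries covering push, PR, issue, invalid-signature,
    unknown-event and replay paths."""
    def delivery(event, payload, n, secret=CONFIG["secret"]):
        body = json.dumps(payload).encode()
        headers = {"X-Gitea-Delivery": f"d-{n}", "X-Gitea-Event": event,
                   "X-Gitea-Signature": sign(secret, body)}
        return headers, body
    repo = {"repository": {"full_name": "Timmy_Foundation/timmy-config"}}
    push = {**repo, "ref": "refs/heads/main"}
    return [
        ("push", *delivery("push", push, 1)),
        ("pr", *delivery("pull_request", {**repo, "action": "opened"}, 2)),
        ("issue", *delivery("issues", {**repo, "action": "opened"}, 3)),
        ("bad-sig", *delivery("push", push, 4, secret="wrong-secret")),
        ("unknown", *delivery("release", repo, 5)),
        ("replay", *delivery("push", push, 1)),   # same delivery id as the first push
    ]


def run_fixtures() -> dict:
    """Run all fixtures through one gate and return the decision per fixture name."""
    gate = WebhookGate(CONFIG)
    return {name: gate.handle(headers, body) for name, headers, body in fixtures()}


if __name__ == "__main__":
    for name, decision in run_fixtures().items():
        print(f"{name:8} accepted={decision.accepted} reason={decision.reason} action={decision.action}")
```

The gate returns a `Decision` instead of executing anything, so the caller that maps `action` keys to real work stays separate from the code that handles untrusted input; the in-memory `seen` set would be a persistent store in a deployed handler.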

Related

  • #432
  • #288
  • PR #418
Timmy added the enhancement label 2026-04-09 14:32:39 +00:00
bezalel was assigned by Timmy 2026-04-09 15:00:34 +00:00
Reference: Timmy_Foundation/timmy-config#436