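---
# Webhook Runner Configuration — GEMINI-HARDEN-04
# Placed alongside scripts/webhook_runner.py
# Environment variables override these values.

webhook:
  # Network binding. Loopback only by default, so the runner is not
  # reachable from the network unless a proxy is deliberately put in front.
  host: 127.0.0.1
  port: 7777

  # Shared secret with Gitea (REQUIRED in production).
  # Set via WEBHOOK_SECRET env var or replace here. Keep it null in the
  # committed file; the real value belongs in the environment, not in VCS.
  secret: null

  # Allowlists
  # Event types accepted from Gitea.
  allowed_events:
    - push
    - pull_request
    - issues
    - issue_comment

  # Repository allowlist — patterns: "org/repo" or "org/*"
  # (quoted so the trailing "*" is not read as a YAML alias)
  allowed_repos:
    - "Timmy_Foundation/*"

  # Branches allowed for push events (pattern match against full ref)
  allowed_branches:
    - main
    - master
    - develop

  # PR/issue actions allowed
  allowed_actions:
    - opened
    - closed
    - synchronize
    - reopened
    - created
    - edited

  # Idempotency — prevents double-processing on retries
  idempotency:
    # Where seen-delivery state is persisted (relative path; quoted so the
    # leading "." is never mis-typed by a parser).
    state_file: '.webhook_idempotency.json'
    max_entries: 10000
    ttl_days: 30

  # Structured logging
  logging:
    level: INFO
    file: null  # null → stdout

  # Safe dispatch rules — only pre-approved actions.
  # Every rule below is log_and_ack: the event is recorded and acknowledged,
  # nothing is deployed or executed from webhook content.
  dispatch:
    push:
      refs/heads/main:
        allowed: true
        action: log_and_ack
        comment: Main push — logged, no auto-deploy
      # NOTE(review): this key looks like a prefix/fallback match for
      # non-main refs — confirm the lookup semantics in webhook_runner.py
      # before adding any action other than log_and_ack here.
      refs/heads/:
        allowed: true
        action: log_and_ack
        comment: Non-main branch push — logged
    pull_request:
      opened:
        allowed: true
        action: log_and_ack
        comment: PR opened — logged
      synchronize:
        allowed: true
        action: log_and_ack
        comment: PR updated — logged
    issues:
      opened:
        allowed: true
        action: log_and_ack
        comment: Issue opened — logged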