|
|
2db7d7d90a
|
feat: merge Gitea webhook security into setup wizard (issue #2)
Integrates the 5-layer Gitea webhook security system from
sol/clawgravity-hook-security (v2.0) into the setup wizard.
## What's added
### New files (from clawgravity-hook-security v2.0)
- scripts/webhook-security/gitea-hmac-verify.js -- njs HMAC-SHA256 module
- scripts/webhook-security/gitea-approve-repo -- allowlist helper
- scripts/webhook-security/rotate-webhook-secret.sh -- monthly secret rotation (templated)
- scripts/webhook-security/webhook-audit-alert.sh -- daily audit summaries (templated)
- scripts/webhook-security/ntfy-blocked-pickup.sh -- blocked webhook alerts (templated)
- templates/webhook-security/nginx-site.conf.example
- templates/webhook-security/nginx.conf.example
- templates/webhook-security/gitea-repo-allowlist.json.example
- docs/WEBHOOK-SECURITY.md -- full documentation
- docs/SECURITY-AUDIT.md -- 35-case test matrix
- tests/test-webhook-security.sh -- 48 offline tests
### Modified files
- setup.sh: Step 11 (webhook security wizard with 6 sub-sections)
- scripts/uninstall.sh: webhook security cleanup section
- README.md: Webhook Security section after Quick Start
- Makefile: test target now runs test-webhook-security.sh
- .secret-scan-allowlist: allowlist docs/SECURITY-AUDIT.md (test fixture)
## Security layers
1. IP allowlisting (nginx)
2. Rate limiting 10 req/s burst 20 (nginx)
3. Payload size 1MB (nginx)
4. HMAC-SHA256 signature verification (njs)
5. Per-repository allowlist (njs)
## make check
- prettier: PASS
- secret-scan: PASS
- tests: 48/48 PASS
Closes #2
|
2026-03-01 08:43:02 +00:00 |
|
