feat: merge Gitea webhook security into setup wizard (closes #2) #3

Merged
ROOH merged 1 commit from feature/webhook-security-integration into main 2026-03-01 13:54:23 +01:00
Collaborator

Summary

Integrates the 5-layer Gitea webhook security system from sol/clawgravity-hook-security (v2.0) into the ROOH/openclaw_oauth_sync setup wizard. Users now get a single ./setup.sh that configures both OAuth token sync AND webhook security in one interactive flow.

Closes #2

What's New

New files

  • scripts/webhook-security/gitea-hmac-verify.js (njs HMAC-SHA256 module)
  • scripts/webhook-security/gitea-approve-repo (allowlist helper)
  • scripts/webhook-security/rotate-webhook-secret.sh (monthly rotation, templated)
  • scripts/webhook-security/webhook-audit-alert.sh (daily audit, templated)
  • scripts/webhook-security/ntfy-blocked-pickup.sh (real-time alerts, templated)
  • templates/webhook-security/nginx-site.conf.example
  • templates/webhook-security/nginx.conf.example
  • templates/webhook-security/gitea-repo-allowlist.json.example
  • docs/WEBHOOK-SECURITY.md (full documentation)
  • docs/SECURITY-AUDIT.md (35-case test matrix)
  • tests/test-webhook-security.sh (48 offline tests)

Modified files

  • setup.sh: Step 11 added (fully skippable webhook security wizard)
  • scripts/uninstall.sh: webhook security cleanup with confirmation
  • README.md: Webhook Security section added
  • Makefile: test target runs test-webhook-security.sh
  • .secret-scan-allowlist: docs/SECURITY-AUDIT.md (all-zeros test fixture)

Security Layers

  1. IP allowlisting (nginx)
  2. Rate limiting 10 req/s burst 20 (nginx)
  3. Payload size 1MB (nginx)
  4. HMAC-SHA256 signature verification (njs)
  5. Per-repository allowlist (njs)

All layers fail-closed.

make check

  • prettier: PASS
  • secret-scan: PASS
  • tests: 48/48 PASS
sol added 1 commit 2026-03-01 09:43:37 +01:00
Integrates the 5-layer Gitea webhook security system from
sol/clawgravity-hook-security (v2.0) into the setup wizard.

## What's added

### New files (from clawgravity-hook-security v2.0)
- scripts/webhook-security/gitea-hmac-verify.js    -- njs HMAC-SHA256 module
- scripts/webhook-security/gitea-approve-repo       -- allowlist helper
- scripts/webhook-security/rotate-webhook-secret.sh -- monthly secret rotation (templated)
- scripts/webhook-security/webhook-audit-alert.sh   -- daily audit summaries (templated)
- scripts/webhook-security/ntfy-blocked-pickup.sh   -- blocked webhook alerts (templated)
- templates/webhook-security/nginx-site.conf.example
- templates/webhook-security/nginx.conf.example
- templates/webhook-security/gitea-repo-allowlist.json.example
- docs/WEBHOOK-SECURITY.md   -- full documentation
- docs/SECURITY-AUDIT.md     -- 35-case test matrix
- tests/test-webhook-security.sh  -- 48 offline tests

### Modified files
- setup.sh: Step 11 (webhook security wizard with 6 sub-sections)
- scripts/uninstall.sh: webhook security cleanup section
- README.md: Webhook Security section after Quick Start
- Makefile: test target now runs test-webhook-security.sh
- .secret-scan-allowlist: allowlist docs/SECURITY-AUDIT.md (test fixture)

## Security layers
1. IP allowlisting (nginx)
2. Rate limiting 10 req/s burst 20 (nginx)
3. Payload size 1MB (nginx)
4. HMAC-SHA256 signature verification (njs)
5. Per-repository allowlist (njs)

## make check
- prettier: PASS
- secret-scan: PASS
- tests: 48/48 PASS

Closes #2
ROOH merged commit 81b4bbe960 into main 2026-03-01 13:54:23 +01:00
Reference: ROOH/openclaw_oauth_sync#3