Manual sync is fine during development but not the demo target.
GitHub already pushes events on issue open / edit / close; we need
an endpoint that accepts those, verifies them, and turns them into
a sync call.
Scope
- New route POST /workspaces/:ws/sources/:sourceId/webhook/github.
- HMAC verification via X-Hub-Signature-256 against a per-source
secret stored under <workspaceRoot>/.braid-secrets/ (gitignored).
- Valid signature → invoke the existing source-sync path → return
202. Sync emits source.synced, which the reactor already
consumes.
- Studio workspace-details panel surfaces, per github source:
webhook URL + a "rotate secret" button.
Out of scope
- GitHub App / OAuth installation flow. v0 is "copy URL and secret
into the repo's webhook settings".
- In-server scheduler / cron fallback. Users without webhook
access keep clicking sync manually.
- Multi-tenant secret management.
Acceptance
- Route test: bad signature → 401; valid signature → sync
invoked.
- Dogfood: configure webhook on this repo pointing at a local
server (ngrok or similar). Open a new issue. Within 30s the
workspace's pending proposal list grows by one without any
manual sync.
Depends on: #29.
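
One way to implement the X-Hub-Signature-256 check and the 401/202 mapping listed under Scope and Acceptance, as an added example that is not part of the original issue or the project's code. The names `signBody`, `verifyGithubSignature`, `handleWebhook` and `triggerSync` are hypothetical, and the secret and payload are constructed sample values.

```javascript
const crypto = require("node:crypto");

// Constructed sample values, not real credentials or a captured delivery.
const SAMPLE_SECRET = "constructed-per-source-secret";
const SAMPLE_BODY = Buffer.from('{"action":"opened","issue":{"number":1}}');

// Header value GitHub sends: "sha256=" + hex HMAC-SHA256 over the raw body.
function signBody(secret, rawBody) {
  const mac = crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
  return "sha256=" + mac;
}

// True only if the header is well formed and matches the raw request bytes.
// rawBody must be the bytes as received, before any JSON parsing, because
// re-serialized JSON will not reproduce the same digest.
function verifyGithubSignature(secret, rawBody, headerValue) {
  if (typeof headerValue !== "string") return false; // header missing
  const m = /^sha256=([0-9a-f]{64})$/.exec(headerValue);
  if (!m) return false; // wrong prefix, wrong length, or non-hex
  const received = Buffer.from(m[1], "hex");
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(received, expected);
}

// Hypothetical route core: bad signature -> 401 and no sync; valid -> sync, 202.
// Node lowercases incoming header names, hence the lowercase key.
function handleWebhook(req, triggerSync) {
  const sig = req.headers["x-hub-signature-256"];
  if (!verifyGithubSignature(req.secret, req.rawBody, sig)) return 401;
  triggerSync();
  return 202;
}

// Demo over the constructed delivery: one valid request, one tampered body.
const goodHeaders = { "x-hub-signature-256": signBody(SAMPLE_SECRET, SAMPLE_BODY) };
const valid = { secret: SAMPLE_SECRET, rawBody: SAMPLE_BODY, headers: goodHeaders };
const tampered = { ...valid, rawBody: Buffer.from('{"action":"closed"}') };
console.log(handleWebhook(valid, () => {}), handleWebhook(tampered, () => {}));
```
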