feat: per-repo issue tracker, Gitea support, PR review pipeline (#10)

compliance-agent/src/webhooks/gitea.rs

@@ -0,0 +1,138 @@
+use std::sync::Arc;
+
+use axum::body::Bytes;
+use axum::extract::{Extension, Path};
+use axum::http::{HeaderMap, StatusCode};
+use hmac::{Hmac, Mac};
+use sha2::Sha256;
+
+use compliance_core::models::ScanTrigger;
+
+use crate::agent::ComplianceAgent;
+
+type HmacSha256 = Hmac<Sha256>;
+
+pub async fn handle_gitea_webhook(
+    Extension(agent): Extension<Arc<ComplianceAgent>>,
+    Path(repo_id): Path<String>,
+    headers: HeaderMap,
+    body: Bytes,
+) -> StatusCode {
+    // Look up the repo to get its webhook secret
+    let oid = match mongodb::bson::oid::ObjectId::parse_str(&repo_id) {
+        Ok(oid) => oid,
+        Err(_) => return StatusCode::NOT_FOUND,
+    };
+    let repo = match agent
+        .db
+        .repositories()
+        .find_one(mongodb::bson::doc! { "_id": oid })
+        .await
+    {
+        Ok(Some(repo)) => repo,
+        _ => {
+            tracing::warn!("Gitea webhook: repo {repo_id} not found");
+            return StatusCode::NOT_FOUND;
+        }
+    };
+
+    // Verify HMAC-SHA256 signature using the per-repo secret
+    if let Some(secret) = &repo.webhook_secret {
+        let signature = headers
+            .get("x-gitea-signature")
+            .and_then(|v| v.to_str().ok())
+            .unwrap_or("");
+
+        if !verify_signature(secret, &body, signature) {
+            tracing::warn!("Gitea webhook: invalid signature for repo {repo_id}");
+            return StatusCode::UNAUTHORIZED;
+        }
+    }
+
+    let event = headers
+        .get("x-gitea-event")
+        .and_then(|v| v.to_str().ok())
+        .unwrap_or("");
+
+    let payload: serde_json::Value = match serde_json::from_slice(&body) {
+        Ok(v) => v,
+        Err(e) => {
+            tracing::warn!("Gitea webhook: invalid JSON: {e}");
+            return StatusCode::BAD_REQUEST;
+        }
+    };
+
+    match event {
+        "push" => {
+            let agent_clone = (*agent).clone();
+            let repo_id = repo_id.clone();
+            tokio::spawn(async move {
+                tracing::info!("Gitea push webhook: triggering scan for {repo_id}");
+                if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
+                    tracing::error!("Webhook-triggered scan failed: {e}");
+                }
+            });
+            StatusCode::OK
+        }
+        "pull_request" => handle_pull_request(agent, &repo_id, &payload).await,
+        _ => {
+            tracing::debug!("Gitea webhook: ignoring event '{event}'");
+            StatusCode::OK
+        }
+    }
+}
+
+async fn handle_pull_request(
+    agent: Arc<ComplianceAgent>,
+    repo_id: &str,
+    payload: &serde_json::Value,
+) -> StatusCode {
+    let action = payload["action"].as_str().unwrap_or("");
+    if action != "opened" && action != "synchronized" {
+        return StatusCode::OK;
+    }
+
+    let pr_number = payload["pull_request"]["number"].as_u64().unwrap_or(0);
+    let head_sha = payload["pull_request"]["head"]["sha"]
+        .as_str()
+        .unwrap_or("");
+    let base_sha = payload["pull_request"]["base"]["sha"]
+        .as_str()
+        .unwrap_or("");
+
+    if pr_number == 0 || head_sha.is_empty() || base_sha.is_empty() {
+        tracing::warn!("Gitea PR webhook: missing required fields");
+        return StatusCode::BAD_REQUEST;
+    }
+
+    let repo_id = repo_id.to_string();
+    let head_sha = head_sha.to_string();
+    let base_sha = base_sha.to_string();
+    let agent_clone = (*agent).clone();
+    tokio::spawn(async move {
+        tracing::info!("Gitea PR webhook: reviewing PR #{pr_number} on {repo_id}");
+        if let Err(e) = agent_clone
+            .run_pr_review(&repo_id, pr_number, &base_sha, &head_sha)
+            .await
+        {
+            tracing::error!("PR review failed for #{pr_number}: {e}");
+        }
+    });
+
+    StatusCode::OK
+}
+
+fn verify_signature(secret: &str, body: &[u8], signature: &str) -> bool {
+    // Gitea sends raw hex (no sha256= prefix)
+    let sig_bytes = match hex::decode(signature) {
+        Ok(b) => b,
+        Err(_) => return false,
+    };
+
+    let mut mac = match HmacSha256::new_from_slice(secret.as_bytes()) {
+        Ok(m) => m,
+        Err(_) => return false,
+    };
+    mac.update(body);
+    mac.verify_slice(&sig_bytes).is_ok()
+}

compliance-agent/src/webhooks/github.rs

@@ -1,10 +1,9 @@
 use std::sync::Arc;
 
 use axum::body::Bytes;
-use axum::extract::Extension;
+use axum::extract::{Extension, Path};
 use axum::http::{HeaderMap, StatusCode};
 use hmac::{Hmac, Mac};
-use secrecy::ExposeSecret;
 use sha2::Sha256;
 
 use compliance_core::models::ScanTrigger;
@@ -15,18 +14,37 @@ type HmacSha256 = Hmac<Sha256>;
 
 pub async fn handle_github_webhook(
     Extension(agent): Extension<Arc<ComplianceAgent>>,
+    Path(repo_id): Path<String>,
     headers: HeaderMap,
     body: Bytes,
 ) -> StatusCode {
-    // Verify HMAC signature
-    if let Some(secret) = &agent.config.github_webhook_secret {
+    // Look up the repo to get its webhook secret
+    let oid = match mongodb::bson::oid::ObjectId::parse_str(&repo_id) {
+        Ok(oid) => oid,
+        Err(_) => return StatusCode::NOT_FOUND,
+    };
+    let repo = match agent
+        .db
+        .repositories()
+        .find_one(mongodb::bson::doc! { "_id": oid })
+        .await
+    {
+        Ok(Some(repo)) => repo,
+        _ => {
+            tracing::warn!("GitHub webhook: repo {repo_id} not found");
+            return StatusCode::NOT_FOUND;
+        }
+    };
+
+    // Verify HMAC-SHA256 signature using the per-repo secret
+    if let Some(secret) = &repo.webhook_secret {
         let signature = headers
             .get("x-hub-signature-256")
             .and_then(|v| v.to_str().ok())
             .unwrap_or("");
 
-        if !verify_signature(secret.expose_secret(), &body, signature) {
-            tracing::warn!("GitHub webhook: invalid signature");
+        if !verify_signature(secret, &body, signature) {
+            tracing::warn!("GitHub webhook: invalid signature for repo {repo_id}");
             return StatusCode::UNAUTHORIZED;
         }
     }
@@ -45,8 +63,18 @@ pub async fn handle_github_webhook(
     };
 
     match event {
-        "push" => handle_push(agent, &payload).await,
-        "pull_request" => handle_pull_request(agent, &payload).await,
+        "push" => {
+            let agent_clone = (*agent).clone();
+            let repo_id = repo_id.clone();
+            tokio::spawn(async move {
+                tracing::info!("GitHub push webhook: triggering scan for {repo_id}");
+                if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
+                    tracing::error!("Webhook-triggered scan failed: {e}");
+                }
+            });
+            StatusCode::OK
+        }
+        "pull_request" => handle_pull_request(agent, &repo_id, &payload).await,
         _ => {
             tracing::debug!("GitHub webhook: ignoring event '{event}'");
             StatusCode::OK
@@ -54,43 +82,9 @@ pub async fn handle_github_webhook(
     }
 }
 
-async fn handle_push(agent: Arc<ComplianceAgent>, payload: &serde_json::Value) -> StatusCode {
-    let repo_url = payload["repository"]["clone_url"]
-        .as_str()
-        .or_else(|| payload["repository"]["html_url"].as_str())
-        .unwrap_or("");
-
-    if repo_url.is_empty() {
-        return StatusCode::BAD_REQUEST;
-    }
-
-    // Find matching tracked repository
-    let repo = agent
-        .db
-        .repositories()
-        .find_one(mongodb::bson::doc! { "git_url": repo_url })
-        .await
-        .ok()
-        .flatten();
-
-    if let Some(repo) = repo {
-        let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
-        let agent_clone = (*agent).clone();
-        tokio::spawn(async move {
-            tracing::info!("GitHub push webhook: triggering scan for {repo_id}");
-            if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
-                tracing::error!("Webhook-triggered scan failed: {e}");
-            }
-        });
-    } else {
-        tracing::debug!("GitHub push webhook: no tracked repo for {repo_url}");
-    }
-
-    StatusCode::OK
-}
-
 async fn handle_pull_request(
-    _agent: Arc<ComplianceAgent>,
+    agent: Arc<ComplianceAgent>,
+    repo_id: &str,
     payload: &serde_json::Value,
 ) -> StatusCode {
     let action = payload["action"].as_str().unwrap_or("");
@@ -98,21 +92,37 @@ async fn handle_pull_request(
         return StatusCode::OK;
     }
 
-    let repo_url = payload["repository"]["clone_url"].as_str().unwrap_or("");
     let pr_number = payload["pull_request"]["number"].as_u64().unwrap_or(0);
+    let head_sha = payload["pull_request"]["head"]["sha"]
+        .as_str()
+        .unwrap_or("");
+    let base_sha = payload["pull_request"]["base"]["sha"]
+        .as_str()
+        .unwrap_or("");
 
-    if repo_url.is_empty() || pr_number == 0 {
+    if pr_number == 0 || head_sha.is_empty() || base_sha.is_empty() {
         return StatusCode::BAD_REQUEST;
     }
 
-    tracing::info!("GitHub PR webhook: PR #{pr_number} {action} on {repo_url}");
-    // PR review scan would be triggered here - runs incremental SAST on diff
-    // and posts review comments via the GitHub tracker
+    let repo_id = repo_id.to_string();
+    let head_sha = head_sha.to_string();
+    let base_sha = base_sha.to_string();
+    let agent_clone = (*agent).clone();
+    tokio::spawn(async move {
+        tracing::info!("GitHub PR webhook: reviewing PR #{pr_number} on {repo_id}");
+        if let Err(e) = agent_clone
+            .run_pr_review(&repo_id, pr_number, &base_sha, &head_sha)
+            .await
+        {
+            tracing::error!("PR review failed for #{pr_number}: {e}");
+        }
+    });
 
     StatusCode::OK
 }
 
 fn verify_signature(secret: &str, body: &[u8], signature: &str) -> bool {
+    // GitHub sends sha256=<hex>
     let sig = signature.strip_prefix("sha256=").unwrap_or(signature);
     let sig_bytes = match hex::decode(sig) {
         Ok(b) => b,

compliance-agent/src/webhooks/gitlab.rs

@@ -1,9 +1,8 @@
 use std::sync::Arc;
 
 use axum::body::Bytes;
-use axum::extract::Extension;
+use axum::extract::{Extension, Path};
 use axum::http::{HeaderMap, StatusCode};
-use secrecy::ExposeSecret;
 
 use compliance_core::models::ScanTrigger;
 
@@ -11,18 +10,37 @@ use crate::agent::ComplianceAgent;
 
 pub async fn handle_gitlab_webhook(
     Extension(agent): Extension<Arc<ComplianceAgent>>,
+    Path(repo_id): Path<String>,
     headers: HeaderMap,
     body: Bytes,
 ) -> StatusCode {
-    // Verify GitLab token
-    if let Some(secret) = &agent.config.gitlab_webhook_secret {
+    // Look up the repo to get its webhook secret
+    let oid = match mongodb::bson::oid::ObjectId::parse_str(&repo_id) {
+        Ok(oid) => oid,
+        Err(_) => return StatusCode::NOT_FOUND,
+    };
+    let repo = match agent
+        .db
+        .repositories()
+        .find_one(mongodb::bson::doc! { "_id": oid })
+        .await
+    {
+        Ok(Some(repo)) => repo,
+        _ => {
+            tracing::warn!("GitLab webhook: repo {repo_id} not found");
+            return StatusCode::NOT_FOUND;
+        }
+    };
+
+    // GitLab sends the secret token in X-Gitlab-Token header (plain text comparison)
+    if let Some(secret) = &repo.webhook_secret {
         let token = headers
             .get("x-gitlab-token")
             .and_then(|v| v.to_str().ok())
             .unwrap_or("");
 
-        if token != secret.expose_secret() {
-            tracing::warn!("GitLab webhook: invalid token");
+        if token != secret {
+            tracing::warn!("GitLab webhook: invalid token for repo {repo_id}");
             return StatusCode::UNAUTHORIZED;
         }
     }
@@ -38,8 +56,18 @@ pub async fn handle_gitlab_webhook(
     let event_type = payload["object_kind"].as_str().unwrap_or("");
 
     match event_type {
-        "push" => handle_push(agent, &payload).await,
-        "merge_request" => handle_merge_request(agent, &payload).await,
+        "push" => {
+            let agent_clone = (*agent).clone();
+            let repo_id = repo_id.clone();
+            tokio::spawn(async move {
+                tracing::info!("GitLab push webhook: triggering scan for {repo_id}");
+                if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
+                    tracing::error!("Webhook-triggered scan failed: {e}");
+                }
+            });
+            StatusCode::OK
+        }
+        "merge_request" => handle_merge_request(agent, &repo_id, &payload).await,
         _ => {
             tracing::debug!("GitLab webhook: ignoring event '{event_type}'");
             StatusCode::OK
@@ -47,40 +75,9 @@ pub async fn handle_gitlab_webhook(
     }
 }
 
-async fn handle_push(agent: Arc<ComplianceAgent>, payload: &serde_json::Value) -> StatusCode {
-    let repo_url = payload["project"]["git_http_url"]
-        .as_str()
-        .or_else(|| payload["project"]["web_url"].as_str())
-        .unwrap_or("");
-
-    if repo_url.is_empty() {
-        return StatusCode::BAD_REQUEST;
-    }
-
-    let repo = agent
-        .db
-        .repositories()
-        .find_one(mongodb::bson::doc! { "git_url": repo_url })
-        .await
-        .ok()
-        .flatten();
-
-    if let Some(repo) = repo {
-        let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
-        let agent_clone = (*agent).clone();
-        tokio::spawn(async move {
-            tracing::info!("GitLab push webhook: triggering scan for {repo_id}");
-            if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
-                tracing::error!("Webhook-triggered scan failed: {e}");
-            }
-        });
-    }
-
-    StatusCode::OK
-}
-
 async fn handle_merge_request(
-    _agent: Arc<ComplianceAgent>,
+    agent: Arc<ComplianceAgent>,
+    repo_id: &str,
     payload: &serde_json::Value,
 ) -> StatusCode {
     let action = payload["object_attributes"]["action"]
@@ -91,7 +88,31 @@ async fn handle_merge_request(
     }
 
     let mr_iid = payload["object_attributes"]["iid"].as_u64().unwrap_or(0);
-    tracing::info!("GitLab MR webhook: MR !{mr_iid} {action}");
+    let head_sha = payload["object_attributes"]["last_commit"]["id"]
+        .as_str()
+        .unwrap_or("");
+    let base_sha = payload["object_attributes"]["diff_refs"]["base_sha"]
+        .as_str()
+        .unwrap_or("");
+
+    if mr_iid == 0 || head_sha.is_empty() || base_sha.is_empty() {
+        tracing::warn!("GitLab MR webhook: missing required fields");
+        return StatusCode::BAD_REQUEST;
+    }
+
+    let repo_id = repo_id.to_string();
+    let head_sha = head_sha.to_string();
+    let base_sha = base_sha.to_string();
+    let agent_clone = (*agent).clone();
+    tokio::spawn(async move {
+        tracing::info!("GitLab MR webhook: reviewing MR !{mr_iid} on {repo_id}");
+        if let Err(e) = agent_clone
+            .run_pr_review(&repo_id, mr_iid, &base_sha, &head_sha)
+            .await
+        {
+            tracing::error!("MR review failed for !{mr_iid}: {e}");
+        }
+    });
 
     StatusCode::OK
 }

compliance-agent/src/webhooks/mod.rs

@@ -1,3 +1,4 @@
+pub mod gitea;
 pub mod github;
 pub mod gitlab;
 pub mod server;

compliance-agent/src/webhooks/server.rs

@@ -5,12 +5,23 @@ use axum::{Extension, Router};
 
 use crate::agent::ComplianceAgent;
 use crate::error::AgentError;
-use crate::webhooks::{github, gitlab};
+use crate::webhooks::{gitea, github, gitlab};
 
 pub async fn start_webhook_server(agent: &ComplianceAgent) -> Result<(), AgentError> {
     let app = Router::new()
-        .route("/webhook/github", post(github::handle_github_webhook))
-        .route("/webhook/gitlab", post(gitlab::handle_gitlab_webhook))
+        // Per-repo webhook URLs: /webhook/{platform}/{repo_id}
+        .route(
+            "/webhook/github/{repo_id}",
+            post(github::handle_github_webhook),
+        )
+        .route(
+            "/webhook/gitlab/{repo_id}",
+            post(gitlab::handle_gitlab_webhook),
+        )
+        .route(
+            "/webhook/gitea/{repo_id}",
+            post(gitea::handle_gitea_webhook),
+        )
         .layer(Extension(Arc::new(agent.clone())));
 
     let addr = "0.0.0.0:3002";