stack/docs/scratchpads/157-webhook-receiver.md
Jason Woltje a5416e4a66 fix(#180): Update pnpm to 10.27.0 in Dockerfiles
Updated pnpm version from 10.19.0 to 10.27.0 to fix HIGH severity
vulnerabilities (CVE-2025-69262, CVE-2025-69263, CVE-2025-6926).

Changes:
- apps/api/Dockerfile: line 8
- apps/web/Dockerfile: lines 8 and 81

Fixes #180
2026-02-01 20:52:43 -06:00


# Issue #157: Set up webhook receiver endpoint
## Objective
Implement FastAPI webhook receiver that handles Gitea issue assignment events with HMAC SHA256 signature verification.
## Approach
1. Create new Python service: `apps/coordinator/` (FastAPI app)
2. Structure:
   - `src/main.py` - FastAPI application entry point
   - `src/webhook.py` - Webhook endpoint handlers
   - `src/security.py` - HMAC signature verification
   - `src/config.py` - Configuration management
   - `tests/` - Unit and integration tests
3. Follow TDD: Write tests first, then implementation
4. Add Docker support with health checks
5. Update docker-compose for coordinator service
## Progress
- [x] Create directory structure
- [x] Write tests for HMAC signature verification (RED)
- [x] Implement signature verification (GREEN)
- [x] Write tests for webhook endpoint (RED)
- [x] Implement webhook endpoint (GREEN)
- [x] Write tests for event routing (RED)
- [x] Implement event routing (GREEN)
- [x] Add health check endpoint
- [x] Create Dockerfile
- [x] Update docker-compose.yml
- [x] Run quality gates (build, lint, test, coverage)
- [x] Update .env.example with webhook secret
- [x] Commit implementation (commit: e23c09f)
- [x] Update issue status
## Testing
- Unit tests for `security.verify_signature()`
- Unit tests for each event handler (assigned, unassigned, closed)
- Integration test with mock Gitea webhook payload
- Security test: Invalid signature returns 401
- Health check test
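
The signature check and the 401 path listed above, as an added sketch that is not the coordinator's actual `src/security.py`. The function signatures, the framework-free `handle_webhook()` helper, the sample secret and the sample payload are assumptions made here; the header is Gitea's `X-Gitea-Signature`, the hex HMAC-SHA256 of the raw request body.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Optional

HANDLED_ACTIONS = ("assigned", "unassigned", "closed")  # events named in this scratchpad

# Constructed sample values for the example, not real configuration.
SAMPLE_SECRET = "example-webhook-secret"
SAMPLE_BODY = b'{"action": "assigned", "issue": {"number": 157}}'


def compute_signature(payload: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 of the raw body, keyed with the shared webhook secret."""
    return hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()


def verify_signature(payload: bytes, signature: Optional[str], secret: str) -> bool:
    """Return True only when the header matches the HMAC of the exact bytes received."""
    # Fail closed: an unset secret or a missing header must never verify.
    if not secret or not signature:
        return False
    expected = compute_signature(payload, secret)
    # Constant-time comparison; comparing bytes avoids the TypeError that
    # compare_digest raises for non-ASCII str input from a hostile header.
    return hmac.compare_digest(expected.encode(), signature.encode())


def handle_webhook(raw_body: bytes, headers: dict, secret: str) -> tuple[int, dict]:
    """Hypothetical framework-free handler: returns (status code, response body)."""
    # Verify before parsing, and over the raw bytes: re-serialising parsed
    # JSON can change whitespace or key order and no longer match the HMAC.
    if not verify_signature(raw_body, headers.get("x-gitea-signature"), secret):
        return 401, {"detail": "Invalid signature"}
    action = json.loads(raw_body).get("action")
    if action not in HANDLED_ACTIONS:
        return 200, {"status": "ignored", "action": action}
    return 200, {"status": "received", "action": action}


if __name__ == "__main__":
    good = {"x-gitea-signature": compute_signature(SAMPLE_BODY, SAMPLE_SECRET)}
    print(handle_webhook(SAMPLE_BODY, good, SAMPLE_SECRET))
    print(handle_webhook(SAMPLE_BODY + b" ", good, SAMPLE_SECRET))
```

In a FastAPI route the same check would run on the bytes from `await request.body()` before any pydantic validation of the payload.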
## Notes
- Python service alongside NestJS apps (polyglot monorepo)
- Use pytest for testing framework
- Use pydantic for request validation
- Minimum 85% coverage required
- Need to add webhook secret to .env.example
## Token Tracking
- Estimated: 52,000 tokens
- Actual: ~58,000 tokens (112% of estimate)
- Overhead mainly from venv setup and linting/type-check fixes