Bun.serve) defined in packages/core/src/gateway/server.ts. It normalizes incoming webhooks from five sources into a unified Signal format stored in the signals table for the Forge to process.
Endpoints
| Method | Path | Integration |
|---|---|---|
GET | /health | Health check, returns { status: 'ok' } |
POST | /hooks/inbound | Generic inbound signal (HMAC-verified via GATEWAY_SECRET) |
POST | /hooks/telegram | Telegram Bot API updates |
POST | /hooks/discord | Discord interactions (Ed25519 signature verification) |
POST | /hooks/google-calendar | Google Calendar push notifications |
POST | /hooks/whatsapp | WhatsApp Cloud API (HMAC-SHA256 signature verification) |
GET /hooks/whatsapp for the webhook verification challenge.
Signature Verification
Discord
Discord uses Ed25519 signatures verified with the Web Crypto API:DISCORD_PUBLIC_KEY. Requests failing verification return 401.
WhatsApp Cloud API
WhatsApp signs payloads with HMAC-SHA256 using the app secret:Telegram
Telegram does not sign individual payloads. The bot token in the webhook URL path acts as the secret.Signal Normalization
gateway/normalize.ts converts each platform’s payload into a unified Signal:
signals table and consumed by the Forge daemon on its next tick.
Configuration
| Variable | Description |
|---|---|
GATEWAY_PORT | Port to listen on (default: 3001) |
GATEWAY_SECRET | HMAC secret for /hooks/inbound |
TELEGRAM_BOT_TOKEN | Telegram bot token |
DISCORD_PUBLIC_KEY | Discord app public key for Ed25519 |
WHATSAPP_APP_SECRET | WhatsApp app secret for HMAC |
GOOGLE_CALENDAR_WEBHOOK_TOKEN | Token for calendar push verification |
Adding a New Webhook Source
- Add a new endpoint case in
gateway/server.ts - Implement signature verification if required
- Add a normalizer in
gateway/normalize.ts - Handle the new signal type in
forge/engine.ts