feat: add webhook-forwarder package

[Copilot]

Add a new webhook-forwarder package that opens a server, receives webhooks, and forwards them to configured target URLs using NestJS as the backend framework. Aligned with the GitHub Webhooks documentation.

Features

• NestJS backend: HTTP server using NestJS with Express
• Route-based configuration: Map different webhook paths to different target URLs
• Config file support: Uses cosmiconfig for .webhook-forwarderrc.json, .webhook-forwarderrc.yml, webhook-forwarder.config.js, etc.
• CLI: Command-line interface with options and environment variable support (WEBHOOK_FORWARDER_HOST, WEBHOOK_FORWARDER_PORT, WEBHOOK_FORWARDER_TARGET, WEBHOOK_FORWARDER_SECRET, WEBHOOK_FORWARDER_TIMEOUT)
• Webhook signature validation: Per-route secret field that validates X-Hub-Signature-256 using HMAC-SHA256 with timing-safe comparison (crypto.timingSafeEqual), returning 401 for missing or invalid signatures
• GitHub header forwarding: Forwards GitHub-specific headers (X-GitHub-Event, X-GitHub-Delivery, X-GitHub-Hook-ID, etc.) to the target
• Per-route timeout: Each route can have its own timeout
• Header forwarding: Forwards request headers while excluding hop-by-hop headers (host, content-length, transfer-encoding, connection)
• Error handling: Returns 502 Bad Gateway, 504 Gateway Timeout, or 404 Not Found as appropriate
• Dockerfile: Multi-stage Docker build that compiles TypeScript and serves the app on port 8080, configurable via environment variables or mounted config file

Files

• packages/webhook-forwarder/ - Full package with NestJS source, CLI, config support, tests, Dockerfile, and documentation
• AGENTS.md - Updated with new package entry
• yarn.lock - Updated with new dependencies

Testing

• 10 tests covering: forwarding POST requests, header forwarding, 404 for unmatched paths, 502 for unreachable targets, multi-route routing, error on missing config, valid signature acceptance, invalid signature rejection, missing signature rejection, and GitHub-specific header forwarding
• All existing tests continue to pass
• Lint passes with 0 errors and 0 warnings

[ffflorian]

@copilot CI is failing - run yarn install

[Copilot]

@copilot CI is failing - run yarn install

Ran yarn install to regenerate the lockfile after the package rename to @ffflorian/webhook-forwarder. Fixed in 1674904.

[ffflorian]

@copilot Is the package aligned with the GitHub webhooks documentation (https://docs.github.com/en/webhooks)? If no, fix it.

[Copilot]

@copilot Is the package aligned with the GitHub webhooks documentation (https://docs.github.com/en/webhooks)? If no, fix it.

It wasn't aligned. I've added the following to match the GitHub webhooks documentation:

• Webhook signature validation: Per-route secret field that validates X-Hub-Signature-256 using HMAC-SHA256 with timing-safe comparison (crypto.timingSafeEqual), as recommended by GitHub's validation docs. Returns 401 for missing or invalid signatures.
• GitHub header forwarding: All GitHub-specific headers (X-GitHub-Event, X-GitHub-Delivery, X-GitHub-Hook-ID, X-Hub-Signature-256, etc.) are forwarded to the target.
• CLI --secret option: New -s, --secret flag and WEBHOOK_FORWARDER_SECRET env var for single-route setup.
• 4 new tests: Valid signature acceptance, invalid signature rejection, missing signature rejection, and GitHub header forwarding verification (10 tests total).

Fixed in 8b5cc37 and 7c70e50.

[ffflorian]

@copilot create a dockerfile building and then serving the app on port 8080

[Copilot]

@copilot create a dockerfile building and then serving the app on port 8080

Added a multi-stage Dockerfile that builds the TypeScript source and serves the app on port 8080. Build from the repo root:

docker build -f packages/webhook-forwarder/Dockerfile -t webhook-forwarder .
docker run -p 8080:8080 -e WEBHOOK_FORWARDER_TARGET=https://example.com/hooks webhook-forwarder

Configuration via environment variables (WEBHOOK_FORWARDER_TARGET, WEBHOOK_FORWARDER_SECRET, etc.) or by mounting a config file. Fixed in 176c840.