fix: capture raw body for HMAC before express.json() middleware

Made-with: Cursor

src/server.ts

@@ -11,6 +11,10 @@ import { ToolContext } from './tools';
 
 const app = express();
 app.use(cors());
+
+// Raw body capture for webhook HMAC — must come before express.json()
+app.use('/webhook/gitea', express.raw({ type: '*/*' }));
+
 app.use(express.json());
 
 const PORT = process.env.PORT || 3333;
@@ -138,8 +142,7 @@ app.get('/api/jobs', (req: Request, res: Response) => {
 });
 
 // Gitea webhook endpoint — triggers agent from an issue event
-// Must use raw body for HMAC verification — register before express.json()
-app.post('/webhook/gitea', express.raw({ type: 'application/json' }), (req: Request, res: Response) => {
+app.post('/webhook/gitea', (req: Request, res: Response) => {
     const event = req.headers['x-gitea-event'] as string;
     const rawBody = req.body as Buffer;