fix: capture raw body for HMAC before express.json() middleware

Made-with: Cursor

dist/server.js

@@ -47,6 +47,8 @@ const agent_runner_1 = require("./agent-runner");
 const agents_1 = require("./agents");
 const app = (0, express_1.default)();
 app.use((0, cors_1.default)());
+// Raw body capture for webhook HMAC — must come before express.json()
+app.use('/webhook/gitea', express_1.default.raw({ type: '*/*' }));
 app.use(express_1.default.json());
 const PORT = process.env.PORT || 3333;
 // ---------------------------------------------------------------------------
@@ -159,8 +161,7 @@ app.get('/api/jobs', (req, res) => {
     res.json((0, job_store_1.listJobs)(limit));
 });
 // Gitea webhook endpoint — triggers agent from an issue event
-// Must use raw body for HMAC verification — register before express.json()
+app.post('/webhook/gitea', (req, res) => {
-app.post('/webhook/gitea', express_1.default.raw({ type: 'application/json' }), (req, res) => {
     const event = req.headers['x-gitea-event'];
     const rawBody = req.body;
     // Verify HMAC-SHA256 signature

src/server.ts

@@ -11,6 +11,10 @@ import { ToolContext } from './tools';
 
 const app = express();
 app.use(cors());
+
+// Raw body capture for webhook HMAC — must come before express.json()
+app.use('/webhook/gitea', express.raw({ type: '*/*' }));
+
 app.use(express.json());
 
 const PORT = process.env.PORT || 3333;
@@ -138,8 +142,7 @@ app.get('/api/jobs', (req: Request, res: Response) => {
 });
 
 // Gitea webhook endpoint — triggers agent from an issue event
-// Must use raw body for HMAC verification — register before express.json()
+app.post('/webhook/gitea', (req: Request, res: Response) => {
-app.post('/webhook/gitea', express.raw({ type: 'application/json' }), (req: Request, res: Response) => {
     const event = req.headers['x-gitea-event'] as string;
     const rawBody = req.body as Buffer;