GitLab Webhook Audit

GitLab Webhook Audit

Purpose: Canonical inventory of GitLab webhook endpoints, owners, and configuration. Single source of truth for webhook routing and SOD.

Production Webhook Endpoints

Endpoint	Host	Owner	Events	Auth	Notes
`POST /webhook/gitlab`	orchestrator.blueflyagents.com:3014	platform-agents	Issue Hook, Merge Request Hook	X-Gitlab-Token, X-Gitlab-Signature	Production ingress; signature, idempotency, rate limit
`POST /webhooks/gitlab/group/:groupId`	mesh.bluefly.internal	agent-mesh	merge_requests, pipelines, notes	Secret token	Group-level; setup via setup-gitlab-webhooks.ts
`POST /api/webhooks/gitlab`	mesh.bluefly.internal	agent-mesh	(legacy)	Secret token	Legacy path
`POST /webhooks/gitlab/automate`	(agent-docker)	agent-docker	MR, pipeline, note	X-Gitlab-Token	Dedup, event normalisation
`POST /webhook/duo-comment-responder`	(duo-comment-responder)	platform-agents .agents	note	X-Gitlab-Token	Duo comment handling

Agent-Specific Webhooks (OSSA)

Agent	Path	Events
duo-comment-responder	/webhook/duo-comment-responder	note
mr-auto-fix	(via agent-mesh)	merge_requests, pipelines, notes
daily-code-scan	(via pipeline/webhook)	pipeline
version-analyzer	mesh.bluefly.internal/webhooks/version-analyzer	tag push

SOD and Ownership

platform-agents (src/services/orchestrator/): Production webhook ingress. Owns signature verification, idempotency (Idempotency-Key / X-Gitlab-Event-UUID), rate limiting, event routing.
agent-mesh: Group-level webhook registration; forwards to agent handlers.
agent-docker: Pipeline automation webhook (agent-controller).
BuildKit webhook: Dev-only; not production.

Configuration

GitLab group webhook URL: https://orchestrator.blueflyagents.com/webhook/gitlab (production)
n8n webhook: https://n8n.blueflyagents.com/webhook/<path> (Oracle; GitLab cannot reach NAS/local)
Register n8n webhook: buildkit gitlab webhook register-n8n --project <path>

Audit Date

2026-03-01