{"id":44652868,"url":"https://github.com/nuetzliches/hookaido","last_synced_at":"2026-04-21T12:04:22.963Z","repository":{"id":337640862,"uuid":"1149847374","full_name":"nuetzliches/hookaido","owner":"nuetzliches","description":"🪝 Durable webhook gateway with Caddyfile-style config. Receive → queue → deliver (pull, push, or exec). HMAC auth, retries, DLQ, hot reload. ","archived":false,"fork":false,"pushed_at":"2026-04-15T10:51:48.000Z","size":1713,"stargazers_count":12,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-15T12:25:11.283Z","etag":null,"topics":["dead-letter-queue","event-driven","golang","grpc","mcp","message-queue","webhook","webhook-proxy","webhook-relay","webhooks"],"latest_commit_sha":null,"homepage":"https://nuetzliches.github.io/hookaido/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nuetzliches.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":"SUPPORT.md","governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-02-04T15:37:45.000Z","updated_at":"2026-04-15T10:51:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/nuetzliches/hookaido","commit_stats":null,"previous_names":["nuetzliches/hookaido"],"tags_count":16,"template":false,"template_full_name":null,"purl":"pkg:github/nuetzliches/hookaido","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuetzliches%2Fhookaido","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuetzliches%2Fhookaido/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuetzliches%2Fhookaido/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuetzliches%2Fhookaido/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nuetzliches","download_url":"https://codeload.github.com/nuetzliches/hookaido/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuetzliches%2Fhookaido/sbom","scorecard":{"id":1243182,"data":{"date":"2026-02-10T16:33:08Z","repo":{"name":"github.com/nuetzliches/hookaido","commit":"942131e707b8480b62b5783d95fb365eb9226e2b"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":5.6,"checks":[{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 0/17 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: docs/security.md:1","Info: Found linked content: docs/security.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: docs/security.md:1","Info: Found text in security policy: docs/security.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/container.yml:10","Warn: topLevel 'packages' permission set to 'write': .github/workflows/container.yml:11","Warn: topLevel 'contents' permission set to 'write': .github/workflows/dependabot-auto-merge.yml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-health.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/docs.yml:12","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:11","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/container.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/container.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/container.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/container.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/container.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/container.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/container.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/container.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/container.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/container.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/dependabot-auto-merge.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/dependabot-auto-merge.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-health.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/dependency-health.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-health.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/dependency-health.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/nuetzliches/hookaido/release.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:4: pin your Docker image by updating golang:1.25-alpine to golang:1.25-alpine@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced","Warn: containerImage not pinned by hash: Dockerfile:17: pin your Docker image by updating alpine:3.23 to alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659","Warn: goCommand not pinned by hash: .github/workflows/dependency-health.yml:40","Warn: pipCommand not pinned by hash: .github/workflows/docs.yml:29","Info:   3 out of  19 GitHub-owned GitHubAction dependencies pinned","Info:   1 out of   8 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned","Info:   0 out of   1 goCommand dependencies pinned","Info:   0 out of   1 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":8,"reason":"4 out of the last 4 releases have a total of 4 signed artifacts.","details":["Info: signed release artifact: hookaido_v1.0.3_checksums.txt.sig: https://github.com/nuetzliches/hookaido/releases/tag/v1.0.3","Info: signed release artifact: hookaido_v1.0.2_checksums.txt.sig: https://github.com/nuetzliches/hookaido/releases/tag/v1.0.2","Info: signed release artifact: hookaido_v1.0.1_checksums.txt.sig: https://github.com/nuetzliches/hookaido/releases/tag/v1.0.1","Info: signed release artifact: hookaido_v1.0.0_checksums.txt.sig: https://github.com/nuetzliches/hookaido/releases/tag/v1.0.0","Warn: release artifact v1.0.3 does not have provenance: https://api.github.com/repos/nuetzliches/hookaido/releases/284838012","Warn: release artifact v1.0.2 does not have provenance: https://api.github.com/repos/nuetzliches/hookaido/releases/284828553","Warn: release artifact v1.0.1 does not have provenance: https://api.github.com/repos/nuetzliches/hookaido/releases/284818974","Warn: release artifact v1.0.0 does not have provenance: https://api.github.com/repos/nuetzliches/hookaido/releases/284741478"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/container.yml:16"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 1 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"CI-Tests","score":10,"reason":"1 out of 1 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}},{"name":"Contributors","score":6,"reason":"project has 2 contributing companies or organizations -- score normalized to 6","details":["Info: found contributions from: nuetzliches, nützliche.it"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}}]},"last_synced_at":"2026-02-10T20:56:23.174Z","repository_id":337640862,"created_at":"2026-02-10T20:56:23.174Z","updated_at":"2026-02-10T20:56:23.174Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31886937,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-16T11:36:10.202Z","status":"ssl_error","status_checked_at":"2026-04-16T11:36:09.652Z","response_time":69,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dead-letter-queue","event-driven","golang","grpc","mcp","message-queue","webhook","webhook-proxy","webhook-relay","webhooks"],"created_at":"2026-02-14T21:16:33.612Z","updated_at":"2026-04-16T13:02:16.314Z","avatar_url":"https://github.com/nuetzliches.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hookaido\n\n[![CI](https://github.com/nuetzliches/hookaido/actions/workflows/ci.yml/badge.svg)](https://github.com/nuetzliches/hookaido/actions/workflows/ci.yml)\n[![Release](https://github.com/nuetzliches/hookaido/actions/workflows/release.yml/badge.svg)](https://github.com/nuetzliches/hookaido/actions/workflows/release.yml)\n[![Container](https://img.shields.io/badge/container-ghcr.io-2496ED?logo=docker\u0026logoColor=white)](https://github.com/nuetzliches/hookaido/pkgs/container/hookaido)\n[![License](https://img.shields.io/github/license/nuetzliches/hookaido)](LICENSE)\n[![Latest Release](https://img.shields.io/github/v/release/nuetzliches/hookaido?include_prereleases\u0026sort=semver)](https://github.com/nuetzliches/hookaido/releases)\n\n**Webhook infrastructure that just works.** Single binary. Zero runtime dependencies. Production-ready defaults.\n\nHookaido receives webhooks at the edge, queues them durably, and delivers them to your services — with retries, dead-letter queues, and cryptographic verification built in. Think of it as Caddy for webhooks: a compact config file, sensible defaults, and instant reloads.\n\nDocs: https://nuetzliches.github.io/hookaido/\n\n---\n\n## Why Hookaido?\n\n| Problem                                                     | Hookaido                                                                     |\n| ----------------------------------------------------------- | ---------------------------------------------------------------------------- |\n| Webhooks hit your app directly — downtime means lost events | Durable SQLite/WAL or PostgreSQL queue absorbs traffic; your services consume when ready   |\n| Retry logic scattered across services                       | Exponential backoff, jitter, DLQ, and lease-based delivery — configured once |\n| DMZ security headaches                                      | Pull mode by default: internal services fetch from the DMZ, no inbound holes |\n| Complex multi-service deployment                            | Single binary, one config file, `go build` and run                           |\n| Webhook signature verification is error-prone               | Built-in HMAC-SHA256 verification with replay protection and secret rotation |\n\n## Who Is It For?\n\n- **SaaS integrators** receiving webhooks from GitHub, Stripe, Shopify, or any HTTP callback provider\n- **Platform engineers** building DMZ-safe webhook ingestion without opening inbound firewall rules\n- **DevOps teams** triggering local deploy scripts, CI jobs, or automation from webhook events\n- **Event-driven architectures** that need a durable queue as lightweight middleware between producers and consumers\n\n## Key Features\n\n### Core\n\n- **Durable queue** — SQLite/WAL or PostgreSQL persistence with at-least-once delivery. In-memory mode for development.\n- **Pull, push \u0026 exec** — Pull API for DMZ-safe consumption, push dispatcher with concurrency control, subprocess execution for local scripts.\n- **Hot reload** — Change config, send `SIGHUP` or use `--watch`. No restarts for most changes.\n- **Channel types** — `inbound` (edge webhooks), `outbound` (API-published queues), `internal` (job queues).\n\n### Security\n\n- **Ingress auth** — HMAC signature verification with replay protection, Basic auth, forward auth callouts, rate limiting. Provider-compatible mode for GitHub and Gitea/Forgejo webhooks.\n- **Outbound signing** — HMAC-SHA256 on push delivery with multi-secret rotation windows and custom outbound headers.\n- **Secret management** — Env vars, files, Vault refs, and raw literals. Placeholder interpolation keeps secrets out of config.\n\n### Operations\n\n- **Dead-letter queue** — Failed messages land in the DLQ with full attempt history. Requeue or inspect via API.\n- **Admin API** — Health checks, queue inspection, backlog trends, publish/cancel/requeue operations.\n- **Observability** — Structured JSON logs, Prometheus metrics, OpenTelemetry tracing (OTLP).\n- **MCP server** — AI tooling integration with role-gated config inspection, queue diagnostics, and mutations.\n- **VS Code extension** — Syntax highlighting and snippets for Hookaidofile (`editors/vscode/`).\n\n## Quick Start\n\n**Download a binary** from the [latest release](https://github.com/nuetzliches/hookaido/releases) — no Go required.\n\n**Or build from source** (requires Go 1.25+):\n\n```bash\ngo build ./cmd/hookaido\n```\n\n**Or use Docker (official GHCR image):**\n\n```bash\ndocker pull ghcr.io/nuetzliches/hookaido:latest\ndocker run -p 8080:8080 -p 9443:9443 \\\n  -e HOOKAIDO_PULL_TOKEN=mytoken \\\n  -v $(pwd)/Hookaidofile:/app/Hookaidofile:ro \\\n  -v hookaido-data:/app/.data \\\n  ghcr.io/nuetzliches/hookaido:latest\n```\n\nFor immutable deployments, pin to a release tag (for example `:v2.0.0`) or digest.\n\n**Run locally:**\n\n```bash\nexport HOOKAIDO_PULL_TOKEN=\"mytoken\"\n./hookaido run --config Hookaidofile --db ./.data/hookaido.db\n```\n\nIngress on `:8080`, Pull API on `:9443`, Admin on `127.0.0.1:2019` — ready to receive webhooks.\n\n## Configuration\n\nA Hookaidofile is all you need. Caddy-inspired syntax, designed for readability:\n\n**Receive \u0026 pull (DMZ-safe):**\n\n```hcl\ningress {\n  listen :8080\n}\n\npull_api {\n  auth token env:HOOKAIDO_PULL_TOKEN\n}\n\n/webhooks/github {\n  auth hmac env:HOOKAIDO_INGRESS_SECRET\n  pull { path /pull/github }\n}\n```\n\n**Receive \u0026 push (direct delivery):**\n\n```hcl\n/webhooks/stripe {\n  auth hmac env:STRIPE_SIGNING_SECRET\n  deliver \"https://billing.internal/stripe\" {\n    retry exponential max 8 base 2s cap 2m jitter 0.2\n    timeout 10s\n  }\n}\n```\n\n**Deliver via subprocess (no HTTP server needed):**\n\n```hcl\n/webhooks/github {\n  auth hmac { provider github; secret env:GITHUB_SECRET }\n  deliver exec \"/opt/hooks/deploy.sh\" {\n    timeout 30s\n    env DEPLOY_ENV production\n  }\n}\n```\n\nPlaceholders keep secrets out of config: `{$VAR}`, `{env.VAR}`, `{file./run/secrets/key}`, `{vars.NAME}`.\nSecret refs for auth/signing support `env:`, `file:`, `vault:`, and `raw:` schemes.\n\nFull DSL reference and more examples: [DESIGN.md](DESIGN.md) | [Recipes](docs/recipes.md)\n\n## Architecture\n\n```mermaid\ngraph LR\n    subgraph Providers\n        GH[GitHub]\n        ST[Stripe]\n        WH[Any Webhook]\n    end\n    subgraph DMZ\n        ING[Ingress :8080]\n        Q[(SQLite / Postgres Queue)]\n        ING --\u003e Q\n    end\n    subgraph Internal Network\n        SVC[Your Service]\n    end\n    GH \u0026 ST \u0026 WH --\u003e|POST| ING\n    SVC --\u003e|pull /pull/…| Q\n    Q --\u003e|push deliver| SVC\n```\n\n**Default: `dmz-queue pull`** — Hookaido sits in the DMZ. Internal workers pull over HTTPS. No inbound firewall rules needed.\n\n## Admin API\n\n`GET /healthz?details=1` — queue diagnostics, backlog trends, operator action playbooks.\n\n`POST /messages/publish` — inject messages programmatically.\n\n`GET /dlq` / `POST /dlq/requeue` — inspect and recover dead-lettered messages.\n\n`GET /backlog/trends` — time-series backlog analysis with derived signals.\n\nFull endpoint list → [DESIGN.md](DESIGN.md)\n\n## Observability\n\n```hcl\nobservability {\n  access_log  { output stderr; format json }\n  runtime_log { level info; output stderr; format json }\n  metrics     { listen \":9900\"; prefix \"/metrics\" }\n  tracing     { collector \"https://otel.example.com/v1/traces\" }\n}\n```\n\nPrometheus counters for ingress, adaptive backpressure (`reason`-labeled), pull (`dequeue`/`ack`/`nack`/conflicts/leases), and push delivery, plus queue depth gauges and SQLite store contention metrics (write/dequeue/checkpoint durations, busy/retry, tx commit/rollback). OpenTelemetry traces with full OTLP/HTTP configuration.\n\n## MCP Server (AI Integration)\n\n```bash\n./hookaido mcp serve --config Hookaidofile --db ./.data/hookaido.db --role read\n```\n\nExposes queue state, config inspection, health diagnostics, and backlog analysis as structured tools for AI assistants. Role-gated access: `read`, `operate`, `admin`.\n\n## Release Verification\n\nReleases ship with signed checksums (Ed25519), SPDX SBOM, and GitHub provenance attestations:\n\n```bash\n./hookaido verify-release --checksums hookaido_v2.0.0_checksums.txt \\\n  --public-key release-signing-key.pub \\\n  --require-provenance\n```\n\n## Requirements\n\n- Pre-built binaries: no dependencies (download from [Releases](https://github.com/nuetzliches/hookaido/releases))\n- Build from source: Go 1.25+\n- Docker: use the official image `ghcr.io/nuetzliches/hookaido` (or build locally), see [Docker quickstart](docs/docker.md)\n- No external runtime dependencies\n\n## Documentation\n\n| Document                           | Purpose                                                                      |\n| ---------------------------------- | ---------------------------------------------------------------------------- |\n| [docs/](docs/index.md)            | User-facing documentation (getting started, configuration, APIs, deployment) |\n| [DESIGN.md](DESIGN.md)            | Canonical DSL and API specification                                          |\n| [CONTRIBUTING.md](CONTRIBUTING.md) | Contribution workflow, development setup, and maintainer notes               |\n| [CHANGELOG.md](CHANGELOG.md)      | User-visible changes per release                                             |\n| [SECURITY.md](SECURITY.md)        | Vulnerability reporting and security response policy                         |\n| [SUPPORT.md](SUPPORT.md)          | Support channels and issue quality guidance                                  |\n\n## License\n\nApache-2.0 — see [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnuetzliches%2Fhookaido","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnuetzliches%2Fhookaido","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnuetzliches%2Fhookaido/lists"}