zeph-gateway

HTTP gateway for webhook ingestion with bearer auth for Zeph.

Overview

Exposes an axum 0.8 HTTP server that accepts incoming webhooks, validates bearer tokens, and forwards payloads into the agent loop. Includes a /health endpoint for liveness probes. Feature-gated behind gateway.

Key Modules

• server — GatewayServer startup and graceful shutdown
• handlers — request handlers for webhook and health routes
• router — axum router construction with auth middleware
• error — GatewayError error types

Activation

GatewayServer starts automatically in daemon mode when the gateway feature is enabled and [gateway] is configured:

[gateway]
bind = "0.0.0.0:8090"
auth_token = "your-secret-token"   # optional, see authentication below

cargo run --features gateway -- --daemon   # starts agent + gateway server

The gateway is wired via src/gateway_spawn.rs into both daemon.rs and runner.rs. A background drain task logs incoming webhook payloads; agent loopback forwarding is a planned follow-up.

Authentication

GatewayServer supports bearer token authentication via the with_auth() builder method. When auth_token is None, the server emits a tracing::warn! at startup indicating that the endpoint is unauthenticated.

GatewayServer::new(addr, sender)
    .with_auth(Some("secret-token".to_string()))
    .serve()
    .await?;

Token comparison uses subtle::ConstantTimeEq to prevent timing attacks.

Installation

cargo add zeph-gateway

Enabled via the gateway feature flag on the root zeph crate.

License

MIT