Wirehook

Wirehook is a webhook gateway for agentic systems: it ingests, verifies, stores, and routes webhooks across trust boundaries with an MCP-first admin interface.

Note: Use simple English in this project (docs, comments, messages).

Features

• Webhook ingestion: POST /in/:endpoint_id
• Event storage in SQLite
• Routing to destinations
• Cron schedules sending JSON payloads to destinations
• MCP admin tools (HTTP/SSE)
• CLI for admin tasks

Architecture

Wirehook follows a light hexagonal architecture:

• src/domain: business models and types
• src/app: use cases and ports (traits)
• src/infrastructure: SQLite repositories, forwarders, mappers
• src/adapters: HTTP server and MCP transport

Quick start (local)

1. Run the server:

cargo run -- serve

2. Create an endpoint:

cargo run -- endpoint create --name "jira" --description "Jira automation" --method POST --auth-type none

3. Create a destination:

cargo run -- destination create --name "internal" --type http --config-json '{"url":"http://internal"}'

4. Create a route:

cargo run -- route create --endpoint-id <ENDPOINT_ID> --destination-id <DESTINATION_ID> --priority 10

5. Send a webhook:

curl -X POST http://127.0.0.1:3000/in/<ENDPOINT_ID> \
  -H 'content-type: application/json' \
  -d '{"status":"ok"}'

HTTP API

• POST /in/:endpoint_id: ingest webhook (JSON body)
• POST /test: returns 200 OK
• GET /mcp/sse: MCP SSE endpoint (admin only)
• POST /mcp/messages/{session_id}: MCP messages (admin only)

CLI

See docs/cli.md.

MCP

See docs/mcp.md.

Docker

Build and run with Compose (includes Vault):

docker compose up --build

Auto rebuild on code changes:

docker compose watch

Releases

• Versioning follows SemVer with tags like v1.2.3.
• CI builds and publishes Docker images to GHCR on release tags.
• See RELEASING.md for details.

Security notes

• MCP endpoints require Authorization: Bearer <ADMIN_TOKEN>.
• Set the admin token with WIREHOOK_ADMIN_TOKEN (or --admin-token).
• For production, use TLS and secure Vault configuration.
• HMAC signatures: set endpoint auth_type to hmac_sha256 and send X-Wirehook-Signature: sha256=<hex>.
• For HMAC endpoints you must set secret_id (create a secret first).
• Signature headers and base string are configurable via signature set.

Database configuration

• SQLite is the default (file wirehook.db).
• To use Postgres, set WIREHOOK_DATABASE_URL or DATABASE_URL.
• When the Postgres env var is set, the --db path is ignored.

SQLite (default)

By default Wirehook uses a local SQLite file.

WIREHOOK_DATABASE_URL is not set
wirehook.db is created next to the binary

Override the file path with:

cargo run -- --db /path/to/wirehook.db serve

Postgres (env-based)

Set one of the env vars below:

export WIREHOOK_DATABASE_URL=postgres://user:<DB_PASSWORD>@host:5432/dbname
# or
export DATABASE_URL=postgres://user:<DB_PASSWORD>@host:5432/dbname

When set, Wirehook uses Postgres and ignores --db.

Logging

Wirehook logs JSON lines (Datadog-friendly). Configure with env vars:

• WIREHOOK_LOG_LEVEL (default: info)
• WIREHOOK_LOG_SERVICE (default: wirehook)
• WIREHOOK_LOG_ENV (optional)
• WIREHOOK_LOG_VERSION (optional)
• WIREHOOK_LOG_DDTAGS (optional, comma-separated)

Each HTTP request logs request_id, method, path, status, and latency_ms.

Limits and scheduler

• WIREHOOK_BODY_LIMIT_BYTES (default: 1048576, set 0 to disable)
• WIREHOOK_SCHEDULE_TICK_SECONDS (default: 30, set 0 to disable the scheduler loop)

Tests

cargo test

License

Wirehook is licensed under either of:

• Apache License, Version 2.0
• MIT License

You may choose either license. See LICENSE-APACHE and LICENSE-MIT.