# SCM/CI Webhook Connector Service (Signals Module)

## Module
Signals

## Status
VERIFIED

## Description
Complete SCM/CI webhook connector subsystem in the Signals module with provider-specific webhook signature validators (GitHub HMAC-SHA256, GitLab token, Gitea HMAC), event mappers normalizing repo/pipeline/artifact events into NormalizedScmEvent, and trigger service dispatching scan/SBOM triggers to Orchestrator. Supports GitHub, GitLab, and Gitea with extensible IWebhookSignatureValidator and IScmEventMapper interfaces.

## Implementation Details
- **Modules**: `src/Signals/StellaOps.Signals/Scm/`
- **Key Classes**:
  - `ScmWebhookService` (`src/Signals/StellaOps.Signals/Scm/Services/ScmWebhookService.cs`) - processes incoming webhooks, validates signatures, maps events, and dispatches triggers
  - `ScmWebhookEndpoints` (`src/Signals/StellaOps.Signals/Scm/ScmWebhookEndpoints.cs`) - minimal API endpoints for receiving webhook payloads
  - `GiteaWebhookValidator` (`src/Signals/StellaOps.Signals/Scm/Webhooks/GiteaWebhookValidator.cs`) - Gitea HMAC webhook signature validator
- **Interfaces**: `IScmWebhookService`, `IWebhookSignatureValidator` (`src/Signals/StellaOps.Signals/Scm/Webhooks/IWebhookSignatureValidator.cs`), `IScmEventMapper` (`src/Signals/StellaOps.Signals/Scm/Webhooks/IScmEventMapper.cs`)
- **Source**: SPRINT_20251229_013_SIGNALS_scm_ci_connectors.md

## E2E Test Plan
- [ ] Send a GitHub webhook with valid HMAC-SHA256 signature and verify it is accepted and processed
- [ ] Send a Gitea webhook with valid HMAC signature via `GiteaWebhookValidator` and verify validation
- [ ] Send a webhook with invalid signature and verify it is rejected
- [ ] Verify event normalization: send provider-specific push/PR events and confirm they are mapped to `NormalizedScmEvent`
- [ ] Verify trigger dispatch: send a push event and confirm a scan trigger is dispatched to the Orchestrator