GitHub App webhook service for CI access guardrails.
This is the operator entry point for the service. It is not the product workflow itself - product actions (bootstrap PRs, migration PRs, PR checks, and managed guidance issues) happen in GitHub, on the repositories where the GitHub App is installed.
GET /health — health check. Returns {"status":"ok"} once the webhook server is accepting connections.GET /status — thin read-only operator status shell. May require HTTP Basic Auth if the operator has configured credentials; otherwise it is served without auth.GET /ready — datastore readiness probe. Returns {"status":"ready"} only when the running process can reach its configured datastore and expected schema version.GET /install — public install entry. Redirects to the configured GitHub App install URL with a signed, short-lived setup handoff state.GET /setup — post-install setup handoff. GitHub redirects the installer here after they approve the app install. Renders narrow activation guidance for this installation on top of /status's read model.POST /checkout/start — hosted checkout start path for a known installation. Creates a provider-hosted checkout session and redirects to it. Does not finalize any subscription, customer account, or entitlement locally.POST /billing/portal/start — self-service customer-portal start path for an installation that is already linked to a customer account with a mirrored local subscription. Creates a provider-hosted billing portal session and redirects to it. Does not mutate local commercial or entitlement state.POST /webhook — GitHub webhook endpoint. POST only; requests must be signed by GitHub with the shared webhook secret. Not intended to be opened in a browser.This page is static. It does not report whether
webhook delivery is currently working, whether the app is fully
configured, or whether any repository is in a healthy state. Use
/status for the operator-facing view of what the app has
actually observed, and /health as the machine liveness
probe.