TrogonStack
diff --git a/‎devops/docker/compose/.env.example‎
Lines changed: 7 additions & 0 deletions b/‎devops/docker/compose/.env.example‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎devops/docker/compose/services/trogon-gateway/README.md‎
Lines changed: 10 additions & 1 deletion b/‎devops/docker/compose/services/trogon-gateway/README.md‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎rsworkspace/Cargo.lock‎
Lines changed: 21 additions & 0 deletions b/‎rsworkspace/Cargo.lock‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎rsworkspace/Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎rsworkspace/Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎rsworkspace/crates/trogon-gateway/Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎rsworkspace/crates/trogon-gateway/Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎rsworkspace/crates/trogon-gateway/README.md‎
Lines changed: 7 additions & 1 deletion b/‎rsworkspace/crates/trogon-gateway/README.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎rsworkspace/crates/trogon-gateway/src/config.rs‎
Lines changed: 129 additions & 0 deletions b/‎rsworkspace/crates/trogon-gateway/src/config.rs‎
Lines changed: 129 additions & 0 deletions
diff --git a/‎rsworkspace/crates/trogon-gateway/src/http.rs‎
Lines changed: 11 additions & 0 deletions b/‎rsworkspace/crates/trogon-gateway/src/http.rs‎
Lines changed: 11 additions & 0 deletions
@@ -63,6 +63,13 @@
 # TROGON_SOURCE_TELEGRAM_STREAM_MAX_AGE_SECS=604800
 # TROGON_SOURCE_TELEGRAM_NATS_ACK_TIMEOUT_SECS=10
 
+# --- Twitter/X Source ---
+# TROGON_SOURCE_TWITTER_CONSUMER_SECRET=
+# TROGON_SOURCE_TWITTER_SUBJECT_PREFIX=twitter
+# TROGON_SOURCE_TWITTER_STREAM_NAME=TWITTER
+# TROGON_SOURCE_TWITTER_STREAM_MAX_AGE_SECS=604800
+# TROGON_SOURCE_TWITTER_NATS_ACK_TIMEOUT_SECS=10
+
 # --- Slack Source ---
 # TROGON_SOURCE_SLACK_SIGNING_SECRET=
 # TROGON_SOURCE_SLACK_SUBJECT_PREFIX=slack
 
@@ -12,6 +12,7 @@ prefix:
 | GitHub | `/github/webhook` | `TROGON_SOURCE_GITHUB_WEBHOOK_SECRET` |
 | Slack | `/slack/webhook` | `TROGON_SOURCE_SLACK_SIGNING_SECRET` |
 | Telegram | `/telegram/webhook` | `TROGON_SOURCE_TELEGRAM_WEBHOOK_SECRET` |
+| Twitter/X | `/twitter/webhook` | `TROGON_SOURCE_TWITTER_CONSUMER_SECRET` |
 | GitLab | `/gitlab/webhook` | `TROGON_SOURCE_GITLAB_WEBHOOK_SECRET` |
 | incident.io | `/incidentio/webhook` | `TROGON_SOURCE_INCIDENTIO_SIGNING_SECRET` |
 | Linear | `/linear/webhook` | `TROGON_SOURCE_LINEAR_WEBHOOK_SECRET` |
@@ -60,6 +61,13 @@ contain only resource IDs rather than full objects. The gateway forwards the raw
 verified payload to NATS and leaves any enrichment or reordering to downstream
 consumers.
 
+## Twitter/X webhooks
+
+X uses the app consumer secret for both the `GET /twitter/webhook` CRC challenge
+response and the `POST /twitter/webhook` `x-twitter-webhooks-signature`
+verification. Configure `TROGON_SOURCE_TWITTER_CONSUMER_SECRET` before you
+register the webhook URL with X.
+
 ## Notion webhooks
 
 Notion signs webhook payloads with the subscription `verification_token`.
@@ -83,7 +91,8 @@ docker compose --profile dev up
 
 This starts ngrok alongside the gateway. Check `docker compose logs ngrok`
 for the public URL. Append the source prefix path when configuring each
-platform's webhook settings (e.g. `https://<ngrok-url>/github/webhook`).
+platform's webhook settings (e.g. `https://<ngrok-url>/github/webhook` or
+`https://<ngrok-url>/twitter/webhook`).
 
 ## Verify
 
 
@@ -24,6 +24,7 @@ trogon-source-notion = { path = "crates/trogon-source-notion" }
 trogon-source-sentry = { path = "crates/trogon-source-sentry" }
 trogon-source-slack = { path = "crates/trogon-source-slack" }
 trogon-source-telegram = { path = "crates/trogon-source-telegram" }
+trogon-source-twitter = { path = "crates/trogon-source-twitter" }
 trogon-std = { path = "crates/trogon-std" }
 
 # ACP
 
@@ -30,6 +30,7 @@ trogon-source-notion = { workspace = true }
 trogon-source-sentry = { workspace = true }
 trogon-source-slack = { workspace = true }
 trogon-source-telegram = { workspace = true }
+trogon-source-twitter = { workspace = true }
 trogon-std = { workspace = true, features = ["clap", "telemetry-http"] }
 
 [dev-dependencies]
 
@@ -36,6 +36,7 @@ All webhook sources share one HTTP port (`TROGON_GATEWAY_PORT`, default `8080`)
 | GitHub | `/github/webhook` |
 | Slack | `/slack/webhook` |
 | Telegram | `/telegram/webhook` |
+| Twitter/X | `/twitter/webhook` |
 | GitLab | `/gitlab/webhook` |
 | Linear | `/linear/webhook` |
 
@@ -49,6 +50,7 @@ A source is enabled only when its required setting is present:
 | Discord | `TROGON_SOURCE_DISCORD_BOT_TOKEN` |
 | Slack | `TROGON_SOURCE_SLACK_SIGNING_SECRET` |
 | Telegram | `TROGON_SOURCE_TELEGRAM_WEBHOOK_SECRET` |
+| Twitter/X | `TROGON_SOURCE_TWITTER_CONSUMER_SECRET` |
 | GitLab | `TROGON_SOURCE_GITLAB_WEBHOOK_SECRET` |
 | Linear | `TROGON_SOURCE_LINEAR_WEBHOOK_SECRET` |
 
@@ -69,7 +71,7 @@ NATS auth is resolved in this priority order:
 Per-source optional tuning (with defaults):
 
 - `TROGON_SOURCE_<SOURCE>_SUBJECT_PREFIX` (defaults: `github`, `discord`, `slack`, `telegram`, `gitlab`, `linear`)
-- `TROGON_SOURCE_<SOURCE>_STREAM_NAME` (defaults: `GITHUB`, `DISCORD`, `SLACK`, `TELEGRAM`, `GITLAB`, `LINEAR`)
+- `TROGON_SOURCE_<SOURCE>_STREAM_NAME` (defaults: `GITHUB`, `DISCORD`, `SLACK`, `TELEGRAM`, `TWITTER`, `GITLAB`, `LINEAR`)
 - `TROGON_SOURCE_<SOURCE>_STREAM_MAX_AGE_SECS` (default: `604800`)
 - `TROGON_SOURCE_<SOURCE>_NATS_ACK_TIMEOUT_SECS` (default: `10`)
 
@@ -78,6 +80,7 @@ Source-specific extras:
 - `TROGON_SOURCE_DISCORD_GATEWAY_INTENTS`
 - `TROGON_SOURCE_SLACK_TIMESTAMP_MAX_DRIFT_SECS` (default: `300`)
 - `TROGON_SOURCE_LINEAR_TIMESTAMP_TOLERANCE_SECS` (default: `60`, `0` disables tolerance)
+- `TROGON_SOURCE_TWITTER_CONSUMER_SECRET` is used for both CRC responses and `x-twitter-webhooks-signature` validation
 
 ## Config file shape
 
@@ -107,6 +110,9 @@ signing_secret = "slack-secret"
 [sources.telegram]
 webhook_secret = "telegram-secret"
 
+[sources.twitter]
+consumer_secret = "twitter-consumer-secret"
+
 [sources.gitlab]
 webhook_secret = "gitlab-secret"
 
 
@@ -18,6 +18,7 @@ use trogon_source_notion::NotionVerificationToken;
 use trogon_source_sentry::SentryClientSecret;
 use trogon_source_slack::config::SlackSigningSecret;
 use trogon_source_telegram::config::TelegramWebhookSecret;
+use trogon_source_twitter::config::TwitterConsumerSecret;
 use trogon_std::{NonZeroDuration, ZeroDuration};
 
 use crate::source_status::SourceStatus;
@@ -198,6 +199,8 @@ struct SourcesConfig {
     #[config(nested)]
     telegram: TelegramConfig,
     #[config(nested)]
+    twitter: TwitterConfig,
+    #[config(nested)]
     gitlab: GitlabConfig,
     #[config(nested)]
     incidentio: IncidentioConfig,
@@ -277,6 +280,22 @@ struct TelegramConfig {
     nats_ack_timeout_secs: u64,
 }
 
+#[derive(Config)]
+struct TwitterConfig {
+    #[config(env = "TROGON_SOURCE_TWITTER_STATUS")]
+    status: Option<String>,
+    #[config(env = "TROGON_SOURCE_TWITTER_CONSUMER_SECRET")]
+    consumer_secret: Option<String>,
+    #[config(env = "TROGON_SOURCE_TWITTER_SUBJECT_PREFIX", default = "twitter")]
+    subject_prefix: String,
+    #[config(env = "TROGON_SOURCE_TWITTER_STREAM_NAME", default = "TWITTER")]
+    stream_name: String,
+    #[config(env = "TROGON_SOURCE_TWITTER_STREAM_MAX_AGE_SECS", default = 604_800)]
+    stream_max_age_secs: u64,
+    #[config(env = "TROGON_SOURCE_TWITTER_NATS_ACK_TIMEOUT_SECS", default = 10)]
+    nats_ack_timeout_secs: u64,
+}
+
 #[derive(Config)]
 struct GitlabConfig {
     #[config(env = "TROGON_SOURCE_GITLAB_STATUS")]
@@ -382,6 +401,7 @@ pub struct ResolvedConfig {
     pub discord: Option<trogon_source_discord::DiscordConfig>,
     pub slack: Option<trogon_source_slack::SlackConfig>,
     pub telegram: Option<trogon_source_telegram::TelegramSourceConfig>,
+    pub twitter: Option<trogon_source_twitter::TwitterConfig>,
     pub gitlab: Option<trogon_source_gitlab::GitlabConfig>,
     pub incidentio: Option<trogon_source_incidentio::IncidentioConfig>,
     pub linear: Option<trogon_source_linear::LinearConfig>,
@@ -395,6 +415,7 @@ impl ResolvedConfig {
             || self.discord.is_some()
             || self.slack.is_some()
             || self.telegram.is_some()
+            || self.twitter.is_some()
             || self.gitlab.is_some()
             || self.incidentio.is_some()
             || self.linear.is_some()
@@ -424,6 +445,7 @@ fn resolve(cfg: GatewayConfig, nats_overrides: &NatsArgs) -> Result<ResolvedConf
     let discord = resolve_discord(cfg.sources.discord, &mut errors);
     let slack = resolve_slack(cfg.sources.slack, &mut errors);
     let telegram = resolve_telegram(cfg.sources.telegram, &mut errors);
+    let twitter = resolve_twitter(cfg.sources.twitter, &mut errors);
     let gitlab = resolve_gitlab(cfg.sources.gitlab, &mut errors);
     let incidentio = resolve_incidentio(cfg.sources.incidentio, &mut errors);
     let linear = resolve_linear(cfg.sources.linear, &mut errors);
@@ -456,6 +478,7 @@ fn resolve(cfg: GatewayConfig, nats_overrides: &NatsArgs) -> Result<ResolvedConf
         discord,
         slack,
         telegram,
+        twitter,
         gitlab,
         incidentio,
         linear,
@@ -798,6 +821,84 @@ fn resolve_telegram(
     })
 }
 
+fn resolve_twitter(
+    section: TwitterConfig,
+    errors: &mut Vec<ConfigValidationError>,
+) -> Option<trogon_source_twitter::TwitterConfig> {
+    if !resolve_source_status("twitter", section.status.as_deref(), errors) {
+        return None;
+    }
+
+    let secret_str = section.consumer_secret?;
+    let consumer_secret = match TwitterConsumerSecret::new(secret_str) {
+        Ok(secret) => secret,
+        Err(error) => {
+            errors.push(ConfigValidationError::invalid(
+                "twitter",
+                "consumer_secret",
+                error,
+            ));
+            return None;
+        }
+    };
+
+    let subject_prefix = match NatsToken::new(section.subject_prefix) {
+        Ok(token) => token,
+        Err(error) => {
+            errors.push(ConfigValidationError::invalid_subject_token(
+                "twitter",
+                "subject_prefix",
+                error,
+            ));
+            return None;
+        }
+    };
+
+    let stream_name = match NatsToken::new(section.stream_name) {
+        Ok(token) => token,
+        Err(error) => {
+            errors.push(ConfigValidationError::invalid_subject_token(
+                "twitter",
+                "stream_name",
+                error,
+            ));
+            return None;
+        }
+    };
+
+    let nats_ack_timeout = match NonZeroDuration::from_secs(section.nats_ack_timeout_secs) {
+        Ok(duration) => duration,
+        Err(error) => {
+            errors.push(ConfigValidationError::invalid(
+                "twitter",
+                "nats_ack_timeout_secs",
+                error,
+            ));
+            return None;
+        }
+    };
+
+    let stream_max_age = match StreamMaxAge::from_secs(section.stream_max_age_secs) {
+        Ok(age) => age,
+        Err(error) => {
+            errors.push(ConfigValidationError::invalid(
+                "twitter",
+                "stream_max_age_secs",
+                error,
+            ));
+            return None;
+        }
+    };
+
+    Some(trogon_source_twitter::TwitterConfig {
+        consumer_secret,
+        subject_prefix,
+        stream_name,
+        stream_max_age,
+        nats_ack_timeout,
+    })
+}
+
 fn resolve_gitlab(
     section: GitlabConfig,
     errors: &mut Vec<ConfigValidationError>,
@@ -1305,6 +1406,15 @@ webhook_secret = "{secret}"
         )
     }
 
+    fn twitter_toml(secret: &str) -> String {
+        format!(
+            r#"
+[sources.twitter]
+consumer_secret = "{secret}"
+"#
+        )
+    }
+
     fn gitlab_toml(secret: &str) -> String {
         format!(
             r#"
@@ -1536,6 +1646,25 @@ webhook_secret = "telegram-webhook-secret"
         assert!(cfg.telegram.is_none());
     }
 
+    #[test]
+    fn twitter_resolves_with_valid_consumer_secret() {
+        let f = write_toml(&twitter_toml("twitter-consumer-secret"));
+        let cfg = load(Some(f.path())).expect("load failed");
+        assert!(cfg.twitter.is_some());
+    }
+
+    #[test]
+    fn twitter_disabled_returns_none() {
+        let toml = r#"
+[sources.twitter]
+status = "disabled"
+consumer_secret = "twitter-consumer-secret"
+"#;
+        let f = write_toml(toml);
+        let cfg = load(Some(f.path())).expect("load failed");
+        assert!(cfg.twitter.is_none());
+    }
+
     #[test]
     fn gitlab_resolves_with_valid_secret() {
         let f = write_toml(&gitlab_toml("gitlab-webhook-secret"));
 
@@ -46,6 +46,14 @@ where
         info!(source = "telegram", "mounted at /telegram");
     }
 
+    if let Some(ref cfg) = config.twitter {
+        app = app.nest(
+            "/twitter",
+            trogon_source_twitter::router(publisher.clone(), cfg),
+        );
+        info!(source = "twitter", "mounted at /twitter");
+    }
+
     if let Some(ref cfg) = config.gitlab {
         app = app.nest(
             "/gitlab",
@@ -134,6 +142,9 @@ signing_secret = "slack-secret"
 [sources.telegram]
 webhook_secret = "tg-secret"
 
+[sources.twitter]
+consumer_secret = "twitter-consumer-secret"
+
 [sources.gitlab]
 webhook_secret = "gl-secret"