cruxstack
diff --git a/‎AGENTS.md‎
Lines changed: 2 additions & 2 deletions b/‎AGENTS.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 4 additions & 3 deletions b/‎README.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎cmd/lambda/README.md‎
Lines changed: 11 additions & 7 deletions b/‎cmd/lambda/README.md‎
Lines changed: 11 additions & 7 deletions
diff --git a/‎cmd/lambda/main.go‎
Lines changed: 30 additions & 107 deletions b/‎cmd/lambda/main.go‎
Lines changed: 30 additions & 107 deletions
diff --git a/‎cmd/server/main.go‎
Lines changed: 30 additions & 28 deletions b/‎cmd/server/main.go‎
Lines changed: 30 additions & 28 deletions
diff --git a/‎cmd/verify/README.md‎
Lines changed: 10 additions & 7 deletions b/‎cmd/verify/README.md‎
Lines changed: 10 additions & 7 deletions
@@ -10,8 +10,8 @@
   - `cmd/verify/main.go` - Integration tests with HTTP mock servers
   - `cmd/sample/main.go` - **DO NOT RUN** (requires live credentials)
 - **Packages**:
-  - `internal/app/` - Core logic, configuration, and HTTP handlers (no AWS
-    dependencies)
+  - `internal/app/` - Core logic and unified request handling via
+    `HandleRequest()` (no AWS dependencies)
   - `internal/github/` - API client, webhooks, PR checks, team mgmt, auth
   - `internal/okta/` - API client, group sync
   - `internal/notifiers/` - Slack formatting for events and reports
 
@@ -122,9 +122,10 @@ APP_GITHUB_WEBHOOK_SECRET=arn:aws:ssm:us-east-1:123456789012:parameter/github-bo
 
 ### Other
 
-| Variable                 | Description                        |
-|--------------------------|------------------------------------|
-| `APP_DEBUG_ENABLED`      | Verbose logging (default: `false`) |
+| Variable                 | Description                                    |
+|--------------------------|------------------------------------------------|
+| `APP_DEBUG_ENABLED`      | Verbose logging (default: `false`)             |
+| `APP_BASE_PATH`          | URL prefix to strip (e.g., `/api/v1`)          |
 
 ### Okta Sync Rules
 
 
@@ -6,10 +6,10 @@ alternatives like standard HTTP servers.
 
 ## Overview
 
-The Lambda adapter translates AWS-specific events into standard application
-calls:
-- **API Gateway** (webhooks) → HTTP handlers
-- **EventBridge** (scheduled sync) → `ProcessScheduledEvent()`
+The Lambda adapter translates AWS-specific events into the unified
+`app.HandleRequest()` interface:
+- **API Gateway** (webhooks, status, config) → `app.Request{Type: HTTP}`
+- **EventBridge** (scheduled sync) → `app.Request{Type: Scheduled}`
 
 ## Build
 
@@ -83,15 +83,19 @@ Create an EventBridge rule:
 
 ### Universal Handler
 
-The Lambda function uses a universal handler that detects event types:
+The Lambda function uses a universal handler that detects event types and
+converts them to the unified `app.Request` format:
 
 ```go
 func UniversalHandler(ctx context.Context, event json.RawMessage) (any, error)
 ```
 
 **Supported Events**:
-- `APIGatewayV2HTTPRequest` → Routes to webhook/status/config handlers
-- `CloudWatchEvent` (EventBridge) → Routes to scheduled event processor
+- `APIGatewayV2HTTPRequest` → Converts to `app.Request{Type: HTTP}`
+- `CloudWatchEvent` (EventBridge) → Converts to `app.Request{Type: Scheduled}`
+
+All requests are then processed by `app.HandleRequest()` which routes based on
+request type and path.
 
 ### Endpoints
 
 
@@ -1,6 +1,3 @@
-// Package main provides the AWS Lambda entry point for the GitHub bot.
-// This Lambda handler supports API Gateway HTTP API (v2.0) and EventBridge
-// (scheduled sync) events.
 package main
 
 import (
@@ -15,7 +12,6 @@ import (
 	"github.com/aws/aws-lambda-go/lambda"
 	"github.com/cruxstack/github-ops-app/internal/app"
 	"github.com/cruxstack/github-ops-app/internal/config"
-	"github.com/cruxstack/github-ops-app/internal/github"
 )
 
 var (
@@ -25,8 +21,6 @@ var (
 	initErr  error
 )
 
-// initApp initializes the application instance once using sync.Once.
-// stores any initialization error in the initErr global variable.
 func initApp() {
 	initOnce.Do(func() {
 		logger = config.NewLogger()
@@ -40,9 +34,7 @@ func initApp() {
 	})
 }
 
-// APIGatewayHandler processes incoming API Gateway HTTP API (v2.0) requests.
-// handles GitHub webhook events, status checks, and config endpoints.
-// validates webhook signatures before processing events.
+// APIGatewayHandler converts API Gateway requests to unified app.Request.
 func APIGatewayHandler(ctx context.Context, req awsevents.APIGatewayV2HTTPRequest) (awsevents.APIGatewayV2HTTPResponse, error) {
 	initApp()
 	if initErr != nil {
@@ -66,108 +58,29 @@ func APIGatewayHandler(ctx context.Context, req awsevents.APIGatewayV2HTTPReques
 		}
 	}
 
-	if path == "/server/status" {
-		return handleServerStatus(ctx, req)
+	headers := make(map[string]string)
+	for key, value := range req.Headers {
+		headers[strings.ToLower(key)] = value
 	}
 
-	if path == "/server/config" {
-		return handleServerConfig(ctx, req)
+	appReq := app.Request{
+		Type:    app.RequestTypeHTTP,
+		Method:  req.RequestContext.HTTP.Method,
+		Path:    path,
+		Headers: headers,
+		Body:    []byte(req.Body),
 	}
 
-	if req.RequestContext.HTTP.Method != "POST" {
-		return awsevents.APIGatewayV2HTTPResponse{
-			StatusCode: 405,
-			Body:       "method not allowed",
-		}, nil
-	}
-
-	eventType := req.Headers["x-github-event"]
-	signature := req.Headers["x-hub-signature-256"]
-
-	if err := github.ValidateWebhookSignature(
-		[]byte(req.Body),
-		signature,
-		appInst.Config.GitHubWebhookSecret,
-	); err != nil {
-		logger.Warn("webhook signature validation failed", slog.String("error", err.Error()))
-		return awsevents.APIGatewayV2HTTPResponse{
-			StatusCode: 401,
-			Body:       "unauthorized",
-		}, nil
-	}
-
-	if err := appInst.ProcessWebhook(ctx, []byte(req.Body), eventType); err != nil {
-		logger.Error("webhook processing failed",
-			slog.String("event_type", eventType),
-			slog.String("error", err.Error()))
-		return awsevents.APIGatewayV2HTTPResponse{
-			StatusCode: 500,
-			Body:       "webhook processing failed",
-		}, nil
-	}
+	resp := appInst.HandleRequest(ctx, appReq)
 
 	return awsevents.APIGatewayV2HTTPResponse{
-		StatusCode: 200,
-		Body:       "ok",
+		StatusCode: resp.StatusCode,
+		Headers:    resp.Headers,
+		Body:       string(resp.Body),
 	}, nil
 }
 
-// handleServerStatus returns the application status and feature flags.
-// responds with JSON containing configuration state and enabled features.
-func handleServerStatus(ctx context.Context, req awsevents.APIGatewayV2HTTPRequest) (awsevents.APIGatewayV2HTTPResponse, error) {
-	if req.RequestContext.HTTP.Method != "GET" {
-		return awsevents.APIGatewayV2HTTPResponse{
-			StatusCode: 405,
-			Body:       "method not allowed",
-		}, nil
-	}
-
-	status := appInst.GetStatus()
-	body, err := json.Marshal(status)
-	if err != nil {
-		logger.Error("failed to marshal status response", slog.String("error", err.Error()))
-		return awsevents.APIGatewayV2HTTPResponse{
-			StatusCode: 500,
-			Body:       "failed to generate status response",
-		}, nil
-	}
-
-	return awsevents.APIGatewayV2HTTPResponse{
-		StatusCode: 200,
-		Headers:    map[string]string{"Content-Type": "application/json"},
-		Body:       string(body),
-	}, nil
-}
-
-// handleServerConfig returns the application configuration with secrets
-// redacted. useful for debugging and verifying environment settings.
-func handleServerConfig(ctx context.Context, req awsevents.APIGatewayV2HTTPRequest) (awsevents.APIGatewayV2HTTPResponse, error) {
-	if req.RequestContext.HTTP.Method != "GET" {
-		return awsevents.APIGatewayV2HTTPResponse{
-			StatusCode: 405,
-			Body:       "method not allowed",
-		}, nil
-	}
-
-	redacted := appInst.Config.Redacted()
-	body, err := json.Marshal(redacted)
-	if err != nil {
-		logger.Error("failed to marshal config response", slog.String("error", err.Error()))
-		return awsevents.APIGatewayV2HTTPResponse{
-			StatusCode: 500,
-			Body:       "failed to generate config response",
-		}, nil
-	}
-
-	return awsevents.APIGatewayV2HTTPResponse{
-		StatusCode: 200,
-		Headers:    map[string]string{"Content-Type": "application/json"},
-		Body:       string(body),
-	}, nil
-}
-
-// EventBridgeHandler processes EventBridge scheduled events.
-// typically handles scheduled Okta group sync operations.
+// EventBridgeHandler converts EventBridge events to unified app.Request.
 func EventBridgeHandler(ctx context.Context, evt awsevents.CloudWatchEvent) error {
 	initApp()
 	if initErr != nil {
@@ -185,23 +98,33 @@ func EventBridgeHandler(ctx context.Context, evt awsevents.CloudWatchEvent) erro
 		return err
 	}
 
-	return appInst.ProcessScheduledEvent(ctx, detail)
+	req := app.Request{
+		Type:            app.RequestTypeScheduled,
+		ScheduledAction: detail.Action,
+		ScheduledData:   detail.Data,
+	}
+
+	resp := appInst.HandleRequest(ctx, req)
+
+	if resp.StatusCode >= 400 {
+		return fmt.Errorf("scheduled event failed: %s", string(resp.Body))
+	}
+
+	return nil
 }
 
-// UniversalHandler detects the event type and routes to the appropriate
-// handler. supports API Gateway HTTP API (v2.0) and EventBridge events.
+// UniversalHandler detects event type and routes to the appropriate handler.
 func UniversalHandler(ctx context.Context, event json.RawMessage) (any, error) {
+	initApp()
 	if initErr != nil {
 		return nil, initErr
 	}
 
-	// try API Gateway HTTP API (v2.0)
 	var apiGatewayReq awsevents.APIGatewayV2HTTPRequest
 	if err := json.Unmarshal(event, &apiGatewayReq); err == nil && apiGatewayReq.RequestContext.HTTP.Method != "" {
 		return APIGatewayHandler(ctx, apiGatewayReq)
 	}
 
-	// try EventBridge
 	var eventBridgeEvent awsevents.CloudWatchEvent
 	if err := json.Unmarshal(event, &eventBridgeEvent); err == nil && eventBridgeEvent.DetailType != "" {
 		return nil, EventBridgeHandler(ctx, eventBridgeEvent)
 
@@ -1,15 +1,13 @@
-// Package main provides a standard HTTP server entry point for the GitHub bot.
-// runs as a long-lived HTTP server suitable for deployment on any VPS, container,
-// or Kubernetes cluster.
 package main
 
 import (
 	"context"
-	"encoding/json"
+	"io"
 	"log/slog"
 	"net/http"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"
 
@@ -39,10 +37,7 @@ func main() {
 	}
 
 	mux := http.NewServeMux()
-	mux.HandleFunc("/webhooks", appInst.WebhookHandler)
-	mux.HandleFunc("/server/status", appInst.StatusHandler)
-	mux.HandleFunc("/server/config", appInst.ConfigHandler)
-	mux.HandleFunc("/scheduled/okta-sync", scheduledOktaSyncHandler)
+	mux.HandleFunc("/", httpHandler)
 
 	port := os.Getenv("PORT")
 	if port == "" {
@@ -86,34 +81,41 @@ func main() {
 	logger.Info("server stopped")
 }
 
-// scheduledOktaSyncHandler handles HTTP-triggered Okta sync operations.
-// can be invoked by external cron services or schedulers.
-func scheduledOktaSyncHandler(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodPost {
-		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+// httpHandler converts http.Request to app.Request and handles the response.
+func httpHandler(w http.ResponseWriter, r *http.Request) {
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		http.Error(w, "failed to read request body", http.StatusBadRequest)
 		return
 	}
+	defer r.Body.Close()
 
-	evt := app.ScheduledEvent{
-		Action: "okta-sync",
+	headers := make(map[string]string)
+	for key, values := range r.Header {
+		if len(values) > 0 {
+			headers[strings.ToLower(key)] = values[0]
+		}
 	}
 
-	if err := appInst.ProcessScheduledEvent(r.Context(), evt); err != nil {
-		logger.Error("scheduled event processing failed",
-			slog.String("action", evt.Action),
-			slog.String("error", err.Error()))
-		http.Error(w, "event processing failed", http.StatusInternalServerError)
-		return
+	req := app.Request{
+		Type:    app.RequestTypeHTTP,
+		Method:  r.Method,
+		Path:    r.URL.Path,
+		Headers: headers,
+		Body:    body,
 	}
 
-	response := map[string]string{
-		"status":  "success",
-		"message": "okta sync completed",
+	resp := appInst.HandleRequest(r.Context(), req)
+
+	for key, value := range resp.Headers {
+		w.Header().Set(key, value)
+	}
+	if resp.ContentType != "" && w.Header().Get("Content-Type") == "" {
+		w.Header().Set("Content-Type", resp.ContentType)
 	}
 
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(http.StatusOK)
-	if err := json.NewEncoder(w).Encode(response); err != nil {
-		logger.Error("failed to encode response", slog.String("error", err.Error()))
+	w.WriteHeader(resp.StatusCode)
+	if len(resp.Body) > 0 {
+		w.Write(resp.Body)
 	}
 }
@@ -90,15 +90,18 @@ Path matching supports wildcards (`*`) for dynamic segments like org names, repo
 ## Architecture
 
 ```
-Event → App Logic → SDK Client → Mock Server (localhost:9001-9003)
-                                       ↓
-                                  Record Request
-                                       ↓
-                                  Return Mock Response
-                                       ↓
-                            Validate Expected Calls Made
+Test Scenario → app.HandleRequest() → SDK Client → Mock Server (localhost:9001-9003)
+                                                          ↓
+                                                     Record Request
+                                                          ↓
+                                                     Return Mock Response
+                                                          ↓
+                                               Validate Expected Calls Made
 ```
 
+Tests use the unified `app.HandleRequest()` interface, ensuring the same code
+paths are exercised as production deployments.
+
 Base URLs configured via environment (all HTTPS with self-signed certs):
 - `APP_GITHUB_BASE_URL` → `https://localhost:9001/`
 - `APP_OKTA_BASE_URL` → `https://localhost:9002/`