BJ-6: BitbucketAdapter + POST /webhooks/bitbucket route#

Problem#

The webhook pipeline only handled GitHub events. Bitbucket Cloud webhooks had no normalisation layer, blocking Atlassian integration tenants from using the AgentSDE pipeline.

Task / Link#

Closes #546 — BJ-6 (Atlassian Integration Wave 2)

Changes#

• Added BitbucketAdapter implementing PlatformAdapter for Bitbucket Cloud webhooks (secret query-param + optional IP allowlist auth)
• Added POST /webhooks/bitbucket controller handler that passes req.ip and req.query.secret to verifySignature
• Normalises 7 Bitbucket event keys (pullrequest:created, pullrequest:approved, pullrequest:changes_request_created, pullrequest:fulfilled, pullrequest:comment_created, pullrequest:updated, repo:push) into DispatchEvents
• Bot self-filter and /agentsde directive detection on pullrequest:comment_created
• Registered BitbucketAdapter in WebhookModule providers and onModuleInit()
• Added BITBUCKET_WEBHOOK_SECRET and BITBUCKET_WEBHOOK_IP_ALLOWLIST to config schema and .env.example

Notes#

• Bitbucket webhooks have no HMAC — auth is via ?secret= query param (timing-safe comparison) + optional source-IP allowlist
• IP allowlist is plain IP strings only (no CIDR) for v1; the env var is optional
• BITBUCKET_WEBHOOK_SECRET is optional in Joi schema — route returns 401 via verifySignature when unset
• Implementation delivered in PR #576 (feat/bj-6-bitbucket-adapter → rc/atlassian-integration, merged 2026-04-23)

Testing#

• Unit tests in bitbucket.adapter.spec.ts cover: valid/invalid/missing secret, IP allowlist hit/miss/unconfigured, all 7 event keys, unknown event key, bot self-filter, /agentsde directive
• npm run test passes; npm run lint passes (zero warnings)