
Dront Review
Complete API collection for Dront Review / MR Analytics & AI Review Assistant.
## Setup
1. Set collection variables:
   - `baseUrl` → `http://localhost:3500` (or production URL)
   - `appId` → `dront_vault`
   - `secret` → `change-me-existing-portal-secret`
   - `userEmail` → `your-email@company.com`
   - `gitlabWebhookSecret` → (from `GITLAB_WEBHOOK_SECRET` in `.env`)
2. All endpoints (except /health and /webhooks/gitlab) are auto-signed with HMAC-SHA256 via the collection pre-request script.
3. Admin endpoints require the user to have the `admin` app role assigned.
## HMAC Signing
```
HMAC_KEY = SHA256(plain_secret) // hex
PAYLOAD = METHOD + "\n" + PATH_WITH_QUERY + "\n" + TIMESTAMP + "\n" + USER_EMAIL
SIGNATURE = HMAC-SHA256(HMAC_KEY, PAYLOAD) // hex
```
Headers: X-App-Id, X-User-Email, X-Timestamp, X-Signature
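The signing scheme above, written out for both the client and the verifying side, as an added example that is not the collection's pre-request script or Dront Review's server code. It assumes the hex string of `SHA256(secret)` is used directly as the HMAC key, that `X-Timestamp` is Unix seconds, and a hypothetical 300-second freshness window; the path and e-mail are constructed placeholders.

```javascript
const crypto = require("crypto");

// HMAC_KEY = SHA256(plain_secret) as hex. Assumption: the hex string itself
// (its UTF-8 bytes) is the HMAC key, not the 32 raw digest bytes.
function deriveKey(plainSecret) {
  return crypto.createHash("sha256").update(plainSecret, "utf8").digest("hex");
}

// PAYLOAD = METHOD \n PATH_WITH_QUERY \n TIMESTAMP \n USER_EMAIL
function sign(plainSecret, method, pathWithQuery, timestamp, userEmail) {
  const payload = [method, pathWithQuery, timestamp, userEmail].join("\n");
  return crypto.createHmac("sha256", deriveKey(plainSecret))
    .update(payload, "utf8").digest("hex");
}

// Client side: build the four headers. Assumption: X-Timestamp is Unix seconds.
function signedHeaders(appId, plainSecret, method, pathWithQuery, userEmail, nowMs = Date.now()) {
  const timestamp = String(Math.floor(nowMs / 1000));
  return {
    "X-App-Id": appId,
    "X-User-Email": userEmail,
    "X-Timestamp": timestamp,
    "X-Signature": sign(plainSecret, method, pathWithQuery, timestamp, userEmail),
  };
}

// Server side: recompute and compare. The freshness window (maxSkewSec) is a
// hypothetical value; it bounds how long a captured request can be replayed.
function verify(plainSecret, method, pathWithQuery, headers, nowMs = Date.now(), maxSkewSec = 300) {
  const ts = headers["X-Timestamp"];
  if (!/^\d+$/.test(ts || "")) return false;
  if (Math.abs(nowMs / 1000 - Number(ts)) > maxSkewSec) return false;
  const expected = Buffer.from(
    sign(plainSecret, method, pathWithQuery, ts, headers["X-User-Email"]), "hex");
  const given = Buffer.from(String(headers["X-Signature"] || ""), "hex");
  // Length check first: timingSafeEqual throws on unequal lengths.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample request (path and e-mail are placeholders).
const sample = signedHeaders("dront_vault", "change-me-existing-portal-secret",
  "GET", "/api/example?page=1", "user@example.com", 1700000000000);
console.log(sample, verify("change-me-existing-portal-secret", "GET",
  "/api/example?page=1", sample, 1700000010000));
```

Because the payload covers only method, path with query, timestamp and user e-mail, a request body is not authenticated by this signature.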