I was wondering how to encrypt or sign SSTP messages,
so that ghost authors can use their own external events without worrying about security.
Firstly, I think the ghost side needs a public key and the server side needs a private key.
This means that a purely local browser running a JS program cannot communicate securely with the ghost; after all, you can't let the user's browser get the private key.
Secondly, you might need to sign the time to make the SSTP message time-sensitive, in case a malicious person records the message sent from the server.
Oh, I'm dumb.
Just make SSP provide the origin of the message in the external SSTP, and you can let the ghost restrict the source of the message itself.
That way we could even allow all js software running in the user's browser!
I'm not sure if a malicious person could forge HTTP messages, like running a fake browser locally on the user's machine and then sending HTTP messages with an incorrect origin.
Oh, why would he go to the trouble of calling SSTP when he's running locally on the user's machine?
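
The signing scheme sketched at the start of the post (server holds the private key, ghost holds the public key, the time is signed so a recorded message expires), as an added example that is not part of the original post and is not SSP's or any ghost's code. Ed25519, the 30-second window, the message layout, and every name below are assumptions.

```javascript
// Added example (Node.js): signed, time-limited SSTP-style message.
const crypto = require('crypto');

const MAX_SKEW_MS = 30000; // assumed freshness window

// Constructed SSTP NOTIFY request; sender and event names are made up.
const SAMPLE = 'NOTIFY SSTP/1.1\r\nSender: example-server\r\n' +
  'Event: OnExampleEvent\r\nReference0: hello\r\nCharset: UTF-8\r\n\r\n';

// Server side keeps privateKey; only publicKey ships with the ghost.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Sign timestamp and body together so neither can be swapped independently.
function signMessage(body, nowMs, key) {
  const signedAt = String(nowMs);
  const payload = Buffer.from(signedAt + '\n' + body, 'utf8');
  const signature = crypto.sign(null, payload, key).toString('base64');
  return { body, signedAt, signature };
}

// Ghost side: signature first, then freshness, then replay inside the window.
function makeVerifier(pubKey, maxSkewMs = MAX_SKEW_MS) {
  const seen = new Map(); // signature -> time after which it is stale anyway
  return function verify(msg, nowMs) {
    const payload = Buffer.from(msg.signedAt + '\n' + msg.body, 'utf8');
    let ok = false;
    try {
      ok = crypto.verify(null, payload, pubKey,
        Buffer.from(msg.signature, 'base64'));
    } catch {
      ok = false; // malformed signature input
    }
    if (!ok) return 'bad-signature';
    const t = Number(msg.signedAt);
    if (!Number.isFinite(t) || Math.abs(nowMs - t) > maxSkewMs) return 'stale';
    for (const [sig, exp] of seen) if (exp < nowMs) seen.delete(sig);
    if (seen.has(msg.signature)) return 'replayed';
    seen.set(msg.signature, t + maxSkewMs);
    return 'ok';
  };
}

// Demo: first delivery is accepted, a recorded copy is not.
const demoVerify = makeVerifier(publicKey);
const demoMsg = signMessage(SAMPLE, Date.now(), privateKey);
console.log(demoVerify(demoMsg, Date.now()), demoVerify(demoMsg, Date.now()));
```

The timestamp alone only bounds how long a recording stays usable; the `seen` map is what rejects a replay inside that window.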