Diogo Ortega
|
fc379a1332
|
security: WhatsApp incident remediation fixes
FIX-1.1: Enforce outbound allowlist for explicit WhatsApp sends
- Added allowlist validation in explicit mode in resolveTarget
- Added --allow-unlisted CLI flag for emergency overrides
- Groups always allowed (no allowlist check needed)
FIX-1.4: Heartbeat delivery hard-gating
- Added requireExplicitTarget config option for heartbeat
- When enabled, heartbeat delivery requires explicit to parameter
- Returns channel: 'none' with reason: 'require-explicit' otherwise
FIX-3.2: Delivery context trust boundary
- Added isSenderTrustedForDeliveryContext() helper
- Only update delivery context from allowlisted senders
- Prevents untrusted inbound from setting routing targets
Tests: All new tests passing (targets: 25/25, delivery-context: 10/10)
|
2026-01-27 12:23:31 +00:00 |
|