Commit Graph

5 Commits

Author SHA1 Message Date
Diogo Ortega
fc379a1332 security: WhatsApp incident remediation fixes
FIX-1.1: Enforce outbound allowlist for explicit WhatsApp sends
- Added allowlist validation in explicit mode in resolveTarget
- Added --allow-unlisted CLI flag for emergency overrides
- Groups always allowed (no allowlist check needed)

FIX-1.4: Heartbeat delivery hard-gating
- Added requireExplicitTarget config option for heartbeat
- When enabled, heartbeat delivery requires explicit to parameter
- Returns channel: 'none' with reason: 'require-explicit' otherwise

FIX-3.2: Delivery context trust boundary
- Added isSenderTrustedForDeliveryContext() helper
- Only update delivery context from allowlisted senders
- Prevents untrusted inbound from setting routing targets

Tests: All new tests passing (targets: 25/25, delivery-context: 10/10)
2026-01-27 12:23:31 +00:00
Peter Steinberger
458e731f8b fix: newline chunking across channels 2026-01-25 04:11:36 +00:00
Adam Holt
c07949a99c Channels: add per-group tool policies 2026-01-24 05:49:39 +00:00
Peter Steinberger
ee6e534ccb refactor: route channel runtime via plugin api 2026-01-18 11:01:16 +00:00
Peter Steinberger
c5e19f5c67 refactor: migrate messaging plugins to sdk 2026-01-18 08:54:00 +00:00