FIX-1.1: Enforce outbound allowlist for explicit WhatsApp sends - Added allowlist validation in explicit mode in resolveTarget - Added --allow-unlisted CLI flag for emergency overrides - Groups always allowed (no allowlist check needed) FIX-1.4: Heartbeat delivery hard-gating - Added requireExplicitTarget config option for heartbeat - When enabled, heartbeat delivery requires explicit to parameter - Returns channel: 'none' with reason: 'require-explicit' otherwise FIX-3.2: Delivery context trust boundary - Added isSenderTrustedForDeliveryContext() helper - Only update delivery context from allowlisted senders - Prevents untrusted inbound from setting routing targets Tests: All new tests passing (targets: 25/25, delivery-context: 10/10) |
||
|---|---|---|
| .. | ||
| src | ||
| clawdbot.plugin.json | ||
| index.ts | ||
| package.json | ||