LiteLLM expects the 'zai/' provider prefix for Zhipu AI (Z.ai) models,
not 'zhipu/'. This was causing 'LLM Provider NOT provided' errors when
users configured models like 'glm-4.7' without an explicit prefix.
According to LiteLLM docs, the correct format is:
- model='zai/glm-4.7' (correct)
- NOT model='zhipu/glm-4.7' (incorrect)
This fix ensures auto-prefixed models use the correct 'zai/' format.
Fixes: Error when using Zhipu AI models with shorthand names like 'glm-4.7'

The status command was ignoring the workspace setting from the
configuration file and always displaying the default path
(~/.nanobot/workspace). This fix loads the config first and uses
config.workspace_path when available, falling back to the default
only when no config exists.
This brings the status command in line with other commands that
correctly use config.workspace_path.

Previously, the `nanobot channels status` command only displayed
WhatsApp channel status, completely omitting Telegram despite it
being fully implemented in the codebase.
Changes:
- Added Telegram channel status display
- Renamed "Bridge URL" column to "Configuration" for better generality
- Show Telegram token (first 10 chars) or "not configured" message
- Added comments to distinguish WhatsApp and Telegram sections
Fixes the issue where users couldn't see Telegram channel status
via CLI, even though the feature was working correctly.

- Implement Discord channel functionality with websocket integration.
- Update configuration schema to include Discord settings.
- Enhance README with setup instructions for Discord integration.
- Modify channel manager to initialize Discord channel if enabled.
- Update CLI status command to display Discord channel status.
- Update sender ID construction to prioritize user ID while maintaining username for allowlist compatibility.
- Improve allowlist checking in BaseChannel to support sender IDs with multiple parts separated by '|'.

The HEARTBEAT_OK_TOKEN comparison was broken because the token
itself ("HEARTBEAT_OK" with underscore) was being compared against
a response string that had underscores removed. This made the
condition always fail, preventing the heartbeat service from
recognizing "no tasks" responses.
Now both sides of the comparison remove underscores consistently,
allowing proper matching of the HEARTBEAT_OK token.

Add URL validation and redirect limits to web_fetch tool to prevent potential security issues:
- Add _validate_url() function to validate URLs before fetching
- Only allow http:// and https:// schemes (prevent file://, ftp://, etc.)
- Verify URL has valid scheme and domain
- Return descriptive error messages for invalid URLs
- Limit HTTP redirects to 5 (down from default 20) to prevent DoS attacks
- Add MAX_REDIRECTS constant for easy configuration
- Explicitly configure httpx.AsyncClient with max_redirects parameter
- Improve error handling with JSON error responses for validation failures
This addresses security concerns identified in code review where web_fetch
had no URL validation or redirect limits, potentially allowing:
- Unsafe URL schemes (file://, etc.)
- Redirect-based DoS attacks
- Invalid URL formats causing unclear errors
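
The checks listed in the web_fetch commit message above, as an added example that is not the project's own code. The function names and the JSON error shape are assumptions (`validate_url` mirrors the `_validate_url()` named in the message); `MAX_REDIRECTS = 5` is the value the message states.

```python
import json
from urllib.parse import urlparse

MAX_REDIRECTS = 5  # limit stated in the commit message
ALLOWED_SCHEMES = {"http", "https"}


def validate_url(url: str) -> tuple[bool, str]:
    """Return (ok, error). Accept only absolute http(s) URLs that name a host."""
    try:
        parsed = urlparse(url)  # raises ValueError on e.g. a malformed IPv6 literal
        host = parsed.hostname
    except ValueError as exc:
        return False, f"Malformed URL: {exc}"
    if parsed.scheme not in ALLOWED_SCHEMES:  # urlparse lowercases the scheme
        return False, f"Only http/https allowed, got '{parsed.scheme or 'none'}'"
    if not host:
        return False, "Missing domain"
    return True, ""


async def web_fetch(url: str) -> str:
    """Validate first, then fetch with a bounded redirect chain (hypothetical tool body)."""
    ok, error = validate_url(url)
    if not ok:
        # Rejected before any network I/O; the caller gets a structured error.
        return json.dumps({"error": f"URL validation failed: {error}", "url": url})
    import httpx  # imported lazily so validation works without httpx installed
    try:
        async with httpx.AsyncClient(
            follow_redirects=True, max_redirects=MAX_REDIRECTS, timeout=30.0
        ) as client:
            response = await client.get(url)
            response.raise_for_status()
    except httpx.TooManyRedirects:
        return json.dumps({"error": f"More than {MAX_REDIRECTS} redirects", "url": url})
    except httpx.HTTPError as exc:
        return json.dumps({"error": str(exc), "url": url})
    return json.dumps({"url": str(response.url), "status": response.status_code,
                       "text": response.text})
```

In this sketch only the initial URL is validated; redirect targets are limited in number but not re-checked.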
Skip API key validation for bedrock/ model prefix since AWS Bedrock
uses IAM credentials instead of API keys.
Fixes #20
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>