- Update sender ID construction to prioritize user ID while maintaining username for allowlist compatibility.
- Improve allowlist checking in BaseChannel to support sender IDs with multiple parts separated by '|'.
The HEARTBEAT_OK_TOKEN comparison was broken because the token
itself ("HEARTBEAT_OK" with underscore) was being compared against
a response string that had underscores removed. This made the
condition always fail, preventing the heartbeat service from
recognizing "no tasks" responses.
Now both sides of the comparison remove underscores consistently,
allowing proper matching of the HEARTBEAT_OK token.
Add URL validation and redirect limits to web_fetch tool to prevent potential security issues:
- Add _validate_url() function to validate URLs before fetching
- Only allow http:// and https:// schemes (prevent file://, ftp://, etc.)
- Verify URL has valid scheme and domain
- Return descriptive error messages for invalid URLs
- Limit HTTP redirects to 5 (down from default 20) to prevent DoS attacks
- Add MAX_REDIRECTS constant for easy configuration
- Explicitly configure httpx.AsyncClient with max_redirects parameter
- Improve error handling with JSON error responses for validation failures
This addresses security concerns identified in code review where web_fetch
had no URL validation or redirect limits, potentially allowing:
- Unsafe URL schemes (file://, etc.)
- Redirect-based DoS attacks
- Invalid URL formats causing unclear errors
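An added example (not the project's code) of the checks this commit describes: a `_validate_url()` that accepts only http/https URLs with a host, JSON error responses for rejected input, and a `MAX_REDIRECTS` cap of 5 passed to `httpx.AsyncClient`. The error message texts, the `validation_error()` helper and the `web_fetch()` signature are assumptions.

```python
import json
from typing import Optional
from urllib.parse import urlsplit

# Cap from the commit message: 5 redirects instead of httpx's default of 20.
MAX_REDIRECTS = 5
ALLOWED_SCHEMES = {"http", "https"}


def _validate_url(url: str) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise a descriptive error.

    Rejects non-http(s) schemes (file://, ftp://, ...), scheme-less input and
    URLs without a host, so unsafe or malformed URLs never reach the client.
    """
    if not isinstance(url, str) or not url.strip():
        return "URL must be a non-empty string"
    try:
        parts = urlsplit(url.strip())  # lowercases the scheme for us
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets
        return f"Malformed URL: {exc}"
    if not parts.scheme:
        return "URL must start with http:// or https://"
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"URL scheme '{parts.scheme}' is not allowed; use http or https"
    if not parts.hostname:
        return "URL must include a host name"
    return None


def validation_error(url: str, message: str) -> str:
    """JSON error payload returned to the caller instead of raising (assumed shape)."""
    return json.dumps({"error": message, "url": url})


async def web_fetch(url: str, timeout: float = 30.0) -> str:
    """Validate first, then fetch with a bounded redirect chain (assumed tool shape)."""
    error = _validate_url(url)
    if error is not None:
        return validation_error(url, error)
    import httpx  # imported lazily so the validator is usable without httpx

    try:
        async with httpx.AsyncClient(
            follow_redirects=True, max_redirects=MAX_REDIRECTS, timeout=timeout
        ) as client:
            response = await client.get(url.strip())
    except httpx.TooManyRedirects:
        return validation_error(url, f"Exceeded {MAX_REDIRECTS} redirects")
    return json.dumps({"status": response.status_code, "body": response.text})
```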
Skip API key validation for bedrock/ model prefix since AWS Bedrock
uses IAM credentials instead of API keys.
Fixes #20
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add a Dockerfile using the official uv Python image (python3.12-bookworm-slim)
for fast dependency installation. Includes Node.js 20 for the WhatsApp bridge,
dependency layer caching, and exposes the gateway port (18790).
https://claude.ai/code/session_011C1h1NERqqZp4ht3Pqpwkc
- Update configuration schema to include Gemini provider
- Modify API key retrieval priority to include Gemini
- Enhance CLI status command to display Gemini API status
- Update LiteLLMProvider to support Gemini integration
- Add vllm provider configuration in config schema
- Auto-detect vLLM endpoints and use hosted_vllm/ prefix for LiteLLM
- Pass api_base directly to acompletion for custom endpoints
- Add vLLM status display in CLI status command
- Add vLLM setup documentation in README