From d4dad1d556ca80b7a4a2c7c924ef11c118d9f4de Mon Sep 17 00:00:00 2001
From: dave
Date: Wed, 25 Mar 2026 01:34:08 +0000
Subject: [PATCH] storkit: accept 384_story_whatsapp_markdown_to_whatsapp_formatting_conversion

---
 ...app_webhook_hmac_signature_verification.md | 21 -------------------
 ...pp_phone_number_allowlist_authorization.md | 21 -------------------
 ...kdown_to_whatsapp_formatting_conversion.md | 0
 3 files changed, 42 deletions(-)
 delete mode 100644 .storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
 delete mode 100644 .storkit/work/1_backlog/389_story_whatsapp_phone_number_allowlist_authorization.md
 rename .storkit/work/{5_done => 6_archived}/384_story_whatsapp_markdown_to_whatsapp_formatting_conversion.md (100%)

diff --git a/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md b/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
deleted file mode 100644
index 36c2587..0000000
--- a/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-name: "WhatsApp webhook HMAC signature verification"
----
-
-# Story 388: WhatsApp webhook HMAC signature verification
-
-## User Story
-
-As a bot operator, I want incoming WhatsApp webhook requests to be cryptographically verified, so that forged requests from unauthorized sources are rejected.
-
-## Acceptance Criteria
-
-- [ ] Meta webhooks: validate X-Hub-Signature-256 HMAC-SHA256 header using the app secret before processing
-- [ ] Twilio webhooks: validate request signature using the auth token before processing
-- [ ] Requests with missing or invalid signatures are rejected with 403 Forbidden
-- [ ] Verification is fail-closed: if signature checking is configured, unsigned requests are rejected
-- [ ] Existing bot.toml config is extended with any needed secrets (e.g. Meta app_secret for HMAC verification)
-
-## Out of Scope
-
-- TBD
diff --git a/.storkit/work/1_backlog/389_story_whatsapp_phone_number_allowlist_authorization.md b/.storkit/work/1_backlog/389_story_whatsapp_phone_number_allowlist_authorization.md
deleted file mode 100644
index 3379a2a..0000000
--- a/.storkit/work/1_backlog/389_story_whatsapp_phone_number_allowlist_authorization.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-name: "WhatsApp phone number allowlist authorization"
----
-
-# Story 389: WhatsApp phone number allowlist authorization
-
-## User Story
-
-As a bot operator, I want to restrict which phone numbers can interact with the bot, so that only authorized users can send commands.
-
-## Acceptance Criteria
-
-- [ ] New optional allowed_phones list in bot.toml for WhatsApp (similar to Matrix allowed_users)
-- [ ] When configured, only messages from listed phone numbers are processed; all others are silently ignored
-- [ ] When not configured (empty or absent), all phone numbers are allowed (backwards compatible)
-- [ ] Unauthorized senders are logged but receive no response
-- [ ] The allowlist applies to all message types: commands, LLM conversations, and async commands (htop, delete)
-
-## Out of Scope
-
-- TBD
diff --git a/.storkit/work/5_done/384_story_whatsapp_markdown_to_whatsapp_formatting_conversion.md b/.storkit/work/6_archived/384_story_whatsapp_markdown_to_whatsapp_formatting_conversion.md
similarity index 100%
rename from .storkit/work/5_done/384_story_whatsapp_markdown_to_whatsapp_formatting_conversion.md
rename to .storkit/work/6_archived/384_story_whatsapp_markdown_to_whatsapp_formatting_conversion.md