storkit: accept 384_story_whatsapp_markdown_to_whatsapp_formatting_conversion

.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md

@@ -1,21 +0,0 @@
----
-name: "WhatsApp webhook HMAC signature verification"
----
-
-# Story 388: WhatsApp webhook HMAC signature verification
-
-## User Story
-
-As a bot operator, I want incoming WhatsApp webhook requests to be cryptographically verified, so that forged requests from unauthorized sources are rejected.
-
-## Acceptance Criteria
-
-- [ ] Meta webhooks: validate X-Hub-Signature-256 HMAC-SHA256 header using the app secret before processing
-- [ ] Twilio webhooks: validate request signature using the auth token before processing
-- [ ] Requests with missing or invalid signatures are rejected with 403 Forbidden
-- [ ] Verification is fail-closed: if signature checking is configured, unsigned requests are rejected
-- [ ] Existing bot.toml config is extended with any needed secrets (e.g. Meta app_secret for HMAC verification)
-
-## Out of Scope
-
-- TBD

.storkit/work/1_backlog/389_story_whatsapp_phone_number_allowlist_authorization.md

@@ -1,21 +0,0 @@
----
-name: "WhatsApp phone number allowlist authorization"
----
-
-# Story 389: WhatsApp phone number allowlist authorization
-
-## User Story
-
-As a bot operator, I want to restrict which phone numbers can interact with the bot, so that only authorized users can send commands.
-
-## Acceptance Criteria
-
-- [ ] New optional allowed_phones list in bot.toml for WhatsApp (similar to Matrix allowed_users)
-- [ ] When configured, only messages from listed phone numbers are processed; all others are silently ignored
-- [ ] When not configured (empty or absent), all phone numbers are allowed (backwards compatible)
-- [ ] Unauthorized senders are logged but receive no response
-- [ ] The allowlist applies to all message types: commands, LLM conversations, and async commands (htop, delete)
-
-## Out of Scope
-
-- TBD