common/hermes
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
db50af910be6b4171ea9cf54f4cc38be27ac1da6
hermes/gateway
History
ygd58 db50af910b fix(telegram): enforce TELEGRAM_ALLOWED_USERS allowlist on inbound messages 
TELEGRAM_ALLOWED_USERS was only checked for callback/inline-button
actions but not for inbound messages. Unauthorized users triggered an
'Unauthorized user' log warning but their messages were still processed
by the agent — a P0 security bypass (issue #23778).

Fix: add allowlist check in _should_process_message() which is called
for all message types (text, command, media, location). If the sender
is not in TELEGRAM_ALLOWED_USERS, the message is dropped immediately
with a warning log. Empty TELEGRAM_ALLOWED_USERS continues to allow
all users (existing behavior).

Fixes #23778
2026-05-18 22:05:58 -07:00
..
assets
fix: improve telegram topic mode setup
2026-05-04 12:07:17 -07:00
builtin_hooks
remove: BOOT.md built-in hook (#17093)
2026-04-28 09:50:27 -07:00
platforms
fix(telegram): enforce TELEGRAM_ALLOWED_USERS allowlist on inbound messages
2026-05-18 22:05:58 -07:00
__init__.py
docs(gateway): mention Weixin in gateway help and docstrings
2026-05-12 17:08:51 -07:00
channel_directory.py
feat: complete plugin platform parity — all 12 integration points
2026-04-29 21:56:51 -07:00
config.py
fix(telegram): default streaming transport to edit
2026-05-18 21:51:39 -07:00
delivery.py
fix(gateway): preserve case-sensitive chat IDs in DeliveryTarget.parse
2026-05-01 14:01:26 -07:00
display_config.py
chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937)
2026-05-11 11:13:25 -07:00
hooks.py
fix(plugins): register dynamically-loaded modules in sys.modules before exec
2026-04-29 23:34:35 -07:00
memory_monitor.py
Port from cline/cline#10343: periodic gateway memory logging (#27102)
2026-05-16 12:55:23 -07:00
mirror.py
fix(gateway): avoid cross-user mirror writes in per-user group sessions
2026-04-26 18:31:24 -07:00
pairing.py
fix(pairing): enforce lockout on approve_code, not just generate_code (#10195) (#21325)
2026-05-07 07:18:21 -07:00
platform_registry.py
refactor(plugins): add apply_yaml_config_fn registry hook
2026-05-13 22:20:30 -07:00
restart.py
fix(gateway): address restart review feedback
2026-04-10 21:18:34 -07:00
run.py
fix(gateway): route background-process notifications into Telegram DM topics
2026-05-18 22:03:12 -07:00
runtime_footer.py
feat(gateway): opt-in runtime-metadata footer on final replies (#17026)
2026-04-28 06:50:04 -07:00
session_context.py
fix(gateway): route background-process notifications into Telegram DM topics
2026-05-18 22:03:12 -07:00
session.py
fix(session): persist auto-reset state across gateway restarts
2026-05-15 01:25:42 -07:00
shutdown_forensics.py
chore: ruff auto-fixes — collapsible-else-if, if-stmt-min-max, dict.fromkeys (#23926)
2026-05-11 11:03:29 -07:00
slash_access.py
feat(gateway): per-platform admin/user split for slash commands (salvage of #4443) (#23373)
2026-05-10 12:33:54 -07:00
status.py
fix: gateway PID detection fails on Windows (two issues)
2026-05-13 23:10:57 -07:00
sticker_cache.py
chore: remove ~100 unused imports across 55 files (#3016)
2026-03-25 15:02:03 -07:00
stream_consumer.py
fix(telegram): default streaming transport to edit
2026-05-18 21:51:39 -07:00
whatsapp_identity.py
fix(whatsapp_identity): pin identifier regex to ASCII, clarify it's defense-in-depth
2026-04-26 20:48:31 -07:00