hermes-agent/gateway/platforms
teknium1 ea1372d2af fix(security): wire session-id sanitizer into artifact paths + API boundary
Defense-in-depth on top of _safe_session_filename_component (#5958):

Sink (makes the bad write impossible regardless of entry point):
- run_agent._save_session_log: sanitize session_id before building the
  session_{sid}.json snapshot path.
- agent_runtime_helpers.dump_api_request_debug: sanitize before building
  the request_dump_{sid}_{ts}.json path.

Boundary (clean 400 instead of a silently-hashed filename):
- api_server rejects path-traversal-shaped X-Hermes-Session-Id on the
  session-continuation path and the explicit /api/sessions create path,
  reusing gateway.session._is_path_unsafe (mirrors the native gateway's
  entry-boundary guard). Also enforces the session-header length cap on
  the continuation path.

Tests: traversal session_id stays contained at the write site; sanitizer
always yields a traversal-free segment; the API header rejects
../, absolute, and Windows-traversal IDs with 400.
2026-06-29 04:25:45 -07:00
..
qqbot fix(qqbot): stop 100% CPU spin when WebSocket is closed but not None (#31193, #31771) (#40574) 2026-06-06 18:44:44 -07:00
__init__.py perf(gateway): defer QQAdapter and YuanbaoAdapter imports via PEP 562 (#22790) 2026-05-09 13:17:48 -07:00
_http_client_limits.py fix(gateway): tighten httpx keepalive and close whatsapp typing-response leak (#18451) 2026-05-02 02:23:37 -07:00
ADDING_A_PLATFORM.md feat(whatsapp): add WhatsApp Business Cloud API adapter 2026-05-23 01:07:01 -04:00
api_server.py fix(security): wire session-id sanitizer into artifact paths + API boundary 2026-06-29 04:25:45 -07:00
base.py fix(gateway): log error-notification failures instead of silently swallowing (#54472) 2026-06-28 18:52:51 -07:00
bluebubbles.py fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
helpers.py refactor: extract shared GFM table→bullet helpers into helpers.py 2026-06-27 03:57:24 +05:30
msgraph_webhook.py fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
signal.py fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
signal_format.py fix(signal): share markdown formatting across send paths 2026-06-20 13:47:14 +05:30
signal_rate_limit.py feat(gateway/signal): add support for multiple images sending 2026-04-30 04:28:08 -07:00
webhook.py fix(gateway): sanitize agent error messages, validate webhook gh args 2026-06-28 18:53:26 -07:00
weixin.py fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
whatsapp_cloud.py fix(whatsapp_cloud): resolve reply-to text so the agent sees reply context (#52957) 2026-06-26 01:05:05 -07:00
whatsapp_common.py fix(whatsapp): resolve phone↔LID aliases in adapter DM/group allowlist (#53588) 2026-06-27 04:17:12 -07:00
yuanbao.py fix(telegram): preserve Bot API update queue on watcher reconnect 2026-06-25 21:29:57 -07:00
yuanbao_media.py fix(security): SSRF guard yuanbao media download_url (#54470) 2026-06-28 15:29:59 -07:00
yuanbao_proto.py feat(Yuanbao): support wechat forward msg (#43508) 2026-06-12 02:06:47 -07:00
yuanbao_sticker.py yuanbao platform (#16298) 2026-04-26 18:50:49 -07:00