fix(feishu): fail-closed on missing encrypt_key and empty card-action token

[Subway2023]

fix(feishu): fail-closed on missing encrypt_key and empty card-action token

What does this PR do?

Feishu webhook mode had two fail-open authentication paths that allowed unauthenticated requests to reach command dispatch:

1. Webhook signature bypass: _handle_webhook_request only ran signature verification when self._encrypt_key was truthy. When FEISHU_ENCRYPT_KEY was unset (defaulting to ""), the entire check was short-circuited, accepting any request. Additionally, _is_webhook_signature_valid did not guard against an empty key, meaning an attacker who knew the key was absent could craft a valid HMAC over an empty string and still pass if the guard was ever reached.

2. Card-action empty token accepted: _handle_card_action_event guarded the dedup check with if token and …, so a card-action callback with an empty token bypassed deduplication entirely and proceeded to command dispatch.

This PR makes both paths fail-closed:

• _is_webhook_signature_valid now returns False immediately when encrypt_key is empty.
• The call-site condition is changed from if self._encrypt_key and not … to if not …, so verification always runs.
• _handle_card_action_event now explicitly drops events with a missing or empty token before the dedup check.

Related Issue

Fixes #

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 🔒 Security fix
• 📝 Documentation update
• ✅ Tests (adding or improving test coverage)
• ♻️ Refactor (no behavior change)
• 🎯 New skill (bundled or hub)

Changes Made

• gateway/platforms/feishu.py: add early if not self._encrypt_key: return False guard at the top of _is_webhook_signature_valid
• gateway/platforms/feishu.py: change if self._encrypt_key and not self._is_webhook_signature_valid(…) → if not self._is_webhook_signature_valid(…) in _handle_webhook_request
• gateway/platforms/feishu.py: add if not token: return before the dedup check in _handle_card_action_event
• tests/gateway/test_feishu.py: add TestWebhookFailClosed (2 cases) and TestCardActionSecurity (3 cases) covering the new fail-closed behaviour
• tests/gateway/test_feishu.py: update test_webhook_request_uses_same_message_dispatch_path to supply a valid signature, as it previously relied on the fail-open behaviour

How to Test

1. Start Hermes with FEISHU_ENCRYPT_KEY unset and webhook mode enabled.
2. Send a POST to the webhook endpoint with a valid JSON body but no signature headers — expect HTTP 401.
3. Send a card-action callback with "token": "" — confirm the event is dropped and no command is dispatched.
4. Run the test suite: pytest tests/gateway/test_feishu.py -q — all tests should pass.

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature (no unrelated commits)
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes (required for bug fixes, strongly encouraged for features)
• I've tested on my platform:

Documentation & Housekeeping

• I've updated relevant documentation (README, docs/, docstrings) — or N/A
• I've updated cli-config.yaml.example if I added/changed config keys — or N/A
• I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
• I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
• I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Screenshots / Logs

# Before fix — no encrypt_key set, request accepted
HTTP 200 OK

# After fix — no encrypt_key set, request rejected
WARNING [Feishu] Webhook rejected: invalid signature from 127.0.0.1
HTTP 401 Invalid signature

pytest tests/gateway/test_feishu.py -q
194 passed, 96 warnings in 5.25s