fix(sms): mark missing-config errors as non-retryable; default bind to 127.0.0.1 (#16258)

[briandevans]

Summary

• Config-validation failures in SmsAdapter.connect() (missing SMS_WEBHOOK_URL, missing TWILIO_PHONE_NUMBER) now call _set_fatal_error(..., retryable=False) before returning False, so the reconnect watcher removes them from the retry queue immediately and never re-enqueues them.
• DEFAULT_WEBHOOK_HOST changed from 0.0.0.0 to 127.0.0.1 — aligns with the recommended Cloudflare Tunnel deployment model (tunnel routes to 127.0.0.1:<port>). Operators who need 0.0.0.0 can set SMS_WEBHOOK_HOST=0.0.0.0.

The bugs

Retry-after-giving-up loop: when SMS_WEBHOOK_URL is unset, connect() returned False without setting has_fatal_error. The reconnect watcher treated this as a transient failure, scheduled exponential back-off retries, and logged an error on every attempt — up to 20 times before finally logging "Giving up reconnecting sms after N attempts". For a permanent configuration error this cycle is pure log noise. After the fix, the gateway recognises the error as non-retryable on the first attempt and drops SMS from the retry queue immediately.

0.0.0.0 bind: the Twilio webhook listener bound to all interfaces by default, exposing it to other hosts on the same network even though Cloudflare Tunnel (the recommended public-facing setup) only routes to 127.0.0.1. Changing the default eliminates the unnecessary exposure; the env-var override path SMS_WEBHOOK_HOST is unchanged for operators who require the old behaviour.

The fix

gateway/platforms/sms.py:

• DEFAULT_WEBHOOK_HOST: "0.0.0.0" → "127.0.0.1" (+ module docstring)
• connect(): two return False paths that previously set no fatal-error state now call self._set_fatal_error("<code>", msg, retryable=False) before returning

tests/gateway/test_sms.py:

• test_default_host_is_all_interfaces renamed to test_default_host_is_localhost, assertion updated
• test_host_from_env updated to verify env-var override to 0.0.0.0 still works (was testing override to the new default, which added no coverage)
• Three new TestStartupGuard tests: test_missing_webhook_url_is_non_retryable, test_missing_phone_number_is_non_retryable, test_insecure_flag_does_not_set_fatal_error

Test plan

• Before: test_missing_webhook_url_is_non_retryable fails — has_fatal_error is False on the old code path
• After: 39 tests pass in tests/gateway/test_sms.py
• Regression guard: reverted both _set_fatal_error calls → both new non-retryable tests fail as expected; restored → 0 failures
• Adjacent suite (tests/gateway/) unchanged

Related

• Fixes SMS gateway: bind to 127.0.0.1 by default, fix retry-after-giving-up loop #16258

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Updates the SMS (Twilio) gateway adapter to treat missing required configuration as non-retryable failures (so the reconnect watcher drops SMS immediately), and tightens default webhook listener binding to localhost for safer Cloudflare Tunnel deployments.

Changes:

• Mark missing SMS_WEBHOOK_URL / TWILIO_PHONE_NUMBER startup failures as fatal + retryable=False in SmsAdapter.connect().
• Change the default webhook bind host from 0.0.0.0 to 127.0.0.1 (env override unchanged).
• Update/add tests to cover the new default bind and the non-retryable fatal-error behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
gateway/platforms/sms.py	Switch default webhook host to localhost and set non-retryable fatal errors for missing required config in connect().
tests/gateway/test_sms.py	Adjust host-default/override assertions and add startup-guard tests verifying non-retryable fatal errors.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In test_missing_phone_number_is_non_retryable, the patch.dict(os.environ, env, clear=False) allows a pre-existing TWILIO_PHONE_NUMBER (or SMS_WEBHOOK_URL) from the outer environment to leak into SmsAdapter.__init__(). That can make this test flaky (it may fail a different guard than intended or even try to start a real aiohttp listener). Use clear=True (and/or explicitly unset TWILIO_PHONE_NUMBER/SMS_WEBHOOK_URL) so the test deterministically exercises the missing-phone-number path.

Suggested change

	with patch.dict(os.environ, env, clear=False):
	with patch.dict(os.environ, env, clear=True):

[briandevans]

@copilot Finding addressed in commit 2f5c9ce3:

Finding (line 261 — env leak via clear=False): Added "TWILIO_PHONE_NUMBER": "" and "SMS_WEBHOOK_URL": "" to the env dict so both vars are explicitly cleared by patch.dict, regardless of what the host environment has set. This deterministically exercises the missing-phone-number guard path without risk of TWILIO_PHONE_NUMBER from the outer env leaking through and redirecting to the webhook-URL guard instead.

[teknium1]

Salvaged via #19745 onto current main. Test-file conflict had extra tests from your branch (insecure-flag regression and others); preserved them all. The sms.py changes weren't applied cleanly by the initial cherry-pick (silent file conflict), so I re-applied them manually and also updated the existing test_default_host_is_all_interfaces test assertion to match the new 127.0.0.1 default. Your authorship was preserved. Thanks @briandevans!