Skip to content

fix(sms): mark missing-config errors as non-retryable; default bind to 127.0.0.1#19745

Merged
teknium1 merged 1 commit into
mainfrom
hermes/hermes-8c54fd4a
May 4, 2026
Merged

fix(sms): mark missing-config errors as non-retryable; default bind to 127.0.0.1#19745
teknium1 merged 1 commit into
mainfrom
hermes/hermes-8c54fd4a

Conversation

@teknium1

@teknium1 teknium1 commented May 4, 2026

Copy link
Copy Markdown
Contributor

Salvage of #16278 by @briandevans onto current main.

Summary

Two security-adjacent fixes for the SMS adapter:

  1. Default bind to 127.0.0.1 instead of 0.0.0.0. The SMS webhook receiver shouldn't be exposed to external networks by default. Users who need external exposure can still set SMS_WEBHOOK_HOST=0.0.0.0, but the default is now localhost-only.

  2. Config-validation failures are non-retryable. When TWILIO_PHONE_NUMBER or SMS_WEBHOOK_URL is missing, connect() returned False without marking the error non-retryable. The reconnect watcher kept retrying a config error that will never resolve. Call _set_fatal_error("sms_missing_*", msg, retryable=False) so the watcher removes the adapter from the retry rotation.

Conflict resolution during salvage

Test file picked up additional tests from main; preserved both sets. The original PR's cherry-pick didn't apply the sms.py changes cleanly (silent conflict), so the code changes were re-applied manually. Also updated the existing test_default_host_is_all_interfaces test to match the new 127.0.0.1 default.

Changes

  • gateway/platforms/sms.py: default bind change + fatal-error on config-validation failure (+8/-4)
  • tests: regressions for missing webhook URL / phone number + default-host assertion update

Validation

scripts/run_tests.sh tests/gateway/test_sms.py -> 39 passed

Original PR: #16278
Fixes: #16258

@briandevans @claude @teknium1
test(sms): use clear=True in test_missing_phone_number_is_non_retryable
5d882e3 
Prevents pre-existing TWILIO_PHONE_NUMBER or SMS_WEBHOOK_URL values in
the outer test environment from leaking into the assertion context.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@teknium1 teknium1 merged commit ce22301 into main May 4, 2026
7 of 10 checks passed
@teknium1 teknium1 deleted the hermes/hermes-8c54fd4a branch May 4, 2026 12:25
@teknium1 teknium1 mentioned this pull request May 4, 2026
Closed
4 tasks
@alt-glitch alt-glitch added type/security Security vulnerability or hardening comp/gateway Gateway runner, session dispatch, delivery platform/sms SMS (Twilio) adapter P2 Medium — degraded but workaround exists labels May 4, 2026
This was referenced May 4, 2026
Open
Open
@egilewski egilewski mentioned this pull request May 30, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

comp/gateway Gateway runner, session dispatch, delivery P2 Medium — degraded but workaround exists platform/sms SMS (Twilio) adapter type/security Security vulnerability or hardening

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SMS gateway: bind to 127.0.0.1 by default, fix retry-after-giving-up loop

3 participants

@teknium1 @alt-glitch @briandevans