[codex] fix(gateway): default webhook listener to loopback#35206
Open
egilewski wants to merge 1 commit into
Open
[codex] fix(gateway): default webhook listener to loopback#35206egilewski wants to merge 1 commit into
egilewski wants to merge 1 commit into
Conversation
The generic webhook adapter defaulted to 0.0.0.0, so enabling the platform exposed configured routes on every interface unless operators noticed and overrode the bind address. Default to 127.0.0.1 so network exposure is explicit through platforms.webhook.extra.host. Preserve explicit public binds for deployments that intentionally expose the webhook listener behind a tunnel, proxy, or firewall. Also correct SMS docs to match its existing loopback default. Fixes NousResearch#4260.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
127.0.0.1platforms.webhook.extra.host: "0.0.0.0"Why
The webhook adapter previously defaulted to
0.0.0.0, so enabling the platform exposed configured webhook routes on every interface unless operators noticed and overrode the bind address. A loopback default makes direct network exposure an explicit deployment choice while still supporting tunnels, proxies, and intentionally public listeners.Maintainer History
After opening this PR, I found the earlier rejected PR #4267. That PR changed both the SMS and generic Webhook adapters to default to
127.0.0.1; the Webhook hunk in this PR is materially the same default-host change. Teknium closed #4267 because SMS and Webhook adapters are inbound receivers for external services, and localhost defaults can break the out-of-the-box use case unless users run a tunnel or reverse proxy.There is also later history in the other direction for SMS specifically: #19745 merged the SMS adapter default-host change to
127.0.0.1, preservingSMS_WEBHOOK_HOST=0.0.0.0as the opt-in public-bind override. That later merged change covers SMS only. I did not find an equivalent later merged change for the generic Webhook adapter.Given that history, this PR is intentionally explicit about the tradeoff: it asks whether the later SMS decision should also apply to the generic Webhook adapter, but it may still be rejected if maintainers consider #4267's Webhook rationale unchanged.
Fixes #4260.
Validation
git diff --check HEAD~1 HEAD/home/mac/hermes-agent/.venv/bin/python -m py_compile gateway/platforms/webhook.py gateway/platforms/sms.py tests/gateway/test_webhook_adapter.py tests/gateway/test_sms.py tests/gateway/test_bluebubbles.py127.0.0.1and explicit0.0.0.0is preservedcoderabbit review --agent --type committedreported 0 findingsFocused pytest collection for the webhook/SMS tests is blocked in this local venv because
aiohttpis not installed.