security(whatsapp): deny unknown senders when WHATSAPP_ALLOWED_USERS is empty (#8389)

[draix]

Summary

matchesAllowedUser() in scripts/whatsapp-bridge/allowlist.js returned true when the allowlist was empty, allowing any sender to trigger the agent in bot mode. This is a medium-high severity issue: anyone who messages the bot owner's WhatsApp number could interact with their Hermes agent.

Root cause

// BEFORE (vulnerable)
if (!allowedUsers || allowedUsers.size === 0) {
    return true;  // ← empty allowlist = allow everyone
}

Fix

// AFTER (secure)
if (!allowedUsers || allowedUsers.size === 0) {
    return false;  // empty allowlist = deny unknown senders
}

Impact on self-chat mode

None. In self-chat mode the bridge already filters to fromMe=true messages before calling matchesAllowedUser. Third-party senders never reach the allowlist check in self-chat, so this change does not affect the default configuration.

What you need to do

If you are running in bot mode (WHATSAPP_MODE=bot) without WHATSAPP_ALLOWED_USERS set, you now need to configure who can use the bot:

# Allow specific users
WHATSAPP_ALLOWED_USERS=+15551234567,+15559876543

# Allow everyone (opt-in)
WHATSAPP_ALLOW_ALL_USERS=true

A clear warning is now logged at startup when bot mode is active and no allowlist is configured.

Additional improvements

• Better startup log: distinguishes self-chat vs bot mode and warns specifically when bot mode has no allowlist
• gateway/run.py: extra warning when WhatsApp is in bot mode with no allowlist configured

Testing

14 new tests in tests/test_whatsapp_allowlist_security.py covering:

• Empty/None/whitespace allowlist → deny (TestEmptyAllowlistDenies)
• Correct allowlist matching with E.164, LID, JID normalization (TestAllowlistMatchesCorrectly, TestAllowlistNormalization)
• Self-chat mode behavior is unaffected (TestSelfChatModeIsUnaffected)

Fixes #8389

[alt-glitch]

Note: #8431 is a duplicate PR fixing the same issue (#8389).

[draix]

Cerrando este PR como superseded por #21291 (mergeado el 2026-05-07), que también cierra #8389 e implementa el mismo fix sobre scripts/whatsapp-bridge/allowlist.js + bridge.js.

Notas para futuro tracking:

• Mismo root cause: matchesAllowedUser() retornaba true con allowlist vacía → bot respondía a strangers.
• Mismo fix de defaults: empty allowlist = deny.
• fix(whatsapp): reject strangers by default, never respond in self-chat (#8389) #21291 va más lejos cubriendo también el self-chat path en bridge.js y agregando tests JS (allowlist.test.mjs); el surface de tests Python que aporté acá ya no es necesario.
• @alt-glitch ya había marcado la duplicación con fix(whatsapp/bridge): #8389 patch critical authorization bypass in self-chat mode  #8431, gracias por el heads-up.

Sin acción pendiente — cierro y limpio el branch.