Add WhatsApp Business Integration#166

Merged: sumitramanga merged 9 commits into master from sm/whatsapp-integration on Feb 13, 2026
Conversation


@sumitramanga sumitramanga commented Feb 11, 2026

Description 📝

  • Purpose: Add WhatsApp Business API integration to enable automated messaging capabilities through Autohive workflows
  • Approach: Implements a complete integration using Meta's Graph API v18.0 with support for text messages, template messages, media sharing, and phone number health monitoring

Type of change

  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Updates
👉 Added WhatsApp Business integration with 4 core actions: send_message, send_template_message, send_media_message, and get_phone_number_health
👉 Implemented phone number validation using E.164 format and proper error handling for API failures
👉 Created test suite with validation for message sending, template functionality, media handling, and phone number health checks

Screenshots 📷

Agent chat: [screenshot]

Results in WhatsApp: [screenshot]

Test plan 🧪

Provide guidance for how to QA your proposed changes. This is not only for a test but also useful for a reviewer.

  1. Setup Testing Environment:

    • Configure WhatsApp Business Account through Meta Business Manager
    • Generate access token with required permissions (whatsapp_business_messaging, whatsapp_business_management)
    • Update test constants in whatsapp/tests/test_whatsapp.py with valid credentials
  2. Test Message Sending:

    • Run python tests/test_whatsapp.py test_send_message to verify basic text messaging
    • Verify message delivery to test phone number
    • Check error handling for invalid phone numbers
  3. Test Template Messages:

    • Run python tests/test_whatsapp.py test_send_template_message with approved template
    • Verify template parameter substitution works correctly
    • Test with different language codes
  4. Test Media Messages:

    • Run python tests/test_whatsapp.py test_send_media_message to test image sending
    • Test different media types (document, audio, video) with valid URLs
    • Verify caption and filename handling
  5. Test Phone Number Health:

    • Run python tests/test_whatsapp.py test_get_phone_number_health
    • Verify status and quality rating retrieval
  6. Test Validation:

    • Run python tests/test_whatsapp.py test_phone_validation
    • Verify proper rejection of invalid phone number formats

Author(s) to check 👓

  • Project and all contained modules builds successfully
  • Self-/dev-tested
  • Unit/UI/Automation/Integration tests provided where applicable
  • Code is written to standards
  • Appropriate documentation written (code comments, internal docs)

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3cb787af98

@sumitramanga sumitramanga changed the title Add WhatsApp Business API Integration Add WhatsApp Business Integration Feb 11, 2026
@phillip-haydon (Contributor) commented:

🤖 Automated Code Review - WhatsApp Business Integration

📊 Review Summary

Overall Assessment: The WhatsApp Business integration is well-structured and follows Autohive integration patterns. However, 1 High Severity security issue and 2 High Severity general issues require attention before merging.

Reviewers: General Code Review, Security Review, Performance Review, Memory Review


🔴 High Priority Issues

[P0] Path Traversal Vulnerability in phone_number_id Parameter

File: whatsapp/whatsapp.py (Lines 56, 117, 184, 228)
Type: Security - Improper Input Validation (CWE-20)

The phone_number_id parameter is used directly in URL construction without validation, allowing potential path traversal attacks.

Vulnerable Code:

response = await context.fetch(
    f"https://graph.facebook.com/v18.0/{phone_number_id}/messages",
    ...
)

Attack Scenario:

  • Input: phone_number_id = "me" → URL becomes /v18.0/me/messages (accesses token owner's personal messages)
  • Input: phone_number_id = "12345/messages?limit=100&" → URL manipulation

Fix:

if not phone_number_id.isdigit():
    return ActionResult(data={
        "success": False,
        "error": "Invalid phone_number_id. Must contain only digits."
    })

[P0] Credential Extraction Leaks Auth Structure

File: whatsapp/whatsapp.py (Line 12)
Type: Information Disclosure

The error message in get_whatsapp_creds() exposes internal auth payload structure:

Current Code:

if not access_token:
    keys = list(auth.keys())
    raise ValueError(f"Missing access_token in auth context. Available keys: {keys}")

Issue: Logs/errors can disclose auth field names and structure.

Fix:

if not access_token:
    raise ValueError("Missing access_token in auth context")

[P0] Output Schema Violation - Required message_id on Failure

File: whatsapp/config.json
Type: Schema Design Issue

All send actions mark message_id as required in output schema, but code returns empty string "" on failure.

Impact: Downstream systems may treat empty string as valid ID; schema doesn't match semantic contract.

Fix: Remove message_id from required fields in config.json, or return null instead of "" on failure.


🟡 Medium Priority Issues

[P1] Weak Media URL Validation

File: whatsapp/whatsapp.py (Line 27)

Current:

def validate_media_url(url: str) -> bool:
    return url.startswith("https://")

Issue: Accepts malformed URLs like "https://" with no host.

Fix:

from urllib.parse import urlparse

def validate_media_url(url: str) -> bool:
    try:
        u = urlparse(url)
        return u.scheme == "https" and bool(u.netloc)
    except Exception:
        return False

[P1] Insufficient Error Handling for Non-JSON Responses

File: whatsapp/whatsapp.py (Lines 44, 100, 166, 228)

Code assumes context.fetch() always returns a dict without handling HTTP error status patterns explicitly.

Impact: Non-dict responses or HTTP errors may result in confusing "Unknown error" messages.

Fix: Add explicit error handling for HTTP status codes and non-JSON responses.


[P2] Tests Don't Fail CI Reliably

File: whatsapp/tests/test_whatsapp.py

Tests catch all exceptions and print them instead of failing:

try:
    # test code
except Exception as e:
    print(f"Error: {e}")

Impact: CI will pass even when integration is broken.

Fix: Convert to proper unit tests with mocking and remove broad try/except blocks.


🟢 Low Priority Issues

[P3] README Examples Missing Required phone_number_id

File: whatsapp/README.md

README examples omit the required phone_number_id parameter that's defined in config.json.

Fix: Update all examples to include phone_number_id.


[P3] Missing Trailing Newlines

Files: README.md, config.json, tests/context.py

Fix: Add trailing newline to affected files.


[P3] Potential Information Leakage in Generic Exception Handling

File: whatsapp/whatsapp.py (Lines 93, 154, 213, 247)

Generic except Exception as e returns str(e) which could leak internal details.

Fix: Log full exception internally, return sanitized user-friendly message.


✅ Positive Findings

Performance ⚡

  • Single API call per action - Optimal efficiency
  • Fail-fast validation - Validates inputs before network requests
  • Proper async/await usage - All I/O operations are non-blocking
  • Selective field retrieval - Uses fields parameter to minimize payload size

Memory Management 💾

  • Stateless handlers - No instance state accumulation
  • Request-scoped allocations - All objects are GC-eligible after request
  • SDK-managed resources - HTTP connections properly handled
  • No memory leaks detected

Code Quality 📝

  • Follows Autohive integration patterns
  • Clean separation of concerns
  • Comprehensive action coverage

📋 Overall Correctness Verdict

Patch is INCORRECT - The High Severity security vulnerability (path traversal via phone_number_id) and schema violation issues must be fixed before merging.

Confidence Score: 0.95


🎯 Recommended Actions

  1. MUST FIX (P0):

    • Add digit-only validation for phone_number_id
    • Remove auth structure from error messages
    • Fix output schema for message_id (make optional or return null on failure)
  2. SHOULD FIX (P1):

    • Improve media URL validation with proper parsing
    • Add explicit HTTP error handling
    • Convert tests to proper unit tests with mocking
  3. NICE TO HAVE (P2-P3):

    • Update README examples with all required parameters
    • Add trailing newlines to files
    • Sanitize exception messages

This is an automated review from Mrs. Reviewer in Autohive. The review was conducted by specialized AI agents focusing on general code quality, security, performance, and memory management.
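A hardened version of the validation and error handling the review above asks for, written here as an added example and not the PR's own code. `GRAPH_BASE` matches the URL quoted in the review, the E.164 pattern follows the PR description, and `parse_send_response` assumes a Graph-style response body (a hypothetical shape for the example). It goes one step beyond the quoted `isdigit()` fix: an ASCII-only pattern is used, because `str.isdigit()` also accepts Unicode digits.

```python
import logging
import re
from urllib.parse import urlparse

# Added example, not the PR's code; GRAPH_BASE matches the URL quoted in the review.
GRAPH_BASE = "https://graph.facebook.com/v18.0"
log = logging.getLogger("whatsapp")
# ASCII digits only: str.isdigit() (the fix quoted above) also accepts Unicode digits such as "٣" or "²".
_PHONE_NUMBER_ID_RE = re.compile(r"[0-9]{1,32}")
_E164_RE = re.compile(r"\+[1-9][0-9]{1,14}")  # "+" then up to 15 digits, no leading zero

def validate_phone_number_id(phone_number_id) -> bool:
    return isinstance(phone_number_id, str) and _PHONE_NUMBER_ID_RE.fullmatch(phone_number_id) is not None

def validate_e164(number) -> bool:
    return isinstance(number, str) and _E164_RE.fullmatch(number) is not None

def validate_media_url(url) -> bool:
    """Require an https scheme and a real host, so a bare "https://" is rejected."""
    if not isinstance(url, str):
        return False
    try:
        u = urlparse(url)  # raises ValueError on malformed IPv6 literals
    except ValueError:
        return False
    return u.scheme == "https" and bool(u.hostname)

def build_messages_url(phone_number_id: str) -> str:
    """Validate before interpolating: "me" or "12345/messages?limit=100&" never reach the path."""
    if not validate_phone_number_id(phone_number_id):
        raise ValueError("Invalid phone_number_id. Must contain only digits.")
    return f"{GRAPH_BASE}/{phone_number_id}/messages"

def failure_result(exc: Exception, public_message: str) -> dict:
    """Log the full exception internally; callers get a fixed message and message_id=None, not ""."""
    log.error("WhatsApp action failed: %r", exc)
    return {"success": False, "message_id": None, "error": public_message}

def parse_send_response(resp) -> dict:
    """Handle non-dict transport results and Graph-style {"error": {...}} bodies explicitly."""
    if not isinstance(resp, dict):
        return failure_result(TypeError(type(resp).__name__), "Unexpected response from WhatsApp API")
    if "error" in resp:
        return failure_result(RuntimeError(str(resp["error"])), "WhatsApp API rejected the request")
    messages = resp.get("messages") or []
    message_id = messages[0].get("id") if messages and isinstance(messages[0], dict) else None
    if not message_id:
        return failure_result(ValueError("no message id in response"), "WhatsApp API returned no message id")
    return {"success": True, "message_id": message_id, "error": None}
```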

@TheRealAgentK TheRealAgentK left a comment

Some comments from classic review.

Comment thread whatsapp/icon.png
@sumitramanga and I talked about the icon situation. This is a temporary solution until design is back.

@TheRealAgentK
Re the philbot comments, this is what I'd suggest:

The first two P0s are valid and should be addressed from a sec point of view.
The 3rd P0 is a semantic comment and probably also a good idea to clean that one up.

The two P1s, I would look at, too.
The P2, ignore.
The first P3, check if that's actually missing or a hallucination, but if it is missing, please fix.
The other P3s, ignore.

@TheRealAgentK TheRealAgentK left a comment

I think this looks good now, @sumitramanga

@TheRealAgentK TheRealAgentK mentioned this pull request Feb 12, 2026
@sumitramanga sumitramanga merged commit 4963833 into master Feb 13, 2026
1 check passed
@sumitramanga sumitramanga deleted the sm/whatsapp-integration branch February 13, 2026 02:05