Add Alexa skill integration and preserve env vars

[claudio-pi]

Summary

• Adds Alexa skill integration as a voice-to-Telegram relay (/alexa endpoint)
• Alexa requests are validated (cert chain, timestamp, skill ID) before relaying as synthetic Telegram webhooks
• Fixes claudio_save_env silently deleting unmanaged env vars (like HASS_TOKEN, ALEXA_SKILL_ID)

Security review (CISO)

• Signature verification uses cryptography lib when available
• Cert URL validated against Amazon's expected pattern
• Timestamp checked within 150s tolerance
• Skill ID whitelisted via env var

Test plan

• Invoke Alexa skill, verify message arrives in Telegram
• Verify multi-turn Alexa session (say two things, then "no")
• Change model via /model command, verify HASS_TOKEN and ALEXA_SKILL_ID survive in service.env
• Test without cryptography installed — verify fallback validation works
• Verify /alexa rejects requests with invalid/missing skill ID

[gemini-code-assist]

Summary of Changes

Hello @claudio-pi, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the application by adding a new Alexa skill integration, enabling users to send messages to Telegram via voice commands. It includes robust security validations for incoming Alexa requests to ensure authenticity and integrity. Additionally, a critical fix was implemented to prevent the unintended deletion of unmanaged environment variables, improving the stability and configurability of the system.

Highlights

• Alexa Skill Integration: Introduced a new '/alexa' endpoint to integrate with Alexa skills, allowing voice commands to be relayed as messages to Telegram.
• Robust Alexa Request Validation: Implemented comprehensive security measures for Alexa requests, including certificate chain validation, timestamp checks, and whitelisting of Alexa Skill IDs. This validation gracefully falls back to basic checks if the 'cryptography' library is not available.
• Environment Variable Preservation: Fixed an issue in 'claudio_save_env' where unmanaged environment variables (like 'HASS_TOKEN' or 'ALEXA_SKILL_ID') were inadvertently deleted. The system now correctly preserves these variables across configuration saves.

Changelog

• lib/config.sh
  • Modified 'claudio_save_env' to identify and preserve unmanaged environment variables (e.g., 'HASS_TOKEN', 'ALEXA_SKILL_ID') by collecting them before overwriting the environment file and re-adding them.
  • Introduced a 'managed_keys' array to explicitly list environment variables that are managed by the system.
• lib/server.py
  • Added necessary imports for 'base64', 'hashlib', 'datetime', 'timezone', and conditional imports for 'cryptography' library components.
  • Introduced 'ALEXA_SKILL_ID' as a new environment variable.
  • Refactored request body reading into a new '_read_body' helper method.
  • Implemented a new '/alexa' endpoint within 'do_POST' to handle Alexa skill requests.
  • Developed '_handle_alexa' to process various Alexa request types ('LaunchRequest', 'SessionEndedRequest', 'IntentRequest'), including built-in intents and a custom 'SendMessageIntent'.
  • Integrated '_verify_alexa_request' for comprehensive Alexa request validation, covering certificate chain, timestamp, and skill ID checks.
  • Added '_respond_alexa' to format and send Alexa-compatible JSON responses, including support for Spanish phrases.
  • Created '_enqueue_alexa_message' to convert Alexa voice messages into synthetic Telegram webhook bodies for processing.
  • Implemented '_verify_alexa_request' with logic for validating Alexa's 'SignatureCertChainUrl', 'Signature', and request timestamp, with a fallback if 'cryptography' is not installed.
  • Introduced '_alexa_cert_cache' and '_ALEXA_CERT_CACHE_TTL' for caching Alexa signing certificates.
  • Added '_verify_alexa_signature' for full cryptographic verification of Alexa request signatures, including SAN validation of the certificate.
• lib/telegram.sh
  • Enhanced 'telegram_send_message' with an additional retry mechanism: if sending a message fails after the markdown fallback, it will now attempt to send without 'reply_to_message_id' to accommodate synthetic message IDs (e.g., from Alexa).

Activity

• No human activity (comments, reviews, etc.) has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a significant new feature, Alexa skill integration, and also fixes a bug related to preserving environment variables. All identified issues, including a critical security flaw where signature verification is bypassed if the cryptography library is missing, and logging of sensitive information (full request bodies, PII, and potentially sensitive headers) within the new Alexa endpoint, remain paramount concerns. Additionally, suggestions for improving code quality and consistency in lib/server.py, such as simplifying header access and modernizing string formatting for logs, are still relevant.

[cubic-dev-ai]

3 issues found across 3 files

Confidence score: 1/5

• Critical auth bypass in lib/server.py: when cryptography is missing, signature verification returns True, allowing spoofed Alexa requests
• Several user-impacting issues (missing TELEGRAM_CHAT_ID causing crashes, logging full request bodies leaking PII) make this a high-risk merge despite limited file scope
• Pay close attention to lib/server.py - authentication fallback, config guarding, and sensitive logging

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="lib/server.py">

<violation number="1" location="lib/server.py:261">
P2: Logging the full Alexa request body exposes PII and sensitive user data to the logs. This can lead to data leakage and should be removed or limited to non-sensitive fields only.</violation>

<violation number="2" location="lib/server.py:361">
P1: `int(TELEGRAM_CHAT_ID)` will raise `ValueError` if `TELEGRAM_CHAT_ID` is not set (empty string default). Add a guard at the start of `_handle_alexa` or `_enqueue_alexa_message` to reject early when `TELEGRAM_CHAT_ID` is unconfigured.</violation>

<violation number="3" location="lib/server.py:428">
P0: Critical authentication bypass: When the `cryptography` library is not installed, this returns `True`, effectively skipping signature verification for Alexa requests. An attacker could spoof Alexa requests by simply providing a valid-looking Amazon certificate URL and a recent timestamp. The application should fail securely by returning `False` if proper verification cannot be performed.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[edgarjs]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces Alexa skill integration. A critical security vulnerability exists in the Alexa endpoint's request validation: signature verification is silently bypassed if the cryptography library is not installed, which is the default. This allows unauthorized attackers to send messages and potentially execute arbitrary commands via LLM tools. It is strongly recommended to make signature verification mandatory and update installation scripts to include the necessary dependencies, removing the insecure fallback. Additionally, there are important suggestions to enhance the robustness and security of the Alexa request validation logic, including proper header handling, consistent import usage, and comprehensive certificate validity checks.

[claudio-pi]

All review comments addressed in 99ccaa7:

• P0 auth bypass: _verify_alexa_request now returns False when cryptography is missing (fail-secure)
• PII logging: Removed full request body log, replaced response log with metadata only, removed raw header dump
• TELEGRAM_CHAT_ID guard: Early return in _enqueue_alexa_message when unconfigured
• Certificate validation: Added expiry check (not_valid_before_utc/not_valid_after_utc)
• Signature header: Only accepts Signature-256 now (dropped deprecated SHA-1 fallback)
• Code cleanup: Removed redundant header fallbacks, local urllib.parse import, unused hashlib import

Tests pass (9/9).

[claudio-pi]

All review comments addressed in 99ccaa7. P0 auth bypass fixed (fail-secure), PII logging removed, TELEGRAM_CHAT_ID guard added, cert expiry validation added, deprecated SHA-1 header dropped, code cleanup done. Tests pass (9/9).

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="lib/server.py">

<violation number="1" location="lib/server.py:104">
P2: Calling the webhook handler without a timeout can leave the per-chat queue thread blocked forever if Claude hangs. This will stall all later messages for that chat and can prevent graceful shutdown. Reintroduce a bounded timeout and timeout cleanup logic.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[edgarjs]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces Alexa skill integration, allowing voice commands to be relayed to Claude Code via Telegram. It also includes a fix for preserving unmanaged environment variables during configuration saves. The new Alexa endpoint incorporates robust security measures, including signature verification, certificate chain validation, and timestamp checks. The changes enhance the system's functionality and security posture, with clear documentation for the new feature and its associated risks.