Skip to content

Add Alexa skill integration and preserve env vars #52

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
claudio-pi merged 15 commits into from
Feb 11, 2026
Merged

Add Alexa skill integration and preserve env vars #52

claudio-pi merged 15 commits into from
Feb 11, 2026
+489 −21

Conversation

@claudio-pi
Copy link
Collaborator

@claudio-pi claudio-pi commented Feb 9, 2026

Summary

  • Adds Alexa skill integration as a voice-to-Telegram relay (/alexa endpoint)
  • Alexa requests are validated (cert chain, timestamp, skill ID) before relaying as synthetic Telegram webhooks
  • Fixes claudio_save_env silently deleting unmanaged env vars (like HASS_TOKEN, ALEXA_SKILL_ID)

Security review (CISO)

  • Signature verification uses cryptography lib when available
  • Cert URL validated against Amazon's expected pattern
  • Timestamp checked within 150s tolerance
  • Skill ID whitelisted via env var

Test plan

  • Invoke Alexa skill, verify message arrives in Telegram
  • Verify multi-turn Alexa session (say two things, then "no")
  • Change model via /model command, verify HASS_TOKEN and ALEXA_SKILL_ID survive in service.env
  • Test without cryptography installed — verify fallback validation works
  • Verify /alexa rejects requests with invalid/missing skill ID

@gemini-code-assist
Copy link

gemini-code-assist bot commented Feb 9, 2026

Summary of Changes

Hello @claudio-pi, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the application by adding a new Alexa skill integration, enabling users to send messages to Telegram via voice commands. It includes robust security validations for incoming Alexa requests to ensure authenticity and integrity. Additionally, a critical fix was implemented to prevent the unintended deletion of unmanaged environment variables, improving the stability and configurability of the system.

Highlights

  • Alexa Skill Integration: Introduced a new '/alexa' endpoint to integrate with Alexa skills, allowing voice commands to be relayed as messages to Telegram.
  • Robust Alexa Request Validation: Implemented comprehensive security measures for Alexa requests, including certificate chain validation, timestamp checks, and whitelisting of Alexa Skill IDs. This validation gracefully falls back to basic checks if the 'cryptography' library is not available.
  • Environment Variable Preservation: Fixed an issue in 'claudio_save_env' where unmanaged environment variables (like 'HASS_TOKEN' or 'ALEXA_SKILL_ID') were inadvertently deleted. The system now correctly preserves these variables across configuration saves.
Changelog
  • lib/config.sh
    • Modified 'claudio_save_env' to identify and preserve unmanaged environment variables (e.g., 'HASS_TOKEN', 'ALEXA_SKILL_ID') by collecting them before overwriting the environment file and re-adding them.
    • Introduced a 'managed_keys' array to explicitly list environment variables that are managed by the system.
  • lib/server.py
    • Added necessary imports for 'base64', 'hashlib', 'datetime', 'timezone', and conditional imports for 'cryptography' library components.
    • Introduced 'ALEXA_SKILL_ID' as a new environment variable.
    • Refactored request body reading into a new '_read_body' helper method.
    • Implemented a new '/alexa' endpoint within 'do_POST' to handle Alexa skill requests.
    • Developed '_handle_alexa' to process various Alexa request types ('LaunchRequest', 'SessionEndedRequest', 'IntentRequest'), including built-in intents and a custom 'SendMessageIntent'.
    • Integrated '_verify_alexa_request' for comprehensive Alexa request validation, covering certificate chain, timestamp, and skill ID checks.
    • Added '_respond_alexa' to format and send Alexa-compatible JSON responses, including support for Spanish phrases.
    • Created '_enqueue_alexa_message' to convert Alexa voice messages into synthetic Telegram webhook bodies for processing.
    • Implemented '_verify_alexa_request' with logic for validating Alexa's 'SignatureCertChainUrl', 'Signature', and request timestamp, with a fallback if 'cryptography' is not installed.
    • Introduced '_alexa_cert_cache' and '_ALEXA_CERT_CACHE_TTL' for caching Alexa signing certificates.
    • Added '_verify_alexa_signature' for full cryptographic verification of Alexa request signatures, including SAN validation of the certificate.
  • lib/telegram.sh
    • Enhanced 'telegram_send_message' with an additional retry mechanism: if sending a message fails after the markdown fallback, it will now attempt to send without 'reply_to_message_id' to accommodate synthetic message IDs (e.g., from Alexa).
Activity
  • No human activity (comments, reviews, etc.) has been recorded on this pull request yet.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 9, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a significant new feature, Alexa skill integration, and also fixes a bug related to preserving environment variables. All identified issues, including a critical security flaw where signature verification is bypassed if the cryptography library is missing, and logging of sensitive information (full request bodies, PII, and potentially sensitive headers) within the new Alexa endpoint, remain paramount concerns. Additionally, suggestions for improving code quality and consistency in lib/server.py, such as simplifying header access and modernizing string formatting for logs, are still relevant.

@claudio-pi claudio-pi marked this pull request as draft February 9, 2026 06:22
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Feb 9, 2026
View reviewed changes
Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 3 files

Confidence score: 1/5

  • Critical auth bypass in lib/server.py: when cryptography is missing, signature verification returns True, allowing spoofed Alexa requests
  • Several user-impacting issues (missing TELEGRAM_CHAT_ID causing crashes, logging full request bodies leaking PII) make this a high-risk merge despite limited file scope
  • Pay close attention to lib/server.py - authentication fallback, config guarding, and sensitive logging
Prompt for AI agents (all issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="lib/server.py">

<violation number="1" location="lib/server.py:261">
P2: Logging the full Alexa request body exposes PII and sensitive user data to the logs. This can lead to data leakage and should be removed or limited to non-sensitive fields only.</violation>

<violation number="2" location="lib/server.py:361">
P1: `int(TELEGRAM_CHAT_ID)` will raise `ValueError` if `TELEGRAM_CHAT_ID` is not set (empty string default). Add a guard at the start of `_handle_alexa` or `_enqueue_alexa_message` to reject early when `TELEGRAM_CHAT_ID` is unconfigured.</violation>

<violation number="3" location="lib/server.py:428">
P0: Critical authentication bypass: When the `cryptography` library is not installed, this returns `True`, effectively skipping signature verification for Alexa requests. An attacker could spoof Alexa requests by simply providing a valid-looking Amazon certificate URL and a recent timestamp. The application should fail securely by returning `False` if proper verification cannot be performed.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@edgarjs
Copy link
Owner

edgarjs commented Feb 9, 2026

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 9, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces Alexa skill integration. A critical security vulnerability exists in the Alexa endpoint's request validation: signature verification is silently bypassed if the cryptography library is not installed, which is the default. This allows unauthorized attackers to send messages and potentially execute arbitrary commands via LLM tools. It is strongly recommended to make signature verification mandatory and update installation scripts to include the necessary dependencies, removing the insecure fallback. Additionally, there are important suggestions to enhance the robustness and security of the Alexa request validation logic, including proper header handling, consistent import usage, and comprehensive certificate validity checks.

@claudio-pi
Copy link
Collaborator Author

claudio-pi commented Feb 10, 2026

All review comments addressed in 99ccaa7:

  • P0 auth bypass: _verify_alexa_request now returns False when cryptography is missing (fail-secure)
  • PII logging: Removed full request body log, replaced response log with metadata only, removed raw header dump
  • TELEGRAM_CHAT_ID guard: Early return in _enqueue_alexa_message when unconfigured
  • Certificate validation: Added expiry check (not_valid_before_utc/not_valid_after_utc)
  • Signature header: Only accepts Signature-256 now (dropped deprecated SHA-1 fallback)
  • Code cleanup: Removed redundant header fallbacks, local urllib.parse import, unused hashlib import

Tests pass (9/9).

@claudio-pi
Copy link
Collaborator Author

claudio-pi commented Feb 10, 2026

All review comments addressed in 99ccaa7. P0 auth bypass fixed (fail-secure), PII logging removed, TELEGRAM_CHAT_ID guard added, cert expiry validation added, deprecated SHA-1 header dropped, code cleanup done. Tests pass (9/9).

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Feb 10, 2026
View reviewed changes
Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (all issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="lib/server.py">

<violation number="1" location="lib/server.py:104">
P2: Calling the webhook handler without a timeout can leave the per-chat queue thread blocked forever if Claude hangs. This will stall all later messages for that chat and can prevent graceful shutdown. Reintroduce a bounded timeout and timeout cleanup logic.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@edgarjs
Copy link
Owner

edgarjs commented Feb 10, 2026

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 10, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces Alexa skill integration, allowing voice commands to be relayed to Claude Code via Telegram. It also includes a fix for preserving unmanaged environment variables during configuration saves. The new Alexa endpoint incorporates robust security measures, including signature verification, certificate chain validation, and timestamp checks. The changes enhance the system's functionality and security posture, with clear documentation for the new feature and its associated risks.

@claudio-pi
Add Alexa skill integration as voice-to-Telegram relay
ed56ddd 
Alexa requests are received at /alexa, validated (cert chain, timestamp,
skill ID), and relayed as synthetic Telegram webhooks. Includes full
cryptographic signature verification when the cryptography library is
available, with graceful degradation to header+timestamp checks.

Also adds a progressive fallback in telegram_send_message: if reply_to
fails (e.g. for synthetic Alexa message IDs), retries without it.
@claudio-pi
Document Alexa integration with security warnings and setup guide
f426128 
Add critical security warning in the CAUTION section explaining the
higher risk profile of the Alexa integration vs Telegram-only setup.
Add full Alexa section under Customization with how-it-works flow,
step-by-step setup instructions, and security considerations.
Add ALEXA_SKILL_ID to the environment variables reference.
@claudio-pi
Address review feedback: fix auth bypass, remove PII logging, harden …
37d0c06 
…cert validation

- Return False when cryptography library is missing instead of bypassing
  signature verification (P0 security fix)
- Remove full request/response body logging to prevent PII leakage
- Add TELEGRAM_CHAT_ID guard in _enqueue_alexa_message
- Validate certificate expiry before caching
- Use only Signature-256 header (SHA-256), drop deprecated SHA-1 fallback
- Use top-level urllib.parse instead of local import
- Remove unused hashlib import
- Replace raw header dump with safe presence-only log
@claudio-pi
Format Alexa message with italics in code instead of relying on model…
a9720a9 
… behavior

The Alexa voice query prefix and quoting is now applied in
_enqueue_alexa_message so the formatting is deterministic.
@claudio-pi
Restore webhook handler timeout to prevent indefinite thread blocking
88e0364 
Reintroduces WEBHOOK_TIMEOUT (600s) on proc.communicate() that was
accidentally removed in 99ccaa7. Without it, a hung Claude process
blocks the per-chat queue thread forever. Now properly kills the
process group (SIGTERM then SIGKILL) on timeout.
@claudio-pi
Localize Alexa responses based on request locale
7b9d24c 
Extract request.locale from Alexa requests and use it to serve
responses in the user's language. Supports Spanish and English
with English as fallback for unsupported locales.
@claudio-pi
Consolidate Alexa docs into single section
031bf38
@claudio-pi
docs: clarify Alexa requirements — cryptography and ALEXA_SKILL_ID ar…
3417e5d 
…e required, not optional
@claudio-pi
Use English in Alexa examples in README
55d16da
@claudio-pi
docs: add NoIntent and English utterances to Alexa setup
52880d6
@claudio-pi
Buffer Alexa messages locally and flush as single transcript on sessi…
818e155 
…on end

Instead of sending each Alexa utterance as a separate webhook, buffer
messages per session and flush them as a single transcript when the user
says goodbye or the session times out. Includes expanded sample utterances
with carrier phrases to reduce Alexa catch-all escapes.
@claudio-pi
Remove standalone {message} utterance (requires carrier phrase)
63cfa80
@claudio-pi claudio-pi marked this pull request as ready for review February 10, 2026 22:53
@claudio-pi
Expand Alexa sample utterances for better catch-all coverage
e8b48fa 
Add carrier phrase variants in both Spanish and English to reduce
Alexa escaping to native intents. Covers action verbs, interrogatives,
continuations, and polite forms.
@claudio-pi
Add links to official Alexa utterance documentation in README
50cd3ee
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Feb 11, 2026
View reviewed changes
Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (all issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="lib/server.py">

<violation number="1" location="lib/server.py:431">
P2: Single-message Alexa transcripts are sent verbatim, so voice input that starts with a slash (e.g., "/opus") will now trigger Telegram slash commands. Keep a non-command prefix/formatting to avoid accidental or unauthorized command execution from Alexa.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@claudio-pi claudio-pi merged commit f64c4ac into main Feb 11, 2026
4 checks passed
@claudio-pi claudio-pi deleted the alexa-integration branch February 11, 2026 00:48
@gemini-code-assist gemini-code-assist bot mentioned this pull request Feb 11, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@edgarjs edgarjs edgarjs approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@claudio-pi @edgarjs