
17.0 #49

Open
arunrajiah wants to merge 19 commits into main from 17.0

Conversation

@arunrajiah
Owner

Summary

Related issue

Closes #

Type of change

  • Bug fix
  • New feature
  • Refactor / cleanup
  • Docs / config only

Checklist

  • My code follows the project's style guide (ruff format passes)
  • I ran ruff check with no errors
  • All XML files are well-formed
  • I have tested my changes manually
  • I have added / updated relevant documentation if needed

Screenshots (if UI change)

This release closes the issues reported on r/Odoo (jeconti's audit) and
is the recommended upgrade for everyone running 17.0.6.0.0 or earlier.

1. WhatsApp webhook now verifies Meta's X-Hub-Signature-256 (HMAC-SHA256
   of the raw body, keyed with the App Secret). Without a configured
   secret OR a valid signature, the endpoint returns 403. Closes the
   impersonation hole that let any internet attacker who guessed the
   webhook URL act as any linked WhatsApp user.

2. Telegram webhook secret is now mandatory. The Register-webhook action
   auto-generates a 32-byte URL-safe secret if one isn't set and registers
   it with Telegram. The endpoint rejects any request whose
   X-Telegram-Bot-Api-Secret-Token header doesn't match.

3. Confirmation callbacks are bound to a per-write nonce. Each staged
   write generates a fresh secrets.token_urlsafe(12) stored on the
   session row; the Yes/No payload carries it as confirm:yes:<nonce>
   and is verified in constant time before execution. Defends against
   prompt-injection that tries to swap the staged tool between staging
   and the user clicking Yes.

4. Magic-link tokens moved to a dedicated odoopilot.link.token model
   that stores SHA-256 digests only and consumes the row atomically
   on use. Hourly cron garbage-collects expired entries. Re-issuing
   a token for the same chat invalidates the previous one.

Migration: post-migration.py clears in-flight pending writes (pre-7.0
confirmations didn't carry a nonce) and removes legacy link-token
system parameters. Operators must re-register the Telegram webhook
once and paste their Meta App Secret into Settings.

Other changes:
- Tests: tests/test_security.py covers HMAC verify, nonce rotation,
  hashed token storage, and single-use consumption.
- ACL: new odoopilot.link.token row in ir.model.access.csv.
- Cron: ir_cron_gc_link_tokens runs hourly.
- Listing/README: removed all "vs competitor" / pricing-comparison
  framing per project direction; replaced with a Security model
  section and feature-only descriptions.

Version bumped 17.0.6.0.0 -> 17.0.7.0.0.
CI's ruff format --check step was failing on the 4 files added/modified
in 17.0.7.0.0. No behavioural change -- pure formatting.
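The three request checks in items 1 to 3 of the 17.0.7.0.0 notes above, as an added example; this is not OdooPilot's code. Assumed here rather than taken from the page: the session row is a plain dict, Meta's header is the documented `X-Hub-Signature-256: sha256=<hex>`, and Telegram's is `X-Telegram-Bot-Api-Secret-Token`. The function names are illustrative.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional, Tuple


def _ct_equal(a: str, b: str) -> bool:
    """Constant-time compare.  Encoding first keeps compare_digest from raising
    TypeError on a non-ASCII header an attacker chose to send."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


# --- 1. WhatsApp (Meta) webhook: X-Hub-Signature-256 -----------------------

def sign_meta_body(app_secret: str, raw_body: bytes) -> str:
    """The header value Meta sends: 'sha256=' + HMAC-SHA256(App Secret, raw body).
    Used here only to build a valid header for the example."""
    mac = hmac.new(app_secret.encode("utf-8"), raw_body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_meta_signature(app_secret: Optional[str], raw_body: bytes,
                          header: Optional[str]) -> bool:
    """Deny (the endpoint answers 403) unless a secret is configured AND the
    header is a valid MAC over the exact bytes received.  Re-serialising the
    parsed JSON changes whitespace and breaks the MAC, hence raw_body."""
    if not app_secret or not header or not header.startswith("sha256="):
        return False
    return _ct_equal(sign_meta_body(app_secret, raw_body), header)


# --- 2. Telegram webhook: X-Telegram-Bot-Api-Secret-Token ------------------

def new_telegram_secret() -> str:
    """32 random bytes as base64url: 43 chars from [A-Za-z0-9_-], the set
    Telegram's setWebhook accepts for secret_token."""
    return secrets.token_urlsafe(32)


def verify_telegram_secret(expected: Optional[str], header: Optional[str]) -> bool:
    if not expected or not header:
        return False
    return _ct_equal(expected, header)


# --- 3. Yes/No callbacks bound to a per-write nonce ------------------------

def stage_write(session: Dict[str, Any], tool: str, args: Dict[str, Any]) -> str:
    """Stage a write on the session row and return the payload that goes into
    the Yes button.  Staging again (e.g. a prompt injection that swaps the
    tool) mints a new nonce, so the Yes button the user already sees is dead."""
    nonce = secrets.token_urlsafe(12)
    session["pending"] = {"tool": tool, "args": args, "nonce": nonce}
    return f"confirm:yes:{nonce}"


def confirm_write(session: Dict[str, Any],
                  payload: str) -> Optional[Tuple[str, Dict[str, Any]]]:
    """Return (tool, args) to execute, or None when the callback is rejected.
    Malformed payloads are handled explicitly instead of falling through."""
    pending = session.get("pending")
    parts = payload.split(":", 2)  # expected ["confirm", "yes" | "no", nonce]
    if pending is None or len(parts) != 3 or parts[0] != "confirm":
        return None
    _, answer, nonce = parts
    if not _ct_equal(nonce, pending["nonce"]):
        return None                 # stale or forged button: nothing runs
    session["pending"] = None       # single use, whether the answer is yes or no
    if answer != "yes":
        return None
    return pending["tool"], pending["args"]
```

The one operational trap is in `verify_meta_signature`: the MAC must be computed over the bytes the framework received, before any JSON parsing, so the controller has to read the raw request body rather than the parsed params.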
github-actions bot added labels addon (Changes to the Odoo addon), docs (Documentation), xml (XML file changes), python (Python code changes) on Apr 27, 2026
Mirror of the same file on main: GitHub Security Advisories as
the preferred private channel, supported-version table, scope
definitions, and a one-paragraph threat model.
Mirror of main:8dfa511. Five additional findings surfaced after shipping
17.0.7.0.0:

1. Magic-link CSRF (High) — split GET (preview) / POST (consume) flow.
2. Identity hijack (High) — refuse to overwrite an existing different-user link.
3. Wildcard write-target hijack (High) — preflight resolves before staging.
4. Cost-amplification DoS (Medium) — rate limit + bounded worker pool.
5. Webhook delivery non-idempotency (Medium) — dedup table.

Regression tests for all five in tests/test_security.py.
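An added example, not the project's odoopilot.link.token or odoopilot.identity code, covering item 4 of the 17.0.7.0.0 notes (digest-only storage, atomic single-use consumption, expiry GC, re-issue invalidating the previous token) and findings 1 and 2 of the commit above (GET preview / POST consume, refusing to overwrite an existing link to a different user). Assumptions: time is passed in explicitly, an in-memory dict with a lock stands in for the model and its atomic UPDATE, `identities` is a dict chat_id -> user_id, and the POST route is CSRF-protected by Odoo's default `csrf=True` on `http.route`. All names are illustrative.

```python
import hashlib
import secrets
import threading
from typing import Dict, List, Optional, Tuple


class IdentityConflict(Exception):
    """The chat is already linked to a different Odoo user."""


class LinkTokenStore:
    """In-memory stand-in for a token model that stores SHA-256 digests only."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}      # sha256 hex digest -> row
        self._lock = threading.Lock()         # stands in for the DB's atomic UPDATE

    @staticmethod
    def _digest(raw: str) -> str:
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()

    def issue(self, chat_id: str, now: float, ttl: float = 600.0) -> str:
        """Mint a token; only its digest is stored.  Re-issuing for the same
        chat drops any earlier token, so at most one link is live per chat."""
        raw = secrets.token_urlsafe(32)
        with self._lock:
            stale = [d for d, r in self._rows.items() if r["chat_id"] == chat_id]
            for d in stale:
                del self._rows[d]
            self._rows[self._digest(raw)] = {"chat_id": chat_id,
                                             "expires_at": now + ttl}
        return raw                            # the only time the raw value exists

    def preview(self, raw: str, now: float) -> Optional[str]:
        """GET side: report which chat would be linked, change nothing."""
        row = self._rows.get(self._digest(raw))
        if row is None or row["expires_at"] <= now:
            return None
        return row["chat_id"]

    def consume(self, raw: str, now: float) -> Optional[str]:
        """POST side: remove the row and return its chat in one step, so two
        concurrent requests carrying the same token cannot both succeed."""
        with self._lock:
            row = self._rows.pop(self._digest(raw), None)
        if row is None or row["expires_at"] <= now:
            return None
        return row["chat_id"]

    def gc(self, now: float) -> int:
        """What an hourly cron does: drop expired rows, return how many."""
        with self._lock:
            dead = [d for d, r in self._rows.items() if r["expires_at"] <= now]
            for d in dead:
                del self._rows[d]
        return len(dead)

    def digests(self) -> List[str]:
        return list(self._rows)


def bind_identity(identities: Dict[str, int], chat_id: str, user_id: int) -> None:
    """Refuse to re-point a chat that is already linked to someone else."""
    existing = identities.get(chat_id)
    if existing is not None and existing != user_id:
        raise IdentityConflict(f"{chat_id} is already linked to user {existing}")
    identities[chat_id] = user_id


def handle_link_request(method: str, raw_token: str, user_id: int,
                        store: LinkTokenStore, identities: Dict[str, int],
                        now: float) -> Tuple[str, Optional[str]]:
    """GET only shows what will be linked (a link in an e-mail or chat can be
    fetched by anything that sees it); the state change lives behind POST."""
    if method == "GET":
        chat_id = store.preview(raw_token, now)
        return ("preview", chat_id) if chat_id else ("invalid", None)
    if method != "POST":
        return ("method_not_allowed", None)
    chat_id = store.consume(raw_token, now)   # burn first: no retries on conflict
    if chat_id is None:
        return ("invalid", None)
    try:
        bind_identity(identities, chat_id, user_id)
    except IdentityConflict:
        return ("conflict", chat_id)
    return ("linked", chat_id)
```

Consuming before the conflict check means a token clicked by the wrong user is spent rather than left usable; that is a deliberate deny-by-default trade-off, and the legitimate user simply requests a new link.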
…, hygiene

Mirror of main:fb9b624. Closes four lower-impact findings from the
post-17.0.7 internal review:

* Bot token scrub in services/telegram.py error logs.
* hmac.compare_digest for WhatsApp verify_token.
* Rename dispatch env -> sudo_env with trust-boundary docstrings.
* Defensive else+log for malformed callback payloads.

Regression tests in tests/test_security.py.
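Two of the hygiene items above (bot-token scrub in error logs, constant-time verify_token compare) as an added example; this is not the project's services/telegram.py. Assumptions: Telegram tokens take their documented `<bot id>:<secret>` shape and appear in API URLs as `/bot<token>/<method>`; Meta's verification handshake uses the documented `hub.mode`, `hub.verify_token` and `hub.challenge` query parameters; the sample URL is constructed and the token in it is not real.

```python
import hmac
import io
import logging
import re
from typing import Any, Dict, Optional

# An HTTP error that logs the request URL leaks the bot token, because the
# token is part of every Telegram API path.  Constructed sample, not a real token:
SAMPLE_URL = ("https://api.telegram.org/bot123456789:"
              "AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw/sendMessage")

_TOKEN_RE = re.compile(r"(\d{6,12}):([A-Za-z0-9_-]{30,})")


def scrub(text: str) -> str:
    """Keep the bot id (useful when debugging), drop the secret half."""
    return _TOKEN_RE.sub(lambda m: f"{m.group(1)}:[REDACTED]", text)


class BotTokenFilter(logging.Filter):
    """Redact tokens from the message, its %-args and the exception text
    before any handler formats the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: scrub(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(scrub(a) if isinstance(a, str) else a
                                for a in record.args)
        if record.exc_info and not record.exc_text:
            # Pre-format the traceback; Formatter.format() reuses exc_text as is.
            record.exc_text = scrub(
                logging.Formatter().formatException(record.exc_info))
        return True


def render_with_filter(msg: str, *args: Any,
                       exc: Optional[BaseException] = None) -> str:
    """Log through the filter into a buffer and return what a handler emits."""
    buf = io.StringIO()
    logger = logging.getLogger("odoopilot.example.telegram")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(BotTokenFilter())
    logger.error(msg, *args, exc_info=exc)
    handler.flush()
    return buf.getvalue()


def meta_verify_challenge(params: Dict[str, str],
                          expected_verify_token: Optional[str]) -> Optional[str]:
    """Meta's GET handshake.  The verify_token is a shared secret, so it gets
    the same constant-time compare as any other credential.  Returns the
    challenge to echo back, or None to answer 403."""
    if not expected_verify_token or params.get("hub.mode") != "subscribe":
        return None
    supplied = params.get("hub.verify_token", "")
    if not hmac.compare_digest(supplied.encode("utf-8"),
                               expected_verify_token.encode("utf-8")):
        return None
    return params.get("hub.challenge")
```

The filter goes on the logger that the HTTP client code uses, not on a handler, so it runs before propagation to root and before any third-party handler sees the record.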
Mirror of main:5c13d6f. Removes background/background-color and styled
<a> tags (both stripped by the sanitiser); uses plain URL text so the
auto-linker can emit clickable links.
Mirror of main:8e4828b. Adds Sponsor / Feedback / Bug Report / Security
links + quick-reference row to the in-Odoo Settings -> OdooPilot page.
Mirror of main:aa820c3. Reframes the listing, manifest and README around
the killer use case: your internal team uses Odoo without logging in to
Odoo. Adds a 'day in the life' section with employee scenarios, an
adoption-gap before/after table, and an explicit 'not for customers'
callout.
Mirror of main:2db091d. Bumps manifest to 17.0.10.0.0 and adds the
CHANGELOG entry covering: four-card community panel in Settings,
listing redesign for the App Store sanitiser, and the marketing
repositioning around 'your team uses Odoo without logging in to Odoo'.
…ter)

Mirror of main:ccd9840. Banner regenerated for the new pitch, bandit +
semgrep added to CI as advisory scanners, and a new listing-renderable
job catches regressions of the three patterns the App Store sanitiser
breaks (background, white text, styled <a>).
github-actions bot added the label ci (CI/workflow changes) on May 2, 2026
arunrajiah added 9 commits May 2, 2026 15:25
Mirror of main:f84664a. Adds the regenerated banner at the top, redraws
the architecture diagram for both channels, fixes the Quickstart for
auto-generated Telegram secret + mandatory WhatsApp App Secret, lists
the actual default LLM models from services/llm.py, expands Security
to cover every post-audit fix, replaces the stale roadmap with current
release status, and updates the sponsor block with the four GitHub links
that also appear in the in-Odoo settings panel.
Mirror of main:9de5126. Adds activity-summary computed fields on
odoopilot.identity (last_activity, message_count_7d, success_rate_7d)
read in batched read_group calls; rebuilds the Linked Users list view
with decoration, filters, group-bys and a smart-button form; rebuilds
the Audit Log view with failure-decoration, time/outcome/tool filters,
five group-bys, and a default 'last 7 days grouped by day' open. Seven
new regression tests in tests/test_admin_views.py.
Mirror of main:ac4bb65. CI triggers on *.0 branches; SECURITY.md table
lists 18.0 as Alpha; CHANGELOG header notes the branch split.
Mirror of main:8420571. Adds services/scope_guard.py (regex pre-filter
catching prompt extraction, jailbreaks, role hijacks, delimiter
injection, code-gen, creative content, off-topic compute) and hardens
SYSTEM_PROMPT with explicit scope rules and trust boundary. Disable
flag at odoopilot.scope_guard_enabled. Tests pin 22 legitimate queries
as pass-through and 32 attack strings as blocked.
Mirror of main:20613ae. Adds find_partner (read) plus 5 write tools
(clock_in/out, submit_expense, submit_timesheet, create_calendar_event)
all flowing through the existing preflight + nonce + audit pipeline.
Tool count: 13 -> 19. New tests/test_employee_tools.py with registry-
hygiene + preflight-validation coverage.
Mirror of main:fee1391. Hardens scope guard against Unicode + foreign-
language bypasses, rebinds employee_id to env.uid in submit_expense
and submit_timesheet, caps find_partner limit at 25, opportunistic GC
of empty rate-limiter buckets, asserts -> RuntimeErrors.
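A regex pre-filter in the shape described by the scope-guard commit and the Unicode/foreign-language hardening commit above, as an added example; this is not the project's services/scope_guard.py, and the rule list and test strings are my own illustrations rather than its 22 pass-through and 32 blocked cases. Assumed: the `enabled` flag stands in for the odoopilot.scope_guard_enabled parameter. The point the example makes is that normalisation runs once, before every rule, so each rule only has to match plain lowercase ASCII.

```python
import re
import unicodedata
from typing import List, Optional, Tuple

# Code points that render as nothing yet split a word for a naive regex
# (zero-width spaces/joiners, soft hyphen, bidi marks, BOM).
_INVISIBLE = dict.fromkeys([0x00AD, 0x200B, 0x200C, 0x200D, 0x200E, 0x200F,
                            0x2060, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
                            0xFEFF])


def normalize(text: str) -> str:
    """Collapse the cheap bypasses: fullwidth and styled letters (NFKC),
    hidden code points, accents (NFKD then drop combining marks), case and
    whitespace.  Every rule below matches against this form only."""
    t = unicodedata.normalize("NFKC", text).translate(_INVISIBLE)
    t = "".join(ch for ch in unicodedata.normalize("NFKD", t)
                if unicodedata.category(ch) != "Mn")
    return re.sub(r"\s+", " ", t.casefold()).strip()


# (rule name, pattern), evaluated in order; first hit wins.  Stems such as
# ignor\w* / instru\w* / anweisung\w* cover English, Spanish, French and
# German spellings once accents are gone.
_RULES: List[Tuple[str, str]] = [
    ("delimiter_injection",
     r"<\|?(system|im_start|im_end|endoftext)\|?>|^\s*(###\s*)?(system|assistant)\s*:"),
    ("prompt_extraction",
     r"\b(reveal|print|show|repeat|output|dump)\b.{0,40}"
     r"\b(system prompt|initial prompt|your (instructions|rules|prompt))\b"),
    ("jailbreak",
     r"\b(ignor\w*|disregard|forget)\b.{0,30}"
     r"\b(previous|prior|above|anterior\w*|precedent\w*|vorherig\w*)?\s*"
     r"(instru\w*|anweisung\w*|rules|regeln)\b"),
    ("role_hijack",
     r"\b(you are now|act as|pretend (to be|you are)|from now on,? you)\b"),
    ("code_generation",
     r"\b(write|generate|produce)\b.{0,30}\b(python|javascript|sql|bash|shell)\b"
     r".{0,20}\b(code|script|program|query)\b"),
    ("creative_content",
     r"\b(write|compose)\b.{0,30}\b(poem|song|story|haiku|rap|limerick)\b"),
    ("offtopic_compute",
     r"\b(solve|compute|calculate|integrate|differentiate)\b.{0,40}"
     r"\b(integral|derivative|equation|polynomial)\b"),
]
_COMPILED = [(name, re.compile(p, re.IGNORECASE | re.MULTILINE))
             for name, p in _RULES]


def scope_guard(text: str, enabled: bool = True) -> Optional[str]:
    """Return the name of the rule that blocks the message, or None to pass
    it on to the LLM.  A disabled guard passes everything."""
    if not enabled:
        return None
    t = normalize(text)
    for name, rx in _COMPILED:
        if rx.search(t):
            return name
    return None
```

Keep the pass-through cases in the test suite at least as numerous as the blocked ones: a regex guard earns its keep by never rejecting "show me the open invoices" while still catching the fullwidth, zero-width and accented spellings of "ignore previous instructions".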
Mirror of main. Updates README install + status + roadmap and
SECURITY.md supported-versions table to reflect that the 18 series
is live at apps.odoo.com/apps/modules/18.0/odoopilot.
