feat: enhance WhatsApp interface with new tools, security hardening, and tests

- Rewrite WhatsAppTools with 9 sync-only tools and enable/disable flags
- Add send_reply_buttons, send_list_message, send_image, send_document,
  send_location, send_reaction, and mark_as_read tools
- Harden security: remove dev mode bypass, add replay protection (5-min window)
- Handle interactive replies, location, reaction, contacts, sticker messages
- Replace requests with httpx in utils
- Add Pydantic response models and operation IDs to router
- Add 48 unit tests covering tools, security, and router

Author: Mustafa-Esoofally

libs/agno/agno/os/interfaces/whatsapp/router.py

@@ -1,55 +1,44 @@
 import hashlib
 import hmac
 import os
+import time
 from typing import Optional
 
 from agno.utils.log import log_warning
 
 
-def is_development_mode() -> bool:
-    """Check if the application is running in development mode."""
-    return os.getenv("APP_ENV", "development").lower() == "development"
-
-
 def get_app_secret() -> str:
-    """
-    Get the WhatsApp app secret from environment variables.
-    In development mode, returns a dummy secret if WHATSAPP_APP_SECRET is not set.
-    """
     app_secret = os.getenv("WHATSAPP_APP_SECRET")
-
     if not app_secret:
-        raise ValueError("WHATSAPP_APP_SECRET environment variable is not set in production mode")
-
+        raise ValueError("WHATSAPP_APP_SECRET environment variable is not set")
     return app_secret
 
 
-def validate_webhook_signature(payload: bytes, signature_header: Optional[str]) -> bool:
-    """
-    Validate the webhook payload using SHA256 signature.
-    In development mode, signature validation can be bypassed.
+def validate_webhook_signature(
+    payload: bytes, signature_header: Optional[str], timestamp: Optional[int] = None
+) -> bool:
+    """Validate the webhook payload using SHA256 signature.
 
     Args:
         payload: The raw request payload bytes
         signature_header: The X-Hub-Signature-256 header value
+        timestamp: Optional Unix timestamp from the message for replay protection
 
     Returns:
-        bool: True if signature is valid or in development mode, False otherwise
+        bool: True if signature is valid and timestamp is within 5-minute window
     """
-    # In development mode, we can bypass signature validation
-    if is_development_mode():
-        log_warning("Bypassing signature validation in development mode")
-        return True
+    if timestamp is not None:
+        if abs(time.time() - timestamp) > 300:
+            log_warning("Rejecting webhook: timestamp too old (possible replay attack)")
+            return False
 
     if not signature_header or not signature_header.startswith("sha256="):
         return False
 
     app_secret = get_app_secret()
     expected_signature = signature_header.split("sha256=")[1]
 
-    # Calculate signature
     hmac_obj = hmac.new(app_secret.encode("utf-8"), payload, hashlib.sha256)
     calculated_signature = hmac_obj.hexdigest()
 
-    # Compare signatures using constant-time comparison
     return hmac.compare_digest(calculated_signature, expected_signature)