- Add tests for buildGatewayAuthConfig with trusted-proxy mode
- Test all trusted-proxy options (userHeader, requiredHeaders, allowUsers)
- Test minimal trusted-proxy config (userHeader only)
- Test preserving allowTailscale when switching to trusted-proxy
- Test error when trustedProxy config missing
- Test dropping token/password when switching to trusted-proxy
- Add integration tests for interactive gateway prompting flow
- Test trusted-proxy with all options and with minimal options
Test coverage:
- 5 new tests in configure.gateway-auth.test.ts
- 2 new tests in configure.gateway.test.ts
All tests verify proper handling of the new trusted-proxy auth mode.
- Explain when to use and when not to use
- Configuration reference with examples
- Pomerium, Caddy, nginx, and Traefik setup guides
- Security checklist
- Troubleshooting guide
Closes #1560
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Test trusted-proxy mode flagged as critical
- Test missing trustedProxies finding
- Test missing userHeader finding
- Test empty allowUsers warning
- Fix env isolation for bind_no_auth test
Part of #1560
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Test valid request from trusted proxy
- Test rejection of untrusted source
- Test missing user header handling
- Test missing required headers
- Test user allowlist enforcement
- Test Pomerium-style headers
- Test whitespace trimming
Part of #1560
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add critical finding when trusted-proxy auth is enabled
- Flag missing trustedProxies configuration
- Flag missing userHeader configuration
- Warn when allowUsers is empty (allows any authenticated user)
Part of #1560
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Allow non-loopback bind with trusted-proxy auth mode
- Reject trusted-proxy + loopback combination (nonsensical)
- Require trustedProxies to be configured for trusted-proxy mode
Part of #1560
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- src/channels/dock.ts: core channel dock fallback
- src/auto-reply/reply/reply-routing.test.ts: test expectation
- docs/zh-CN/channels/telegram.md: Chinese docs reference
Comprehensive grep confirms no remaining Telegram-specific "first"
defaults after this commit.
In 2026.2.13, the combination of implicit reply threading (#14976) and
the existing Telegram default replyToMode="first" causes every bot
response in DMs to be sent as a native Telegram reply (quoted message
bubble), even for simple exchanges like "Hi" → "Hey".
This is a UX regression: prior to 2026.2.13, reply threading was less
consistent so the "first" default rarely produced visible quote bubbles
in DMs. Now that implicit threading works reliably, the default
effectively means every first message in a response gets quoted —
which feels noisy and unexpected in 1:1 conversations.
Changing the default to "off" restores the pre-2026.2.13 DM experience.
Users who want reply threading can still opt in via config:
channels.telegram.replyToMode: "first" | "all"
Tested by toggling replyToMode on a live 2026.2.13 instance:
- replyToMode="first" → every response quotes the user message
- replyToMode="off" → clean responses without quote bubbles
No test changes needed: existing tests explicitly set replyToMode
rather than relying on the default.
Add support for NVIDIA's API (https://integrate.api.nvidia.com/v1) with three models:
- nvidia/llama-3.1-nemotron-70b-instruct (default)
- nvidia/llama-3.3-70b-instruct
- nvidia/mistral-nemo-minitron-8b-8k-instruct
Users can configure via NVIDIA_API_KEY environment variable or auth profiles.
Co-authored-by: thesomewhatyou <162917831+thesomewhatyou@users.noreply.github.com>