
#22470: feat(wati): add WATI WhatsApp Business channel provider

by kenyeung128 open 2026-02-21 06:29
channel: bluebubbles size: XL
## Summary

Adds a new WATI (WhatsApp Business API) channel provider, following the same patterns as existing channels (Telegram, Signal, Line, etc.).

## What's included

**Core modules** (`src/wati/`):
- `api.ts` — shared HTTP client with Bearer auth
- `webhook.ts` — HTTP webhook server with GET verification and POST message handling
- `send.ts` — text and template message sending via WATI v3 API
- `probe.ts` — health check endpoint
- `monitor.ts` — lifecycle manager with graceful shutdown
- `accounts.ts` — multi-account resolution with env var fallback
- `types.ts` — shared type definitions

**Config** (`src/config/`):
- `types.wati.ts` — TypeScript types for WATI config
- Zod schemas in `zod-schema.providers-core.ts` with sensitive field registration and dmPolicy validation

**Channel plugins** (`src/channels/plugins/`):
- Onboarding wizard
- Phone-number normalization (E.164)
- Status issue detection (missing token, webhook URL, port conflicts)

**Registry integration**:
- Added to channel order, meta, aliases, dock, plugin-sdk exports, and runtime types

**Extension plugin** (`extensions/wati/`):
- Standalone plugin package with full `ChannelPlugin` implementation covering config, pairing, outbound, status, gateway, setup, security, groups, threading, messaging, and directory adapters

## Testing

- TypeScript compiles cleanly (zero errors)
- All 8455 tests pass (980 test files)
- ESLint passes with zero errors

<!-- greptile_comment -->

<h3>Greptile Summary</h3>

Adds a new WATI (WhatsApp Business API) channel provider following OpenClaw's established patterns. The implementation includes core modules (`api.ts`, `webhook.ts`, `send.ts`, `probe.ts`, `monitor.ts`, `accounts.ts`), configuration schemas with sensitive field registration, channel plugins (onboarding, normalization, status detection), and a complete extension plugin with full `ChannelPlugin` adapter coverage.

The code follows existing channel patterns (similar to Telegram, Signal, Line) and integrates cleanly into the registry, dock, and plugin-sdk exports. TypeScript compiles without errors and all 8455 tests pass.

## Critical Security Issue

The webhook implementation (`src/wati/webhook.ts`) accepts incoming POST requests without validating the `webhookSecret`, creating a **webhook forgery vulnerability**. While `webhookSecret` is defined in the config schema and passed through the monitor, it's never actually used to authenticate requests. This differs from Telegram's implementation which enforces `webhookSecret` validation (see `src/config/zod-schema.providers-core.ts:186-195` for Telegram's pattern).

**Impact**: Anyone who discovers the webhook endpoint URL can send forged messages that will be processed as legitimate WATI messages.

**Fix needed**:
1. Add `webhookSecret` validation in `handleIncoming()` to verify request signatures
2. Add Zod schema validation requiring `webhookSecret` when `webhookUrl` is configured (similar to Telegram's pattern)
3. Update webhook startup to reject when `webhookUrl` is set without `webhookSecret`

## Other Observations

- Multi-account support correctly handles token resolution with env var fallback for default account only
- Phone number normalization follows E.164 standard
- Status issue detection includes port conflict checking across accounts
- The bluebubbles test mock update correctly adds the `wati` channel stub to prevent type errors

<h3>Confidence Score: 2/5</h3>

- Not safe to merge due to critical webhook authentication vulnerability
- Score reflects a well-structured implementation that follows existing patterns, with clean code organization and passing tests. However, the webhook security vulnerability is critical: the implementation accepts unauthenticated webhook requests, allowing anyone who discovers the endpoint to send forged messages. This is a security regression compared to Telegram's implementation which enforces webhook secret validation. The issue affects all WATI webhook deployments and requires fixes before merge.
- Pay close attention to `src/wati/webhook.ts` (missing webhook authentication), `src/config/zod-schema.providers-core.ts` (missing webhookSecret validation), and `src/wati/monitor.ts` (webhook startup security checks)

<sub>Last reviewed commit: 41208e6</sub>

<!-- greptile_other_comments_section -->

<sub>(2/5) Greptile learns from your feedback when you react with thumbs up/down!</sub>

<!-- /greptile_comment -->
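
The review's "Fix needed" items 1 and 3 can be sketched as follows. This is an added example, not code from the PR or from OpenClaw. The page does not say how WATI conveys the secret, so the example assumes the sender signs the raw body with HMAC-SHA256 keyed by `webhookSecret` and sends the hex digest in a hypothetical `x-webhook-signature` header; `assertWebhookConfig`, `signBody`, `signatureMatches` and `handleIncomingAuthenticated` are illustrative names.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Only webhookUrl and webhookSecret are names from the PR; everything else is hypothetical.
interface WatiWebhookConfig {
  webhookUrl?: string;
  webhookSecret?: string;
}
const SIGNATURE_HEADER = "x-webhook-signature"; // assumed header name, not taken from WATI docs

// Startup guard: a reachable webhook URL without a secret is a configuration error.
function assertWebhookConfig(cfg: WatiWebhookConfig): void {
  if (cfg.webhookUrl && !cfg.webhookSecret) {
    throw new Error("webhookUrl is set but webhookSecret is missing");
  }
}

// Hex HMAC-SHA256 of the raw request body, keyed with the shared secret.
function signBody(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

// Constant-time comparison; timingSafeEqual throws on unequal lengths, so check first.
function signatureMatches(received: string | undefined, expected: string): boolean {
  if (!received) return false;
  const a = Buffer.from(received.trim().toLowerCase(), "utf8");
  const b = Buffer.from(expected, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Authenticate first, parse second: unauthenticated bytes never reach JSON.parse
// or the message pipeline. Returns the HTTP status the server should send.
function handleIncomingAuthenticated(
  cfg: WatiWebhookConfig,
  headers: Record<string, string | undefined>,
  rawBody: string,
): { status: number; message?: unknown } {
  if (!cfg.webhookSecret) return { status: 503 }; // fail closed when no secret is configured
  const expected = signBody(rawBody, cfg.webhookSecret);
  if (!signatureMatches(headers[SIGNATURE_HEADER], expected)) return { status: 401 };
  try {
    return { status: 200, message: JSON.parse(rawBody) };
  } catch {
    return { status: 400 };
  }
}
```

The signature must be computed over the exact bytes received, so the server has to buffer the raw body before any JSON middleware touches it.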
