@diegoaltoworks/talker 0.9.0 → 0.11.0

package/dist/index.mjs

@@ -48,13 +48,31 @@ var isTestEnv = process.env.NODE_ENV === "test" || typeof Bun !== "undefined" &&
 var isDebug = process.env.DEBUG === "true";
 var isSilent = isTestEnv && !isDebug;
 var timestamp = () => (/* @__PURE__ */ new Date()).toISOString();
+function redactPhone(phone) {
+  if (!phone || phone === "unknown") return phone;
+  const digits = phone.replace(/\D/g, "");
+  if (digits.length <= 4) return "***";
+  return `***${digits.slice(-4)}`;
+}
+function redactData(data) {
+  if (!data) return data;
+  const redacted = {};
+  for (const [key, value] of Object.entries(data)) {
+    if ((key === "phoneNumber" || key === "phone") && typeof value === "string") {
+      redacted[key] = redactPhone(value);
+    } else {
+      redacted[key] = value;
+    }
+  }
+  return redacted;
+}
 var log = (level, message, data) => {
   if (isSilent) return;
   const entry = {
     timestamp: timestamp(),
     level,
     message,
-    ...data
+    ...redactData(data)
   };
   console.log(JSON.stringify(entry));
 };
@@ -215,8 +233,35 @@ async function closeDbClient() {
 }
 
 // src/db/migrate.ts
-import { readFileSync } from "node:fs";
-import { join } from "node:path";
+var SCHEMA_STATEMENTS = [
+  `CREATE TABLE IF NOT EXISTS talker_sessions (
+    id TEXT PRIMARY KEY,
+    phone_number TEXT NOT NULL,
+    channel TEXT NOT NULL CHECK(channel IN ('call', 'sms')),
+    reason TEXT NOT NULL CHECK(reason IN ('ended', 'redirected')),
+    language TEXT NOT NULL,
+    started_at INTEGER NOT NULL,
+    ended_at INTEGER NOT NULL,
+    duration_ms INTEGER NOT NULL,
+    transfer_reason TEXT,
+    conversation_id TEXT,
+    created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+    updated_at INTEGER NOT NULL DEFAULT (unixepoch())
+  )`,
+  `CREATE TABLE IF NOT EXISTS talker_messages (
+    id TEXT PRIMARY KEY,
+    session_id TEXT NOT NULL,
+    role TEXT NOT NULL CHECK(role IN ('user', 'assistant')),
+    content TEXT NOT NULL,
+    timestamp INTEGER NOT NULL,
+    created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+    FOREIGN KEY (session_id) REFERENCES talker_sessions(id) ON DELETE CASCADE
+  )`,
+  "CREATE INDEX IF NOT EXISTS idx_talker_sessions_phone ON talker_sessions(phone_number)",
+  "CREATE INDEX IF NOT EXISTS idx_talker_sessions_created ON talker_sessions(created_at DESC)",
+  "CREATE INDEX IF NOT EXISTS idx_talker_messages_session ON talker_messages(session_id)",
+  "CREATE INDEX IF NOT EXISTS idx_talker_messages_ts ON talker_messages(timestamp)"
+];
 async function runMigrations() {
   const client2 = getDbClient();
   if (!client2) {
@@ -224,11 +269,8 @@ async function runMigrations() {
     return;
   }
   try {
-    const schemaPath = join(__dirname, "schema.sql");
-    const schema = readFileSync(schemaPath, "utf-8");
-    const statements = schema.split("\n").filter((line) => !line.trim().startsWith("--")).join("\n").split(";").map((s) => s.trim()).filter((s) => s.length > 0);
-    logger.info("running database migrations", { statementCount: statements.length });
-    for (const statement of statements) {
+    logger.info("running database migrations", { statementCount: SCHEMA_STATEMENTS.length });
+    for (const statement of SCHEMA_STATEMENTS) {
       await client2.execute(statement);
     }
     logger.info("database migrations completed");
@@ -241,7 +283,7 @@ async function runMigrations() {
 }
 
 // src/flows/registry.ts
-import { readFileSync as readFileSync3 } from "node:fs";
+import { readFileSync as readFileSync2 } from "node:fs";
 
 // src/flows/intent.ts
 var OPENAI_API_URL = "https://api.openai.com/v1/chat/completions";
@@ -330,8 +372,8 @@ Rules:
 }
 
 // src/flows/loader.ts
-import { existsSync, readFileSync as readFileSync2, readdirSync } from "node:fs";
-import { join as join2 } from "node:path";
+import { existsSync, readFileSync, readdirSync } from "node:fs";
+import { join } from "node:path";
 async function loadFlowsFromDirectory(flowsDir) {
   const flows = /* @__PURE__ */ new Map();
   if (!existsSync(flowsDir)) {
@@ -356,10 +398,10 @@ async function loadFlowsFromDirectory(flowsDir) {
   return flows;
 }
 async function loadFlow(flowsDir, flowName) {
-  const flowPath = join2(flowsDir, flowName);
-  const definitionPath = join2(flowPath, "flow.json");
-  const instructionsPath = join2(flowPath, "instructions.md");
-  const handlerPath = join2(flowPath, "handler.ts");
+  const flowPath = join(flowsDir, flowName);
+  const definitionPath = join(flowPath, "flow.json");
+  const instructionsPath = join(flowPath, "instructions.md");
+  const handlerPath = join(flowPath, "handler.ts");
   if (!existsSync(definitionPath)) {
     throw new Error(`flow.json not found for ${flowName}`);
   }
@@ -369,7 +411,7 @@ async function loadFlow(flowsDir, flowName) {
   if (!existsSync(handlerPath)) {
     throw new Error(`handler.ts not found for ${flowName}`);
   }
-  const definitionContent = readFileSync2(definitionPath, "utf-8");
+  const definitionContent = readFileSync(definitionPath, "utf-8");
   const definition = JSON.parse(definitionContent);
   if (definition.id !== flowName) {
     throw new Error(`Flow id mismatch: ${definition.id} !== ${flowName}`);
@@ -385,7 +427,7 @@ async function loadFlow(flowsDir, flowName) {
   if (typeof handler !== "function") {
     throw new Error(`Flow ${flowName} handler.ts must export an 'execute' function`);
   }
-  const prefillPath = join2(flowPath, "prefill.ts");
+  const prefillPath = join(flowPath, "prefill.ts");
   let prefill;
   if (existsSync(prefillPath)) {
     const prefillModule = await import(prefillPath);
@@ -471,7 +513,7 @@ var FlowRegistry = class {
     if (!flow) {
       throw new Error(`Flow ${flowName} not found`);
     }
-    return readFileSync3(flow.instructionsPath, "utf-8");
+    return readFileSync2(flow.instructionsPath, "utf-8");
   }
 };
 function testModeDetectIntent(message) {
@@ -485,6 +527,140 @@ function testModeDetectIntent(message) {
 // src/routes/call/index.ts
 import { Hono } from "hono";
 
+// src/middleware/input-sanitize.ts
+var DEFAULT_MAX_INPUT_LENGTH = 1e3;
+function truncateInput(input, maxLength) {
+  if (input.length <= maxLength) return input;
+  return input.substring(0, maxLength);
+}
+function inputSanitizeMiddleware(maxInputLength) {
+  const maxLen = maxInputLength ?? DEFAULT_MAX_INPUT_LENGTH;
+  return async (c, next) => {
+    const body = await c.req.parseBody();
+    let truncated = false;
+    if (typeof body.SpeechResult === "string" && body.SpeechResult.length > maxLen) {
+      logger.warn("input truncated: SpeechResult", {
+        original: body.SpeechResult.length,
+        max: maxLen
+      });
+      body.SpeechResult = truncateInput(body.SpeechResult, maxLen);
+      truncated = true;
+    }
+    if (typeof body.Body === "string" && body.Body.length > maxLen) {
+      logger.warn("input truncated: Body", {
+        original: body.Body.length,
+        max: maxLen
+      });
+      body.Body = truncateInput(body.Body, maxLen);
+      truncated = true;
+    }
+    if (truncated) {
+      c.set("sanitizedBody", body);
+    }
+    return next();
+  };
+}
+
+// src/middleware/rate-limit.ts
+var DEFAULT_MAX_REQUESTS = 30;
+var DEFAULT_WINDOW_MS = 6e4;
+var rateLimitStore = /* @__PURE__ */ new Map();
+var cleanupTimer2 = null;
+function ensureCleanup(windowMs) {
+  if (cleanupTimer2) return;
+  cleanupTimer2 = setInterval(() => {
+    const cutoff = Date.now() - windowMs * 2;
+    for (const [key, entry] of rateLimitStore) {
+      entry.timestamps = entry.timestamps.filter((t) => t > cutoff);
+      if (entry.timestamps.length === 0) {
+        rateLimitStore.delete(key);
+      }
+    }
+  }, windowMs);
+}
+function checkRateLimit(phoneNumber, maxRequests, windowMs) {
+  const now = Date.now();
+  const cutoff = now - windowMs;
+  let entry = rateLimitStore.get(phoneNumber);
+  if (!entry) {
+    entry = { timestamps: [] };
+    rateLimitStore.set(phoneNumber, entry);
+  }
+  entry.timestamps = entry.timestamps.filter((t) => t > cutoff);
+  if (entry.timestamps.length >= maxRequests) {
+    return false;
+  }
+  entry.timestamps.push(now);
+  return true;
+}
+function rateLimitMiddleware(config) {
+  const maxRequests = config?.maxRequests ?? DEFAULT_MAX_REQUESTS;
+  const windowMs = config?.windowMs ?? DEFAULT_WINDOW_MS;
+  ensureCleanup(windowMs);
+  return async (c, next) => {
+    const body = await c.req.parseBody();
+    const phoneNumber = (body.From || "unknown").trim();
+    if (!checkRateLimit(phoneNumber, maxRequests, windowMs)) {
+      logger.warn("rate limit exceeded", { phoneNumber, path: c.req.path });
+      const twiml = `<?xml version="1.0" encoding="UTF-8"?>
+<Response>
+    <Say>Please try again in a moment.</Say>
+</Response>`;
+      return c.text(twiml, 429, { "Content-Type": "text/xml" });
+    }
+    return next();
+  };
+}
+
+// src/middleware/twilio-signature.ts
+import { createHmac } from "node:crypto";
+function computeTwilioSignature(authToken, url, params) {
+  const sortedKeys = Object.keys(params).sort();
+  let data = url;
+  for (const key of sortedKeys) {
+    data += key + params[key];
+  }
+  return createHmac("sha1", authToken).update(data).digest("base64");
+}
+function validateTwilioSignature(authToken, signature, url, params) {
+  const expected = computeTwilioSignature(authToken, url, params);
+  if (expected.length !== signature.length) return false;
+  let mismatch = 0;
+  for (let i = 0; i < expected.length; i++) {
+    mismatch |= expected.charCodeAt(i) ^ signature.charCodeAt(i);
+  }
+  return mismatch === 0;
+}
+function twilioSignatureMiddleware(authToken, baseUrl) {
+  return async (c, next) => {
+    if (!authToken) {
+      return next();
+    }
+    const signature = c.req.header("x-twilio-signature");
+    if (!signature) {
+      logger.warn("rejected request: missing X-Twilio-Signature header", {
+        path: c.req.path
+      });
+      return c.text("", 403);
+    }
+    const requestUrl = baseUrl ? `${baseUrl.replace(/\/$/, "")}${c.req.path}` : c.req.url;
+    const body = await c.req.parseBody();
+    const params = {};
+    for (const [key, value] of Object.entries(body)) {
+      if (typeof value === "string") {
+        params[key] = value;
+      }
+    }
+    if (!validateTwilioSignature(authToken, signature, requestUrl, params)) {
+      logger.warn("rejected request: invalid Twilio signature", {
+        path: c.req.path
+      });
+      return c.text("", 403);
+    }
+    return next();
+  };
+}
+
 // src/core/errors.ts
 function getErrorMessage(error) {
   if (error instanceof Error) {
@@ -497,20 +673,69 @@ function getErrorMessage(error) {
 }
 
 // src/core/phrases.ts
-import { existsSync as existsSync2, readFileSync as readFileSync4 } from "node:fs";
-import { join as join3 } from "node:path";
+import { existsSync as existsSync2, readFileSync as readFileSync3 } from "node:fs";
+import { join as join2 } from "node:path";
 var phrasesCache = {};
+var ENGLISH_FALLBACK = {
+  greeting: "Hello! I'm your voice assistant. How can I help you today?",
+  didNotCatch: "I didn't catch that. Could you please repeat?",
+  didNotHear: "I didn't hear anything. Goodbye.",
+  didNotHearRetry: "Sorry, I didn't catch that. Could you try again?",
+  didNotHearFinal: "I'm really sorry but I cannot hear what you're saying. Please call again. Bye for now.",
+  transfer: "Let me connect you with someone directly.",
+  acknowledgment: "One moment please...",
+  farewell: {
+    morning: "You're welcome! Have a wonderful day. Goodbye!",
+    afternoon: "You're welcome! Have a lovely afternoon. Goodbye!",
+    evening: "You're welcome! Have a good evening. Goodbye!"
+  },
+  error: "Sorry, I encountered an error. Please try again later. Goodbye.",
+  timeout: "Sorry, I took too long to respond. Please try again. Goodbye.",
+  lostQuestion: "I'm sorry, I lost track of your question. Could you please repeat?",
+  flow: {
+    cancelled: "No problem! I've cancelled that. What else would you like to know?"
+  },
+  sms: {
+    greeting: "Hi! I'm your voice assistant. Ask me anything!",
+    greetingShort: "Hi! Ask me anything!",
+    callForHelp: "For more complex questions, feel free to call back or reach us directly.",
+    processingError: "I'm having trouble processing that. Please try texting again or call back.",
+    genericError: "Sorry, something went wrong. Please try again."
+  },
+  whatsapp: {
+    greeting: "Hi! I'm your assistant. Send me a message and I'll help you out!",
+    greetingShort: "Hi! How can I help?",
+    callForHelp: "For more complex questions, feel free to call us directly or reply here with more details.",
+    processingError: "I'm having trouble processing that. Please try sending your message again.",
+    genericError: "Sorry, something went wrong. Please try again."
+  }
+};
+function resolveBuiltinLanguageDir() {
+  const candidates = [
+    join2(__dirname, "../../language"),
+    // source: src/core/ -> language/
+    join2(__dirname, "../language")
+    // dist: dist/ -> language/
+  ];
+  for (const dir of candidates) {
+    if (existsSync2(dir)) {
+      return dir;
+    }
+  }
+  return void 0;
+}
 function loadPhrases(language, languageDir) {
   const cacheKey = `${languageDir || "default"}:${language}`;
   if (phrasesCache[cacheKey]) {
     return phrasesCache[cacheKey];
   }
-  const dirs = [languageDir, join3(__dirname, "../../language")].filter(Boolean);
+  const builtinDir = resolveBuiltinLanguageDir();
+  const dirs = [languageDir, builtinDir].filter(Boolean);
   for (const dir of dirs) {
-    const filePath = join3(dir, `${language}.json`);
+    const filePath = join2(dir, `${language}.json`);
     if (existsSync2(filePath)) {
       try {
-        const content = readFileSync4(filePath, "utf-8");
+        const content = readFileSync3(filePath, "utf-8");
         phrasesCache[cacheKey] = JSON.parse(content);
         return phrasesCache[cacheKey];
       } catch {
@@ -520,7 +745,8 @@ function loadPhrases(language, languageDir) {
   if (language !== "en") {
     return loadPhrases("en", languageDir);
   }
-  throw new Error("English phrase file not found in any search path");
+  phrasesCache[cacheKey] = ENGLISH_FALLBACK;
+  return ENGLISH_FALLBACK;
 }
 function getPhrase(language, key, languageDir) {
   const phrases = loadPhrases(language, languageDir);
@@ -545,6 +771,13 @@ function getSmsPhrase(language, key, languageDir) {
   const phrases = loadPhrases(language, languageDir);
   return phrases.sms[key];
 }
+function getWhatsAppPhrase(language, key, languageDir) {
+  const phrases = loadPhrases(language, languageDir);
+  if (phrases.whatsapp) {
+    return phrases.whatsapp[key];
+  }
+  return phrases.sms[key];
+}
 
 // src/core/voice.ts
 var DEFAULT_VOICES = {
@@ -1006,40 +1239,116 @@ async function callOpenAI(deps, systemPrompt, userMessage, context) {
 }
 
 // src/core/processing/prompts.ts
-import { existsSync as existsSync3, readFileSync as readFileSync5 } from "node:fs";
-import { join as join4 } from "node:path";
+import { existsSync as existsSync3, readFileSync as readFileSync4 } from "node:fs";
+import { join as join3 } from "node:path";
 var incomingPrompt = null;
 var outgoingPrompt = null;
 function loadPromptFile(filename, customPath) {
   if (customPath && existsSync3(customPath)) {
-    return readFileSync5(customPath, "utf-8");
-  }
-  const builtinPath = join4(__dirname, "../../../prompts", filename);
-  if (existsSync3(builtinPath)) {
-    return readFileSync5(builtinPath, "utf-8");
+    return readFileSync4(customPath, "utf-8");
+  }
+  const candidates = [
+    join3(__dirname, "../../../prompts", filename),
+    // source: src/core/processing/ -> prompts/
+    join3(__dirname, "../../prompts", filename),
+    // dist: dist/ -> prompts/
+    join3(__dirname, "../prompts", filename)
+    // flat dist
+  ];
+  for (const path of candidates) {
+    if (existsSync3(path)) {
+      return readFileSync4(path, "utf-8");
+    }
   }
-  throw new Error(`Prompt file not found: ${filename}`);
+  return void 0;
 }
+var DEFAULT_INCOMING_PROMPT = `# Incoming Message Processor
+
+You are a pre-processor for a voice assistant. Your job is to analyze incoming caller speech and determine three things:
+
+1. Should the caller be transferred to a human directly?
+2. What language is the caller speaking?
+3. What is the cleaned-up version of their message to send to the knowledge base?
+
+## IMPORTANT: Conversation Context
+
+You may receive conversation history along with the current message. **You MUST consider the context** when making decisions.
+
+## Language Detection
+
+Detect the language the caller is speaking. Supported: "en", "fr", "nl", "de", "es", "pt". Default: "en".
+
+## Transfer Detection
+
+Transfer if the caller expresses: "speak to someone", "talk to a person", "connect me", "real person", "human", frustration signals, or complex/personal matters.
+
+## End Call Detection
+
+End call if: "no thanks", "that's all", "goodbye", "bye", "I'm done", "nothing else". Only if clearly ending the conversation.
+
+## Response Format
+
+Respond with valid JSON:
+\`\`\`json
+{
+  "shouldTransfer": true or false,
+  "shouldEndCall": true or false,
+  "detectedLanguage": "en" or "fr" or "nl" or "de" or "es" or "pt",
+  "processedMessage": "the cleaned up message"
+}
+\`\`\`
+
+## Message Cleaning Rules
+
+- Fix obvious speech-to-text errors
+- Remove filler words (um, uh, like, you know)
+- Keep the core intent and original language intact`;
+var DEFAULT_OUTGOING_PROMPT = `# Outgoing Response Processor
+
+You are a post-processor for a voice assistant. Transform knowledge base responses into channel-appropriate messages.
+
+## Channel Type
+
+You will be told the channel: "call" (phone), "sms" (text message), or "whatsapp".
+
+**For CALL:** Spoken aloud by TTS. Convert numbers to words. Remove URLs. Max 2 sentences.
+**For SMS:** Read on phone screen. Keep digits. Max 160 chars. No markdown.
+**For WHATSAPP:** Read in chat. Keep digits and URLs. Can use *bold*, _italic_. Up to 500 chars.
+
+## Language Requirement
+
+You MUST respond in the specified language.
+
+## Rules
+
+1. Be concise - answer directly
+2. End with a follow-up question
+3. Always use third person
+4. Remove markdown, lists, technical jargon
+
+Return ONLY the transformed text. No JSON, no explanations.`;
 function getIncomingPrompt(deps) {
   if (!incomingPrompt) {
-    try {
-      incomingPrompt = loadPromptFile("incoming.md", deps.config.processing?.incomingPromptPath);
-      logger.info("incoming prompt loaded");
-    } catch (error) {
-      logger.error("failed to load incoming prompt", { error: getErrorMessage(error) });
-      incomingPrompt = "Return JSON with shouldTransfer (boolean), shouldEndCall (boolean), detectedLanguage (string), processedMessage (string)";
+    const loaded = loadPromptFile("incoming.md", deps.config.processing?.incomingPromptPath);
+    if (loaded) {
+      incomingPrompt = loaded;
+      logger.info("incoming prompt loaded from file");
+    } else {
+      incomingPrompt = DEFAULT_INCOMING_PROMPT;
+      logger.info("incoming prompt loaded (built-in default)");
     }
   }
   return incomingPrompt;
 }
 function getOutgoingPrompt(deps) {
   if (!outgoingPrompt) {
-    try {
-      outgoingPrompt = loadPromptFile("outgoing.md", deps.config.processing?.outgoingPromptPath);
-      logger.info("outgoing prompt loaded");
-    } catch (error) {
-      logger.error("failed to load outgoing prompt", { error: getErrorMessage(error) });
-      outgoingPrompt = "Make this response phone-friendly and brief.";
+    const loaded = loadPromptFile("outgoing.md", deps.config.processing?.outgoingPromptPath);
+    if (loaded) {
+      outgoingPrompt = loaded;
+      logger.info("outgoing prompt loaded from file");
+    } else {
+      outgoingPrompt = DEFAULT_OUTGOING_PROMPT;
+      logger.info("outgoing prompt loaded (built-in default)");
     }
   }
   return outgoingPrompt;
@@ -1133,10 +1442,10 @@ Respond in: ${language}`;
 }
 
 // src/flows/params.ts
-import { readFileSync as readFileSync6 } from "node:fs";
+import { readFileSync as readFileSync5 } from "node:fs";
 var OPENAI_API_URL3 = "https://api.openai.com/v1/chat/completions";
 async function extractParameters(deps, flow, phoneNumber, userMessage, existingParams) {
-  const instructions = readFileSync6(flow.instructionsPath, "utf-8");
+  const instructions = readFileSync5(flow.instructionsPath, "utf-8");
   const schema = flow.definition.schema;
   const properties = schema.properties || {};
   const required = schema.required || [];
@@ -1420,9 +1729,10 @@ async function processCall(deps, registry, phoneNumber, speechResult) {
         deps.config.voices
       );
       const transferNumber = deps.config.transferNumber || "";
+      const escapedFlowResponse = escapeXml(flowResult.response);
       return `<?xml version="1.0" encoding="UTF-8"?>
 <Response>
-    <Say voice="${voice}" language="${lang}">${flowResult.response}</Say>
+    <Say voice="${voice}" language="${lang}">${escapedFlowResponse}</Say>
     <Dial>${transferNumber}</Dial>
 </Response>`;
     }
@@ -1515,6 +1825,12 @@ async function handleStatus(c) {
 // src/routes/call/index.ts
 function callRoutes(deps, registry) {
   const app = new Hono();
+  app.use("/call/*", twilioSignatureMiddleware(deps.config.twilio?.authToken));
+  app.use("/call/*", rateLimitMiddleware(deps.config.rateLimit));
+  app.use("/call/*", inputSanitizeMiddleware(deps.config.maxInputLength));
+  app.post("/call", twilioSignatureMiddleware(deps.config.twilio?.authToken));
+  app.post("/call", rateLimitMiddleware(deps.config.rateLimit));
+  app.post("/call", inputSanitizeMiddleware(deps.config.maxInputLength));
   app.post("/call", (c) => handleInitialCall(c, deps.config));
   app.post("/call/respond", (c) => handleRespond(c, deps, registry));
   app.post("/call/answer", (c) => handleAnswer(c, deps.config));
@@ -1585,11 +1901,171 @@ async function handleIncomingSMS(c, deps, registry) {
 // src/routes/sms/index.ts
 function smsRoutes(deps, registry) {
   const app = new Hono2();
+  app.post("/sms", twilioSignatureMiddleware(deps.config.twilio?.authToken));
+  app.post("/sms", rateLimitMiddleware(deps.config.rateLimit));
+  app.post("/sms", inputSanitizeMiddleware(deps.config.maxInputLength));
   app.post("/sms", (c) => handleIncomingSMS(c, deps, registry));
   app.get("/sms", (c) => c.text("SMS endpoint active"));
   return app;
 }
 
+// src/routes/whatsapp/index.ts
+import { Hono as Hono3 } from "hono";
+
+// src/adapters/twilio.ts
+function stripWhatsAppPrefix(phoneNumber) {
+  return phoneNumber.replace(/^whatsapp:/, "");
+}
+async function sendSMS(config, to, message) {
+  if (!config.accountSid || !config.authToken || !config.phoneNumber) {
+    logger.warn("Twilio credentials not configured, skipping SMS send", { to });
+    return false;
+  }
+  try {
+    const auth = Buffer.from(`${config.accountSid}:${config.authToken}`).toString("base64");
+    const response = await fetch(
+      `https://api.twilio.com/2010-04-01/Accounts/${config.accountSid}/Messages.json`,
+      {
+        method: "POST",
+        headers: {
+          Authorization: `Basic ${auth}`,
+          "Content-Type": "application/x-www-form-urlencoded"
+        },
+        body: new URLSearchParams({
+          From: config.phoneNumber,
+          To: to,
+          Body: message
+        })
+      }
+    );
+    if (!response.ok) {
+      const error = await response.text();
+      logger.error("SMS send failed", { to, status: response.status, error });
+      return false;
+    }
+    const data = await response.json();
+    logger.info("SMS sent successfully", { to, messageSid: data.sid });
+    return true;
+  } catch (error) {
+    logger.error("SMS send error", {
+      to,
+      error: error instanceof Error ? error.message : "Unknown"
+    });
+    return false;
+  }
+}
+async function sendWhatsApp(config, to, message) {
+  if (!config.accountSid || !config.authToken || !config.phoneNumber) {
+    logger.warn("Twilio credentials not configured, skipping WhatsApp send", { to });
+    return false;
+  }
+  try {
+    const auth = Buffer.from(`${config.accountSid}:${config.authToken}`).toString("base64");
+    const whatsappTo = to.startsWith("whatsapp:") ? to : `whatsapp:${to}`;
+    const whatsappFrom = config.phoneNumber.startsWith("whatsapp:") ? config.phoneNumber : `whatsapp:${config.phoneNumber}`;
+    const response = await fetch(
+      `https://api.twilio.com/2010-04-01/Accounts/${config.accountSid}/Messages.json`,
+      {
+        method: "POST",
+        headers: {
+          Authorization: `Basic ${auth}`,
+          "Content-Type": "application/x-www-form-urlencoded"
+        },
+        body: new URLSearchParams({
+          From: whatsappFrom,
+          To: whatsappTo,
+          Body: message
+        })
+      }
+    );
+    if (!response.ok) {
+      const error = await response.text();
+      logger.error("WhatsApp send failed", { to, status: response.status, error });
+      return false;
+    }
+    const data = await response.json();
+    logger.info("WhatsApp message sent successfully", { to, messageSid: data.sid });
+    return true;
+  } catch (error) {
+    logger.error("WhatsApp send error", {
+      to,
+      error: error instanceof Error ? error.message : "Unknown"
+    });
+    return false;
+  }
+}
+
+// src/routes/whatsapp/processor.ts
+async function processWhatsApp(deps, registry, phoneNumber, messageBody) {
+  const incoming = await processIncoming(deps, phoneNumber, messageBody, "whatsapp");
+  if (incoming.shouldTransfer) {
+    const message = getWhatsAppPhrase(
+      incoming.detectedLanguage,
+      "callForHelp",
+      deps.config.languageDir
+    );
+    return messageTwiml(message);
+  }
+  const flowResult = await processFlow(
+    deps,
+    registry,
+    phoneNumber,
+    incoming.processedMessage,
+    "whatsapp"
+  );
+  if (flowResult.isFlowActive || flowResult.flowCompleted) {
+    if (flowResult.flowCompleted && flowResult.flowSuccess === false) {
+      const message = getWhatsAppPhrase(
+        incoming.detectedLanguage,
+        "processingError",
+        deps.config.languageDir
+      );
+      return messageTwiml(message);
+    }
+    return messageTwiml(flowResult.response);
+  }
+  const botResponse = await chat(deps, phoneNumber, incoming.processedMessage);
+  const whatsappResponse = await processOutgoing(deps, phoneNumber, botResponse, "whatsapp");
+  return messageTwiml(whatsappResponse);
+}
+
+// src/routes/whatsapp/handle-incoming.ts
+async function handleIncomingWhatsApp(c, deps, registry) {
+  const body = await c.req.parseBody();
+  const rawFrom = (body.From || "unknown").trim();
+  const phoneNumber = stripWhatsAppPrefix(rawFrom);
+  const messageBody = body.Body || "";
+  logger.info("whatsapp message received", { phoneNumber, messageBody });
+  if (!messageBody.trim()) {
+    return c.text(messageTwiml(getWhatsAppPhrase("en", "greeting", deps.config.languageDir)), 200, {
+      "Content-Type": "text/xml"
+    });
+  }
+  try {
+    const twiml = await processWhatsApp(deps, registry, phoneNumber, messageBody);
+    persistSession(phoneNumber, "whatsapp");
+    return c.text(twiml, 200, { "Content-Type": "text/xml" });
+  } catch (error) {
+    logger.error("whatsapp processing error", {
+      phoneNumber,
+      error: getErrorMessage(error)
+    });
+    return c.text(
+      messageTwiml(getWhatsAppPhrase("en", "genericError", deps.config.languageDir)),
+      200,
+      { "Content-Type": "text/xml" }
+    );
+  }
+}
+
+// src/routes/whatsapp/index.ts
+function whatsappRoutes(deps, registry) {
+  const app = new Hono3();
+  app.post("/whatsapp", (c) => handleIncomingWhatsApp(c, deps, registry));
+  app.get("/whatsapp", (c) => c.text("WhatsApp endpoint active"));
+  return app;
+}
+
 // src/plugin.ts
 var DEFAULT_CONTEXT_TTL_MS = 30 * 60 * 1e3;
 var DEFAULT_CLEANUP_INTERVAL_MS = 5 * 60 * 1e3;
@@ -1623,6 +2099,7 @@ async function createTelephonyRoutes(app, chatterDeps, config) {
   const prefix = config.routePrefix || "";
   app.route(prefix, callRoutes(deps, registry));
   app.route(prefix, smsRoutes(deps, registry));
+  app.route(prefix, whatsappRoutes(deps, registry));
   logger.info("telephony routes mounted", {
     prefix: prefix || "/",
     hasFlows: !!config.flowsDir,
@@ -1632,7 +2109,7 @@ async function createTelephonyRoutes(app, chatterDeps, config) {
 }
 
 // src/standalone.ts
-import { Hono as Hono3 } from "hono";
+import { Hono as Hono4 } from "hono";
 var DEFAULT_CONTEXT_TTL_MS2 = 30 * 60 * 1e3;
 var DEFAULT_CLEANUP_INTERVAL_MS2 = 5 * 60 * 1e3;
 var DEFAULT_MODEL2 = "gpt-4o-mini";
@@ -1662,11 +2139,12 @@ async function createStandaloneServer(config) {
     config.contextTtlMs ?? DEFAULT_CONTEXT_TTL_MS2,
     config.cleanupIntervalMs ?? DEFAULT_CLEANUP_INTERVAL_MS2
   );
-  const app = new Hono3();
+  const app = new Hono4();
   app.get("/healthz", (c) => c.text("ok"));
   const prefix = config.routePrefix || "";
   app.route(prefix, callRoutes(deps, registry));
   app.route(prefix, smsRoutes(deps, registry));
+  app.route(prefix, whatsappRoutes(deps, registry));
   logger.info("standalone talker server ready", {
     prefix: prefix || "/",
     hasFlows: !!config.flowsDir,
@@ -1676,46 +2154,6 @@ async function createStandaloneServer(config) {
   });
   return app;
 }
-
-// src/adapters/twilio.ts
-async function sendSMS(config, to, message) {
-  if (!config.accountSid || !config.authToken || !config.phoneNumber) {
-    logger.warn("Twilio credentials not configured, skipping SMS send", { to });
-    return false;
-  }
-  try {
-    const auth = Buffer.from(`${config.accountSid}:${config.authToken}`).toString("base64");
-    const response = await fetch(
-      `https://api.twilio.com/2010-04-01/Accounts/${config.accountSid}/Messages.json`,
-      {
-        method: "POST",
-        headers: {
-          Authorization: `Basic ${auth}`,
-          "Content-Type": "application/x-www-form-urlencoded"
-        },
-        body: new URLSearchParams({
-          From: config.phoneNumber,
-          To: to,
-          Body: message
-        })
-      }
-    );
-    if (!response.ok) {
-      const error = await response.text();
-      logger.error("SMS send failed", { to, status: response.status, error });
-      return false;
-    }
-    const data = await response.json();
-    logger.info("SMS sent successfully", { to, messageSid: data.sid });
-    return true;
-  } catch (error) {
-    logger.error("SMS send error", {
-      to,
-      error: error instanceof Error ? error.message : "Unknown"
-    });
-    return false;
-  }
-}
 export {
   FlowRegistry,
   acknowledgmentTwiml,
@@ -1744,8 +2182,10 @@ export {
   getPhrase,
   getSmsPhrase,
   getVoiceConfig,
+  getWhatsAppPhrase,
   incrementNoSpeechRetries,
   initDbClient,
+  inputSanitizeMiddleware,
   loadFlowsFromDirectory,
   loadPhrases,
   logger,
@@ -1755,10 +2195,13 @@ export {
   processFlow,
   processIncoming,
   processOutgoing,
+  rateLimitMiddleware,
+  redactPhone,
   resetNoSpeechRetries,
   runMigrations,
   sayTwiml,
   sendSMS,
+  sendWhatsApp,
   setActiveFlow,
   setDetectedLanguage,
   setLastPrompt,
@@ -1766,6 +2209,10 @@ export {
   smsRoutes,
   startCleanup,
   stopCleanup,
+  stripWhatsAppPrefix,
   transferTwiml,
-  updateFlowParams
+  twilioSignatureMiddleware,
+  updateFlowParams,
+  validateTwilioSignature,
+  whatsappRoutes
 };