Adds new integration [wizz666/homeassistant-openrouter-bridge]#6479

Draft
wizz666 wants to merge 4 commits into hacs:master from wizz666:add-openrouter-bridge

@wizz666 wizz666 commented Mar 23, 2026

Checklist

  • I've read the publishing documentation.
  • I've added the HACS action to my repository.
  • (For integrations only) I've added the hassfest action to my repository.
  • The actions are passing without any disabled checks in my repository.
  • I've added a link to the action run on my repository below in the links section.
  • I've created a new release of the repository after the validation actions were run successfully.

Links

Link to current release: https://github.com/wizz666/homeassistant-openrouter-bridge/releases/tag/v1.0.1
Link to successful HACS action (without the ignore key): https://github.com/wizz666/homeassistant-openrouter-bridge/actions/runs/23425220322/job/68138501515
Link to successful hassfest action (if integration): https://github.com/wizz666/homeassistant-openrouter-bridge/actions/runs/23425220322/job/68138501506

@hacs-bot hacs-bot Bot changed the title Add wizz666/homeassistant-openrouter-bridge Adds new integration [wizz666/homeassistant-openrouter-bridge] Mar 23, 2026

hacs-bot Bot commented Mar 23, 2026

Thank you for submitting your repository to HACS (Home Assistant Community Store).

Your submission is in the review queue:
Your repository is waiting to be reviewed and included in HACS.

You can view the current queue here. Pull requests are processed in the order they were created, oldest first.

What to avoid during review:
To help reviewers work efficiently, don't do the following:

  • Comment on the pull request - The reviewer will contact you when they have feedback or questions.
  • Open a new pull request - This won't speed up the process and creates duplicate work.
  • Ask followers to comment on the pull request - This won't speed up the process and may delay your review.
  • Merge in the default branch - Only do this if a maintainer asks you to resolve a merge conflict.

If you need to make changes:
You can continue updating your repository while waiting for review. Changes to your repository will be reflected when the reviewer examines it. Only comment on the pull request if you need to withdraw your submission or have critical information for reviewers.

About draft pull requests:
Draft pull requests aren't included in the review queue. Your pull request may be marked as draft by a reviewer if issues need to be addressed. Once you've resolved all issues, mark it as ready for review to re-enter the queue.

What happens next:
Once a reviewer examines your submission, they'll either:

  • Approve and merge your pull request if everything meets the requirements
  • Request changes or ask questions if adjustments are needed

@frenck frenck left a comment

Hi @wizz666, thanks for the submission and for the careful documentation. 👋

Before this can go into the HACS default catalog, the integration has some serious security issues that need to be addressed.

Every HomeAssistantView registered by the integration sets requires_auth = False. That includes:

  • /api/openrouter_bridge/v1/messages (api.py line 430) — proxies to OpenRouter with the user's API key
  • /api/openrouter_bridge/v1/models (api.py line 589)
  • /api/openrouter_bridge (api.py line 639)
  • /api/openrouter_bridge/terminal (terminal.py line 126)
  • /api/openrouter_bridge/terminal/ws (terminal.py line 143)

The terminal WebSocket is the most serious one. It opens a PTY backed by subprocess.Popen([_CLAUDE_BIN]) (terminal.py lines 209-215) and forwards bytes from the WebSocket straight into the PTY via os.write(master_fd, data) (lines 240-247). Combined with requires_auth = False, this means anyone who can reach the Home Assistant HTTP server can open that WebSocket and get an interactive Claude CLI session running as the HA user, with HOME=/root and cwd=/config/claude_workspace. That's effectively unauthenticated remote command execution. "Trusted local network" is not a safe assumption here. HA instances are routinely reachable from the public internet through Nabu Casa, reverse proxies, or port forwarding, and the rest of HA's HTTP surface is auth-protected for exactly this reason.

The proxy endpoints have the same problem on a smaller scale: anyone on the network can hit /v1/messages and burn the user's OpenRouter credits.

Please remove requires_auth = False from every view, or replace it with HA's existing per-view auth mechanisms (long-lived access tokens, the auth_required flow, or scoped tokens). The terminal feature specifically also needs a hard look at whether exposing a PTY-backed CLI process inside HA at all is appropriate, even with auth on the endpoint, since it sidesteps HA's regular service/script model and gives the connected client far more capability than a typical integration.

I'll close this review for now. Once the authentication is in place and the terminal surface has been reconsidered, feel free to re-request review (or open a fresh PR if this one ends up closed).

../Frenck

                       

Blogging my personal ramblings at frenck.dev
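
The check described in the review above can be automated before submission. This is an added example, not part of the review or of the integration's code: a static scan that lists every class deriving directly from HomeAssistantView that sets requires_auth = False. The sample source, its class names and its URLs are constructed for illustration.

```python
import ast

# Constructed sample (not the integration's real code): one view opts out of
# authentication, the other keeps HomeAssistantView's default.
SAMPLE = '''
class MessagesView(HomeAssistantView):
    url = "/api/example_bridge/v1/messages"
    requires_auth = False

class StatusView(HomeAssistantView):
    url = "/api/example_bridge/status"
'''


def _base_name(node):
    """Trailing identifier of a base-class expression (Name or dotted)."""
    if isinstance(node, ast.Name):
        return node.id
    return node.attr if isinstance(node, ast.Attribute) else None


def find_unauthenticated_views(source):
    """Return (class, url, line) for each view setting requires_auth = False."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        if "HomeAssistantView" not in {_base_name(b) for b in cls.bases}:
            continue
        attrs = {}  # class-level constant assignments: name -> (value, line)
        for stmt in cls.body:
            if isinstance(stmt, ast.Assign):
                targets, value = stmt.targets, stmt.value
            elif isinstance(stmt, ast.AnnAssign) and stmt.value is not None:
                targets, value = [stmt.target], stmt.value
            else:
                continue
            for target in targets:
                if isinstance(target, ast.Name) and isinstance(value, ast.Constant):
                    attrs[target.id] = (value.value, stmt.lineno)
        value, line = attrs.get("requires_auth", (True, 0))
        if value is False:
            findings.append((cls.name, attrs.get("url", (None, 0))[0], line))
    return findings


if __name__ == "__main__":
    for name, url, line in find_unauthenticated_views(SAMPLE):
        print(f"line {line}: {name} ({url}) sets requires_auth = False")
```

The scan only sees direct subclasses and literal assignments; a view that inherits the flag from an intermediate base class or sets it at runtime still needs manual review.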

@hacs-bot hacs-bot Bot marked this pull request as draft May 15, 2026 21:01

wizz666 commented May 16, 2026

Hi @frenck, thank you for the thorough security review!

All issues have been addressed in v1.0.2:

  • requires_auth = False removed from all three proxy views (/v1/messages, /v1/models, /api/openrouter_bridge). All views now use the default requires_auth = True.
  • Terminal endpoint removed entirely (/api/openrouter_bridge/terminal and the WebSocket). I agree that a PTY-backed subprocess is not appropriate inside HA regardless of auth — it has been removed from the integration.

Release: https://github.com/wizz666/homeassistant-openrouter-bridge/releases/tag/v1.0.2

Requesting re-review. 🙏

wizz666 commented May 18, 2026

Hi @frenck — both security issues from your review are fixed in v1.0.2 (released 2026-05-16).

  1. requires_auth = False on all views → Changed to requires_auth = True on every HomeAssistantView (/api/openrouter_bridge/v1/messages, /api/openrouter_bridge/v1/models, /api/openrouter_bridge).

  2. Terminal PTY endpoint → The entire terminal feature has been removed. Both terminal.py views (/api/openrouter_bridge/terminal and /api/openrouter_bridge/terminal/ws) are gone. The file and its registrations in __init__.py are deleted.

Links:

Re-requesting your review — thank you!
