diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 000000000..68f3e5731 --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,119 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in the +World Monitor community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, caste, color, religion, or sexual +identity and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the overall + community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or advances of + any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email address, + without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Scope + +This Code of Conduct applies within all community spaces (GitHub issues, pull +requests, discussions, and any associated communication channels) and also +applies when an individual is officially representing the community in public +spaces. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the project maintainer at **[GitHub Issues](https://github.com/koala73/worldmonitor/issues)** or by contacting the +repository owner directly through GitHub. + +All complaints will be reviewed and investigated promptly and fairly. The project +team is obligated to maintain confidentiality with regard to the reporter of an +incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series of +actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or permanent +ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within the +community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.1, available at +[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1]. + +Community Impact Guidelines were inspired by +[Mozilla's code of conduct enforcement ladder][Mozilla CoC]. + +For answers to common questions about this code of conduct, see the FAQ at +[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at +[https://www.contributor-covenant.org/translations][translations]. + +[homepage]: https://www.contributor-covenant.org +[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html +[Mozilla CoC]: https://github.com/mozilla/diversity +[FAQ]: https://www.contributor-covenant.org/faq +[translations]: https://www.contributor-covenant.org/translations diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 000000000..debce79db --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,301 @@ +# Contributing to World Monitor + +Thank you for your interest in contributing to World Monitor! This project thrives on community contributions — whether it's code, data sources, documentation, or bug reports. + +## Table of Contents + +- [Architecture Overview](#architecture-overview) +- [Getting Started](#getting-started) +- [Development Setup](#development-setup) +- [How to Contribute](#how-to-contribute) +- [Pull Request Process](#pull-request-process) +- [AI-Assisted Development](#ai-assisted-development) +- [Coding Standards](#coding-standards) +- [Working with Sebuf (RPC Framework)](#working-with-sebuf-rpc-framework) +- [Adding Data Sources](#adding-data-sources) +- [Adding RSS Feeds](#adding-rss-feeds) +- [Reporting Bugs](#reporting-bugs) +- [Feature Requests](#feature-requests) +- [Code of Conduct](#code-of-conduct) + +## Architecture Overview + +World Monitor is a real-time OSINT dashboard built with **Vanilla TypeScript** (no UI framework), **MapLibre GL + deck.gl** for map rendering, and a custom Proto-first RPC framework called **Sebuf** for all API communication. + +### Key Technologies + +| Technology | Purpose | +|---|---| +| **TypeScript** | All code — frontend, edge functions, and handlers | +| **Vite** | Build tool and dev server | +| **Sebuf** | Proto-first HTTP RPC framework for typed API contracts | +| **Protobuf / Buf** | Service and message definitions across 17 domains | +| **MapLibre GL** | Base map rendering (tiles, globe mode, camera) | +| **deck.gl** | WebGL overlay layers (scatterplot, geojson, arcs, heatmaps) | +| **d3** | Charts, sparklines, and data visualization | +| **Vercel Edge Functions** | Serverless API gateway | +| **Tauri v2** | Desktop app (Windows, macOS, Linux) | +| **Convex** | Minimal backend (beta interest registration only) | +| **Playwright** | End-to-end and visual regression testing | + +### Variant System + +The codebase produces three app variants from the same source, each targeting a different audience: + +| Variant | Command | Focus | +|---|---|---| +| `full` | `npm run dev` | Geopolitics, military, conflicts, infrastructure | +| `tech` | `npm run dev:tech` | Startups, AI/ML, cloud, cybersecurity | +| `finance` | `npm run dev:finance` | Markets, trading, central banks, commodities | + +Variants share all code but differ in default panels, map layers, and RSS feeds. Variant configs live in `src/config/variants/`. + +### Directory Structure + +| Directory | Purpose | +|---|---| +| `src/components/` | UI components — Panel subclasses, map, modals (~50 panels) | +| `src/services/` | Data fetching modules — sebuf client wrappers, AI, signal analysis | +| `src/config/` | Static data and variant configs (feeds, geo, military, pipelines, ports) | +| `src/generated/` | Auto-generated sebuf client + server stubs (**do not edit by hand**) | +| `src/types/` | TypeScript type definitions | +| `src/locales/` | i18n JSON files (14 languages) | +| `src/workers/` | Web Workers for analysis | +| `server/` | Sebuf handler implementations for all 17 domain services | +| `api/` | Vercel Edge Functions (sebuf gateway + legacy endpoints) | +| `proto/` | Protobuf service and message definitions | +| `data/` | Static JSON datasets | +| `docs/` | Documentation + generated OpenAPI specs | +| `src-tauri/` | Tauri v2 Rust app + Node.js sidecar for desktop builds | +| `e2e/` | Playwright end-to-end tests | +| `scripts/` | Build and packaging scripts | + +## Getting Started + +1. **Fork** the repository on GitHub +2. **Clone** your fork locally: + ```bash + git clone https://github.com//worldmonitor.git + cd worldmonitor + ``` +3. **Create a branch** for your work: + ```bash + git checkout -b feature/your-feature-name + ``` + +## Development Setup + +```bash +# Install everything (buf CLI, sebuf plugins, npm deps, Playwright browsers) +make install + +# Start the development server (full variant, default) +npm run dev + +# Start other variants +npm run dev:tech +npm run dev:finance + +# Run type checking +npm run typecheck + +# Run tests +npm run test:data # Data integrity tests +npm run test:e2e # Playwright end-to-end tests + +# Production build (per variant) +npm run build # full +npm run build:tech +npm run build:finance +``` + +The dev server runs at `http://localhost:3000`. Run `make help` to see all available make targets. + +### Environment Variables (Optional) + +For full functionality, copy `.env.example` to `.env.local` and fill in the API keys you need. The app runs without any API keys — external data sources will simply be unavailable. + +See [API Dependencies](docs/DOCUMENTATION.md#api-dependencies) for the full list. + +## How to Contribute + +### Types of Contributions We Welcome + +- **Bug fixes** — found something broken? Fix it! +- **New data layers** — add new geospatial data sources to the map +- **RSS feeds** — expand our 100+ feed collection with quality sources +- **UI/UX improvements** — make the dashboard more intuitive +- **Performance optimizations** — faster loading, better caching +- **Documentation** — improve docs, add examples, fix typos +- **Accessibility** — make the dashboard usable by everyone +- **Internationalization** — help make World Monitor available in more languages +- **Tests** — add unit or integration tests + +### What We're Especially Looking For + +- New data layers (see [Adding Data Sources](#adding-data-sources)) +- Feed quality improvements and new RSS sources +- Mobile responsiveness improvements +- Performance optimizations for the map rendering pipeline +- Better anomaly detection algorithms + +## Pull Request Process + +1. **Update documentation** if your change affects the public API or user-facing behavior +2. **Run type checking** before submitting: `npm run typecheck` +3. **Test your changes** locally with at least the `full` variant, and any other variant your change affects +4. **Keep PRs focused** — one feature or fix per pull request +5. **Write a clear description** explaining what your PR does and why +6. **Link related issues** if applicable + +### PR Title Convention + +Use a descriptive title that summarizes the change: + +- `feat: add earthquake magnitude filtering to map layer` +- `fix: resolve RSS feed timeout for Al Jazeera` +- `docs: update API dependencies section` +- `perf: optimize marker clustering at low zoom levels` +- `refactor: extract threat classifier into separate module` + +### Review Process + +- All PRs require review from a maintainer before merging +- Maintainers may request changes — this is normal and collaborative +- Once approved, a maintainer will merge your PR + +## AI-Assisted Development + +We fully embrace AI-assisted development. Many of our own PRs are labeled with the LLM that helped produce them (e.g., `claude`, `codex`, `cursor`), and contributors are welcome to use any AI tools they find helpful. + +That said, **all code is held to the same quality bar regardless of how it was written**. AI-generated code will be reviewed with the same scrutiny as human-written code. Contributors are responsible for understanding and being able to explain every line they submit. Blindly pasting LLM output without review is discouraged — treat AI as a collaborator, not a replacement for your own judgement. + +## Coding Standards + +### TypeScript + +- Use TypeScript for all new code +- Avoid `any` types — use proper typing or `unknown` with type guards +- Export interfaces/types for public APIs +- Use meaningful variable and function names + +### Code Style + +- Follow the existing code style in the repository +- Use `const` by default, `let` when reassignment is needed +- Prefer functional patterns (map, filter, reduce) over imperative loops +- Keep functions focused — one responsibility per function +- Add JSDoc comments for exported functions and complex logic + +### File Organization + +- Static layer/geo data and variant configs go in `src/config/` +- Sebuf handler implementations go in `server/worldmonitor/{domain}/v1/` +- Edge function gateway and legacy endpoints go in `api/` +- UI components (panels, map, modals) go in `src/components/` +- Service modules (data fetching, client wrappers) go in `src/services/` +- Proto definitions go in `proto/worldmonitor/{domain}/v1/` + +## Working with Sebuf (RPC Framework) + +Sebuf is the project's custom Proto-first HTTP RPC framework — a lightweight alternative to gRPC-Web. All API communication between client and server uses Sebuf. + +### How It Works + +1. **Proto definitions** in `proto/worldmonitor/{domain}/v1/` define services and messages +2. **Code generation** (`make generate`) produces: + - TypeScript clients in `src/generated/client/` (e.g., `MarketServiceClient`) + - Server route factories in `src/generated/server/` (e.g., `createMarketServiceRoutes`) +3. **Handlers** in `server/worldmonitor/{domain}/v1/handler.ts` implement the service interface +4. **Gateway** in `api/[domain]/v1/[rpc].ts` registers all handlers and routes requests +5. **Clients** in `src/services/{domain}/index.ts` wrap the generated client for app use + +### Adding a New RPC Method + +1. Add the method to the `.proto` service definition +2. Run `make generate` to regenerate client/server stubs +3. Implement the handler method in the domain's `handler.ts` +4. The client stub is auto-generated — use it from `src/services/{domain}/` + +Use `make lint` to lint proto files and `make breaking` to check for breaking changes against main. + +### Proto Conventions + +- **Time fields**: Use `int64` (Unix epoch milliseconds), not `google.protobuf.Timestamp` +- **int64 encoding**: Apply `[(sebuf.http.int64_encoding) = INT64_ENCODING_NUMBER]` on time fields so TypeScript receives `number` instead of `string` +- **HTTP annotations**: Every RPC method needs `option (sebuf.http.config) = { path: "...", method: POST }` + +### Proto Codegen Requirements + +Run `make install` to install everything automatically, or install individually: + +```bash +make install-buf # Install buf CLI (requires Go) +make install-plugins # Install sebuf protoc-gen plugins (requires Go) +``` + +## Adding Data Sources + +To add a new data layer to the map: + +1. **Define the data source** — identify the API or dataset you want to integrate +2. **Add the proto service** (if the data needs a backend proxy) — define messages and RPC methods in `proto/worldmonitor/{domain}/v1/` +3. **Generate stubs** — run `make generate` +4. **Implement the handler** in `server/worldmonitor/{domain}/v1/` +5. **Register the handler** in `api/[domain]/v1/[rpc].ts` and `vite.config.ts` (for local dev) +6. **Create the service module** in `src/services/{domain}/` wrapping the generated client +7. **Add the layer config** and implement the map renderer following existing layer patterns +8. **Add to layer toggles** — make it toggleable in the UI +9. **Document the source** — add it to `docs/DOCUMENTATION.md` + +For endpoints that deal with non-JSON payloads (XML feeds, binary data, HTML embeds), you can add a standalone Edge Function in `api/` instead of Sebuf. For anything returning JSON, prefer Sebuf — the typed contracts are always worth it. + +### Data Source Requirements + +- Must be freely accessible (no paid-only APIs for core functionality) +- Must have a permissive license or be public government data +- Should update at least daily for real-time relevance +- Must include geographic coordinates or be geo-locatable + +## Adding RSS Feeds + +To add new RSS feeds: + +1. Verify the feed is reliable and actively maintained +2. Assign a **source tier** (1-4) based on editorial reliability +3. Flag any **state affiliation** or **propaganda risk** +4. Categorize the feed (geopolitics, defense, energy, tech, etc.) +5. Test that the feed parses correctly through the RSS proxy + +## Reporting Bugs + +When filing a bug report, please include: + +- **Description** — clear description of the issue +- **Steps to reproduce** — how to trigger the bug +- **Expected behavior** — what should happen +- **Actual behavior** — what actually happens +- **Screenshots** — if applicable +- **Browser/OS** — your environment details +- **Console errors** — any relevant browser console output + +Use the [Bug Report issue template](https://github.com/koala73/worldmonitor/issues/new/choose) when available. + +## Feature Requests + +We welcome feature ideas! When suggesting a feature: + +- **Describe the problem** it solves +- **Propose a solution** with as much detail as possible +- **Consider alternatives** you've thought about +- **Provide context** — who would benefit from this feature? + +Use the [Feature Request issue template](https://github.com/koala73/worldmonitor/issues/new/choose) when available. + +## Code of Conduct + +This project follows the [Contributor Covenant Code of Conduct](CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code. Please report unacceptable behavior through GitHub issues or by contacting the repository owner. + +--- + +Thank you for helping make World Monitor better! 🌍 diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..f28241d48 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,100 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| main | :white_check_mark: | + +Only the latest version on the `main` branch is actively maintained and receives security updates. + +## Reporting a Vulnerability + +**Please do NOT report security vulnerabilities through public GitHub issues.** + +If you discover a security vulnerability in World Monitor, please report it responsibly: + +1. **GitHub Private Vulnerability Reporting**: Use [GitHub's private vulnerability reporting](https://github.com/koala73/worldmonitor/security/advisories/new) to submit your report directly through the repository. + +2. **Direct Contact**: Alternatively, reach out to the repository owner [@koala73](https://github.com/koala73) directly through GitHub. + +### What to Include + +- A description of the vulnerability and its potential impact +- Steps to reproduce the issue +- Affected components (edge functions, client-side code, data layers, etc.) +- Any potential fixes or mitigations you've identified + +### Response Timeline + +- **Acknowledgment**: Within 48 hours of your report +- **Initial Assessment**: Within 1 week +- **Fix/Patch**: Depending on severity, critical issues will be prioritized + +### What to Expect + +- You will receive an acknowledgment of your report +- We will work with you to understand and validate the issue +- We will keep you informed of progress toward a fix +- Credit will be given to reporters in the fix commit (unless you prefer anonymity) + +## Security Considerations + +World Monitor is a client-side intelligence dashboard that aggregates publicly available data. Here are the key security areas: + +### API Keys & Secrets + +- All API keys are stored server-side in Vercel Edge Functions +- No API keys should ever be committed to the repository +- Environment variables (`.env.local`) are gitignored +- The RSS proxy uses domain allowlisting to prevent SSRF + +### Edge Functions & Sebuf Handlers + +- All 17 domain APIs are served through Sebuf (a Proto-first RPC framework) via Vercel Edge Functions +- Edge functions and handlers should validate/sanitize all input +- CORS headers are configured per-function +- Rate limiting and circuit breakers protect against abuse + +### Client-Side Security + +- No sensitive data is stored in localStorage or sessionStorage +- External content (RSS feeds, news) is sanitized before rendering +- Map data layers use trusted, vetted data sources + +### Data Sources + +- World Monitor aggregates publicly available OSINT data +- No classified or restricted data sources are used +- State-affiliated sources are flagged with propaganda risk ratings +- All data is consumed read-only — the platform does not modify upstream sources + +## Scope + +The following are **in scope** for security reports: + +- Vulnerabilities in the World Monitor codebase +- Edge function security issues (SSRF, injection, auth bypass) +- XSS or content injection through RSS feeds or external data +- API key exposure or secret leakage +- Dependency vulnerabilities with a viable attack vector + +The following are **out of scope**: + +- Vulnerabilities in third-party services we consume (report to the upstream provider) +- Social engineering attacks +- Denial of service attacks +- Issues in forked copies of the repository +- Security issues in user-provided environment configurations + +## Best Practices for Contributors + +- Never commit API keys, tokens, or secrets +- Use environment variables for all sensitive configuration +- Sanitize external input in edge functions +- Keep dependencies updated — run `npm audit` regularly +- Follow the principle of least privilege for API access + +--- + +Thank you for helping keep World Monitor and its users safe! 🔒