Commit Graph

5 Commits

Author SHA1 Message Date
Elie Habib
c353cf2070 Reduce egress costs, add PWA support, fix Polymarket and Railway relay
Egress optimization:
- Add s-maxage + stale-while-revalidate to all API endpoints for Vercel CDN caching
- Add vercel.json with immutable caching for hashed assets
- Add gzip compression to sidecar responses >1KB
- Add gzip to Railway RSS responses (4 paths previously uncompressed)
- Increase polling intervals: markets/crypto 60s→120s, ETF/macro/stablecoins 60s→180s
- Remove hardcoded Railway URL from theater-posture.js (now env-var only)

PWA / Service Worker:
- Add vite-plugin-pwa with autoUpdate strategy
- Cache map tiles (CacheFirst), fonts (StaleWhileRevalidate), static assets
- NetworkOnly for all /api/* routes (real-time data must be fresh)
- Manual SW registration (web only, skip Tauri)
- Add offline fallback page
- Replace manual manifest with plugin-generated manifest

Polymarket fix:
- Route dev proxy through production Vercel (bypasses JA3 blocking)
- Add 4th fallback tier: production URL as absolute fallback

Desktop/Sidecar:
- Dual-backend cache (_upstash-cache.js): Redis cloud + in-memory+file desktop
- Settings window OK/Cancel redesign
- Runtime config and secret injection improvements
2026-02-14 19:53:04 +04:00
Elie Habib
14c67ff592 Optimize proxy usage with AIS snapshots, Upstash caching, and telemetry
2026-02-11 19:06:00 +04:00
Elie Habib
f7119b9ed6 Harden CORS, XSS, and input validation across all API endpoints and components
- Add CORS origin allowlist (api/_cors.js) replacing Access-Control-Allow-Origin: *
- Add isDisallowedOrigin guard to all API endpoints (acled, cloudflare-outages, finnhub, fred-data, hackernews, wingbits)
- Gut debug-env endpoint to return 404
- Tighten sanitizeUrl() with escapeAttr output and strict relative URL validation
- Add sanitizeUrl() adoption in CountryIntelModal, InsightsPanel, PredictionPanel, RegulationPanel, TechEventsPanel
- Comprehensive escapeHtml() hardening in MapPopup (cables, flights, vessels, clusters)
- Bound HackerNews concurrent fetches (MAX_CONCURRENCY=10), validate story type and limit params
- Add wingbits cache eviction (MAX_LOCAL_CACHE_ENTRIES=2000, sweep on TTL + LRU)
- Fix arxiv http→https, og-story parseInt safety with Number.isFinite + clamping
2026-02-11 14:35:07 +04:00
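Three of the hardening items in the commit above (the CORS origin allowlist with its isDisallowedOrigin guard, the stricter sanitizeUrl() with escaped output, and the Number.isFinite-plus-clamping parameter handling) are small enough to show together. The block below is an added example written for this page, not the project's api/_cors.js or its sanitizeUrl(); the allowed origins, the parameter limits and the probe inputs are all constructed for the example.

```javascript
// Added example (not the project's own code): an exact-match origin allowlist for
// serverless handlers, a strict URL sanitizer for values that end up in href
// attributes, and a clamped integer parser for query parameters.

const ALLOWED_ORIGINS = new Set([
  'https://example.com',     // assumed production origin
  'https://app.example.com', // assumed second front-end origin
]);

// Exact match only: no prefix, suffix or regex matching, so
// "https://example.com.evil.net" and "https://example.com:8443" do not pass.
// A request without an Origin header (same-origin navigation, curl) is not a
// cross-origin request, so it is not treated as disallowed here; the literal
// string "null" (sandboxed iframes, file://) is simply not on the list.
function isDisallowedOrigin(origin) {
  if (origin === undefined || origin === null || origin === '') return false;
  return !ALLOWED_ORIGINS.has(origin);
}

// Headers for an allowed origin: the origin is echoed back instead of "*", and
// Vary: Origin tells a shared cache that the response differs per origin.
function corsHeaders(origin) {
  if (isDisallowedOrigin(origin)) return { ok: false, headers: {} };
  const headers = { 'Access-Control-Allow-Methods': 'GET, OPTIONS' };
  if (origin) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Vary'] = 'Origin';
  }
  return { ok: true, headers };
}

// Attribute-context escaping for anything interpolated into an HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const SAFE_PROTOCOLS = new Set(['http:', 'https:']);

// Returns an attribute-safe URL or '' when the input must not be used at all.
// Control characters are rejected outright because browsers strip them from
// schemes ("java\tscript:" is still javascript:). A relative URL is accepted
// only with a single leading slash: "//host" and "/\host" both resolve to
// another origin.
function sanitizeUrl(raw) {
  if (typeof raw !== 'string') return '';
  const value = raw.trim();
  if (value === '' || /[\u0000-\u001f\u007f]/.test(value)) return '';
  if (value.startsWith('/')) {
    return /^\/[\/\\]/.test(value) ? '' : escapeAttr(value);
  }
  let parsed;
  try { parsed = new URL(value); } catch { return ''; }
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) return '';
  return escapeAttr(parsed.href);
}

// parseInt() returns NaN for garbage and will happily return huge numbers; the
// finiteness check plus clamp turns both into a bounded value.
function clampInt(raw, { min, max, fallback }) {
  const n = Number.parseInt(Array.isArray(raw) ? raw[0] : raw, 10);
  if (!Number.isFinite(n)) return fallback;
  return Math.min(max, Math.max(min, n));
}

// Constructed probes a reviewer would run against the sanitizer.
for (const probe of ['javascript:alert(1)', 'java\tscript:alert(1)', '//evil.example/x', '/\\evil.example', '/a?b=1&c=2']) {
  console.log(JSON.stringify(probe), '->', JSON.stringify(sanitizeUrl(probe)));
}
```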
Elie Habib
b4d4cd6041 Fix ACLED API endpoint URL and update docs
- Change ACLED API URL from api.acleddata.com to acleddata.com/api
- Update README to reflect Finnhub as primary stock data source
2026-01-11 15:00:38 +04:00
Elie Habib
5650ba59ec Fix ACLED token exposure - move to server-side proxy
Security fix: ACLED API token was embedded in client bundle

Changes:
- Create api/acled.js serverless proxy with token kept server-side
- Add 10-minute cache to reduce API calls
- Add rate limiting (10 req/min per IP)
- Return only needed fields to client
- Update protests.ts to use proxy instead of direct API calls
- Rename env var: VITE_ACLED_ACCESS_TOKEN -> ACLED_ACCESS_TOKEN

The token is now only accessible server-side (no VITE_ prefix).
2026-01-11 11:13:26 +04:00
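The fix described above moves the token behind a serverless proxy that also caches, rate-limits and trims the upstream response. The block below is an added example written for this page, not the project's api/acled.js or protests.ts: it shows the shape of such a proxy with the token read only on the server, a 10-minute cache, a 10-requests-per-minute sliding window per client IP, and an allowlist of fields that may reach the client. The upstream fetch and the clock are injected so the scenario runs offline; the Authorization scheme, the field names and the sample upstream rows are assumptions, not the upstream API's real format.

```javascript
// Added example (not the project's own code): token-holding proxy with cache,
// per-IP rate limit and output-field allowlist. Field names, the auth header
// format and the sample rows are assumptions for the example.

const CACHE_TTL_MS = 10 * 60 * 1000;
const RATE_LIMIT = 10;
const RATE_WINDOW_MS = 60 * 1000;
// Assumed field names: only these leave the server; everything else in the
// upstream payload is dropped before it reaches the client.
const CLIENT_FIELDS = ['event_date', 'event_type', 'country', 'latitude', 'longitude'];

function createProxy({ token, fetchUpstream, now = Date.now }) {
  // In the real handler this comes from process.env.ACLED_ACCESS_TOKEN. Without
  // the VITE_ prefix, Vite does not inline the variable into the client bundle.
  if (!token) throw new Error('upstream token is not configured');
  const cache = new Map(); // cacheKey -> { expires, body }
  const hits = new Map();  // ip -> timestamps of requests inside the window

  // Sliding window: RATE_LIMIT requests per RATE_WINDOW_MS per client IP.
  function isRateLimited(ip) {
    const t = now();
    const recent = (hits.get(ip) || []).filter((ts) => t - ts < RATE_WINDOW_MS);
    if (recent.length >= RATE_LIMIT) {
      hits.set(ip, recent);
      return true;
    }
    recent.push(t);
    hits.set(ip, recent);
    return false;
  }

  // Output allowlist: the only thing that reliably keeps upstream metadata (or
  // anything that echoes the credential) out of the client response.
  function project(rows) {
    return rows.map((row) =>
      Object.fromEntries(CLIENT_FIELDS.filter((k) => k in row).map((k) => [k, row[k]])));
  }

  // Keyed on the client's query only, never on the token.
  function cacheKey(query) {
    return JSON.stringify(Object.keys(query).sort().map((k) => [k, String(query[k])]));
  }

  async function handle({ ip, query }) {
    if (isRateLimited(ip)) return { status: 429, body: { error: 'rate limited' } };
    const key = cacheKey(query);
    const t = now();
    const hit = cache.get(key);
    if (hit && hit.expires > t) return { status: 200, body: hit.body, cached: true };
    const upstream = await fetchUpstream({
      query,
      headers: { Authorization: `Bearer ${token}` }, // assumed auth scheme
    });
    // Never forward the upstream error body: it can echo the request URL or token.
    if (!upstream.ok) return { status: 502, body: { error: 'upstream error' } };
    const body = project(upstream.data);
    cache.set(key, { expires: t + CACHE_TTL_MS, body });
    return { status: 200, body, cached: false };
  }

  return { handle, isRateLimited, project };
}

// Constructed upstream rows for the offline scenario.
const SAMPLE_UPSTREAM_ROWS = [
  { event_date: '2026-01-10', event_type: 'Protests', country: 'Examplestan',
    latitude: 10.5, longitude: 20.25, notes: 'internal detail', source_scale: 'National' },
];

// Drives one client through a cache hit, the rate limit, window expiry and TTL expiry.
async function runScenario() {
  const calls = [];
  let clock = 1_700_000_000_000;
  const fetchUpstream = async ({ headers }) => {
    calls.push(headers.Authorization);
    return { ok: true, data: SAMPLE_UPSTREAM_ROWS };
  };
  const proxy = createProxy({ token: 'secret-token', fetchUpstream, now: () => clock });
  const ip = '203.0.113.5';
  const query = { country: 'Examplestan' };
  const first = await proxy.handle({ ip, query });
  const second = await proxy.handle({ ip, query });
  let limited = null;
  for (let i = 0; i < 9; i++) limited = await proxy.handle({ ip, query }); // requests 3..11
  clock += 61_000;                                 // rate window has passed
  const afterWindow = await proxy.handle({ ip, query });
  clock += CACHE_TTL_MS;                           // cache entry has expired
  const afterTtl = await proxy.handle({ ip, query });
  return {
    firstStatus: first.status,
    fields: Object.keys(first.body[0]),
    leaked: JSON.stringify(first).includes('secret-token'),
    secondCached: second.cached,
    limitedStatus: limited.status,
    afterWindowStatus: afterWindow.status,
    afterWindowCached: afterWindow.cached,
    afterTtlCached: afterTtl.cached,
    upstreamCalls: calls.length,
  };
}

runScenario().then((r) => console.log(JSON.stringify(r)));
```

Two caveats apply to a proxy of this shape. The cache and the hit table live in the memory of one serverless instance, so both the limit and the cache are per instance rather than global until they are moved to a shared store (the later commit on this page mentions Upstash caching for that reason). And the client IP used for the limit has to come from a header the platform sets itself rather than one the caller can supply.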