Commit Graph

43 Commits

Author SHA1 Message Date
Elie Habib
116fc80fc7 Merge remote-tracking branch 'origin/main' into feature/finance-variant
# Conflicts:
#	index.html
#	src/components/DeckGLMap.ts
2026-02-17 09:37:47 +04:00
Elie Habib
65dea2e4f9 fix(desktop): batch keychain reads to reduce macOS password prompts
Add get_all_secrets command that reads all 18 keys in a single IPC call.
This triggers one Keychain prompt instead of 18 on fresh installs.
2026-02-17 00:24:44 +04:00
Elie Habib
88ad25cb93 release: v2.3.7
Full light mode theme, header dark/light toggle, desktop update checker,
bundled Node.js in installer, CORS fixes, and panel defaults update.
2026-02-16 23:56:28 +04:00
Elie Habib
c94ec0b4ad Adding Node in the Tauri Installer
2026-02-16 23:30:19 +04:00
Elie Habib
cccfdac0f9 feat(update): add desktop update check with architecture-aware download links
2026-02-16 23:13:10 +04:00
Elie Habib
60cec92a16 fix(windows): preserve UNC paths when sanitizing sidecar script path
2026-02-16 23:09:30 +04:00
Claude
01fb23df5c feat: add finance/trading variant with market-focused dashboard
Add a new 'finance' site variant (finance.worldmonitor.app) following the
same pattern as the existing tech variant. Includes:

- Finance-specific RSS feeds: markets, forex, bonds, commodities, crypto,
  central banks, economic data, IPOs/M&A, derivatives, fintech, regulation,
  institutional investors, and market analysis (all free/open RSS sources)
- Finance-focused panels with trading-themed labels (Market Headlines,
  Live Markets, Forex & Currencies, Fixed Income, etc.)
- Geographic data for stock exchanges (30+), financial centers (20+),
  central banks (14), and commodity hubs (10) worldwide
- Four new map layers: stockExchanges, financialCenters, centralBanks,
  commodityHubs with tier-based icons and zoom-dependent labels
- Map popup rendering for all finance marker types
- Variant switcher updated with FINANCE tab in header
- Search modal with finance-specific sources and icons
- Vite HTML variant plugin metadata for SEO
- Build scripts (dev:finance, build:finance, test:e2e:finance)
- Tauri desktop config for Finance Monitor app

https://claude.ai/code/session_01CCmkws2EYuUHjYDonzXEtY
2026-02-16 11:22:17 +01:00
Elie Habib
700132adad fix: hide node.exe console window on Windows & bump v2.3.6
Add CREATE_NO_WINDOW (0x08000000) creation flag to the sidecar
Command::new() spawn on Windows. Without this, node.exe inherits
a visible console window that overlays the Tauri GUI.
2026-02-16 09:00:16 +04:00
Elie Habib
46010c3911 feat: differentiated panel error messages & auto-hide desktop config (v2.3.5)
- Add Panel.showConfigError() with amber styling and desktop Settings link
- Propagate `skipped` flag from Finnhub and FIRMS API responses
- Show "API key not configured" on Markets/Heatmap/Commodities/FIRMS panels
  when sidecar returns skipped (missing API key)
- ETF, Stablecoin, MacroSignals panels detect upstream API unavailability
  and show retry message instead of generic "Failed to fetch"
- RuntimeConfigPanel auto-hides when all features are configured
- Bump version to 2.3.5
2026-02-16 08:51:47 +04:00
Elie Habib
7d3b600364 fix: strip UNC path prefix for Windows sidecar, set explicit CWD & bump v2.3.4
Tauri resource_dir() on Windows returns \\?\ extended-length paths that
Node.js module resolution cannot handle, causing EISDIR: lstat 'C:'.
Strip the prefix before passing to Node.js, set current_dir to the
sidecar directory, and add package.json with "type": "module" to prevent
ESM scope walk-up to drive root.
2026-02-16 00:47:02 +04:00
Elie Habib
f3581a5f9b fix: enable macOS Keychain backend for keyring crate & bump v2.3.3
keyring v3 ships with NO default platform backends — API keys were
stored in-memory only, lost on every app restart. Add apple-native
and windows-native features to use real OS credential stores.
2026-02-16 00:31:46 +04:00
Elie Habib
d3fb116e16 fix: harden settings key persistence with soft-pass verification & resilient keychain reads
2026-02-16 00:31:46 +04:00
Elie Habib
f3fddcb0e8 fix: settings UX — save verified keys, preserve inputs across renders, bump v2.3.2
- Save keys that pass verification even when others fail (was all-or-nothing)
- Capture un-blurred input values before render to prevent loss on checkbox toggle
- Fix missing isDisallowedOrigin import in PIZZINT endpoints
2026-02-15 23:33:19 +04:00
Elie Habib
a9b3582ae3 fix: harden sidecar verification, dedupe spikes, and bump v2.3.1
2026-02-15 22:57:09 +04:00
Elie Habib
fb51b5bf40 fix: desktop settings UX overhaul & IPv4-safe fetch for sidecar
- Show "Staged" status/pill for buffered secrets instead of "Missing"
- Add macOS Edit menu (Cmd+C/V/X/Z) for WKWebView clipboard support
- Raise settings window when main gains focus (prevent hide-behind)
- Fix Cloudflare verification to probe Radar API (not token/verify)
- Fix EIA verification URL to valid v2 endpoint
- Force IPv4 globally: monkey-patch fetch() to avoid IPv6 ETIMEDOUT
  on government APIs (EIA, NASA FIRMS) with broken AAAA records
- Soft-pass on network errors during secret verification (don't block save)
- Add desktopRequiredSecrets to skip relay URLs on desktop
- Cross-window sync for secrets and feature toggles via localStorage events
- Add @tauri-apps/cli devDependency
2026-02-15 22:35:21 +04:00
Elie Habib
f64af4c571 fix: harden CORS patterns & URL validation
- Allow hyphens in Vercel preview URL patterns (worldmonitor-xxx-yyy)
- Harden open_url command with proper URL parsing via reqwest::Url
- Update YouTube embed test assertions for quote style change
2026-02-15 21:34:00 +04:00
Elie Habib
0738e38baa settings: verify API keys via provider probes
2026-02-15 21:31:54 +04:00
Elie Habib
723279eedc chore: bump v2.3.0 — security hardening release with changelog
Major security hardening: CORS enforcement on all API endpoints,
sidecar auth bypass fix, postMessage origin validation, CSP
tightening, and service worker stale cache fix.
2026-02-15 20:38:54 +04:00
Elie Habib
a9224254a5 fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7
- Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing
- Move sidecar /api/local-env-update behind token auth + add key allowlist
- Add postMessage origin/source validation in LiveNewsPanel
- Replace postMessage wildcard '*' targetOrigin with specific origin
- Add isDisallowedOrigin() check to 25 API endpoints missing it
- Migrate gdelt-geo & EIA from custom CORS to shared _cors.js
- Add CORS to firms-fires, stock-index, youtube/live endpoints
- Tighten youtube/embed.js ALLOWED_ORIGINS regex
- Remove 'unsafe-inline' from CSP script-src
- Add iframe sandbox attribute to YouTube embed
- Validate meta-tags URL query params with regex allowlist
2026-02-15 20:33:20 +04:00
Elie Habib
a31f81a0fe fix: filter trending noise, fix sidecar auth & restore tech panels — v2.2.6
- Expand SUPPRESSED_TRENDING_TERMS from 13 to ~170 entries to filter
  common English words (department, state, news, etc.) from intelligence
  findings
- Move sidecar admin endpoints (debug-toggle, traffic-log, env-update,
  local-status) before LOCAL_API_TOKEN auth gate — settings window sends
  bare fetch without token, causing silent 401 failures
- Restore Market Radar and Economic Indicators panels to tech variant
- Remove stale Documentation section from README
- Clean up .env.example cyber threat keys (handled internally)
- Bump v2.2.6
2026-02-15 20:00:17 +04:00
Elie Habib
ac935d505e fix: migrate all Vercel edge functions to CORS allowlist & bump v2.2.5
Replace Access-Control-Allow-Origin: * with shared getCorsHeaders()
across 20 API edge functions to restrict access to worldmonitor.app,
tech.worldmonitor.app, and authorized Vercel preview URLs.

Version bump to 2.2.5 across package.json, tauri.conf.json, Cargo.toml.
2026-02-15 19:13:54 +04:00
Elie Habib
5facae7105 feat: add cyber threat map layer with Feodo Tracker + URLhaus integration
Plot live botnet C2 servers, malware distribution nodes, and malicious IPs
on the globe using free abuse.ch APIs (Feodo Tracker + URLhaus).

- Vercel edge API with triple-layer caching (Redis → memory → stale fallback)
- IP geolocation via ipwho.is + ipapi.co (HTTPS-compatible with Edge runtime)
- Severity-based color coding (critical=red, high=orange, medium=amber, low=yellow)
- Feature-gated behind VITE_ENABLE_CYBER_LAYER=true env var
- Frontend circuit breaker, data sanitization, 10min auto-refresh
- Tauri desktop support: 3 new secret keys (URLHAUS, OTX, AbuseIPDB)
- Full test suite (6 unit tests), e2e harness updates, popup + tooltip rendering
2026-02-15 16:52:24 +04:00
Elie Habib
add310349b chore: bump version to 2.2.2
2026-02-15 14:10:35 +04:00
Elie Habib
77fc5fe4bd fix(macos): hide window on close instead of quitting
Standard macOS behavior — app stays in dock, reopens on dock click.
2026-02-15 10:26:43 +04:00
Elie Habib
1912e248c6 Bump v2.2.1, remove CLAUDE.md from repo and add to .gitignore
2026-02-15 00:16:46 +04:00
Elie Habib
5b1f980b70 Fix Windows settings window: async command, no menu bar, no white flash
- Make open_settings_window_command async to prevent WebView2 deadlock on Windows
- Create settings window with visible(false) to avoid white flash before content loads
- Remove menu bar from settings window on Windows/Linux (macOS uses screen-level menu)
- Frontend calls plugin:window|show + set_focus after init completes
2026-02-15 00:15:23 +04:00
Elie Habib
2c2a6dfbc3 Fix YouTube CSP, add devtools menu, improve desktop channel switching
- Add worldmonitor.app to frame-src CSP in index.html (was only in
  tauri.conf.json, causing iframe block)
- Add devtools feature and Help > Toggle Developer Tools menu item
- Try native YouTube JS API first, fall back to cloud bridge on Error 153
- Add pause-then-play workaround for WKWebView channel switching
2026-02-14 21:09:55 +04:00
Elie Habib
ea4fe718aa Add token-based auth for local API sidecar
Prevents unauthorized local processes from accessing the sidecar on
localhost:46123. Token is generated at Tauri startup using RandomState
hasher, injected into sidecar env, and lazy-loaded by the frontend
fetch patch via get_local_api_token command.

Service-status endpoint remains public for health checks.

Co-authored-by: RinZ27 <RinZ27@users.noreply.github.com>
2026-02-14 20:05:17 +04:00
Elie Habib
c353cf2070 Reduce egress costs, add PWA support, fix Polymarket and Railway relay
Egress optimization:
- Add s-maxage + stale-while-revalidate to all API endpoints for Vercel CDN caching
- Add vercel.json with immutable caching for hashed assets
- Add gzip compression to sidecar responses >1KB
- Add gzip to Railway RSS responses (4 paths previously uncompressed)
- Increase polling intervals: markets/crypto 60s→120s, ETF/macro/stablecoins 60s→180s
- Remove hardcoded Railway URL from theater-posture.js (now env-var only)

PWA / Service Worker:
- Add vite-plugin-pwa with autoUpdate strategy
- Cache map tiles (CacheFirst), fonts (StaleWhileRevalidate), static assets
- NetworkOnly for all /api/* routes (real-time data must be fresh)
- Manual SW registration (web only, skip Tauri)
- Add offline fallback page
- Replace manual manifest with plugin-generated manifest

Polymarket fix:
- Route dev proxy through production Vercel (bypasses JA3 blocking)
- Add 4th fallback tier: production URL as absolute fallback

Desktop/Sidecar:
- Dual-backend cache (_upstash-cache.js): Redis cloud + in-memory+file desktop
- Settings window OK/Cancel redesign
- Runtime config and secret injection improvements
2026-02-14 19:53:04 +04:00
Elie Habib
75a85ebafc Fix desktop app reliability: YouTube embeds, panel failures, circuit breakers
- Fix YouTube Error 153 by serving embed bridge from cloud URL (origin match)
- Fix channel switching when playerContainer detached from DOM
- Fix Fires panel infinite spinner when API returns 0 or fails
- Make TECH variant button open web URL instead of being disabled
- Fix circuit breaker caching empty results as success in 6 services
  (polymarket, wingbits, military-flights, outages, conflicts, protests)
- Improve sidecar: cloud-preferred routing, failed import caching, log dedup
- Add FINNHUB_API_KEY and NASA_FIRMS_API_KEY to Tauri secret keys
- Add early 503 for missing ACLED token in risk-scores
2026-02-14 00:25:02 +04:00
Elie Habib
ad4e52caee Fix Tauri desktop runtime reliability and settings UX
2026-02-13 23:05:51 +04:00
Elie Habib
493ceed0e3 docs: refine tauri offline mode workflow
2026-02-13 14:01:03 +04:00
Elie Habib
e22f7d8aeb docs: add tauri offline dependency packaging guidance
2026-02-13 13:52:56 +04:00
Elie Habib
a97157b9c5 Add reproducible cross-OS Tauri packaging workflow
2026-02-13 10:27:39 +04:00
Elie Habib
9bc39ad2d1 Address packaging review feedback for signing hooks and docs clarity
2026-02-13 10:18:45 +04:00
Elie Habib
47f36416ce Add reproducible desktop packaging commands and release checklist
2026-02-13 10:11:16 +04:00
Elie Habib
4f6d3396de Add desktop offline cache persistence and freshness badges
2026-02-13 09:46:11 +04:00
Elie Habib
124683090d Add desktop runtime config panel and secure secret vault hooks
2026-02-13 09:22:14 +04:00
Elie Habib
a007d44e67 Add Tauri local API sidecar and desktop runtime routing with cloud fallback (#46)
### Motivation
- Provide a local backend for the Tauri desktop app so core
functionality (news, summarization, markets, telemetry, status) does not
require Vercel edge functions and can run offline or with reduced cloud
dependency.
- Minimize frontend changes by exposing the same `/api/*` paths locally
and failing over to the cloud when handlers are missing or local
execution fails.

### Description
- Add a Node sidecar local API server at
`src-tauri/sidecar/local-api-server.mjs` that dispatches `/api/*` to
existing `api/*.js` handlers when present and proxies to the cloud
(`https://worldmonitor.app`) as a fallback.
- Start/stop the sidecar with the Tauri app lifecycle by launching it
from `src-tauri/src/main.rs` and managing the child process state.
- Update Tauri configuration in `src-tauri/tauri.conf.json` to allow the
local API origin (`http://127.0.0.1:46123`) in the CSP and to include
`../api` and `sidecar/local-api-server.mjs` as bundle resources.
- Desktop runtime routing changes in `src/services/runtime.ts`: default
desktop API base set to `http://127.0.0.1:46123`, added
`getRemoteApiBaseUrl()` and an `installRuntimeFetchPatch()` function
that patches `fetch` to route `/api/*` to the local sidecar with
automatic cloud fallback.
- Enable the runtime fetch patch at app start by calling
`installRuntimeFetchPatch()` from `src/main.ts`.
- Update `ServiceStatusPanel` (`src/components/ServiceStatusPanel.ts`)
to render local backend status and to show clear messaging when the
local backend is unavailable and the UI is using the cloud fallback.
- Add documentation `docs/local-backend-audit.md` listing prioritized
`/api/*` endpoints for desktop parity and describing the localization
strategy.
- Minor formatting run via `cargo fmt` adjusted `src-tauri/build.rs`.

### Testing
- `npm run typecheck` (`tsc --noEmit`) passed successfully.
- `cargo fmt` completed successfully and reformatted
`src-tauri/build.rs` where needed.
- `cargo check` failed in this environment due to network restrictions
while downloading crates index (environment-specific HTTP 403); this is
unrelated to the code changes themselves.
- Local sidecar smoke tests (automated invocation): launched `node
src-tauri/sidecar/local-api-server.mjs` and verified `GET
/api/local-status` and `GET /api/service-status` returned expected JSON
responses (local status included), demonstrating the sidecar dispatch
and health endpoints work in this environment.
- Playwright screenshot attempt failed because the dev server was not
reachable from the test environment (`net::ERR_EMPTY_RESPONSE`), so UI
screenshot validation could not be completed here.

------
[Codex Task](https://chatgpt.com/codex/tasks/task_e_698ead50f548833398717fa3b8c92230)
2026-02-13 09:09:08 +04:00
Elie Habib
54b5adb8c7 Harden desktop sidecar route matching and fetch routing
2026-02-13 09:07:33 +04:00
Elie Habib
b7ee69dbb7 Add Tauri local API sidecar with desktop routing fallback
2026-02-13 08:59:22 +04:00
Elie Habib
778bc830d6 Refine Tauri variant metadata and runtime detection
2026-02-13 08:58:55 +04:00
Elie Habib
eb0f396d16 Add Tauri v2 desktop scaffold and runtime bridge
2026-02-13 08:47:12 +04:00