eliott/worldmonitor
1
0
Fork 0
mirror of https://github.com/koala73/worldmonitor.git synced 2026-04-25 17:14:57 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
feat/phase-19-barrel-elimination
worldmonitor/api
History
Elie Habib 13446a2170 fix(seed-contract-probe): send Origin header so /api/bootstrap boundary check doesn't 401 (#3100) 
* fix(seed-contract-probe): send Origin header so /api/bootstrap boundary check doesn't 401

Production probe returned {boundary: [{endpoint: '/api/bootstrap', pass: false,
status: 401, reason: 'status:401'}]}. Root cause: checkPublicBoundary's
self-fetch had no Origin header, so /api/bootstrap's validateApiKey() treated
it as a non-browser caller and required an API key.

Fix: set Origin: https://worldmonitor.app on the boundary self-fetch. This
takes the trusted-browser path without needing to embed an API key in the
probe. The probe runs edge-side with x-probe-secret internal auth; emulating
a trusted browser is only for boundary response-shape verification.

Tests still 17/17.

* fix(seed-contract-probe): explicit User-Agent on boundary self-fetch

Per AGENTS.md, server-side fetches must include a UA. middleware.ts:138
returns 403 for !ua || ua.length < 10 on non-public paths, and
/api/bootstrap is not in PUBLIC_API_PATHS — the probe works today only
because Vercel Edge implicitly adds a UA. Making it explicit.

Addresses greptile P2 on PR #3100.
2026-04-15 15:34:38 +04:00
..
aviation/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
climate/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
conflict/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
consumer-prices/v1
feat(consumer-prices): add basket price monitoring domain (#1901)
2026-03-20 17:08:22 +04:00
cyber/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
data
Proto-first API rebuild: sebuf contracts, handlers, gateway, and generated docs (#106)
2026-02-21 03:39:56 +04:00
discord/oauth
feat(notifications): gate all endpoints behind PRO entitlement (#2852)
2026-04-09 09:18:19 +04:00
displacement/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
economic/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
eia
fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7
2026-02-15 20:33:20 +04:00
enrichment
refactor(enrichment): dedupe domain/org normalization helpers (#1707)
2026-03-16 08:51:15 +04:00
forecast/v1
feat(forecast): AI Forecasts prediction module (#1579)
2026-03-15 01:42:04 +04:00
giving/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
health/v1
feat(panels): Disease Outbreaks, Shipping Stress, Social Velocity, nuclear test site enrichment (#2375)
2026-03-27 22:33:45 +04:00
imagery/v1
feat(map): add NOTAM overlay + satellite imagery integration (#1356)
2026-03-10 07:19:02 +04:00
infrastructure/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
intelligence/v1
fix(llm): pin LLM edge functions to US/EU regions to prevent geo-block 403s (#2541)
2026-03-30 11:08:14 +04:00
maritime/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
market/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
military/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
natural/v1
feat: move EONET/GDACS to server-side with Redis caching (#983)
2026-03-04 15:02:03 +04:00
news/v1
fix(llm): pin LLM edge functions to US/EU regions to prevent geo-block 403s (#2541)
2026-03-30 11:08:14 +04:00
oauth
feat(mcp): live airspace + maritime tools; fix OAuth consent UI (#2442)
2026-03-28 23:59:47 +04:00
positive-events/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
prediction/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
radiation/v1
feat: add Radiation Watch with seeded anomaly intelligence, map layers, and country exposure (#1735)
2026-03-17 09:18:06 +04:00
research/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
resilience/v1
feat(resilience): add service proto and stub handlers (#2657)
2026-04-04 08:04:46 +04:00
sanctions/v1
feat(sanctions): add OFAC sanctions pressure intelligence (#1739)
2026-03-17 11:52:32 +04:00
scenario/v1
feat(supply-chain): Sprint C — scenario engine (templates, job API, Railway worker, map activation) (#2890)
2026-04-10 14:44:14 +04:00
seismology/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
skills
fix(intelligence): analytical frameworks follow-up — P1 security + P2 correctness fixes (#2386)
2026-03-28 01:10:02 +04:00
slack/oauth
feat(notifications): gate all endpoints behind PRO entitlement (#2852)
2026-04-09 09:18:19 +04:00
supply-chain
fix(country-brief): display bugs — slugs, self-imports, N/A, HS labels (#3032)
2026-04-12 22:41:44 +04:00
thermal/v1
Add thermal escalation seeded service (#1747)
2026-03-17 14:24:26 +04:00
trade/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
unrest/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
v2/shipping
feat(supply-chain): Sprint D — GetSectorDependency RPC + vendor route-intelligence API + webhooks (#2905)
2026-04-10 17:12:29 +04:00
webcam/v1
feat(webcams): add webcam map layer with Windy API integration (#1540) (#1540)
2026-03-14 09:34:54 +04:00
wildfire/v1
perf(api): split monolithic edge function into per-domain functions (#753)
2026-03-02 14:13:34 +04:00
youtube
fix: resolve YouTube 'sign in to confirm' bot-check in embed panels (#1284)
2026-03-10 07:00:07 +04:00
_api-key.js
feat: Dodo Payments integration + entitlement engine & webhook pipeline (#2024)
2026-04-03 00:25:18 +04:00
_cors.js
fix(cors): add X-Widget-Key + X-Pro-Key to _cors.js; reduce Max-Age 86400→3600 (#2321)
2026-03-27 00:51:09 +04:00
_cors.test.mjs
Fix Tauri desktop runtime reliability and settings UX
2026-02-13 23:05:51 +04:00
_crypto.js
feat(mcp): full OAuth 2.1 compliance — Authorization Code + PKCE + DCR (#2432)
2026-03-28 18:40:53 +04:00
_email-validation.js
feat(email): add deliverability guards to reduce waitlist bounces (#2819)
2026-04-08 11:21:40 +04:00
_github-release.js
refactor: dedupe github latest release fetch wiring (#1704)
2026-03-16 08:59:33 +04:00
_ip-rate-limit.js
refactor(api): dedupe in-memory IP rate limiter (#1740)
2026-03-17 08:32:49 +04:00
_json-response.js
Triage security alerts (#1903)
2026-03-20 12:37:24 +04:00
_oauth-token.js
refactor: consolidate Upstash helpers and extract DeckGL color config (#2465)
2026-03-29 10:38:43 +04:00
_product-fallback-prices.js
fix(catalog): update prices to match Dodo catalog via API (#2678)
2026-04-04 15:05:00 +04:00
_rate-limit.js
feat(mcp): OAuth 2.0 Authorization Server for claude.ai connector (#2418)
2026-03-28 14:53:32 +04:00
_relay.js
fix(relay): add authorization guard to api/_relay.js and dedupe military baseUrl call (#1992)
2026-03-21 16:37:43 +04:00
_rss-allowed-domains.js
feat(commodity): gold layer enhancements (#2464)
2026-03-29 11:13:40 +04:00
_seed-envelope.js
feat(seed-contract): PR 1 foundation — envelope + contract + conformance test (#3095)
2026-04-14 22:11:56 +04:00
_sentry-edge.js
fix(edge): fire-and-forget Sentry, 2s timeout, response check (#2559)
2026-03-31 07:28:35 +04:00
_turnstile.js
refactor: share edge Turnstile helper (#1628)
2026-03-15 09:21:22 +04:00
_turnstile.test.mjs
refactor: share edge Turnstile helper (#1628)
2026-03-15 09:21:22 +04:00
_upstash-json.js
feat(seed-contract): PR 2a — runSeed envelope dual-write + 91 seeders migrated (#3097)
2026-04-15 09:16:27 +04:00
ais-snapshot.js
refactor(api): extract shared relay helper into _relay.js (#782)
2026-03-02 19:28:31 +04:00
bootstrap.js
feat(seed-contract): PR 2a — runSeed envelope dual-write + 91 seeders migrated (#3097)
2026-04-15 09:16:27 +04:00
cache-purge.js
refactor: consolidate Upstash helpers and extract DeckGL color config (#2465)
2026-03-29 10:38:43 +04:00
chat-analyst.ts
feat(analyst): topic-aware digest search fixes hallucination on niche queries (#2677)
2026-04-04 15:11:50 +04:00
contact.js
fix: update contact email to elie@worldmonitor.app (#2623)
2026-04-02 20:13:33 +04:00
create-checkout.ts
feat(checkout): in-page checkout on /pro + dashboard migration to edge endpoint (#2668)
2026-04-04 12:35:23 +04:00
download.js
refactor: dedupe github latest release fetch wiring (#1704)
2026-03-16 08:59:33 +04:00
fwdstart.js
refactor: dedupe edge api json response assembly (#1702)
2026-03-16 11:52:56 +04:00
geo.js
refactor: dedupe edge api json response assembly (#1702)
2026-03-16 11:52:56 +04:00
gpsjam.js
refactor: dedupe edge api json response assembly (#1702)
2026-03-16 11:52:56 +04:00
health.js
feat(seed-contract): PR 1 foundation — envelope + contract + conformance test (#3095)
2026-04-14 22:11:56 +04:00
loaders-xml-wms-regression.test.mjs
Build/runtime hardening and dependency security updates (#286)
2026-02-24 08:21:03 +00:00
mcp-proxy.js
fix(mcp): SSE transport support for /sse MCP servers (#1848)
2026-03-19 03:42:48 +04:00
mcp.ts
fix(seeds): upstream API drift — SPDR XLSX + IMF IRFCL + IMF-External BX/BM drop (#3076)
2026-04-14 08:19:47 +04:00
military-flights.js
refactor: dedupe edge api json response assembly (#1702)
2026-03-16 11:52:56 +04:00
notification-channels.ts
fix(notifications): move entitlement check to POST-only, allow GET without gating (#2898)
2026-04-10 15:12:30 +04:00
notify.ts
feat(notifications): gate all endpoints behind PRO entitlement (#2852)
2026-04-09 09:18:19 +04:00
og-story.js
fix(security): prevent Host header injection in story.js (#2102)
2026-03-23 08:44:25 +04:00
og-story.test.mjs
fix(api): sanitize og-story level input (#219)
2026-02-22 03:19:01 +04:00
opensky.js
refactor(api): extract shared relay helper into _relay.js (#782)
2026-03-02 19:28:31 +04:00
oref-alerts.js
refactor: dedupe edge api json response assembly (#1702)
2026-03-16 11:52:56 +04:00
polymarket.js
refactor(api): extract shared relay helper into _relay.js (#782)
2026-03-02 19:28:31 +04:00
product-catalog.js
feat(seed-contract): PR 2a — runSeed envelope dual-write + 91 seeders migrated (#3097)
2026-04-15 09:16:27 +04:00
register-interest.js
feat(email): add deliverability guards to reduce waitlist bounces (#2819)
2026-04-08 11:21:40 +04:00
reverse-geocode.js
refactor: consolidate Upstash helpers and extract DeckGL color config (#2465)
2026-03-29 10:38:43 +04:00
rss-proxy.js
Triage security alerts (#1903)
2026-03-20 12:37:24 +04:00
sanctions-entity-search.js
feat(sanctions): entity lookup index + OpenSanctions search (#2042) (#2085)
2026-03-23 19:38:11 +04:00
satellites.js
refactor: dedupe edge api json response assembly (#1702)
2026-03-16 11:52:56 +04:00
seed-contract-probe.ts
fix(seed-contract-probe): send Origin header so /api/bootstrap boundary check doesn't 401 (#3100)
2026-04-15 15:34:38 +04:00
seed-health.js
feat(market): Hyperliquid perp positioning flow as leading indicator (#3074)
2026-04-14 08:05:40 +04:00
story.js
fix(security): prevent Host header injection in story.js (#2102)
2026-03-23 08:44:25 +04:00
telegram-feed.js
fix(api): remove double URL-encoding in telegram-feed relay (#2108)
2026-03-23 09:14:40 +04:00
user-prefs.ts
feat(prefs): Phase 2 — frontend preferences sync (#2507)
2026-03-29 16:46:12 +04:00
version.js
refactor: dedupe edge api json response assembly (#1702)
2026-03-16 11:52:56 +04:00
widget-agent.ts
test(auth): cover widget-agent fallback cleanup (#2354)
2026-03-27 11:49:01 +04:00