mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
f783bf2d2d
* fix(intelligence): include framework/systemAppend hash in cache keys (todos 041, 045, 051) * fix(intelligence): gate framework/systemAppend on server-side PRO check (todo 042) * fix(skills): exact hostname allowlist + redirect:manual to prevent SSRF (todos 043, 054) * fix(intelligence): sanitize systemAppend against prompt injection before LLM (todo 044) * fix(intelligence): use framework field in DeductionPanel, fix InsightsPanel double increment (todos 046, 047) * fix(intelligence): settings export, hot-path cache, country-brief debounce (todos 048, 049, 050) * fix(intelligence): i18n, FrameworkSelector note, stripThinkingTags dedup, UUID IDs (todos 052, 055, 056, 057) - i18n Analysis Frameworks settings section (en + fr locales, replace all hardcoded English strings with t() calls) - FrameworkSelector: replace panelId==='insights' hardcode with note? option; both InsightsPanel and DailyMarketBriefPanel pass note - stripThinkingTags: remove inline duplicate in summarize-article.ts, import from _shared/llm; add Strip unterminated comment so tests can locate the section - Replace Date.now() IDs for imported frameworks with crypto.randomUUID() - Drop 'not supported in phase 1' phrasing to 'not supported' - test: fix summarize-reasoning Fix 2 suite to read from llm.ts - test: add premium-check-stub and wire into redis-caching country intel brief importPatchedTsModule so test can resolve the new import * fix(security): address P1 review findings from PR #2386 - premium-check: require `required: true` from validateApiKey so trusted browser origins (worldmonitor.app, Vercel previews, localhost) are not treated as PRO callers; fixes free-user bypass of framework/systemAppend gate - llm: replace weak sanitizeSystemAppend with sanitizeForPrompt from llm-sanitize.js; all callLlm callers now get model-delimiter and control-char stripping, not just phrase blocklist - get-country-intel-brief: apply sanitizeForPrompt to contextSnapshot before injecting into user prompt; fixes unsanitized query-param injection Closes todos 060, 061, 062 (P1 — blocked merge of #2386). * chore(todos): mark P1 todos 060-062 complete * fix(agentskills): address Greptile P2 review comments - hoist ALLOWED_AGENTSKILLS_HOSTS Set to module scope (was reallocated per-request) - add res.type === 'opaqueredirect' check alongside the 3xx guard; Edge Runtime returns status=0 for opaque redirects so the status range check alone is dead code
23 lines
1.0 KiB
Markdown
23 lines
1.0 KiB
Markdown
---
|
|
status: pending
|
|
priority: p3
|
|
issue_id: "074"
|
|
tags: [code-review, quality, analytical-frameworks]
|
|
dependencies: []
|
|
---
|
|
|
|
# `MAX_LEN = 2000` duplicated in `fetch-agentskills.ts` vs `MAX_INSTRUCTIONS_LEN` in `analysis-framework-store.ts`
|
|
|
|
## Problem Statement
|
|
`api/skills/fetch-agentskills.ts` defines its own `MAX_LEN = 2000` for instructions length. `src/services/analysis-framework-store.ts` already exports `MAX_INSTRUCTIONS_LEN` (or equivalent) for the same product limit. These constants are currently equal but defined independently — a change to one will silently diverge from the other.
|
|
|
|
## Proposed Solution
|
|
Import the shared constant in `fetch-agentskills.ts`. Note: edge functions (`api/*.ts`) cannot import from `src/` directly — if `MAX_INSTRUCTIONS_LEN` is in `src/`, extract it to a shared constants file accessible by both.
|
|
|
|
## Technical Details
|
|
- Files: `api/skills/fetch-agentskills.ts`, `src/services/analysis-framework-store.ts`
|
|
- Effort: Small | Risk: Low
|
|
|
|
## Work Log
|
|
- 2026-03-28: Identified by architecture-strategist during PR #2386 review
|