eliott/worldmonitor
1
0
Fork 0
mirror of https://github.com/koala73/worldmonitor.git synced 2026-04-25 17:14:57 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
2f19d9635736d54e8fcc50e4ed23acb2b2dcc385
worldmonitor/tests/brief-llm-core.test.mjs
Elie Habib 2f19d96357 feat(brief): route whyMatters through internal analyst-context endpoint (#3248) 
* feat(brief): route whyMatters through internal analyst-context endpoint

The brief's "why this is important" callout currently calls Gemini on
only {headline, source, threatLevel, category, country} with no live
state. The LLM can't know whether a ceasefire is on day 2 or day 50,
that IMF flagged >90% gas dependency in UAE/Qatar/Bahrain, or what
today's forecasts look like. Output is generic prose instead of the
situational analysis WMAnalyst produces when given live context.

This PR adds an internal Vercel edge endpoint that reuses a trimmed
variant of the analyst context (country-brief, risk scores, top-3
forecasts, macro signals, market data — no GDELT, no digest-search)
and ships it through a one-sentence LLM call with the existing
WHY_MATTERS_SYSTEM prompt. The endpoint owns its own Upstash cache
(v3 prefix, 6h TTL), supports a shadow mode that runs both paths in
parallel for offline diffing, and is auth'd via RELAY_SHARED_SECRET.

Three-layer graceful degradation (endpoint → legacy Gemini-direct →
stub) keeps the brief shipping on any failure.

Env knobs:
- BRIEF_WHY_MATTERS_PRIMARY=analyst|gemini (default: analyst; typo → gemini)
- BRIEF_WHY_MATTERS_SHADOW=0|1 (default: 1; only '0' disables)
- BRIEF_WHY_MATTERS_SHADOW_SAMPLE_PCT=0..100 (default: 100)
- BRIEF_WHY_MATTERS_ENDPOINT_URL (Railway, optional override)

Cache keys:
- brief:llm:whymatters:v3:{hash16} — envelope {whyMatters, producedBy,
  at}, 6h TTL. Endpoint-owned.
- brief:llm:whymatters:shadow:v1:{hash16} — {analyst, gemini, chosen,
  at}, 7d TTL. Fire-and-forget.
- brief:llm:whymatters:v2:{hash16} — legacy. Cron's fallback path
  still reads/writes during the rollout window; expires in ≤24h.

Tests: 6022 pass (existing 5915 + 12 core + 36 endpoint + misc).
typecheck + typecheck:api + biome on changed files clean.

Plan (Codex-approved after 4 rounds):
docs/plans/2026-04-21-001-feat-brief-why-matters-analyst-endpoint-plan.md

* fix(brief): address /ce:review round 1 findings on PR #3248

Fixes 5 findings from multi-agent review, 2 of them P1:

- #241 P1: `.gitignore !api/internal/**` was too broad — it re-included
  `.env`, `.env.local`, and any future secret file dropped into that
  directory. Narrowed to explicit source extensions (`*.ts`, `*.js`,
  `*.mjs`) so parent `.env` / secrets rules stay in effect inside
  api/internal/.

- #242 P1: `Dockerfile.digest-notifications` did not COPY
  `shared/brief-llm-core.js` + `.d.ts`. Cron would have crashed at
  container start with ERR_MODULE_NOT_FOUND. Added alongside
  brief-envelope + brief-filter COPY lines.

- #243 P2: Cron dropped the endpoint's source/producedBy ground-truth
  signal, violating PR #3247's own round-3 memory
  (feedback_gate_on_ground_truth_not_configured_state.md). Added
  structured log at the call site: `[brief-llm] whyMatters source=<src>
  producedBy=<pb> hash=<h>`. Endpoint response now includes `hash` so
  log + shadow-record pairs can be cross-referenced.

- #244 P2: Defense-in-depth prompt-injection hardening. Story fields
  flowed verbatim into both LLM prompts, bypassing the repo's
  sanitizeForPrompt convention. Added sanitizeStoryFields helper and
  applied in both analyst and gemini paths.

- #245 P2: Removed redundant `validate` option from callLlmReasoning.
  With only openrouter configured in prod, a parse-reject walked the
  provider chain, then fell through to the other path (same provider),
  then the cron's own fallback (same model) — 3x billing on one reject.
  Post-call parseWhyMatters check already handles rejection cleanly.

Deferred to P3 follow-ups (todos 246-248): singleflight, v2 sunset,
misc polish (country-normalize LOC, JSDoc pruning, shadow waitUntil,
auto-sync mirror, context-assembly caching).

Tests: 6022 pass. typecheck + typecheck:api clean.

* fix(brief-why-matters): ctx.waitUntil for shadow write + sanitize legacy fallback

Two P2 findings on PR #3248:

1. Shadow record was fire-and-forget without ctx.waitUntil on an Edge
   function. Vercel can terminate the isolate after response return,
   so the background redisPipeline write completes unreliably — i.e.
   the rollout-validation signal the shadow keys were supposed to
   provide was flaky in production.

   Fix: accept an optional EdgeContext 2nd arg. Build the shadow
   promise up front (so it starts executing immediately) then register
   it with ctx.waitUntil when present. Falls back to plain unawaited
   execution when ctx is absent (local harness / tests).

2. scripts/lib/brief-llm.mjs legacy fallback path called
   buildWhyMattersPrompt(story) on raw fields with no sanitization.
   The analyst endpoint sanitizes before its own prompt build, but
   the fallback is exactly what runs when the endpoint misses /
   errors — so hostile headlines / sources reached the LLM verbatim
   on that path.

   Fix: local sanitizeStoryForPrompt wrapper imports sanitizeForPrompt
   from server/_shared/llm-sanitize.js (existing pattern — see
   scripts/seed-digest-notifications.mjs:41). Wraps story fields
   before buildWhyMattersPrompt. Cache key unchanged (hash is over raw
   story), so cache parity with the analyst endpoint's v3 entries is
   preserved.

Regression guard: new test asserts the fallback prompt strips
"ignore previous instructions", "### Assistant:" line prefixes, and
`<|im_start|>` tokens when injection-crafted fields arrive.

Typecheck + typecheck:api clean. 6023 / 6023 data tests pass.

* fix(digest-cron): COPY server/_shared/llm-sanitize into digest-notifications image

Reviewer P1 on PR #3248: my previous commit (4eee22083) added
`import sanitizeForPrompt from server/_shared/llm-sanitize.js` to
scripts/lib/brief-llm.mjs, but Dockerfile.digest-notifications cherry-
picks server/_shared/* files and doesn't copy llm-sanitize. Import is
top-level/static — the container would crash at module load with
ERR_MODULE_NOT_FOUND the moment seed-digest-notifications.mjs pulls in
scripts/lib/brief-llm.mjs. Not just on fallback — every startup.

Fix: add `COPY server/_shared/llm-sanitize.js server/_shared/llm-sanitize.d.ts`
next to the existing brief-render COPY line. Module is pure string
manipulation with zero transitive imports — nothing else needs to land.

Cites feedback_validation_docker_ship_full_scripts_dir.md in the comment
next to the COPY; the cherry-pick convention keeps biting when new
cross-dir imports land in scripts/lib/ or scripts/shared/.

Can't regression-test at build time from this branch without a
docker-build CI job, but the symptom is deterministic — local runs
remain green (they resolve against the live filesystem); only the
container crashes. Post-merge, Railway redeploy of seed-digest-
notifications should show a clean `Starting Container` log line
instead of the MODULE_NOT_FOUND crash my prior commit would have caused.
2026-04-21 14:03:27 +04:00

143 lines
4.9 KiB
JavaScript
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
/**
* Pinned regression tests for shared/brief-llm-core.js.
*
* The module replaces the pre-extract sync `hashBriefStory` (which used
* `node:crypto.createHash`) with a Web Crypto `crypto.subtle.digest`
* implementation. A drift in either the hash algorithm, the joining
* delimiter ('||'), or the field ordering would silently invalidate
* every cached `brief:llm:whymatters:*` entry at deploy time.
*
* These fixtures were captured from the pre-extract implementation and
* pinned here so any future refactor must ship a cache-version bump
* alongside.
*/
import { describe, it } from 'node:test';
import assert from 'node:assert/strict';
import { createHash } from 'node:crypto';
import {
WHY_MATTERS_SYSTEM,
buildWhyMattersUserPrompt,
hashBriefStory,
parseWhyMatters,
} from '../shared/brief-llm-core.js';
// Pre-extract sync impl, kept inline so the parity test can't drift from
// what the cron used to emit.
function legacyHashBriefStory(story) {
const material = [
story.headline ?? '',
story.source ?? '',
story.threatLevel ?? '',
story.category ?? '',
story.country ?? '',
].join('||');
return createHash('sha256').update(material).digest('hex').slice(0, 16);
}
const FIXTURE = {
headline: 'Iran closes Strait of Hormuz',
source: 'Reuters',
threatLevel: 'critical',
category: 'Geopolitical Risk',
country: 'IR',
};
describe('hashBriefStory — Web Crypto parity with legacy node:crypto', () => {
it('returns the exact hash the pre-extract implementation emitted', async () => {
const expected = legacyHashBriefStory(FIXTURE);
const actual = await hashBriefStory(FIXTURE);
assert.equal(actual, expected);
});
it('is 16 hex chars, case-insensitive match', async () => {
const h = await hashBriefStory(FIXTURE);
assert.equal(h.length, 16);
assert.match(h, /^[0-9a-f]{16}$/);
});
it('is stable across multiple invocations', async () => {
const a = await hashBriefStory(FIXTURE);
const b = await hashBriefStory(FIXTURE);
const c = await hashBriefStory(FIXTURE);
assert.equal(a, b);
assert.equal(b, c);
});
it('differs when any hash-material field differs', async () => {
const baseline = await hashBriefStory(FIXTURE);
for (const field of ['headline', 'source', 'threatLevel', 'category', 'country']) {
const mutated = { ...FIXTURE, [field]: `${FIXTURE[field]}!` };
const h = await hashBriefStory(mutated);
assert.notEqual(h, baseline, `${field} must be part of the cache identity`);
}
});
it('treats missing fields as empty strings (backcompat)', async () => {
const partial = { headline: FIXTURE.headline };
const expected = legacyHashBriefStory(partial);
const actual = await hashBriefStory(partial);
assert.equal(actual, expected);
});
});
describe('WHY_MATTERS_SYSTEM — pinned editorial voice', () => {
it('is a non-empty string with the one-sentence contract wording', () => {
assert.equal(typeof WHY_MATTERS_SYSTEM, 'string');
assert.ok(WHY_MATTERS_SYSTEM.length > 100);
assert.match(WHY_MATTERS_SYSTEM, /ONE concise sentence \(1830 words\)/);
assert.match(WHY_MATTERS_SYSTEM, /One sentence only\.$/);
});
});
describe('buildWhyMattersUserPrompt — shape', () => {
it('emits the exact 5-line format pinned by the cache-identity contract', () => {
const { system, user } = buildWhyMattersUserPrompt(FIXTURE);
assert.equal(system, WHY_MATTERS_SYSTEM);
assert.equal(
user,
[
'Headline: Iran closes Strait of Hormuz',
'Source: Reuters',
'Severity: critical',
'Category: Geopolitical Risk',
'Country: IR',
'',
'One editorial sentence on why this matters:',
].join('\n'),
);
});
});
describe('parseWhyMatters — pure sentence validator', () => {
it('rejects non-strings, empty, whitespace-only', () => {
assert.equal(parseWhyMatters(null), null);
assert.equal(parseWhyMatters(undefined), null);
assert.equal(parseWhyMatters(42), null);
assert.equal(parseWhyMatters(''), null);
assert.equal(parseWhyMatters(' '), null);
});
it('rejects too-short (<30) and too-long (>400)', () => {
assert.equal(parseWhyMatters('Too brief.'), null);
assert.equal(parseWhyMatters('x'.repeat(401)), null);
});
it('strips smart-quotes and takes the first sentence', () => {
const input = '"Closure would spike oil markets and force a naval response." Secondary clause.';
const out = parseWhyMatters(input);
assert.equal(out, 'Closure would spike oil markets and force a naval response.');
});
it('rejects the stub echo', () => {
const stub = 'Story flagged by your sensitivity settings. Open for context.';
assert.equal(parseWhyMatters(stub), null);
});
it('preserves a valid one-sentence output verbatim', () => {
const s = 'Closure of the Strait of Hormuz would spike global oil prices and force a US naval response.';
assert.equal(parseWhyMatters(s), s);
});
});
Reference in New Issue View Git Blame Copy Permalink