mirror of https://github.com/koala73/worldmonitor.git synced 2026-04-25 17:14:57 +02:00

Go to file

Elie Habib def94733a8 feat(agent-readiness): Agent Skills discovery index (#3310 ) (#3355 )

* feat(agent-readiness): Agent Skills discovery index (#3310)

Closes #3310. Ships the Agent Skills Discovery v0.2.0 manifest at
/.well-known/agent-skills/index.json plus two real, useful skills.

Skills are grounded in real sebuf proto RPCs:
- fetch-country-brief → GetCountryIntelBrief (public).
- fetch-resilience-score → GetResilienceScore (Pro / API key).

Each SKILL.md documents endpoint, auth, parameters, response shape,
worked curl, errors, and when not to use the skill.

scripts/build-agent-skills-index.mjs walks every
public/.well-known/agent-skills/<name>/SKILL.md, sha256s the bytes,
and emits index.json. Wired into prebuild + every variant build so a
deploy can never ship an index whose digests disagree with served files.

tests/agent-skills-index.test.mjs asserts the index is up-to-date
via the script's --check mode and recomputes every sha256 against
the on-disk SKILL.md bytes.

Discovery wiring:
- public/.well-known/api-catalog: new anchor entry with the
  agent-skills-index rel per RFC 9727 linkset shape.
- vercel.json: adds agent-skills-index rel to the homepage +
  /index.html Link headers; deploy-config required-rels list updated.

Canonical URLs use the apex (worldmonitor.app) since #3322 fixed
the apex redirect that previously hid .well-known paths.

* fix(agent-readiness): correct auth header + harden frontmatter parser (#3310)

Addresses review findings on #3310.

## P1 — auth header was wrong in both SKILL.md files

The published skills documented `Authorization: Bearer wm_live_...`,
but WorldMonitor API keys must be sent in `X-WorldMonitor-Key`.
`Authorization: Bearer` is for MCP/OAuth or Clerk JWTs — not raw
`wm_live_...` keys. Agents that followed the SKILL.md verbatim would
have gotten 401s despite holding valid keys.

fetch-country-brief also incorrectly claimed the endpoint was
"public"; server-to-server callers without a trusted browser origin
are rejected by `validateApiKey`, so agents do need a key there too.
Fixed both SKILL.md files to document `X-WorldMonitor-Key` and
cross-link docs/usage-auth as the canonical auth matrix.

## P2 — frontmatter parser brittleness

The hand-rolled parser used `indexOf('\n---', 4)` as the closing
fence, which matched any body line that happened to start with `---`.
Swapped for a regex that anchors the fence to its own line, and
delegated value parsing to js-yaml (already a project dep) so future
catalog growth (quoted colons, typed values, arrays) does not trip
new edge cases.

Added parser-contract tests that lock in the new semantics:
body `---` does not terminate the block, values with colons survive
intact, non-mapping frontmatter throws, and no-frontmatter files
return an empty mapping.

Index.json rebuilt against the updated SKILL.md bytes.

2026-04-23 22:21:25 +04:00

.github

chore(api): enforce sebuf contract + migrate drifting endpoints (#3207 ) (#3242 )

2026-04-22 09:55:59 +03:00

.husky

chore(api): enforce sebuf contract + migrate drifting endpoints (#3207 ) (#3242 )

2026-04-22 09:55:59 +03:00

api

fix(agent-readiness): host-aware oauth-protected-resource endpoint (#3351 )

2026-04-23 21:17:32 +04:00

blog-site

feat(seo): BlogPosting schema, FAQPage JSON-LD, extensible author system (#2284 )

2026-03-26 12:48:56 +04:00

consumer-prices-core

fix(railway): tolerate Ubuntu apt mirror failures in NIXPACKS + Dockerfile builds (#3142 )

2026-04-17 08:35:20 +04:00

convex

refactor(emails): refresh Pro welcome email — surface WM Analyst, Widgets, MCP (#3300 )

2026-04-22 23:18:32 +04:00

data

feat(oref): Tzeva Adom as primary alert source + Hebrew translation dictionaries (#2863 )

2026-04-09 12:39:34 +04:00

deploy/nginx

Add Brotli-first API compression for sidecar and nginx

2026-02-20 08:41:22 +04:00

docker

fix(csp): allow Dodo payment frames + Google Pay permission (#2789 )

2026-04-07 20:26:50 +04:00

docs

fix(swf): move manifest next to its loader so Railway ships it (#3344 )

2026-04-23 19:47:10 +04:00

e2e

feat(auth): integrate clerk.dev (#1812 )

2026-03-26 13:47:22 +02:00

plans

perf(map): lazy supercluster init, memoize filterByTime, lazy static layers (#1985 )

2026-03-21 15:32:51 +04:00

pro-test

fix(checkout): implement checkout.redirect_requested — the Dodo handler we were missing (#3346 )

2026-04-23 20:15:46 +04:00

proto

feat(proto): unified OpenAPI bundle via sebuf v0.11.0 (#3341 )

2026-04-23 16:24:03 +03:00

public

feat(agent-readiness): Agent Skills discovery index (#3310 ) (#3355 )

2026-04-23 22:21:25 +04:00

scripts

feat(agent-readiness): Agent Skills discovery index (#3310 ) (#3355 )

2026-04-23 22:21:25 +04:00

server

fix(swf): move manifest next to its loader so Railway ships it (#3344 )

2026-04-23 19:47:10 +04:00

shared

fix(brief): category-gated context + RELEVANCE RULE to stop formulaic grounding (#3281 )

2026-04-22 08:21:01 +04:00

src

fix(checkout): merchant-side escape hatch for Dodo overlay deadlock (#3354 )

2026-04-23 21:53:01 +04:00

src-tauri

chore(api): enforce sebuf contract + migrate drifting endpoints (#3207 ) (#3242 )

2026-04-22 09:55:59 +03:00

tests

feat(agent-readiness): Agent Skills discovery index (#3310 ) (#3355 )

2026-04-23 22:21:25 +04:00

todos

feat(digest-dedup): Phase A — embedding-based dedup scaffolding (no-op) (#3200 )

2026-04-19 13:49:48 +04:00

.dockerignore

feat: self-hosted Docker stack (#1521 )

2026-03-19 12:07:20 +04:00

.env.example

fix(email): route Intelligence Brief off the alerts@ mailbox (#3321 )

2026-04-23 08:51:27 +04:00

.gitignore

feat(agent-readiness): RFC 9727 API catalog + native openapi.yaml serve (#3343 )

2026-04-23 18:46:35 +04:00

.markdownlint-cli2.jsonc

refactor(sanctions): simplify handler to Redis-read-only, fix seed OOM risk (#1753 )

2026-03-17 12:20:10 +04:00

.npmrc

chore: suppress npm deprecation warnings via .npmrc loglevel=error (#1862 )

2026-03-19 09:48:23 +04:00

.nvmrc

fix(dx): add node_modules guard to pre-push hook and pin Node 22 (#1368 )

2026-03-10 08:27:44 +04:00

.vercelignore

feat: Arabic font support and HLS live streaming UI (#1020 )

2026-03-05 10:16:43 +04:00

AGENTS.md

feat(proto): unified OpenAPI bundle via sebuf v0.11.0 (#3341 )

2026-04-23 16:24:03 +03:00

ARCHITECTURE.md

feat: harness engineering P0 - linting, testing, architecture docs (#1587 )

2026-03-14 21:29:21 +04:00

biome.json

feat(supply-chain): Global Shipping Intelligence — Sprint 0 + Sprint 1 (#2870 )

2026-04-09 17:06:03 +04:00

brief-palette-playground.html

feat(brief): swap sienna rust for two-strength WM mint (Option B palette) (#3178 )

2026-04-18 20:50:16 +04:00

CHANGELOG.md

feat(proto): unified OpenAPI bundle via sebuf v0.11.0 (#3341 )

2026-04-23 16:24:03 +03:00

CODE_OF_CONDUCT.md

docs: add community guidelines (contributing, code of conduct, security) (#226 )

2026-02-22 16:26:13 +02:00

compound-engineering.local.md

feat(finance-panels): add 7 macro/market panels + Daily Brief context (issues #2245-#2253) (#2258 )

2026-03-26 08:03:09 +04:00

CONTRIBUTING.md

feat(proto): unified OpenAPI bundle via sebuf v0.11.0 (#3341 )

2026-04-23 16:24:03 +03:00

DEPLOYMENT-PLAN.md

feat(auth): integrate clerk.dev (#1812 )

2026-03-26 13:47:22 +02:00

docker-compose.yml

Revert "feat: seed orchestrator with auto-seeding, persistence, and managemen…" (#2060 )

2026-03-22 19:59:42 +04:00

Dockerfile

Revert "feat: seed orchestrator with auto-seeding, persistence, and managemen…" (#2060 )

2026-03-22 19:59:42 +04:00

Dockerfile.digest-notifications

feat(brief): route whyMatters through internal analyst-context endpoint (#3248 )

2026-04-21 14:03:27 +04:00

Dockerfile.relay

fix(relay): COPY missing _seed-envelope-source + _seed-contract — chokepointFlows stale 32h (#3132 )

2026-04-16 17:28:16 +04:00

Dockerfile.seed-bundle-portwatch-port-activity

feat(portwatch): split port-activity into standalone Railway cron + restore per-country shape (#3231 )

2026-04-20 15:21:43 +04:00

Dockerfile.seed-bundle-resilience-validation

fix(resilience): ship full scripts/ tree in validation Docker image (#3054 )

2026-04-13 15:43:55 +04:00

index.html

fix(csp): allow Stripe 3D Secure frames + consolidate Dodo CSP entries (#2806 )

2026-04-07 23:47:27 +04:00

LICENSE

chore: switch license to AGPL-3.0, externalize Sentry DSN

2026-02-19 07:24:47 +04:00

live-channels.html

feat(live): custom channel management with review fixes (#282 )

2026-02-23 22:51:44 +00:00

Makefile

feat(proto): unified OpenAPI bundle via sebuf v0.11.0 (#3341 )

2026-04-23 16:24:03 +03:00

middleware.ts

fix(brief): unblock whyMatters analyst endpoint (middleware 403) + DIGEST_ONLY_USER filter (#3255 )

2026-04-21 19:41:58 +04:00

nixpacks.toml

fix(railway): tolerate Ubuntu apt mirror failures in NIXPACKS + Dockerfile builds (#3142 )

2026-04-17 08:35:20 +04:00

package-lock.json

fix(deps): promote yaml from transitive peer to top-level dependency (#3333 )

2026-04-23 11:22:54 +04:00

package.json

feat(agent-readiness): Agent Skills discovery index (#3310 ) (#3355 )

2026-04-23 22:21:25 +04:00

playwright.config.ts

test: add coverage for finance/trending/reload and stabilize map harness

2026-02-17 19:22:55 +04:00

README.md

docs(marketing): bump source-count claims from 435+ to 500+ (#3241 )

2026-04-20 22:39:42 +04:00

SECURITY.md

security: harden IPC, gate DevTools, isolate external windows, exempt /api/version (#348 )

2026-02-25 06:14:16 +00:00

SELF_HOSTING.md

feat: self-hosted Docker stack (#1521 )

2026-03-19 12:07:20 +04:00

settings.html

docs: expand AGPL-3.0 license section in README (#1143 )

2026-03-06 23:47:04 +04:00

tsconfig.api.json

fix(resilience): satisfy release gate validation (#2686 )

2026-04-04 19:31:02 +04:00

tsconfig.json

Add missing layers to DeckGLMap for feature parity with D3 Map

2026-01-25 07:21:33 +00:00

vercel.json

feat(agent-readiness): Agent Skills discovery index (#3310 ) (#3355 )

2026-04-23 22:21:25 +04:00

vite.config.ts

chore(api): enforce sebuf contract + migrate drifting endpoints (#3207 ) (#3242 )

2026-04-22 09:55:59 +03:00

vitest.config.mts

feat: Dodo Payments integration + entitlement engine & webhook pipeline (#2024 )

2026-04-03 00:25:18 +04:00

README.md

World Monitor

Real-time global intelligence dashboard — AI-powered news aggregation, geopolitical monitoring, and infrastructure tracking in a unified situational awareness interface.

Documentation · Releases · Contributing

What It Does

500+ curated news feeds across 15 categories, AI-synthesized into briefs
Dual map engine — 3D globe (globe.gl) and WebGL flat map (deck.gl) with 45 data layers
Cross-stream correlation — military, economic, disaster, and escalation signal convergence
Country Intelligence Index — composite risk scoring across 12 signal categories
Finance radar — 92 stock exchanges, commodities, crypto, and 7-signal market composite
Local AI — run everything with Ollama, no API keys required
5 site variants from a single codebase (world, tech, finance, commodity, happy)
Native desktop app (Tauri 2) for macOS, Windows, and Linux
21 languages with native-language feeds and RTL support

For the full feature list, architecture, data sources, and algorithms, see the documentation.

Quick Start

git clone https://github.com/koala73/worldmonitor.git
cd worldmonitor
npm install
npm run dev

Open localhost:5173. No environment variables required for basic operation.

For variant-specific development:

npm run dev:tech       # tech.worldmonitor.app
npm run dev:finance    # finance.worldmonitor.app
npm run dev:commodity  # commodity.worldmonitor.app
npm run dev:happy      # happy.worldmonitor.app

See the self-hosting guide for deployment options (Vercel, Docker, static).

Tech Stack

Category	Technologies
Frontend	Vanilla TypeScript, Vite, globe.gl + Three.js, deck.gl + MapLibre GL
Desktop	Tauri 2 (Rust) with Node.js sidecar
AI/ML	Ollama / Groq / OpenRouter, Transformers.js (browser-side)
API Contracts	Protocol Buffers (92 protos, 22 services), sebuf HTTP annotations
Deployment	Vercel Edge Functions (60+), Railway relay, Tauri, PWA
Caching	Redis (Upstash), 3-tier cache, CDN, service worker

Full stack details in the architecture docs.

Flight Data

Flight data provided gracefully by Wingbits, the most advanced ADS-B flight data solution.

Data Sources

WorldMonitor aggregates 65+ external data sources across geopolitics, finance, energy, climate, aviation, cyber, military, infrastructure, and news intelligence. See the full data sources catalog for providers, feed tiers, and collection methods.

Contributing

Contributions welcome! See CONTRIBUTING.md for guidelines.

npm run typecheck        # Type checking
npm run build:full       # Production build

License

AGPL-3.0 for non-commercial use. Commercial license required for any commercial use.

Use Case	Allowed?
Personal / research / educational	Yes
Self-hosted (non-commercial)	Yes, with attribution
Fork and modify (non-commercial)	Yes, share source under AGPL-3.0
Commercial use / SaaS / rebranding	Requires commercial license

See LICENSE for full terms. For commercial licensing, contact the maintainer.

Author

Elie Habib — GitHub

Contributors

Security Acknowledgments

We thank the following researchers for responsibly disclosing security issues:

Cody Richard — Disclosed three security findings covering IPC command exposure, renderer-to-sidecar trust boundary analysis, and fetch patch credential injection architecture (2026)

See our Security Policy for responsible disclosure guidelines.

worldmonitor.app · docs.worldmonitor.app · finance.worldmonitor.app · commodity.worldmonitor.app

Star History

Languages

TypeScript 49.1%

JavaScript 47%

CSS 2.9%

HTML 0.4%

Rust 0.3%

Other 0.1%