mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
f783bf2d2d
* fix(intelligence): include framework/systemAppend hash in cache keys (todos 041, 045, 051) * fix(intelligence): gate framework/systemAppend on server-side PRO check (todo 042) * fix(skills): exact hostname allowlist + redirect:manual to prevent SSRF (todos 043, 054) * fix(intelligence): sanitize systemAppend against prompt injection before LLM (todo 044) * fix(intelligence): use framework field in DeductionPanel, fix InsightsPanel double increment (todos 046, 047) * fix(intelligence): settings export, hot-path cache, country-brief debounce (todos 048, 049, 050) * fix(intelligence): i18n, FrameworkSelector note, stripThinkingTags dedup, UUID IDs (todos 052, 055, 056, 057) - i18n Analysis Frameworks settings section (en + fr locales, replace all hardcoded English strings with t() calls) - FrameworkSelector: replace panelId==='insights' hardcode with note? option; both InsightsPanel and DailyMarketBriefPanel pass note - stripThinkingTags: remove inline duplicate in summarize-article.ts, import from _shared/llm; add Strip unterminated comment so tests can locate the section - Replace Date.now() IDs for imported frameworks with crypto.randomUUID() - Drop 'not supported in phase 1' phrasing to 'not supported' - test: fix summarize-reasoning Fix 2 suite to read from llm.ts - test: add premium-check-stub and wire into redis-caching country intel brief importPatchedTsModule so test can resolve the new import * fix(security): address P1 review findings from PR #2386 - premium-check: require `required: true` from validateApiKey so trusted browser origins (worldmonitor.app, Vercel previews, localhost) are not treated as PRO callers; fixes free-user bypass of framework/systemAppend gate - llm: replace weak sanitizeSystemAppend with sanitizeForPrompt from llm-sanitize.js; all callLlm callers now get model-delimiter and control-char stripping, not just phrase blocklist - get-country-intel-brief: apply sanitizeForPrompt to contextSnapshot before injecting into user prompt; fixes unsanitized query-param injection Closes todos 060, 061, 062 (P1 — blocked merge of #2386). * chore(todos): mark P1 todos 060-062 complete * fix(agentskills): address Greptile P2 review comments - hoist ALLOWED_AGENTSKILLS_HOSTS Set to module scope (was reallocated per-request) - add res.type === 'opaqueredirect' check alongside the 3xx guard; Edge Runtime returns status=0 for opaque redirects so the status range check alone is dead code
77 lines
2.9 KiB
TypeScript
77 lines
2.9 KiB
TypeScript
export const config = { runtime: 'edge' };
|
|
|
|
// @ts-expect-error -- JS module, no declaration file
|
|
import { getCorsHeaders } from '../_cors.js';
|
|
|
|
const ALLOWED_AGENTSKILLS_HOSTS = new Set(['agentskills.io', 'www.agentskills.io', 'api.agentskills.io']);
|
|
|
|
export default async function handler(req: Request): Promise<Response> {
|
|
const corsHeaders = getCorsHeaders(req) as Record<string, string>;
|
|
|
|
if (req.method === 'OPTIONS') {
|
|
return new Response(null, { status: 204, headers: { ...corsHeaders } });
|
|
}
|
|
|
|
if (req.method !== 'POST') {
|
|
return Response.json({ error: 'Method not allowed' }, { status: 405, headers: corsHeaders });
|
|
}
|
|
|
|
let body: { url?: string; id?: string };
|
|
try {
|
|
body = await req.json() as { url?: string; id?: string };
|
|
} catch {
|
|
return Response.json({ error: 'Invalid JSON body' }, { status: 400, headers: corsHeaders });
|
|
}
|
|
|
|
const rawUrl = body.url ?? (body.id ? `https://agentskills.io/skills/${body.id}` : null);
|
|
if (!rawUrl) {
|
|
return Response.json({ error: 'Provide url or id' }, { status: 400, headers: corsHeaders });
|
|
}
|
|
|
|
let skillUrl: URL;
|
|
try {
|
|
skillUrl = new URL(rawUrl);
|
|
} catch {
|
|
return Response.json({ error: 'Invalid URL' }, { status: 400, headers: corsHeaders });
|
|
}
|
|
|
|
if (!ALLOWED_AGENTSKILLS_HOSTS.has(skillUrl.hostname)) {
|
|
return Response.json({ error: 'Only agentskills.io URLs are supported.' }, { status: 400, headers: corsHeaders });
|
|
}
|
|
|
|
let skillData: Record<string, unknown>;
|
|
try {
|
|
const res = await fetch(skillUrl.toString(), {
|
|
headers: { 'Accept': 'application/json', 'User-Agent': 'WorldMonitor/1.0' },
|
|
redirect: 'manual',
|
|
signal: AbortSignal.timeout(8_000),
|
|
});
|
|
if (res.type === 'opaqueredirect' || (res.status >= 300 && res.status < 400)) {
|
|
return Response.json({ error: 'Redirects are not allowed.' }, { status: 400, headers: corsHeaders });
|
|
}
|
|
if (!res.ok) {
|
|
return Response.json({ error: 'Could not reach agentskills.io. Check your connection.' }, { status: 502, headers: corsHeaders });
|
|
}
|
|
skillData = await res.json() as Record<string, unknown>;
|
|
} catch {
|
|
return Response.json({ error: 'Could not reach agentskills.io. Check your connection.' }, { status: 502, headers: corsHeaders });
|
|
}
|
|
|
|
const instructions = typeof skillData.instructions === 'string' ? skillData.instructions : null;
|
|
if (!instructions) {
|
|
return Response.json({ error: "This skill has no instructions — it may use tools only (not supported)." }, { status: 422, headers: corsHeaders });
|
|
}
|
|
|
|
const MAX_LEN = 2000;
|
|
const truncated = instructions.length > MAX_LEN;
|
|
const name = typeof skillData.name === 'string' ? skillData.name : 'Imported Skill';
|
|
const description = typeof skillData.description === 'string' ? skillData.description : '';
|
|
|
|
return Response.json({
|
|
name,
|
|
description,
|
|
instructions: truncated ? instructions.slice(0, MAX_LEN) : instructions,
|
|
truncated,
|
|
}, { headers: corsHeaders });
|
|
}
|