Blame: api/rss-proxy.js - koala73/worldmonitor

fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist

2026-02-15 20:33:20 +04:00

								import { getCorsHeaders, isDisallowedOrigin } from './_cors.js';

							

Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes

2026-03-01 11:53:20 +04:00

								import { validateApiKey } from './_api-key.js';

							

refactor(api): extract shared relay helper into _relay.js (#782) DRY 7 edge functions that duplicated relay proxy boilerplate (~80% identical: CORS, origin check, OPTIONS, relay URL construction, auth headers, fetchWithTimeout, error handling). - New `api/_relay.js` exports createRelayHandler factory + getRelayBaseUrl, getRelayHeaders, fetchWithTimeout utilities - Convert ais-snapshot, polymarket, opensky, oref-alerts, telegram-feed to ~15-25 line config objects via createRelayHandler - Refactor youtube/live.js and rss-proxy.js to import shared utils only (complex handlers not suited for factory pattern) - 30 unit/behavior tests in tests/relay-helper.test.mjs Net: -501 lines removed, +72 added across 7 prod files. Relay utility functions exist in 1 place instead of 7.

2026-03-02 19:28:31 +04:00

								import { getRelayBaseUrl, getRelayHeaders, fetchWithTimeout } from './_relay.js';

							

perf(rss): route RSS direct to Railway, skip Vercel middleman (#961) * perf(rss): route RSS direct to Railway, skip Vercel middleman Vercel /api/rss-proxy has 65% error rate (207K failed invocations/12h). Route browser RSS requests directly to Railway (proxy.worldmonitor.app) via Cloudflare CDN, eliminating Vercel as middleman. - Add VITE_RSS_DIRECT_TO_RELAY feature flag (default off) for staged rollout - Centralize RSS proxy URL in rssProxyUrl() with desktop/dev/prod routing - Make Railway /rss public (skip auth, keep rate limiting with CF-Connecting-IP) - Add wildcard *.worldmonitor.app CORS + always emit Vary: Origin on /rss - Extract ~290 RSS domains to shared/rss-allowed-domains.cjs (single source of truth) - Convert Railway domain check to Set for O(1) lookups - Remove rss-proxy from KEYED_CLOUD_API_PATTERN (no longer needs API key header) - Add edge function test for shared domain list import * fix(edge): replace node:module with JSON import for edge-compatible RSS domains api/_rss-allowed-domains.js used createRequire from node:module which is unsupported in Vercel Edge Runtime, breaking all edge functions (including api/gpsjam). Replaced with JSON import attribute syntax that works in both esbuild (Vercel build) and Node.js 22+ (tests). Also fixed middleware.ts TS18048 error where VARIANT_OG[variant] could be undefined. * test(edge): add guard against node: built-in imports in api/ files Scans ALL api/*.js files (including _ helpers) for node: module imports which are unsupported in Vercel Edge Runtime. This would have caught the createRequire(node:module) bug before it reached Vercel. * fix(edge): inline domain array and remove NextResponse reference - Replace `import ... with { type: 'json' }` in _rss-allowed-domains.js with inline array — Vercel esbuild doesn't support import attributes - Replace `NextResponse.next()` with bare `return` in middleware.ts — NextResponse was never imported * ci(pre-push): add esbuild bundle check and edge function tests The pre-push hook now catches Vercel build failures locally: - esbuild bundles each api/*.js entrypoint (catches import attribute syntax, missing modules, and other bundler errors) - runs edge function test suite (node: imports, module isolation)

2026-03-04 18:42:00 +04:00

								import RSS_ALLOWED_DOMAINS from './_rss-allowed-domains.js';

							

refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import.

2026-03-16 11:52:56 +04:00

								import { jsonResponse } from './_json-response.js';

							

fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist

2026-02-15 20:33:20 +04:00

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-11 07:34:57 +04:00

								export const config = { runtime: 'edge' };

							

perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts

2026-03-03 00:25:26 +04:00

// Domains that consistently block Vercel edge IPs — skip direct fetch,

refactor: dedupe rss proxy domain and header checks (#1612)

2026-03-15 02:22:28 +04:00

								const DIRECT_FETCH_HEADERS = Object.freeze({

							

Harden Railway relay auth, caching, and proxy routing (#320)

2026-02-24 16:24:20 +00:00

								async function fetchViaRailway(feedUrl, timeoutMs) {

							

perf(rss): route RSS direct to Railway, skip Vercel middleman (#961) * perf(rss): route RSS direct to Railway, skip Vercel middleman Vercel /api/rss-proxy has 65% error rate (207K failed invocations/12h). Route browser RSS requests directly to Railway (proxy.worldmonitor.app) via Cloudflare CDN, eliminating Vercel as middleman. - Add VITE_RSS_DIRECT_TO_RELAY feature flag (default off) for staged rollout - Centralize RSS proxy URL in rssProxyUrl() with desktop/dev/prod routing - Make Railway /rss public (skip auth, keep rate limiting with CF-Connecting-IP) - Add wildcard *.worldmonitor.app CORS + always emit Vary: Origin on /rss - Extract ~290 RSS domains to shared/rss-allowed-domains.cjs (single source of truth) - Convert Railway domain check to Set for O(1) lookups - Remove rss-proxy from KEYED_CLOUD_API_PATTERN (no longer needs API key header) - Add edge function test for shared domain list import * fix(edge): replace node:module with JSON import for edge-compatible RSS domains api/_rss-allowed-domains.js used createRequire from node:module which is unsupported in Vercel Edge Runtime, breaking all edge functions (including api/gpsjam). Replaced with JSON import attribute syntax that works in both esbuild (Vercel build) and Node.js 22+ (tests). Also fixed middleware.ts TS18048 error where VARIANT_OG[variant] could be undefined. * test(edge): add guard against node: built-in imports in api/ files Scans ALL api/*.js files (including _ helpers) for node: module imports which are unsupported in Vercel Edge Runtime. This would have caught the createRequire(node:module) bug before it reached Vercel. * fix(edge): inline domain array and remove NextResponse reference - Replace `import ... with { type: 'json' }` in _rss-allowed-domains.js with inline array — Vercel esbuild doesn't support import attributes - Replace `NextResponse.next()` with bare `return` in middleware.ts — NextResponse was never imported * ci(pre-push): add esbuild bundle check and edge function tests The pre-push hook now catches Vercel build failures locally: - esbuild bundles each api/*.js entrypoint (catches import attribute syntax, missing modules, and other bundler errors) - runs edge function test suite (node: imports, module isolation)

2026-03-04 18:42:00 +04:00

								// Allowed RSS feed domains — shared source of truth (shared/rss-allowed-domains.js)

							

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-11 07:34:57 +04:00

refactor: dedupe rss proxy domain and header checks (#1612)

2026-03-15 02:22:28 +04:00

								function isAllowedDomain(hostname) {

							

Triage security alerts (#1903) * fix(cors): use ACAO: * for bootstrap to fix CF cache origin pinning CF ignores Vary: Origin and pins the first request's ACAO header on the cached response. Preview deployments from *.vercel.app got ACAO: worldmonitor.app from CF's cache, blocking CORS. Bootstrap data is fully public (world events, market prices, seismic data) so ACAO: * is safe and allows CF to cache one entry valid for all origins. isDisallowedOrigin() still gates non-cache paths. * chore: finish security triage * fix(aviation): update isArray callback signature for fast-xml-parser 5.5.x fast-xml-parser bumped from 5.4.2 to 5.5.7 changed the isArray callback's second parameter type from string to unknown. Guard with typeof check before calling .test() to satisfy the new type contract. * docs: fix MD032 blank lines around lists in tradingview-screener-integration * fix(security): address code review findings from PR #1903 - api/_json-response.js: add recursion depth limit (20) to sanitizeJsonValue and strip Error.cause chain alongside stack/stackTrace - scripts/ais-relay.cjs: extract WORLD_BANK_COUNTRY_ALLOWLIST to module level to eliminate duplicate; clamp years param to [1,30] to prevent unbounded World Bank date ranges - src-tauri/sidecar/local-api-server.mjs: use JSON.stringify for vq value in inline JS, consistent with safeVideoId/safeOrigin handling - src/services/story-share.ts: simplify sanitizeStoryType to use typed array instead of repeated as-casts * fix(desktop): use parent window origin for YouTube embed postMessage Sidecar youtube-embed route was targeting the iframe's own localhost origin for all window.parent.postMessage calls, so browsers dropped yt-ready/ yt-state/yt-error on Tauri builds where the parent is tauri://localhost or asset://localhost. LiveNewsPanel and LiveWebcamsPanel already pass parentOrigin=window.location.origin in the embed URL; the sidecar now reads, validates, and uses it as the postMessage target for all player event messages. The YT API playerVars origin/widget_referrer continue to use the sidecar's own localhost origin which YouTube requires. Also restore World Bank relay to a generic proxy: replace TECH_INDICATORS membership check with a format-only regex so any valid indicator code (NY.GDP.MKTP.CD etc.) is accepted, not just the 16 tech-sector codes.

2026-03-20 12:37:24 +04:00

								function isGoogleNewsFeedUrl(feedUrl) {

							

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-11 07:34:57 +04:00

								export default async function handler(req) {

							

fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist

2026-02-15 20:33:20 +04:00

								  const corsHeaders = getCorsHeaders(req, 'GET, OPTIONS');

							

Add CORS support for Vercel preview domains in RSS proxy

2026-01-25 12:32:27 +04:00

Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes

2026-03-01 11:53:20 +04:00

								  if (isDisallowedOrigin(req)) {

							

refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import.

2026-03-16 11:52:56 +04:00

								    return jsonResponse({ error: 'Origin not allowed' }, 403, corsHeaders);

							

Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes

2026-03-01 11:53:20 +04:00

Add CORS support for Vercel preview domains in RSS proxy

2026-01-25 12:32:27 +04:00

  // Handle CORS preflight

Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes

2026-03-01 11:53:20 +04:00

								  if (req.method !== 'GET') {

							

refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import.

2026-03-16 11:52:56 +04:00

								    return jsonResponse({ error: 'Method not allowed' }, 405, corsHeaders);

							

Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes

2026-03-01 11:53:20 +04:00

refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import.

2026-03-16 11:52:56 +04:00

								    return jsonResponse({ error: keyCheck.error }, 401, corsHeaders);

							

Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes

2026-03-01 11:53:20 +04:00

Add CORS support for Vercel preview domains in RSS proxy

2026-01-25 12:32:27 +04:00

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-11 07:34:57 +04:00

								  const requestUrl = new URL(req.url);

							

refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import.

2026-03-16 11:52:56 +04:00

								    return jsonResponse({ error: 'Missing url parameter' }, 400, corsHeaders);

							

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-11 07:34:57 +04:00

fix: Linux AppImage crashes, RSS proxy 403s, and console noise (#395) Linux AppImage (#370, #257): - Upgrade CI from Ubuntu 22.04 to 24.04 (GLib 2.80 fixes g_task_set_static_name symbol mismatch) - Set GDK_BACKEND=wayland,x11 when WAYLAND_DISPLAY detected (fixes GTK init on niri/river) - Disable WebKit bubblewrap sandbox in AppImage context (FUSE mount breaks it → blank screen) - Set GTK_IM_MODULE to built-in simple context in AppImage (prevents host module conflicts) RSS proxy: - Add 32 missing domains to allowlist (EuroNews lang variants, international news feeds) - Normalize www prefix in domain validation (prevents entire class of www/non-www mismatch 403s) Console cleanup: - TrendingKeywords: console.log → console.debug for suppressed terms (30+ noisy log lines) - PostHog: add ui_host for reverse proxy setup (fixes /ingest/ 404s)

2026-02-26 09:37:26 +04:00

    // Security: Check if domain is allowed (normalize www prefix)

refactor: dedupe rss proxy domain and header checks (#1612)

2026-03-15 02:22:28 +04:00

								    if (!isAllowedDomain(hostname)) {

							

refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import.

2026-03-16 11:52:56 +04:00

								      return jsonResponse({ error: 'Domain not allowed' }, 403, corsHeaders);

							

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-11 07:34:57 +04:00

perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts

2026-03-03 00:25:26 +04:00

								    const isRelayOnly = RELAY_ONLY_DOMAINS.has(hostname);

							

Increase RSS proxy timeouts for Google News - Google News feeds: 20s timeout (often slow) - Other feeds: 12s timeout - Use more realistic browser User-Agent

2026-01-11 10:21:59 +04:00

    // Google News is slow - use longer timeout

Triage security alerts (#1903) * fix(cors): use ACAO: * for bootstrap to fix CF cache origin pinning CF ignores Vary: Origin and pins the first request's ACAO header on the cached response. Preview deployments from *.vercel.app got ACAO: worldmonitor.app from CF's cache, blocking CORS. Bootstrap data is fully public (world events, market prices, seismic data) so ACAO: * is safe and allows CF to cache one entry valid for all origins. isDisallowedOrigin() still gates non-cache paths. * chore: finish security triage * fix(aviation): update isArray callback signature for fast-xml-parser 5.5.x fast-xml-parser bumped from 5.4.2 to 5.5.7 changed the isArray callback's second parameter type from string to unknown. Guard with typeof check before calling .test() to satisfy the new type contract. * docs: fix MD032 blank lines around lists in tradingview-screener-integration * fix(security): address code review findings from PR #1903 - api/_json-response.js: add recursion depth limit (20) to sanitizeJsonValue and strip Error.cause chain alongside stack/stackTrace - scripts/ais-relay.cjs: extract WORLD_BANK_COUNTRY_ALLOWLIST to module level to eliminate duplicate; clamp years param to [1,30] to prevent unbounded World Bank date ranges - src-tauri/sidecar/local-api-server.mjs: use JSON.stringify for vq value in inline JS, consistent with safeVideoId/safeOrigin handling - src/services/story-share.ts: simplify sanitizeStoryType to use typed array instead of repeated as-casts * fix(desktop): use parent window origin for YouTube embed postMessage Sidecar youtube-embed route was targeting the iframe's own localhost origin for all window.parent.postMessage calls, so browsers dropped yt-ready/ yt-state/yt-error on Tauri builds where the parent is tauri://localhost or asset://localhost. LiveNewsPanel and LiveWebcamsPanel already pass parentOrigin=window.location.origin in the embed URL; the sidecar now reads, validates, and uses it as the postMessage target for all player event messages. The YT API playerVars origin/widget_referrer continue to use the sidecar's own localhost origin which YouTube requires. Also restore World Bank relay to a generic proxy: replace TECH_INDICATORS membership check with a format-only regex so any valid indicator code (NY.GDP.MKTP.CD etc.) is accepted, not just the 16 tech-sector codes.

2026-03-20 12:37:24 +04:00

								    const isGoogleNews = isGoogleNewsFeedUrl(feedUrl);

							

Increase RSS proxy timeouts for Google News - Google News feeds: 20s timeout (often slow) - Other feeds: 12s timeout - Use more realistic browser User-Agent

2026-01-11 10:21:59 +04:00

								    const timeout = isGoogleNews ? 20000 : 12000;

							

Harden Railway relay auth, caching, and proxy routing (#320)

2026-02-24 16:24:20 +00:00

								    const fetchDirect = async () => {

							

refactor: dedupe rss proxy domain and header checks (#1612)

2026-03-15 02:22:28 +04:00

								        headers: DIRECT_FETCH_HEADERS,

							

Harden Railway relay auth, caching, and proxy routing (#320)

2026-02-24 16:24:20 +00:00

								        redirect: 'manual',

							

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-11 07:34:57 +04:00

Harden Railway relay auth, caching, and proxy routing (#320)

2026-02-24 16:24:20 +00:00

								      if (response.status >= 300 && response.status < 400) {

							

fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist

2026-02-15 20:33:20 +04:00

								          const redirectUrl = new URL(location, feedUrl);

							

fix(api): harden IP extraction, input validation, redirect SSRF check, and origin-pattern parity (#1013) - register-interest.js: coerce source/appVersion to string with a 100-char cap before forwarding to Convex. Non-string values (objects, arrays) are truthy so the previous || 'unknown' guard passed them through, causing Convex to throw a type-validation error and surface a 500 to the caller. Also fixes unbounded metadata strings filling the registrations table cheaply. - rss-proxy.js: apply the same www-normalization used by the initial domain check to the 301-redirect hostname check. The old bare ALLOWED_DOMAINS.includes(hostname) call rejected canonical redirects (e.g. bbc.co.uk -> www.bbc.co.uk) even when one form is allowlisted, breaking several feeds silently. - _api-key.js: align BROWSER_ORIGIN_PATTERNS Vercel-preview regex with the narrower pattern already enforced by _cors.js (worldmonitor-*-elie-*.vercel.app). The broader worldmonitor-*.vercel.app pattern was dead code because _cors.js rejects those origins before _api-key.js is reached.

2026-03-05 08:48:59 +05:30

          // Apply the same www-normalization as the initial domain check so that

refactor: dedupe rss proxy domain and header checks (#1612)

2026-03-15 02:22:28 +04:00

								          if (!isAllowedDomain(rHost)) {

							

Harden Railway relay auth, caching, and proxy routing (#320)

2026-02-24 16:24:20 +00:00

								            throw new Error('Redirect to disallowed domain');

							

fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist

2026-02-15 20:33:20 +04:00

Harden Railway relay auth, caching, and proxy routing (#320)

2026-02-24 16:24:20 +00:00

								          return fetchWithTimeout(redirectUrl.href, {

							

refactor: dedupe rss proxy domain and header checks (#1612)

2026-03-15 02:22:28 +04:00

								            headers: DIRECT_FETCH_HEADERS,

							

fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist

2026-02-15 20:33:20 +04:00

								          }, timeout);

							

Harden Railway relay auth, caching, and proxy routing (#320)

2026-02-24 16:24:20 +00:00

perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts

2026-03-03 00:25:26 +04:00

Harden Railway relay auth, caching, and proxy routing (#320)

2026-02-24 16:24:20 +00:00

								      response = await fetchViaRailway(feedUrl, timeout);

							

perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts

2026-03-03 00:25:26 +04:00

								      if (!response) throw new Error(`Railway relay unavailable for relay-only domain: ${hostname}`);

							

Harden Railway relay auth, caching, and proxy routing (#320)

2026-02-24 16:24:20 +00:00

perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts

2026-03-03 00:25:26 +04:00

								      if (!response.ok && !usedRelay) {

							

feat: harness engineering P0 - linting, testing, architecture docs (#1587) * feat: harness engineering P0 - linting, testing, architecture docs Add foundational infrastructure for agent-first development: - AGENTS.md: agent entry point with progressive disclosure to deeper docs - ARCHITECTURE.md: 12-section system reference with source-file refs and ownership rule - Biome 2.4.7 linter with project-tuned rules, CI workflow (lint-code.yml) - Architectural boundary lint enforcing forward-only dependency direction (lint-boundaries.mjs) - Unit test CI workflow (test.yml), all 1083 tests passing - Fixed 9 pre-existing test failures (bootstrap sync, deploy-config headers, globe parity, redis mocks, geometry URL, import.meta.env null safety) - Fixed 12 architectural boundary violations (types moved to proper layers) - Added 3 missing cache tier entries in gateway.ts - Synced cache-keys.ts with bootstrap.js - Renamed docs/architecture.mdx to "Design Philosophy" with cross-references - Deprecated legacy docs/Docs_To_Review/ARCHITECTURE.md - Harness engineering roadmap tracking doc * fix: address PR review feedback on harness-engineering-p0 - countries-geojson.test.mjs: skip gracefully when CDN unreachable instead of failing CI on network issues - country-geometry-overrides.test.mts: relax timing assertion (250ms -> 2000ms) for constrained CI environments - lint-boundaries.mjs: implement the documented api/ boundary check (was documented but missing, causing false green) * fix(lint): scan api/ .ts files in boundary check The api/ boundary check only scanned .js/.mjs files, missing the 25 sebuf RPC .ts edge functions. Now scans .ts files with correct rules: - Legacy .js: fully self-contained (no server/ or src/ imports) - RPC .ts: may import server/ and src/generated/ (bundled at deploy), but blocks imports from src/ application code * fix(lint): detect import() type expressions in boundary lint - Move AppContext back to app/app-context.ts (aggregate type that references components/services/utils belongs at the top, not types/) - Move HappyContentCategory and TechHQ to types/ (simple enums/interfaces) - Boundary lint now catches import('@/layer') expressions, not just from '@/layer' imports - correlation-engine imports of AppContext marked boundary-ignore (type-only imports of top-level aggregate)

2026-03-14 21:29:21 +04:00

								        if (relayResponse?.ok) {

							

perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts

2026-03-03 00:25:26 +04:00

								          response = relayResponse;

							

Harden Railway relay auth, caching, and proxy routing (#320)

2026-02-24 16:24:20 +00:00

fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist

2026-02-15 20:33:20 +04:00

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-11 07:34:57 +04:00

								    const data = await response.text();

							

feat(news): server-side feed aggregation to reduce edge invocations by ~95% (#622) Phase 1: Force CDN caching on rss-proxy (s-maxage=300 for 2xx, short TTL for errors) — fixes bug where upstream no-cache headers were passed through verbatim, defeating Vercel CDN. Phase 2: Add ListFeedDigest RPC that aggregates all feeds server-side into a single Redis-cached response. Client makes 1 request instead of ~90 per cycle. Includes circuit breaker with persistent cache fallback, per-feed AI reclassification, and headline ingestion parity. Phase 3: Increase polling interval from 5min to 7min to offset CDN cache alignment. New files: - proto/worldmonitor/news/v1/list_feed_digest.proto - server/worldmonitor/news/v1/{_feeds,_classifier,list-feed-digest}.ts - src/services/ai-classify-queue.ts (extracted from rss.ts)

2026-03-01 05:13:54 +04:00

								    const isSuccess = response.status >= 200 && response.status < 300;

							

perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts

2026-03-03 00:25:26 +04:00

    // Relay-only feeds are slow-updating institutional sources — cache longer

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-11 07:34:57 +04:00

								    return new Response(data, {

							

Harden Railway relay auth, caching, and proxy routing (#320)

2026-02-24 16:24:20 +00:00

								        'Content-Type': response.headers.get('content-type') || 'application/xml',

							

feat(news): server-side feed aggregation to reduce edge invocations by ~95% (#622) Phase 1: Force CDN caching on rss-proxy (s-maxage=300 for 2xx, short TTL for errors) — fixes bug where upstream no-cache headers were passed through verbatim, defeating Vercel CDN. Phase 2: Add ListFeedDigest RPC that aggregates all feeds server-side into a single Redis-cached response. Client makes 1 request instead of ~90 per cycle. Includes circuit breaker with persistent cache fallback, per-feed AI reclassification, and headline ingestion parity. Phase 3: Increase polling interval from 5min to 7min to offset CDN cache alignment. New files: - proto/worldmonitor/news/v1/list_feed_digest.proto - server/worldmonitor/news/v1/{_feeds,_classifier,list-feed-digest}.ts - src/services/ai-classify-queue.ts (extracted from rss.ts)

2026-03-01 05:13:54 +04:00

								        'Cache-Control': isSuccess

							

perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts

2026-03-03 00:25:26 +04:00

								          ? `public, max-age=${browserTtl}, s-maxage=${cdnTtl}, stale-while-revalidate=${swr}, stale-if-error=${sie}`

							

Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes

2026-03-01 11:53:20 +04:00

								          : 'public, max-age=15, s-maxage=60, stale-while-revalidate=120',

							

perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts

2026-03-03 00:25:26 +04:00

								        ...(isSuccess && { 'CDN-Cache-Control': `public, s-maxage=${cdnTtl}, stale-while-revalidate=${swr}, stale-if-error=${sie}` }),

							

Add CORS support for Vercel preview domains in RSS proxy

2026-01-25 12:32:27 +04:00

								        ...corsHeaders,

							

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-11 07:34:57 +04:00

},

Fix API timeouts and reduce OpenSky requests - Add explicit timeouts to OpenSky (12s) and RSS (8s) proxies - Consolidate 10 military hotspots into 4 larger regions - Increase military refresh interval from 2 to 5 minutes - Switch OpenAI feed to Google News (OpenAI blocks proxies)

2026-01-11 08:50:19 +04:00

								    const isTimeout = error.name === 'AbortError';

							

Fix PizzINT routes with explicit endpoint files - Replace catch-all route with explicit files - api/pizzint/dashboard-data.js for /api/pizzint/dashboard-data - api/pizzint/gdelt/batch.js for /api/pizzint/gdelt/batch - Improve rss-proxy error handling with more details

2026-01-11 10:21:13 +04:00

								    console.error('RSS proxy error:', feedUrl, error.message);

							

refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import.

2026-03-16 11:52:56 +04:00

								    return jsonResponse({

							

Fix PizzINT routes with explicit endpoint files - Replace catch-all route with explicit files - api/pizzint/dashboard-data.js for /api/pizzint/dashboard-data - api/pizzint/gdelt/batch.js for /api/pizzint/gdelt/batch - Improve rss-proxy error handling with more details

2026-01-11 10:21:13 +04:00

								      error: isTimeout ? 'Feed timeout' : 'Failed to fetch feed',

							

refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import.

2026-03-16 11:52:56 +04:00

								    }, isTimeout ? 504 : 502, corsHeaders);

							

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-11 07:34:57 +04:00

fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist 2026-02-15 20:33:20 +04:00			`import { getCorsHeaders, isDisallowedOrigin } from './_cors.js';`
Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes 2026-03-01 11:53:20 +04:00			`import { validateApiKey } from './_api-key.js';`
			`import { checkRateLimit } from './_rate-limit.js';`
refactor(api): extract shared relay helper into _relay.js (#782) DRY 7 edge functions that duplicated relay proxy boilerplate (~80% identical: CORS, origin check, OPTIONS, relay URL construction, auth headers, fetchWithTimeout, error handling). - New `api/_relay.js` exports createRelayHandler factory + getRelayBaseUrl, getRelayHeaders, fetchWithTimeout utilities - Convert ais-snapshot, polymarket, opensky, oref-alerts, telegram-feed to ~15-25 line config objects via createRelayHandler - Refactor youtube/live.js and rss-proxy.js to import shared utils only (complex handlers not suited for factory pattern) - 30 unit/behavior tests in tests/relay-helper.test.mjs Net: -501 lines removed, +72 added across 7 prod files. Relay utility functions exist in 1 place instead of 7. 2026-03-02 19:28:31 +04:00			`import { getRelayBaseUrl, getRelayHeaders, fetchWithTimeout } from './_relay.js';`
perf(rss): route RSS direct to Railway, skip Vercel middleman (#961) * perf(rss): route RSS direct to Railway, skip Vercel middleman Vercel /api/rss-proxy has 65% error rate (207K failed invocations/12h). Route browser RSS requests directly to Railway (proxy.worldmonitor.app) via Cloudflare CDN, eliminating Vercel as middleman. - Add VITE_RSS_DIRECT_TO_RELAY feature flag (default off) for staged rollout - Centralize RSS proxy URL in rssProxyUrl() with desktop/dev/prod routing - Make Railway /rss public (skip auth, keep rate limiting with CF-Connecting-IP) - Add wildcard .worldmonitor.app CORS + always emit Vary: Origin on /rss - Extract ~290 RSS domains to shared/rss-allowed-domains.cjs (single source of truth) - Convert Railway domain check to Set for O(1) lookups - Remove rss-proxy from KEYED_CLOUD_API_PATTERN (no longer needs API key header) - Add edge function test for shared domain list import fix(edge): replace node:module with JSON import for edge-compatible RSS domains api/_rss-allowed-domains.js used createRequire from node:module which is unsupported in Vercel Edge Runtime, breaking all edge functions (including api/gpsjam). Replaced with JSON import attribute syntax that works in both esbuild (Vercel build) and Node.js 22+ (tests). Also fixed middleware.ts TS18048 error where VARIANT_OG[variant] could be undefined. * test(edge): add guard against node: built-in imports in api/ files Scans ALL api/.js files (including _ helpers) for node: module imports which are unsupported in Vercel Edge Runtime. This would have caught the createRequire(node:module) bug before it reached Vercel. fix(edge): inline domain array and remove NextResponse reference - Replace `import ... with { type: 'json' }` in _rss-allowed-domains.js with inline array — Vercel esbuild doesn't support import attributes - Replace `NextResponse.next()` with bare `return` in middleware.ts — NextResponse was never imported * ci(pre-push): add esbuild bundle check and edge function tests The pre-push hook now catches Vercel build failures locally: - esbuild bundles each api/*.js entrypoint (catches import attribute syntax, missing modules, and other bundler errors) - runs edge function test suite (node: imports, module isolation) 2026-03-04 18:42:00 +04:00			`import RSS_ALLOWED_DOMAINS from './_rss-allowed-domains.js';`
refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import. 2026-03-16 11:52:56 +04:00			`import { jsonResponse } from './_json-response.js';`
fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist 2026-02-15 20:33:20 +04:00
Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-11 07:34:57 +04:00			`export const config = { runtime: 'edge' };`

perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts 2026-03-03 00:25:26 +04:00			`// Domains that consistently block Vercel edge IPs — skip direct fetch,`
			`// go straight to Railway relay to avoid wasted invocation + timeout.`
			`const RELAY_ONLY_DOMAINS = new Set([`
			`'rss.cnn.com',`
			`'www.defensenews.com',`
			`'layoffs.fyi',`
			`'news.un.org',`
			`'www.cisa.gov',`
			`'www.iaea.org',`
			`'www.who.int',`
			`'www.crisisgroup.org',`
			`'english.alarabiya.net',`
			`'www.arabnews.com',`
			`'www.timesofisrael.com',`
			`'www.scmp.com',`
			`'kyivindependent.com',`
			`'www.themoscowtimes.com',`
			`'feeds.24.com',`
			`'feeds.capi24.com',`
			`'islandtimes.org',`
			`'www.atlanticcouncil.org',`
			`]);`

refactor: dedupe rss proxy domain and header checks (#1612) 2026-03-15 02:22:28 +04:00			`const DIRECT_FETCH_HEADERS = Object.freeze({`
			`'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',`
			`'Accept': 'application/rss+xml, application/xml, text/xml, /',`
			`'Accept-Language': 'en-US,en;q=0.9',`
			`});`

Harden Railway relay auth, caching, and proxy routing (#320) 2026-02-24 16:24:20 +00:00			`async function fetchViaRailway(feedUrl, timeoutMs) {`
			`const relayBaseUrl = getRelayBaseUrl();`
			`if (!relayBaseUrl) return null;`
			const relayUrl = `${relayBaseUrl}/rss?url=${encodeURIComponent(feedUrl)}`;
			`return fetchWithTimeout(relayUrl, {`
			`headers: getRelayHeaders({`
			`'Accept': 'application/rss+xml, application/xml, text/xml, /',`
			`'User-Agent': 'WorldMonitor-RSS-Proxy/1.0',`
			`}),`
			`}, timeoutMs);`
			`}`

perf(rss): route RSS direct to Railway, skip Vercel middleman (#961) * perf(rss): route RSS direct to Railway, skip Vercel middleman Vercel /api/rss-proxy has 65% error rate (207K failed invocations/12h). Route browser RSS requests directly to Railway (proxy.worldmonitor.app) via Cloudflare CDN, eliminating Vercel as middleman. - Add VITE_RSS_DIRECT_TO_RELAY feature flag (default off) for staged rollout - Centralize RSS proxy URL in rssProxyUrl() with desktop/dev/prod routing - Make Railway /rss public (skip auth, keep rate limiting with CF-Connecting-IP) - Add wildcard .worldmonitor.app CORS + always emit Vary: Origin on /rss - Extract ~290 RSS domains to shared/rss-allowed-domains.cjs (single source of truth) - Convert Railway domain check to Set for O(1) lookups - Remove rss-proxy from KEYED_CLOUD_API_PATTERN (no longer needs API key header) - Add edge function test for shared domain list import fix(edge): replace node:module with JSON import for edge-compatible RSS domains api/_rss-allowed-domains.js used createRequire from node:module which is unsupported in Vercel Edge Runtime, breaking all edge functions (including api/gpsjam). Replaced with JSON import attribute syntax that works in both esbuild (Vercel build) and Node.js 22+ (tests). Also fixed middleware.ts TS18048 error where VARIANT_OG[variant] could be undefined. * test(edge): add guard against node: built-in imports in api/ files Scans ALL api/.js files (including _ helpers) for node: module imports which are unsupported in Vercel Edge Runtime. This would have caught the createRequire(node:module) bug before it reached Vercel. fix(edge): inline domain array and remove NextResponse reference - Replace `import ... with { type: 'json' }` in _rss-allowed-domains.js with inline array — Vercel esbuild doesn't support import attributes - Replace `NextResponse.next()` with bare `return` in middleware.ts — NextResponse was never imported * ci(pre-push): add esbuild bundle check and edge function tests The pre-push hook now catches Vercel build failures locally: - esbuild bundles each api/*.js entrypoint (catches import attribute syntax, missing modules, and other bundler errors) - runs edge function test suite (node: imports, module isolation) 2026-03-04 18:42:00 +04:00			`// Allowed RSS feed domains — shared source of truth (shared/rss-allowed-domains.js)`
			`const ALLOWED_DOMAINS = RSS_ALLOWED_DOMAINS;`
Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-11 07:34:57 +04:00
refactor: dedupe rss proxy domain and header checks (#1612) 2026-03-15 02:22:28 +04:00			`function isAllowedDomain(hostname) {`
			`const bare = hostname.replace(/^www\./, '');`
			const withWww = hostname.startsWith('www.') ? hostname : `www.${hostname}`;
			`return ALLOWED_DOMAINS.includes(hostname) \|\| ALLOWED_DOMAINS.includes(bare) \|\| ALLOWED_DOMAINS.includes(withWww);`
			`}`

Triage security alerts (#1903) * fix(cors): use ACAO: * for bootstrap to fix CF cache origin pinning CF ignores Vary: Origin and pins the first request's ACAO header on the cached response. Preview deployments from .vercel.app got ACAO: worldmonitor.app from CF's cache, blocking CORS. Bootstrap data is fully public (world events, market prices, seismic data) so ACAO: is safe and allows CF to cache one entry valid for all origins. isDisallowedOrigin() still gates non-cache paths. * chore: finish security triage * fix(aviation): update isArray callback signature for fast-xml-parser 5.5.x fast-xml-parser bumped from 5.4.2 to 5.5.7 changed the isArray callback's second parameter type from string to unknown. Guard with typeof check before calling .test() to satisfy the new type contract. * docs: fix MD032 blank lines around lists in tradingview-screener-integration * fix(security): address code review findings from PR #1903 - api/_json-response.js: add recursion depth limit (20) to sanitizeJsonValue and strip Error.cause chain alongside stack/stackTrace - scripts/ais-relay.cjs: extract WORLD_BANK_COUNTRY_ALLOWLIST to module level to eliminate duplicate; clamp years param to [1,30] to prevent unbounded World Bank date ranges - src-tauri/sidecar/local-api-server.mjs: use JSON.stringify for vq value in inline JS, consistent with safeVideoId/safeOrigin handling - src/services/story-share.ts: simplify sanitizeStoryType to use typed array instead of repeated as-casts * fix(desktop): use parent window origin for YouTube embed postMessage Sidecar youtube-embed route was targeting the iframe's own localhost origin for all window.parent.postMessage calls, so browsers dropped yt-ready/ yt-state/yt-error on Tauri builds where the parent is tauri://localhost or asset://localhost. LiveNewsPanel and LiveWebcamsPanel already pass parentOrigin=window.location.origin in the embed URL; the sidecar now reads, validates, and uses it as the postMessage target for all player event messages. The YT API playerVars origin/widget_referrer continue to use the sidecar's own localhost origin which YouTube requires. Also restore World Bank relay to a generic proxy: replace TECH_INDICATORS membership check with a format-only regex so any valid indicator code (NY.GDP.MKTP.CD etc.) is accepted, not just the 16 tech-sector codes. 2026-03-20 12:37:24 +04:00			`function isGoogleNewsFeedUrl(feedUrl) {`
			`try {`
			`return new URL(feedUrl).hostname === 'news.google.com';`
			`} catch {`
			`return false;`
			`}`
			`}`

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-11 07:34:57 +04:00			`export default async function handler(req) {`
fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist 2026-02-15 20:33:20 +04:00			`const corsHeaders = getCorsHeaders(req, 'GET, OPTIONS');`
Add CORS support for Vercel preview domains in RSS proxy 2026-01-25 12:32:27 +04:00
Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes 2026-03-01 11:53:20 +04:00			`if (isDisallowedOrigin(req)) {`
refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import. 2026-03-16 11:52:56 +04:00			`return jsonResponse({ error: 'Origin not allowed' }, 403, corsHeaders);`
Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes 2026-03-01 11:53:20 +04:00			`}`

Add CORS support for Vercel preview domains in RSS proxy 2026-01-25 12:32:27 +04:00			`// Handle CORS preflight`
			`if (req.method === 'OPTIONS') {`
			`return new Response(null, { status: 204, headers: corsHeaders });`
			`}`
Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes 2026-03-01 11:53:20 +04:00			`if (req.method !== 'GET') {`
refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import. 2026-03-16 11:52:56 +04:00			`return jsonResponse({ error: 'Method not allowed' }, 405, corsHeaders);`
Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes 2026-03-01 11:53:20 +04:00			`}`

			`const keyCheck = validateApiKey(req);`
			`if (keyCheck.required && !keyCheck.valid) {`
refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import. 2026-03-16 11:52:56 +04:00			`return jsonResponse({ error: keyCheck.error }, 401, corsHeaders);`
Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes 2026-03-01 11:53:20 +04:00			`}`

			`const rateLimitResponse = await checkRateLimit(req, corsHeaders);`
			`if (rateLimitResponse) return rateLimitResponse;`
Add CORS support for Vercel preview domains in RSS proxy 2026-01-25 12:32:27 +04:00
Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-11 07:34:57 +04:00			`const requestUrl = new URL(req.url);`
			`const feedUrl = requestUrl.searchParams.get('url');`

			`if (!feedUrl) {`
refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import. 2026-03-16 11:52:56 +04:00			`return jsonResponse({ error: 'Missing url parameter' }, 400, corsHeaders);`
Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-11 07:34:57 +04:00			`}`

			`try {`
			`const parsedUrl = new URL(feedUrl);`

fix: Linux AppImage crashes, RSS proxy 403s, and console noise (#395) Linux AppImage (#370, #257): - Upgrade CI from Ubuntu 22.04 to 24.04 (GLib 2.80 fixes g_task_set_static_name symbol mismatch) - Set GDK_BACKEND=wayland,x11 when WAYLAND_DISPLAY detected (fixes GTK init on niri/river) - Disable WebKit bubblewrap sandbox in AppImage context (FUSE mount breaks it → blank screen) - Set GTK_IM_MODULE to built-in simple context in AppImage (prevents host module conflicts) RSS proxy: - Add 32 missing domains to allowlist (EuroNews lang variants, international news feeds) - Normalize www prefix in domain validation (prevents entire class of www/non-www mismatch 403s) Console cleanup: - TrendingKeywords: console.log → console.debug for suppressed terms (30+ noisy log lines) - PostHog: add ui_host for reverse proxy setup (fixes /ingest/ 404s) 2026-02-26 09:37:26 +04:00			`// Security: Check if domain is allowed (normalize www prefix)`
			`const hostname = parsedUrl.hostname;`
refactor: dedupe rss proxy domain and header checks (#1612) 2026-03-15 02:22:28 +04:00			`if (!isAllowedDomain(hostname)) {`
refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import. 2026-03-16 11:52:56 +04:00			`return jsonResponse({ error: 'Domain not allowed' }, 403, corsHeaders);`
Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-11 07:34:57 +04:00			`}`

perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts 2026-03-03 00:25:26 +04:00			`const isRelayOnly = RELAY_ONLY_DOMAINS.has(hostname);`

Increase RSS proxy timeouts for Google News - Google News feeds: 20s timeout (often slow) - Other feeds: 12s timeout - Use more realistic browser User-Agent 2026-01-11 10:21:59 +04:00			`// Google News is slow - use longer timeout`
Triage security alerts (#1903) * fix(cors): use ACAO: * for bootstrap to fix CF cache origin pinning CF ignores Vary: Origin and pins the first request's ACAO header on the cached response. Preview deployments from .vercel.app got ACAO: worldmonitor.app from CF's cache, blocking CORS. Bootstrap data is fully public (world events, market prices, seismic data) so ACAO: is safe and allows CF to cache one entry valid for all origins. isDisallowedOrigin() still gates non-cache paths. * chore: finish security triage * fix(aviation): update isArray callback signature for fast-xml-parser 5.5.x fast-xml-parser bumped from 5.4.2 to 5.5.7 changed the isArray callback's second parameter type from string to unknown. Guard with typeof check before calling .test() to satisfy the new type contract. * docs: fix MD032 blank lines around lists in tradingview-screener-integration * fix(security): address code review findings from PR #1903 - api/_json-response.js: add recursion depth limit (20) to sanitizeJsonValue and strip Error.cause chain alongside stack/stackTrace - scripts/ais-relay.cjs: extract WORLD_BANK_COUNTRY_ALLOWLIST to module level to eliminate duplicate; clamp years param to [1,30] to prevent unbounded World Bank date ranges - src-tauri/sidecar/local-api-server.mjs: use JSON.stringify for vq value in inline JS, consistent with safeVideoId/safeOrigin handling - src/services/story-share.ts: simplify sanitizeStoryType to use typed array instead of repeated as-casts * fix(desktop): use parent window origin for YouTube embed postMessage Sidecar youtube-embed route was targeting the iframe's own localhost origin for all window.parent.postMessage calls, so browsers dropped yt-ready/ yt-state/yt-error on Tauri builds where the parent is tauri://localhost or asset://localhost. LiveNewsPanel and LiveWebcamsPanel already pass parentOrigin=window.location.origin in the embed URL; the sidecar now reads, validates, and uses it as the postMessage target for all player event messages. The YT API playerVars origin/widget_referrer continue to use the sidecar's own localhost origin which YouTube requires. Also restore World Bank relay to a generic proxy: replace TECH_INDICATORS membership check with a format-only regex so any valid indicator code (NY.GDP.MKTP.CD etc.) is accepted, not just the 16 tech-sector codes. 2026-03-20 12:37:24 +04:00			`const isGoogleNews = isGoogleNewsFeedUrl(feedUrl);`
Increase RSS proxy timeouts for Google News - Google News feeds: 20s timeout (often slow) - Other feeds: 12s timeout - Use more realistic browser User-Agent 2026-01-11 10:21:59 +04:00			`const timeout = isGoogleNews ? 20000 : 12000;`

Harden Railway relay auth, caching, and proxy routing (#320) 2026-02-24 16:24:20 +00:00			`const fetchDirect = async () => {`
			`const response = await fetchWithTimeout(feedUrl, {`
refactor: dedupe rss proxy domain and header checks (#1612) 2026-03-15 02:22:28 +04:00			`headers: DIRECT_FETCH_HEADERS,`
Harden Railway relay auth, caching, and proxy routing (#320) 2026-02-24 16:24:20 +00:00			`redirect: 'manual',`
			`}, timeout);`
Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-11 07:34:57 +04:00
Harden Railway relay auth, caching, and proxy routing (#320) 2026-02-24 16:24:20 +00:00			`if (response.status >= 300 && response.status < 400) {`
			`const location = response.headers.get('location');`
			`if (location) {`
fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist 2026-02-15 20:33:20 +04:00			`const redirectUrl = new URL(location, feedUrl);`
fix(api): harden IP extraction, input validation, redirect SSRF check, and origin-pattern parity (#1013) - register-interest.js: coerce source/appVersion to string with a 100-char cap before forwarding to Convex. Non-string values (objects, arrays) are truthy so the previous \|\| 'unknown' guard passed them through, causing Convex to throw a type-validation error and surface a 500 to the caller. Also fixes unbounded metadata strings filling the registrations table cheaply. - rss-proxy.js: apply the same www-normalization used by the initial domain check to the 301-redirect hostname check. The old bare ALLOWED_DOMAINS.includes(hostname) call rejected canonical redirects (e.g. bbc.co.uk -> www.bbc.co.uk) even when one form is allowlisted, breaking several feeds silently. - _api-key.js: align BROWSER_ORIGIN_PATTERNS Vercel-preview regex with the narrower pattern already enforced by _cors.js (worldmonitor--elie-.vercel.app). The broader worldmonitor-*.vercel.app pattern was dead code because _cors.js rejects those origins before _api-key.js is reached. 2026-03-05 08:48:59 +05:30			`// Apply the same www-normalization as the initial domain check so that`
			`// canonical redirects (e.g. bbc.co.uk → www.bbc.co.uk) are not`
			`// incorrectly rejected when only one form is in the allowlist.`
			`const rHost = redirectUrl.hostname;`
refactor: dedupe rss proxy domain and header checks (#1612) 2026-03-15 02:22:28 +04:00			`if (!isAllowedDomain(rHost)) {`
Harden Railway relay auth, caching, and proxy routing (#320) 2026-02-24 16:24:20 +00:00			`throw new Error('Redirect to disallowed domain');`
fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist 2026-02-15 20:33:20 +04:00			`}`
Harden Railway relay auth, caching, and proxy routing (#320) 2026-02-24 16:24:20 +00:00			`return fetchWithTimeout(redirectUrl.href, {`
refactor: dedupe rss proxy domain and header checks (#1612) 2026-03-15 02:22:28 +04:00			`headers: DIRECT_FETCH_HEADERS,`
fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist 2026-02-15 20:33:20 +04:00			`}, timeout);`
			`}`
			`}`
Harden Railway relay auth, caching, and proxy routing (#320) 2026-02-24 16:24:20 +00:00
			`return response;`
			`};`

			`let response;`
			`let usedRelay = false;`
perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts 2026-03-03 00:25:26 +04:00
			`if (isRelayOnly) {`
			`// Skip direct fetch entirely — these domains block Vercel IPs`
Harden Railway relay auth, caching, and proxy routing (#320) 2026-02-24 16:24:20 +00:00			`response = await fetchViaRailway(feedUrl, timeout);`
			`usedRelay = !!response;`
perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts 2026-03-03 00:25:26 +04:00			if (!response) throw new Error(`Railway relay unavailable for relay-only domain: ${hostname}`);
			`} else {`
			`try {`
			`response = await fetchDirect();`
			`} catch (directError) {`
			`response = await fetchViaRailway(feedUrl, timeout);`
			`usedRelay = !!response;`
			`if (!response) throw directError;`
			`}`
Harden Railway relay auth, caching, and proxy routing (#320) 2026-02-24 16:24:20 +00:00
perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts 2026-03-03 00:25:26 +04:00			`if (!response.ok && !usedRelay) {`
			`const relayResponse = await fetchViaRailway(feedUrl, timeout);`
feat: harness engineering P0 - linting, testing, architecture docs (#1587) * feat: harness engineering P0 - linting, testing, architecture docs Add foundational infrastructure for agent-first development: - AGENTS.md: agent entry point with progressive disclosure to deeper docs - ARCHITECTURE.md: 12-section system reference with source-file refs and ownership rule - Biome 2.4.7 linter with project-tuned rules, CI workflow (lint-code.yml) - Architectural boundary lint enforcing forward-only dependency direction (lint-boundaries.mjs) - Unit test CI workflow (test.yml), all 1083 tests passing - Fixed 9 pre-existing test failures (bootstrap sync, deploy-config headers, globe parity, redis mocks, geometry URL, import.meta.env null safety) - Fixed 12 architectural boundary violations (types moved to proper layers) - Added 3 missing cache tier entries in gateway.ts - Synced cache-keys.ts with bootstrap.js - Renamed docs/architecture.mdx to "Design Philosophy" with cross-references - Deprecated legacy docs/Docs_To_Review/ARCHITECTURE.md - Harness engineering roadmap tracking doc * fix: address PR review feedback on harness-engineering-p0 - countries-geojson.test.mjs: skip gracefully when CDN unreachable instead of failing CI on network issues - country-geometry-overrides.test.mts: relax timing assertion (250ms -> 2000ms) for constrained CI environments - lint-boundaries.mjs: implement the documented api/ boundary check (was documented but missing, causing false green) * fix(lint): scan api/ .ts files in boundary check The api/ boundary check only scanned .js/.mjs files, missing the 25 sebuf RPC .ts edge functions. Now scans .ts files with correct rules: - Legacy .js: fully self-contained (no server/ or src/ imports) - RPC .ts: may import server/ and src/generated/ (bundled at deploy), but blocks imports from src/ application code * fix(lint): detect import() type expressions in boundary lint - Move AppContext back to app/app-context.ts (aggregate type that references components/services/utils belongs at the top, not types/) - Move HappyContentCategory and TechHQ to types/ (simple enums/interfaces) - Boundary lint now catches import('@/layer') expressions, not just from '@/layer' imports - correlation-engine imports of AppContext marked boundary-ignore (type-only imports of top-level aggregate) 2026-03-14 21:29:21 +04:00			`if (relayResponse?.ok) {`
perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts 2026-03-03 00:25:26 +04:00			`response = relayResponse;`
			`}`
Harden Railway relay auth, caching, and proxy routing (#320) 2026-02-24 16:24:20 +00:00			`}`
fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 - Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing - Move sidecar /api/local-env-update behind token auth + add key allowlist - Add postMessage origin/source validation in LiveNewsPanel - Replace postMessage wildcard '*' targetOrigin with specific origin - Add isDisallowedOrigin() check to 25 API endpoints missing it - Migrate gdelt-geo & EIA from custom CORS to shared _cors.js - Add CORS to firms-fires, stock-index, youtube/live endpoints - Tighten youtube/embed.js ALLOWED_ORIGINS regex - Remove 'unsafe-inline' from CSP script-src - Add iframe sandbox attribute to YouTube embed - Validate meta-tags URL query params with regex allowlist 2026-02-15 20:33:20 +04:00			`}`

Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-11 07:34:57 +04:00			`const data = await response.text();`
feat(news): server-side feed aggregation to reduce edge invocations by ~95% (#622) Phase 1: Force CDN caching on rss-proxy (s-maxage=300 for 2xx, short TTL for errors) — fixes bug where upstream no-cache headers were passed through verbatim, defeating Vercel CDN. Phase 2: Add ListFeedDigest RPC that aggregates all feeds server-side into a single Redis-cached response. Client makes 1 request instead of ~90 per cycle. Includes circuit breaker with persistent cache fallback, per-feed AI reclassification, and headline ingestion parity. Phase 3: Increase polling interval from 5min to 7min to offset CDN cache alignment. New files: - proto/worldmonitor/news/v1/list_feed_digest.proto - server/worldmonitor/news/v1/{_feeds,_classifier,list-feed-digest}.ts - src/services/ai-classify-queue.ts (extracted from rss.ts) 2026-03-01 05:13:54 +04:00			`const isSuccess = response.status >= 200 && response.status < 300;`
perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts 2026-03-03 00:25:26 +04:00			`// Relay-only feeds are slow-updating institutional sources — cache longer`
			`const cdnTtl = isRelayOnly ? 3600 : 900;`
			`const swr = isRelayOnly ? 7200 : 1800;`
			`const sie = isRelayOnly ? 14400 : 3600;`
			`const browserTtl = isRelayOnly ? 600 : 180;`
Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-11 07:34:57 +04:00			`return new Response(data, {`
			`status: response.status,`
			`headers: {`
Harden Railway relay auth, caching, and proxy routing (#320) 2026-02-24 16:24:20 +00:00			`'Content-Type': response.headers.get('content-type') \|\| 'application/xml',`
feat(news): server-side feed aggregation to reduce edge invocations by ~95% (#622) Phase 1: Force CDN caching on rss-proxy (s-maxage=300 for 2xx, short TTL for errors) — fixes bug where upstream no-cache headers were passed through verbatim, defeating Vercel CDN. Phase 2: Add ListFeedDigest RPC that aggregates all feeds server-side into a single Redis-cached response. Client makes 1 request instead of ~90 per cycle. Includes circuit breaker with persistent cache fallback, per-feed AI reclassification, and headline ingestion parity. Phase 3: Increase polling interval from 5min to 7min to offset CDN cache alignment. New files: - proto/worldmonitor/news/v1/list_feed_digest.proto - server/worldmonitor/news/v1/{_feeds,_classifier,list-feed-digest}.ts - src/services/ai-classify-queue.ts (extracted from rss.ts) 2026-03-01 05:13:54 +04:00			`'Cache-Control': isSuccess`
perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts 2026-03-03 00:25:26 +04:00			? `public, max-age=${browserTtl}, s-maxage=${cdnTtl}, stale-while-revalidate=${swr}, stale-if-error=${sie}`
Cost/traffic hardening, runtime fallback controls, and PostHog removal (#638) - Remove PostHog analytics runtime and configuration - Add API rate limiting (api/_rate-limit.js) - Harden traffic controls across edge functions - Add runtime fallback controls and data-loader improvements - Add military base data scripts (fetch-mirta-bases, fetch-osm-bases) - Gitignore large raw data files - Settings playground prototypes 2026-03-01 11:53:20 +04:00			`: 'public, max-age=15, s-maxage=60, stale-while-revalidate=120',`
perf(rss-proxy): skip wasted direct fetch for Vercel-blocked domains (#815) Domains like UN, WHO, IAEA, SCMP etc. consistently block Vercel edge IPs. Previously every cache miss triggered a doomed direct fetch (12s timeout) before falling back to Railway relay. - Add RELAY_ONLY_DOMAINS Set at module scope matching Railway relay's allowedDomains — these skip fetchDirect() entirely - Bump CDN TTLs for relay-only feeds (60min vs 15min) since they are slow-updating institutional sources - Saves ~12s latency per cache miss on 18 feeds, ~75% fewer wasted upstream fetch attempts 2026-03-03 00:25:26 +04:00			...(isSuccess && { 'CDN-Cache-Control': `public, s-maxage=${cdnTtl}, stale-while-revalidate=${swr}, stale-if-error=${sie}` }),
Add CORS support for Vercel preview domains in RSS proxy 2026-01-25 12:32:27 +04:00			`...corsHeaders,`
Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-11 07:34:57 +04:00			`},`
			`});`
			`} catch (error) {`
Fix API timeouts and reduce OpenSky requests - Add explicit timeouts to OpenSky (12s) and RSS (8s) proxies - Consolidate 10 military hotspots into 4 larger regions - Increase military refresh interval from 2 to 5 minutes - Switch OpenAI feed to Google News (OpenAI blocks proxies) 2026-01-11 08:50:19 +04:00			`const isTimeout = error.name === 'AbortError';`
Fix PizzINT routes with explicit endpoint files - Replace catch-all route with explicit files - api/pizzint/dashboard-data.js for /api/pizzint/dashboard-data - api/pizzint/gdelt/batch.js for /api/pizzint/gdelt/batch - Improve rss-proxy error handling with more details 2026-01-11 10:21:13 +04:00			`console.error('RSS proxy error:', feedUrl, error.message);`
refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import. 2026-03-16 11:52:56 +04:00			`return jsonResponse({`
Fix PizzINT routes with explicit endpoint files - Replace catch-all route with explicit files - api/pizzint/dashboard-data.js for /api/pizzint/dashboard-data - api/pizzint/gdelt/batch.js for /api/pizzint/gdelt/batch - Improve rss-proxy error handling with more details 2026-01-11 10:21:13 +04:00			`error: isTimeout ? 'Feed timeout' : 'Failed to fetch feed',`
			`details: error.message,`
			`url: feedUrl`
refactor: dedupe edge api json response assembly (#1702) * refactor: dedupe edge api json response assembly * refactor: expand jsonResponse helper to all edge functions Roll out jsonResponse() from _json-response.js to 16 files (14 handlers + 2 shared helpers), eliminating 55 instances of the new Response(JSON.stringify(...)) boilerplate. Only exception: health.js uses JSON.stringify(body, null, indent) for pretty-print mode, which is incompatible with the helper signature. Replaced local jsonResponse/json() definitions in contact.js, register-interest.js, and cache-purge.js with the shared import. 2026-03-16 11:52:56 +04:00			`}, isTimeout ? 504 : 502, corsHeaders);`
Replace corsproxy.io with Vercel serverless proxies - Add /api/yahoo-finance.js for stock quotes - Add /api/coingecko.js for crypto prices - Add /api/polymarket.js for prediction markets - Add /api/rss-proxy.js for RSS feeds (with domain allowlist) - Add /api/earthquakes.js for USGS data - Update feeds.ts to use direct URLs with RSS proxy - Simplify proxy.ts (no external CORS proxy needed) - Update earthquakes.ts and polymarket.ts to use new endpoints Eliminates dependency on unreliable third-party CORS proxy. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-11 07:34:57 +04:00			`}`
			`}`