Compare commits
34 Commits
090e90ea70
...
codex/issu
| Author | SHA1 | Date | |
|---|---|---|---|
| e0e408d1eb | |||
| c159c83a07 | |||
|
|
a1d415e449 | ||
|
|
0f5f9c5f91 | ||
| 096544f6e6 | |||
|
|
5a3dbc6252 | ||
| 9f2083a324 | |||
| dd08ecaf27 | |||
|
|
bc354e7bc5 | ||
| 1c2b48f588 | |||
|
|
a590bf62c2 | ||
| 6a9918bc98 | |||
|
|
4448f5931b | ||
| 9b15913049 | |||
|
|
331175ae3c | ||
| e288881c41 | |||
|
|
e4834cd3cd | ||
|
|
0fbd8640ca | ||
|
|
3069114ffd | ||
|
|
09df127e06 | ||
|
|
c102017b16 | ||
|
|
eefc1a4c77 | ||
| 49176b42fd | |||
| e70801ae98 | |||
| 703670e7a0 | |||
|
|
1423dca199 | ||
|
|
5b013947b4 | ||
|
|
5113e341b2 | ||
| d7f10bf545 | |||
|
|
2025ae09db | ||
|
|
446076cb84 | ||
|
|
6096a0ad03 | ||
|
|
d7df2e4aee | ||
|
|
b2f604b120 |
@@ -18,7 +18,7 @@ Production-ready Crucix fork for Docker, Dockge, Pangolin, local OSINT sweeps, s
|
||||
- `npm run test:unit`
|
||||
- `npm test`
|
||||
- `docker compose config`
|
||||
- `docker build -t git.wilkensxl.de/mrsphay/intelligence-terminal:latest .`
|
||||
- `docker build -t git.wilkensxl.de/code-inc/intelligence-terminal:latest .`
|
||||
|
||||
Heavy install/build/audit/release work should run on Gitea Ubuntu runners where possible. Local work should stay limited to targeted verification and Docker checks required for this deployment.
|
||||
|
||||
|
||||
@@ -10,10 +10,13 @@ STALE_ALERT_COOLDOWN_MINUTES=60
|
||||
DASHBOARD_URL=
|
||||
TERMINAL_ACTIONS_ENABLED=true
|
||||
SWEEP_TOKEN=
|
||||
SSE_HEARTBEAT_INTERVAL_MS=25000
|
||||
TERMINAL_ACTION_RATE_LIMIT_WINDOW_MS=60000
|
||||
TERMINAL_ACTION_RATE_LIMIT_MAX=10
|
||||
BRIEF_VERBOSITY=standard
|
||||
|
||||
# LLM layer
|
||||
# Providers: openrouter | openai-compatible | lmstudio | ollama | openai | anthropic | gemini | mistral | minimax | grok | codex
|
||||
# Providers: litellm | openrouter | openai-compatible | lmstudio | ollama | openai | anthropic | gemini | mistral | minimax | grok | codex
|
||||
LLM_PROVIDER=openrouter
|
||||
LLM_BASE_URL=https://openrouter.ai/api/v1
|
||||
LLM_API_KEY=
|
||||
@@ -21,10 +24,11 @@ LLM_MODEL=openrouter/free
|
||||
LLM_TEMPERATURE=0.2
|
||||
LLM_MAX_TOKENS=2000
|
||||
LLM_TIMEOUT_MS=90000
|
||||
OPENROUTER_SITE_URL=https://git.wilkensxl.de/MrSphay/intelligence-terminal
|
||||
OPENROUTER_SITE_URL=https://git.wilkensxl.de/Code-Inc/intelligence-terminal
|
||||
OPENROUTER_APP_NAME=Intelligence Terminal
|
||||
|
||||
# Local OpenAI-compatible examples
|
||||
# LiteLLM: LLM_PROVIDER=litellm, LLM_BASE_URL=https://llm.example.com/v1, LLM_API_KEY=your-proxy-key, LLM_MODEL=your-model-alias
|
||||
# LM Studio: LLM_PROVIDER=lmstudio, LLM_BASE_URL=http://host.docker.internal:1234/v1, LLM_MODEL=local-model
|
||||
# Ollama: LLM_PROVIDER=ollama, LLM_BASE_URL=http://host.docker.internal:11434, LLM_MODEL=llama3.1:8b
|
||||
# Generic: LLM_PROVIDER=openai-compatible, LLM_BASE_URL=http://host.docker.internal:8000/v1, LLM_MODEL=your-model
|
||||
|
||||
@@ -15,7 +15,7 @@ jobs:
|
||||
env:
|
||||
REGISTRY_HOST: git.wilkensxl.de
|
||||
REGISTRY_USERNAME: MrSphay
|
||||
REGISTRY_NAMESPACE: mrsphay
|
||||
REGISTRY_NAMESPACE: code-inc
|
||||
IMAGE_NAME: intelligence-terminal
|
||||
REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
|
||||
steps:
|
||||
@@ -46,7 +46,7 @@ jobs:
|
||||
docker build -t "${image}:${build_tag}" .
|
||||
|
||||
- name: Publish Docker image
|
||||
if: ${{ env.REGISTRY_TOKEN != '' }}
|
||||
if: ${{ env.REGISTRY_TOKEN != '' && github.event_name == 'push' && github.ref == 'refs/heads/codex/production-intelligence-terminal' }}
|
||||
shell: bash
|
||||
run: |
|
||||
image="${REGISTRY_HOST}/${REGISTRY_NAMESPACE}/${IMAGE_NAME}"
|
||||
|
||||
@@ -18,8 +18,8 @@ Intelligence Terminal is a Docker-first Crucix fork for home-server OSINT, marke
|
||||
- Unit tests: `npm run test:unit`
|
||||
- Full tests: `npm test`
|
||||
- Compose validation: `docker compose config`
|
||||
- Docker image: `docker build -t git.wilkensxl.de/mrsphay/intelligence-terminal:latest .`
|
||||
- Docker image: `docker build -t git.wilkensxl.de/code-inc/intelligence-terminal:latest .`
|
||||
|
||||
## Release Target
|
||||
|
||||
Push source to `https://git.wilkensxl.de/MrSphay/intelligence-terminal.git` and publish the Docker image to `git.wilkensxl.de/mrsphay/intelligence-terminal`.
|
||||
Push source to `https://git.wilkensxl.de/Code-Inc/intelligence-terminal.git` and publish the Docker image to `git.wilkensxl.de/code-inc/intelligence-terminal`.
|
||||
|
||||
70
README.md
70
README.md
@@ -4,8 +4,8 @@
|
||||
|
||||
**Self-hosted intelligence dashboard. 27 open sources. Docker-first. No telemetry.**
|
||||
|
||||
[](https://git.wilkensxl.de/MrSphay/intelligence-terminal)
|
||||
[](https://git.wilkensxl.de/MrSphay/-/packages/container/intelligence-terminal/latest)
|
||||
[](https://git.wilkensxl.de/Code-Inc/intelligence-terminal)
|
||||
[](https://git.wilkensxl.de/Code-Inc/-/packages/container/intelligence-terminal/latest)
|
||||
|
||||
[](#quick-start)
|
||||
[](LICENSE)
|
||||
@@ -32,7 +32,7 @@
|
||||
|
||||
> **Supported deployment:** private home-server or lab deployment through Docker, Dockge, Pangolin, or local Node.js.
|
||||
> Runtime data stays in your configured `runs/` volume and API keys are operator-owned.
|
||||
> **Source:** [git.wilkensxl.de/MrSphay/intelligence-terminal](https://git.wilkensxl.de/MrSphay/intelligence-terminal)
|
||||
> **Source:** [git.wilkensxl.de/Code-Inc/intelligence-terminal](https://git.wilkensxl.de/Code-Inc/intelligence-terminal)
|
||||
> Pull the image or clone the repository to run Intelligence Terminal on your own infrastructure.
|
||||
|
||||
Intelligence Terminal pulls satellite fire detection, flight tracking, radiation monitoring, satellite constellation tracking, economic indicators, live market prices, conflict data, sanctions lists, and social sentiment from 27 open-source intelligence feeds in parallel, every 15 minutes, and renders everything on a single self-contained dashboard.
|
||||
@@ -66,7 +66,7 @@ It was built for anyone who wants to understand what's actually happening in the
|
||||
|
||||
```bash
|
||||
# 1. Clone the repo
|
||||
git clone https://git.wilkensxl.de/MrSphay/intelligence-terminal.git
|
||||
git clone https://git.wilkensxl.de/Code-Inc/intelligence-terminal.git
|
||||
cd intelligence-terminal
|
||||
|
||||
# 2. Install dependencies (just Express)
|
||||
@@ -92,7 +92,7 @@ The dashboard opens automatically at `http://localhost:3117` and immediately beg
|
||||
### Docker
|
||||
|
||||
```bash
|
||||
docker pull git.wilkensxl.de/mrsphay/intelligence-terminal:latest
|
||||
docker pull git.wilkensxl.de/code-inc/intelligence-terminal:latest
|
||||
```
|
||||
|
||||
Dashboard at `http://localhost:3117`. Sweep data persists in `./runs/` via volume mount. The container disables browser auto-open by default, exposes `/api/health` and `/api/metrics`, and is suitable for Dockge/Pangolin.
|
||||
@@ -102,7 +102,7 @@ Dashboard at `http://localhost:3117`. Sweep data persists in `./runs/` via volum
|
||||
```yaml
|
||||
services:
|
||||
intelligence-terminal:
|
||||
image: git.wilkensxl.de/mrsphay/intelligence-terminal:latest
|
||||
image: git.wilkensxl.de/code-inc/intelligence-terminal:latest
|
||||
container_name: intelligence-terminal
|
||||
env_file:
|
||||
- path: .env
|
||||
@@ -134,6 +134,9 @@ STALE_ALERT_COOLDOWN_MINUTES=60
|
||||
DASHBOARD_URL=https://intelligence.example.internal
|
||||
TERMINAL_ACTIONS_ENABLED=true
|
||||
SWEEP_TOKEN=
|
||||
SSE_HEARTBEAT_INTERVAL_MS=25000
|
||||
TERMINAL_ACTION_RATE_LIMIT_WINDOW_MS=60000
|
||||
TERMINAL_ACTION_RATE_LIMIT_MAX=10
|
||||
BRIEF_VERBOSITY=standard
|
||||
|
||||
LLM_PROVIDER=openrouter
|
||||
@@ -143,7 +146,7 @@ LLM_MODEL=openrouter/free
|
||||
LLM_TEMPERATURE=0.2
|
||||
LLM_MAX_TOKENS=2000
|
||||
LLM_TIMEOUT_MS=90000
|
||||
OPENROUTER_SITE_URL=https://git.wilkensxl.de/MrSphay/intelligence-terminal
|
||||
OPENROUTER_SITE_URL=https://git.wilkensxl.de/Code-Inc/intelligence-terminal
|
||||
OPENROUTER_APP_NAME=Intelligence Terminal
|
||||
|
||||
FRED_API_KEY=
|
||||
@@ -166,6 +169,12 @@ DISCORD_WEBHOOK_URL=
|
||||
Local LLM examples:
|
||||
|
||||
```env
|
||||
# LiteLLM proxy (the URL must include the OpenAI-compatible /v1 path)
|
||||
LLM_PROVIDER=litellm
|
||||
LLM_BASE_URL=https://llm.example.com/v1
|
||||
LLM_API_KEY=your-litellm-api-key
|
||||
LLM_MODEL=your-model-alias
|
||||
|
||||
# LM Studio
|
||||
LLM_PROVIDER=lmstudio
|
||||
LLM_BASE_URL=http://host.docker.internal:1234/v1
|
||||
@@ -185,9 +194,22 @@ LLM_MODEL=your-model
|
||||
|
||||
For Pangolin or another reverse proxy, forward HTTP traffic to `intelligence-terminal:3117` (or the `PORT` you set). Missing API keys do not crash sweeps; affected sources are reported as degraded in `/api/health`.
|
||||
|
||||
When data remains stale past `STALE_DATA_MAX_AGE_MINUTES`, the server sends an operator alert through configured Telegram/Discord channels after failed or degraded sweep attempts. `STALE_ALERT_COOLDOWN_MINUTES` prevents repeated stale alerts from spamming every refresh interval. Set `DASHBOARD_URL` to the Pangolin/public URL you want included in those alerts.
|
||||
#### Terminal Action Exposure
|
||||
|
||||
The dashboard Terminal Actions panel can trigger `status`, `sweep`, and `brief` through `/api/action`. Leave `TERMINAL_ACTIONS_ENABLED=true` for a private home-server deployment. For an internet-exposed deployment, set `SWEEP_TOKEN` and pass it through trusted automation, or set `TERMINAL_ACTIONS_ENABLED=false` to disable browser-triggered actions. If you protect actions with `SWEEP_TOKEN`, the browser can send it from `localStorage.crucix_sweep_token`.
|
||||
`POST /api/action` and `POST /api/sweep` can trigger operational actions such as manual sweeps. The dashboard has a **SET TOKEN** control that stores your `SWEEP_TOKEN` in browser local storage and sends it as the `x-crucix-token` header; do not put action tokens in URLs.
|
||||
|
||||
Recommended settings:
|
||||
|
||||
| Deployment | Settings |
|
||||
| --- | --- |
|
||||
| Private local machine | `NODE_ENV=development`, optional `SWEEP_TOKEN`, optional `TERMINAL_ACTIONS_ENABLED=true`. Localhost can run actions without a token for development. |
|
||||
| Private LAN / Dockge | Set a strong `SWEEP_TOKEN`, keep `TERMINAL_ACTIONS_ENABLED=true`, expose only to trusted clients. |
|
||||
| Pangolin-authenticated reverse proxy | Set a strong `SWEEP_TOKEN`, keep Pangolin auth in front, use the dashboard **SET TOKEN** flow once per browser. |
|
||||
| Public internet | Do not expose Terminal Actions directly. If exposure is unavoidable, require `SWEEP_TOKEN`, keep proxy authentication enabled, lower `TERMINAL_ACTION_RATE_LIMIT_MAX`, and monitor server audit logs. |
|
||||
|
||||
Action endpoints reject cross-origin POST origins, apply a small in-memory per-IP rate limit, and write sanitized audit lines without logging the token.
|
||||
|
||||
When data remains stale past `STALE_DATA_MAX_AGE_MINUTES`, the server sends an operator alert through configured Telegram/Discord channels after failed or degraded sweep attempts. `STALE_ALERT_COOLDOWN_MINUTES` prevents repeated stale alerts from spamming every refresh interval. Set `DASHBOARD_URL` to the Pangolin/public URL you want included in those alerts.
|
||||
|
||||
#### Memory And Prediction Loop
|
||||
|
||||
@@ -219,6 +241,22 @@ Retention, backup, and privacy expectations:
|
||||
- Do not commit `runs/` or `.env`. API credentials stay in `.env`; memory stores derived observations, not secrets.
|
||||
- If you expose the dashboard through a reverse proxy, protect Terminal Actions and memory queries behind your normal authentication boundary.
|
||||
|
||||
#### Reverse Proxy SSE
|
||||
|
||||
The dashboard receives live sweep updates from `GET /events` using Server-Sent Events. The server sends `retry: 10000` reconnect guidance and lightweight heartbeat comments every `SSE_HEARTBEAT_INTERVAL_MS` milliseconds so reverse proxies do not close an otherwise idle stream between 15-minute sweeps.
|
||||
|
||||
Recommended proxy settings:
|
||||
|
||||
| Proxy | Setting |
|
||||
| --- | --- |
|
||||
| Pangolin / Traefik-style frontends | Keep response streaming enabled and set idle timeouts above `SSE_HEARTBEAT_INTERVAL_MS`. |
|
||||
| Nginx | Disable proxy buffering for `/events`, keep `proxy_read_timeout` above the heartbeat interval, and preserve `Connection: keep-alive`. |
|
||||
| Cloudflare-style proxies | Keep the heartbeat below common idle cutoffs; the default 25s is intentionally conservative. |
|
||||
|
||||
If you raise the heartbeat interval, keep it shorter than the lowest idle timeout in the proxy chain.
|
||||
|
||||
`/api/metrics` includes network health grouped by host and source/provider. Source modules should use `safeFetch(url, { source: 'SourceName' })`; when omitted, the shared helper infers a stable provider bucket from the URL host instead of grouping normal source traffic under `unknown`. Raw fetch exceptions are documented in [Source Fetch Instrumentation](docs/source-fetch-instrumentation.md).
|
||||
|
||||
#### Scenario Watchlist
|
||||
|
||||
Intelligence Terminal can track operator hypotheses across sweeps with a runtime scenario file at `runs/scenarios.json`. On first run, the server creates three disabled starter examples:
|
||||
@@ -256,10 +294,10 @@ Scenario states are `dormant`, `watching`, `building`, and `confirmed`. The dash
|
||||
|
||||
```bash
|
||||
docker login git.wilkensxl.de -u MrSphay
|
||||
docker build -t git.wilkensxl.de/mrsphay/intelligence-terminal:latest .
|
||||
docker tag git.wilkensxl.de/mrsphay/intelligence-terminal:latest git.wilkensxl.de/mrsphay/intelligence-terminal:20260516
|
||||
docker push git.wilkensxl.de/mrsphay/intelligence-terminal:latest
|
||||
docker push git.wilkensxl.de/mrsphay/intelligence-terminal:20260516
|
||||
docker build -t git.wilkensxl.de/code-inc/intelligence-terminal:latest .
|
||||
docker tag git.wilkensxl.de/code-inc/intelligence-terminal:latest git.wilkensxl.de/code-inc/intelligence-terminal:YYYYMMDD
|
||||
docker push git.wilkensxl.de/code-inc/intelligence-terminal:latest
|
||||
docker push git.wilkensxl.de/code-inc/intelligence-terminal:YYYYMMDD
|
||||
```
|
||||
|
||||
Gitea Actions publishes the same image automatically when the repository secret `REGISTRY_TOKEN` is set with package read/write permissions. The workflow tags images as `latest`, the commit SHA, and a UTC `YYYYMMDD` release tag.
|
||||
@@ -348,7 +386,7 @@ Alerts are delivered as rich embeds with color-coded sidebars: red for FLASH, ye
|
||||
Connect cloud or local OpenAI-compatible LLM providers for enhanced analysis:
|
||||
- **AI trade ideas** — quantitative analyst producing 5-8 actionable ideas citing specific data
|
||||
- **Smarter alert evaluation** — LLM classifies signals into FLASH/PRIORITY/ROUTINE tiers with cross-domain correlation and confidence scoring
|
||||
- Providers: OpenRouter, OpenAI-compatible APIs, LM Studio, Ollama, OpenAI, Anthropic Claude, Google Gemini, OpenAI Codex, MiniMax, Mistral, Grok
|
||||
- Providers: LiteLLM, OpenRouter, OpenAI-compatible APIs, LM Studio, Ollama, OpenAI, Anthropic Claude, Google Gemini, OpenAI Codex, MiniMax, Mistral, Grok
|
||||
- Graceful fallback — when LLM is unavailable, a rule-based engine takes over alert evaluation. LLM failures never crash the sweep cycle.
|
||||
|
||||
Primary env keys:
|
||||
@@ -593,7 +631,7 @@ All settings are in `.env` with sensible defaults:
|
||||
| `STALE_DATA_MAX_AGE_MINUTES` | `60` | Data age threshold for stale health state |
|
||||
| `STALE_ALERT_COOLDOWN_MINUTES` | `60` | Minimum time between repeated operator stale-data alerts |
|
||||
| `DASHBOARD_URL` | local URL | Dashboard URL included in operator alerts |
|
||||
| `LLM_PROVIDER` | disabled | `anthropic`, `openai`, `gemini`, `codex`, `openrouter`, `minimax`, `mistral`, or `grok` |
|
||||
| `LLM_PROVIDER` | disabled | `litellm`, `openrouter`, `openai-compatible`, `lmstudio`, `ollama`, `anthropic`, `openai`, `gemini`, `codex`, `minimax`, `mistral`, or `grok` |
|
||||
| `LLM_API_KEY` | — | API key (not needed for codex) |
|
||||
| `LLM_MODEL` | per-provider default | Override model selection |
|
||||
| `TELEGRAM_BOT_TOKEN` | disabled | For Telegram alerts + bot commands |
|
||||
@@ -719,7 +757,7 @@ For contribution guidelines, review expectations, and source-add rules, see `CON
|
||||
|
||||
For bugs, feature requests, and integration ideas, use the Gitea issue tracker so discussion stays visible and actionable:
|
||||
|
||||
https://git.wilkensxl.de/MrSphay/intelligence-terminal/issues
|
||||
https://git.wilkensxl.de/Code-Inc/intelligence-terminal/issues
|
||||
|
||||
## Upstream And License
|
||||
|
||||
|
||||
@@ -59,7 +59,8 @@ export async function runSource(name, fn, ...args) {
|
||||
});
|
||||
const data = await Promise.race([dataPromise, timeoutPromise]);
|
||||
const hasError = Boolean(data?.error);
|
||||
const isDegraded = hasError || ['no_credentials', 'degraded', 'failed'].includes(data?.status);
|
||||
const degradedStatuses = ['no_credentials', 'no_key', 'disabled', 'degraded', 'failed', 'error'];
|
||||
const isDegraded = hasError || degradedStatuses.includes(data?.status);
|
||||
return {
|
||||
name,
|
||||
status: isDegraded ? 'degraded' : 'ok',
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
// ADS-B Exchange — Unfiltered Flight Tracking (including Military)
|
||||
// Unlike FlightRadar24/FlightAware, ADS-B Exchange does NOT filter military aircraft.
|
||||
// Public feed access varies; RapidAPI tier available for programmatic use.
|
||||
// This module attempts the public endpoints and falls back to a documented stub.
|
||||
// This module reports explicit disabled/degraded state instead of making
|
||||
// unavailable aircraft data look live.
|
||||
|
||||
import { safeFetch } from '../utils/fetch.mjs';
|
||||
|
||||
@@ -140,6 +141,7 @@ async function fetchViaRapidApi(apiKey) {
|
||||
// Get all military aircraft
|
||||
const data = await safeFetch(`${ENDPOINTS.rapidApi}/mil`, {
|
||||
timeout: 20000,
|
||||
source: 'adsb-rapidapi',
|
||||
headers: {
|
||||
'X-RapidAPI-Key': apiKey,
|
||||
'X-RapidAPI-Host': 'adsbexchange-com1.p.rapidapi.com',
|
||||
@@ -151,21 +153,26 @@ async function fetchViaRapidApi(apiKey) {
|
||||
|
||||
// Attempt to fetch from public feed
|
||||
async function fetchPublicFeed() {
|
||||
const data = await safeFetch(ENDPOINTS.publicFeed, { timeout: 15000 });
|
||||
const data = await safeFetch(ENDPOINTS.publicFeed, { timeout: 15000, source: 'adsb-public' });
|
||||
return data;
|
||||
}
|
||||
|
||||
// Get military aircraft from available sources
|
||||
export async function getMilitaryAircraft(apiKey) {
|
||||
async function getMilitaryAircraftResult(apiKey) {
|
||||
const failures = [];
|
||||
|
||||
// Try RapidAPI first if key available
|
||||
if (apiKey) {
|
||||
const data = await fetchViaRapidApi(apiKey);
|
||||
if (data && !data.error) {
|
||||
const aircraft = data.ac || data.aircraft || [];
|
||||
if (Array.isArray(aircraft)) {
|
||||
return aircraft.map(classifyAircraft).filter(a => a.isMilitary);
|
||||
return {
|
||||
provider: 'rapidapi',
|
||||
aircraft: aircraft.map(classifyAircraft).filter(a => a.isMilitary),
|
||||
};
|
||||
}
|
||||
}
|
||||
failures.push({ provider: 'rapidapi', error: data?.error || 'RapidAPI returned an unsupported payload' });
|
||||
}
|
||||
|
||||
// Try public feed
|
||||
@@ -173,11 +180,21 @@ export async function getMilitaryAircraft(apiKey) {
|
||||
if (pubData && !pubData.error) {
|
||||
const aircraft = pubData.ac || pubData.aircraft || pubData.states || [];
|
||||
if (Array.isArray(aircraft)) {
|
||||
return aircraft.map(classifyAircraft).filter(a => a.isMilitary);
|
||||
return {
|
||||
provider: 'public-feed',
|
||||
aircraft: aircraft.map(classifyAircraft).filter(a => a.isMilitary),
|
||||
};
|
||||
}
|
||||
}
|
||||
failures.push({ provider: 'public-feed', error: pubData?.error || 'Public feed returned an unsupported payload' });
|
||||
|
||||
return null; // all sources failed
|
||||
return { provider: null, aircraft: null, failures };
|
||||
}
|
||||
|
||||
// Get military aircraft from available sources
|
||||
export async function getMilitaryAircraft(apiKey) {
|
||||
const result = await getMilitaryAircraftResult(apiKey);
|
||||
return result.aircraft;
|
||||
}
|
||||
|
||||
// Get all aircraft in a geographic bounding box via RapidAPI
|
||||
@@ -208,7 +225,8 @@ export async function getAircraftInArea(lat, lon, radiusNm = 250, apiKey) {
|
||||
// Briefing — attempt to get military flight data, document what's available
|
||||
export async function briefing() {
|
||||
const apiKey = process.env.ADSB_API_KEY || process.env.RAPIDAPI_KEY || null;
|
||||
const militaryAircraft = await getMilitaryAircraft(apiKey);
|
||||
const result = await getMilitaryAircraftResult(apiKey);
|
||||
const militaryAircraft = result.aircraft;
|
||||
|
||||
// If we got data, analyze it
|
||||
if (militaryAircraft && militaryAircraft.length > 0) {
|
||||
@@ -255,6 +273,7 @@ export async function briefing() {
|
||||
source: 'ADS-B Exchange',
|
||||
timestamp: new Date().toISOString(),
|
||||
status: 'live',
|
||||
provider: result.provider,
|
||||
totalMilitary: militaryAircraft.length,
|
||||
byCountry,
|
||||
categories: {
|
||||
@@ -269,10 +288,18 @@ export async function briefing() {
|
||||
}
|
||||
|
||||
// No data available — return stub with integration documentation
|
||||
const status = apiKey ? 'degraded' : 'disabled';
|
||||
const error = apiKey
|
||||
? 'ADS-B providers returned no usable aircraft data'
|
||||
: 'ADSB_API_KEY or RAPIDAPI_KEY is not configured';
|
||||
|
||||
return {
|
||||
source: 'ADS-B Exchange',
|
||||
timestamp: new Date().toISOString(),
|
||||
status: apiKey ? 'error' : 'no_key',
|
||||
status,
|
||||
provider: result.provider,
|
||||
error,
|
||||
failures: result.failures,
|
||||
militaryAircraft: [],
|
||||
message: apiKey
|
||||
? 'ADS-B Exchange API returned no data. The endpoint may be temporarily unavailable.'
|
||||
|
||||
@@ -10,6 +10,44 @@ const fetchMetrics = {
|
||||
recent: [],
|
||||
};
|
||||
|
||||
const SOURCE_BY_HOST = [
|
||||
[/api\.bls\.gov$/i, 'BLS'],
|
||||
[/api\.fred\.stlouisfed\.org$/i, 'FRED'],
|
||||
[/api\.eia\.gov$/i, 'EIA'],
|
||||
[/api\.gdeltproject\.org$/i, 'GDELT'],
|
||||
[/api\.weather\.gov$/i, 'NOAA'],
|
||||
[/api\.open-notify\.org$/i, 'OpenNotify'],
|
||||
[/opensky-network\.org$/i, 'OpenSky'],
|
||||
[/firms\.modaps\.eosdis\.nasa\.gov$/i, 'FIRMS'],
|
||||
[/api\.acleddata\.com$/i, 'ACLED'],
|
||||
[/api\.reliefweb\.int$/i, 'ReliefWeb'],
|
||||
[/receiverbook\.de$/i, 'KiwiSDR'],
|
||||
[/safecast\.org$/i, 'Safecast'],
|
||||
[/api\.patentsview\.org$/i, 'PatentsView'],
|
||||
[/api\.trade\.gov$/i, 'Comtrade'],
|
||||
[/api\.usaspending\.gov$/i, 'USASpending'],
|
||||
[/api\.telegram\.org$/i, 'Telegram'],
|
||||
[/oauth\.reddit\.com$/i, 'Reddit'],
|
||||
[/reddit\.com$/i, 'Reddit'],
|
||||
[/api\.bsky\.app$/i, 'Bluesky'],
|
||||
[/api\.yahoo\.com$/i, 'YahooFinance'],
|
||||
[/query\d?\.finance\.yahoo\.com$/i, 'YahooFinance'],
|
||||
[/api\.cloudflare\.com$/i, 'CloudflareRadar'],
|
||||
[/api\.opensanctions\.org$/i, 'OpenSanctions'],
|
||||
[/home\.treasury\.gov$/i, 'Treasury'],
|
||||
[/fiscaldata\.treasury\.gov$/i, 'Treasury'],
|
||||
[/who\.int$/i, 'WHO'],
|
||||
];
|
||||
|
||||
export function inferFetchSource(url) {
|
||||
let host = 'unknown';
|
||||
try { host = new URL(url).host.toLowerCase(); } catch { return 'unknown'; }
|
||||
for (const [pattern, source] of SOURCE_BY_HOST) {
|
||||
if (pattern.test(host)) return source;
|
||||
}
|
||||
return host;
|
||||
}
|
||||
|
||||
function metricBucket(map, key) {
|
||||
if (!map[key]) map[key] = { requests: 0, ok: 0, failed: 0, bytes: 0, lastStatus: null, lastError: null, lastMs: 0 };
|
||||
return map[key];
|
||||
@@ -38,7 +76,7 @@ export function getFetchMetrics() {
|
||||
}
|
||||
|
||||
export async function safeFetch(url, opts = {}) {
|
||||
const { timeout = 15000, retries = 1, headers = {}, source = undefined } = opts;
|
||||
const { timeout = 15000, retries = 1, headers = {}, source = inferFetchSource(url) } = opts;
|
||||
let lastError;
|
||||
for (let i = 0; i <= retries; i++) {
|
||||
const started = Date.now();
|
||||
@@ -79,11 +117,11 @@ export async function safeFetch(url, opts = {}) {
|
||||
if (i < retries) await new Promise(r => setTimeout(r, 2000 * (i + 1)));
|
||||
}
|
||||
}
|
||||
return { error: lastError?.message || 'Unknown error', source: url };
|
||||
return { error: lastError?.message || 'Unknown error', source };
|
||||
}
|
||||
|
||||
export async function safeFetchText(url, opts = {}) {
|
||||
const { timeout = 15000, retries = 1, headers = {}, source = undefined } = opts;
|
||||
const { timeout = 15000, retries = 1, headers = {}, source = inferFetchSource(url) } = opts;
|
||||
let lastError;
|
||||
for (let i = 0; i <= retries; i++) {
|
||||
const started = Date.now();
|
||||
|
||||
@@ -26,17 +26,20 @@ export default {
|
||||
staleAlertCooldownMinutes: intEnv('STALE_ALERT_COOLDOWN_MINUTES', 60),
|
||||
dashboardUrl: process.env.DASHBOARD_URL || null,
|
||||
sweepToken: process.env.SWEEP_TOKEN || null,
|
||||
terminalActionsEnabled: boolEnv('TERMINAL_ACTIONS_ENABLED', true),
|
||||
terminalActionsEnabled: boolEnv('TERMINAL_ACTIONS_ENABLED', !!process.env.SWEEP_TOKEN || process.env.NODE_ENV !== 'production'),
|
||||
terminalActionRateLimitWindowMs: intEnv('TERMINAL_ACTION_RATE_LIMIT_WINDOW_MS', 60_000),
|
||||
terminalActionRateLimitMax: intEnv('TERMINAL_ACTION_RATE_LIMIT_MAX', 10),
|
||||
sseHeartbeatIntervalMs: intEnv('SSE_HEARTBEAT_INTERVAL_MS', 25000),
|
||||
|
||||
llm: {
|
||||
provider: process.env.LLM_PROVIDER || null, // anthropic | openai | gemini | codex | openrouter | minimax | mistral | ollama | grok
|
||||
provider: process.env.LLM_PROVIDER || null, // litellm | openrouter | openai-compatible | lmstudio | ollama | other supported providers
|
||||
apiKey: process.env.LLM_API_KEY || null,
|
||||
model: process.env.LLM_MODEL || null,
|
||||
baseUrl: process.env.LLM_BASE_URL || process.env.OPENAI_BASE_URL || process.env.OLLAMA_BASE_URL || null,
|
||||
temperature: floatEnv('LLM_TEMPERATURE', 0.2),
|
||||
maxTokens: intEnv('LLM_MAX_TOKENS', 2000),
|
||||
timeoutMs: intEnv('LLM_TIMEOUT_MS', 90000),
|
||||
openRouterSiteUrl: process.env.OPENROUTER_SITE_URL || 'https://git.wilkensxl.de/MrSphay/intelligence-terminal',
|
||||
openRouterSiteUrl: process.env.OPENROUTER_SITE_URL || 'https://git.wilkensxl.de/Code-Inc/intelligence-terminal',
|
||||
openRouterAppName: process.env.OPENROUTER_APP_NAME || 'Intelligence Terminal',
|
||||
},
|
||||
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -1,6 +1,6 @@
|
||||
services:
|
||||
intelligence-terminal:
|
||||
image: git.wilkensxl.de/mrsphay/intelligence-terminal:latest
|
||||
image: git.wilkensxl.de/code-inc/intelligence-terminal:latest
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Dockerfile
|
||||
|
||||
@@ -1,6 +1,17 @@
|
||||
# Agent Handoff
|
||||
|
||||
Last updated: 2026-05-17
|
||||
Last updated: 2026-07-03
|
||||
|
||||
## Current Work
|
||||
|
||||
- Canonical repository: `https://git.wilkensxl.de/Code-Inc/intelligence-terminal`
|
||||
- Production baseline before this work: `c159c83a0768486c8c6f445b458b760dba4ba385`
|
||||
- Active branch: `codex/issue-47-litellm-provider`
|
||||
- Issue: `#47 Add first-class LiteLLM provider and publish updated image`
|
||||
- LiteLLM is implemented through the OpenAI-compatible `/chat/completions` API and requires `LLM_BASE_URL`, `LLM_API_KEY`, and `LLM_MODEL`.
|
||||
- The build workflow now targets `git.wilkensxl.de/code-inc/intelligence-terminal` and publishes only from the production branch, not from pull requests.
|
||||
- Runner build/test/image verification and the first `code-inc` registry publication must be recorded here after the branch is pushed and merged.
|
||||
- Related maintenance: issue #21 tracks the failing security scan, #45 tracks the dependency workflow, and #46 tracks remaining namespace/handoff cleanup.
|
||||
|
||||
## Repository State
|
||||
|
||||
@@ -15,7 +26,7 @@ C:\Users\MrSphay\Documents\Codex\Crucix\intelligence-terminal
|
||||
Remotes:
|
||||
|
||||
```text
|
||||
origin https://git.wilkensxl.de/MrSphay/intelligence-terminal.git
|
||||
origin https://git.wilkensxl.de/Code-Inc/intelligence-terminal.git
|
||||
upstream https://github.com/calesthio/Crucix.git
|
||||
```
|
||||
|
||||
@@ -25,23 +36,22 @@ Current branch tip:
|
||||
Run `git rev-parse HEAD` after clone/pull. This handoff was updated by the `docs: sync issue tracker and handoff` commit after the implementation commit below.
|
||||
```
|
||||
|
||||
Latest implementation commit before issue-sync documentation:
|
||||
Production baseline before the current LiteLLM work:
|
||||
|
||||
```text
|
||||
53470cc701ec322080a89d220aef449b25850590
|
||||
c159c83a0768486c8c6f445b458b760dba4ba385
|
||||
```
|
||||
|
||||
Both pushed branches currently point to this commit:
|
||||
The default production branch points to this commit before the current PR:
|
||||
|
||||
```text
|
||||
origin/codex/production-intelligence-terminal
|
||||
origin/main
|
||||
```
|
||||
|
||||
Gitea repository:
|
||||
|
||||
```text
|
||||
https://git.wilkensxl.de/MrSphay/intelligence-terminal
|
||||
https://git.wilkensxl.de/Code-Inc/intelligence-terminal
|
||||
```
|
||||
|
||||
Default branch observed through the Gitea API:
|
||||
@@ -79,7 +89,7 @@ Rules applied from the kit:
|
||||
- `docker-compose.yml` uses the Gitea Registry image by default:
|
||||
|
||||
```text
|
||||
git.wilkensxl.de/mrsphay/intelligence-terminal:latest
|
||||
git.wilkensxl.de/code-inc/intelligence-terminal:latest
|
||||
```
|
||||
|
||||
### API And Health
|
||||
@@ -226,32 +236,27 @@ README includes:
|
||||
|
||||
## Registry And Images
|
||||
|
||||
Registry image:
|
||||
Target registry image after the current production merge:
|
||||
|
||||
```text
|
||||
git.wilkensxl.de/mrsphay/intelligence-terminal
|
||||
git.wilkensxl.de/code-inc/intelligence-terminal
|
||||
```
|
||||
|
||||
Verified package tags through Gitea API:
|
||||
The legacy `mrsphay` package remains available. Verify these new `code-inc` tags after the current runner publication:
|
||||
|
||||
```text
|
||||
latest
|
||||
20260517
|
||||
e933586b220656a2858d2215b934b22d1f08a908
|
||||
53470cc701ec322080a89d220aef449b25850590
|
||||
YYYYMMDD
|
||||
<production-commit-sha>
|
||||
```
|
||||
|
||||
Successful pull test:
|
||||
Required pull verification after publication:
|
||||
|
||||
```bash
|
||||
docker pull git.wilkensxl.de/mrsphay/intelligence-terminal:latest
|
||||
docker pull git.wilkensxl.de/code-inc/intelligence-terminal:latest
|
||||
```
|
||||
|
||||
Observed digest:
|
||||
|
||||
```text
|
||||
sha256:780a41413921bd9a676461eca1cd1372591f523be4b7c9513d9bc085cbe7922d
|
||||
```
|
||||
Record the resulting digest after the runner push.
|
||||
|
||||
## Gitea Actions
|
||||
|
||||
@@ -460,7 +465,7 @@ if ($env:GITEA_TOKEN) { "GITEA_TOKEN=set" } else { "GITEA_TOKEN=missing" }
|
||||
```bash
|
||||
npm run test:unit
|
||||
docker compose --env-file .env.example config
|
||||
docker pull git.wilkensxl.de/mrsphay/intelligence-terminal:latest
|
||||
docker pull git.wilkensxl.de/code-inc/intelligence-terminal:latest
|
||||
```
|
||||
|
||||
6. Start with Dockge/Pangolin using the README compose example and a `.env` based on `.env.example`.
|
||||
@@ -479,11 +484,11 @@ docker pull git.wilkensxl.de/mrsphay/intelligence-terminal:latest
|
||||
For deployment:
|
||||
|
||||
```bash
|
||||
docker pull git.wilkensxl.de/mrsphay/intelligence-terminal:latest
|
||||
docker pull git.wilkensxl.de/code-inc/intelligence-terminal:latest
|
||||
```
|
||||
|
||||
For a pinned deployment:
|
||||
|
||||
```bash
|
||||
docker pull git.wilkensxl.de/mrsphay/intelligence-terminal:20260517
|
||||
docker pull git.wilkensxl.de/code-inc/intelligence-terminal:YYYYMMDD
|
||||
```
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
1. Confirm `.env.example`, README compose sample, and registry image name match.
|
||||
2. Run `npm run test:unit`.
|
||||
3. Run `docker compose config`.
|
||||
4. Build `git.wilkensxl.de/mrsphay/intelligence-terminal:latest`.
|
||||
4. Build `git.wilkensxl.de/code-inc/intelligence-terminal:latest`.
|
||||
5. Start the image and verify `/api/health`.
|
||||
6. Push branch to Gitea.
|
||||
7. Push `latest` and a dated image tag to the Gitea Registry.
|
||||
|
||||
21
docs/source-fetch-instrumentation.md
Normal file
21
docs/source-fetch-instrumentation.md
Normal file
@@ -0,0 +1,21 @@
|
||||
# Source Fetch Instrumentation
|
||||
|
||||
`safeFetch()` and `safeFetchText()` attribute requests to `/api/metrics.fetch.bySource`.
|
||||
|
||||
Rules:
|
||||
|
||||
- Prefer passing an explicit `source` option from source modules when the call has a clear Crucix source name.
|
||||
- If `source` is omitted, the shared helper infers a stable provider name from the request host.
|
||||
- Unknown hosts fall back to the lowercase host instead of the old `unknown` bucket.
|
||||
- Raw `fetch()` calls should be limited to cases where the shared helper cannot represent the protocol cleanly.
|
||||
|
||||
Current raw-fetch exceptions:
|
||||
|
||||
| Area | Reason |
|
||||
| --- | --- |
|
||||
| OAuth/session handshakes | Token exchange calls often need custom form bodies, credential headers, or status-specific diagnostics. |
|
||||
| Bot and alert delivery | Telegram/Discord alert calls are outbound operator notifications, not intelligence source health. |
|
||||
| LLM providers | Provider clients already track model/provider status separately from source fetch health. |
|
||||
| Dashboard browser calls | Browser-side `/api/*` and asset fetches are UI behavior, not source provider health. |
|
||||
|
||||
When adding a new intelligence source, use `safeFetch(url, { source: 'SourceName' })` unless there is a documented exception.
|
||||
@@ -16,4 +16,5 @@ Source docs:
|
||||
- [Telegram](telegram.md)
|
||||
- [FIRMS](firms.md)
|
||||
- [Maritime](maritime.md)
|
||||
- [ADS-B](adsb.md)
|
||||
- [Reddit](reddit.md)
|
||||
|
||||
24
docs/sources/adsb.md
Normal file
24
docs/sources/adsb.md
Normal file
@@ -0,0 +1,24 @@
|
||||
# ADS-B Source
|
||||
|
||||
ADS-B Exchange support is optional and intended for unfiltered aircraft and military-flight awareness.
|
||||
|
||||
- Source module: `apis/sources/adsb.mjs`
|
||||
- Preferred provider: ADS-B Exchange via RapidAPI
|
||||
- Credentials: `ADSB_API_KEY` or `RAPIDAPI_KEY`
|
||||
- Runtime status without credentials: `disabled`
|
||||
- Runtime status when providers fail: `degraded`
|
||||
- Runtime status with usable aircraft payloads: `live`
|
||||
|
||||
The source does not treat a missing key or unavailable public feed as normal live data. `/api/health` and `/api/metrics` surface the degraded source state through the sweep source summary.
|
||||
|
||||
Known failure modes:
|
||||
|
||||
- Missing `ADSB_API_KEY` / `RAPIDAPI_KEY`: source is disabled with operator guidance.
|
||||
- RapidAPI rejects or rate-limits the request: source is degraded and records provider failure detail.
|
||||
- Public feed is blocked, rate-limited, or changes shape: source remains degraded instead of returning stale-looking data.
|
||||
|
||||
Register for the provider documented in the README, then set:
|
||||
|
||||
```env
|
||||
ADSB_API_KEY=<rapidapi-key>
|
||||
```
|
||||
@@ -10,6 +10,7 @@ import { MistralProvider } from "./mistral.mjs";
|
||||
import { OllamaProvider } from "./ollama.mjs";
|
||||
import { GrokProvider } from "./grok.mjs";
|
||||
import { OpenAICompatibleProvider } from "./openai-compatible.mjs";
|
||||
import { LiteLLMProvider } from "./litellm.mjs";
|
||||
|
||||
export { LLMProvider } from "./provider.mjs";
|
||||
export { AnthropicProvider } from "./anthropic.mjs";
|
||||
@@ -22,6 +23,7 @@ export { MistralProvider } from "./mistral.mjs";
|
||||
export { OllamaProvider } from "./ollama.mjs";
|
||||
export { GrokProvider } from "./grok.mjs";
|
||||
export { OpenAICompatibleProvider } from "./openai-compatible.mjs";
|
||||
export { LiteLLMProvider } from "./litellm.mjs";
|
||||
|
||||
/**
|
||||
* Create an LLM provider based on config.
|
||||
@@ -66,6 +68,9 @@ export function createLLMProvider(llmConfig) {
|
||||
model: model || 'local-model',
|
||||
requiresApiKey: false,
|
||||
});
|
||||
case "litellm":
|
||||
case "lite-llm":
|
||||
return new LiteLLMProvider(common);
|
||||
case "openrouter":
|
||||
return new OpenRouterProvider(common);
|
||||
case "gemini":
|
||||
|
||||
32
lib/llm/litellm.mjs
Normal file
32
lib/llm/litellm.mjs
Normal file
@@ -0,0 +1,32 @@
|
||||
// LiteLLM proxy provider using the OpenAI-compatible chat completions API.
|
||||
|
||||
import { OpenAICompatibleProvider } from './openai-compatible.mjs';
|
||||
|
||||
export class LiteLLMProvider extends OpenAICompatibleProvider {
|
||||
constructor(config = {}) {
|
||||
const baseUrl = config.baseUrl?.replace(/\/+$/, '') || null;
|
||||
const model = config.model || null;
|
||||
|
||||
super({
|
||||
...config,
|
||||
name: 'litellm',
|
||||
baseUrl: baseUrl || 'http://localhost:4000/v1',
|
||||
model: model || 'unconfigured',
|
||||
requiresApiKey: true,
|
||||
});
|
||||
|
||||
this.baseUrl = baseUrl;
|
||||
this.model = model;
|
||||
}
|
||||
|
||||
get isConfigured() {
|
||||
return Boolean(this.baseUrl && this.apiKey && this.model);
|
||||
}
|
||||
|
||||
get status() {
|
||||
if (!this.baseUrl) return { state: 'misconfigured', reason: 'LLM_BASE_URL is required for LiteLLM' };
|
||||
if (!this.apiKey) return { state: 'misconfigured', reason: 'LLM_API_KEY is required for LiteLLM' };
|
||||
if (!this.model) return { state: 'misconfigured', reason: 'LLM_MODEL is required for LiteLLM' };
|
||||
return { state: 'configured', provider: this.name, model: this.model, baseUrl: this.baseUrl };
|
||||
}
|
||||
}
|
||||
@@ -12,7 +12,7 @@
|
||||
"brief:save": "node apis/save-briefing.mjs",
|
||||
"diag": "node diag.mjs",
|
||||
"test": "npm run test:unit",
|
||||
"test:unit": "node --test test/llm-openrouter.test.mjs test/llm-ollama.test.mjs test/llm-openai-compatible.test.mjs test/fetch-utils.test.mjs test/reddit-source.test.mjs test/acled-source.test.mjs test/mojibake-text.test.mjs test/dashboard-geotagging.test.mjs",
|
||||
"test:unit": "node --test test/llm-openrouter.test.mjs test/llm-ollama.test.mjs test/llm-openai-compatible.test.mjs test/llm-litellm.test.mjs test/fetch-utils.test.mjs test/reddit-source.test.mjs test/acled-source.test.mjs test/mojibake-text.test.mjs test/adsb.test.mjs test/dashboard-geotagging.test.mjs",
|
||||
"compose:config": "docker compose config",
|
||||
"clean": "node scripts/clean.mjs",
|
||||
"fresh-start": "npm run clean && npm start"
|
||||
|
||||
176
server.mjs
176
server.mjs
@@ -41,6 +41,7 @@ let sweepStartedAt = null; // Timestamp when current/last sweep started
|
||||
let sweepInProgress = false;
|
||||
const startTime = Date.now();
|
||||
const sseClients = new Set();
|
||||
const terminalActionBuckets = new Map();
|
||||
const staleAlertState = {};
|
||||
|
||||
// === Delta/Memory ===
|
||||
@@ -292,7 +293,9 @@ app.get('/api/metrics', (req, res) => {
|
||||
});
|
||||
|
||||
app.get('/api/memory/search', (req, res) => {
|
||||
if (!canRunTerminalAction(req)) return res.status(403).json({ error: 'Memory queries disabled or unauthorized' });
|
||||
const guard = authorizeTerminalAction(req, res, 'memory:search');
|
||||
if (!guard.ok) return;
|
||||
auditTerminalAction(req, 'memory:search', 'ok');
|
||||
res.json(intelligenceStore.queryMemory({
|
||||
q: req.query.q || '',
|
||||
limit: req.query.limit || 25,
|
||||
@@ -300,7 +303,9 @@ app.get('/api/memory/search', (req, res) => {
|
||||
});
|
||||
|
||||
app.get('/api/memory/predictions', (req, res) => {
|
||||
if (!canRunTerminalAction(req)) return res.status(403).json({ error: 'Memory queries disabled or unauthorized' });
|
||||
const guard = authorizeTerminalAction(req, res, 'memory:predictions');
|
||||
if (!guard.ok) return;
|
||||
auditTerminalAction(req, 'memory:predictions', 'ok');
|
||||
res.json(intelligenceStore.listPredictions({
|
||||
state: req.query.state || null,
|
||||
limit: req.query.limit || 25,
|
||||
@@ -308,24 +313,33 @@ app.get('/api/memory/predictions', (req, res) => {
|
||||
});
|
||||
|
||||
app.post('/api/sweep', express.json(), (req, res) => {
|
||||
if (!canRunTerminalAction(req)) return res.status(403).json({ error: 'Terminal actions disabled or unauthorized' });
|
||||
triggerSweep(res);
|
||||
const guard = authorizeTerminalAction(req, res, 'sweep');
|
||||
if (!guard.ok) return;
|
||||
triggerSweepAction(req, res, 'sweep');
|
||||
});
|
||||
|
||||
app.post('/api/action', express.json(), async (req, res) => {
|
||||
if (!canRunTerminalAction(req)) return res.status(403).json({ error: 'Terminal actions disabled or unauthorized' });
|
||||
const action = String(req.body?.action || req.query.action || '').toLowerCase();
|
||||
app.post('/api/action', express.json(), (req, res) => {
|
||||
const action = String(req.body?.action || req.body?.command || '').trim().toLowerCase();
|
||||
const guard = authorizeTerminalAction(req, res, action || 'unknown');
|
||||
if (!guard.ok) return;
|
||||
|
||||
if (action === 'status') {
|
||||
return res.json({ ok: true, action, health: buildHealth() });
|
||||
auditTerminalAction(req, 'status', 'ok');
|
||||
return res.json({ ok: true, action, status: 'ok', health: buildHealth() });
|
||||
}
|
||||
|
||||
if (action === 'brief') {
|
||||
if (!currentData) return res.status(503).json({ ok: false, action, error: 'No data yet — first sweep in progress' });
|
||||
return res.json({ ok: true, action, text: buildBrief(currentData) });
|
||||
if (!currentData) {
|
||||
auditTerminalAction(req, 'brief', 'rejected', 'no_data');
|
||||
return res.status(503).json({ ok: false, action, error: 'No data yet - first sweep in progress' });
|
||||
}
|
||||
auditTerminalAction(req, 'brief', 'ok');
|
||||
const brief = buildBrief(currentData);
|
||||
return res.json({ ok: true, action, status: 'ok', brief, text: brief });
|
||||
}
|
||||
|
||||
if (action === 'memory') {
|
||||
auditTerminalAction(req, 'memory', 'ok');
|
||||
return res.json({
|
||||
ok: true,
|
||||
action,
|
||||
@@ -335,11 +349,10 @@ app.post('/api/action', express.json(), async (req, res) => {
|
||||
});
|
||||
}
|
||||
|
||||
if (action === 'sweep') {
|
||||
return triggerSweep(res);
|
||||
}
|
||||
if (action === 'sweep') return triggerSweepAction(req, res, 'action:sweep');
|
||||
|
||||
res.status(400).json({ ok: false, error: 'Unknown action', actions: ['status', 'brief', 'memory', 'sweep'] });
|
||||
auditTerminalAction(req, action || 'unknown', 'rejected', 'unknown_action');
|
||||
return res.status(400).json({ ok: false, error: 'Unknown action', allowed: ['status', 'brief', 'memory', 'sweep'], actions: ['status', 'brief', 'memory', 'sweep'] });
|
||||
});
|
||||
|
||||
// API: available locales
|
||||
@@ -357,10 +370,24 @@ app.get('/events', (req, res) => {
|
||||
'Cache-Control': 'no-cache',
|
||||
'Connection': 'keep-alive',
|
||||
'Access-Control-Allow-Origin': '*',
|
||||
'X-Accel-Buffering': 'no',
|
||||
});
|
||||
res.write('retry: 10000\n');
|
||||
res.write('data: {"type":"connected"}\n\n');
|
||||
const heartbeatMs = Math.max(5000, config.sseHeartbeatIntervalMs || 25000);
|
||||
const heartbeat = setInterval(() => {
|
||||
try {
|
||||
res.write(`: heartbeat ${new Date().toISOString()}\n\n`);
|
||||
} catch {
|
||||
clearInterval(heartbeat);
|
||||
sseClients.delete(res);
|
||||
}
|
||||
}, heartbeatMs);
|
||||
sseClients.add(res);
|
||||
req.on('close', () => sseClients.delete(res));
|
||||
req.on('close', () => {
|
||||
clearInterval(heartbeat);
|
||||
sseClients.delete(res);
|
||||
});
|
||||
});
|
||||
|
||||
function broadcast(data) {
|
||||
@@ -370,26 +397,114 @@ function broadcast(data) {
|
||||
}
|
||||
}
|
||||
|
||||
function requestIp(req) {
|
||||
return req.ip || req.socket?.remoteAddress || 'unknown';
|
||||
}
|
||||
|
||||
function isLocalRequest(req) {
|
||||
const remote = requestIp(req);
|
||||
return remote === '::1'
|
||||
|| remote === '127.0.0.1'
|
||||
|| remote === '::ffff:127.0.0.1'
|
||||
|| remote.startsWith('127.')
|
||||
|| remote === 'localhost';
|
||||
}
|
||||
|
||||
function sameOriginPost(req) {
|
||||
const origin = req.get('origin');
|
||||
if (!origin) return true;
|
||||
try {
|
||||
const originUrl = new URL(origin);
|
||||
const host = req.get('host');
|
||||
return host && originUrl.host === host;
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
function actionToken(req) {
|
||||
return req.get('x-crucix-token') || req.body?.token || null;
|
||||
}
|
||||
|
||||
function auditTerminalAction(req, action, outcome, detail = null) {
|
||||
const suffix = detail ? ` detail=${detail}` : '';
|
||||
console.log(`[Crucix][audit] terminal_action action=${action || 'unknown'} outcome=${outcome} ip=${requestIp(req)}${suffix}`);
|
||||
}
|
||||
|
||||
function rateLimitTerminalAction(req, action) {
|
||||
const now = Date.now();
|
||||
const windowMs = Math.max(1000, config.terminalActionRateLimitWindowMs || 60_000);
|
||||
const max = Math.max(1, config.terminalActionRateLimitMax || 10);
|
||||
const key = `${requestIp(req)}:${action}`;
|
||||
const bucket = terminalActionBuckets.get(key);
|
||||
if (!bucket || now > bucket.resetAt) {
|
||||
terminalActionBuckets.set(key, { count: 1, resetAt: now + windowMs });
|
||||
return { ok: true };
|
||||
}
|
||||
bucket.count += 1;
|
||||
if (bucket.count > max) {
|
||||
return { ok: false, retryAfterSeconds: Math.ceil((bucket.resetAt - now) / 1000) };
|
||||
}
|
||||
return { ok: true };
|
||||
}
|
||||
|
||||
function authorizeTerminalAction(req, res, action) {
|
||||
const rate = rateLimitTerminalAction(req, action);
|
||||
if (!rate.ok) {
|
||||
auditTerminalAction(req, action, 'rejected', 'rate_limited');
|
||||
res.set('Retry-After', String(rate.retryAfterSeconds));
|
||||
res.status(429).json({ error: 'Too many terminal actions', retryAfterSeconds: rate.retryAfterSeconds });
|
||||
return { ok: false };
|
||||
}
|
||||
|
||||
if (!sameOriginPost(req)) {
|
||||
auditTerminalAction(req, action, 'rejected', 'csrf_origin');
|
||||
res.status(403).json({ error: 'Origin mismatch' });
|
||||
return { ok: false };
|
||||
}
|
||||
|
||||
const local = isLocalRequest(req);
|
||||
const token = actionToken(req);
|
||||
if (!config.terminalActionsEnabled) {
|
||||
auditTerminalAction(req, action, 'rejected', 'disabled');
|
||||
res.status(403).json({ error: 'Terminal actions are disabled' });
|
||||
return { ok: false };
|
||||
}
|
||||
|
||||
if (config.sweepToken) {
|
||||
if (token !== config.sweepToken) {
|
||||
auditTerminalAction(req, action, 'rejected', 'invalid_token');
|
||||
res.status(401).json({ error: 'Invalid terminal action token' });
|
||||
return { ok: false };
|
||||
}
|
||||
return { ok: true };
|
||||
}
|
||||
|
||||
if (!local) {
|
||||
auditTerminalAction(req, action, 'rejected', 'missing_token');
|
||||
res.status(403).json({ error: 'Terminal actions are local-only unless SWEEP_TOKEN is set' });
|
||||
return { ok: false };
|
||||
}
|
||||
|
||||
return { ok: true };
|
||||
}
|
||||
|
||||
function triggerSweepAction(req, res, auditAction) {
|
||||
if (sweepInProgress) {
|
||||
auditTerminalAction(req, auditAction, 'rejected', 'already_running');
|
||||
return res.status(409).json({ ok: true, status: 'already_running', sweepStartedAt });
|
||||
}
|
||||
auditTerminalAction(req, auditAction, 'accepted');
|
||||
runSweepCycle().catch(err => console.error('[Crucix] API-triggered sweep failed:', err.message));
|
||||
return res.status(202).json({ ok: true, status: 'accepted' });
|
||||
}
|
||||
|
||||
function dataAgeMs() {
|
||||
const ts = currentData?.meta?.timestamp || lastSuccessfulSweepTime || lastSweepTime;
|
||||
const ms = ts ? Date.now() - new Date(ts).getTime() : null;
|
||||
return Number.isFinite(ms) ? ms : null;
|
||||
}
|
||||
|
||||
function canRunTerminalAction(req) {
|
||||
const remote = req.ip || '';
|
||||
const local = remote.includes('127.0.0.1') || remote === '::1' || remote === '::ffff:127.0.0.1';
|
||||
const token = req.get('x-crucix-token') || req.query.token || req.body?.token;
|
||||
if (config.sweepToken) return token === config.sweepToken;
|
||||
return Boolean(config.terminalActionsEnabled || local);
|
||||
}
|
||||
|
||||
function triggerSweep(res) {
|
||||
if (sweepInProgress) return res.status(409).json({ ok: true, status: 'already_running', sweepStartedAt });
|
||||
runSweepCycle().catch(err => console.error('[Crucix] API-triggered sweep failed:', err.message));
|
||||
return res.status(202).json({ ok: true, status: 'accepted' });
|
||||
}
|
||||
|
||||
function getLLMStatus() {
|
||||
if (!config.llm.provider) return { state: 'disabled' };
|
||||
if (!llmProvider) return { state: 'misconfigured', provider: config.llm.provider };
|
||||
@@ -433,7 +548,8 @@ function buildHealth() {
|
||||
llm: getLLMStatus(),
|
||||
telegramEnabled: !!(config.telegram.botToken && config.telegram.chatId),
|
||||
discordEnabled: !!(config.discord?.botToken || config.discord?.webhookUrl),
|
||||
terminalActionsEnabled: Boolean(config.terminalActionsEnabled || config.sweepToken),
|
||||
terminalActionsEnabled: config.terminalActionsEnabled,
|
||||
terminalActionsTokenRequired: !!config.sweepToken,
|
||||
refreshIntervalMinutes: config.refreshIntervalMinutes,
|
||||
language: currentLanguage,
|
||||
memory: intelligenceStore.status(),
|
||||
|
||||
82
test/adsb.test.mjs
Normal file
82
test/adsb.test.mjs
Normal file
@@ -0,0 +1,82 @@
|
||||
import test from 'node:test';
|
||||
import assert from 'node:assert/strict';
|
||||
|
||||
async function withFetch(mockFetch, fn) {
|
||||
const originalFetch = globalThis.fetch;
|
||||
const originalAdsbKey = process.env.ADSB_API_KEY;
|
||||
const originalRapidKey = process.env.RAPIDAPI_KEY;
|
||||
globalThis.fetch = mockFetch;
|
||||
delete process.env.ADSB_API_KEY;
|
||||
delete process.env.RAPIDAPI_KEY;
|
||||
try {
|
||||
return await fn();
|
||||
} finally {
|
||||
globalThis.fetch = originalFetch;
|
||||
if (originalAdsbKey === undefined) delete process.env.ADSB_API_KEY;
|
||||
else process.env.ADSB_API_KEY = originalAdsbKey;
|
||||
if (originalRapidKey === undefined) delete process.env.RAPIDAPI_KEY;
|
||||
else process.env.RAPIDAPI_KEY = originalRapidKey;
|
||||
}
|
||||
}
|
||||
|
||||
function jsonResponse(payload, ok = true, status = 200) {
|
||||
return {
|
||||
ok,
|
||||
status,
|
||||
headers: { get: () => 'application/json' },
|
||||
text: async () => JSON.stringify(payload),
|
||||
};
|
||||
}
|
||||
|
||||
test('ADS-B reports disabled when no key is configured and public feed fails', async () => {
|
||||
await withFetch(async () => jsonResponse({ error: 'blocked' }, false, 403), async () => {
|
||||
const { briefing } = await import('../apis/sources/adsb.mjs');
|
||||
const data = await briefing();
|
||||
|
||||
assert.equal(data.status, 'disabled');
|
||||
assert.match(data.error, /ADSB_API_KEY|RAPIDAPI_KEY/);
|
||||
assert.equal(data.militaryAircraft.length, 0);
|
||||
});
|
||||
});
|
||||
|
||||
test('ADS-B reports degraded when RapidAPI and public feed fail', async () => {
|
||||
await withFetch(async () => jsonResponse({ error: 'unavailable' }, false, 503), async () => {
|
||||
process.env.ADSB_API_KEY = 'test-key';
|
||||
const { briefing } = await import('../apis/sources/adsb.mjs');
|
||||
const data = await briefing();
|
||||
|
||||
assert.equal(data.status, 'degraded');
|
||||
assert.match(data.error, /providers returned no usable/);
|
||||
assert.equal(data.failures.length, 2);
|
||||
});
|
||||
});
|
||||
|
||||
test('ADS-B returns live RapidAPI military aircraft payloads', async () => {
|
||||
await withFetch(async () => jsonResponse({
|
||||
ac: [{
|
||||
hex: 'AE1234',
|
||||
flight: 'RCH123',
|
||||
t: 'KC135',
|
||||
lat: 50,
|
||||
lon: 8,
|
||||
mil: true,
|
||||
}],
|
||||
}), async () => {
|
||||
process.env.ADSB_API_KEY = 'test-key';
|
||||
const { briefing } = await import('../apis/sources/adsb.mjs');
|
||||
const data = await briefing();
|
||||
|
||||
assert.equal(data.status, 'live');
|
||||
assert.equal(data.provider, 'rapidapi');
|
||||
assert.equal(data.totalMilitary, 1);
|
||||
assert.equal(data.militaryAircraft[0].callsign, 'RCH123');
|
||||
});
|
||||
});
|
||||
|
||||
test('runSource treats disabled source status as degraded health', async () => {
|
||||
const { runSource } = await import('../apis/briefing.mjs');
|
||||
const result = await runSource('ADS-B', async () => ({ status: 'disabled', message: 'missing key' }));
|
||||
|
||||
assert.equal(result.status, 'degraded');
|
||||
assert.equal(result.error, null);
|
||||
});
|
||||
@@ -1,7 +1,7 @@
|
||||
import test from 'node:test';
|
||||
import assert from 'node:assert/strict';
|
||||
import { readFileSync } from 'node:fs';
|
||||
import { safeFetch, safeFetchText, getFetchMetrics } from '../apis/utils/fetch.mjs';
|
||||
import { safeFetch, safeFetchText, getFetchMetrics, inferFetchSource } from '../apis/utils/fetch.mjs';
|
||||
import { formatStaleAlert, shouldSendStaleAlert } from '../lib/stale-alerts.mjs';
|
||||
|
||||
test('safeFetch reports HTML as degraded JSON response', async () => {
|
||||
@@ -101,6 +101,42 @@ test('safeFetchText returns text and byte count', async () => {
|
||||
}
|
||||
});
|
||||
|
||||
test('safeFetch attributes unlabelled requests to a stable provider source', async () => {
|
||||
const originalFetch = globalThis.fetch;
|
||||
globalThis.fetch = async () => ({
|
||||
ok: true,
|
||||
status: 200,
|
||||
headers: { get: () => 'application/json' },
|
||||
text: async () => '{"observations":[]}',
|
||||
});
|
||||
try {
|
||||
const data = await safeFetch('https://api.fred.stlouisfed.org/fred/series/observations?series_id=VIXCLS', { retries: 0 });
|
||||
assert.deepEqual(data, { observations: [] });
|
||||
const bucket = getFetchMetrics().bySource.FRED;
|
||||
assert.ok(bucket.requests >= 1);
|
||||
assert.equal(bucket.lastStatus, 200);
|
||||
} finally {
|
||||
globalThis.fetch = originalFetch;
|
||||
}
|
||||
});
|
||||
|
||||
test('inferFetchSource returns provider names and host fallback', () => {
|
||||
assert.equal(inferFetchSource('https://api.bls.gov/publicAPI/v2/timeseries/data/CPI'), 'BLS');
|
||||
assert.equal(inferFetchSource('https://query1.finance.yahoo.com/v8/finance/chart/%5EGSPC'), 'YahooFinance');
|
||||
assert.equal(inferFetchSource('https://unknown.example.test/path'), 'unknown.example.test');
|
||||
});
|
||||
|
||||
test('SSE endpoint sends reconnect guidance and clears heartbeat timer', () => {
|
||||
const server = readFileSync(new URL('../server.mjs', import.meta.url), 'utf8');
|
||||
const config = readFileSync(new URL('../crucix.config.mjs', import.meta.url), 'utf8');
|
||||
assert.match(config, /sseHeartbeatIntervalMs/);
|
||||
assert.match(server, /retry: 10000\\n/);
|
||||
assert.match(server, /setInterval\(\(\) =>/);
|
||||
assert.match(server, /: heartbeat/);
|
||||
assert.match(server, /clearInterval\(heartbeat\)/);
|
||||
assert.match(server, /X-Accel-Buffering/);
|
||||
});
|
||||
|
||||
test('intelligence store defines durable memory and prediction lifecycle tables', () => {
|
||||
const store = readFileSync(new URL('../lib/intelligence-store.mjs', import.meta.url), 'utf8');
|
||||
assert.match(store, /CREATE TABLE IF NOT EXISTS events/);
|
||||
@@ -122,6 +158,43 @@ test('server exposes memory-backed query APIs and dashboard memory action', () =
|
||||
assert.match(html, /runTerminalAction\('memory'\)/);
|
||||
});
|
||||
|
||||
test('terminal action endpoints avoid URL tokens and include hardening gates', () => {
|
||||
const server = readFileSync(new URL('../server.mjs', import.meta.url), 'utf8');
|
||||
assert.match(server, /app\.post\('\/api\/action'/);
|
||||
assert.match(server, /app\.post\('\/api\/sweep'/);
|
||||
assert.match(server, /x-crucix-token/);
|
||||
assert.match(server, /sameOriginPost/);
|
||||
assert.match(server, /rateLimitTerminalAction/);
|
||||
assert.match(server, /auditTerminalAction/);
|
||||
assert.doesNotMatch(server, /req\.query\.token/);
|
||||
});
|
||||
|
||||
test('dashboard exposes token configuration flow without devtools edits', () => {
|
||||
const html = readFileSync(new URL('../dashboard/public/jarvis.html', import.meta.url), 'utf8');
|
||||
assert.match(html, /configureTerminalActionToken/);
|
||||
assert.match(html, /crucix_sweep_token/);
|
||||
assert.match(html, /x-crucix-token/);
|
||||
assert.match(html, /SET TOKEN/);
|
||||
});
|
||||
|
||||
test('server dashboard shell does not embed an operational snapshot', () => {
|
||||
const html = readFileSync(new URL('../dashboard/public/jarvis.html', import.meta.url), 'utf8');
|
||||
assert.match(html, /let D = createDashboardShellData\(\);/);
|
||||
assert.doesNotMatch(html, /2026-04-03T16:18:10\.188Z/);
|
||||
assert.doesNotMatch(html, /Trump announced new strikes on Iran/);
|
||||
});
|
||||
|
||||
test('server dashboard fetches api data before initialization', () => {
|
||||
const html = readFileSync(new URL('../dashboard/public/jarvis.html', import.meta.url), 'utf8');
|
||||
const serverMode = html.indexOf('if (canProbeApi)');
|
||||
const apiFetch = html.indexOf("fetch('/api/data')");
|
||||
const firstInitAfterServerMode = html.indexOf('init();', serverMode);
|
||||
|
||||
assert.ok(serverMode > -1);
|
||||
assert.ok(apiFetch > serverMode);
|
||||
assert.ok(firstInitAfterServerMode > apiFetch);
|
||||
});
|
||||
|
||||
test('stale alert is skipped for fresh health and resets active key', () => {
|
||||
const state = { lastStaleAlertKey: 'old', lastStaleAlertAt: 100 };
|
||||
const decision = shouldSendStaleAlert({ stale: false }, state, { now: 200 });
|
||||
|
||||
76
test/llm-litellm.test.mjs
Normal file
76
test/llm-litellm.test.mjs
Normal file
@@ -0,0 +1,76 @@
|
||||
import test from 'node:test';
|
||||
import assert from 'node:assert/strict';
|
||||
import { LiteLLMProvider } from '../lib/llm/litellm.mjs';
|
||||
import { createLLMProvider } from '../lib/llm/index.mjs';
|
||||
|
||||
test('factory creates a configured LiteLLM provider', () => {
|
||||
const provider = createLLMProvider({
|
||||
provider: 'litellm',
|
||||
baseUrl: 'https://llm.example.test/v1/',
|
||||
apiKey: 'proxy-key',
|
||||
model: 'private-model',
|
||||
});
|
||||
|
||||
assert.ok(provider instanceof LiteLLMProvider);
|
||||
assert.equal(provider.baseUrl, 'https://llm.example.test/v1');
|
||||
assert.equal(provider.isConfigured, true);
|
||||
assert.deepEqual(provider.status, {
|
||||
state: 'configured',
|
||||
provider: 'litellm',
|
||||
model: 'private-model',
|
||||
baseUrl: 'https://llm.example.test/v1',
|
||||
});
|
||||
});
|
||||
|
||||
test('LiteLLM requires base URL, API key, and model', () => {
|
||||
const missingBaseUrl = new LiteLLMProvider({ apiKey: 'key', model: 'model' });
|
||||
assert.equal(missingBaseUrl.isConfigured, false);
|
||||
assert.equal(missingBaseUrl.status.reason, 'LLM_BASE_URL is required for LiteLLM');
|
||||
|
||||
const missingKey = new LiteLLMProvider({ baseUrl: 'https://llm.example.test/v1', model: 'model' });
|
||||
assert.equal(missingKey.status.reason, 'LLM_API_KEY is required for LiteLLM');
|
||||
|
||||
const missingModel = new LiteLLMProvider({ baseUrl: 'https://llm.example.test/v1', apiKey: 'key' });
|
||||
assert.equal(missingModel.status.reason, 'LLM_MODEL is required for LiteLLM');
|
||||
});
|
||||
|
||||
test('LiteLLM sends bearer-authenticated OpenAI-compatible requests', async () => {
|
||||
const provider = new LiteLLMProvider({
|
||||
baseUrl: 'https://llm.example.test/v1',
|
||||
apiKey: 'proxy-key',
|
||||
model: 'private-model',
|
||||
temperature: 0.15,
|
||||
maxTokens: 512,
|
||||
});
|
||||
const originalFetch = globalThis.fetch;
|
||||
|
||||
globalThis.fetch = async (url, options) => {
|
||||
assert.equal(url, 'https://llm.example.test/v1/chat/completions');
|
||||
assert.equal(options.headers.Authorization, 'Bearer proxy-key');
|
||||
assert.deepEqual(JSON.parse(options.body), {
|
||||
model: 'private-model',
|
||||
temperature: 0.15,
|
||||
messages: [
|
||||
{ role: 'system', content: 'system' },
|
||||
{ role: 'user', content: 'user' },
|
||||
],
|
||||
max_tokens: 512,
|
||||
});
|
||||
return {
|
||||
ok: true,
|
||||
json: async () => ({
|
||||
choices: [{ message: { content: 'response' } }],
|
||||
usage: { prompt_tokens: 7, completion_tokens: 11 },
|
||||
model: 'private-model',
|
||||
}),
|
||||
};
|
||||
};
|
||||
|
||||
try {
|
||||
const result = await provider.complete('system', 'user');
|
||||
assert.equal(result.text, 'response');
|
||||
assert.deepEqual(result.usage, { inputTokens: 7, outputTokens: 11 });
|
||||
} finally {
|
||||
globalThis.fetch = originalFetch;
|
||||
}
|
||||
});
|
||||
Reference in New Issue
Block a user