Compare commits
1 Commits
79f897f8ac
...
codex/issu
| Author | SHA1 | Date | |
|---|---|---|---|
|
5b176851c8 |
@@ -7,9 +7,6 @@ REFRESH_INTERVAL_MINUTES=15
|
||||
AUTO_OPEN_BROWSER=false
|
||||
STALE_DATA_MAX_AGE_MINUTES=60
|
||||
SWEEP_TOKEN=
|
||||
TERMINAL_ACTIONS_ENABLED=true
|
||||
TERMINAL_ACTION_RATE_LIMIT_WINDOW_MS=60000
|
||||
TERMINAL_ACTION_RATE_LIMIT_MAX=10
|
||||
BRIEF_VERBOSITY=standard
|
||||
|
||||
# LLM layer
|
||||
|
||||
18
README.md
18
README.md
@@ -136,9 +136,6 @@ REFRESH_INTERVAL_MINUTES=15
|
||||
AUTO_OPEN_BROWSER=false
|
||||
STALE_DATA_MAX_AGE_MINUTES=60
|
||||
SWEEP_TOKEN=
|
||||
TERMINAL_ACTIONS_ENABLED=true
|
||||
TERMINAL_ACTION_RATE_LIMIT_WINDOW_MS=60000
|
||||
TERMINAL_ACTION_RATE_LIMIT_MAX=10
|
||||
BRIEF_VERBOSITY=standard
|
||||
|
||||
LLM_PROVIDER=openrouter
|
||||
@@ -190,21 +187,6 @@ LLM_MODEL=your-model
|
||||
|
||||
For Pangolin or another reverse proxy, forward HTTP traffic to `intelligence-terminal:3117` (or the `PORT` you set). Missing API keys do not crash sweeps; affected sources are reported as degraded in `/api/health`.
|
||||
|
||||
#### Terminal Action Exposure
|
||||
|
||||
`POST /api/action` and `POST /api/sweep` can trigger operational actions such as manual sweeps. The dashboard has a **SET TOKEN** control that stores your `SWEEP_TOKEN` in browser local storage and sends it as the `x-crucix-token` header; do not put action tokens in URLs.
|
||||
|
||||
Recommended settings:
|
||||
|
||||
| Deployment | Settings |
|
||||
| --- | --- |
|
||||
| Private local machine | `NODE_ENV=development`, optional `SWEEP_TOKEN`, optional `TERMINAL_ACTIONS_ENABLED=true`. Localhost can run actions without a token for development. |
|
||||
| Private LAN / Dockge | Set a strong `SWEEP_TOKEN`, keep `TERMINAL_ACTIONS_ENABLED=true`, expose only to trusted clients. |
|
||||
| Pangolin-authenticated reverse proxy | Set a strong `SWEEP_TOKEN`, keep Pangolin auth in front, use the dashboard **SET TOKEN** flow once per browser. |
|
||||
| Public internet | Do not expose Terminal Actions directly. If exposure is unavoidable, require `SWEEP_TOKEN`, keep proxy authentication enabled, lower `TERMINAL_ACTION_RATE_LIMIT_MAX`, and monitor server audit logs. |
|
||||
|
||||
Action endpoints reject cross-origin POST origins, apply a small in-memory per-IP rate limit, and write sanitized audit lines without logging the token.
|
||||
|
||||
#### Build And Publish Your Gitea Image
|
||||
|
||||
```bash
|
||||
|
||||
@@ -15,6 +15,31 @@ const API_BASE = 'https://acleddata.com/api/acled/read';
|
||||
// Session cache
|
||||
let sessionCache = { cookies: null, token: null, method: null, expires: 0 };
|
||||
|
||||
function acledCredentials() {
|
||||
return {
|
||||
email: process.env.ACLED_EMAIL || process.env.ACLED_USER || process.env.ACLED_USERNAME,
|
||||
password: process.env.ACLED_PASSWORD,
|
||||
};
|
||||
}
|
||||
|
||||
function sanitizeAuthHeaders(headers) {
|
||||
const safe = { ...headers };
|
||||
if (safe.Authorization) safe.Authorization = 'Bearer [redacted]';
|
||||
if (safe.Cookie) safe.Cookie = '[redacted]';
|
||||
return safe;
|
||||
}
|
||||
|
||||
function classifyAuthFailure(status, body = '') {
|
||||
if (status === 401 || status === 403) return 'auth_denied';
|
||||
if (status >= 500) return 'auth_endpoint_failed';
|
||||
if (/invalid|denied|unauthorized|forbidden/i.test(body)) return 'auth_denied';
|
||||
return 'auth_endpoint_failed';
|
||||
}
|
||||
|
||||
export function resetAcledSessionForTests() {
|
||||
sessionCache = { cookies: null, token: null, method: null, expires: 0 };
|
||||
}
|
||||
|
||||
// Strategy 1: Cookie-based session login (mirrors browser login)
|
||||
async function loginCookie(email, password) {
|
||||
const controller = new AbortController();
|
||||
@@ -43,11 +68,14 @@ async function loginCookie(email, password) {
|
||||
}
|
||||
|
||||
const errText = await res.text().catch(() => '');
|
||||
return { error: `Cookie login failed (HTTP ${res.status}): ${errText.slice(0, 200)}` };
|
||||
return {
|
||||
error: `Cookie login failed (HTTP ${res.status}): ${errText.slice(0, 200)}`,
|
||||
code: classifyAuthFailure(res.status, errText),
|
||||
};
|
||||
} catch (e) {
|
||||
clearTimeout(timer);
|
||||
const cause = e.cause ? ` → ${e.cause.message || e.cause.code || e.cause}` : '';
|
||||
return { error: `Cookie login error: ${e.message}${cause}` };
|
||||
return { error: `Cookie login error: ${e.message}${cause}`, code: 'auth_endpoint_failed' };
|
||||
}
|
||||
}
|
||||
|
||||
@@ -73,28 +101,30 @@ async function loginOAuth(email, password) {
|
||||
|
||||
if (!res.ok) {
|
||||
const errText = await res.text().catch(() => '');
|
||||
return { error: `OAuth failed (HTTP ${res.status}): ${errText.slice(0, 200)}` };
|
||||
return {
|
||||
error: `OAuth failed (HTTP ${res.status}): ${errText.slice(0, 200)}`,
|
||||
code: classifyAuthFailure(res.status, errText),
|
||||
};
|
||||
}
|
||||
|
||||
const data = await res.json();
|
||||
if (!data.access_token) {
|
||||
return { error: `OAuth response missing access_token: ${JSON.stringify(data).slice(0, 200)}` };
|
||||
return { error: `OAuth response missing access_token: ${JSON.stringify(data).slice(0, 200)}`, code: 'auth_endpoint_failed' };
|
||||
}
|
||||
|
||||
return { token: data.access_token };
|
||||
} catch (e) {
|
||||
clearTimeout(timer);
|
||||
const cause = e.cause ? ` → ${e.cause.message || e.cause.code || e.cause}` : '';
|
||||
return { error: `OAuth error: ${e.message}${cause}` };
|
||||
return { error: `OAuth error: ${e.message}${cause}`, code: 'auth_endpoint_failed' };
|
||||
}
|
||||
}
|
||||
|
||||
// Try both auth strategies
|
||||
async function authenticate() {
|
||||
const email = process.env.ACLED_EMAIL;
|
||||
const password = process.env.ACLED_PASSWORD;
|
||||
const { email, password } = acledCredentials();
|
||||
if (!email || !password) {
|
||||
return { error: 'No ACLED credentials. Set ACLED_EMAIL and ACLED_PASSWORD in .env.' };
|
||||
return { error: 'No ACLED credentials. Set ACLED_EMAIL or ACLED_USER and ACLED_PASSWORD in .env.', code: 'no_credentials' };
|
||||
}
|
||||
|
||||
// Return cached session if still valid
|
||||
@@ -108,7 +138,7 @@ async function authenticate() {
|
||||
// Try OAuth first (official programmatic method per ACLED docs)
|
||||
const oauthResult = await loginOAuth(email, password);
|
||||
if (oauthResult.token) {
|
||||
if (debug) console.error(`[ACLED DEBUG] OAuth OK — token: ${oauthResult.token.slice(0, 20)}...`);
|
||||
if (debug) console.error('[ACLED DEBUG] OAuth OK');
|
||||
sessionCache = { cookies: null, token: oauthResult.token, method: 'oauth', expires: Date.now() + 23 * 60 * 60 * 1000 };
|
||||
return sessionCache;
|
||||
}
|
||||
@@ -118,13 +148,14 @@ async function authenticate() {
|
||||
// Fall back to cookie-based session
|
||||
const cookieResult = await loginCookie(email, password);
|
||||
if (cookieResult.cookies) {
|
||||
if (debug) console.error(`[ACLED DEBUG] Cookie OK — cookies: ${cookieResult.cookies.slice(0, 80)}...`);
|
||||
if (debug) console.error('[ACLED DEBUG] Cookie OK');
|
||||
sessionCache = { cookies: cookieResult.cookies, token: null, method: 'cookie', expires: Date.now() + 12 * 60 * 60 * 1000 };
|
||||
return sessionCache;
|
||||
}
|
||||
errors.push(`Cookie: ${cookieResult.error}`);
|
||||
|
||||
return { error: `All ACLED auth methods failed.\n${errors.join('\n')}` };
|
||||
const code = [oauthResult.code, cookieResult.code].includes('auth_denied') ? 'auth_denied' : 'auth_endpoint_failed';
|
||||
return { error: `All ACLED auth methods failed.\n${errors.join('\n')}`, code };
|
||||
}
|
||||
|
||||
// Build headers based on auth method
|
||||
@@ -160,7 +191,7 @@ export async function getEvents(opts = {}) {
|
||||
} = opts;
|
||||
|
||||
const session = await authenticate();
|
||||
if (session.error) return { error: session.error };
|
||||
if (session.error) return { error: session.error, code: session.code || 'auth_failed' };
|
||||
|
||||
const params = new URLSearchParams({ _format: 'json', limit: String(limit) });
|
||||
if (eventDateStart && eventDateEnd) {
|
||||
@@ -177,7 +208,7 @@ export async function getEvents(opts = {}) {
|
||||
const hdrs = authHeaders(session);
|
||||
if (debug) {
|
||||
console.error(`[ACLED DEBUG] Data request: GET ${url}`);
|
||||
console.error(`[ACLED DEBUG] Headers: ${JSON.stringify(hdrs)}`);
|
||||
console.error(`[ACLED DEBUG] Headers: ${JSON.stringify(sanitizeAuthHeaders(hdrs))}`);
|
||||
}
|
||||
const controller = new AbortController();
|
||||
const timer = setTimeout(() => controller.abort(), 25000);
|
||||
@@ -201,25 +232,28 @@ export async function getEvents(opts = {}) {
|
||||
+ ' 3. Ensure your account has the "API" access group\n'
|
||||
+ ' Contact access@acleddata.com if issues persist.'
|
||||
: '';
|
||||
return { error: `ACLED data access denied (HTTP ${res.status}, auth method: ${session.method}). Response: ${errText.slice(0, 300)}${hint}` };
|
||||
return {
|
||||
error: `ACLED data access denied (HTTP ${res.status}, auth method: ${session.method}). Response: ${errText.slice(0, 300)}${hint}`,
|
||||
code: 'auth_denied',
|
||||
};
|
||||
}
|
||||
return { error: `HTTP ${res.status}: ${errText.slice(0, 200)}` };
|
||||
return { error: `HTTP ${res.status}: ${errText.slice(0, 200)}`, code: 'api_failed' };
|
||||
}
|
||||
|
||||
const data = await res.json();
|
||||
|
||||
// ACLED may return a 200 with an error status in the body
|
||||
if (data?.status && data.status !== 200) {
|
||||
return { error: `ACLED API error: status ${data.status} — ${data.message || 'Unknown error'}` };
|
||||
return { error: `ACLED API error: status ${data.status} - ${data.message || 'Unknown error'}`, code: 'api_failed' };
|
||||
}
|
||||
|
||||
return data;
|
||||
} catch (e) {
|
||||
if (e.name === 'AbortError') {
|
||||
return { error: 'ACLED data request timed out (25s)' };
|
||||
return { error: 'ACLED data request timed out (25s)', code: 'api_failed' };
|
||||
}
|
||||
const rootCause = e.cause ? `${e.cause.message || e.cause.code || e.cause}` : '';
|
||||
return { error: `ACLED data error: ${e.message}${rootCause ? ' → ' + rootCause : ''}` };
|
||||
return { error: `ACLED data error: ${e.message}${rootCause ? ' - ' + rootCause : ''}`, code: 'api_failed' };
|
||||
}
|
||||
}
|
||||
|
||||
@@ -237,12 +271,13 @@ function groupBy(events, field) {
|
||||
|
||||
// Briefing — last 7 days of global conflict events
|
||||
export async function briefing() {
|
||||
if (!process.env.ACLED_EMAIL || !process.env.ACLED_PASSWORD) {
|
||||
const { email, password } = acledCredentials();
|
||||
if (!email || !password) {
|
||||
return {
|
||||
source: 'ACLED',
|
||||
timestamp: new Date().toISOString(),
|
||||
status: 'no_credentials',
|
||||
message: 'Set ACLED_EMAIL and ACLED_PASSWORD in .env. Register at https://acleddata.com/user/register',
|
||||
message: 'Set ACLED_EMAIL or ACLED_USER and ACLED_PASSWORD in .env. Register at https://acleddata.com/user/register',
|
||||
};
|
||||
}
|
||||
|
||||
@@ -256,7 +291,8 @@ export async function briefing() {
|
||||
});
|
||||
|
||||
if (data?.error) {
|
||||
return { source: 'ACLED', timestamp: new Date().toISOString(), error: data.error };
|
||||
const status = data.code === 'auth_denied' ? 'auth_failed' : 'api_failed';
|
||||
return { source: 'ACLED', timestamp: new Date().toISOString(), status, error: data.error };
|
||||
}
|
||||
|
||||
let events = data?.data || [];
|
||||
@@ -300,6 +336,7 @@ export async function briefing() {
|
||||
return {
|
||||
source: 'ACLED',
|
||||
timestamp: new Date().toISOString(),
|
||||
status: 'live',
|
||||
period: { start, end },
|
||||
totalEvents: events.length,
|
||||
totalFatalities,
|
||||
@@ -307,6 +344,7 @@ export async function briefing() {
|
||||
byType,
|
||||
topCountries,
|
||||
deadliestEvents,
|
||||
message: events.length === 0 ? 'ACLED returned a valid empty event set for the requested period.' : undefined,
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
@@ -24,9 +24,6 @@ export default {
|
||||
autoOpenBrowser: boolEnv('AUTO_OPEN_BROWSER', false),
|
||||
staleDataMaxAgeMinutes: intEnv('STALE_DATA_MAX_AGE_MINUTES', 60),
|
||||
sweepToken: process.env.SWEEP_TOKEN || null,
|
||||
terminalActionsEnabled: boolEnv('TERMINAL_ACTIONS_ENABLED', !!process.env.SWEEP_TOKEN || process.env.NODE_ENV !== 'production'),
|
||||
terminalActionRateLimitWindowMs: intEnv('TERMINAL_ACTION_RATE_LIMIT_WINDOW_MS', 60_000),
|
||||
terminalActionRateLimitMax: intEnv('TERMINAL_ACTION_RATE_LIMIT_MAX', 10),
|
||||
|
||||
llm: {
|
||||
provider: process.env.LLM_PROVIDER || null, // anthropic | openai | gemini | codex | openrouter | minimax | mistral | ollama | grok
|
||||
|
||||
@@ -406,7 +406,6 @@ let layerModes = JSON.parse(localStorage.getItem('crucix_layer_modes') || '{}');
|
||||
let spaceDisplayMode = localStorage.getItem('crucix_space_display') || 'icons';
|
||||
let currentRegion = 'world';
|
||||
let flatSvg, flatProjection, flatPath, flatG, flatZoom, flatW, flatH;
|
||||
const terminalActionTokenKey = 'crucix_terminal_action_token';
|
||||
|
||||
const layerTypeMap = {
|
||||
air: ['air'],
|
||||
@@ -607,7 +606,6 @@ function renderTopbar(){
|
||||
const ts = new Date(D.meta.timestamp);
|
||||
const d = ts.toLocaleDateString('en-US',{month:'short',day:'numeric',year:'numeric'}).toUpperCase();
|
||||
const timeStr = ts.toLocaleTimeString('en-US',{hour:'2-digit',minute:'2-digit',hour12:true});
|
||||
const hasActionToken = !!getTerminalActionToken();
|
||||
document.getElementById('topbar').innerHTML=`
|
||||
<div class="top-left">
|
||||
<span class="brand">CRUCIX MONITOR</span>
|
||||
@@ -620,56 +618,12 @@ function renderTopbar(){
|
||||
<span class="meta-pill">${d} <span class="v">${timeStr}</span></span>
|
||||
<span class="meta-pill">${t('dashboard.sources','SOURCES')} <span class="v">${D.meta.sourcesOk}/${D.meta.sourcesQueried}</span></span>
|
||||
${D.delta?.summary ? `<span class="meta-pill">${t('dashboard.delta','DELTA')} <span class="v">${D.delta.summary.direction==='risk-off'?'▲ '+t('dashboard.riskOff','RISK-OFF'):D.delta.summary.direction==='risk-on'?'▼ '+t('dashboard.riskOn','RISK-ON'):'◆ '+t('dashboard.mixed','MIXED')}</span></span>` : ''}
|
||||
<button class="guide-btn" onclick="configureTerminalActionToken()" title="Configure SWEEP_TOKEN for protected terminal actions">${hasActionToken?'TOKEN SET':'SET TOKEN'}</button>
|
||||
<button class="guide-btn" onclick="runTerminalAction('status')" title="Check protected terminal action access">STATUS</button>
|
||||
<button class="guide-btn" onclick="runTerminalAction('sweep')" title="Trigger a protected intelligence sweep">SWEEP</button>
|
||||
<button class="guide-btn" onclick="openGlossary()">${t('dashboard.guideBtn','What Signals Mean')}</button>
|
||||
<span class="alert-badge">${t('dashboard.highAlert','HIGH ALERT')}</span>
|
||||
</div>`;
|
||||
renderRegionControls();
|
||||
}
|
||||
|
||||
function getTerminalActionToken(){
|
||||
return localStorage.getItem(terminalActionTokenKey) || '';
|
||||
}
|
||||
|
||||
function configureTerminalActionToken(){
|
||||
const next = window.prompt('Terminal action token (SWEEP_TOKEN). Leave empty to clear.', getTerminalActionToken());
|
||||
if(next === null) return;
|
||||
const clean = next.trim();
|
||||
if(clean) localStorage.setItem(terminalActionTokenKey, clean);
|
||||
else localStorage.removeItem(terminalActionTokenKey);
|
||||
renderTopbar();
|
||||
}
|
||||
|
||||
async function runTerminalAction(action){
|
||||
let token = getTerminalActionToken();
|
||||
if(!token && location.hostname !== 'localhost' && location.hostname !== '127.0.0.1'){
|
||||
configureTerminalActionToken();
|
||||
token = getTerminalActionToken();
|
||||
if(!token) return;
|
||||
}
|
||||
|
||||
const headers = {'Content-Type':'application/json'};
|
||||
if(token) headers['x-crucix-token'] = token;
|
||||
try{
|
||||
const response = await fetch('/api/action', {
|
||||
method:'POST',
|
||||
headers,
|
||||
body:JSON.stringify({action})
|
||||
});
|
||||
const payload = await response.json().catch(() => ({}));
|
||||
if(!response.ok) throw new Error(payload.error || `Action failed (${response.status})`);
|
||||
if(action === 'status'){
|
||||
window.alert(`Terminal actions OK. Health: ${payload.health?.status || 'unknown'}`);
|
||||
} else if(action === 'sweep'){
|
||||
window.alert(payload.status === 'accepted' ? 'Sweep accepted.' : `Sweep status: ${payload.status || 'unknown'}`);
|
||||
}
|
||||
}catch(err){
|
||||
window.alert(`Terminal action failed: ${err.message}`);
|
||||
}
|
||||
}
|
||||
|
||||
// === LEFT RAIL ===
|
||||
function layerMode(key){ return layerModes[key] || 'normal'; }
|
||||
function layerModeLabel(key){ return layerMode(key) === 'focus' ? 'focused' : layerMode(key) === 'hidden' ? 'hidden' : 'normal'; }
|
||||
|
||||
@@ -2,8 +2,9 @@
|
||||
|
||||
Provides conflict events, fatalities, event types, and locations.
|
||||
|
||||
- Auth: `ACLED_EMAIL` and `ACLED_PASSWORD`.
|
||||
- Auth: `ACLED_EMAIL` or `ACLED_USER`, plus `ACLED_PASSWORD`.
|
||||
- Flow: OAuth password grant is tried first, then cookie session fallback.
|
||||
- Failure modes: missing credentials, terms/profile not completed, expired token, account missing API access.
|
||||
- Failure modes: missing credentials (`no_credentials`), rejected credentials or access denied (`auth_failed`), token/API endpoint failure (`api_failed`), and valid empty event sets (`totalEvents: 0`).
|
||||
- Behavior: missing or rejected credentials produce degraded source health with the ACLED error text.
|
||||
- Debug logs redact bearer tokens and cookies.
|
||||
- Test: set credentials, run `node apis/sources/acled.mjs`, then check `/api/health`.
|
||||
|
||||
141
server.mjs
141
server.mjs
@@ -39,7 +39,6 @@ let sweepStartedAt = null; // Timestamp when current/last sweep started
|
||||
let sweepInProgress = false;
|
||||
const startTime = Date.now();
|
||||
const sseClients = new Set();
|
||||
const terminalActionBuckets = new Map();
|
||||
|
||||
// === Delta/Memory ===
|
||||
const memory = new MemoryManager(RUNS_DIR);
|
||||
@@ -290,34 +289,14 @@ app.get('/api/metrics', (req, res) => {
|
||||
});
|
||||
|
||||
app.post('/api/sweep', express.json(), (req, res) => {
|
||||
const guard = authorizeTerminalAction(req, res, 'sweep');
|
||||
if (!guard.ok) return;
|
||||
triggerSweepAction(req, res, 'sweep');
|
||||
});
|
||||
|
||||
app.post('/api/action', express.json(), (req, res) => {
|
||||
const action = String(req.body?.action || req.body?.command || '').trim().toLowerCase();
|
||||
const guard = authorizeTerminalAction(req, res, action || 'unknown');
|
||||
if (!guard.ok) return;
|
||||
|
||||
if (action === 'status') {
|
||||
auditTerminalAction(req, 'status', 'ok');
|
||||
return res.json({ status: 'ok', health: buildHealth() });
|
||||
}
|
||||
|
||||
if (action === 'brief') {
|
||||
if (!currentData) {
|
||||
auditTerminalAction(req, 'brief', 'rejected', 'no_data');
|
||||
return res.status(503).json({ error: 'No data yet - first sweep in progress' });
|
||||
}
|
||||
auditTerminalAction(req, 'brief', 'ok');
|
||||
return res.json({ status: 'ok', brief: buildBrief(currentData) });
|
||||
}
|
||||
|
||||
if (action === 'sweep') return triggerSweepAction(req, res, 'action:sweep');
|
||||
|
||||
auditTerminalAction(req, action || 'unknown', 'rejected', 'unknown_action');
|
||||
return res.status(400).json({ error: 'Unknown action', allowed: ['status', 'brief', 'sweep'] });
|
||||
const remote = req.ip || '';
|
||||
const local = remote.includes('127.0.0.1') || remote === '::1' || remote === '::ffff:127.0.0.1';
|
||||
const token = req.get('x-crucix-token') || req.query.token || req.body?.token;
|
||||
if (config.sweepToken && token !== config.sweepToken) return res.status(401).json({ error: 'Invalid sweep token' });
|
||||
if (!config.sweepToken && !local) return res.status(403).json({ error: 'Manual sweep is local-only unless SWEEP_TOKEN is set' });
|
||||
if (sweepInProgress) return res.status(409).json({ status: 'already_running', sweepStartedAt });
|
||||
runSweepCycle().catch(err => console.error('[Crucix] API-triggered sweep failed:', err.message));
|
||||
res.status(202).json({ status: 'accepted' });
|
||||
});
|
||||
|
||||
// API: available locales
|
||||
@@ -348,108 +327,6 @@ function broadcast(data) {
|
||||
}
|
||||
}
|
||||
|
||||
function requestIp(req) {
|
||||
return req.ip || req.socket?.remoteAddress || 'unknown';
|
||||
}
|
||||
|
||||
function isLocalRequest(req) {
|
||||
const remote = requestIp(req);
|
||||
return remote === '::1'
|
||||
|| remote === '127.0.0.1'
|
||||
|| remote === '::ffff:127.0.0.1'
|
||||
|| remote.startsWith('127.')
|
||||
|| remote === 'localhost';
|
||||
}
|
||||
|
||||
function sameOriginPost(req) {
|
||||
const origin = req.get('origin');
|
||||
if (!origin) return true;
|
||||
try {
|
||||
const originUrl = new URL(origin);
|
||||
const host = req.get('host');
|
||||
return host && originUrl.host === host;
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
function actionToken(req) {
|
||||
return req.get('x-crucix-token') || req.body?.token || null;
|
||||
}
|
||||
|
||||
function auditTerminalAction(req, action, outcome, detail = null) {
|
||||
const suffix = detail ? ` detail=${detail}` : '';
|
||||
console.log(`[Crucix][audit] terminal_action action=${action || 'unknown'} outcome=${outcome} ip=${requestIp(req)}${suffix}`);
|
||||
}
|
||||
|
||||
function rateLimitTerminalAction(req, action) {
|
||||
const now = Date.now();
|
||||
const windowMs = Math.max(1000, config.terminalActionRateLimitWindowMs || 60_000);
|
||||
const max = Math.max(1, config.terminalActionRateLimitMax || 10);
|
||||
const key = `${requestIp(req)}:${action}`;
|
||||
const bucket = terminalActionBuckets.get(key);
|
||||
if (!bucket || now > bucket.resetAt) {
|
||||
terminalActionBuckets.set(key, { count: 1, resetAt: now + windowMs });
|
||||
return { ok: true };
|
||||
}
|
||||
bucket.count += 1;
|
||||
if (bucket.count > max) {
|
||||
return { ok: false, retryAfterSeconds: Math.ceil((bucket.resetAt - now) / 1000) };
|
||||
}
|
||||
return { ok: true };
|
||||
}
|
||||
|
||||
function authorizeTerminalAction(req, res, action) {
|
||||
const rate = rateLimitTerminalAction(req, action);
|
||||
if (!rate.ok) {
|
||||
auditTerminalAction(req, action, 'rejected', 'rate_limited');
|
||||
res.set('Retry-After', String(rate.retryAfterSeconds));
|
||||
res.status(429).json({ error: 'Too many terminal actions', retryAfterSeconds: rate.retryAfterSeconds });
|
||||
return { ok: false };
|
||||
}
|
||||
|
||||
if (!sameOriginPost(req)) {
|
||||
auditTerminalAction(req, action, 'rejected', 'csrf_origin');
|
||||
res.status(403).json({ error: 'Origin mismatch' });
|
||||
return { ok: false };
|
||||
}
|
||||
|
||||
const local = isLocalRequest(req);
|
||||
const token = actionToken(req);
|
||||
if (!config.terminalActionsEnabled) {
|
||||
auditTerminalAction(req, action, 'rejected', 'disabled');
|
||||
res.status(403).json({ error: 'Terminal actions are disabled' });
|
||||
return { ok: false };
|
||||
}
|
||||
|
||||
if (config.sweepToken) {
|
||||
if (token !== config.sweepToken) {
|
||||
auditTerminalAction(req, action, 'rejected', 'invalid_token');
|
||||
res.status(401).json({ error: 'Invalid terminal action token' });
|
||||
return { ok: false };
|
||||
}
|
||||
return { ok: true };
|
||||
}
|
||||
|
||||
if (!local) {
|
||||
auditTerminalAction(req, action, 'rejected', 'missing_token');
|
||||
res.status(403).json({ error: 'Terminal actions are local-only unless SWEEP_TOKEN is set' });
|
||||
return { ok: false };
|
||||
}
|
||||
|
||||
return { ok: true };
|
||||
}
|
||||
|
||||
function triggerSweepAction(req, res, auditAction) {
|
||||
if (sweepInProgress) {
|
||||
auditTerminalAction(req, auditAction, 'rejected', 'already_running');
|
||||
return res.status(409).json({ status: 'already_running', sweepStartedAt });
|
||||
}
|
||||
auditTerminalAction(req, auditAction, 'accepted');
|
||||
runSweepCycle().catch(err => console.error('[Crucix] API-triggered sweep failed:', err.message));
|
||||
return res.status(202).json({ status: 'accepted' });
|
||||
}
|
||||
|
||||
function dataAgeMs() {
|
||||
const ts = currentData?.meta?.timestamp || lastSuccessfulSweepTime || lastSweepTime;
|
||||
const ms = ts ? Date.now() - new Date(ts).getTime() : null;
|
||||
@@ -499,8 +376,6 @@ function buildHealth() {
|
||||
llm: getLLMStatus(),
|
||||
telegramEnabled: !!(config.telegram.botToken && config.telegram.chatId),
|
||||
discordEnabled: !!(config.discord?.botToken || config.discord?.webhookUrl),
|
||||
terminalActionsEnabled: config.terminalActionsEnabled,
|
||||
terminalActionsTokenRequired: !!config.sweepToken,
|
||||
refreshIntervalMinutes: config.refreshIntervalMinutes,
|
||||
language: currentLanguage,
|
||||
memory: intelligenceStore.status(),
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
import test from 'node:test';
|
||||
import assert from 'node:assert/strict';
|
||||
import { readFileSync } from 'node:fs';
|
||||
import { safeFetch, safeFetchText, getFetchMetrics } from '../apis/utils/fetch.mjs';
|
||||
|
||||
test('safeFetch reports HTML as degraded JSON response', async () => {
|
||||
@@ -36,21 +35,128 @@ test('safeFetchText returns text and byte count', async () => {
|
||||
}
|
||||
});
|
||||
|
||||
test('terminal action endpoints avoid URL tokens and include hardening gates', () => {
|
||||
const server = readFileSync(new URL('../server.mjs', import.meta.url), 'utf8');
|
||||
assert.match(server, /app\.post\('\/api\/action'/);
|
||||
assert.match(server, /app\.post\('\/api\/sweep'/);
|
||||
assert.match(server, /x-crucix-token/);
|
||||
assert.match(server, /sameOriginPost/);
|
||||
assert.match(server, /rateLimitTerminalAction/);
|
||||
assert.match(server, /auditTerminalAction/);
|
||||
assert.doesNotMatch(server, /req\.query\.token/);
|
||||
function jsonResponse(payload, ok = true, status = 200) {
|
||||
return {
|
||||
ok,
|
||||
status,
|
||||
headers: { getSetCookie: () => [], get: () => 'application/json' },
|
||||
text: async () => JSON.stringify(payload),
|
||||
json: async () => payload,
|
||||
};
|
||||
}
|
||||
|
||||
function textResponse(text, ok = false, status = 500) {
|
||||
return {
|
||||
ok,
|
||||
status,
|
||||
headers: { getSetCookie: () => [], get: () => 'text/plain' },
|
||||
text: async () => text,
|
||||
json: async () => JSON.parse(text),
|
||||
};
|
||||
}
|
||||
|
||||
async function withAcledEnv(mockFetch, fn) {
|
||||
const originalFetch = globalThis.fetch;
|
||||
const saved = {
|
||||
ACLED_EMAIL: process.env.ACLED_EMAIL,
|
||||
ACLED_USER: process.env.ACLED_USER,
|
||||
ACLED_USERNAME: process.env.ACLED_USERNAME,
|
||||
ACLED_PASSWORD: process.env.ACLED_PASSWORD,
|
||||
};
|
||||
globalThis.fetch = mockFetch;
|
||||
delete process.env.ACLED_EMAIL;
|
||||
delete process.env.ACLED_USER;
|
||||
delete process.env.ACLED_USERNAME;
|
||||
delete process.env.ACLED_PASSWORD;
|
||||
const acled = await import('../apis/sources/acled.mjs');
|
||||
acled.resetAcledSessionForTests();
|
||||
try {
|
||||
return await fn(acled);
|
||||
} finally {
|
||||
globalThis.fetch = originalFetch;
|
||||
for (const [key, value] of Object.entries(saved)) {
|
||||
if (value === undefined) delete process.env[key];
|
||||
else process.env[key] = value;
|
||||
}
|
||||
acled.resetAcledSessionForTests();
|
||||
}
|
||||
}
|
||||
|
||||
test('ACLED credentialed OAuth success returns live events and supports ACLED_USER', async () => {
|
||||
const responses = [
|
||||
jsonResponse({ access_token: 'secret-token' }),
|
||||
jsonResponse({
|
||||
status: 200,
|
||||
data: [{
|
||||
event_date: '2026-05-17',
|
||||
event_type: 'Protests',
|
||||
sub_event_type: 'Peaceful protest',
|
||||
country: 'Example',
|
||||
region: 'Example Region',
|
||||
location: 'Example City',
|
||||
fatalities: '0',
|
||||
latitude: '1.23',
|
||||
longitude: '4.56',
|
||||
}],
|
||||
}),
|
||||
];
|
||||
|
||||
await withAcledEnv(async () => responses.shift(), async ({ briefing }) => {
|
||||
process.env.ACLED_USER = 'operator@example.test';
|
||||
process.env.ACLED_PASSWORD = 'password';
|
||||
const data = await briefing();
|
||||
|
||||
assert.equal(data.status, 'live');
|
||||
assert.equal(data.totalEvents, 1);
|
||||
assert.equal(data.topCountries.Example.count, 1);
|
||||
});
|
||||
});
|
||||
|
||||
test('dashboard exposes token configuration flow without devtools edits', () => {
|
||||
const html = readFileSync(new URL('../dashboard/public/jarvis.html', import.meta.url), 'utf8');
|
||||
assert.match(html, /configureTerminalActionToken/);
|
||||
assert.match(html, /crucix_terminal_action_token/);
|
||||
assert.match(html, /x-crucix-token/);
|
||||
assert.match(html, /SET TOKEN/);
|
||||
test('ACLED rejected credentials return auth_failed diagnostics', async () => {
|
||||
const responses = [
|
||||
textResponse('invalid credentials', false, 401),
|
||||
textResponse('forbidden', false, 403),
|
||||
];
|
||||
|
||||
await withAcledEnv(async () => responses.shift(), async ({ briefing }) => {
|
||||
process.env.ACLED_EMAIL = 'operator@example.test';
|
||||
process.env.ACLED_PASSWORD = 'wrong-password';
|
||||
const data = await briefing();
|
||||
|
||||
assert.equal(data.status, 'auth_failed');
|
||||
assert.match(data.error, /All ACLED auth methods failed/);
|
||||
});
|
||||
});
|
||||
|
||||
test('ACLED token endpoint failure returns api_failed diagnostics', async () => {
|
||||
const responses = [
|
||||
textResponse('temporary outage', false, 503),
|
||||
textResponse('temporary outage', false, 503),
|
||||
];
|
||||
|
||||
await withAcledEnv(async () => responses.shift(), async ({ briefing }) => {
|
||||
process.env.ACLED_EMAIL = 'operator@example.test';
|
||||
process.env.ACLED_PASSWORD = 'password';
|
||||
const data = await briefing();
|
||||
|
||||
assert.equal(data.status, 'api_failed');
|
||||
assert.match(data.error, /All ACLED auth methods failed/);
|
||||
});
|
||||
});
|
||||
|
||||
test('ACLED valid empty response is live with zero events', async () => {
|
||||
const responses = [
|
||||
jsonResponse({ access_token: 'secret-token' }),
|
||||
jsonResponse({ status: 200, data: [] }),
|
||||
];
|
||||
|
||||
await withAcledEnv(async () => responses.shift(), async ({ briefing }) => {
|
||||
process.env.ACLED_EMAIL = 'operator@example.test';
|
||||
process.env.ACLED_PASSWORD = 'password';
|
||||
const data = await briefing();
|
||||
|
||||
assert.equal(data.status, 'live');
|
||||
assert.equal(data.totalEvents, 0);
|
||||
assert.match(data.message, /valid empty/);
|
||||
});
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user