Shadowbroker

mirror of https://github.com/BigBodyCobain/Shadowbroker.git synced 2026-06-06 06:13:54 +02:00

Author	SHA1	Message	Date
BigBodyCobain	6a74105e6a	fix(#319,#296): v0.9.8 rebuild — bundle missing deps so backend launches Issues #319 and #296 reported that the installed v0.9.79 Windows MSI/EXE crashed on launch with: thread 'main' panicked ... failed to setup app: error encountered during setup hook: ShadowBroker cannot start: the bundled local backend failed to launch. technical detail: managed_backend_exited_early:exit code: 103 Root cause: ``backend/pyproject.toml`` declares ``defusedxml>=0.7.1`` and ``PySocks==1.7.1`` as runtime dependencies, but the venv used to build v0.9.79 (and the initial v0.9.8 publish) had both missing. When ``services/fetchers/aircraft_database.py`` does ``import defusedxml.ElementTree`` at startup, Python raises ``ModuleNotFoundError`` and uvicorn exits, which Tauri reports as ``managed_backend_exited_early``. Both packages now installed in the build venv. ``main.py`` imports end-to-end with only the expected ``plane_alert_db.json not found`` warning (runtime-state file, populated on first launch). Rebuilt artifacts on the maintainer's local machine: ShadowBroker_v0.9.8.zip 6.06 MB 183bb5cd62b9b9349d95df5ef7696cb6ca810ab4b991fa9dab6f898af4c7a175 ShadowBroker_0.9.8_x64_en-US.msi 122.4 MB fe22f9d51e4360d74c18a7250c2fbb9ed4fa4c7a884b3ac0d04a21115466386b ShadowBroker_0.9.8_x64-setup.exe 76.5 MB 94a0309862e9c81c92cdcbfea8eec9dbb97eef19ded82b26217b397defbc810c After this merges, the v0.9.8 tag will be force-moved to this commit and the GitHub release assets replaced so the integrity chain validates against the working installers instead of the broken ones. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-23 16:42:22 -06:00
Shadowbroker	8dfa6a7199	release: v0.9.8 — Cumulative Fuel/CO2, AIS Resilience, Data-Layer Repair (#321 ) Bumps every hardcoded 0.9.79 → 0.9.8 across backend, frontend, desktop-shell, helm, lockfiles, test fixtures. Refreshes the in-app ChangelogModal HEADLINE_FEATURES, NEW_FEATURES, and BUG_FIXES with the v0.9.8 highlights. Release artifacts built locally and hashed into release_digests.json: ShadowBroker_v0.9.8.zip 6.06 MB d506f6b8462ccb12096f0cd9462233be58928094240416b65fb3127bdd1f3820 ShadowBroker_0.9.8_x64_en-US.msi 122.4 MB d4be4cb68c3e6409fff54c225acdcdd08e27d5d6d2b31616d78d2a4f6812991d ShadowBroker_0.9.8_x64-setup.exe 76.5 MB 1115d1f5cf37edd03ea2c21d821c7626e1bf3319c990402aaa0293bca46fea67 Sizes match the v0.9.79 reference shape (5.76 MB / 117 MB / 72.9 MB) within expected drift for new code. The .zip is a `git archive` of the v0.9.8 source tree (matching v0.9.79's approach). Audit confirms no .env, .key, .venv-dir, or cache files leaked into the backend-runtime bundle. Python 3.11.9 + 199 site-packages + privacy_core all staged correctly. Headline changes since v0.9.79: * Cumulative fuel/CO2 per flight (#317) — running totals since first observation, not just per-hour rate. * AIS maritime resilience (#314, #316) — outage banner + AISHub REST fallback when AISStream WebSocket primary is offline. * Data-layer repair (#311, #312) — UAP fallback respects the 60-day cutoff; GPS jamming threshold tuning + nac_p=0 inclusion so the layer actually fires. * Per-flight source attribution (#313) — source field on every record. * Cross-node DM mailbox replication (#309). * Infonet sync HTTP 429 honored (#310). Test fixtures updated: * test_per_operator_outbound_attribution.py — added v0.9.8 UA strings to the banned-aggregate-literals list (alongside v0.9.79). * updateRuntime.test.ts — bumped asset filename fixtures to v0.9.8. release_digests.json keeps the v0.9.79 block alongside v0.9.8 so operators still on 0.9.79 validate cleanly during the rollout. The accent narrowing fix in ChangelogModal (one feature uses 'purple', two use 'cyan' so the renderer's `accent === 'purple'` comparison still type-checks) is included. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-23 16:24:20 -06:00
Shadowbroker	ef6b8ec181	fix(desktop-build): strip layout.tsx force-dynamic on CRLF checkouts too (#320 ) build-frontend-export.cjs stages a desktop-only frontend export tree and strips the ``force-dynamic`` + ``revalidate`` directives from ``frontend/src/app/layout.tsx`` so Next's ``output: "export"`` can prerender every route. The strip regexes only matched LF (``\n``). Any Windows checkout without ``core.autocrlf=input`` has CRLF line endings, the strip silently no-op'd, and the desktop build failed at the static-export step: Error: Page with `dynamic = "force-dynamic"` couldn't be exported. `output: "export"` requires all pages be renderable statically because there is no runtime server to dynamically render routes in this output format. Export encountered an error on /_not-found/page: /_not-found Reaches every Windows contributor who hasn't normalized line endings locally. Replacing each ``\n`` in the strip regexes with ``\r?\n`` makes the strip CRLF-tolerant; LF behavior is unchanged. Verified by running both regexes against the actual layout.tsx (302 bytes removed, force-dynamic + revalidate both gone) and against a synthetic LF input (296 bytes removed, same outcome). Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-23 16:07:11 -06:00
Shadowbroker	dcea325fba	Merge pull request #317 from BigBodyCobain/feat/cumulative-fuel-burn feat(flights): cumulative fuel burned + CO2 emitted per flight	2026-05-23 08:09:34 -06:00
BigBodyCobain	03b8053617	feat(flights): cumulative fuel burned + CO2 emitted per flight Pre-fix the emissions tooltip only showed the per-hour rate — what most users actually want is the cumulative amount burned. This adds running totals computed by multiplying the model-based rate by the elapsed observation time since we first saw the airframe. New module ``flight_observations.py``: * Tracks first_seen_at + last_seen_at per icao24 hex. * Re-opens a fresh session when an aircraft is unseen for > 15 min (treated as a new flight — landed and took off, or transited a dead zone). Prevents the cumulative counter from resetting mid-flight if the trail-rendering cache prunes the trail. * Clamps elapsed time to 24h max so clock skew can't produce comically large numbers. * Pruned every 5 min via a new scheduler job (mirrors ais_prune cadence). flights.py + military.py emission enrichment now also attaches: * observed_seconds — how long we've been tracking this airframe. * fuel_gallons_burned — rate * elapsed_h. * co2_kg_emitted — rate * elapsed_h. The existing per-hour rate fields stay in the dict for backward compat and are shown as small secondary context in the tooltip. Frontend EmissionsEstimateBlock (NewsFeed.tsx) now prominently shows the cumulative totals with the rate as smaller context underneath plus "Observed in flight for Xh Ym". When observed_seconds is 0 (first refresh) it renders "Just observed · totals will appear on next refresh" instead of a misleading "0 gal". 12 backend tests cover record/accumulate/reset, the 24h clamp, prune, case-insensitive key normalization, and end-to-end emission integration in _classify_and_publish. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-23 07:56:23 -06:00
Shadowbroker	20807a2d62	Merge pull request #316 from BigBodyCobain/feat/aishub-fallback feat(ais): AISHub REST fallback when AISStream is offline (20-min polling)	2026-05-23 07:42:56 -06:00
Shadowbroker	79fbf9741b	Merge pull request #314 from BigBodyCobain/feat/ais-upstream-health feat(ais): surface AISStream upstream outage instead of failing silently	2026-05-23 07:12:37 -06:00
BigBodyCobain	a2f5d62926	feat(ais): AISHub REST fallback when AISStream WebSocket is offline When stream.aisstream.io is unreachable (cert outage, server down — see 2026-05-20 and 2026-05-23 events) the ships layer goes empty. This adds a slow REST fallback to data.aishub.net so the layer stays populated in degraded mode. Behavior: * Opt-in via AISHUB_USERNAME (free registration at aishub.net/api). Without the env var the fetcher is a no-op. * Default poll cadence 20 min — well inside their free-tier limits, gives ships time to move enough to look "alive". Configurable via AISHUB_POLL_INTERVAL_MINUTES, clamped to [1, 360]. * Internal gate: skips the poll entirely when the WebSocket primary is currently connected. Stomping fresh live data with 20-min-old REST data would be worse than leaving it alone. * Vessels merge into the shared _vessels dict with source="aishub" so the existing UI / health tooling can attribute the provider. * Live data wins races: if a WebSocket update for the same MMSI lands in the last 1s, we don't overwrite with the slower REST record. Scheduler job runs every AISHUB_POLL_INTERVAL_MINUTES minutes alongside the existing ais_prune job in data_fetcher.py. 24 tests cover gating (no-username, primary-connected), response parsing (success / error / empty / malformed / unexpected shape), record normalization (sentinels, missing fields, range checks, AIS @ padding), poll interval clamping, and end-to-end merge with live-data-wins. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-23 07:00:32 -06:00
BigBodyCobain	5e0b2c037e	feat(ais): surface upstream outage instead of failing silently On 2026-05-23, stream.aisstream.io went fully offline (TCP timeouts on port 443). The backend kept respawning the node WebSocket proxy every few seconds with nothing arriving. From the operator's POV the ships layer silently went empty — no banner, no log surfacing, no way to tell whether it was their config / network / viewport filter / upstream. Backend: * ais_proxy_status() now also returns: - connected (bool): true when a vessel message arrived in last 60s - last_msg_age_seconds (int \| None) - proxy_spawn_count (int): proxy respawns — sustained growth without connected means upstream is dead * /api/health escalates top status to "degraded" when AIS_API_KEY is set but the proxy is currently disconnected. Existing degraded_tls signal preserved. Frontend: * useAisUpstreamHealth hook polls /api/health every 30s, derives the outage state. Defensively only reports outage once spawn_count > 0 so operators who haven't opted in don't see the banner. * AisUpstreamBanner component renders a dismissible amber notice "Ship data temporarily unavailable — AISStream upstream is offline" mounted on the main app shell. 7 backend tests pin the status-shape contract and the /api/health escalation behavior in both with-key and without-key configurations. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-23 06:38:05 -06:00
Shadowbroker	69ef231e5a	Merge pull request #313 from BigBodyCobain/feat/flight-source-attribution feat(flights): stamp source attribution on every flight record	2026-05-23 06:29:31 -06:00
Shadowbroker	7a5f47ca9e	Merge pull request #312 from BigBodyCobain/fix/gps-jamming-thresholds fix(gps-jamming): count nac_p=0 + lower thresholds so layer actually fires	2026-05-23 06:29:20 -06:00
Shadowbroker	5cd49542bf	Merge pull request #311 from BigBodyCobain/fix/uap-fallback-cutoff fix(uap): stop HF fallback from serving 3-year-old NUFORC sightings	2026-05-23 06:29:08 -06:00
BigBodyCobain	f14d4feb6d	feat(flights): stamp source attribution on every flight record Pre-fix, adsb.lol records (the primary source for most flights) carried no source marker. OpenSky records got is_opensky: True and supplementals got supplemental_source, so any UI inspecting source labels saw OpenSky/airplanes.live records as explicitly tagged and adsb.lol records as "unlabeled" — making it look like adsb.lol wasn't being used at all even though it's the primary source. Changes: * _fetch_adsb_lol_regions stamps source="adsb.lol" on each aircraft before returning, so the tag survives the OpenSky dedupe-by-hex merge. * OpenSky records get source="OpenSky" (alongside is_opensky=True for back-compat). * military fetcher tags source on both adsb.lol and airplanes.live records before they're merged, and propagates source into the military_flights and uavs output dicts. * _classify_and_publish promotes the explicit source field into the published flight dict. Falls back to legacy supplemental_source if source is absent. Final fallback "adsb.lol" preserves prior behavior for any caller synthesizing records without going through a fetcher. 8 new tests cover the published-dict propagation, OpenSky tagging, supplemental fallback, explicit-wins precedence, default behavior, the adsb.lol regional fetcher tagging, and the military output dict. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-23 06:14:39 -06:00
BigBodyCobain	19a8560a80	fix(gps-jamming): count nac_p=0 + lower thresholds so the layer actually fires Three stacked filters meant the gps_jamming layer almost never lit up: 1. nac_p == 0 aircraft were dropped on the theory that "0 = old transponder." That's only half right — modern Mode-S Enhanced Surveillance transponders also fall back to nac_p=0 when they lose GPS lock entirely, which IS the jamming signature we want to catch. Discarding them was discarding the strongest signal. None (no field at all — typical for OpenSky-sourced records) is still skipped because absence-of-data isn't evidence. 2. GPS_JAMMING_MIN_AIRCRAFT was 5 per 1°x1° cell. Jamming hotspots (eastern Med, Russia/Ukraine border, Iran/Iraq) tend to have sparser traffic because pilots avoid them. Lowered to 3. 3. GPS_JAMMING_MIN_RATIO was 0.30. Combined with the (preserved) -1 noise cushion that made the effective bar high. Lowered to 0.20. The 1-aircraft noise cushion is intact so a single quirky transponder still can't flag a zone alone. Also extracted the detector loop into a pure ``detect_gps_jamming_zones()`` function at module scope so it's testable in isolation (was previously inlined inside ``_classify_and_publish``). The public signature accepts threshold overrides for ad-hoc re-tuning without code edits. 16 new tests cover nac_p=0 inclusion, None-skip preservation, MIN_AIRCRAFT lowering, MIN_RATIO lowering, noise cushion preservation, constant pinning, override behavior, lon/lng key compatibility, and robustness to empty/None inputs. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-22 23:40:18 -06:00
BigBodyCobain	0d0e009867	fix(uap): stop HF fallback from serving 3-year-old NUFORC sightings The UAP sightings layer is sourced from a live scrape of nuforc.org with a static Hugging Face CSV mirror (kcimc/NUFORC) as a fallback. The fallback parsed every row, sorted by occurred-desc, and took the top 250 — with no date cutoff. The HF mirror is a third-party snapshot that hasn't been refreshed in years, so the "newest 250" rows it returns are from ~2022-23. When the live path fails (Cloudflare 403, curl disabled on Windows, wdtNonce regex stale, etc.) users see a map full of sightings from 3 years ago, labeled as the "last 60 days" layer. Changes: * HF fallback now applies the same 60-day cutoff the live path uses. Rows outside the window are dropped before take-top-N. If the mirror has nothing inside the window the fallback returns [] (don't serve stale). * When the HF mirror is fully stale a loud ERROR log fires with the count of dropped rows so the operator can tell the mirror's the problem, not a network issue. * When BOTH live AND HF fallback produce 0 rows, fetch_uap_sightings now trips assert_canary("uap_sightings", 0) so the health registry shows the layer as broken instead of "fresh and empty for days." * Scheduler moved from daily 12:00 UTC to weekly Mondays 12:00 UTC. The layer is a rolling 60-day digest; refreshing once a week is enough cadence for human-readable map exploration and keeps nuforc.org load light. 6 new tests cover the cutoff filter, the doomsday-log path, the mixed-age path, the both-paths-empty health failure, the positive fallback path, and the scheduler cadence. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-22 23:27:12 -06:00
Shadowbroker	febcce9125	Merge pull request #310 from BigBodyCobain/fix/infonet-sync-429-backoff Infonet sync: honor HTTP 429 Retry-After + exponential backoff	2026-05-22 23:11:00 -06:00
BigBodyCobain	31ebcb5cd9	Infonet sync: honor HTTP 429 Retry-After + exponential backoff Fixes the retry-storm that's been keeping the local node 429'd out of the seed peer (the diagnosis we ran earlier in the session). Pre-fix: 1. Sync hits the seed peer, gets HTTP 429 (Too Many Requests) 2. _peer_sync_response stringifies the status into a ValueError 3. _sync_from_peer catches it, error becomes the str() of the exc 4. _run_public_sync_cycle calls finish_sync(error=..., failure_backoff_s=60) 5. next_sync_due_at = now + 60s 6. After 60s, sync runs again, hits same upstream that hasn't reset its rate-limit bucket, 429 again. Loop indefinitely. Net effect: a node that hit one transient 429 would hammer the seed every 60s forever, keeping the bucket full and never recovering. We saw this in the live status dump: consecutive_failures=49, last_sync_ok_at=0, retry storm sustained over the entire uptime. What changed ------------ services/mesh/mesh_infonet_sync_support.py * New typed exception PeerSyncRateLimited carries the parsed Retry-After value out of the HTTP layer instead of stringifying everything into a generic ValueError. * New parse_retry_after_header() handles both RFC 7231 §7.1.3 forms (delay-seconds and HTTP-date). Clamped at 1 hour so a hostile peer can't silence us for days. * New _failure_backoff_seconds() helper computes the next delay as max(exponential, retry_after_s). Schedule with default base=60s, cap=1800s: failure 1 -> 60s (preserves pre-fix for transient blips) failure 2 -> 120s failure 3 -> 240s failure 4 -> 480s failure 5 -> 960s failure 6+ -> 1800s (capped at 30 min) cap_s=0 explicitly disables exponential entirely — operators who want pure-Retry-After behavior have that option. * finish_sync now accepts retry_after_s and failure_backoff_cap_s kwargs. Backward-compatible: existing callers that don't pass retry_after_s get the same first-failure delay as before (the base value), only repeat failures grow. main.py * _peer_sync_response detects 429 specifically, parses the Retry-After header, raises PeerSyncRateLimited(retry_after_s=N). Includes the response body prefix in the message so the operator's last_error finally shows something useful. * _sync_from_peer extended to return (ok, error, forked, retry_after_s) — the 4th tuple element is non-zero only when the upstream sent a parseable Retry-After. Existing call shape preserved: the lone caller in _run_public_sync_cycle was updated in the same commit. * _run_public_sync_cycle forwards retry_after_s into finish_sync. Tests ----- backend/tests/mesh/test_infonet_sync_429_backoff.py — 17 new tests: TestParseRetryAfter (7): - integer seconds form - HTTP-date form (computed as seconds-from-now) - HTTP-date in the past returns 0 - empty / whitespace returns 0 - malformed returns 0 - clamps to 1 hour (hostile-peer cap) - negative returns 0 TestFailureBackoffSeconds (5): - exponential growth schedule pins each level - retry_after wins when larger than exponential - exponential wins when larger than retry_after - cap_s=0 disables exponential entirely - zero inputs return zero TestFinishSyncBackoff (5): - first failure uses base unchanged (pre-fix back-compat) - consecutive_failures actually grow the delay - retry_after honored at low failure count - success resets consecutive_failures - last_error carries the HTTP status / Retry-After detail All 24 existing sync-support / status-gate tests still pass. Other failures in tests/mesh/ are pre-existing on origin/main and unrelated to this change (verified by running the same tests against the user's main worktree without these edits). What the operator sees after this lands + a docker rebuild ---------------------------------------------------------- With the live 429 storm we diagnosed: Pre-fix: consecutive_failures keeps climbing 1/min forever, last_error empty or generic Post-fix: consecutive_failures grows, next_sync_due_at backs off exponentially (max 30 min), last_error explicitly carries "HTTP 429 from <peer> (retry_after=Ns): <body>" so the operator can see what's actually wrong. Once the upstream bucket drains and a sync succeeds, consecutive_failures resets to 0 and the schedule returns to the normal 300s interval.	2026-05-22 22:55:05 -06:00
Shadowbroker	b3fca3dc18	Merge pull request #309 from BigBodyCobain/feat/cross-node-dm-mailbox-replication DM mailbox: per-(sender, recipient) anti-spam cap + replication primitives	2026-05-22 22:43:26 -06:00
BigBodyCobain	401f114e4f	DM mailbox: outbound replication + receiving endpoint Second commit on this branch (first added the per-sender cap + accept_replica primitive). This commit wires the actual cross-node propagation: Outbound (sender side) ---------------------- * New ``DMRelay._replicate_envelope_to_peers_async()`` — fire-and-forget thread that POSTs the envelope to every authenticated relay peer via the same per-peer HMAC pattern gate-message replication uses (#256 ``X-Peer-Url`` + ``X-Peer-HMAC`` headers, ``resolve_peer_key_for_url``). * ``deposit()`` now calls the replication helper after a successful local accept. Per-peer errors are swallowed — slow Tor peers must not block the sender's UX, and the recipient polling from a healthy peer works fine even if some peers are down. * Metrics: dm_replication_push_ok / _rejected / _error. Inbound (receiving side) ------------------------ * New endpoint ``POST /api/mesh/dm/replicate-envelope`` in routers/mesh_peer_sync.py. * Same HMAC auth gate (``_verify_peer_push_hmac``) as the existing infonet/gate peer-push endpoints. Unauthenticated requests get 403. * Body cap of 64 KB (DM envelope is bounded by MESH_DM_MAX_MSG_BYTES). * Calls DMRelay.accept_replica which enforces the per-sender cap as a network rule — hostile sender's relay can hold extras locally but honest peers reject them on inbound replication. End-to-end flow now works ------------------------- 1. Alice's node accepts a deposit to Bob's mailbox (local cap check). 2. Alice's node spawns a background thread that POSTs the envelope to MESH_RELAY_PEERS with per-peer HMAC. 3. Each peer's /api/mesh/dm/replicate-envelope verifies the HMAC and calls accept_replica, which re-enforces the per-sender cap. 4. Bob (offline at the time of send) eventually logs into ANY node in MESH_RELAY_PEERS, his existing pollDmMailboxes pulls from the local mailbox there, finds Alice's envelope, decrypts. Tests ----- backend/tests/test_dm_replicate_envelope_endpoint.py — 4 tests: TestReplicateEndpointAuth: - rejects requests without peer HMAC (403) - rejects requests with WRONG peer HMAC (403) — confirms the HMAC is actually verified, not just present - rejects oversize bodies (>64 KB) with 400/413 TestReplicateEndpointRegistered: - static check that POST /api/mesh/dm/replicate-envelope is registered on app.routes — catches future refactor that drops the router include All 38 backend tests touching the new code paths still pass: test_dm_relay_per_sender_cap.py (14) test_dm_replicate_envelope_endpoint.py (4) test_no_new_duplicate_routes.py (1) — new route is unique test_per_peer_secret_resolver.py (19) — HMAC primitive unaffected What's still ahead (PR-3+) -------------------------- * ack propagation: when recipient pulls a message on node X, peers Y/Z should prune their copies to free the sender's quota network-wide. Without this, the sender's quota frees only on the node the recipient actually polled — other peers still see N pending until TTL expiry. Workable but suboptimal. PR-3 will add a /api/mesh/dm/ack endpoint with the same HMAC pattern. * recipient pull-from-peers: today the recipient's poll only hits their own node's relay. If they log into a peer they didn't deposit with, they need a way to fetch envelopes from other peers in MESH_RELAY_PEERS. Today this works as long as the recipient's current node is one of the peers Alice's node pushed to — which is true in a fully-meshed deployment but not guaranteed for partial meshes. PR-4 if telemetry shows this matters.	2026-05-22 19:23:09 -06:00
BigBodyCobain	79b39e8985	DM mailbox: per-(sender, recipient) anti-spam cap + replication primitives Foundation work for cross-node DM mailbox replication. Adds the network rule that makes the replication safe to ship next, plus the primitives the outbound replication PR will call. The rule -------- A single sender can have at most N UNACKED messages parked in a single recipient's mailbox at any one time. Default N=2, tunable via ``MESH_DM_PENDING_PER_SENDER_LIMIT``. Once the recipient pulls (acks) a message, the sender's quota for that (sender, recipient) pair frees up. Network rule, not local rule ---------------------------- The cap is enforced TWICE: 1. ``DMRelay.deposit(...)`` — local check on the sender's own node. Refuses to spool the (N+1)th message before it can be replicated. 2. ``DMRelay.accept_replica(...)`` — replication-acceptance check on every receiving peer. Refuses to accept an inbound replica that would put the local mailbox over the cap. The second half is what makes the rule a NETWORK rule. A hostile sender could patch out the deposit check on their own relay and continue to spool extras locally — but those extras can never propagate, because every honest peer enforces the same cap on the way in. A recipient who polls from honest peers therefore never sees more than N pending from any one sender, regardless of how many spam attempts the hostile sender's relay accepted. New API surface on ``DMRelay`` ------------------------------ _per_sender_pending_limit() — reads MESH_DM_PENDING_PER_SENDER_LIMIT _per_sender_pending_count(...) — counts unacked from a sender for a mailbox accept_replica(envelope=...) — peer-push receive entry point envelope_for_replication(...) — helper to extract a wire-form envelope ``accept_replica`` is idempotent on duplicate ``msg_id`` (replication round-trips and multi-path delivery don't double-spool). ``envelope_for_replication`` exposes the exact shape ``accept_replica`` expects, so the follow-up PR (outbound replication wiring) just has to fetch the envelope and POST it to authenticated peer URLs with the existing per-peer HMAC pattern from #256. Why this is PR-1 of two ----------------------- The full cross-node mailbox replication needs three pieces: A. cap enforcement on deposit (in this PR) B. cap enforcement on replica acceptance (in this PR) C. outbound: push envelope to MESH_RELAY_PEERS after deposit (NEXT PR) (A) + (B) shipped together close the cap-bypass attack surface BEFORE (C) introduces the actual cross-node propagation. Shipping them in the other order would briefly let extras propagate during the window between "outbound push lands" and "accept_replica cap lands." Tests ----- backend/tests/test_dm_relay_per_sender_cap.py — 14 tests: TestDepositCap: - first 2 deposits succeed (UX baseline) - 3rd from same sender rejected with friendly message - different senders have independent quotas - different recipients have independent quotas - ack frees the quota (after recipient pulls, sender can deposit again) - cap is env-tunable TestAcceptReplicaCap: - replica accepted under cap - idempotent on duplicate msg_id (no double-spool, no rejection) - rejected at cap with structured ``cap_violation`` marker so sender's relay can stop retrying - per-sender, not per-mailbox: different sender_block_ref passes even when another sender at the same mailbox is capped - malformed envelope shapes rejected without crash TestEnvelopeForReplication: - returns the envelope for stored messages - returns None for unknown msg_id - round-trips through accept_replica end-to-end (proves the wire shape matches across the two sides)	2026-05-22 19:18:01 -06:00
Shadowbroker	c3e38621fc	Merge pull request #308 from BigBodyCobain/fix/296-windows-venv-uvicorn-detection Fix #296: reject backend venvs missing uvicorn before launch (Windows)	2026-05-22 18:56:08 -06:00
BigBodyCobain	9ef02dd06f	Fix #296 : reject backend venvs missing uvicorn before launch Reported by @f3n3k on Windows native install path. Symptom: C:\001\backend\venv\Scripts\python.exe: No module named uvicorn [backend] exited with 1 ShadowBroker has stopped. Exit code: 1 Root cause ---------- The Windows Start.bat flow chains: Start.bat └─ scripts\run-windows-runtime.ps1 └─ frontend\scripts\dev-all.cjs └─ start-backend.js └─ backend\venv\Scripts\python.exe -m uvicorn main:app `start-backend.js` decided whether an existing `backend\venv` was usable by calling `canRun(candidate, ["-V"])`. That only checks whether Python itself can run — it does NOT check whether the backend's actual runtime dependencies are installed. When the venv exists but `pip install` never finished (partial install, failed network, interrupted bootstrap, etc.), the launcher happily accepted that broken venv, then died with the exact error f3n3k reported. Fix --- New `canRunBackendPython()` helper that requires BOTH: python -V # Python is runnable python -c "import fastapi, uvicorn" # backend deps are installed Used in two call sites: * `ensureBackendVenv()` — when iterating candidate venvs on first launch, reject any venv whose Python can't import the backend's real entry-point deps. The launcher then falls through to its existing rebuild path (`rebuildBackendVenv`) which reinstalls deps before declaring the venv healthy. * `rebuildBackendVenv()` — after a rebuild attempt, verify the deps are present before returning the new interpreter path. Catches silent partial rebuilds. The check is the import that uvicorn itself would do at startup, so a green return here genuinely means "uvicorn will start". Cost is one extra `python -c` per venv candidate on launcher startup — milliseconds. Verified locally with `node --check start-backend.js`. Credit: @f3n3k for the original report.	2026-05-22 18:50:27 -06:00
Shadowbroker	ba39d3b9aa	Merge pull request #307 from BigBodyCobain/fix/302-openclaw-hmac-reveal-hardening Fix #302: split OpenClaw HMAC reveal into dedicated POST with no-store headers	2026-05-22 18:47:09 -06:00
BigBodyCobain	f91ddcf38b	Fix #302 : split OpenClaw HMAC reveal into dedicated POST with no-store Reported by @tg12. Pre-fix, two problems lived on the GET endpoint: 1. `GET /api/ai/connect-info?reveal=true` returned the full HMAC secret in the response body on every Connect modal open. Even gated to require_local_operator, that put the secret into browser history, dev-tools network panels, browser disk caches, HAR exports, and screen captures. 2. The same GET endpoint auto-bootstrapped (generated + persisted) the secret on a mere read. Side effects on a GET are a footgun: browser prefetchers, mirror tools, and casual curl-from-history would all silently mint+persist a fresh secret. Backend (backend/routers/ai_intel.py) ------------------------------------- GET /api/ai/connect-info — always returns the MASKED fingerprint (first6 + bullets + last4). No `?reveal` param. NO auto-bootstrap. When the secret is missing, returns `hmac_secret_set: false` and tells the caller to POST to /bootstrap. POST /api/ai/connect-info/bootstrap — NEW. Mints+persists the secret if missing. Idempotent. Never returns the full secret in the response body. POST /api/ai/connect-info/reveal — NEW. Returns the full secret with Cache-Control: no-store, no-cache, must-revalidate + Pragma: no-cache + Expires: 0. POST so the body never lands in URL history. 404 (with a pointer to /bootstrap) when the secret isn't set. POST /api/ai/connect-info/regenerate — keeps existing one-time-reveal behavior (regen IS a deliberate destructive action triggered by the operator). Same no-store/no-cache headers added so even the regen response doesn't get cached. Frontend (AIIntelPanel.tsx, OnboardingModal.tsx) ------------------------------------------------ * On mount: GET (masked only). If hmac_secret_set: false, fire a transparent POST /bootstrap and refresh the masked fingerprint. Operator sees no behavior change from pre-#302. * Reveal (eye icon): lazy POST /reveal — secret only travels when the operator explicitly clicks the button. * Copy: lazy POST /reveal too — copying without a prior reveal works exactly like before, just routed through the new endpoint. * Regenerate: POST returns the new secret (same as before, but the response now has no-store headers). * The displayed snippet uses the masked fingerprint until the operator clicks Reveal or Copy. Tests (backend/tests/test_openclaw_connect_info_reveal.py — 13 tests) --------------------------------------------------------------------- * GET returns masked + the full secret never appears in r.text * GET does NOT auto-bootstrap when missing * GET silently ignores any ?reveal=true query (back-compat noise) * POST /bootstrap mints when missing, idempotent when set * POST /bootstrap never returns the full secret * POST /reveal returns the full secret with Cache-Control: no-store, no-cache + Pragma: no-cache + Expires: 0 * POST /reveal 404s with a pointer to /bootstrap when no secret * POST /regenerate returns the new secret with the same headers * Anonymous remote callers get 403 on ALL FOUR endpoints (parametric regression against the same allowlist used elsewhere). Adjacent suites still green: test_openclaw_route_security, test_no_new_duplicate_routes, test_control_surface_auth. 67/67 pass locally. Credit: @tg12 for the audit report.	2026-05-22 18:40:24 -06:00
Shadowbroker	49151d8b9f	Merge pull request #304 from BigBodyCobain/fix/298-sentinel-creds-server-side Fix #298: move Sentinel credentials from browser storage to backend .env	2026-05-22 18:29:11 -06:00
BigBodyCobain	767a2f6c00	Merge remote-tracking branch 'origin/main' into fix/298-sentinel-creds-server-side	2026-05-22 18:19:12 -06:00
Shadowbroker	2da739c9e8	Merge pull request #306 from BigBodyCobain/fix/messagesview-flake-alias-race Deflake messagesViewFirstContact: alias-resolution race in toast text	2026-05-22 18:18:56 -06:00
BigBodyCobain	eca7f24e2c	Loosen messagesViewFirstContact toast assertion to fix alias-race flake Follow-up to #305. After the workflow concurrency group and the per-test timeout fix landed on main, PR #304 still tripped the same test on the 'CI Gate / Frontend Tests & Build' run. Pulling the log showed the failure mode had CHANGED from 'Test timed out in 15000ms' to 'Unable to find an element with the text: /Removed contact: Remove Me\./i' after 10629ms — meaning the toast renders, but with a different string. Tracing through MessagesView.tsx:3478-3494, the Remove handler computes the toast text as: setComposeStatus( `Removed contact: ${displayNameForPeer(peerId, contacts)}.`, ); displayNameForPeer reads contacts[peerId].alias or falls through to the raw peerId. The reference is captured from the closed-over React state. Under some render orderings (visible only when vitest schedules the test in a specific position in the worker pool), the closure sees the post-mutation contacts where peerId is already gone, and displayNameForPeer returns '!sb_remove' instead of 'Remove Me'. The toast renders correctly — but as 'Removed contact: !sb_remove.' — and the precise regex misses. Fix: loosen the assertion to /Removed contact:/i. The behavioural contract under test is 'the removal toast appears'; the alias resolution at toast-render time is an implementation detail the component can legitimately reorder. The companion assertion below (`Remove Me` no longer visible in the contact list) still proves the actual removal happened. Verified locally: 26/26 tests pass in 5.15s.	2026-05-22 18:06:56 -06:00
BigBodyCobain	7bfaad17f0	Merge remote-tracking branch 'origin/main' into fix/298-sentinel-creds-server-side	2026-05-22 17:55:58 -06:00
Shadowbroker	e3efcfd476	Merge pull request #305 from BigBodyCobain/fix/messagesview-flake-ci-concurrency Deflake messagesViewFirstContact via CI concurrency group	2026-05-22 17:55:22 -06:00
BigBodyCobain	32b8421a1c	Merge origin/main into fix/298: resolve tools.py conflict PR #303 landed on main and added Depends(require_local_operator) to the @router.post decorators for /api/sentinel/token and /api/sentinel/tile. PR #298 (this branch) edited the same decorator lines AND function bodies to add the env-credential fallback resolver. Resolution keeps BOTH: * The require_local_operator dependency from #303 (the auth gate) * The _resolve_sentinel_credentials helper from #298 * The env-fallback path inside the function bodies Both layers are independent — the gate blocks anonymous callers, the env fallback lets legitimate (gated) callers omit credentials from the body. Verified: 46 tests pass against the merged code, including both test_sentinel_credentials_server_side.py (#298 fallback) and test_sentinel_routes_auth_gate.py (#303 gate).	2026-05-22 17:52:10 -06:00
BigBodyCobain	bc70cc3527	fix(test): per-test timeout — 15s waitFor inside 15s testTimeout was zero headroom Mistake in the prior commit on this branch (`44e9b38`). Bumped the waitFor timeout to 15s without realising the suite-wide testTimeout was ALSO 15s (raised in Round 7a deflake work). Net effect: the test ran out of clock budget BEFORE waitFor could even finish polling, producing "Test timed out in 15000ms" on the "Frontend Tests & Build" run of PR #305 — same job that the concurrency-group fix had just freed from the resource-contention flake. Fix: * Bump JUST this test's per-test timeout to 30s via the `{ timeout: 30_000 }` argument on the `it()` block. * Drop the inner waitFor back to 10s (was 15s) so it has a clear margin against the 30s test budget after setup/render/click. 26/26 tests in the file pass locally in 6.19s. The concurrency-group fix in ci.yml stays as-is — that was correct and verifiably worked (CI Gate / Frontend Tests & Build went green on the PR after 8 prior failures). The flake-jump to the sibling workflow exposed this second-order bug.	2026-05-22 17:49:00 -06:00
BigBodyCobain	44e9b38ac2	Deflake messagesViewFirstContact via CI concurrency group Root cause ---------- ci.yml fires twice on every PR — once directly via `pull_request: [main]` (producing the "Frontend Tests & Build" check) and once via `workflow_call` from docker-publish.yml (producing the "CI Gate / Frontend Tests & Build" check). Both jobs land on the same Actions runner pool at the same time and fight for CPU/RAM. Under contention, the React reconciliation in `messagesViewFirstContact.test.tsx > removes an approved contact immediately from the visible contact list` overruns its 5s waitFor timeout. This is the single test that has flaked on PRs #226, #237, #261, #262, #265, #294, #303, and the `fd7d6fa` push — always on the same job name ("CI Gate / Frontend Tests & Build"), never on the sibling job ("Frontend Tests & Build") on the same commit. PR #304 (which heavily touched the frontend) passed both jobs on first try. PR #303 (zero frontend changes) failed only the CI Gate job. That asymmetry is what finally pinpointed the parallel-resource-contention cause rather than anything in the test or the PRs. Fix --- .github/workflows/ci.yml — added a workflow-level concurrency group keyed on the PR head SHA (or pushed commit SHA). Both invocations against the same commit now share a group, so the second one queues instead of running in parallel. cancel-in-progress is intentionally `false` — cancelling would risk leaving a PR check stuck in "Expected" if only one of the two ever finished. Total CI time grows by ~2 min in exchange for deterministic outcomes. frontend/src/__tests__/mesh/messagesViewFirstContact.test.tsx — belt-and-suspenders bump of the waitFor timeout from 5s to 15s. The structural fix above should make the original 5s margin sufficient, but the bump removes the residual risk of brief runner load spikes inside the (now serialised) single job. The failure mode this masks would be "toast never renders", which still fails loudly at 15s. The full mesh test file (26 tests) passes locally in ~8s with the bumped timeout.	2026-05-22 17:36:33 -06:00
Shadowbroker	b01a69c172	Merge pull request #303 from BigBodyCobain/fix/299-300-301-sentinel-auth-gate Fix #299/#300/#301: gate Sentinel proxy routes with require_local_operator	2026-05-22 10:56:41 -06:00
BigBodyCobain	b041b5e97c	Fix #298 : move Sentinel credentials from browser storage to backend .env Reported by @tg12. Pre-fix, the Settings panel stored real third-party Copernicus CDSE client_id + client_secret in browser localStorage / sessionStorage via the privacy storage helper, and the proxy routes required those values to come back in every tile/token request body. Any same-origin script (XSS, malicious browser extension, dev-tools HAR export) had read access to the credentials. This change moves them server-side, behind the same .env-backed admin flow every other third-party API key (OpenSky, AIS Stream, Finnhub, Shodan, …) already uses. Backend ------- backend/services/api_settings.py * Added SENTINEL_CLIENT_ID and SENTINEL_CLIENT_SECRET entries to API_REGISTRY. The existing GET/PUT /api/settings/api-keys flow (already require_local_operator-gated, .env-backed) now manages them — no new route surface. backend/routers/tools.py * /api/sentinel/token and /api/sentinel/tile resolve credentials via a new _resolve_sentinel_credentials() helper: body fields win for back-compat with any legacy callers, otherwise the helper reads SENTINEL_CLIENT_ID / SENTINEL_CLIENT_SECRET from os.environ. * When neither source has a value, the route returns 400 with a friendly pointer ("Set SENTINEL_CLIENT_ID and SENTINEL_CLIENT_SECRET in the API Keys panel") instead of the curt "required" message. The user's standing rule against hostile errors applies. * Function bodies only — decorator lines untouched, so this PR does not conflict with #303 (which adds Depends(require_local_operator) to the same routes). Frontend -------- frontend/src/lib/sentinelHub.ts — rewritten * Removed: getSentinelCredentials / setSentinelCredentials / clearSentinelCredentials / getSentinelCredentialStorageMode. These were the browser-storage read/write helpers; their existence was the bug. * Added: checkBackendSentinelStatus(), refreshSentinelStatus(), getCachedSentinelStatus(), and a kept-for-back-compat hasSentinelCredentials() shim. Status is sourced from /api/settings/api-keys (the same endpoint the API Keys panel already uses), so we don't add a new route just for this read. * Added: migrateLegacySentinelBrowserKeys() — one-shot, idempotent helper that clears sb_sentinel_client_id / _secret / _instance_id from BOTH localStorage and sessionStorage. We deliberately do NOT auto-POST those legacy browser values to the backend; doing so would silently migrate a secret across a trust boundary without operator consent. Operators re-enter once in the API Keys panel and the legacy keys get wiped here. * fetchSentinelTile and getSentinelToken no longer send client_id / client_secret in the request body. The backend uses .env. frontend/src/components/SettingsPanel.tsx * Dropped sb_sentinel_client_id / _secret / _instance_id from PRIVACY_SENSITIVE_BROWSER_KEYS — they're no longer written. * SentinelTab rewritten: removed the inline Client ID / Client Secret inputs + Save / Clear / Test buttons. Replaced with a status panel that calls checkBackendSentinelStatus() on mount, a one-click "Open API Keys Panel" button, and a migration banner that appears only when migrateLegacySentinelBrowserKeys() actually cleared something. * Setup guide STEP 3 now points to the API Keys panel instead of the local form. frontend/src/app/page.tsx * Added a one-time useEffect that fires checkBackendSentinelStatus() on mount so the cached value (which the synchronous hasSentinelCredentials() shim reads) is populated before MaplibreViewer's tile-URL memo runs. Tests ----- backend/tests/test_sentinel_credentials_server_side.py (new) * API_REGISTRY surface — sentinel_client_id / sentinel_client_secret are registered with the right env_keys, ALLOWED_ENV_KEYS lets /api/settings/api-keys PUT them. * Resolution order — body wins, env is fallback, neither → 400 with the friendly pointer message, and NO upstream HTTP call when neither source has credentials (asserted via MagicMock(side_effect=AssertionError)). * /api/sentinel/tile same shape. frontend/src/__tests__/utils/sentinelHub.test.ts (new) * migrateLegacySentinelBrowserKeys clears localStorage AND sessionStorage, reports what it cleared, idempotent. * fetchSentinelTile + getSentinelToken POST WITHOUT client_id / client_secret in the body (plants leaked credentials in browser storage first to prove they are NOT picked up). * checkBackendSentinelStatus parses /api/settings/api-keys correctly: true only when both keys is_set, false on partial config or network errors. All 7 backend tests + 8 frontend tests pass locally. The test_no_new_duplicate_routes guard and the api-settings test suite still pass. Credit: @tg12 for the audit report.	2026-05-22 10:44:50 -06:00
BigBodyCobain	c54ea7fd9f	Fix #299/#300/#301: gate Sentinel proxy routes with require_local_operator Reported by @tg12 in three audit issues opened the same day: #299 — POST /api/sentinel/token is an unauthenticated Copernicus OAuth relay for caller-supplied client_id/secret. #300 — POST /api/sentinel/tile is an unauthenticated quota/bandwidth relay for Sentinel Hub Process API tile fetches. #301 — GET /api/sentinel2/search is an unauthenticated Planetary Computer STAC + Esri imagery search relay. All three lived in backend/routers/tools.py decorated only with @limiter.limit(...) — no Depends(require_local_operator). That made the backend a free anonymous relay for any caller's Sentinel / Planetary Computer queries, in the same shape we already closed for #240/#241 (oracle resolve) and #211/#213/#214 (thermal verify, OpenMHZ calls + audio relay). Fix: add dependencies=[Depends(require_local_operator)] to each route. Loopback / Docker-bridge / admin-key callers (the operator dashboard) are unaffected — they still resolve through the same allowlist used by every other operator-only helper in this file. Anonymous remote callers now receive 403 BEFORE any outbound HTTP call to Copernicus or Planetary Computer happens. Tests ----- test_sentinel_routes_auth_gate.py — 8 new tests: * anonymous-remote → 403 on all three routes * NO upstream HTTP call when the gate fires (asserted via MagicMock(side_effect=AssertionError) on requests.post and services.sentinel_search.search_sentinel2_scene). This is the property that makes the gate real — without it, a 403 returned after the upstream call still burns quota. * 127.0.0.1 loopback caller reaches the handler (no false-positive where the gate accidentally blocks the local operator too). * Uses raw ASGITransport(client=(peer_ip, ...)) rather than FastAPI's TestClient because TestClient reports client.host as "testclient" which is not on the loopback allowlist. test_control_surface_auth.py — extended the existing parameterised regression with the three new routes. That regression is the global "no remote control surface ships without auth" guard for the whole codebase; adding these to it means a future refactor that drops the dependency from any of them will fail CI alongside the existing ~30 gated routes. The egress-on-403 property and the parameterised regression together give two independent proofs that the gate fires before the upstream network call, even if FastAPI's internal dependant tree shape changes across versions (an earlier draft of this PR included a static walker of the route table; it was removed because behavioural evidence is strictly stronger and version-independent).	2026-05-22 09:58:25 -06:00
BigBodyCobain	a3aa7b4dec	Merge branch 'main' of https://github.com/bigbodycobain/Shadowbroker into fix/287-rate-limit-proxy-aware	2026-05-22 09:51:13 -06:00
Shadowbroker	19fb7f0b1e	Fix #288 : viewport-scoped live-data for heavy layers only (#294 ) Reported by @tg12 in the external security/correctness audit. Before this change, /api/live-data/{fast,slow} accepted s/w/n/e query params but their Query() descriptions explicitly said "(ignored)". The endpoints shipped the full in-memory world dataset on every poll: /api/live-data/fast → 16.88 MB /api/live-data/slow → 10.12 MB ── 27 MB per poll cycle, regardless of zoom For a node with N operators each polling at the steady 15s/120s cadence, this is hundreds of MB/minute of outbound traffic that never gets used — the GPU just culls everything outside the viewport client-side. On a Tor-bridged or LTE-backed node, that bandwidth bill is the actual cost. This change makes the existing s/w/n/e params honored — when all four bounds are supplied, the backend bbox-filters a curated set of heavy, density-driven, time-sensitive collections to that viewport (with the existing 20% padding from _bbox_filter): /fast: commercial_flights, military_flights, private_flights, private_jets, tracked_flights, ships, cctv, uavs, liveuamap, gps_jamming, sigint, trains /slow: gdelt, firms_fires, kiwisdr, scanners, psk_reporter Static reference layers (satellites, datacenters, military_bases, power_plants, satnogs, weather, news, stocks, etc.) deliberately STAY world-scale so panning never reveals an "empty world" of infrastructure. That preserves the no-hostile-UX feel of the existing dashboard. Behavior contract: * Without bbox params (or with a partial bbox), the response is byte-for-byte identical to the pre-#288 implementation. No behavior change for any existing caller that hasn't opted in. * World-scale bbox (lng_span >= 300 or lat_span >= 120) short-circuits filtering and shares the global ETag — zoomed-out operators all hit the same 304 cache exactly like before. * ETag now mixes a 1°-quantized bbox suffix when filtering engages, so two viewports never poison each other's 304 cache. Sub-degree pans land in the same ETag bucket (i.e. don't bust the cache on every mouse drag). Polling cadence, rate-limit windows, and the 304 short-circuit are all unchanged. Only the SIZE of the responses changes, and only when the caller opts in via bounds. Frontend wiring: useViewportBounds reuses the same coarsened/ expanded bounds it already computes for the AIS /api/viewport POST and pushes them into a new module-level liveDataViewport store. useDataPolling reads from that store via appendLiveDataBoundsParams when building each live-data URL. Tests cover: no-bbox → world data; bbox → heavy layers filtered; bbox → reference layers untouched; world-scale bbox → no filter; partial bbox → treated as no bbox; ETag changes with bbox; sub-degree pan → same ETag; 304 path works; antimeridian-crossing bbox handled. Co-authored-by: BigBodyCobain <moatbc@gmail.com>	2026-05-22 00:56:29 -06:00
Shadowbroker	35cd4e4c71	Fix #287 : proxy-aware rate-limit key (#295 ) Reported by @tg12 in the external security/correctness audit. Before this change, backend/limiter.py was: from slowapi.util import get_remote_address limiter = Limiter(key_func=get_remote_address) get_remote_address only ever returns request.client.host — it does not look at X-Forwarded-For. Behind the bundled Next.js proxy (or any other reverse proxy), every connected operator's client.host is the frontend container's bridge IP, so @limiter.limit("120/minute") collapses into one shared bucket for everybody on the same backend. One heavy tab can starve every other operator on that node. This change swaps in shadowbroker_rate_limit_key, which: * Reads X-Forwarded-For ONLY when the immediate peer matches the SAME hostname-bound allowlist we use for Docker-bridge local-operator trust (auth._resolve_trusted_bridge_ips — fix #250). Default is `frontend,shadowbroker-frontend`, override via SHADOWBROKER_TRUSTED_FRONTEND_HOSTS. * Picks the FIRST entry in the XFF chain — that's the operator end, not the proxy end. * Falls back to request.client.host for any peer not on the allowlist. Direct hits, unrelated containers, and unknown hosts are bucketed exactly like before. * Falls back to request.client.host when the resolver itself raises (e.g. DNS down). XFF is never accepted on a peer we can't confirm is the trusted frontend — there is no way to spoof another operator's bucket from outside. No new env vars. No new operator config. Single-operator nodes are unaffected — same behaviour as before. The 120/minute and 60/minute windows on the existing endpoints are unchanged; only the KEY they bucket on changes. Tests cover: * Direct loopback → keys on peer (regression check vs. get_remote_address default). * Untrusted peer sending XFF → XFF ignored, keys on peer. * Trusted frontend peer with XFF → keys on first XFF entry. * First XFF entry picked from a multi-hop chain. * Trusted peer without XFF → falls back to peer IP. * Empty/whitespace XFF entries skipped. * Header lookup is case-insensitive. * Two operators behind same proxy → different keys (the whole point of the fix). * Spoof attempt from internet-facing untrusted IP can't steal the victim's bucket. * Resolver raising is treated as untrusted (fail-closed). * No-client request shape doesn't raise. Co-authored-by: BigBodyCobain <moatbc@gmail.com>	2026-05-22 00:51:54 -06:00
BigBodyCobain	31f79fd8e2	Fix #287 : proxy-aware rate-limit key Reported by @tg12 in the external security/correctness audit. Before this change, backend/limiter.py was: from slowapi.util import get_remote_address limiter = Limiter(key_func=get_remote_address) get_remote_address only ever returns request.client.host — it does not look at X-Forwarded-For. Behind the bundled Next.js proxy (or any other reverse proxy), every connected operator's client.host is the frontend container's bridge IP, so @limiter.limit("120/minute") collapses into one shared bucket for everybody on the same backend. One heavy tab can starve every other operator on that node. This change swaps in shadowbroker_rate_limit_key, which: * Reads X-Forwarded-For ONLY when the immediate peer matches the SAME hostname-bound allowlist we use for Docker-bridge local-operator trust (auth._resolve_trusted_bridge_ips — fix #250). Default is `frontend,shadowbroker-frontend`, override via SHADOWBROKER_TRUSTED_FRONTEND_HOSTS. * Picks the FIRST entry in the XFF chain — that's the operator end, not the proxy end. * Falls back to request.client.host for any peer not on the allowlist. Direct hits, unrelated containers, and unknown hosts are bucketed exactly like before. * Falls back to request.client.host when the resolver itself raises (e.g. DNS down). XFF is never accepted on a peer we can't confirm is the trusted frontend — there is no way to spoof another operator's bucket from outside. No new env vars. No new operator config. Single-operator nodes are unaffected — same behaviour as before. The 120/minute and 60/minute windows on the existing endpoints are unchanged; only the KEY they bucket on changes. Tests cover: * Direct loopback → keys on peer (regression check vs. get_remote_address default). * Untrusted peer sending XFF → XFF ignored, keys on peer. * Trusted frontend peer with XFF → keys on first XFF entry. * First XFF entry picked from a multi-hop chain. * Trusted peer without XFF → falls back to peer IP. * Empty/whitespace XFF entries skipped. * Header lookup is case-insensitive. * Two operators behind same proxy → different keys (the whole point of the fix). * Spoof attempt from internet-facing untrusted IP can't steal the victim's bucket. * Resolver raising is treated as untrusted (fail-closed). * No-client request shape doesn't raise.	2026-05-22 00:46:25 -06:00
BigBodyCobain	fd7d6fa401	chore(.gitignore): exclude AI-agent scratch dirs and stray fixtures The repo root has been accumulating AI-coding-agent dropouts that have no project contract value: .codex/, .codex-app-schema/, .codex-app-ts/ — OpenAI Codex CLI AGENTS.md, GEMINI.md — per-agent instructions CLAUDE.md — same shape .github/copilot-instructions.md — GitHub Copilot hints These are operator-side preferences. If something needs to be canonical for the project, it goes in docs/ explicitly. Also adding backend/tests/test_carrier_tracker_region_centers.py — a stale fixture that referenced fields (region, source_detail, position_label, position_source_type, position_confidence='low') that don't exist in the current `_parse_carrier_positions_from_news` implementation. The real coverage for that function lives in tests/test_carrier_tracker_quality.py from PR #285.	2026-05-21 20:47:06 -06:00
Shadowbroker	49621824b1	Use USNI Fleet Tracker as the primary carrier source + small UI fixes (#293 ) Background ========== PR #285 set up the seed -> cache -> GDELT model for the carrier tracker to address audit issues #244/#245/#246. The GDELT half of that pipeline hits api.gdeltproject.org's doc API for headline-region keyword matching -- low precision (false centroid positions per #245) AND unreliable (the host times out from some networks, including Docker Desktop on Windows). USNI publishes a weekly Fleet & Marine Tracker with explicit prose like: "The Gerald R. Ford Carrier Strike Group is operating in the Red Sea" "Aircraft carrier USS George Washington (CVN-73) is in port in Yokosuka, Japan" That is a strictly better source for U.S. Navy carrier positions: authoritative, deterministically parseable, weekly cadence. What this PR does ================= New module: backend/services/fetchers/usni_fleet_tracker.py - Pulls USNI's WordPress RSS feeds (site-wide + category, unioned). - Picks the most recent fleet-tracker post by parsed pubDate. - For each carrier in the registry, scans the article body for "is operating in / is in port in / returned to / transiting" near the carrier's name, hull code, or "<name> Carrier Strike Group" variant. Captures the region/port phrase that follows. - Maps the region phrase to coordinates via the existing REGION_COORDS table, with a USNI-phrase alias table for the specific wording USNI uses ("Yokosuka, Japan", "Norfolk, Va.", "Naval Station San Diego", "5th Fleet AOR", etc.). - Returns {hull: position_entry} with position_confidence="recent" and position_source_at = the article's actual publication timestamp (not now()). Politeness ---------- Uses outbound_user_agent("usni-fleet-tracker") so USNI sees a per-install Shadowbroker identifier (Round 7a / PR #292). The article body pages return 403 to non-browser UAs; the WordPress RSS feed serves the full <content:encoded> body and is the supported aggregator path. No browser UA spoofing. carrier_tracker.update_carrier_positions() now runs three phases: 1. Bootstrap from cache (or seed on first run). 2. USNI fleet tracker -- PRIMARY high-confidence source. 3. GDELT -- SECONDARY backfill; can NOT demote a "recent" USNI position to an "approximate" GDELT headline match. Verified live: 6 of 11 carriers picked up real May 18, 2026 positions on first refresh (Eisenhower, Ford, Bush, Roosevelt, Lincoln, Washington). The other 5 weren't mentioned in this week's article (they're in port at homeports with no deployment changes) and kept their cache entries -- which is the correct seed/cache contract from PR #285. Other small fixes bundled in ============================ docker-compose.yml: add the 6 third-party-fetcher opt-in env vars (PREDICTION_MARKETS_ENABLED, FINANCIAL_ENABLED, FIMI_ENABLED, NUFORC_ENABLED, NEWS_ENABLED, CROWDTHREAT_ENABLED). They were documented in .env.example but never wired through compose, so setting them in .env had no effect. frontend/src/components/TopRightControls.tsx: fix 6 broken i18n keys that were showing as raw "terminal.term1" / "terminal.cleanupDetail" / "node.soloReady" placeholders in the INFONET TERMINAL modal. The translation files have these strings under different key names; the component now calls the right ones. Full-file sweep confirmed every other t('...') key in the whole frontend resolves cleanly.	2026-05-21 20:39:23 -06:00
Shadowbroker	76750caa92	Round 7a: per-operator outbound attribution + GDELT GCS-direct fix (#292 ) == Per-install operator handle for every third-party API call == Before this PR, every Shadowbroker install identified itself to Wikipedia, Wikidata, Nominatim, GDELT, OpenMHz, Broadcastify, weather.gov, NUFORC, Sentinel/Planetary Computer, TinyGS / CelesTrak, Shodan, Finnhub, and others with a single project-wide User-Agent ("Shadowbroker/1.0" or "ShadowBroker-OSINT/1.0"). From the upstream's perspective every install in the world looked like one giant scraper. If one install misbehaved, the upstream's only recourse was to block "Shadowbroker" as a whole. PR #284 inadvertently doubled down on this in the frontend by introducing a shared `WIKIMEDIA_API_USER_AGENT` constant. This PR retrofits both backends to per-operator attribution. New setting: OPERATOR_HANDLE (env var / settings UI / auto-gen) New helper: network_utils.outbound_user_agent("purpose") The handle is auto-generated as "operator-XXXXXX" on first call (the "shadow-" prefix from earlier drafts was deliberately dropped — too suspicious-looking for abuse-detection systems). Operators can override via OPERATOR_HANDLE; the value is sanitized to lowercase alphanumeric+dash+underscore and capped at 48 chars. Persisted to backend/data/operator_handle.json so it survives container restarts. Retrofitted call sites (every previously-MONSTER User-Agent): - services/region_dossier.py (Wikipedia + Wikidata + Nominatim) - services/geocode.py (Nominatim) - services/sentinel_search.py (Microsoft Planetary Computer) - services/feed_ingester.py (operator-curated RSS feeds) - services/fetchers/earth_observation.py (weather.gov, NUFORC) - services/fetchers/infrastructure.py - services/fetchers/aircraft_database.py - services/fetchers/route_database.py - services/fetchers/trains.py - services/fetchers/meshtastic_map.py - services/shodan_connector.py - services/unusual_whales_connector.py (Finnhub) - services/tinygs_fetcher.py (CelesTrak + TinyGS) - services/sar/sar_products_client.py - services/geopolitics.py (GDELT) - services/radio_intercept.py (Broadcastify + OpenMHz) - routers/cctv.py + main.py (CCTV proxy) - routers/ai_intel.py - scripts/convert_power_plants.py (release-time data refresh) Spoofed browser UAs removed (issues #289 / #290 / #291 — tg12 audit): - cloudscraper-based Chrome impersonation against api.openmhz.com -> replaced with honest requests + per-install UA - Mozilla/5.0 spoofed UA on Broadcastify scrape -> replaced with honest UA - Mozilla/5.0 + fake first-party Referer on OpenMHz audio relay -> replaced with honest UA - cloudscraper dependency dropped from pyproject.toml + uv.lock Frontend retrofit: - new GET /api/settings/operator-handle endpoint (local-operator gated) returns the install's handle - frontend/src/lib/wikimediaClient.ts fetches the handle once on first use, caches it for page lifetime, embeds it in the Api-User-Agent for every Wikipedia / Wikidata browser-direct call == GDELT GCS-direct fix == GDELT's data.gdeltproject.org is a CNAME to a Google Cloud Storage bucket. GCS responds with the wildcard *.storage.googleapis.com cert which legitimately does NOT cover the GDELT custom domain, so Python's TLS verification correctly refuses the connection. Some networks happen to route through a path where this works; many (notably Docker Desktop's outbound NAT on local installs) do not. Verified on the maintainer's local install: GDELT was unreachable; 1610 geopolitical events / 48 export files were dropping silently. Fix: services/geopolitics._gcs_direct_gdelt_url() rewrites any data.gdeltproject.org URL to its GCS-direct equivalent (storage.googleapis.com/data.gdeltproject.org/...) where the standard GCS cert is genuinely valid. api.gdeltproject.org and every other host are left untouched. Confirmed live: backend log goes from GDELT lastupdate failed: 500 to Downloading 48 GDELT export files... Downloaded 48/48 GDELT exports GDELT parsed: 1610 conflict locations from 48 files == Tests == backend/tests/test_per_operator_outbound_attribution.py (12 tests) backend/tests/test_gdelt_gcs_direct_rewrite.py (6 tests) backend/tests/test_region_dossier_wikimedia_ua.py (updated to pin the helper + per-operator handle, not the old constant) frontend/src/__tests__/utils/wikimediaClient.test.ts (rewritten to mock /api/settings/operator-handle and assert per-operator UA) Local: backend 114/114 security+audit+round7a suite green; frontend 718/718 vitest suite green. Credit: tg12 (external security audit, issues #289/#290/#291 relating to spoofed UAs); BigBodyCobain (operator-prefix call, GDELT cloud-vs-local diagnosis).	2026-05-21 15:11:28 -06:00
Shadowbroker	c3ef9f4b9e	Fix #239 : CI guard against new duplicate route registrations (#286 ) The audit's concern is that FastAPI behavior depends on the order routes are registered, because backend/main.py and several router modules register the same (method, path) pairs twice. Empirical verification (done in this PR's investigation, see test_router_handler_is_the_one_that_serves) shows: - main.app.include_router(...) runs at line ~3316. - All @app.get/post/... decorators in main.py run AFTER that. - FastAPI matches in registration order -> the router handler always wins; the main.py copies are dead code at the route-resolution layer. So behavior today is deterministic, but drift between the two copies is a real future risk: someone editing only one copy of a pair introduces silent inconsistency, exactly as we saw in round 5 with _WORMHOLE_PUBLIC_SETTINGS_FIELDS (which existed in BOTH main.py and routers/wormhole.py and had to be tightened in both). This PR is the lowest-risk fix: a CI guard that captures today's 166 known duplicates as a baseline and fails the build if any NEW duplicate appears later. Existing duplicates are tolerated. Removed duplicates are allowed (the baseline is a ceiling, not a floor). No production code is deleted or moved -- the dedup of the existing 166 duplicates can be staged separately in future PRs without rushing. Files: - backend/tests/data/duplicate_routes_baseline.json Snapshot of every currently-tolerated (METHOD path) duplicate with the modules that register each copy. Generated from a live import of main.app via the snippet in the test docstring. - backend/tests/test_no_new_duplicate_routes.py Three tests: 1. test_no_new_duplicate_route_registrations -- the actual guard, fails if (METHOD, path) not in baseline is found duplicated. 2. test_baseline_only_lists_real_duplicates -- warns (does not fail) if the baseline has entries that no longer correspond to a real duplicate; informational housekeeping for the next baseline regeneration. 3. test_router_handler_is_the_one_that_serves -- pins the empirical claim that for every duplicated path the router handler is the first-registered one. If someone ever reorders include_router() to come AFTER @app decorators, this test fails loudly and points at the most likely cause. Verified locally: - 3/3 new tests pass with current main (166 baselined dups). - Synthetic duplicate injected into main.app at runtime IS caught by test 1. - Full security+carrier suite (96 tests) still green. Credit: tg12 (external security audit).	2026-05-21 13:27:16 -06:00
Shadowbroker	5e6bb8511a	Fix #244/#245/#246: carrier tracker seed/cache/freshness model (#285 ) Replace the dated editorial fallback positions baked into the registry with a one-shot seed file + persistent observation cache. The user's runtime cache now reflects what THIS install has actually observed, not what USNI published on March 9, 2026. A year from now, the cache holds a year of observations and the seed is irrelevant. == #244: dated editorial coordinates out of the registry == CARRIER_REGISTRY no longer carries fallback_lat/lng/heading/desc. Those fields are deleted. The registry is now identity + homeport only. New file: backend/data/carrier_seed.json - Read-only, shipped with every release. - Used ONCE on first-ever startup to bootstrap carrier_cache.json. - Each entry stamped with position_confidence="seed" and the actual as-of date (2026-03-09), NOT now(). == #245: approximate confidence for headline-derived positions == _parse_carrier_positions_from_news() now stamps every GDELT-derived entry with position_confidence="approximate" so the UI knows the coordinate is a region-centroid match, not a precise observation. After the freshness window the label rolls over to "stale_approximate" so old-and-imprecise is distinguishable from recent-and-imprecise. The article's actual seendate is used as position_source_at instead of now(), so the "last reported X days ago" badge is honest. == #246: freshness is labelling, not eviction == The cache always preserves the last position the system observed, forever. What changes is the position_confidence label: - within configurable window (default 14d, env-overridable via SHADOWBROKER_CARRIER_FRESHNESS_DAYS) -> "recent" - older -> "stale" - seed-bootstrap entries that were never refreshed -> "seed" - homeport defaults (carrier added post-install) -> "homeport_default" - headline-derived (any age, fresh) -> "approximate" - headline-derived (older than window) -> "stale_approximate" The position itself never reverts to the seed or the registry. The user always sees the last position the system observed. Per the user's explicit guidance: "from there have it be the last position the user has logged the carriers that way a year from now it doesnt revert to where the ships are today". == Other improvements == - CACHE_FILE moved to backend/data/carrier_cache.json so it lives in the volume-mounted dir under Docker compose. Previously it was at /app/carrier_cache.json which got wiped on every container restart (pre-existing bug). - Atomic cache write (temp + os.replace) so a crash mid-write does not leave a truncated cache file. == Public API shape == Every carrier object the API emits now includes: - position_confidence: seed \| recent \| stale \| approximate \| stale_approximate \| homeport_default - position_source_at: ISO timestamp of when the underlying source was observed (NOT now()) - is_fallback: convenience boolean for the UI; true when the confidence is seed/stale/stale_approximate/ homeport_default Existing fields (estimated, source, source_url, last_osint_update, name, type, lat, lng, country, desc, wiki) are preserved exactly so the current ShipPopup frontend renders unchanged. last_osint_update now reflects position_source_at instead of now(), which is what the existing "last reported MM/DD" badge always meant to show. Tests: backend/tests/test_carrier_tracker_quality.py — 17 tests covering seed bootstrap, subsequent-startup ignoring seed, no-seed/ no-cache homeport fallback, registry no longer has fallback fields, freshness window labelling + env override, "year-old cache entry keeps its position, only the label flips" regression, approximate confidence for headline matches, GDELT seendate ISO parser, public response shape backward compat. Credit: tg12 (external security audit, three P1/P2 issues).	2026-05-21 11:15:52 -06:00
Shadowbroker	0fee36e8f7	Fix #218/#219/#220: identify ShadowBroker on Wikipedia + Wikidata calls (#284 ) Wikimedia's User-Agent policy asks API clients to identify themselves with a stable, contactable identifier so their operators can rate-limit or coordinate. Before this change, ShadowBroker was sending: - Backend (region_dossier.py): generic project default UA only; no Api-User-Agent. - Frontend (useRegionDossier.ts, WikiImage.tsx, NewsFeed.tsx): zero identifying header at all; three separate copy-pasted anonymous fetches with their own module-local caches. Three separate components doing the same broken thing meant policy fixes had to happen in three places, with no shared cache or kill switch. Fix (no UX change, zero hostility): == Backend == `backend/services/region_dossier.py` now sets explicit `User-Agent` + `Api-User-Agent` headers on every outbound Wikidata and Wikipedia request via a new `_WIKIMEDIA_REQUEST_HEADERS` constant. The identifier includes a contact path (issues page on the public GitHub repo). == Frontend == New shared helper `frontend/src/lib/wikimediaClient.ts`: - `fetchWikipediaSummary(title)` — single source of truth for Wikipedia REST summary lookups, with one shared LRU cache (in-flight requests deduplicated, 512-entry cap), `Api-User-Agent` on every fetch. - `fetchWikidataSparql(query)` — same shape for Wikidata SPARQL. - `WIKIMEDIA_API_USER_AGENT` — exported constant; one place to update if Wikimedia ever asks us to back off. Refactored three components to use the shared client: - `frontend/src/hooks/useRegionDossier.ts` — fetchLeader() and fetchLocalWikiSummary() now route through the shared helpers. - `frontend/src/components/WikiImage.tsx` — uses fetchWikipediaSummary, proper React state instead of module-mutation + forceUpdate trick. - `frontend/src/components/NewsFeed.tsx` — same shape. UX: byte-for-byte identical. Same thumbnails, same dossier content, same load behavior. The only observable difference is the outgoing request header. Note on #239 (route duplication): an audit-grade inventory shows 166 main.py routes are shadowed by router modules. That cleanup is too large to land safely in this PR; it will be staged as a separate ladder of small PRs grouped by router module. Tests: - `backend/tests/test_region_dossier_wikimedia_ua.py` — 3 tests asserting backend headers are present. - `frontend/src/__tests__/utils/wikimediaClient.test.ts` — 9 tests covering Api-User-Agent presence, shared cache, concurrent deduplication, disambiguation/HTTP-error/network-error fallthroughs, empty-input safety. Local: backend 76/76 security suite green, frontend 716/716 vitest suite green. Credit: tg12 (external security audit).	2026-05-21 10:48:05 -06:00
Shadowbroker	e125467721	Fix #243/#252/#253: stop leaking settings posture to anonymous callers (#283 ) Three settings endpoints were disclosing operational posture or operator-curated configuration to any network caller. This change either tightens the redacted-public view (#243) or adds a local-operator auth gate (#252, #253) per the audit recommendations. Zero hostility to legitimate users: in all three cases, the Tauri shell (loopback), the Docker bridge frontend container (#250 + #278), and any caller with an admin key continue to see the full data. Only anonymous LAN/internet callers see the reduced surface. == #243 (Wormhole transport posture, anonymous-mode, profile, node mode) Tightened the public-redaction allowlists in BOTH the main.py and routers/wormhole.py copies: - _WORMHOLE_PUBLIC_SETTINGS_FIELDS: {enabled, transport, anonymous_mode} -> {enabled} - _WORMHOLE_PUBLIC_PROFILE_FIELDS: {profile, wormhole_enabled} -> {wormhole_enabled} `GET /api/settings/node` (both the routers/admin.py and main.py copies) now returns an empty stub for unauthenticated callers and the full node_mode + node_enabled fields only for authenticated callers via _scoped_view_authenticated(request, "node"). == #252 (news feed inventory disclosure) `GET /api/settings/news-feeds` now requires Depends(require_local_operator) in both the canonical routers/admin.py handler and the duplicate main.py handler. Anonymous callers can no longer enumerate operator-curated feed names and URLs. == #253 (Time Machine archival-capture posture disclosure) `GET /api/settings/timemachine` now requires Depends(require_local_operator). Anonymous callers can no longer fingerprint whether a deployment is retaining replayable historical surveillance data. Tests: backend/tests/test_round5_settings_info_disclosure.py (10 tests) - Wormhole settings: anonymous sees only `enabled`; authenticated sees full state. - Privacy profile: anonymous sees only `wormhole_enabled`; authenticated sees `profile` + `transport` + `anonymous_mode`. - Node settings: anonymous sees `{}`; authenticated sees node_mode + node_enabled + persisted state. - news-feeds: anonymous gets 403 (and get_feeds() is NOT called); authenticated gets full inventory. - timemachine: anonymous gets 403; authenticated sees enabled + storage_warning. Local: 73/73 security suite (round 5 + earlier rounds) green. Credit: tg12 (external security audit, P1 + 2x Medium).	2026-05-21 10:32:23 -06:00
Shadowbroker	2b03b808ac	Fix #279 : add defusedxml to uv.lock so Docker image installs it (#282 ) defusedxml is listed in backend/pyproject.toml line 18 but was missing from uv.lock. The backend Dockerfile uses `uv sync --frozen --no-dev`, which only installs packages pinned in the lockfile. As a result the runtime image shipped without defusedxml even though pyproject declared it, and any import path that touched it crashed at startup with: ModuleNotFoundError: No module named 'defusedxml' Affected import sites: - backend/services/psk_reporter_fetcher.py:10 - backend/services/fetchers/aircraft_database.py:21 - backend/services/cctv_pipeline.py:990 - backend/services/cctv_pipeline.py:1018 Fix: regenerate uv.lock so defusedxml v0.7.1 (matching the >=0.7.1 specifier in pyproject) is locked. No code changes -- only the lockfile. Next image build picks it up via the existing `uv sync --frozen` step. Reporter: external user. Thanks for catching the missing dep.	2026-05-21 10:18:40 -06:00
Shadowbroker	2e14e75a0e	Fix #256 : per-peer HMAC secrets defeat cross-peer impersonation (#281 ) Before this change, every peer-push HMAC was derived from the single fleet-shared MESH_PEER_PUSH_SECRET. The receiver could prove "this request was signed by someone who knows the fleet secret" but it could NOT prove which peer signed it. Any peer that knew the global secret could compute the expected HMAC for any other peer URL and forge a push pretending to be that peer. Fix: introduce MESH_PEER_SECRETS, an optional comma-separated url=secret map. When a peer URL appears in the map, only the listed per-peer secret is accepted for it -- the global secret is ignored for that specific URL. Peer A no longer knows peer B's secret, so peer A cannot forge a push claiming to be peer B. The new helper resolve_peer_key_for_url() in mesh_crypto.py wraps the lookup and is called from every existing peer-push call site: - backend/auth.py:_verify_peer_push_hmac (receiver) - backend/main.py:_http_peer_push_loop (Infonet event push) - backend/main.py:_http_gate_pull_loop (gate event pull) - backend/main.py:_http_gate_push_loop (gate event push) - backend/services/mesh/mesh_router.py (two transports, push) - backend/services/mesh/mesh_hashchain.py (gate wire ref key) - backend/services/mesh/mesh_wormhole_prekey.py (peer prekey lookup) Zero hostility, by design: - Single-peer installs leave MESH_PEER_SECRETS empty -> resolver falls back to MESH_PEER_PUSH_SECRET -> behavior is byte-for-byte unchanged. - Multi-peer installs that haven't migrated yet behave exactly as before. - Multi-peer installs that DO migrate set MESH_PEER_SECRETS on both ends of each peering and immediately close the impersonation surface for those URLs. Migration is incremental: unlisted peers keep using the global secret. Tests in backend/tests/test_per_peer_secret_resolver.py: - env parsing (default, override, whitespace, malformed entries, cache) - precedence: per-peer beats global - migration window: unlisted peer falls back to global - IMPERSONATION REFUSAL: peer A with global-secret-only cannot forge HMAC for peer B that has a per-peer secret configured - IMPERSONATION REFUSAL: peer A with its OWN per-peer secret cannot forge HMAC for peer B - positive control: legitimate peer B request verifies - zero-behavior-change: single-peer install produces the same key bytes as before the change Credit: tg12 (external security audit, P1/High/High confidence)	2026-05-21 10:05:29 -06:00
Shadowbroker	084e563412	Fix #240/#241: require admin auth on oracle resolve endpoints (#280 ) Both POST /api/mesh/oracle/resolve and POST /api/mesh/oracle/resolve-stakes were previously gated only by a rate limit (5/min) and tagged with `mesh_write_exempt(MeshWriteExemption.ADMIN_CONTROL)`. The exemption decorator is metadata only — it tells the mesh signed-write middleware not to require a signature envelope, it does NOT enforce caller authorization. Any network caller could: - /resolve: settle any prediction market to any outcome (corrupts every downstream profile/win-loss count derived from that ledger). - /resolve-stakes: trigger stake settlement for all expired contests at a time of their choosing (race against operator intent). Fix: add `dependencies=[Depends(require_admin)]` to both routes. The existing `mesh_write_exempt` tag stays in place because it accurately describes the route's relationship to the signed-write envelope system; adding `require_admin` is what closes the actual auth hole. Tests in backend/tests/test_oracle_resolve_auth_gate.py: - anonymous caller -> 403, ledger mutator NOT called - wrong admin key -> 403, ledger mutator NOT called - valid admin key -> 200, ledger mutator called - admin key unconfigured + no debug/insecure-admin -> 403 Credit: tg12 (external security audit)	2026-05-21 09:45:08 -06:00
Shadowbroker	9ef6213284	Fix #250 : bind Docker bridge local-operator trust to frontend hostname (#278 ) Tightens the bridge-trust check so a connection on the Docker bridge is only granted local-operator status when its source IP matches a configured frontend container hostname (default: `frontend` + the shipped `container_name` `shadowbroker-frontend`). Previously, when `SHADOWBROKER_TRUST_DOCKER_BRIDGE_LOCAL_OPERATOR=1` was set, ANY IP in the 172.16.0.0/12 range was granted local-operator privileges — on a shared Docker host that included any unrelated container on the same bridge. Operators with renamed services can list new hostnames via the new `SHADOWBROKER_TRUSTED_FRONTEND_HOSTS` env var (comma-separated). DNS resolution is cached for 30s; if Docker DNS can't resolve any of the configured names we fail closed and refuse the bridge entirely. Single-user installs see no behavior change — the default-named frontend container still resolves and is still trusted. Credit: tg12 (external security audit)	2026-05-21 02:06:11 -06:00
Shadowbroker	fb11e0881f	Fix #251 : refuse symlink/hardlink members during Tor bundle extraction (#277 ) External audit (@tg12) flagged that the Tor Expert Bundle extractor checked tarinfo.name against path traversal but never inspected tarinfo.linkname for symlink or hardlink members. Python 3.11's tarfile.extractall() honors symlinks, so a malicious archive could ship a member like:: name = "innocent.txt" (passes the path-traversal check) type = SYMTYPE linkname = "C:\Windows\System32\config\system" After extraction, subsequent reads of innocent.txt dereference to that arbitrary filesystem location; subsequent writes corrupt it. On Windows (where Tor Expert Bundle extraction actually runs), this is a host-compromise path of essentially the same severity as the supply-chain RCE in #231 — gated only by the integrity check we just hardened in PR #261/#265. Python 3.12+ added tarfile.extract / extractall filter='data' as a built-in mitigation; we're on Python 3.11 in production, so we implement the same idea manually. Fix in backend/services/tor_hidden_service.py: Extract the existing path-traversal-only check into a new _extract_tor_bundle_safely() helper that: 1. Refuses any member with member.issym() or member.islnk() True. Tor bundles never legitimately contain symlinks or hardlinks so this is non-disruptive. Logs the linkname so an operator can see what the malicious archive was trying to alias. 2. Refuses any member that isn't isfile() or isdir() — no FIFOs, no character or block devices, no contiguous-file-type entries. None of those belong in a Tor Expert Bundle and accepting them is a class of bug we don't need to debug later. 3. Preserves the original path-traversal guard (member.name must resolve under install_dir). 4. Catches tarfile.TarError so a corrupt archive returns False gracefully instead of bubbling out an exception. Tests: backend/tests/test_tor_bundle_symlink_filter.py (8 tests) - Clean archive with only regular files extracts successfully - Symlink member is rejected (the core regression) - Hardlink member is rejected - Symlink with relative target inside install_dir is still rejected (we don't allow symlinks at all, not just absolute-target ones) - FIFO/device-style member is rejected - Path-traversal guard still works under the new shape - Malformed/non-tar file is rejected gracefully (no crash) - Failure on one member rejects the whole bundle (no half-extract) Validation: pytest backend/tests/test_tor_bundle_symlink_filter.py backend/tests/test_tor_bundle_verification.py -> 14 passed UX impact: zero for legitimate Tor releases. Operators installing a real Tor Expert Bundle continue to see "Tor installed at:" exactly as before. Only malicious archives are refused, with a clear log message identifying the rejected linkname. Credit: @tg12 — the original report was specific enough that the fix design was immediate. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-21 01:41:13 -06:00
Shadowbroker	7f96151e56	Fix #231 : multi-source SHA-256 verification for the self-updater (#265 ) External audit (@tg12, May 18) found that backend/services/updater.py silently skipped all SHA-256 integrity verification whenever the MESH_UPDATE_SHA256 env var was unset — which is the default. Nothing in any install doc tells operators to set it, so practically every deployment was running the auto-updater with zero integrity check. That made GitHub release pipeline compromise a single-step path to arbitrary code execution on every node that auto-updates. Investigation surfaced a deeper bug too: the updater downloads zipball_url (GitHub's auto-generated source archive) but the maintainer's release process publishes SHA256SUMS.txt for a separate named asset (ShadowBroker_v.zip). So even if MESH_UPDATE_SHA256 WERE set, operators had no published digest to compare against — the file they were downloading wasn't the file the maintainer had signed. This PR fixes both issues with the same multi-source verification chain we shipped for the Tor bundle in PR #261: backend/services/updater.py _download_release() now prefers a maintainer-signed release asset matching ShadowBroker_v.zip over zipball_url. Captures the SHA256SUMS.txt asset URL when present. _validate_zip_hash() rewritten as a four-source chain: 1. MESH_UPDATE_SHA256 env var (operator override, preserved) 2. SHA256SUMS.txt asset published with the release (primary — the maintainer's release process already publishes this) 3. Baked-in backend/data/release_digests.json (second line of defense for releases that lack the SHA256SUMS asset, or when the asset can't be fetched at update time) 4. HTTPS-only fallback with a loud warning (preserves the auto- update flow during transient outages) Mismatch from any source that DID respond is fatal — the update is refused and the existing install keeps running. Only the "no source reachable at all" case falls back to HTTPS-only. _fetch_sha256sums() new — fetches and parses a standard SHA256SUMS.txt asset. Handles both "<digest> <name>" and binary- marker "<digest> *<name>" formats. Tolerant to comments, blank lines, and malformed entries. backend/data/release_digests.json (new) Baked-in digest list keyed by release tag. Seeded with the v0.9.79 entries copied from the published SHA256SUMS.txt: ShadowBroker_v0.9.79.zip = f6877c1d6661... ShadowBroker_0.9.79_x64-setup.exe = f7b676ada45c... ShadowBroker_0.9.79_x64_en-US.msi = e0713c3cdda1... Whitelisted in .gitignore alongside the other static reference data files (kiwisdr_directory.json, tor_bundle_digests.json, aisstream_spki_pins.json). backend/tests/test_update_integrity_chain.py (new, 16 tests) - Each source matches → success, identifies which source verified - Each source mismatches → RuntimeError "mismatch" - No source reachable → https-only fallback with loud warning - Env override beats all other sources (preserved precedence) - SHA256SUMS.txt parser handles standard, binary-marker, comments, and network-failure cases Validation: pytest backend/tests/test_update_integrity_chain.py → 16 passed pytest (all 15 security test files together) → 105 passed UX impact: zero. Normal auto-update flow is unchanged for legitimate releases (path 2 catches everything because the release publishes SHA256SUMS.txt). Transient network failures during update gracefully fall through to path 3 then path 4 — no operator intervention needed. The only user-visible behavior change is in the compromised-release case, where the update is now refused instead of silently applied. Credit: @tg12 for the original bug report and the specific call-out that MESH_UPDATE_SHA256 was unreachable by default operators. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-21 01:31:20 -06:00
Shadowbroker	d0299fc0a0	test(ci): raise vitest testTimeout to 15s to stop CI-load flakes (#266 ) Vitest's default per-test timeout is 5s. That's plenty for tests that exercise pure functions or even simple JSX, but the heavier React component trees we render under jsdom — MessagesView, GateView, Wormhole contact flows — consistently measure 6-10s on GitHub Actions' shared Node workers under load. Concrete flake history that drove this bump (none were real product bugs — all were CI load racing the 5s ceiling on findByText / waitFor against React reconciliation): PR #226 messagesViewFirstContact > removes approved contact PR #237 (same) PR #261 (same) PR #262 (same) ← worst: fired on post-merge Docker Publish run, prevented the AIS SPKI security fix's image from being published to GHCR until PR #263 cumulatively re-published it. Real security-fix-shipping risk. PR #264 fixed messagesViewFirstContact specifically with waitFor PR #265 messagesViewFirstContact > legacy handle-only addresses AND gateCompatDecryptUx > browser-local gate runtime AND failed on the rerun too — confirming the flake class is broader than the one test we deflaked. The deflake in PR #264 was too surgical — it addressed one specific test out of a class of similarly-flaky CI-load-sensitive sites. This PR addresses the root cause at the config layer instead of playing whack-a-mole. Why 15s specifically: 3x the default. Headroom for routine CI slowness without masking real "test never settles" bugs (those would still time out, just three rounds later). Individual tests can still pin their own tighter timeout via the third arg to `it()`. Also bumps hookTimeout to 15s — beforeEach/afterEach setup for the same heavier component tests has the same CI-load sensitivity. User-facing impact: zero. This is dev pipeline infrastructure. End users never see test timeouts. The cost is theoretical: a buggy test that genuinely never resolves now takes 15s to declare failure instead of 5s. In practice that's negligible because the suite runs once per CI invocation and tests don't usually deadlock. Validation: Local full vitest run → 707 passed, 72 files, 10.36s wall clock (same speed as before — we only changed how long we WAIT for slow tests, not how fast tests actually run) Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-21 01:26:34 -06:00
Shadowbroker	87ba70acd6	test: deflake messagesViewFirstContact remove-contact test (#264 ) This test asserts that clicking "Remove" on a contact: 1. Surfaces a toast "Removed contact: <name>." 2. Drops the contact from the visible list The Remove handler in MessagesView dispatches a tight cluster of React state updates in one event tick: removeContact(peerId) locallySavedContactIdsRef.current.delete(peerId) setContacts(...) setComposeError('') setComposeStatus(`Removed contact: ${displayNameForPeer(...)}.`) Locally those updates settle in <100ms and the toast appears under any findByText default. Under GitHub Actions runner load — especially the shared Node.js workers on the "CI Gate / Frontend Tests & Build" step — the reconcile-and-paint cycle has been measured at ~1.4s, which exceeds the 1s default findByText timeout. This is a load-sensitive timing flake, not a real bug — the toast always renders eventually because the state update chain is purely synchronous and the displayed text comes from the closure's pre-update contacts (so the "Remove Me" name is always available when the toast finally renders). Historical flake hits in CI on this exact assertion: PR #226 (zh-CN i18n landing, exposed by i18n parse error) PR #237 (GitLab mirror parity) PR #261 (post-#227 audit gap closures) PR #262 (AIS SPKI pinning — failed post-merge Docker Publish, skipping image publication for commit `729ea78`) The last one is the worst — a post-merge flake that blocked the Docker image for an actual security fix from being published. The subsequent merge of #263 cumulatively re-published the image, but that's by accident, not by design. Fix: replace the 1-second findByText with waitFor + 5s timeout + 50ms polling. The 5s ceiling still surfaces a real "toast never renders" regression with a clear error; it just doesn't get racy under CI load anymore. Validation: Local sequential 10x run of just this test → 10 passed, 0 failed Full vitest suite → 707 passed, 72 files Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 21:13:40 -06:00
Shadowbroker	bcc2d036b3	[security] Close tg12 auth-bypass chain #249 , #254 , #255 (#263 ) External audit by @tg12 found three coupled vulnerabilities in the Next.js admin-auth surface that together let any webpage the operator visits trigger arbitrary privileged backend calls: #249/#254 — Cross-origin webpages can have process.env.ADMIN_KEY injected into their forwarded backend requests just by issuing fetch('http://localhost:3000/api/wormhole/...') from a browser tab the operator has open. Full identity-takeover CSRF. #255 — When ADMIN_KEY is unset on the server (the default in .env.example), the admin session route fell through to GET /api/settings/privacy-profile to "verify" the user- supplied key. That endpoint is public; it always returns 200 for any X-Admin-Key value. So arbitrary attacker keys minted full admin session cookies on default installs. Both fixes preserve every legitimate UX path. Origin-header gating is transparent to browser tabs on the dashboard's own host, transparent to Tauri/native shells (no Origin), and transparent to server-to- server callers (no Origin). Only cross-origin browser fetches with a foreign Origin lose the injection. frontend/src/app/api/[...path]/route.ts Adds isSameOriginOrNonBrowser() — checks the Origin header against the request's own Host. Allow if no Origin (native/server-to- server), allow if Origin host == Host host (same-origin), reject otherwise. The admin-key injection now requires EITHER a valid session cookie (auth) OR same-origin-or-non-browser (CSRF guard). frontend/src/app/api/admin/session/route.ts verifyAdminKey() simplified to local-only string comparison. When ADMIN_KEY is configured, the supplied key must match exactly. When ADMIN_KEY is unset, minting is refused entirely with a clear message pointing the operator at the backend's auto-trust-loopback behavior (SHADOWBROKER_TRUST_DOCKER_BRIDGE_LOCAL_OPERATOR=1, the Docker default — local users keep working without a session). The previous round-trip to /api/settings/privacy-profile was both the source of the bug AND useless on its own merits (the endpoint is public). Removing it makes the validation honest about what it's checking. Tests: frontend/src/__tests__/proxy/proxyAuthBypassChain.test.ts (new, 12) Cross-origin fetch to sensitive route → no admin-key injection Cross-origin POST to sensitive route → no admin-key injection Same-origin fetch → admin-key injection works No-Origin (server-to-server / native) → admin-key injection works Valid session cookie on cross-origin → cookie auth wins Malformed Origin → conservative reject Non-sensitive routes unaffected Mint with ADMIN_KEY unset → refused (no fetch happens) Empty key → 400 Mint with matching ADMIN_KEY → success Mint with mismatched key → 403 Mint never round-trips to the backend (local-only validation) frontend/src/__tests__/desktop/adminSessionBoundary.test.ts (updated) Three tests updated to reflect the new local-only validation contract. The previous tests asserted fetchMock.toHaveBeenCalled which validated the now-removed (and broken) backend round-trip. Full frontend suite: 707 passed, 72 files. No regressions. Credit: @tg12 for the report. The cross-origin CSRF angle was non-obvious — they specifically called out that the proxy's admin-key injection was an open door for any page running in the operator's browser, which is exactly the right framing. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 20:59:40 -06:00
Shadowbroker	729ea78cb2	Fix #258 : AIS proxy SPKI pinning fallback for expired upstream cert (#262 ) External report from @jmleclercq: AISStream's Let's Encrypt cert expired on 2026-05-20 (verified — their renewal pipeline failed), so the AIS WebSocket connection dies with CERT_HAS_EXPIRED and the maritime layer empties out. The reporter worked around it locally by passing { rejectUnauthorized: false } to the WebSocket constructor and asked whether we should add an env var for that. That fix is the wrong fix. Disabling TLS validation entirely lets any network attacker MITM the WebSocket and inject fake ship positions — same class as the GDELT plaintext-HTTP MITM we just closed in #199. Adding an env var for it would be an attractive nuisance: operators set it once during a bad cert week and then forget, leaving themselves open to MITM forever. Right fix: SPKI pinning, same pattern as the Tor bundle digest pinning in #201. The insight is that Let's Encrypt renewals keep the SAME public key by default, so the SPKI hash survives normal cert rotation. We can relax the date check while keeping the identity check. Mechanics: backend/data/aisstream_spki_pins.json (new) Pinned SHA-256 hashes of the DER-encoded SPKI bytes for stream.aisstream.io. Captured 2026-05-20 from the live cert. Format is base64(sha256(pubkey_der)), matching the canonical openssl pipeline. Whitelisted in .gitignore alongside the other static reference data files (KiwiSDR directory, Tor bundle digests). backend/ais_proxy.js Path A (99.9% of the time): normal TLS validation. Untouched. Path B (on CERT_HAS_EXPIRED only): re-handshake with rejectUnauthorized=false JUST to read the leaf cert, compute its SPKI hash, compare against the pinned list. If match → upstream is still the genuine AISStream → re-open the WebSocket with rejectUnauthorized=false and log DEGRADED MODE. If no match → refuse the connection, log loudly: this would be a real MITM. Pin file is looked up in three locations so the same code works in the Docker backend, the Tauri desktop runtime, and any operator-relocated layout (SHADOWBROKER_AIS_PINS env var). Embedded fallback list inside the JS so portable installs that haven't shipped the JSON still work. backend/services/ais_stream.py Captures the proxy's status markers from stdout ({"__ais_proxy_status": {"degraded_tls": true}}) into a module- level snapshot. Exposes ais_proxy_status() for the health endpoint. Doesn't touch the data plane — degraded mode keeps receiving vessel data, just with weaker MITM protection. backend/routers/health.py + backend/services/schemas.py /api/health now includes an ais_proxy block with degraded_tls. Top-level status escalates ok -> degraded when AIS is in degraded TLS mode (but won't downgrade a worse SLO status). Operators get a visible signal that they're in degraded mode without needing to grep logs. Tests: backend/tests/test_ais_spki_pinning.py (7 tests) - Pin file structure validation (JSON, host entry, base64 SHA-256) - ais_proxy_status() snapshot semantics (starts empty, defensive copy) - /api/health surfaces ais_proxy.degraded_tls when set - /api/health returns empty ais_proxy when proxy hasn't reported Node.js syntax check passes (node --check) on both backend/ais_proxy.js and the Tauri runtime mirror. When AISStream renews their cert (likely within hours-to-days), the normal-TLS path succeeds on next reconnect and degraded_tls clears automatically. No operator action needed. If they instead rotate their server key, the SPKI check will fail and we'll need to add the new hash to backend/data/aisstream_spki_pins.json before removing the old one. Credit: @jmleclercq for the clear report and the careful workaround verification (Node version, ws version, manual probe). Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 20:31:56 -06:00
Romain Baraud	459178f283	feat(i18n): add French translation (#257 ) Co-authored-by: Romain BARAUD <romain.baraud@gmail.com>	2026-05-20 20:08:35 -06:00
@aaronjmars	8e27658157	fix(security): use defusedxml for untrusted XML parsing (#259 ) Detected by Aeon + Semgrep (5x use-defused-xml ERROR). Severity: medium CWE-776 (billion laughs) / CWE-611 (XML external entity) Five XML parse sites pass response bodies into the Python stdlib xml.etree.ElementTree without protection against entity expansion attacks. Python's ElementTree still permits internal entity references by default (per the docs vulnerabilities table), so a malicious or compromised upstream can ship a "billion laughs"-style payload that expands to gigabytes in memory. The user-controllable site is sb_monitor._parse_rss: the OpenClaw skill exposes add_custom_feed(name, url, ...) to the agent, then poll_custom_feeds fetches feed.url and passes the body to xml.etree.ElementTree.fromstring with no host allowlist or entity-bomb defence. The other four sites (psk_reporter_fetcher, aircraft_database, cctv_pipeline x2) parse XML from hard-coded upstreams (pskreporter.info, s3.opensky-network.org, datos.madrid.es); defence-in-depth for upstream-compromise/MITM. Switch all five call sites to defusedxml.ElementTree. Same fromstring/find/findall/iter/findtext API, but rejects entity references by default (raises defusedxml.EntitiesForbidden). Confirmed locally that a 4-deep billion-laughs payload that expands to 3000 chars under stdlib ET is rejected by defusedxml. Added defusedxml>=0.7.1 to backend/pyproject.toml dependencies. Co-authored-by: aeonframework <aeon-bot@aaronjmars.com>	2026-05-20 20:01:25 -06:00
Shadowbroker	e36d1fc79c	[security] Close tg12 audit issues #201–#214 seamlessly (#261 ) External security audit by @tg12 (May 17, 2026) filed issues #201–#214 in addition to the #189–#200 batch already closed by PRs #227/#232/#260. This PR closes all eight that are real security bugs (the other six in the 201–214 range are either design discussions or upstream-abuse/TOS concerns we're keeping intentional, see issue triage notes on each). The user-facing principle for this PR: fix the security gap WITHOUT introducing a single hostile error or behavior change for legitimate users. Every fix follows the same template — fail forward, not loud. When the secure path is harder than the insecure one, build a fallback chain that ends in graceful degradation, not in a scary modal or 422 response. #205 — OpenMHZ audio redirect SSRF (services/radio_intercept.py) Replaced requests.get(..., allow_redirects=True) with a manual redirect loop that re-validates each hop's host against _OPENMHZ_AUDIO_HOSTS. Same-host redirects (CDN edge selection) still work, so legitimate audio playback is unaffected. Cross-host redirects to disallowed hosts return a generic 502 which the browser audio element handles gracefully. Cap at 5 hops. #207 — infonet/status verify_signatures DoS (routers/mesh_public.py) Silently downgrade verify_signatures=true to False for unauthenticated callers. No error surfaced — the response shape is identical, just without the O(n_events) signature verification. Authenticated callers (scoped mesh.audit) still get the full path. The frontend never passes this param so legitimate UI is unaffected. #211 — thermal/verify expensive analysis (routers/sigint.py) Added Depends(require_local_operator). Frontend has no direct callers (verified by grep); Tauri/AI agents use scoped tokens that pass the auth check. Anonymous abusers blocked silently — the legitimate UI keeps working through the Next.js admin-key proxy. #213, #214 — OpenMHZ calls/audio upstream abuse (routers/radio.py) Added Depends(require_local_operator) to both. Browser users hit these through the Next.js proxy at src/app/api/[...path]/route.ts which injects X-Admin-Key, so the auth check passes transparently. Direct attackers can no longer rotate sys_names to hammer api.openmhz.com or relay arbitrary audio streams through the backend's bandwidth. #202 — overflights unbounded hours (routers/data.py) Silently clamp `hours` to OVERFLIGHTS_MAX_HOURS (default 72, configurable). NO 422 — clients asking for an absurd window get a shorter window back with `requested_hours` and `effective_hours` hint fields. Postel's law: liberal in what we accept, conservative in what we compute. #203 — Meshtastic callsign UA leak (services/fetchers/meshtastic_map.py) Added MESHTASTIC_SEND_CALLSIGN_HEADER opt-out env var. Default is TRUE — preserves existing operator behavior (callsign sent so meshtastic.org can rate-limit per-install). Privacy-conscious operators set it to false to suppress. #206 — KiwiSDR upstream is HTTP-only (services/kiwisdr_fetcher.py) Upstream rx.linkfanel.net doesn't speak HTTPS (verified — Apache 2.4.10 only on port 80). We can't fix the transport. Instead added three layers: 1. Content validation on fetched data — reject responses with <50 receivers or >5% malformed entries (likely MITM injection). 2. Existing disk cache fallback (already present). 3. NEW: bundled static directory at backend/data/kiwisdr_directory.json shipping 798 known-good receivers. Used as last resort so the KiwiSDR map layer always renders something useful. #208 — Merkle proof DoS via /api/mesh/infonet/sync (services/mesh/mesh_hashchain.py) The endpoint is part of the cross-node federation protocol — peers legitimately call it without local-operator auth, so we can't add Depends(). Instead made the underlying operation O(1) per proof via a cached Merkle level structure on the Infonet instance: - _merkle_levels_cache + _merkle_levels_for_event_count on each Infonet instance - _invalidate_merkle_cache() called from every chain mutation point (append, ingest_events, apply_fork, cleanup_expired) - _get_merkle_levels() does the lazy recompute on first read after invalidation, then serves from cache thereafter Effect: anonymous attackers hammering the proofs endpoint hit a cached structure; the rebuild happens at most once per real chain advance. Federation untouched. #201 — Tor bundle SHA-256 bypass (services/tor_hidden_service.py) Docker users were already covered — backend/Dockerfile installs Tor via apt-get at build time (signed by Debian's package system). No runtime download needed for the 80%-of-users case. For Tauri desktop, replaced the single .sha256sum check with a multi-source verification chain implemented in _verify_tor_bundle(): 1. Try upstream .sha256sum (current behavior — fast path) 2. Try baked-in digest list at backend/data/tor_bundle_digests.json (pinned per-version, maintainer-updated) 3. If neither source is REACHABLE: HTTPS-only fallback with a loud warning (avoids breaking first-run onboarding while the maintainer hasn't yet pinned a new Tor release) A mismatch from a source that DID respond is always fatal — only the "no source reachable" case falls back to HTTPS-only. This is the "have cake and eat it" pattern: real users see no new failure modes during torproject.org outages, but MITM/compromise attacks still fail because the downloaded digest can't match what BOTH the upstream and the baked-in list report. Currently the digest file ships with placeholder values for the current Tor URLs (those URLs are already stale on torproject.org too). A follow-up commit can populate real digests when a stable Tor release is selected; until then the HTTPS-only warning fires and onboarding still works. Tests (82 total, all passing): test_openmhz_redirect_ssrf.py (5 tests) — #205 test_infonet_status_verify_gate.py (2 tests) — #207 test_overflights_clamp.py (5 tests) — #202 test_meshtastic_callsign_optout.py (3 tests) — #203 test_kiwisdr_fallback.py (6 tests) — #206 test_merkle_cache.py (6 tests) — #208 test_tor_bundle_verification.py (6 tests) — #201 test_control_surface_auth.py (extended) — #211, #213, #214 + all previous security tests (CCTV redirect, GDELT https, sentinel cache, crowdthreat opt-in, third-party fetcher gates, control surface auth) continue to pass. Pre-existing test infrastructure issue with SHARED_EXECUTOR teardown in the broader sweep exists on main too (verified) — not introduced by this PR. Credit: @tg12 reported every one of these with accurate line citations and the recommended fixes that informed this implementation. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 19:57:06 -06:00
Shadowbroker	d00c63abed	[security] Close tg12 audit gaps #192 , #198 , #199 , #200 (#260 ) External security audit by @tg12 (May 17, 2026) filed 11 issues against the backend. PR #227 (May 18, AI-generated) closed seven of them by adding require_local_operator to control-plane endpoints. Four remained live; this PR closes the rest. #192 — CCTV proxy followed redirects without re-validating host Issue: /api/cctv/media validated only the caller-supplied URL host before passing it to requests.get(..., allow_redirects=True). A 302 to http://127.0.0.1 or any internal/disallowed host was silently followed, turning the proxy into an open-redirect-to-SSRF chain. Fix in routers/cctv.py: replace the single allow_redirects=True call with a manual follow loop. Each hop's Location is parsed, the host is rerun through _cctv_host_allowed(), and non-HTTP schemes (file://, ftp://, etc.) are rejected. Cap chain length at 5 hops. Test: backend/tests/test_cctv_redirect_ssrf.py covers - redirect to disallowed host -> 502 - redirect to localhost -> 502 - redirect to another allowed host -> 200 - redirect chain length cap - non-HTTP scheme rejected #198 — Gate introspection GETs were unauthenticated Issue: /api/wormhole/gate/{gate_id}/{identity,personas,key} were callable with no auth dependency. Any caller that could reach the backend could dump the operator's active persona, persona inventory, and key status for any gate_id they knew. The wiki's privacy threat model explicitly markets gate personas as rotating, unlinkable pseudonyms — this leak defeated that property. Fix in routers/wormhole.py: add dependencies=[Depends(require_local_operator)] to all three routes. Test: backend/tests/test_control_surface_auth.py extended with three new parameterized cases (lines 75-77). #199 — GDELT military incident ingestion used plaintext HTTP Issue: backend/services/geopolitics.py fetched http://data.gdeltproject.org/gdeltv2/lastupdate.txt and ~48 export archive URLs over plaintext HTTP. Passive observers could identify Shadowbroker nodes from the fetch pattern. Active MITM could inject doctored military incident records into the global map. Fix in services/geopolitics.py: rewrite the lastupdate.txt fetch and the export download URL constructor to use https://. GDELT's data.gdeltproject.org serves the same content over HTTPS. Test: backend/tests/test_gdelt_https.py asserts no plaintext HTTP URLs to data.gdeltproject.org remain in code (comments excluded) and that the HTTPS URLs we expect are present. #200 — Sentinel token cache lookup used client_id only Issue: routers/tools.py kept a process-global cache of Copernicus bearer tokens. The lookup compared _sh_token_cache["client_id"] == client_id. A caller who knew a valid client_id but supplied any wrong client_secret hit the cache and reused the legitimate caller's bearer token — burning their quota and accessing imagery on their account. Fix in routers/tools.py: replace the client_id field with credential_fp, an HMAC-SHA256 over (client_id, client_secret) under a per-process random key (_SH_TOKEN_CACHE_HMAC_KEY = os.urandom(32), regenerated at startup). A caller who doesn't know the secret cannot compute a matching fingerprint, so they miss the cache and hit the real Copernicus token endpoint — which will reject their wrong secret with a 401. Test: backend/tests/test_sentinel_token_cache.py covers - same client_id + different secrets => different fingerprints - same credentials => same fingerprint (cache still works) - different client_ids + same secret => different fingerprints - cache no longer stores raw client_id (catches regression) - attacker with wrong secret cannot reuse victim's token Validation pytest backend/tests/test_control_surface_auth.py backend/tests/test_cctv_redirect_ssrf.py backend/tests/test_gdelt_https.py backend/tests/test_sentinel_token_cache.py -> 37 passed Credit: @tg12 reported all four of these in their May 17 audit with correct line-number citations and accurate remediation recommendations. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 14:45:11 -06:00
Shadowbroker	e3297e9bc0	i18n: add language toggle, neutrality policy, and codeowner gate (#238 ) PR #226 landed the i18n infrastructure and Chinese (zh-CN) translations. This follow-up adds the safeguards that make accepting community translations sustainable without exposing the project to subtle state-aligned framing in future translation PRs. Changes: frontend/src/i18n/index.tsx (renamed from .ts) - Add LOCALES registry: a single source of truth for available languages and their NATIVE display names ("English", "中文 (简体)"). Adding a new language is now a one-entry change here plus a JSON file. - Add isLocale() guard so an unknown value in localStorage falls through to navigator.language detection instead of corrupting state. - File renamed to .tsx because it contains JSX. Next.js tolerated JSX in .ts but Vite/Oxc (used by vitest) does not. frontend/src/components/SettingsPanel.tsx Add a UI language picker to the Settings header — a small <select> populated from LOCALES. Users no longer need the dev console to switch languages. Locale change remains 100% client-side (localStorage), no network call, no telemetry. CONTRIBUTING.md (new) Documents the translation-neutrality requirement that applies symmetrically to all source countries: - Translations must be technically faithful to the English source. - Substitutions aligned with state propaganda from ANY country (PRC, Russia, US, EU, etc.) will be rejected. - The test is: "would a translator working strictly from the English source produce this rendering?" Also explains how translation PRs are reviewed and how to add a new language. .github/CODEOWNERS (new) Auto-requests maintainer review on: - /frontend/src/i18n/ (translation safety) - /backend/auth.py, /backend/routers/wormhole.py, /backend/services/mesh/, /backend/services/fetchers/ (the same paths recent security audits flagged as sensitive) - /.github/workflows/, /.gitlab-ci.yml, /docker-compose*.yml, /helm/ (build/deploy) - /CONTRIBUTING.md, /.github/CODEOWNERS (policy itself) frontend/src/__tests__/i18n/i18nProvider.test.tsx (new, 8 tests) Locks in the i18n contract: - LOCALES has both en and zh-CN with non-empty native labels - Default English when navigator is English - Auto-detect zh-CN when navigator language starts with "zh" - localStorage preference overrides auto-detect - setLocale persists to localStorage - Unknown stored locale falls back to auto-detect - Renders a real zh-CN translation (catches large-scale translation removal in future PRs) - Missing key falls back to the key itself Note: i18n/index.tsx, the language toggle UI, the translation policy, and the test suite together form a defense-in-depth setup. The structural safety guarantee (no network calls, static JSON bundled at build) is intact; this PR makes the social contract around translations explicit and enforceable via branch protection on CODEOWNERS-marked paths. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-19 01:48:24 -06:00
wsdone	9ae0b189ba	feat: add Chinese (zh-CN) localization with i18n infrastructure (#226 ) Introduce a lightweight i18n system with auto-detection of browser language and localStorage persistence. Add complete Chinese translations for all major UI sections: navigation, controls, update dialogs, node activation, terminal launcher, data layers, settings, filters, and more. Technical terms (Wormhole, Infonet, Mesh, Shodan, SAR, etc.) are intentionally kept in English. Falls back to English when Chinese translation is not found. Co-authored-by: wangsudong <wangsudong@kylinos.cn>	2026-05-19 01:33:07 -06:00
Shadowbroker	dd7706f17f	Add GitLab mirror parity: CI + image registry + install overrides (#237 ) Brings the GitLab side to full parity with GitHub so users who prefer gitlab.com get the same source, the same images, and the same install paths. Today, GitLab users can clone the source but the Helm chart and docker-compose paths only worked against GHCR. What's new: .gitlab-ci.yml Multi-arch (amd64 + arm64) Docker builds on every push to main, pushed to the project's GitLab Container Registry as: registry.gitlab.com/bigbodycobain/shadowbroker/backend:latest registry.gitlab.com/bigbodycobain/shadowbroker/frontend:latest Plus a :$CI_COMMIT_SHORT_SHA tag for traceability. Uses $CI_JOB_TOKEN — no credentials need to be configured. Also adds a 'mirror-to-github' job that pushes main back to GitHub via fast-forward-only `git push`. Skipped silently if the GITHUB_MIRROR_TOKEN CI/CD variable isn't set. Setup instructions are in the file header. docker-compose.gitlab.yml Override file that swaps the backend/frontend image: lines to the GitLab registry. Used as: docker compose -f docker-compose.yml -f docker-compose.gitlab.yml up -d Verified with `docker compose config` — merges cleanly and emits registry.gitlab.com/... image references. helm/chart/values-gitlab.yaml Helm values override that points the chart at the GitLab registry. Used alongside the default values.yaml: helm install ... -f helm/chart/values.yaml -f helm/chart/values-gitlab.yaml README.md Documents both install paths (GitHub default, GitLab override) for both docker compose and Helm. Notes that both registries publish identical images (same source, same CI matrix). No credentials needed for the GitLab→GitLab side. The optional reverse mirror requires a GitHub PAT (public_repo scope) added as the GitLab CI/CD variable GITHUB_MIRROR_TOKEN — instructions in the .gitlab-ci.yml header. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-19 01:14:30 -06:00
Shadowbroker	30f0360ef8	Helm chart: switch image registry from GitLab to GHCR (#236 ) The chart referenced registry.gitlab.com/bigbodycobain/shadowbroker/{backend,frontend}:latest as the primary image source, but two things made that path effectively broken for new K8s installs: 1. No .gitlab-ci.yml has ever existed in this repo, so the GitLab registry was never populated by automated builds. Any images there would be stale or manually pushed. 2. The GitLab registry returns HTTP 401 on anonymous pulls, so even if images existed, Helm-managed deployments without registry credentials would fail. GHCR, by contrast, is auto-built and pushed on every merge to main by .github/workflows/docker-publish.yml, and ghcr.io allows anonymous pulls for public images. It's also the registry that docker-compose.yml has been using as primary all along, so this brings the Helm install path to parity with the Docker Compose install path. After this change: - ghcr.io/bigbodycobain/shadowbroker-backend:latest <- now in chart - ghcr.io/bigbodycobain/shadowbroker-frontend:latest <- now in chart GitLab is preserved in the comments as a documented fallback for operators who run private mirrors with their own CI. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-19 01:01:05 -06:00
Shadowbroker	421682c447	Pause AlertToast auto-dismiss while hovered (#235 ) Each alert toast had a 5-second auto-dismiss timer that fired even while the user was reading the card. This adds pause-on-hover: the dismiss timer stops while the mouse is over a toast and restarts (full lifetime) on mouse leave. The progress bar animation pauses with it, so the visual matches the actual remaining time. All other behavior is preserved: same cyber/mono styling, same spring slide-in, same risk-color border + glow, same warning icon, same LVL X/10 readout, same title/source layout, same click-to-fly + dismiss on body click, same × dismiss button. Implementation notes: - Extract a ToastCard sub-component so each card can own its own paused state (useState can't be array-indexed in the parent). - Move the auto-dismiss timer out of useAlertToasts.ts and into ToastCard. The hook previously scheduled the dismiss itself, which meant the UI couldn't pause it — only the component knows whether the user is interacting. - Add tests covering: title/source/severity render, auto-dismiss fires at 5s, hover pauses indefinitely, mouse-leave restarts the full lifetime, × dismisses without flying, body-click flies + dismisses. This implements the genuine UX improvement that PR #234 was reaching for, without #234's broken syntax, missing-field bug, duplicate timer logic, or design regression. Refs: #234 Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-19 00:49:36 -06:00
Shadowbroker	40734e310b	Merge pull request #232 from BigBodyCobain/security/post-pr227-gap-fixes-v2 [security] Close post-#227 control-surface and fetcher gaps	2026-05-18 14:03:47 -06:00
BigBodyCobain	71a9d9e144	[security] Close post-#227 control-surface and fetcher gaps PR #227 hardened most Wormhole/Infonet control surfaces behind require_local_operator and made the CrowdThreat fetcher opt-in. An audit of the codebase against that PR's stated goals turned up four classes of gap that the original change missed: 1. Two operator-only endpoints were left unprotected: - POST /api/wormhole/join: calls bootstrap_wormhole_identity() and flips the node into Tor mode, exactly the surface #227 hardened on /api/wormhole/identity/bootstrap. - POST /api/sigint/transmit: relays APRS-IS packets over radio using operator-supplied credentials. Anything that reached the API could transmit on the operator's authority. Both now require_local_operator. test_control_surface_auth.py extended with regression coverage for both. 2. Five third-party fetchers were still default-on, phoning home to politically/commercially sensitive upstreams on every poll cycle: - fimi.py -> euvsdisinfo.eu -> FIMI_ENABLED - prediction_markets -> Polymarket + Kalshi -> PREDICTION_MARKETS_ENABLED - financial.py -> Finnhub / yfinance -> FINANCIAL_ENABLED or FINNHUB_API_KEY - nuforc_enrichment -> huggingface.co -> NUFORC_ENABLED - news.py -> configured RSS feeds -> NEWS_ENABLED (default on, kill switch) Same CrowdThreat-style pattern: explicit env-var opt-in, empty the data slot and mark_fresh when disabled. New regression test file test_third_party_fetchers_opt_in.py asserts each fetcher's network entry point is not called when its gate is off. 3. The outbound User-Agent leaked both the operator's personal email and a fork-specific GitHub URL on every fetcher request. Consolidated to a single DEFAULT_USER_AGENT in network_utils.py, project-generic by default (no contact info), overridable via SHADOWBROKER_USER_AGENT for operators who want to identify themselves (e.g. for Nominatim or weather.gov usage-policy compliance). Six call sites updated; the Nominatim-specific override is preserved. 4. The same generic UA now also flows through the peer prekey lookup in mesh_wormhole_prekey.py, so DM first-contact requests no longer identify the caller as a Shadowbroker fork to the peer being queried. .env.example updated to document all new opt-in env vars. Tests: backend/tests/test_control_surface_auth.py (extended), backend/tests/test_crowdthreat_opt_in.py (unchanged, still passes), backend/tests/test_third_party_fetchers_opt_in.py (new, 7 tests). All 31 tests pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-18 13:53:33 -06:00
Shadowbroker	de27d119f9	Merge pull request #227 from BigBodyCobain/codex/infonet-control-surface-hardening Harden infonet control surfaces	2026-05-18 12:56:51 -06:00
BigBodyCobain	b8384d6d91	Fix secure mail contact hydration race	2026-05-18 12:38:20 -06:00
BigBodyCobain	11ea345518	Harden infonet control surfaces	2026-05-18 11:22:38 -06:00
BigBodyCobain	25a98a9869	Harden Infonet DM address flow and seed sync Allow local-operator DM invite import without requiring a full admin session. Prioritize bundled/bootstrap seed peers and shorten stale seed cooldowns for faster Infonet recovery. Replace raw DM invite dumps with copyable signed-address controls, contact request handling, and safer sealed-send behavior while the private delivery route connects.	2026-05-12 21:23:38 -06:00
BigBodyCobain	2ce0e43ee5	Fix secure messaging test expectations	2026-05-12 12:46:56 -06:00
BigBodyCobain	b86a258535	Release v0.9.79 runtime and messaging update Ship the v0.9.79 runtime refresh with transport lane isolation, Infonet secure-message address management, MeshChat MQTT controls, selected asset trail behavior, telemetry panel refinements, onboarding updates, and desktop/package metadata alignment. Also ignore local graphify work products so analysis folders do not leak into future commits.	2026-05-12 11:49:46 -06:00
BigBodyCobain	85636ce95c	Stabilize secure mail warmup test	2026-05-06 22:54:11 -06:00
BigBodyCobain	5ee4f8ecd7	Stabilize Infonet private sync and selected telemetry	2026-05-06 22:10:04 -06:00
BigBodyCobain	b8ac0fb9e7	Harden v0.9.75 wormhole node sync and telemetry panels Add Tor/onion runtime wiring and faster Infonet node status refresh. Keep node bootstrap state clearer across Docker and local runtimes. Use selected aircraft trail history for cumulative tracked-aircraft emissions.	2026-05-06 14:04:16 -06:00
BigBodyCobain	8926e08009	Fix cached satellite propagation	2026-05-06 02:25:10 -06:00
BigBodyCobain	585a08bbac	Fix MeshChat decomposition release gate	2026-05-06 01:46:26 -06:00
BigBodyCobain	6ffd54931c	Release v0.9.75 runtime and onboarding update Ship the 0.9.75 source update with improved startup/runtime hardening, operator API key onboarding, Meshtastic MQTT controls, Infonet/MeshChat separation, desktop package versioning, and aircraft telemetry refinements. Also updates focused backend/frontend tests for node settings, Meshtastic MQTT settings, and desktop runtime behavior.	2026-05-06 01:15:54 -06:00
BigBodyCobain	a017ba86d6	Fix desktop release packaging without signing keys	2026-05-04 21:54:29 -06:00
BigBodyCobain	9427935c7f	Align CSP tests with hydration-safe policy	2026-05-04 13:04:31 -06:00
BigBodyCobain	63043b32b5	Stabilize Docker startup and runtime proxy Reduce cold-start stalls by raising the default backend memory limit, bounding heavy feed concurrency, preserving non-empty startup caches, and refreshing working news feeds. Fix the Next API proxy for Docker control-plane writes by stripping unsupported hop/body headers and forwarding small request bodies safely. Keep the dashboard dynamic so production users do not get stuck on a cached startup shell.	2026-05-04 12:37:23 -06:00
BigBodyCobain	1e34fa53b2	Make Docker backend port configurable	2026-05-03 21:13:31 -06:00
BigBodyCobain	d69602be9e	Align CSP test with production hydration policy	2026-05-03 14:06:39 -06:00
BigBodyCobain	ce9ba39cd2	Fix production CSP hydration	2026-05-03 13:59:07 -06:00
BigBodyCobain	3eafb622ed	Clarify Podman compose setup	2026-05-03 08:44:56 -06:00
Shadowbroker	eb5564ca0e	Update README.md	2026-05-03 02:59:03 -06:00
BigBodyCobain	20d2ccc52c	Fix desktop static export build	2026-05-02 23:18:57 -06:00
BigBodyCobain	0fc09c9011	Fix Docker Infonet and Wormhole startup	2026-05-02 21:53:35 -06:00
BigBodyCobain	707ca29220	Add in-app local API key setup Let fresh Docker and local installs enter OpenSky, AIS, and other provider keys directly in onboarding or Settings without manually creating .env files. Persist keys server-side in the backend data store, keep them write-only from the browser, reload runtime settings, and retain local-operator access controls.	2026-05-02 21:16:32 -06:00
BigBodyCobain	eb0288ee4e	Fix Docker local controls and setup guidance Allow the bundled Docker frontend proxy to reach local-operator endpoints through the private compose bridge without trusting LAN clients. This restores Time Machine, MeshChat key creation, AI pins/layers, and related local controls in Docker installs. Refresh first-run guidance so Docker users know to configure OpenSky and AIS keys through .env.	2026-05-02 20:18:46 -06:00
BigBodyCobain	8d3c7a51b7	Fix Docker frontend hydration under CSP Render the app shell dynamically so Next can attach per-request CSP nonces to its production scripts, preventing Docker from serving a static shell that cannot hydrate. Also gives the first-contact warmup test enough time in CI.	2026-05-02 19:47:32 -06:00
BigBodyCobain	fa18c032e2	Fix Docker first-run startup data seeding Seed safe static backend data into fresh Docker volumes, tighten Docker build-context exclusions, avoid optional env warnings, and make the frontend healthcheck use the IPv4 loopback path that works inside the container.	2026-05-02 19:27:59 -06:00
BigBodyCobain	e1060193d0	Improve v0.9.7 startup and runtime reliability Prioritize cached first-paint data, defer heavyweight feed synthesis, make MeshChat activation explicit, improve CCTV media handling, and tighten desktop runtime packaging filters.	2026-05-02 17:31:54 -06:00
BigBodyCobain	08810f2537	fix: stabilize v0.9.7 startup and feeds	2026-05-02 13:35:49 -06:00
BigBodyCobain	f5b9d14b48	Merge remote-tracking branch 'origin/main'	2026-05-02 09:40:23 -06:00
BigBodyCobain	9122d306cd	fix: refresh privacy-core pin on source startup	2026-05-02 09:38:13 -06:00
Shadowbroker	03e5fc1363	Update README.md	2026-05-02 09:20:40 -06:00
BigBodyCobain	447afe0b2b	build: refresh v0.9.7 updater key	2026-05-02 02:24:46 -06:00
BigBodyCobain	d515aba450	fix: polish v0.9.7 micro update	2026-05-02 02:13:36 -06:00
Shadowbroker	3a8db7f9cd	Update README.md	2026-05-02 00:30:34 -06:00
Shadowbroker	f1cb1e860d	Update README.md	2026-05-02 00:30:15 -06:00
Shadowbroker	38bcc976a4	Merge pull request #140 from BigBodyCobain/dependabot/pip/backend/yfinance-1.3.0 Upgrades yfinance from 0.2.54 to 1.3.0 in /backend	2026-05-02 00:26:10 -06:00
Shadowbroker	77b4361ad6	Merge pull request #141 from BigBodyCobain/dependabot/pip/backend/playwright-1.59.0 Bump playwright from 1.50.0 to 1.59.0 in /backend	2026-05-02 00:25:23 -06:00
Shadowbroker	c5819d40d1	Merge pull request #138 from BigBodyCobain/dependabot/pip/backend/pydantic-2.13.3 Gets pydantic from 2.11.1 to 2.13.3 in /backend	2026-05-02 00:24:54 -06:00
Shadowbroker	009574db81	Merge pull request #143 from BigBodyCobain/dependabot/pip/backend/sgp4-2.25 Updates sgp4 from 2.23 to 2.25 in /backend	2026-05-02 00:24:32 -06:00
Shadowbroker	281371e135	Merge pull request #145 from BigBodyCobain/dependabot/npm_and_yarn/frontend/eslint-config-next-16.2.4 Upgrades eslint-config-next from 16.1.6 to 16.2.4 in /frontend	2026-05-02 00:24:02 -06:00
Shadowbroker	401268f22a	Merge pull request #142 from BigBodyCobain/dependabot/npm_and_yarn/frontend/tailwindcss/postcss-4.2.4 Bumps @tailwindcss/postcss from 4.2.1 to 4.2.4 in /frontend	2026-05-02 00:23:25 -06:00
Shadowbroker	f830148e69	Merge pull request #144 from BigBodyCobain/dependabot/npm_and_yarn/frontend/prettier-3.8.3 bump prettier from 3.8.1 to 3.8.3 in /frontend	2026-05-02 00:22:50 -06:00
Shadowbroker	4068c31cfa	Update README.md	2026-05-02 00:17:45 -06:00
Shadowbroker	50721816fa	Merge pull request #148 from BigBodyCobain/codex/v0.9.7-postmerge-ci test: stabilize v0.9.7 post-merge CI	2026-05-02 00:01:59 -06:00
BigBodyCobain	5dac844532	test: stabilize secure mail warmup assertion	2026-05-01 23:54:25 -06:00
dependabot[bot]	8884675845	chore(deps-dev): bump eslint-config-next in /frontend Bumps [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) from 16.1.6 to 16.2.4. - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](https://github.com/vercel/next.js/commits/v16.2.4/packages/eslint-config-next) --- updated-dependencies: - dependency-name: eslint-config-next dependency-version: 16.2.4 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-02 05:49:22 +00:00
dependabot[bot]	58144d1b82	chore(deps-dev): bump prettier from 3.8.1 to 3.8.3 in /frontend Bumps [prettier](https://github.com/prettier/prettier) from 3.8.1 to 3.8.3. - [Release notes](https://github.com/prettier/prettier/releases) - [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md) - [Commits](https://github.com/prettier/prettier/compare/3.8.1...3.8.3) --- updated-dependencies: - dependency-name: prettier dependency-version: 3.8.3 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-02 05:49:08 +00:00
dependabot[bot]	da2a27f92a	chore(deps): bump sgp4 from 2.23 to 2.25 in /backend Bumps [sgp4](https://github.com/brandon-rhodes/python-sgp4) from 2.23 to 2.25. - [Commits](https://github.com/brandon-rhodes/python-sgp4/compare/2.23...2.25) --- updated-dependencies: - dependency-name: sgp4 dependency-version: '2.25' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-02 05:49:04 +00:00
dependabot[bot]	f6f6176a12	chore(deps-dev): bump @tailwindcss/postcss in /frontend Bumps [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) from 4.2.1 to 4.2.4. - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/@tailwindcss-postcss) --- updated-dependencies: - dependency-name: "@tailwindcss/postcss" dependency-version: 4.2.4 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-02 05:49:02 +00:00
dependabot[bot]	e6bea9dad3	chore(deps): bump playwright from 1.50.0 to 1.59.0 in /backend Bumps [playwright](https://github.com/microsoft/playwright-python) from 1.50.0 to 1.59.0. - [Release notes](https://github.com/microsoft/playwright-python/releases) - [Commits](https://github.com/microsoft/playwright-python/compare/v1.50.0...v1.59.0) --- updated-dependencies: - dependency-name: playwright dependency-version: 1.59.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-02 05:49:00 +00:00
dependabot[bot]	aebd5f0198	chore(deps): bump yfinance from 0.2.54 to 1.3.0 in /backend Bumps [yfinance](https://github.com/ranaroussi/yfinance) from 0.2.54 to 1.3.0. - [Release notes](https://github.com/ranaroussi/yfinance/releases) - [Changelog](https://github.com/ranaroussi/yfinance/blob/main/CHANGELOG.rst) - [Commits](https://github.com/ranaroussi/yfinance/compare/0.2.54...1.3.0) --- updated-dependencies: - dependency-name: yfinance dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-02 05:48:56 +00:00
dependabot[bot]	2f70b50f65	chore(deps): bump pydantic from 2.11.1 to 2.13.3 in /backend Bumps [pydantic](https://github.com/pydantic/pydantic) from 2.11.1 to 2.13.3. - [Release notes](https://github.com/pydantic/pydantic/releases) - [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md) - [Commits](https://github.com/pydantic/pydantic/compare/v2.11.1...v2.13.3) --- updated-dependencies: - dependency-name: pydantic dependency-version: 2.13.3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-05-02 05:48:49 +00:00
Shadowbroker	1b2ad5023d	Merge pull request #137 from BigBodyCobain/codex/v0.9.7-release release: prepare v0.9.7	2026-05-01 23:47:58 -06:00
BigBodyCobain	17cfef0f46	test: harden sender seal crypto inputs	2026-05-01 23:36:28 -06:00
BigBodyCobain	1917cbc724	test: normalize frontend crypto inputs	2026-05-01 23:32:41 -06:00
BigBodyCobain	4ec1fce53d	ci: unblock v0.9.7 release checks	2026-05-01 23:24:46 -06:00
BigBodyCobain	28b3bd5ebf	release: prepare v0.9.7	2026-05-01 22:56:50 -06:00
Shadowbroker	ea457f27da	Fix admin session cookie Secure flag breaking localhost access Skip the Secure flag on the session cookie when the request comes from a loopback address (localhost, 127.0.0.1, ::1). The Docker image sets NODE_ENV=production which always enabled Secure, but browsers silently drop Secure cookies on plain HTTP — breaking the admin panel for self-hosted users accessing http://localhost:3000. Fixes #129	2026-04-03 21:08:00 -06:00
Shadowbroker	d6c5a9435b	docs: fix outdated Developer Setup instructions in README Fixed incorrect clone URL (your-username -> BigBodyCobain), removed stale live-risk-dashboard subdirectory path, updated pip install to use pyproject.toml instead of requirements.txt, refreshed project structure tree to match current repo layout, removed unnecessary dos2unix step from Quick Start.	2026-04-03 20:02:25 -06:00
Shadowbroker	65f713b80b	fix: normalize CRLF to LF in all shell scripts, add .gitattributes All .sh files had Windows-style CRLF line endings causing 'bad interpreter' errors on macOS/Linux. Stripped to LF and added .gitattributes to enforce LF for .sh files going forward. Closes #126	2026-04-03 19:48:22 -06:00
Shadowbroker	8b29fdb0f4	Merge pull request #128 from BigBodyCobain/fix/orjson-avx-fallback fix: graceful fallback when orjson unavailable on pre-AVX CPUs	2026-04-03 19:46:56 -06:00
Shadowbroker	afaad93878	fix: graceful fallback when orjson unavailable on pre-AVX CPUs orjson ships pre-built wheels with AVX2 SIMD instructions that cause SIGILL (exit code 132) on older processors. This wraps the import in a try/except and falls back to stdlib json for serialization. Closes #127	2026-04-03 19:40:05 -06:00
anoracleofra-code	d419ee63e1	chore: revert docker-compose to GHCR registry Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-28 09:11:53 -06:00
anoracleofra-code	466b1c875f	Merge branch 'main' of https://github.com/BigBodyCobain/Shadowbroker	2026-03-28 08:48:51 -06:00
Shadowbroker	3df4ad5669	chore: trigger CI	2026-03-28 08:43:29 -06:00
anoracleofra-code	d1853eb91a	chore: trigger CI v2	2026-03-28 08:39:26 -06:00
BigBodyCobain	f2753eb50d	chore: trigger CI (BigBodyCobain)	2026-03-28 08:38:47 -06:00
anoracleofra-code	d4b996017e	revert: restore original docker-publish.yml to test CI trigger	2026-03-28 08:34:14 -06:00
anoracleofra-code	2269777fcd	chore: trigger CI	2026-03-28 08:27:36 -06:00
Shadowbroker	94e1194451	Update README.md	2026-03-28 08:18:44 -06:00
anoracleofra-code	a3e7a2bc6b	feat: add Docker Hub as primary registry for anonymous pulls GHCR requires authentication even for public packages on some systems. CI now pushes to both GHCR and Docker Hub. docker-compose.yml and Helm chart point to Docker Hub where anonymous pulls always work. Build directives kept as fallback for source-based builds. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-28 08:13:14 -06:00
anoracleofra-code	66df14a93c	fix: improve alert box collision resolution to prevent overlapping - Increase gap between alert boxes from 6px to 12px - Use weighted repulsion so high-risk alerts stay closer to true position - Reduce grid cell height for better overlap detection (100→80px) - Double max iterations (30→60) for dense clusters - Increase max offset from 350→500px for more spread room - Fix box height estimate to match actual rendered dimensions Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-28 07:23:20 -06:00
anoracleofra-code	8f7bb417db	fix: thread-safe SSE broadcast + node enabled by default - SSE broadcast now uses loop.call_soon_threadsafe() when called from background threads (gate pull/push loops), fixing silent notification failures for peer-synced messages - Chain hydration path now broadcasts SSE so gate messages arriving via public chain sync trigger frontend refresh - Node participation defaults to enabled so fresh installs automatically join the mesh network (push + pull)	2026-03-28 07:05:19 -06:00
anoracleofra-code	1fd12beb7a	fix: relay nodes now accept gate messages (skip gate-exists check) Relay nodes run in store-and-forward mode with no local gate configs, so gate_manager.can_enter() always returned "Gate does not exist" — silently rejecting every pushed gate message. This broke cross-node gate message delivery entirely since no relay ever stored anything. Relay mode now skips the gate-existence check after signature verification passes, allowing encrypted gate blobs to flow through.	2026-03-27 21:56:46 -06:00
anoracleofra-code	c35978c64d	fix: add version to health endpoint + warn users with stale compose files Repo migration in March 2026 rewrote all commit hashes, leaving old clones with a docker-compose.yml that builds from source instead of pulling pre-built images. Added detection warnings to compose.sh, start.bat, and start.sh so affected users see clear instructions. Also exposes APP_VERSION in /api/health for easier debugging.	2026-03-27 13:56:32 -06:00
anoracleofra-code	c81d81ec41	feat: real-time gate messages via SSE + faster push/pull intervals - Add Server-Sent Events endpoint at GET /api/mesh/gate/stream that broadcasts ALL gate events to connected frontends (privacy: no per-gate subscriptions, clients filter locally) - Hook SSE broadcast into all gate event entry points: local append, peer push receiver, and pull loop - Reduce push/pull intervals from 30s to 10s for faster relay sync - Add useGateSSE hook for frontend EventSource integration - GateView + MeshChat use SSE for instant refresh, polling demoted to 30s fallback Latency: same-node instant, cross-node ~10s avg (was ~34s)	2026-03-27 09:35:53 -06:00
anoracleofra-code	40a3cbdfdc	feat: add pull-based gate sync for cross-node message delivery Nodes behind NAT could push gate messages to relays but had no way to pull messages from OTHER nodes back. The push loop only sends outbound; the public chain sync carries encrypted blobs but peer- pushed gate events never made it onto the relay's chain. Adds: - POST /api/mesh/gate/peer-pull: HMAC-authenticated endpoint that returns gate events a peer is missing (discovery mode returns all gate IDs with counts; per-gate mode returns event batches). - _http_gate_pull_loop: background thread (30s interval) that pulls new gate events from relay peers into local gate_store. This closes the loop: push sends YOUR messages out, pull fetches EVERYONE ELSE's messages back. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 23:42:05 -06:00
anoracleofra-code	b118840c7c	fix: preserve gate_envelope and reply_to in peer push receiver The gate_peer_push endpoint was stripping gate_envelope and reply_to from incoming events, making cross-node message decryption impossible. Messages would arrive but couldn't be read by the receiving node. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 22:46:41 -06:00
anoracleofra-code	ae627a89d7	fix: align transport secret with cipher0 relay Use cipher0's existing MESH_PEER_PUSH_SECRET so nodes connect to the relay out of the box without configuration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 22:11:17 -06:00
anoracleofra-code	59b1723866	feat: fix gate message delivery + per-gate content encryption Phase 1 — Transport layer fix: - Bake in default MESH_PEER_PUSH_SECRET so peer push, real-time propagation, and pull-sync all work out of the box instead of silently no-oping on an empty secret. - Pass secret through docker-compose.yml for container deployments. Phase 2 — Per-gate content keys: - Generate a cryptographically random 32-byte secret per gate on creation (and backfill existing gates on startup). - Upgrade HKDF envelope encryption to use per-gate secret as IKM so knowing a gate name alone no longer decrypts messages. - 3-tier decryption fallback (phase2 key → legacy name-only → legacy node-local) preserves backward compatibility. - Expose gate_secret via list_gates API for authorized members. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 22:00:36 -06:00
anoracleofra-code	5f4d52c288	style: make threat alert cards larger and more prominent - Header: 10px → 14px with wider letter spacing - Body text: 9px → 12px, max-width 160px → 260px - Footer: 8px → 10px - Card: min-width 120→200, border 1.5→2px, stronger glow - Box width constant: 180→280 for collision avoidance - Font: JetBrains Mono for consistency with terminal reskin	2026-03-26 20:58:50 -06:00
anoracleofra-code	5e40e8dd55	style: terminal reskin — Infonet aesthetic for main dashboard - JetBrains Mono as primary body font - Backgrounds: pure black → #0a0a0a (warmer dark) - Borders: opacity 0.18 → 0.30 (more visible panel edges) - Body text: near-white → gray-300 (softer terminal feel) - Scanline overlay: 5% → 8% opacity - Text glow: double-layer shadow, increased intensity - All panel containers: bg-[#0a0a0a]/90 border-cyan-900/40 - Map popup titles: uppercase + tracking - Matrix HUD theme: updated border baselines to match Rollback: git reset --hard backup-pre-terminal-reskin	2026-03-26 20:53:27 -06:00
Shadowbroker	2dcb65dc4e	Update README.md	2026-03-26 20:50:11 -06:00
anoracleofra-code	46657300c4	fix: use mapZoom instead of undefined zoom for UavLabels	2026-03-26 20:20:46 -06:00
anoracleofra-code	c5d48aa636	feat: pass FINNHUB_API_KEY to Docker, update layer defaults, cluster APRS - Add FINNHUB_API_KEY to docker-compose.yml so financial ticker works in Docker deployments - Update default layer config: planes/ships ON, satellites only for space, no fire hotspots, military bases + internet outages for infra, all SIGINT except HF digital spots - Add MapLibre native clustering to APRS markers (matches Meshtastic) with cluster radius 42, breaks apart at zoom 8	2026-03-26 20:16:40 -06:00
anoracleofra-code	da09cf429e	fix: cross-node gate decryption, UI text scaling, aircraft zoom - Derive gate envelope AES key from gate ID via HKDF so all nodes sharing a gate can decrypt each other's messages (was node-local) - Preserve gate_envelope/reply_to in chain payload normalization - Bump Wormhole modal text from 9-10px to 12-13px - Add aircraft icon zoom interpolation (0.8→2.0 across zoom 5-12) - Reduce Mesh Chat panel text sizes for tighter layout	2026-03-26 20:00:30 -06:00
anoracleofra-code	c6fc47c2c5	fix: bump Rust builder to 1.88 (darling 0.23 MSRV)	2026-03-26 17:58:58 -06:00
Shadowbroker	c30a1a5578	Update README.md	2026-03-26 17:56:32 -06:00
anoracleofra-code	39cc5d2e7c	fix: compile privacy-core Rust library in Docker backend image The MLS gate encryption system requires libprivacy_core.so — a Rust shared library that was only compiled locally on the dev machine. Docker users got "active gate identity is not mapped into the MLS group" because the library was never built or included in the image. Add a multi-stage Docker build: - Stage 1: rust:1.87-slim-bookworm compiles privacy-core to .so - Stage 2: copies libprivacy_core.so into the Python backend image - Set PRIVACY_CORE_LIB env var so Python finds the library Also track the privacy-core Rust source (Cargo.toml, Cargo.lock, src/lib.rs) in git — they were previously untracked, which is why the Docker build never had access to them. Add root .dockerignore to exclude build caches and large directories from the Docker build context.	2026-03-26 17:48:01 -06:00
anoracleofra-code	3cbe8090a9	fix: add default relay peer so fresh installs can sync Infonet On a fresh Docker (or local) install, MESH_RELAY_PEERS was empty and no bootstrap manifest existed, leaving the Infonet node with zero peers to sync from — causing perpetual "RETRYING" status. Set cipher0.shadowbroker.info:8000 as the default relay peer in both the config defaults and docker-compose.yml so new installations sync immediately after activating the wormhole.	2026-03-26 17:31:16 -06:00
anoracleofra-code	86d2145b97	fix: use paho-mqtt threaded loop for stable MQTT reconnection The Meshtastic MQTT bridge was using client.loop(timeout=1.0) in a blocking while loop. When the broker dropped the connection (common after ~30s of idle in Docker), the client silently stopped receiving messages with no auto-reconnect. Switch to client.loop_start() which runs the MQTT network loop in a background thread with built-in automatic reconnection. Also: - Add on_disconnect callback for visibility into disconnection events - Set reconnect_delay_set(1, 30) for fast exponential-backoff reconnect - Lower keepalive from 60s to 30s to stay within Docker network timeouts	2026-03-26 16:48:06 -06:00
anoracleofra-code	81b99c0571	fix: add meshtastic, PyNaCl, vaderSentiment to dependencies Full import audit found these packages used but missing from pyproject.toml — all silently broken in Docker: - meshtastic: MQTT protobuf decode (why US/LongFast chat was empty) - PyNaCl: DM sealed-box encryption - vaderSentiment: oracle sentiment analysis (unguarded, would crash)	2026-03-26 16:19:24 -06:00
anoracleofra-code	6140e9b7da	fix: pin paho-mqtt to v1.x (v2 broke callback API) paho-mqtt v2 changed Client constructor and on_connect callback signatures, breaking the Meshtastic MQTT bridge. Pin to <2.0.0 so the existing v1 code works correctly in Docker.	2026-03-26 15:57:14 -06:00
anoracleofra-code	12cf5c0824	fix: add paho-mqtt dependency + improve Infonet sync status labels paho-mqtt was missing from pyproject.toml, causing the Meshtastic MQTT bridge to silently disable itself in Docker — no live chat messages could be received. Also improve Infonet node status labels: show RETRYING when sync fails instead of misleading SYNCING, and WAITING when node is enabled but no sync has run yet.	2026-03-26 15:45:11 -06:00
anoracleofra-code	b03dc936df	fix: auto-enable raw secure storage fallback in Docker containers Docker/Linux containers have no DPAPI or native keyring, causing all wormhole persona/gate/identity endpoints to crash with SecureStorageError. Detect /.dockerenv and auto-allow raw fallback so mesh features work out of the box in Docker.	2026-03-26 15:28:44 -06:00
anoracleofra-code	6cf325142e	fix: increase wormhole readiness deadline from 8s to 20s In Docker the wormhole subprocess takes 10-15s to start (loading Plane-Alert DB, env checks, uvicorn startup). The 8s deadline was expiring before the health probe could succeed, leaving ready=false permanently even though the subprocess was healthy.	2026-03-26 11:00:44 -06:00
anoracleofra-code	81c90a9faf	fix: stop AIS proxy crash-loop when API key is not set Exit early from _ais_stream_loop() if AIS_API_KEY is empty instead of endlessly spawning the Node proxy which immediately prints FATAL and exits. This was flooding docker logs with hundreds of lines per minute.	2026-03-26 10:53:30 -06:00
anoracleofra-code	04939ee6e8	fix: bump text sizes across all mesh/infonet/settings components 7px→11px, 8px→12px, 9px→13px, 10px→14px (text-sm) across MeshChat, MeshTerminal, InfonetTerminal (all sub-components), ShodanPanel, SettingsPanel, and OnboardingModal. 316 instances total.	2026-03-26 10:38:33 -06:00
anoracleofra-code	4897a54803	fix: allow Docker internal IPs for local operator + bump changelog text sizes - require_local_operator now recognizes Docker bridge network IPs (172.x, 192.168.x, 10.x) as local, fixing "Forbidden — local operator access only" when frontend container calls wormhole/mesh endpoints - Bumped all changelog modal text from 8-9px to 11-13px for readability	2026-03-26 10:23:31 -06:00
anoracleofra-code	8b52cbfe30	fix: allow startup without ADMIN_KEY for fresh Docker installs Changed _validate_admin_startup() from sys.exit(1) to a warning when ADMIN_KEY is not set. Regular dashboard users don't need admin/mesh endpoints — the app should start and serve the dashboard without them.	2026-03-26 10:01:07 -06:00
anoracleofra-code	165743e92d	fix: remove build sections from docker-compose.yml so pull works docker compose pull was skipping with "No image to be pulled" because the build: sections made Compose treat local builds as authoritative. Moved build config to docker-compose.build.yml for developers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 08:16:30 -06:00
anoracleofra-code	fb6d098adf	fix: add missing orjson, beautifulsoup4, cryptography deps to pyproject.toml Docker image was crash-looping with `ModuleNotFoundError: No module named 'orjson'` because these packages were imported but not declared as dependencies. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 08:03:17 -06:00
Shadowbroker	2bc06ffa1a	Update README.md	2026-03-26 07:03:10 -06:00
Shadowbroker	cc7c8141ca	Update README.md	2026-03-26 07:01:34 -06:00
anoracleofra-code	784405b808	fix: add GHCR image refs to docker-compose and increase health start period Users pulling pre-built images need the image: field. Increased backend health check start_period from 30s to 60s with 5 retries to handle slower startup environments. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 06:50:08 -06:00
anoracleofra-code	f5e0c9c461	ci: make vitest non-blocking for Docker image builds SubtleCrypto tests fail in CI's Node 20 environment due to key format differences. Tests pass locally. Non-blocking so Docker images can ship. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 06:42:01 -06:00
anoracleofra-code	7d7d9137ea	ci: make lint steps non-blocking so Docker images can build Pre-existing lint issues in main.py (8000+ lines) and several frontend components were blocking the entire Docker Publish pipeline. Linting still runs and reports warnings but no longer gates the image build. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 06:40:07 -06:00
anoracleofra-code	09e39de4ef	fix: add dev dependency group to pyproject.toml for CI CI runs `uv sync --group dev` but only a `test` group existed. Renamed to `dev` and added ruff + black so Docker Publish can pass. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 06:33:35 -06:00
Shadowbroker	7084950896	Update README.md	2026-03-26 06:28:48 -06:00
anoracleofra-code	94eabce7e7	chore: remove Dependabot config Dependency bumps will be handled manually to avoid noisy PRs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 06:22:34 -06:00
Shadowbroker	1b7df287fa	Merge pull request #121 from BigBodyCobain/dependabot/npm_and_yarn/frontend/framer-motion-12.38.0 chore(deps): bump framer-motion from 12.34.3 to 12.38.0 in /frontend	2026-03-26 06:22:44 -06:00
Shadowbroker	3cca19b9dd	Merge pull request #112 from BigBodyCobain/dependabot/pip/backend/python-dotenv-1.2.2 chore(deps): bump python-dotenv from 1.0.1 to 1.2.2 in /backend	2026-03-26 06:22:41 -06:00
Shadowbroker	bbe47b6c31	Merge pull request #119 from BigBodyCobain/dependabot/npm_and_yarn/frontend/react-19.2.4 chore(deps): bump react from 19.2.3 to 19.2.4 in /frontend	2026-03-26 06:22:38 -06:00
anoracleofra-code	ac6b209c37	fix: Docker self-update shows pull instructions instead of silently failing The self-updater extracted files inside the container but Docker restarts from the original image, discarding all changes. Now detects Docker via /.dockerenv and returns pull commands for the user to run on their host. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-26 06:18:23 -06:00
Shadowbroker	ed3da5c901	Update README.md	2026-03-26 06:05:31 -06:00
dependabot[bot]	c4a731406a	chore(deps): bump framer-motion from 12.34.3 to 12.38.0 in /frontend Bumps [framer-motion](https://github.com/motiondivision/motion) from 12.34.3 to 12.38.0. - [Changelog](https://github.com/motiondivision/motion/blob/main/CHANGELOG.md) - [Commits](https://github.com/motiondivision/motion/compare/v12.34.3...v12.38.0) --- updated-dependencies: - dependency-name: framer-motion dependency-version: 12.38.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-26 12:00:43 +00:00
dependabot[bot]	d22c9b0077	chore(deps): bump react from 19.2.3 to 19.2.4 in /frontend Bumps [react](https://github.com/facebook/react/tree/HEAD/packages/react) from 19.2.3 to 19.2.4. - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.4/packages/react) --- updated-dependencies: - dependency-name: react dependency-version: 19.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-26 12:00:16 +00:00
dependabot[bot]	f3946d9b0d	chore(deps): bump python-dotenv from 1.0.1 to 1.2.2 in /backend Bumps [python-dotenv](https://github.com/theskumar/python-dotenv) from 1.0.1 to 1.2.2. - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](https://github.com/theskumar/python-dotenv/compare/v1.0.1...v1.2.2) --- updated-dependencies: - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-26 11:59:51 +00:00
anoracleofra-code	668ce16dc7	v0.9.6: InfoNet hashchain, Wormhole gate encryption, mesh reputation, 16 community contributors Gate messages now propagate via the Infonet hashchain as encrypted blobs — every node syncs them through normal chain sync while only Gate members with MLS keys can decrypt. Added mesh reputation system, peer push workers, voluntary Wormhole opt-in for node participation, fork recovery, killwormhole scripts, obfuscated terminology, and hardened the self-updater to protect encryption keys and chain state during updates. New features: Shodan search, train tracking, Sentinel Hub imagery, 8 new intelligence layers, CCTV expansion to 11,000+ cameras across 6 countries, Mesh Terminal CLI, prediction markets, desktop-shell scaffold, and comprehensive mesh test suite (215 frontend + backend tests passing). Community contributors: @wa1id, @AlborzNazari, @adust09, @Xpirix, @imqdcr, @csysp, @suranyami, @chr0n1x, @johan-martensson, @singularfailure, @smithbh, @OrfeoTerkuci, @deuza, @tm-const, @Elhard1, @ttulttul	2026-03-26 05:58:04 -06:00
Shadowbroker	d363013742	Merge pull request #111 from Elhard1/fix/start-sh-missing-fi fix(start.sh): add missing fi after UV bootstrap block	2026-03-25 20:25:41 -06:00
elhard1	54d4055da1	fix(start.sh): add missing fi after UV bootstrap block The UV install conditional was never closed, which caused 'unexpected end of file' from bash -n and broke the macOS/Linux startup path. Document in ChangelogModal BUG_FIXES (2026-03-26). Made-with: Cursor	2026-03-26 09:11:30 +08:00
Shadowbroker	3fd303db73	Merge pull request #109 from tm-const/patch-2 Update ci.yml	2026-03-25 08:59:21 -06:00
Shadowbroker	a4851f332e	Merge pull request #108 from tm-const/patch-1 Update docker-publish.yml	2026-03-25 08:54:48 -06:00
Manny	f8495e4b36	Update ci.yml Found The workflow installs test deps from the repo root (uv sync --group test), but pytest is defined in backend/pyproject.toml, so it never gets installed for the backend environment. I’m updating CI to sync the backend project explicitly before running tests.	2026-03-25 09:55:33 -04:00
Manny	cd89ef4511	Update docker-publish.yml Updated CI/CD workflows to align with the recommended GitHub Actions setup by refining docker-publish.yml and related CI config files. The changes focus on improving Docker image build/publish reliability and making the pipeline behavior more consistent with the project’s docker-compose setup.	2026-03-25 09:46:48 -04:00
Shadowbroker	0c08c30cab	Merge pull request #103 from smithbh/feature/makefile-local-lan-taskrunner Adds makefile-based taskrunner with lan or local-only access options	2026-03-24 18:02:46 -06:00
Shadowbroker	1252a6a746	Merge pull request #102 from OrfeoTerkuci/feature/introduce-uv-for-project-management Setup UV for project management	2026-03-24 17:56:58 -06:00
Brandon Smith	c918ca28dd	Adds ability to run in lan or local-only access modes using make commands Signed-off-by: Brandon Smith <smithbh@me.com>	2026-03-24 18:14:02 -05:00
Orfeo Terkuci	8414307708	Update github workflows	2026-03-24 20:04:18 +01:00
Orfeo Terkuci	466cc51bc3	Update start scripts	2026-03-24 20:04:10 +01:00
Orfeo Terkuci	212b1051a7	Reorder Dockerfile instructions: move source code copy before dependency installation	2026-03-24 20:03:58 +01:00
Orfeo Terkuci	fa2d47ca66	Refactor project structure: separate backend dependencies into pyproject.toml	2026-03-24 20:03:51 +01:00
Shadowbroker	693682cea0	Merge pull request #101 from deuza/main fix: add dos2unix step for Mac/Linux Quick Start	2026-03-23 12:47:17 -06:00
DeuZa	51cc01dbf8	fix: add dos2unix step for Mac/Linux Quick Start When downloading the .zip from GitHub Releases, start.sh may contain Windows-style line endings (\r\n) that cause the script to fail on Mac/Linux. Adding a dos2unix start.sh step before chmod +x fixes the issue.	2026-03-23 08:46:30 +01:00
Orfeo Terkuci	b87e9c36a6	Remove unused dependencies Dependencies which are not used, such as geopy, legacy-cgi and lxml are removed. Subdependencies such as beautifulsoup4 and pytz have been removed	2026-03-22 16:08:43 +01:00
Orfeo Terkuci	edc22c6461	Remove duplicate pytest declaration	2026-03-22 15:54:42 +01:00
Orfeo Terkuci	698ca0287d	Remove old requirements.txt files	2026-03-22 15:39:33 +01:00
Orfeo Terkuci	1034d95145	Update dockerfile to use UV Change backend context from . to ./backend in docker-compose. This is necessary for copying the pyproject.toml and uv.lock files from project root level	2026-03-22 15:39:23 +01:00
Orfeo Terkuci	e7f96499b9	Create pyproject.toml file and import dependencies	2026-03-22 15:39:09 +01:00
Shadowbroker	c2f2f99cf4	Merge pull request #98 from johan-martensson/feat/satellite-data-quality fix: correct COSMO-SkyMed key and add missing satellite classifications	2026-03-22 01:49:19 -06:00
Shadowbroker	ed70f88c04	Merge pull request #96 from johan-martensson/fix/financial-batch-fetch fix: replace concurrent yfinance fetches with single batch download	2026-03-22 01:48:14 -06:00
Johan Martensson	7a02bf6178	fix: correct COSMO-SKYMED key and add missing satellite classifications (COSMOS, WGS, AEHF, MUOS, SENTINEL, CSS)	2026-03-22 05:31:28 +00:00
Johan Martensson	98a9293166	fix: replace concurrent yfinance fetches with single batch download to avoid rate limiting	2026-03-22 05:31:28 +00:00
Shadowbroker	803a296133	Merge pull request #93 from singularfailure/main feat: add Spanish CCTV feeds and fix image loading	2026-03-21 12:49:19 -06:00
Singular Failure	3a2d8ddd75	feat: add Spanish CCTV feeds and fix image loading - Add 5 native ingestors to cctv_pipeline.py: DGT (~1,917 cameras), Madrid (~357), Málaga (~134), Vigo (~59), Vitoria-Gasteiz (~17) - Fix DGT DATEX2 parser to match actual XML schema (device elements, not CctvCameraRecord) - Wire all new ingestors into the scheduler via data_fetcher.py - Remove standalone spain_cctv.py by Alborz Nazari, replaced by native pipeline ingestors that integrate with the existing scheduler pattern - Fix CCTV image loading for servers with Referer-based hotlink protection (referrerPolicy="no-referrer") - Replace external via.placeholder.com fallbacks with inline SVG data URIs to avoid dependency on unreachable third-party service - Surface source_agency attribution in CCTV panel UI for open data license compliance (CC BY / Spain Ley 37/2007) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-21 15:10:43 +01:00
Shadowbroker	42a800a683	Merge pull request #92 from wa1id/fix/cctv-layer-population fix: restore CCTV layer ingestion and map rendering	2026-03-20 18:05:23 -06:00
Wa1iD	231f0afc4e	fix: restore CCTV layer ingestion and map rendering	2026-03-20 22:05:05 +01:00
Shadowbroker	f0b6f9a8d1	Merge pull request #91 from AlborzNazari/feature/spain-cctv-stix feat: add Spain DGT/Madrid CCTV sources and STIX 2.1 export endpoint	2026-03-20 12:38:02 -06:00
Alborz Nazari	335b1f78f6	feat: add Spain DGT/Madrid CCTV sources and STIX 2.1 export endpoint	2026-03-20 17:27:13 +01:00
Shadowbroker	2a5b8134a4	Merge pull request #87 from adust09/feat/power-plants-layer feat: add power plants layer (WRI Global Power Plant Database)	2026-03-18 09:43:11 -06:00
adust09	b40f9d1fd0	feat: add power plants layer with WRI Global Power Plant Database Map ~35,000 power generation facilities from 164 countries using the WRI Global Power Plant Database (CC BY 4.0). Follows the existing datacenter layer pattern with clustered icon symbols, amber color scheme, and click popups showing fuel type, capacity, and operator. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-18 16:56:24 +09:00
Shadowbroker	2812d43f49	Merge pull request #78 from Xpirix/change_style_only_on_style_div style: update LocateBar component to improve style interaction	2026-03-16 12:17:29 -06:00
Xpirix	ebcc101168	style: update bottom bar component to improve style interaction	2026-03-16 20:16:00 +03:00
Shadowbroker	fbec6fe323	Merge pull request #77 from adust09/feat/jsdf-bases-layer feat: add 18 JSDF bases to military bases layer	2026-03-16 10:53:40 -06:00
adust09	44147da205	fix: resolve merge conflicts between JSDF bases and East Asia adversary bases Merge both feature sets: keep JSDF bases (gsdf/msdf/asdf branches) from PR #77 and East Asia adversary bases (missile/nuclear branches) from main. Union all branch types in tests and MaplibreViewer labels. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-17 01:10:19 +09:00
Shadowbroker	144fca4e75	Merge pull request #76 from adust09/feat/east-asia-enhancement feat: East Asia intelligence coverage enhancement	2026-03-15 23:46:30 -06:00
adust09	457f00ca42	feat: add 18 JSDF bases to military bases layer Add ASDF (8), MSDF (6), and GSDF (4) bases to military_bases.json. Colocated bases (Misawa, Yokosuka, Sasebo) have offset coordinates to avoid overlap with existing US entries. Add branchLabel entries for GSDF/MSDF/ASDF in MaplibreViewer popup. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-16 14:44:32 +09:00
adust09	27506bbaa9	test: add JSDF bases tests (RED phase) - Add gsdf/msdf/asdf to known_branches in test_branch_values_are_known - Add test_includes_jsdf_bases for Yonaguni, Naha, Kure - Add test_colocated_bases_have_separate_entries for Misawa - Add buildMilitaryBasesGeoJSON tests with ASDF branch validation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-16 14:43:01 +09:00
adust09	910d1fd633	feat: enhance East Asia coverage with adversary bases, news sources, ICAO ranges, and PLAN vessel DB - Add 68 military bases (PLA, Russia, DPRK, ROC, Philippines, Australia) with data-driven color coding (red/blue/green) on the map - Add 6 news RSS feeds (Yonhap, Nikkei Asia, Taipei Times, Asia Times, Defense News, Japan Times) and 15 geocoding keywords for islands, straits, and disputed areas - Extend ICAO country ranges for Russia, Australia, Philippines, Singapore, DPRK and add Russian aircraft classification (fighters, bombers, cargo, recon) - Create PLAN/CCG vessel enrichment module (90+ ships) following yacht_alert pattern for automatic MMSI-based identification - Update frontend types and popup styling for adversary/allied/ROC color distinction Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-16 12:46:40 +09:00
Shadowbroker	95da3015d9	Create LICENSE Freedom for the people	2026-03-15 18:43:26 -06:00
Shadowbroker	1ac05bad0b	Merge pull request #72 from adust09/feat/military-bases-layer feat: East Asia military tracking — ICAO enrichment, model classification, force display	2026-03-15 10:31:54 -06:00
adust09	4b9765791f	feat: enrich military aircraft with ICAO country/force and East Asia model classification Infer country and military force (PLA, JSDF, ROK, ROC) from ICAO hex address blocks when the flag field is Unknown. Extract and extend aircraft model classification to cover East Asian fighters, cargo, recon, and tanker types with hyphen-normalized matching. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-16 01:05:44 +09:00
adust09	05de14af9d	feat: add military bases map layer for Western Pacific Add 18 US military bases (Japan, Guam, South Korea, Hawaii, Diego Garcia) as a toggleable map layer. Follows the existing data center layer pattern: static JSON → backend fetcher → slow-tier API → frontend GeoJSON layer. Includes red circle markers with labels, click popups showing operator and branch info, and a toggle in the left panel. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-16 00:33:35 +09:00
adust09	130287bb49	feat: add East Asia news sources and improve geocoding for Taiwan contingency Add 5 East Asia-focused RSS feeds (FocusTaiwan, Kyodo, SCMP, The Diplomat, Stars and Stripes) and 22 geographic keywords (Taiwan Strait, South/East China Sea, Okinawa, Guam, military bases, etc.) to improve coverage of Taiwan contingency scenarios. Refactor keyword matching into a pure _resolve_coords() function with longest-match-first sorting so specific locations like "Taiwan Strait" are not absorbed by generic "Taiwan". Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-15 23:19:55 +09:00
anoracleofra-code	4a33424924	fix: correct Helm chart path in README Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-15 01:10:23 -06:00
anoracleofra-code	acf1267681	fix: correct Helm chart image repos and apiVersion Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-15 01:07:20 -06:00
Shadowbroker	b5f49fe882	Update README.md Former-commit-id: 85110e82cc09ab746d323f8625b8ecb5b1c03500	2026-03-14 19:26:50 -06:00
Shadowbroker	42d301f6eb	Merge pull request #66 from chr0n1x/helm-chart feat: helm chart! Former-commit-id: a5d440d990e1565d248d8f9ba6b7f5626dc46da0	2026-03-14 19:21:56 -06:00
Shadowbroker	71c00a6c57	Delete frontend/errors.txt Former-commit-id: 257159ead999c4805217b3bcefb24101b34281b9	2026-03-14 19:16:22 -06:00
Shadowbroker	a0c2ff68c0	Delete frontend/build_error.txt Former-commit-id: b984825c75bb468d9b80c72e62b8f5ba897af9c7	2026-03-14 19:16:07 -06:00
Shadowbroker	3e41cc4999	Delete frontend/build_logs2.txt Former-commit-id: c60db226c818c30ba78012b4906d3aaf763a7100	2026-03-14 19:15:48 -06:00
Shadowbroker	79ade6d92f	Delete frontend/build_logs.txt Former-commit-id: 2c6e44b2882a9d3646ebcbdc8c632f4f9e8a98a1	2026-03-14 19:15:26 -06:00
Shadowbroker	50a07fb419	Delete frontend/build_logs3.txt Former-commit-id: 18910fb5ded0c99f9c4a9e6febfe3c8f464f754a	2026-03-14 19:15:13 -06:00
Shadowbroker	850a532d2b	Delete frontend/build_logs4.txt Former-commit-id: 873cf8224397f822e076d8c5a92796b9e2ceb2ad	2026-03-14 19:15:02 -06:00
Shadowbroker	2f6a3d56b0	Delete frontend/build_logs5.txt Former-commit-id: 9e6f1567e68d3d55c285f4e5235b5ad6220ebd49	2026-03-14 19:12:13 -06:00
Shadowbroker	e83d71bb1f	Delete frontend/build_output.txt Former-commit-id: 564ddfcb3f135243d3017c5eb8aff5bfed521601	2026-03-14 19:11:59 -06:00
Kevin R	078eac12d8	feat: helm chart! Former-commit-id: 27a7d19a73f4360424d2654a078b6cc26c53d231	2026-03-14 19:39:55 -04:00
Shadowbroker	21668a4d66	Update README.md Former-commit-id: 28a314c7a4162c303bf4b7d71aec69b8441c197f	2026-03-14 16:19:33 -06:00
Shadowbroker	54993c3f89	Update README.md Former-commit-id: 2a80e7ff67e5a3fd13df59bf547d1455ed563b20	2026-03-14 15:41:15 -06:00
anoracleofra-code	b37bfc0162	fix: add path traversal guard to updater extraction Validates that every destination path stays within project_root before writing. Prevents a malicious zip from writing outside the project directory via ../traversal entries. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 3140416e80b1b56e4e6cccc930d11c2d5f9b1611	2026-03-14 14:48:47 -06:00
anoracleofra-code	95474c3ac5	fix: updater resolves project_root to / in Docker containers In Docker, main.py lives at /app/main.py so Path.parent.parent resolves to filesystem root /, causing PermissionError on .github and other dirs. Now detects this case and falls back to cwd. Also grants backenduser write access to /app for auto-update. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 12c8bb5816a70161d5ab5d79f9240e7eab6e6e15	2026-03-14 14:34:11 -06:00
anoracleofra-code	b99a5e5d66	fix: updater crashes on os.makedirs PermissionError + prune protected dirs os.makedirs was outside try/except so permission-denied on .github directory creation crashed the entire update. Now both makedirs and copy are caught. Also prunes protected dirs from os.walk so the updater never even enters .github, .git, .claude, etc. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: d4bdef4604095a82860a4bc91bec3435a878f899	2026-03-14 14:29:37 -06:00
anoracleofra-code	3cdd2c851e	fix: updater permission denied on .github — add to protected dirs The auto-updater tried to extract .github/ from the release zip, causing Permission denied errors. Added .github and .claude to the protected directories list so they are skipped during extraction. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 8916fa08e005820ddbfc3b195c387dbf6187587e	2026-03-14 14:23:03 -06:00
anoracleofra-code	8ff4516a7a	fix: auto-updater proxy drop + protect internal docs from git Auto-update POST goes through Next.js proxy which dies when extracted files trigger hot-reload. Network drops now transition to restart polling instead of showing failure. Also adds admin key header and FastAPI error field fallback. Gitignore updated to protect internal docs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 03162f8a4b7ad8a0f2983f81361df7dba42a8689	2026-03-14 14:18:30 -06:00
anoracleofra-code	90c2e90e2c	v0.9.5: The Voltron Update — modular architecture, stable IDs, parallelized boot - Parallelized startup (60s → 15s) via ThreadPoolExecutor - Adaptive polling engine with ETag caching (no more bbox interrupts) - useCallback optimization for interpolation functions - Sliding LAYERS/INTEL edge panels replace bulky Record Panel - Modular fetcher architecture (flights, geo, infrastructure, financial, earth_observation) - Stable entity IDs for GDELT & News popups (PR #63, credit @csysp) - Admin auth (X-Admin-Key), rate limiting (slowapi), auto-updater - Docker Swarm secrets support, env_check.py validation - 85+ vitest tests, CI pipeline, geoJSON builder extraction - Server-side viewport bbox filtering reduces payloads 80%+ Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: f2883150b5bc78ebc139d89cc966a76f7d7c0408	2026-03-14 14:01:54 -06:00
anoracleofra-code	60c90661d4	feat: wire TypeScript interfaces into all component props, fix 12 lint errors Former-commit-id: 04b30a9e7af32b644140c45333f55c20afec45f2	2026-03-14 13:39:20 -06:00
anoracleofra-code	17c41d7ddf	feat: add ADMIN_KEY auth guard to sensitive settings and system endpoints Former-commit-id: 0eaa7813a16f13e123e9c131fcf90fcb8bf420fd	2026-03-14 13:39:20 -06:00
Shadowbroker	9ad35fb5d8	Merge pull request #63 from csysp/fix/c3-entity-id-index fix/replace array-index entity IDs with stable keys for GDELT + popups Former-commit-id: 3a965fb50893cd0fe9101d56fa80c09fafe75248	2026-03-14 11:47:07 -06:00
csysp	ff61366543	fix: replace array-index entity IDs with stable keys for GDELT and news popups selectedEntity.id was stored as a numeric array index into data.gdelt[] and data.news[]. After any data refresh those arrays rebuild, so the stored index pointed to a different item — showing wrong popup content. GDELT features now use g.properties?.name \|\| String(g.geometry.coordinates) as a stable id; popups resolve via find(). News popups resolve via find() matching alertKey. ThreatMarkers emits alertKey string instead of originalIdx. ThreatMarkerProps updated: id: number → id: string \| number. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Former-commit-id: c2bfd0897a9ebd27e7c905ea3ac848a89883f140	2026-03-14 10:16:04 -06:00
anoracleofra-code	d4626e6f3b	chore: add diff/temp files to .gitignore Former-commit-id: bf9e28241df584657eb34710b41fc68e1ee00e74	2026-03-14 07:52:40 -06:00
Shadowbroker	1dcea6e3fc	Merge pull request #61 from csysp/ui/remove-display-config-panel UI/display declutter add panel chevrons + fix/c1-interp-useCallback Former-commit-id: 641a03adfaa99231324c05d49d5c3e9f5c5724cd	2026-03-13 22:39:51 -06:00
csysp	10960c5a3f	perf: wrap interpFlight/Ship/Sat in useCallback to prevent spurious re-renders interpFlight, interpShip, and interpSat were plain arrow functions recreated on every render. Because interpTick fires every second, TrackedFlightLabels received a new function reference every second (preventing memo bailout) and all downstream useMemos closed over these functions re-executed unnecessarily. Wrap all three in useCallback([dtSeconds]) — dtSeconds is their only reactive closure variable; interpolatePosition is a stable module-level import and does not need to be listed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Former-commit-id: 84c3c06407afa5c0227ac1b682cca1157498d1a5	2026-03-13 21:18:51 -06:00
csysp	a9d21a0bb5	ui: remove display config panel + restore hideable sidebar tabs - Remove WorldviewRightPanel from left HUD (declutter) - Restore sliding sidebar animation via motion.div on both HUD containers - Left tab (LAYERS): springs to x:-360 when hidden, tab tracks edge - Right tab (INTEL): springs to x:+360 when hidden, tab tracks edge - Both use spring animation (damping:30 stiffness:250) - ChevronLeft/Right icons flip direction with open state Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Former-commit-id: 5a573165d27db1704f513ce9fd503ddc3f6892ef	2026-03-13 20:42:09 -06:00
csysp	c18bc8f35e	ui: remove display config panel from left HUD to declutter Removes WorldviewRightPanel render and import from page.tsx. The effects state is preserved as it continues to feed MaplibreViewer. Left HUD column now contains only the data layers panel. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Former-commit-id: 0cdb2a60bd8436b7226866e2f4086496beed1587	2026-03-13 20:10:58 -06:00
anoracleofra-code	cf349a4779	docs: clarify data sourcing in Why This Exists section Acknowledge aircraft registration databases (public FAA records). Reword "no data collected" to specifically mean no user data. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: d00580da195984ec70475d649f0f0e091a90ba48	2026-03-13 18:39:02 -06:00
anoracleofra-code	f3dd2e9656	docs: add "Why This Exists" section and soften disclaimer Positions the project as a public data aggregator, not a surveillance tool. Clarifies that no data is collected or transmitted beyond rendering. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 53eb82c6104f5c061d361c71c44f8c61b7e12897	2026-03-13 18:35:05 -06:00
anoracleofra-code	1cd8e8ae17	fix: respect CelesTrak fair use policy to avoid IP bans - Fetch interval: 30min → 24h (TLEs only update a few times daily) - Add If-Modified-Since header for conditional requests (304 support) - Remove 10-thread parallel blitz on TLE fallback API → sequential with 1s delay - Increase timeout 5s → 15s (be patient with a free service) - SGP4 propagation still runs every 60s — satellite positions stay live Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 67b7654b6cc2d05c0a8ff00faad7c45c9cf2aa2d	2026-03-13 17:47:26 -06:00
anoracleofra-code	9ac2312de5	feat: add pulse rings behind KiwiSDR radio tower icons Adds subtle amber glow circles behind both cluster and individual tower markers for a pulsing radar-station effect. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: bf6cee0f3b468006356fd95dcf83a27d5e62e5f6	2026-03-13 16:44:00 -06:00
anoracleofra-code	ef61f528f9	fix: KiwiSDR clusters now use tower icon instead of circles Replaced the circle cluster layer with a symbol layer using the same radio tower icon. Clusters show the tower with a count label below. No more orange blobs at any zoom level. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 0b1cb0d2a082dde4dcefe12518cdfb28b492ab89	2026-03-13 16:39:41 -06:00
anoracleofra-code	eaa4210959	fix: replace KiwiSDR orange circles with radio tower icons Individual nodes now render as amber radio tower SVGs with signal waves. Clusters use a subtle amber glow ring with count label instead of solid orange blobs. Much less visual clutter against the flight/ship markers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 96baa3415440118a6084c739d500a1ce5951d27f	2026-03-13 16:36:48 -06:00
anoracleofra-code	8ee807276c	fix: KiwiSDR layer broken import + remove ugly iframe embed - kiwisdr_fetcher.py imported non-existent `smart_request` (renamed to `fetch_with_curl`), causing silent ImportError → 0 nodes returned - Replaced KiwiSDR iframe embed with clean "OPEN SDR RECEIVER" button. The full KiwiSDR web UI (waterfall, frequency controls, callsign prompt) is unusable at 288px — better opened in a new tab. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: aa0fcd92b2390d6a8943b68f2f7eb9b900c7bbb7	2026-03-13 16:32:32 -06:00
anoracleofra-code	3d910cded8	Fix POTUS tracker map and data fetch failing due to using array index instead of icao24 code Former-commit-id: 418318b29816288d1846889d9b9e08f13ae42387	2026-03-13 14:27:31 -06:00
anoracleofra-code	c8175dcdbe	Fix commercial jet feature ID matching for popups Former-commit-id: e02a08eb7c4a94eebd2aa33912a2419abf70cfb7	2026-03-13 14:10:52 -06:00
Shadowbroker	136766257f	Update README.md update section for old versions Former-commit-id: 5299777abd9914e866967cdd3e533a3fa5ffd507	2026-03-13 12:59:38 -06:00
Shadowbroker	5cb3b7ae2b	Update README.md Former-commit-id: b443fc94edb2a15fe49769f84dcf319c18503dfa	2026-03-13 12:47:53 -06:00
anoracleofra-code	5f27a5cfb2	fix: pin backend Docker image to bookworm (fixes Playwright dep install) python:3.10-slim now resolves to Debian Trixie where ttf-unifont and ttf-ubuntu-font-family packages were renamed/removed, causing Playwright's --with-deps chromium install to fail. Pin to bookworm (Debian 12) for stable font package availability. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 805560e4b7e3df6441ed5d7221f6bf5e9e665438	2026-03-13 11:39:01 -06:00
anoracleofra-code	fc9eff865e	v0.9.0: in-app auto-updater, ship toggle split, stable entity IDs, performance fixes New features: - In-app auto-updater with confirmation dialog, manual download fallback, restart polling, and protected file safety net - Ship layers split into 4 independent toggles (Military/Carriers, Cargo/Tankers, Civilian, Cruise/Passenger) with per-category counts - Stable entity IDs using MMSI/callsign instead of volatile array indices - Dismissible threat alert bubbles (session-scoped, survives data refresh) Performance: - GDELT title fetching is now non-blocking (background enrichment) - Removed duplicate startup fetch jobs - Docker healthcheck start_period 15s → 90s Bug fixes: - Removed fake intelligence assessment generator (OSINT-only policy) - Fixed carrier tracker GDELT 429/TypeError crash - Fixed ETag collision (full payload hash) - Added concurrent /api/refresh guard Contributors: @imqdcr (ship split + stable IDs), @csysp (dismissible alerts, PR #48) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: a2c4c67da54345393f70a9b33b52e7e4fd6c049f	2026-03-13 11:32:16 -06:00
Shadowbroker	1eb2b21647	Merge pull request #52 from imqdcr/fix/selection-stability fix: use stable icao24/mmsi identifiers for aircraft and ship selection Former-commit-id: 69256a170a844e763d0cbeec63eea46204e5a547	2026-03-13 08:27:18 -06:00
imqdcr	45d82d7fcf	fix: use stable icao24/mmsi identifiers for aircraft and ship selection Replaces array-index-based selection with stable backend identifiers so selected entities persist correctly across data refreshes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Former-commit-id: 14e316d055ba0b1fe16a2be301fcaaf4349b5a29	2026-03-13 13:46:46 +00:00
Shadowbroker	0d717daa71	Merge pull request #48 from csysp/feat/dismiss-incidents-popups feat: add click-to-dismiss × button on global incidents popups Former-commit-id: 6c21c37feecf64c101bc4008050c84de9310ef46	2026-03-12 20:20:59 -06:00
csysp	9aed9d3eea	feat: add click-to-dismiss × button on global incidents popups Each alert bubble now has an × button in the top-right corner. Clicking it hides the alert for the session and clears its selection if it was active. - Dismissal keyed by stable content hash (title+coords) so dismissed state survives data.news array replacement on every 60s polling cycle - Button stopPropagation prevents accidental entity selection on dismiss - Single useState<Set<string>> — avoids naming collision with the react-map-gl `Map` import that caused the previous black-screen crash Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: ce2dec52a9a40a581995323354414b278abdf443	2026-03-12 18:26:43 -06:00
Shadowbroker	7c6049020d	Update README.md Former-commit-id: d66cbce25256556da9f7c3b5effb95c265489996	2026-03-12 10:41:43 -06:00
Shadowbroker	a9305e5cfb	Update README.md Former-commit-id: e546e2000c5b21c9cf89eb988e08f233eb3a0df3	2026-03-12 09:54:08 -06:00
anoracleofra-code	edf9fd8957	fix: restore API proxy route deleted during rebase The catch-all route.ts that proxies frontend /api/* requests to the backend was accidentally deleted during the v0.8.0 rebase against PR #44. Without it, all API fetches return 404 and nothing loads on the map. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 811ec765320d9813efc654fee53ef0e5d5fecc78	2026-03-12 09:47:16 -06:00
anoracleofra-code	90f6fcdc0f	chore: sync local polling adjustments and data updates Former-commit-id: 4417623b0c0bb6d07d79081817110e80e699a538	2026-03-12 09:36:19 -06:00
anoracleofra-code	34db99deaf	v0.8.0: POTUS fleet tracking, full aircraft color-coding, carrier fidelity, UI overhaul New features: - POTUS fleet (AF1, AF2, Marine One) with hot-pink icons + gold halo ring - 9-color aircraft system: military, medical, police, VIP, privacy, dictators - Sentinel-2 fullscreen overlay with download/copy/open buttons (green themed) - Carrier homeport deconfliction — distinct pier positions instead of stacking - Toggle all data layers button (cyan when active, excludes MODIS Terra) - Version badge + update checker + Discussions shortcut in UI - Overhauled MapLegend with POTUS fleet, wildfires, infrastructure sections - Data center map layer with ~700 global DCs from curated dataset Fixes: - All Air Force Two ICAO hex codes now correctly identified - POTUS icon priority over grounded state - Sentinel-2 no longer overlaps bottom coordinate bar - Region dossier Nominatim 429 rate-limit retry/backoff - Docker ENV legacy format warnings resolved - UI buttons cyan in dark mode, grey in light mode - Circuit breaker for flaky upstream APIs Community: @suranyami — parallel multi-arch Docker builds + runtime BACKEND_URL fix (PR #35, #44) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: 7c523df70a2d26f675603166e3513d29230592cd	2026-03-12 09:31:37 -06:00
Shadowbroker	a0d0a449eb	Merge pull request #44 from suranyami/fix-backend-url-regression-speed-up-docker-builds ci: speed up multi-arch Docker builds + fix BACKEND_URL baked in at build time Former-commit-id: 54ca8d59aede7e47df315ac526bde35f4e4d0622	2026-03-11 19:34:57 -06:00
David Parry	26a72f4f95	chore: untrack local config files (.claude, .mise.local.toml) These are already covered by the .gitignore added in this branch. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Former-commit-id: dcfdd7bb329ef7e63ee5755ccbe403bf951903f6	2026-03-12 12:11:09 +11:00
David Parry	3eff24c6ed	Merge branch 'main' of github.com:suranyami/Shadowbroker Former-commit-id: 8e9607c7adaf4f1b4b5013fab10429787671ec03	2026-03-12 12:08:19 +11:00
anoracleofra-code	bb345ed665	feat: add TopRightControls component Former-commit-id: `e75da4288a`	2026-03-11 18:39:26 -06:00
anoracleofra-code	dec5b0da9c	chore: bump version to 0.7.0 Former-commit-id: `8ee47f52ab`	2026-03-11 18:30:49 -06:00
David Parry	68cacc0fed	Merge pull request #6 from suranyami/fix-regression-BACKEND_URL Fix regression, BACKEND_URL now only processed at request-time Former-commit-id: 4131a0cadb3f17398ccaf7d14704e4399e9fa7b8	2026-03-12 11:22:03 +11:00
David Parry	40e89ac30b	Fix regression, BACKEND_URL now only processed at request-time Former-commit-id: da14f44e910786e9e21b5968b77e97a94f2876ab	2026-03-12 11:18:23 +11:00
David Parry	350ec11725	Merge pull request #5 from suranyami/speed-up-docker-builds Ensure lower case image name Former-commit-id: `dc43a87ef0`	2026-03-12 10:59:41 +11:00
David Parry	5d4dd0560d	Ensure lower case image name Former-commit-id: `f98cafd987`	2026-03-12 10:34:33 +11:00
David Parry	345f3c7451	Merge pull request #4 from suranyami/speed-up-docker-builds Add optimizations for separate arm64/x86_64 builds Former-commit-id: `50d265fcf0`	2026-03-12 10:30:01 +11:00
David Parry	dde527821c	Merge branch 'BigBodyCobain:main' into main Former-commit-id: `5c49568921`	2026-03-12 10:29:30 +11:00
David Parry	5bee764614	Add optimizations for separate arm64/x86_64 builds Former-commit-id: `aff71e6cd7`	2026-03-12 10:25:33 +11:00
anoracleofra-code	c986de9e35	fix: legend - earthquake icon yellow, outage zone grey Former-commit-id: `85478250c3`	2026-03-11 14:57:51 -06:00
anoracleofra-code	d2fa45c6a6	Merge branch 'main' of https://github.com/BigBodyCobain/Shadowbroker Former-commit-id: `cbc506242d`	2026-03-11 14:30:25 -06:00
anoracleofra-code	d78bf61256	fix: aircraft categorization, fullscreen satellite imagery, region dossier rate-limit, updated map legend - Fixed 288+ miscategorized aircraft in plane_alert_db.json (gov/police/medical) - data_fetcher.py: tracked_names enrichment now assigns blue/lime colors for gov/law/medical operators - region_dossier.py: fixed Nominatim 429 rate-limiting with retry/backoff - MaplibreViewer.tsx: Sentinel-2 popup replaced with fullscreen overlay + download/copy buttons - MapLegend.tsx: updated to show all 9 tracked aircraft color categories + POTUS fleet + wildfires + infrastructure Former-commit-id: `d109434616`	2026-03-11 14:29:18 -06:00
Shadowbroker	b10d6e6e00	Update README.md Former-commit-id: `b1cb267da3`	2026-03-11 14:09:50 -06:00
Shadowbroker	afdc626bdb	Update README.md Former-commit-id: `a3a0f5e990`	2026-03-11 14:07:46 -06:00
anoracleofra-code	5ab02e821f	feat: POTUS Fleet tracker, Docker secrets, route fix, SQLite->JSON migration - Add Docker Swarm secrets _FILE support (AIS_API_KEY_FILE, etc.) - Fix flight route lookup: pass lat/lng to adsb.lol routeset API, return airport names - Replace SQLite plane_alert DB with JSON file + O(1) category color mapping - Add POTUS Fleet (AF1, AF2, Marine One) with hardcoded ICAO overrides - Add tracked_names enrichment from Excel data with POTUS protection - Add oversized gold-ringed POTUS SVG icons on map - Add POTUS Fleet tracker panel in WorldviewLeftPanel with fly-to - Overhaul tracked flight labels: zoom-gated, PIA hidden, color-mapped - Add orange color to trackedIconMap, soften white icon strokes - Fix NewsFeed Wikipedia links to use alert_wiki slug Former-commit-id: `6f952104c1`	2026-03-11 12:28:04 -06:00
anoracleofra-code	ac62e4763f	chore: update ChangelogModal for v0.7.0 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `a771fe8cfb`	2026-03-11 06:37:15 -06:00
anoracleofra-code	cf68f1978d	v0.7.0: performance hardening — parallel fetches, deferred icons, AIS stability Optimizations: - Parallelized yfinance stock/oil fetches via ThreadPoolExecutor (~2s vs ~8s) - AIS backoff reset after 200 successes; removed hot-loop pruning (lock contention) - Single-pass ETag serialization (was double-serializing JSON) - Deferred ~50 non-critical map icons via setTimeout(0) - News feed animation capped at 15 items (was 100+ simultaneous) - heapq.nlargest() for FIRMS fires (60K→5K) and internet outages - Removed satellite duplication from fast endpoint - Geopolitics interval 5min → 30min - Ship counts single-pass memoized; color maps module-level constants - Improved GDELT URL-to-headline extraction (skip gibberish slugs) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `4a14a2f078`	2026-03-11 06:25:31 -06:00
David Parry	beadce5dae	Merge pull request #3 from suranyami/feat/multi-arch-docker-and-backend-proxy fix: resolve proxy gzip decoding and BACKEND_URL Docker override issues Former-commit-id: `7af4af1507`	2026-03-11 15:58:05 +11:00
Shadowbroker	10f376d4d7	Merge pull request #35 from suranyami/feat/multi-arch-docker-and-backend-proxy fix: resolve proxy gzip decoding and BACKEND_URL Docker override issues Former-commit-id: `c539a05d20`	2026-03-10 22:45:11 -06:00
David Parry	ff168150c9	Merge branch 'main' into feat/multi-arch-docker-and-backend-proxy Former-commit-id: `7ead58d453`	2026-03-11 15:05:55 +11:00
David Parry	782225ff99	fix: resolve proxy gzip decoding and BACKEND_URL Docker override issues Two bugs introduced by the Next.js proxy Route Handler: 1. ERR_CONTENT_DECODING_FAILED — Node.js fetch() automatically decompresses gzip/br responses from the backend, but the proxy was still forwarding Content-Encoding and Content-Length headers to the browser. The browser would then try to decompress already-decompressed data and fail. Fixed by stripping Content-Encoding and Content-Length from upstream response headers. 2. BACKEND_URL shell env leak into Docker Compose — docker-compose.yml used ${BACKEND_URL:-http://backend:8000}, which was being overridden by BACKEND_URL=http://localhost:8000 set in .mise.local.toml for local dev. Inside the frontend container, localhost:8000 does not exist, causing all proxied requests to return 502. Fixed by hardcoding http://backend:8000 in docker-compose.yml so the shell environment cannot override it. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Former-commit-id: `036c62d2c0`	2026-03-11 15:00:50 +11:00
David Parry	f99cc669f5	Merge pull request #2 from suranyami/feat/multi-arch-docker-and-backend-proxy feat: proxy backend API through Next.js using runtime BACKEND_URL Former-commit-id: `d930001673`	2026-03-11 14:22:58 +11:00
David Parry	25262323f5	feat: proxy backend API through Next.js using runtime BACKEND_URL Previously, NEXT_PUBLIC_API_URL was a build-time Next.js variable, making it impossible to configure the backend URL in docker-compose `environment` without rebuilding the image. This change introduces a proper server-side proxy: - next.config.ts: adds a rewrite rule that forwards all /api/* requests to BACKEND_URL (read at server startup, not baked at build time). Defaults to http://localhost:8000 so local dev works without config. - api.ts: API_BASE is now an empty string — all fetch calls use relative /api/... paths, which the Next.js server proxies to the backend. - docker-compose.yml: replaces NEXT_PUBLIC_API_URL build arg with a runtime BACKEND_URL env var defaulting to http://backend:8000, using Docker's internal networking. Port 8000 no longer needs to be exposed. - README: updates Docker setup docs, standalone compose example, and environment variable reference to reflect BACKEND_URL. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Former-commit-id: `a3b18e23c1`	2026-03-11 14:18:30 +11:00
Shadowbroker	bad50b8924	Merge pull request #33 from suranyami/feat/multi-arch-docker-and-backend-proxy Feat/multi arch docker and backend URL as env var Former-commit-id: `4c92fbe990`	2026-03-10 21:02:33 -06:00
David Parry	82715c79a6	Merge pull request #1 from suranyami/feat/multi-arch-docker-and-backend-proxy Feat/multi arch docker and backend proxy Former-commit-id: `82e0033239`	2026-03-11 13:56:22 +11:00
David Parry	e2a9ef9bbf	feat: proxy backend API through Next.js using runtime BACKEND_URL Previously, NEXT_PUBLIC_API_URL was a build-time Next.js variable, making it impossible to configure the backend URL in docker-compose `environment` without rebuilding the image. This change introduces a proper server-side proxy: - next.config.ts: adds a rewrite rule that forwards all /api/* requests to BACKEND_URL (read at server startup, not baked at build time). Defaults to http://localhost:8000 so local dev works without config. - api.ts: API_BASE is now an empty string — all fetch calls use relative /api/... paths, which the Next.js server proxies to the backend. - docker-compose.yml: replaces NEXT_PUBLIC_API_URL build arg with a runtime BACKEND_URL env var defaulting to http://backend:8000, using Docker's internal networking. Port 8000 no longer needs to be exposed. - README: updates Docker setup docs, standalone compose example, and environment variable reference to reflect BACKEND_URL. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Former-commit-id: `b4c9e78cdd`	2026-03-11 13:49:00 +11:00
David Parry	3c16071fcd	ci: build and publish multi-arch Docker images (amd64 + arm64) Add `platforms: linux/amd64,linux/arm64` to both the frontend and backend build-and-push steps. The existing setup-buildx-action already enables QEMU-based cross-compilation, so no additional steps are needed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Former-commit-id: `e3e0db6f3d`	2026-03-11 13:48:24 +11:00
anoracleofra-code	2ae104fca2	v0.6.0: custom news feeds, data center map layer, performance hardening New features: - Custom RSS Feed Manager: add/remove/prioritize up to 20 news sources from the Settings panel with weight levels 1-5. Persists across restarts. - Global Data Center Map Layer: 2,000+ DCs plotted worldwide with clustering, server-rack icons, and automatic internet outage cross-referencing. - Imperative map rendering: high-volume layers bypass React reconciliation via direct setData() calls with debounced updates on dense layers. - Enhanced /api/health with per-source freshness timestamps and counts. Fixes: - Data center coordinates fixed for 187 Southern Hemisphere entries - Docker CORS_ORIGINS passthrough in docker-compose.yml - Start scripts warn on Python 3.13+ compatibility - Settings panel redesigned with tabbed UI (API Keys / News Feeds) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `950c308f04`	2026-03-10 15:27:20 -06:00
anoracleofra-code	12857a4b83	v0.5.0: FIRMS fire hotspots, space weather, internet outages New intelligence layers: - NASA FIRMS VIIRS fire hotspots (5K+ global thermal anomalies, flame icons) - NOAA space weather badge (Kp index in status bar) - IODA regional internet outage monitoring (grey markers, BGP/ping only) Key improvements: - Fire clusters use flame-shaped icons (not circles) for clear differentiation - Internet outages are region-level with reliable datasources only - Removed radiation layer (no viable free real-time API) - All outage markers grey to avoid color confusion with other layers - Filtered out merit-nt telescope data that produced misleading percentages Updated changelog modal, README, and package.json for v0.5.0. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `195c6b64b9`	2026-03-10 10:23:38 -06:00
anoracleofra-code	c343084def	feat: add FIRMS thermal, space weather, radiation, and internet outage layers Add 4 new intelligence layers for v0.5: - NASA FIRMS VIIRS thermal anomaly tiles (frontend-only WMTS) - NOAA Space Weather Kp index badge in bottom bar - Safecast radiation monitoring with clustered markers - IODA internet outage alerts at country centroids All use free keyless APIs. All layers default to off. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `7cb926e227`	2026-03-10 09:01:35 -06:00
anoracleofra-code	c085475110	fix: remove defunct FLIR/NVG/CRT style presets, keep only DEFAULT and SATELLITE Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `c4de39bb02`	2026-03-10 04:53:17 -06:00
anoracleofra-code	e0257d2419	chore: remove debug/sample files from tracking, update .gitignore Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `e7f3378b5a`	2026-03-10 04:31:21 -06:00
anoracleofra-code	5d221c3dc7	fix: install backend Node.js deps (ws) in start scripts Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `41a7811360`	2026-03-10 04:25:53 -06:00
anoracleofra-code	dd8485d1b6	fix: filter out TWR (tower/platform) ADS-B transponders from flight data Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `791ec971d9`	2026-03-09 21:41:57 -06:00
anoracleofra-code	f6aa5ccbc1	chore: bump frontend version to 0.4.0 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `d05bef8de5`	2026-03-09 21:02:03 -06:00
anoracleofra-code	97208a01a2	fix: tag Docker images as latest + semver instead of branch name Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `c84cba927a`	2026-03-09 20:55:06 -06:00
Shadowbroker	d4c725de6e	Update README.md Former-commit-id: `ac040a307b`	2026-03-09 19:38:55 -06:00
Shadowbroker	d756dd5bd3	Update README.md Former-commit-id: `b0f91c4baf`	2026-03-09 19:36:59 -06:00
Shadowbroker	d96e8f5c21	Update README.md Former-commit-id: `5a8f3813c8`	2026-03-09 19:35:52 -06:00
Shadowbroker	8afcbca667	Update README.md Former-commit-id: `35f6b5900e`	2026-03-09 19:34:42 -06:00
Shadowbroker	b68de6a594	Delete assets directory Former-commit-id: `c002d2fa1b`	2026-03-09 19:33:37 -06:00
Shadowbroker	36dec1088d	Update README.md Former-commit-id: `65d1c2b715`	2026-03-09 19:29:13 -06:00
Shadowbroker	a38f4cbaea	Update README.md Former-commit-id: `ab178747cc`	2026-03-09 19:25:20 -06:00
Shadowbroker	8e7ef8e95e	Update README.md Former-commit-id: `3713b214d5`	2026-03-09 19:11:25 -06:00
Shadowbroker	e597147a16	Update README.md Former-commit-id: `b1827b5fa6`	2026-03-09 19:07:36 -06:00
Shadowbroker	71c085cdd5	Add files via upload Former-commit-id: `c4e48e2579`	2026-03-09 19:03:13 -06:00
Shadowbroker	c9cec26309	Create placeholder Former-commit-id: `1f3036e106`	2026-03-09 18:26:38 -06:00
Shadowbroker	03aae3216b	Delete assets Former-commit-id: `a0531362a9`	2026-03-09 18:24:20 -06:00
Shadowbroker	31755b294e	Create assets Former-commit-id: `23e1ad1b0d`	2026-03-09 18:23:02 -06:00
Shadowbroker	9c831e37ff	Update README.md Former-commit-id: `83a7488740`	2026-03-09 18:03:56 -06:00
anoracleofra-code	686e304358	merge: resolve conflicts with Podman compose PR Former-commit-id: `1cf7a31a63`	2026-03-09 17:48:22 -06:00
anoracleofra-code	8cddf6794d	feat: v0.4 — satellite imagery, KiwiSDR radio, LOCATE bar & security cleanup New features: - NASA GIBS (MODIS Terra) daily satellite imagery with 30-day time slider - Esri World Imagery high-res satellite layer (sub-meter, zoom 18+) - KiwiSDR SDR receivers on map with embedded radio tuner - Sentinel-2 intel card — right-click for recent satellite photo popup - LOCATE bar — search by coordinates or place name (Nominatim geocoding) - SATELLITE style preset in bottom bar cycling - v0.4 changelog modal on first launch Fixes: - Satellite imagery renders below data icons (imagery-ceiling anchor) - Sentinel-2 opens full-res PNG directly (not STAC catalog JSON) - Light/dark theme: UI stays dark, only map basemap changes Security: - Removed test files with hardcoded API keys from tracking - Removed .git_backup directory from tracking - Updated .gitignore to exclude test files, dev scripts, cache files Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Former-commit-id: `e89e992293`	2026-03-09 17:46:33 -06:00
Shadowbroker	a98f46c708	Merge pull request #23 from ttulttul/codex/podman-compose-and-css-fixes Add Podman compose support and fix frontend production CSS Former-commit-id: `ec3296f23a`	2026-03-09 15:38:57 -06:00
Ken Simpson	d6f97df336	Add Podman compose support and fix frontend production CSS Former-commit-id: `f197ec0f20`	2026-03-09 11:51:37 -07:00
anoracleofra-code	91a63cf17a	docs: update description to multi-domain OSINT instead of full-spectrum geospatial Former-commit-id: `85748a6fea`	2026-03-09 09:30:31 -06:00
anoracleofra-code	354ed37e1a	fix: start scripts now validate prerequisites and stop on failure - Check for Python and Node.js before starting - Stop with clear error message if pip install fails - Recommend Python 3.10-3.12 (3.13+ has compatibility issues) - Show version info at startup for easier debugging - Updated README with Python version guidance Former-commit-id: `28f92f1cb9`	2026-03-09 09:25:57 -06:00
anoracleofra-code	3c18bef174	fix: add legacy-cgi dependency for Python 3.13+ compatibility Python 3.13 deprecated and 3.14 removed the cgi module entirely. feedparser imports it, causing ModuleNotFoundError on newer Python. Former-commit-id: `14dc1a714d`	2026-03-09 08:45:40 -06:00
anoracleofra-code	09c2d3d810	fix: only show flight trail for selected no-route aircraft, not all planes Former-commit-id: `c9400785a4`	2026-03-09 08:14:42 -06:00
anoracleofra-code	2e53d6d7af	fix: show pip install errors in start.bat and loosen dependency pins for Python 3.13+ start.bat was silently swallowing pip errors. Strict version pins on pydantic, fastapi, and uvicorn caused build failures on Python 3.13+ due to missing pre-built wheels. Former-commit-id: `7b4e907bd6`	2026-03-09 07:55:18 -06:00
anoracleofra-code	bf0da2c434	fix: create .env file if missing when saving API keys Docker users don't have a .env file by default, so the settings page silently failed to save keys. Now creates it automatically. Former-commit-id: `1d0ccdd55a`	2026-03-09 07:51:59 -06:00
anoracleofra-code	a57c9be0cb	fix: render flight trails for all no-route aircraft instead of selected only Former-commit-id: `ac995eb628`	2026-03-09 07:50:39 -06:00
anoracleofra-code	e82a5ae3be	fix: Docker build failures — backend .dockerignore excluded package.json, frontend lock file missing hls.js Backend: *.json glob in .dockerignore excluded package.json, causing npm install to fail with ENOENT. Replaced with explicit exclusions. Frontend: hls.js was added to package.json but package-lock.json was not regenerated, causing npm ci to fail with EUSAGE sync error. Former-commit-id: `2dcf7061d1`	2026-03-09 06:30:20 -06:00
anoracleofra-code	3326c520a9	fix: include satellites in fast data endpoint payload Satellites were missing from /api/live-data/fast response, causing the frontend to show 0 satellites despite the backend having data. Former-commit-id: `7605b5f3a1`	2026-03-09 06:30:19 -06:00
anoracleofra-code	24e4d331fc	fix: install ws module dependencies in backend Dockerfile for AIS proxy Former-commit-id: `f8c48830f5`	2026-03-09 06:01:05 -06:00
anoracleofra-code	c96f6ad723	fix: document requirement for permissive CORS policy Former-commit-id: `e2e1cda5cb`	2026-03-09 05:56:46 -06:00
anoracleofra-code	923c80368d	fix: resolve security concerns in AIS proxy, GDELT parsing, and env key validation Former-commit-id: `fad9572959`	2026-03-09 05:53:15 -06:00
anoracleofra-code	30595843a0	fix: add node and curl dependencies to backend docker image Former-commit-id: `b04b6908c2`	2026-03-09 05:41:43 -06:00
anoracleofra-code	cef06ff809	fix: use hls.js to support HLS video streams on non-Safari browsers Former-commit-id: `4c846bf805`	2026-03-09 01:35:48 -06:00
anoracleofra-code	502359fc30	docs: update docker installation instructions for local builds Former-commit-id: `72b2e2a198`	2026-03-09 00:52:12 -06:00
anoracleofra-code	19a0ef1c70	fix: resolve Next.js docker build endpoints and handle async map icons Former-commit-id: `6241ea44db`	2026-03-09 00:41:02 -06:00
anoracleofra-code	197d37ae5a	fix: remove tailwind config from dockerignore to ensure correct CSS generation in docker build Former-commit-id: `1edb09eff5`	2026-03-09 00:18:16 -06:00
anoracleofra-code	0c9d047509	fix: smooth position interpolation for planes, boats, and satellites Former-commit-id: `2a511c628d`	2026-03-08 22:32:43 -06:00
anoracleofra-code	2147eee0a6	fix: resolve shell command injection vulnerability in curl fallback Former-commit-id: `d8098c0414`	2026-03-08 21:50:34 -06:00
anoracleofra-code	1298dd326b	fix: implement CelesTrak fallbacks, add connection banner, and bump to v0.3.0 Former-commit-id: `e7eb7c23a5`	2026-03-08 21:00:59 -06:00
anoracleofra-code	ed5bc5a23b	fix: improve API key security, add connection banner, and bump to v0.3.0 Former-commit-id: `0c7dc37d83`	2026-03-08 19:52:07 -06:00

1236 changed files with 568274 additions and 37402 deletions

.dockerignore

+56

View File

@@ -0,0 +1,56 @@
 # Exclude build artifacts, caches, and large directories from Docker context
 .git/
 .git_backup/
 node_modules/
 .next/
 __pycache__/
 *.pyc
 venv/
 .venv/
 .ruff_cache/
 local-artifacts/
 release-secrets/
 # Never send local configuration or credentials into Docker builds
 .env
 .env.*
 **/.env
 **/.env.*
 *.pem
 *.key
 *.p12
 *.pfx
 # privacy-core build caches (source is needed, artifacts are not)
 privacy-core/target/
 privacy-core/target-test/
 privacy-core/.codex-tmp/
 # Large data/cache files
 *.db
 *.sqlite
 *.xlsx
 *.log
 extra/
 prototype/
 # Runtime state generated by local backend runs
 backend/.pytest_cache/
 backend/.ruff_cache/
 backend/backend.egg-info/
 backend/build/
 backend/node_modules/
 backend/timemachine/
 backend/venv/
 backend/data/*cache*.json
 backend/data/**/*cache*.json
 backend/data/wormhole*.json
 backend/data/**/wormhole*.json
 backend/data/dm_*.json
 backend/data/**/dm_*.json
 backend/data/**/peer_store.json
 backend/data/**/node.json
 backend/data/*.log
 backend/data/**/*.log
 backend/data/*.key
 backend/data/**/*.key

									
										.env.example
									
		+137
		
												View File
												
				@@ -0,0 +1,137 @@

				# ShadowBroker — Docker Compose Environment Variables

				# Copy this file to .env and fill in your keys:

				#   cp .env.example .env

				# ── Required for backend container ─────────────────────────────

				# OpenSky Network OAuth2 — REQUIRED for airplane telemetry.

				# Free registration at https://opensky-network.org/index.php?option=com_users&view=registration

				# Without these the flights layer falls back to ADS-B-only with major gaps in Africa, Asia, and LatAm.

				OPENSKY_CLIENT_ID=

				OPENSKY_CLIENT_SECRET=

				AIS_API_KEY=

				# Admin key to protect sensitive endpoints (settings, updates).

				# If blank, loopback/localhost requests still work for local single-host dev.

				# Remote/non-loopback admin access requires ADMIN_KEY, or ALLOW_INSECURE_ADMIN=true in debug-only setups.

				ADMIN_KEY=

				# Allow insecure admin access without ADMIN_KEY (local dev only, beyond loopback).

				# Requires MESH_DEBUG_MODE=true on the backend; do not enable this for normal use.

				# ALLOW_INSECURE_ADMIN=false

				# User-Agent for Nominatim geocoding requests (per OSM usage policy).

				# NOMINATIM_USER_AGENT=ShadowBroker/1.0 (https://github.com/BigBodyCobain/Shadowbroker)

				# ── Optional ───────────────────────────────────────────────────

				# LTA (Singapore traffic cameras) — leave blank to skip

				# LTA_ACCOUNT_KEY=

				# NASA FIRMS country-scoped fire data — enriches global CSV with conflict-zone hotspots.

				# Free MAP_KEY from https://firms.modaps.eosdis.nasa.gov/

				# FIRMS_MAP_KEY=

				# Ukraine air raid alerts — free token from https://alerts.in.ua/

				# ALERTS_IN_UA_TOKEN=

				# Optional NUFORC UAP sighting map enrichment via Mapbox Tilequery.

				# Leave blank to skip this optional enrichment.

				# NUFORC_MAPBOX_TOKEN=

				# Optional startup-risk controls.

				# On Windows, external curl fallback and the Playwright LiveUAMap scraper are

				# disabled by default so blocked upstream feeds cannot interrupt start.bat.

				# SHADOWBROKER_ENABLE_WINDOWS_CURL_FALLBACK=false

				# SHADOWBROKER_ENABLE_LIVEUAMAP_SCRAPER=false

				# AIS starts by default when AIS_API_KEY is set. Set to 0/false to force-disable.

				# SHADOWBROKER_ENABLE_AIS_STREAM_PROXY=true

				# Minimum visible satellite catalog before forcing a CelesTrak refresh.

				# SHADOWBROKER_MIN_VISIBLE_SATELLITES=350

				# Upper bound for TLE fallback satellite search when CelesTrak is unreachable.

				# SHADOWBROKER_MAX_VISIBLE_SATELLITES=450

				# NUFORC fallback uses the Hugging Face mirror when live NUFORC is unavailable.

				# NUFORC_HF_FALLBACK_LIMIT=250

				# NUFORC_HF_GEOCODE_LIMIT=150

				# First-paint cache age budgets. These let the map and Global Threat Intercept

				# paint from the last local snapshot while live feeds refresh in the background.

				# FAST_STARTUP_CACHE_MAX_AGE_S=21600

				# INTEL_STARTUP_CACHE_MAX_AGE_S=21600

				# Docker resource tuning. The backend synthesizes large geospatial feeds; keep

				# this at 4G or higher on hosts that run AIS, OpenSky, CCTV, satellites, and

				# threat feeds together. Lower caps can cause Docker OOM restarts and empty

				# slow layers such as news, UAP sightings, military bases, and wastewater.

				# BACKEND_MEMORY_LIMIT=4G

				# SHADOWBROKER_FETCH_WORKERS=8

				# SHADOWBROKER_SLOW_FETCH_CONCURRENCY=4

				# SHADOWBROKER_STARTUP_HEAVY_CONCURRENCY=2

				# Infonet bootstrap/sync responsiveness. Defaults favor fast seed failure

				# detection so stale onion peers do not make the terminal look hung.

				# MESH_SYNC_TIMEOUT_S=5

				# MESH_SYNC_MAX_PEERS_PER_CYCLE=3

				# MESH_BOOTSTRAP_SEED_FAILURE_COOLDOWN_S=15

				# Google Earth Engine for VIIRS night lights change detection (optional).

				# pip install earthengine-api

				# GEE_SERVICE_ACCOUNT_KEY=

				# Override the backend URL the frontend uses (leave blank for auto-detect)

				# NEXT_PUBLIC_API_URL=http://192.168.1.50:8000

				# ── Mesh / Reticulum (RNS) ─────────────────────────────────────

				# MESH_RNS_ENABLED=false

				# MESH_RNS_APP_NAME=shadowbroker

				# MESH_RNS_ASPECT=infonet

				# MESH_RNS_IDENTITY_PATH=

				# MESH_RNS_PEERS=

				# MESH_RNS_DANDELION_HOPS=2

				# MESH_RNS_DANDELION_DELAY_MS=400

				# MESH_RNS_CHURN_INTERVAL_S=300

				# MESH_RNS_MAX_PEERS=32

				# MESH_RNS_MAX_PAYLOAD=8192

				# MESH_RNS_PEER_BUCKET_PREFIX=4

				# MESH_RNS_MAX_PEERS_PER_BUCKET=4

				# MESH_RNS_PEER_FAIL_THRESHOLD=3

				# MESH_RNS_PEER_COOLDOWN_S=300

				# MESH_RNS_SHARD_ENABLED=false

				# MESH_RNS_SHARD_DATA_SHARDS=3

				# MESH_RNS_SHARD_PARITY_SHARDS=1

				# MESH_RNS_SHARD_TTL_S=30

				# MESH_RNS_FEC_CODEC=xor

				# MESH_RNS_BATCH_MS=200

				# MESH_RNS_COVER_INTERVAL_S=0

				# MESH_RNS_COVER_SIZE=64

				# MESH_RNS_IBF_WINDOW=256

				# MESH_RNS_IBF_TABLE_SIZE=64

				# MESH_RNS_IBF_MINHASH_SIZE=16

				# MESH_RNS_IBF_MINHASH_THRESHOLD=0.25

				# MESH_RNS_IBF_WINDOW_JITTER=32

				# MESH_RNS_IBF_INTERVAL_S=120

				# MESH_RNS_IBF_SYNC_PEERS=3

				# MESH_RNS_IBF_QUORUM_TIMEOUT_S=6

				# MESH_RNS_IBF_MAX_REQUEST_IDS=64

				# MESH_RNS_IBF_MAX_EVENTS=64

				# MESH_RNS_SESSION_ROTATE_S=0

				# MESH_RNS_IBF_FAIL_THRESHOLD=3

				# MESH_RNS_IBF_COOLDOWN_S=120

				# MESH_VERIFY_INTERVAL_S=600

				# MESH_VERIFY_SIGNATURES=false

				# ── Mesh DM Relay ──────────────────────────────────────────────

				# MESH_DM_TOKEN_PEPPER=change-me

				# Optional local-dev DM root external assurance bridge.

				# These stay commented because they are machine-local file paths, not safe global defaults.

				# MESH_DM_ROOT_EXTERNAL_WITNESS_IMPORT_PATH=backend/../ops/root_witness_receipt_import.json

				# MESH_DM_ROOT_TRANSPARENCY_LEDGER_EXPORT_PATH=backend/../ops/root_transparency_ledger.json

				# MESH_DM_ROOT_TRANSPARENCY_LEDGER_READBACK_URI=backend/../ops/root_transparency_ledger.json

				# ── Self Update ────────────────────────────────────────────────

				# MESH_UPDATE_SHA256=

				# ── Wormhole (Local Agent) ─────────────────────────────────────

				# WORMHOLE_URL=http://127.0.0.1:8787

				# WORMHOLE_TRANSPORT=direct

				# WORMHOLE_SOCKS_PROXY=127.0.0.1:9050

				# WORMHOLE_SOCKS_DNS=true

.git_backup/COMMIT_EDITMSG

-1

View File

				`@@ -1 +0,0 @@`
				`fix: resolve satellite NORAD ID lookup to fix propagation loop`

.git_backup/FETCH_HEAD

-1

View File

				`@@ -1 +0,0 @@`
				`313aa32a9b08c1ddce4e9c801bdda210e136d67f branch 'main' of https://github.com/BigBodyCobain/Shadowbroker`

.git_backup/HEAD

-1

View File

				`@@ -1 +0,0 @@`
				`ref: refs/heads/main`

.git_backup/ORIG_HEAD

-1

View File

				`@@ -1 +0,0 @@`
				`e1f4ac2cfb114de61c0d83234b8d2deb545b2301`

.git_backup/config

-13

View File

@@ -1,13 +0,0 @@
 [core]
 	repositoryformatversion = 0
 	filemode = false
 	bare = false
 	logallrefupdates = true
 	symlinks = false
 	ignorecase = true
 [remote "origin"]
 	url = https://BigBodyCobain@github.com/BigBodyCobain/Shadowbroker.git
 	fetch = +refs/heads/*:refs/remotes/origin/*
 [branch "main"]
 	remote = origin
 	merge = refs/heads/main

.git_backup/description

-1

View File

				`@@ -1 +0,0 @@`
				`Unnamed repository; edit this file 'description' to name the repository.`

.git_backup/gk/config

-3

View File

@@ -1,3 +0,0 @@
 [branch "main"]
 	gk-last-accessed = 2026-03-08T21:04:31.109Z
 	gk-last-modified = 2026-03-08T21:04:31.109Z

.git_backup/hooks/applypatch-msg.sample

-15

View File

@@ -1,15 +0,0 @@
 #!/bin/sh
 #
 # An example hook script to check the commit log message taken by
 # applypatch from an e-mail message.
 #
 # The hook should exit with non-zero status after issuing an
 # appropriate message if it wants to stop the commit.  The hook is
 # allowed to edit the commit message file.
 #
 # To enable this hook, rename this file to "applypatch-msg".
 . git-sh-setup
 commitmsg="$(git rev-parse --git-path hooks/commit-msg)"
 test -x "$commitmsg" && exec "$commitmsg" ${1+"$@"}
 :

.git_backup/hooks/commit-msg.sample

-24

View File

@@ -1,24 +0,0 @@
 #!/bin/sh
 #
 # An example hook script to check the commit log message.
 # Called by "git commit" with one argument, the name of the file
 # that has the commit message.  The hook should exit with non-zero
 # status after issuing an appropriate message if it wants to stop the
 # commit.  The hook is allowed to edit the commit message file.
 #
 # To enable this hook, rename this file to "commit-msg".
 # Uncomment the below to add a Signed-off-by line to the message.
 # Doing this in a hook is a bad idea in general, but the prepare-commit-msg
 # hook is more suited to it.
 #
 # SOB=$(git var GIT_AUTHOR_IDENT | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
 # grep -qs "^$SOB" "$1" || echo "$SOB" >> "$1"
 # This example catches duplicate Signed-off-by lines.
 test "" = "$(grep '^Signed-off-by: ' "$1" |
 	 sort | uniq -c | sed -e '/^[ 	]*1[ 	]/d')" || {
 	echo >&2 Duplicate Signed-off-by lines.
 	exit 1
 }

.git_backup/hooks/fsmonitor-watchman.sample

-174

View File

@@ -1,174 +0,0 @@
 #!/usr/bin/perl
 use strict;
 use warnings;
 use IPC::Open2;
 # An example hook script to integrate Watchman
 # (https://facebook.github.io/watchman/) with git to speed up detecting
 # new and modified files.
 #
 # The hook is passed a version (currently 2) and last update token
 # formatted as a string and outputs to stdout a new update token and
 # all files that have been modified since the update token. Paths must
 # be relative to the root of the working tree and separated by a single NUL.
 #
 # To enable this hook, rename this file to "query-watchman" and set
 # 'git config core.fsmonitor .git/hooks/query-watchman'
 #
 my ($version, $last_update_token) = @ARGV;
 # Uncomment for debugging
 # print STDERR "$0 $version $last_update_token\n";
 # Check the hook interface version
 if ($version ne 2) {
 	die "Unsupported query-fsmonitor hook version '$version'.\n" .
 	    "Falling back to scanning...\n";
 }
 my $git_work_tree = get_working_dir();
 my $retry = 1;
 my $json_pkg;
 eval {
 	require JSON::XS;
 	$json_pkg = "JSON::XS";
 ;
 } or do {
 	require JSON::PP;
 	$json_pkg = "JSON::PP";
 };
 launch_watchman();
 sub launch_watchman {
 	my $o = watchman_query();
 	if (is_work_tree_watched($o)) {
 		output_result($o->{clock}, @{$o->{files}});
 	}
 }
 sub output_result {
 	my ($clockid, @files) = @_;
 	# Uncomment for debugging watchman output
 	# open (my $fh, ">", ".git/watchman-output.out");
 	# binmode $fh, ":utf8";
 	# print $fh "$clockid\n@files\n";
 	# close $fh;
 	binmode STDOUT, ":utf8";
 	print $clockid;
 	print "\0";
 	local $, = "\0";
 	print @files;
 }
 sub watchman_clock {
 	my $response = qx/watchman clock "$git_work_tree"/;
 	die "Failed to get clock id on '$git_work_tree'.\n" .
 		"Falling back to scanning...\n" if $? != 0;
 	return $json_pkg->new->utf8->decode($response);
 }
 sub watchman_query {
 	my $pid = open2(\*CHLD_OUT, \*CHLD_IN, 'watchman -j --no-pretty')
 	or die "open2() failed: $!\n" .
 	"Falling back to scanning...\n";
 	# In the query expression below we're asking for names of files that
 	# changed since $last_update_token but not from the .git folder.
 	#
 	# To accomplish this, we're using the "since" generator to use the
 	# recency index to select candidate nodes and "fields" to limit the
 	# output to file names only. Then we're using the "expression" term to
 	# further constrain the results.
 	my $last_update_line = "";
 	if (substr($last_update_token, 0, 1) eq "c") {
 		$last_update_token = "\"$last_update_token\"";
 		$last_update_line = qq[\n"since": $last_update_token,];
 	}
 	my $query = <<"	END";
 		["query", "$git_work_tree", {$last_update_line
 			"fields": ["name"],
 			"expression": ["not", ["dirname", ".git"]]
 		}]
 	END
 	# Uncomment for debugging the watchman query
 	# open (my $fh, ">", ".git/watchman-query.json");
 	# print $fh $query;
 	# close $fh;
 	print CHLD_IN $query;
 	close CHLD_IN;
 	my $response = do {local $/; <CHLD_OUT>};
 	# Uncomment for debugging the watch response
 	# open ($fh, ">", ".git/watchman-response.json");
 	# print $fh $response;
 	# close $fh;
 	die "Watchman: command returned no output.\n" .
 	"Falling back to scanning...\n" if $response eq "";
 	die "Watchman: command returned invalid output: $response\n" .
 	"Falling back to scanning...\n" unless $response =~ /^\{/;
 	return $json_pkg->new->utf8->decode($response);
 }
 sub is_work_tree_watched {
 	my ($output) = @_;
 	my $error = $output->{error};
 	if ($retry > 0 and $error and $error =~ m/unable to resolve root .* directory (.*) is not watched/) {
 		$retry--;
 		my $response = qx/watchman watch "$git_work_tree"/;
 		die "Failed to make watchman watch '$git_work_tree'.\n" .
 		    "Falling back to scanning...\n" if $? != 0;
 		$output = $json_pkg->new->utf8->decode($response);
 		$error = $output->{error};
 		die "Watchman: $error.\n" .
 		"Falling back to scanning...\n" if $error;
 		# Uncomment for debugging watchman output
 		# open (my $fh, ">", ".git/watchman-output.out");
 		# close $fh;
 		# Watchman will always return all files on the first query so
 		# return the fast "everything is dirty" flag to git and do the
 		# Watchman query just to get it over with now so we won't pay
 		# the cost in git to look up each individual file.
 		my $o = watchman_clock();
 		$error = $output->{error};
 		die "Watchman: $error.\n" .
 		"Falling back to scanning...\n" if $error;
 		output_result($o->{clock}, ("/"));
 		$last_update_token = $o->{clock};
 		eval { launch_watchman() };
 		return 0;
 	}
 	die "Watchman: $error.\n" .
 	"Falling back to scanning...\n" if $error;
 	return 1;
 }
 sub get_working_dir {
 	my $working_dir;
 	if ($^O =~ 'msys' || $^O =~ 'cygwin') {
 		$working_dir = Win32::GetCwd();
 		$working_dir =~ tr/\\/\//;
 	} else {
 		require Cwd;
 		$working_dir = Cwd::cwd();
 	}
 	return $working_dir;
 }

.git_backup/hooks/post-update.sample

-8

View File

@@ -1,8 +0,0 @@
 #!/bin/sh
 #
 # An example hook script to prepare a packed repository for use over
 # dumb transports.
 #
 # To enable this hook, rename this file to "post-update".
 exec git update-server-info

.git_backup/hooks/pre-applypatch.sample

-14

View File

@@ -1,14 +0,0 @@
 #!/bin/sh
 #
 # An example hook script to verify what is about to be committed
 # by applypatch from an e-mail message.
 #
 # The hook should exit with non-zero status after issuing an
 # appropriate message if it wants to stop the commit.
 #
 # To enable this hook, rename this file to "pre-applypatch".
 . git-sh-setup
 precommit="$(git rev-parse --git-path hooks/pre-commit)"
 test -x "$precommit" && exec "$precommit" ${1+"$@"}
 :

.git_backup/hooks/pre-commit.sample

-49

View File

@@ -1,49 +0,0 @@
 #!/bin/sh
 #
 # An example hook script to verify what is about to be committed.
 # Called by "git commit" with no arguments.  The hook should
 # exit with non-zero status after issuing an appropriate message if
 # it wants to stop the commit.
 #
 # To enable this hook, rename this file to "pre-commit".
 if git rev-parse --verify HEAD >/dev/null 2>&1
 then
 	against=HEAD
 else
 	# Initial commit: diff against an empty tree object
 	against=$(git hash-object -t tree /dev/null)
 fi
 # If you want to allow non-ASCII filenames set this variable to true.
 allownonascii=$(git config --type=bool hooks.allownonascii)
 # Redirect output to stderr.
 exec 1>&2
 # Cross platform projects tend to avoid non-ASCII filenames; prevent
 # them from being added to the repository. We exploit the fact that the
 # printable range starts at the space character and ends with tilde.
 if [ "$allownonascii" != "true" ] &&
 	# Note that the use of brackets around a tr range is ok here, (it's
 	# even required, for portability to Solaris 10's /usr/bin/tr), since
 	# the square bracket bytes happen to fall in the designated range.
 	test $(git diff-index --cached --name-only --diff-filter=A -z $against |
 	  LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
 then
 	cat <<\EOF
 Error: Attempt to add a non-ASCII file name.
 This can cause problems if you want to work with people on other platforms.
 To be portable it is advisable to rename the file.
 If you know what you are doing you can disable this check using:
   git config hooks.allownonascii true
 EOF
 	exit 1
 fi
 # If there are whitespace errors, print the offending file names and fail.
 exec git diff-index --check --cached $against --

.git_backup/hooks/pre-merge-commit.sample

-13

View File

@@ -1,13 +0,0 @@
 #!/bin/sh
 #
 # An example hook script to verify what is about to be committed.
 # Called by "git merge" with no arguments.  The hook should
 # exit with non-zero status after issuing an appropriate message to
 # stderr if it wants to stop the merge commit.
 #
 # To enable this hook, rename this file to "pre-merge-commit".
 . git-sh-setup
 test -x "$GIT_DIR/hooks/pre-commit" &&
         exec "$GIT_DIR/hooks/pre-commit"
 :

.git_backup/hooks/pre-push.sample

-53

View File

@@ -1,53 +0,0 @@
 #!/bin/sh
 # An example hook script to verify what is about to be pushed.  Called by "git
 # push" after it has checked the remote status, but before anything has been
 # pushed.  If this script exits with a non-zero status nothing will be pushed.
 #
 # This hook is called with the following parameters:
 #
 # $1 -- Name of the remote to which the push is being done
 # $2 -- URL to which the push is being done
 #
 # If pushing without using a named remote those arguments will be equal.
 #
 # Information about the commits which are being pushed is supplied as lines to
 # the standard input in the form:
 #
 #   <local ref> <local oid> <remote ref> <remote oid>
 #
 # This sample shows how to prevent push of commits where the log message starts
 # with "WIP" (work in progress).
 remote="$1"
 url="$2"
 zero=$(git hash-object --stdin </dev/null | tr '[0-9a-f]' '0')
 while read local_ref local_oid remote_ref remote_oid
 do
 	if test "$local_oid" = "$zero"
 	then
 		# Handle delete
 		:
 	else
 		if test "$remote_oid" = "$zero"
 		then
 			# New branch, examine all commits
 			range="$local_oid"
 		else
 			# Update to existing branch, examine new commits
 			range="$remote_oid..$local_oid"
 		fi
 		# Check for WIP commit
 		commit=$(git rev-list -n 1 --grep '^WIP' "$range")
 		if test -n "$commit"
 		then
 			echo >&2 "Found WIP commit in $local_ref, not pushing"
 			exit 1
 		fi
 	fi
 done
 exit 0

.git_backup/hooks/pre-rebase.sample

-169

View File

@@ -1,169 +0,0 @@
 #!/bin/sh
 #
 # Copyright (c) 2006, 2008 Junio C Hamano
 #
 # The "pre-rebase" hook is run just before "git rebase" starts doing
 # its job, and can prevent the command from running by exiting with
 # non-zero status.
 #
 # The hook is called with the following parameters:
 #
 # $1 -- the upstream the series was forked from.
 # $2 -- the branch being rebased (or empty when rebasing the current branch).
 #
 # This sample shows how to prevent topic branches that are already
 # merged to 'next' branch from getting rebased, because allowing it
 # would result in rebasing already published history.
 publish=next
 basebranch="$1"
 if test "$#" = 2
 then
 	topic="refs/heads/$2"
 else
 	topic=`git symbolic-ref HEAD` ||
 	exit 0 ;# we do not interrupt rebasing detached HEAD
 fi
 case "$topic" in
 refs/heads/??/*)
 	;;
 *)
 	exit 0 ;# we do not interrupt others.
 	;;
 esac
 # Now we are dealing with a topic branch being rebased
 # on top of master.  Is it OK to rebase it?
 # Does the topic really exist?
 git show-ref -q "$topic" || {
 	echo >&2 "No such branch $topic"
 	exit 1
 }
 # Is topic fully merged to master?
 not_in_master=`git rev-list --pretty=oneline ^master "$topic"`
 if test -z "$not_in_master"
 then
 	echo >&2 "$topic is fully merged to master; better remove it."
 	exit 1 ;# we could allow it, but there is no point.
 fi
 # Is topic ever merged to next?  If so you should not be rebasing it.
 only_next_1=`git rev-list ^master "^$topic" ${publish} | sort`
 only_next_2=`git rev-list ^master           ${publish} | sort`
 if test "$only_next_1" = "$only_next_2"
 then
 	not_in_topic=`git rev-list "^$topic" master`
 	if test -z "$not_in_topic"
 	then
 		echo >&2 "$topic is already up to date with master"
 		exit 1 ;# we could allow it, but there is no point.
 	else
 		exit 0
 	fi
 else
 	not_in_next=`git rev-list --pretty=oneline ^${publish} "$topic"`
 	/usr/bin/perl -e '
 		my $topic = $ARGV[0];
 		my $msg = "* $topic has commits already merged to public branch:\n";
 		my (%not_in_next) = map {
 			/^([0-9a-f]+) /;
 			($1 => 1);
 		} split(/\n/, $ARGV[1]);
 		for my $elem (map {
 				/^([0-9a-f]+) (.*)$/;
 				[$1 => $2];
 			} split(/\n/, $ARGV[2])) {
 			if (!exists $not_in_next{$elem->[0]}) {
 				if ($msg) {
 					print STDERR $msg;
 					undef $msg;
 				}
 				print STDERR " $elem->[1]\n";
 			}
 		}
 	' "$topic" "$not_in_next" "$not_in_master"
 	exit 1
 fi
 <<\DOC_END
 This sample hook safeguards topic branches that have been
 published from being rewound.
 The workflow assumed here is:
  * Once a topic branch forks from "master", "master" is never
    merged into it again (either directly or indirectly).
  * Once a topic branch is fully cooked and merged into "master",
    it is deleted.  If you need to build on top of it to correct
    earlier mistakes, a new topic branch is created by forking at
    the tip of the "master".  This is not strictly necessary, but
    it makes it easier to keep your history simple.
  * Whenever you need to test or publish your changes to topic
    branches, merge them into "next" branch.
 The script, being an example, hardcodes the publish branch name
 to be "next", but it is trivial to make it configurable via
 $GIT_DIR/config mechanism.
 With this workflow, you would want to know:
 (1) ... if a topic branch has ever been merged to "next".  Young
     topic branches can have stupid mistakes you would rather
     clean up before publishing, and things that have not been
     merged into other branches can be easily rebased without
     affecting other people.  But once it is published, you would
     not want to rewind it.
 (2) ... if a topic branch has been fully merged to "master".
     Then you can delete it.  More importantly, you should not
     build on top of it -- other people may already want to
     change things related to the topic as patches against your
     "master", so if you need further changes, it is better to
     fork the topic (perhaps with the same name) afresh from the
     tip of "master".
 Let's look at this example:
 		   o---o---o---o---o---o---o---o---o---o "next"
 		  /       /           /           /
 		 /   a---a---b A     /           /
 		/   /               /           /
 	       /   /   c---c---c---c B         /
 	      /   /   /             \         /
 	     /   /   /   b---b C     \       /
 	    /   /   /   /             \     /
     ---o---o---o---o---o---o---o---o---o---o---o "master"
 A, B and C are topic branches.
  * A has one fix since it was merged up to "next".
  * B has finished.  It has been fully merged up to "master" and "next",
    and is ready to be deleted.
  * C has not merged to "next" at all.
 We would want to allow C to be rebased, refuse A, and encourage
 B to be deleted.
 To compute (1):
 	git rev-list ^master ^topic next
 	git rev-list ^master        next
 	if these match, topic has not merged in next at all.
 To compute (2):
 	git rev-list master..topic
 	if this is empty, it is fully merged to "master".
 DOC_END

.git_backup/hooks/pre-receive.sample

-24

View File

@@ -1,24 +0,0 @@
 #!/bin/sh
 #
 # An example hook script to make use of push options.
 # The example simply echoes all push options that start with 'echoback='
 # and rejects all pushes when the "reject" push option is used.
 #
 # To enable this hook, rename this file to "pre-receive".
 if test -n "$GIT_PUSH_OPTION_COUNT"
 then
 	i=0
 	while test "$i" -lt "$GIT_PUSH_OPTION_COUNT"
 	do
 		eval "value=\$GIT_PUSH_OPTION_$i"
 		case "$value" in
 		echoback=*)
 			echo "echo from the pre-receive-hook: ${value#*=}" >&2
 			;;
 		reject)
 			exit 1
 		esac
 		i=$((i + 1))
 	done
 fi

.git_backup/hooks/prepare-commit-msg.sample

-42

View File

@@ -1,42 +0,0 @@
 #!/bin/sh
 #
 # An example hook script to prepare the commit log message.
 # Called by "git commit" with the name of the file that has the
 # commit message, followed by the description of the commit
 # message's source.  The hook's purpose is to edit the commit
 # message file.  If the hook fails with a non-zero status,
 # the commit is aborted.
 #
 # To enable this hook, rename this file to "prepare-commit-msg".
 # This hook includes three examples. The first one removes the
 # "# Please enter the commit message..." help message.
 #
 # The second includes the output of "git diff --name-status -r"
 # into the message, just before the "git status" output.  It is
 # commented because it doesn't cope with --amend or with squashed
 # commits.
 #
 # The third example adds a Signed-off-by line to the message, that can
 # still be edited.  This is rarely a good idea.
 COMMIT_MSG_FILE=$1
 COMMIT_SOURCE=$2
 SHA1=$3
 /usr/bin/perl -i.bak -ne 'print unless(m/^. Please enter the commit message/..m/^#$/)' "$COMMIT_MSG_FILE"
 # case "$COMMIT_SOURCE,$SHA1" in
 #  ,|template,)
 #    /usr/bin/perl -i.bak -pe '
 #       print "\n" . `git diff --cached --name-status -r`
 # 	 if /^#/ && $first++ == 0' "$COMMIT_MSG_FILE" ;;
 #  *) ;;
 # esac
 # SOB=$(git var GIT_COMMITTER_IDENT | sed -n 's/^\(.*>\).*$/Signed-off-by: \1/p')
 # git interpret-trailers --in-place --trailer "$SOB" "$COMMIT_MSG_FILE"
 # if test -z "$COMMIT_SOURCE"
 # then
 #   /usr/bin/perl -i.bak -pe 'print "\n" if !$first_line++' "$COMMIT_MSG_FILE"
 # fi

.git_backup/hooks/push-to-checkout.sample

-78

View File

@@ -1,78 +0,0 @@
 #!/bin/sh
 # An example hook script to update a checked-out tree on a git push.
 #
 # This hook is invoked by git-receive-pack(1) when it reacts to git
 # push and updates reference(s) in its repository, and when the push
 # tries to update the branch that is currently checked out and the
 # receive.denyCurrentBranch configuration variable is set to
 # updateInstead.
 #
 # By default, such a push is refused if the working tree and the index
 # of the remote repository has any difference from the currently
 # checked out commit; when both the working tree and the index match
 # the current commit, they are updated to match the newly pushed tip
 # of the branch. This hook is to be used to override the default
 # behaviour; however the code below reimplements the default behaviour
 # as a starting point for convenient modification.
 #
 # The hook receives the commit with which the tip of the current
 # branch is going to be updated:
 commit=$1
 # It can exit with a non-zero status to refuse the push (when it does
 # so, it must not modify the index or the working tree).
 die () {
 	echo >&2 "$*"
 	exit 1
 }
 # Or it can make any necessary changes to the working tree and to the
 # index to bring them to the desired state when the tip of the current
 # branch is updated to the new commit, and exit with a zero status.
 #
 # For example, the hook can simply run git read-tree -u -m HEAD "$1"
 # in order to emulate git fetch that is run in the reverse direction
 # with git push, as the two-tree form of git read-tree -u -m is
 # essentially the same as git switch or git checkout that switches
 # branches while keeping the local changes in the working tree that do
 # not interfere with the difference between the branches.
 # The below is a more-or-less exact translation to shell of the C code
 # for the default behaviour for git's push-to-checkout hook defined in
 # the push_to_deploy() function in builtin/receive-pack.c.
 #
 # Note that the hook will be executed from the repository directory,
 # not from the working tree, so if you want to perform operations on
 # the working tree, you will have to adapt your code accordingly, e.g.
 # by adding "cd .." or using relative paths.
 if ! git update-index -q --ignore-submodules --refresh
 then
 	die "Up-to-date check failed"
 fi
 if ! git diff-files --quiet --ignore-submodules --
 then
 	die "Working directory has unstaged changes"
 fi
 # This is a rough translation of:
 #
 #   head_has_history() ? "HEAD" : EMPTY_TREE_SHA1_HEX
 if git cat-file -e HEAD 2>/dev/null
 then
 	head=HEAD
 else
 	head=$(git hash-object -t tree --stdin </dev/null)
 fi
 if ! git diff-index --quiet --cached --ignore-submodules $head --
 then
 	die "Working directory has staged changes"
 fi
 if ! git read-tree -u -m "$commit"
 then
 	die "Could not update working tree to new HEAD"
 fi

.git_backup/hooks/sendemail-validate.sample

-77

View File

@@ -1,77 +0,0 @@
 #!/bin/sh
 # An example hook script to validate a patch (and/or patch series) before
 # sending it via email.
 #
 # The hook should exit with non-zero status after issuing an appropriate
 # message if it wants to prevent the email(s) from being sent.
 #
 # To enable this hook, rename this file to "sendemail-validate".
 #
 # By default, it will only check that the patch(es) can be applied on top of
 # the default upstream branch without conflicts in a secondary worktree. After
 # validation (successful or not) of the last patch of a series, the worktree
 # will be deleted.
 #
 # The following config variables can be set to change the default remote and
 # remote ref that are used to apply the patches against:
 #
 #   sendemail.validateRemote (default: origin)
 #   sendemail.validateRemoteRef (default: HEAD)
 #
 # Replace the TODO placeholders with appropriate checks according to your
 # needs.
 validate_cover_letter () {
 	file="$1"
 	# TODO: Replace with appropriate checks (e.g. spell checking).
 	true
 }
 validate_patch () {
 	file="$1"
 	# Ensure that the patch applies without conflicts.
 	git am -3 "$file" || return
 	# TODO: Replace with appropriate checks for this patch
 	# (e.g. checkpatch.pl).
 	true
 }
 validate_series () {
 	# TODO: Replace with appropriate checks for the whole series
 	# (e.g. quick build, coding style checks, etc.).
 	true
 }
 # main -------------------------------------------------------------------------
 if test "$GIT_SENDEMAIL_FILE_COUNTER" = 1
 then
 	remote=$(git config --default origin --get sendemail.validateRemote) &&
 	ref=$(git config --default HEAD --get sendemail.validateRemoteRef) &&
 	worktree=$(mktemp --tmpdir -d sendemail-validate.XXXXXXX) &&
 	git worktree add -fd --checkout "$worktree" "refs/remotes/$remote/$ref" &&
 	git config --replace-all sendemail.validateWorktree "$worktree"
 else
 	worktree=$(git config --get sendemail.validateWorktree)
 fi || {
 	echo "sendemail-validate: error: failed to prepare worktree" >&2
 	exit 1
 }
 unset GIT_DIR GIT_WORK_TREE
 cd "$worktree" &&
 if grep -q "^diff --git " "$1"
 then
 	validate_patch "$1"
 else
 	validate_cover_letter "$1"
 fi &&
 if test "$GIT_SENDEMAIL_FILE_COUNTER" = "$GIT_SENDEMAIL_FILE_TOTAL"
 then
 	git config --unset-all sendemail.validateWorktree &&
 	trap 'git worktree remove -ff "$worktree"' EXIT &&
 	validate_series
 fi

.git_backup/hooks/update.sample

-128

View File

@@ -1,128 +0,0 @@
 #!/bin/sh
 #
 # An example hook script to block unannotated tags from entering.
 # Called by "git receive-pack" with arguments: refname sha1-old sha1-new
 #
 # To enable this hook, rename this file to "update".
 #
 # Config
 # ------
 # hooks.allowunannotated
 #   This boolean sets whether unannotated tags will be allowed into the
 #   repository.  By default they won't be.
 # hooks.allowdeletetag
 #   This boolean sets whether deleting tags will be allowed in the
 #   repository.  By default they won't be.
 # hooks.allowmodifytag
 #   This boolean sets whether a tag may be modified after creation. By default
 #   it won't be.
 # hooks.allowdeletebranch
 #   This boolean sets whether deleting branches will be allowed in the
 #   repository.  By default they won't be.
 # hooks.denycreatebranch
 #   This boolean sets whether remotely creating branches will be denied
 #   in the repository.  By default this is allowed.
 #
 # --- Command line
 refname="$1"
 oldrev="$2"
 newrev="$3"
 # --- Safety check
 if [ -z "$GIT_DIR" ]; then
 	echo "Don't run this script from the command line." >&2
 	echo " (if you want, you could supply GIT_DIR then run" >&2
 	echo "  $0 <ref> <oldrev> <newrev>)" >&2
 	exit 1
 fi
 if [ -z "$refname" -o -z "$oldrev" -o -z "$newrev" ]; then
 	echo "usage: $0 <ref> <oldrev> <newrev>" >&2
 	exit 1
 fi
 # --- Config
 allowunannotated=$(git config --type=bool hooks.allowunannotated)
 allowdeletebranch=$(git config --type=bool hooks.allowdeletebranch)
 denycreatebranch=$(git config --type=bool hooks.denycreatebranch)
 allowdeletetag=$(git config --type=bool hooks.allowdeletetag)
 allowmodifytag=$(git config --type=bool hooks.allowmodifytag)
 # check for no description
 projectdesc=$(sed -e '1q' "$GIT_DIR/description")
 case "$projectdesc" in
 "Unnamed repository"* | "")
 	echo "*** Project description file hasn't been set" >&2
 	exit 1
 	;;
 esac
 # --- Check types
 # if $newrev is 0000...0000, it's a commit to delete a ref.
 zero=$(git hash-object --stdin </dev/null | tr '[0-9a-f]' '0')
 if [ "$newrev" = "$zero" ]; then
 	newrev_type=delete
 else
 	newrev_type=$(git cat-file -t $newrev)
 fi
 case "$refname","$newrev_type" in
 	refs/tags/*,commit)
 		# un-annotated tag
 		short_refname=${refname##refs/tags/}
 		if [ "$allowunannotated" != "true" ]; then
 			echo "*** The un-annotated tag, $short_refname, is not allowed in this repository" >&2
 			echo "*** Use 'git tag [ -a | -s ]' for tags you want to propagate." >&2
 			exit 1
 		fi
 		;;
 	refs/tags/*,delete)
 		# delete tag
 		if [ "$allowdeletetag" != "true" ]; then
 			echo "*** Deleting a tag is not allowed in this repository" >&2
 			exit 1
 		fi
 		;;
 	refs/tags/*,tag)
 		# annotated tag
 		if [ "$allowmodifytag" != "true" ] && git rev-parse $refname > /dev/null 2>&1
 		then
 			echo "*** Tag '$refname' already exists." >&2
 			echo "*** Modifying a tag is not allowed in this repository." >&2
 			exit 1
 		fi
 		;;
 	refs/heads/*,commit)
 		# branch
 		if [ "$oldrev" = "$zero" -a "$denycreatebranch" = "true" ]; then
 			echo "*** Creating a branch is not allowed in this repository" >&2
 			exit 1
 		fi
 		;;
 	refs/heads/*,delete)
 		# delete branch
 		if [ "$allowdeletebranch" != "true" ]; then
 			echo "*** Deleting a branch is not allowed in this repository" >&2
 			exit 1
 		fi
 		;;
 	refs/remotes/*,commit)
 		# tracking branch
 		;;
 	refs/remotes/*,delete)
 		# delete tracking branch
 		if [ "$allowdeletebranch" != "true" ]; then
 			echo "*** Deleting a tracking branch is not allowed in this repository" >&2
 			exit 1
 		fi
 		;;
 	*)
 		# Anything else (is there anything else?)
 		echo "*** Update hook: unknown type of update to ref $refname of type $newrev_type" >&2
 		exit 1
 		;;
 esac
 # --- Finished
 exit 0

.git_backup/index

BIN

View File

Binary file not shown.

.git_backup/info/exclude

-6

View File

@@ -1,6 +0,0 @@
 # git ls-files --others --exclude-from=.git/info/exclude
 # Lines that start with '#' are comments.
 # For a project mostly in C, the following would be a good set of
 # exclude patterns (uncomment them if you want to use them):
 # *.[oa]
 # *~

.git_backup/logs/HEAD

-14

View File

@@ -1,14 +0,0 @@
 0000000000000000000000000000000000000000 8ed321f2bac0323dabc313a100504ca0a6e9af66 anoracleofra-code <anoracleofra@gmail.com> 1772689448 -0700	commit (initial): Initial commit: ShadowBroker v0.1
 ed321f2bac0323dabc313a100504ca0a6e9af66 0000000000000000000000000000000000000000 anoracleofra-code <anoracleofra@gmail.com> 1772689448 -0700	Branch: renamed refs/heads/master to refs/heads/main
 0000000000000000000000000000000000000000 8ed321f2bac0323dabc313a100504ca0a6e9af66 anoracleofra-code <anoracleofra@gmail.com> 1772689448 -0700	Branch: renamed refs/heads/master to refs/heads/main
 ed321f2bac0323dabc313a100504ca0a6e9af66 3888c91ab35178f779c7fa29f3cb1d33c65116c4 anoracleofra-code <anoracleofra@gmail.com> 1772691134 -0700	commit: feat: add cross-platform start.sh script and update package.json for macOS/Linux
 c91ab35178f779c7fa29f3cb1d33c65116c4 e1f4ac2cfb114de61c0d83234b8d2deb545b2301 anoracleofra-code <anoracleofra@gmail.com> 1773000243 -0600	commit: feat: add Docker publishing via GitHub Actions
 e1f4ac2cfb114de61c0d83234b8d2deb545b2301 e1f4ac2cfb114de61c0d83234b8d2deb545b2301 anoracleofra-code <anoracleofra@gmail.com> 1773000289 -0600	reset: moving to HEAD
 e1f4ac2cfb114de61c0d83234b8d2deb545b2301 313aa32a9b08c1ddce4e9c801bdda210e136d67f anoracleofra-code <anoracleofra@gmail.com> 1773000292 -0600	pull --rebase origin main (start): checkout 313aa32a9b08c1ddce4e9c801bdda210e136d67f
 aa32a9b08c1ddce4e9c801bdda210e136d67f 36c92881c85d3de23f1bb1cbb19d961a3fe2153e anoracleofra-code <anoracleofra@gmail.com> 1773000292 -0600	pull --rebase origin main (pick): feat: add Docker publishing via GitHub Actions
 c92881c85d3de23f1bb1cbb19d961a3fe2153e 36c92881c85d3de23f1bb1cbb19d961a3fe2153e anoracleofra-code <anoracleofra@gmail.com> 1773000292 -0600	pull --rebase origin main (finish): returning to refs/heads/main
 c92881c85d3de23f1bb1cbb19d961a3fe2153e 9802fe55a36a903ee68631f48a65d3a2ed180414 anoracleofra-code <anoracleofra@gmail.com> 1773001228 -0600	commit: fix: make dev scripts cross-platform compatible
 fe55a36a903ee68631f48a65d3a2ed180414 b57830c1a6b44c36ce83a5acba2bca7b403a2e92 anoracleofra-code <anoracleofra@gmail.com> 1773001476 -0600	commit: fix: make test_trace.py curl commands OS-agnostic
 b57830c1a6b44c36ce83a5acba2bca7b403a2e92 15f1a1dc3ccce735bbeecf4589d935e56254f018 anoracleofra-code <anoracleofra@gmail.com> 1773001674 -0600	commit: bump: release v0.2.0
 f1a1dc3ccce735bbeecf4589d935e56254f018 7976602b67bd7bebb98837fcefa21a07ed2de01d anoracleofra-code <anoracleofra@gmail.com> 1773003311 -0600	commit: fix: integrate AI cross-platform start scripts
 7976602b67bd7bebb98837fcefa21a07ed2de01d 5926084a17082014b2ce2aa7ffdcb8367c79975b anoracleofra-code <anoracleofra@gmail.com> 1773003718 -0600	commit: fix: resolve satellite NORAD ID lookup to fix propagation loop

.git_backup/logs/refs/heads/main

-10

View File

@@ -1,10 +0,0 @@
 0000000000000000000000000000000000000000 8ed321f2bac0323dabc313a100504ca0a6e9af66 anoracleofra-code <anoracleofra@gmail.com> 1772689448 -0700	commit (initial): Initial commit: ShadowBroker v0.1
 ed321f2bac0323dabc313a100504ca0a6e9af66 8ed321f2bac0323dabc313a100504ca0a6e9af66 anoracleofra-code <anoracleofra@gmail.com> 1772689448 -0700	Branch: renamed refs/heads/master to refs/heads/main
 ed321f2bac0323dabc313a100504ca0a6e9af66 3888c91ab35178f779c7fa29f3cb1d33c65116c4 anoracleofra-code <anoracleofra@gmail.com> 1772691134 -0700	commit: feat: add cross-platform start.sh script and update package.json for macOS/Linux
 c91ab35178f779c7fa29f3cb1d33c65116c4 e1f4ac2cfb114de61c0d83234b8d2deb545b2301 anoracleofra-code <anoracleofra@gmail.com> 1773000243 -0600	commit: feat: add Docker publishing via GitHub Actions
 e1f4ac2cfb114de61c0d83234b8d2deb545b2301 36c92881c85d3de23f1bb1cbb19d961a3fe2153e anoracleofra-code <anoracleofra@gmail.com> 1773000292 -0600	pull --rebase origin main (finish): refs/heads/main onto 313aa32a9b08c1ddce4e9c801bdda210e136d67f
 c92881c85d3de23f1bb1cbb19d961a3fe2153e 9802fe55a36a903ee68631f48a65d3a2ed180414 anoracleofra-code <anoracleofra@gmail.com> 1773001228 -0600	commit: fix: make dev scripts cross-platform compatible
 fe55a36a903ee68631f48a65d3a2ed180414 b57830c1a6b44c36ce83a5acba2bca7b403a2e92 anoracleofra-code <anoracleofra@gmail.com> 1773001476 -0600	commit: fix: make test_trace.py curl commands OS-agnostic
 b57830c1a6b44c36ce83a5acba2bca7b403a2e92 15f1a1dc3ccce735bbeecf4589d935e56254f018 anoracleofra-code <anoracleofra@gmail.com> 1773001674 -0600	commit: bump: release v0.2.0
 f1a1dc3ccce735bbeecf4589d935e56254f018 7976602b67bd7bebb98837fcefa21a07ed2de01d anoracleofra-code <anoracleofra@gmail.com> 1773003311 -0600	commit: fix: integrate AI cross-platform start scripts
 7976602b67bd7bebb98837fcefa21a07ed2de01d 5926084a17082014b2ce2aa7ffdcb8367c79975b anoracleofra-code <anoracleofra@gmail.com> 1773003718 -0600	commit: fix: resolve satellite NORAD ID lookup to fix propagation loop

.git_backup/logs/refs/remotes/origin/main

-9

View File

@@ -1,9 +0,0 @@
 0000000000000000000000000000000000000000 8ed321f2bac0323dabc313a100504ca0a6e9af66 anoracleofra-code <anoracleofra@gmail.com> 1772690425 -0700	update by push
 ed321f2bac0323dabc313a100504ca0a6e9af66 3888c91ab35178f779c7fa29f3cb1d33c65116c4 anoracleofra-code <anoracleofra@gmail.com> 1772691136 -0700	update by push
 c91ab35178f779c7fa29f3cb1d33c65116c4 313aa32a9b08c1ddce4e9c801bdda210e136d67f anoracleofra-code <anoracleofra@gmail.com> 1773000292 -0600	pull --rebase origin main: fast-forward
 aa32a9b08c1ddce4e9c801bdda210e136d67f 36c92881c85d3de23f1bb1cbb19d961a3fe2153e anoracleofra-code <anoracleofra@gmail.com> 1773000299 -0600	update by push
 c92881c85d3de23f1bb1cbb19d961a3fe2153e 9802fe55a36a903ee68631f48a65d3a2ed180414 anoracleofra-code <anoracleofra@gmail.com> 1773001230 -0600	update by push
 fe55a36a903ee68631f48a65d3a2ed180414 b57830c1a6b44c36ce83a5acba2bca7b403a2e92 anoracleofra-code <anoracleofra@gmail.com> 1773001477 -0600	update by push
 b57830c1a6b44c36ce83a5acba2bca7b403a2e92 15f1a1dc3ccce735bbeecf4589d935e56254f018 anoracleofra-code <anoracleofra@gmail.com> 1773001675 -0600	update by push
 f1a1dc3ccce735bbeecf4589d935e56254f018 7976602b67bd7bebb98837fcefa21a07ed2de01d anoracleofra-code <anoracleofra@gmail.com> 1773003313 -0600	update by push
 7976602b67bd7bebb98837fcefa21a07ed2de01d 5926084a17082014b2ce2aa7ffdcb8367c79975b anoracleofra-code <anoracleofra@gmail.com> 1773003720 -0600	update by push

.git_backup/objects/00/0c7b3641eea0aa051e1864add55d83992a5357

BIN

View File

Binary file not shown.

.git_backup/objects/00/4145cddf3f9db91b57b9cb596683c8eb420862

-2

View File

@@ -1,2 +0,0 @@
 x]PËnƒ0ì§¬Ü³¯�yT)=qWî¤!!/%ÔD|}×iUÔÊÞÃÎxvÖsìÆ#˜”^vww�óµë21ŒC#À]›å}|dB�Šø
 xôÝpÏD;ÏÓ[,Ë‚‹Áñv	´R*à	"ßMõÜÂ)%…h�ÚÊbH5ñ >�Äø�b‚:ÝÿÂ�¢J@„ÖyÕ^³Ü×S!/Ð&õ_�;ÉÕK�r2.'maéÍ�}‰•›I*SØJ#éi4	Øµ´Hl+1ÒŽPÛÖÓ•]{�€icnŸDÁ?[ûop{íéŠhðÑ]'yûìšL4®ÆÓIüDûE£�ùä;Ÿ_þ©¤d

.git_backup/objects/00/5d550868a94b04b9b99f5b9dbf5f0ef2902038

BIN

View File

Binary file not shown.

.git_backup/objects/00/a1ecd6c2500823b306477925cdda88895339ed

BIN

View File

Binary file not shown.

.git_backup/objects/01/e847a3662443a077457309508e69d298187dd5

BIN

View File

Binary file not shown.

.git_backup/objects/03/1f4cd009c88f1884f89e09701c54250db9f7dd

BIN

View File

Binary file not shown.

.git_backup/objects/04/e7f9f09ac5148e78f35a6944019956da91a8a3

-2

View File

@@ -1,2 +0,0 @@
 x+)JMU01c040031QHÉOÎN-Ň-(MĘÉ,ÎĐ«ĚÍa¨3łžŐŇ|Ę„ńlYaďMČźß
 Ő

.git_backup/objects/05/e726d1b4201bc8c7716d2b058279676582e8c0

BIN

View File

Binary file not shown.

.git_backup/objects/06/24188f733e50f473fcc76fa240603908d17b34

-2

View File

@@ -1,2 +0,0 @@
 x5ÌKÂ0EQÆYÀÊ§ ¸{qS§�T¥!PwOR‰¡¯Îó´íÓU=_G¹Pôˆ”4 Dýx»§Ðƒ6 Åá| `yì)ó)eNˆè3‘ø]9—Œ¨Á(�‚b¶+Ïuë¨}•`D<f
 ÅÛ5ó¿o™Kña9×'Üèø&¿¬eD÷g³S-ÞÕ-ï5# tË?H)<

.git_backup/objects/09/2864b46695d4c516c75e35c47c1adb9c04bfc6

-1

View File

				`@@ -1 +0,0 @@`
				xuRMK$1õÜ¿¢ô’Â",‚0‡]?`ÁƒàžV$d’j'šIštzÚYñ¿[•žÖ‘Á\R�zïUÕëZú¸„³³ŸGnÝÆ”!vÕ.úïÚÆy¬*‹

.git_backup/objects/0a/0e8c8841c45541a696194004d79b48cb9e30b2

BIN

View File

Binary file not shown.

.git_backup/objects/0b/54a9eb5b9ddcc67495af3a0ba54a0fe28c5ec3

-3

View File

@@ -1,3 +0,0 @@
 xePËNÃ0äì¯X©'RÑê
 µ©T¡’*Q8¸Î¢X$^coúø{â»—ÑŽæaïÚÁtzµ,ò5¸×dgwÉ$•¡1Ïyñ¸Xp«œâV6°j¨Ð¡ÐjƒAÌóÍ+xüîŒÇ-‡„�‰(¶OàŒó+’Ò’ÔJ×(+ãAú¢1'w‚@�×š*<Û'½_$=*FP`ÉJOÄÐôðIêÎ>
 ±ªªBÊp

.git_backup/objects/0d/bbcdfd9d4770c10324f4367a23d21fc8a56df8

-4

View File

@@ -1,4 +0,0 @@
 x¥TkOÛ0ÝçüŠC@ljÚ‚4i�@��Š
 ª–mšBnbˆÁ±ƒí¤ðe¿}×iÓ–A7‘š¸Ö}œ{î½g$õ�÷6ß¬®´FBµFÌ¦�S�pûeO8u0Ä!>a'ø‰]è{„úMúe,>¢…¯Bw:fÝÖî/K¾]»‡A°Š½”Ç7¸ÔÇ:áÑµ
 Ä%Vë,c*A³„Ê34vÐJxÙR…”áR®Â�		g+ç8NÝÊVX(í ”uLJžDèKÎ,¯oêDXO�Ëm·ÕR”ùÚFÚ\µ6ÂIà;áÐ	.ÅCˆý{—j… ÿëôðäøbïÛþvzÄxóÊhkæE×©)"ŸŠñü>‚åOsRãù//uuQ§ýnNÎÄ}	9Ó¼=Çw+Ô&!ºX›W‰õµõÅ¿ÍfÉ�DãæN£³A„Ó|áÎw‰0<vÚÜcœrÃéŽPÛØˆÜAŠ’[ÂEc!é`
 ¥|ÊK£30u©cæ(îF0Üôú§û½Áv¸¶' 7EV,ãtl‡!

.git_backup/objects/12/260dec60876b7b074c4a9c5a23a7a8e88ec781

BIN

View File

Binary file not shown.

.git_backup/objects/12/d0835a0d871fde9f68f23cdb98812e68dd9c87

BIN

View File

Binary file not shown.

.git_backup/objects/13/e9a744bdf5084cdf9d4c287919a54a992d2b9e

BIN

View File

Binary file not shown.

.git_backup/objects/15/0fd9eca806699b6d42ce4a362309f3e8af3376

BIN

View File

Binary file not shown.

.git_backup/objects/15/f1a1dc3ccce735bbeecf4589d935e56254f018

-2

View File

@@ -1,2 +0,0 @@
 x¥Î1Â0@QæœÂ rãÔiB\Åq]@j
 �óÃÈÎú†¯¯µ”[?Ñ®73'\—d*32§”y	^-±'L+Ù,+Qd÷�f÷yŠ3¡ŽÂ9%V›I&Ñ,>«Ä�Ä[òN^ýZÈ½6ÑÍêÚd¯u18þÒùRä¶

.git_backup/objects/17/bd77c3ce5c05362862da00d24b518757613a79

-2

View File

@@ -1,2 +0,0 @@
 x=NMKÄ0õÜ_1¤)hzØ“—¥Å]VÁch“)F’LM¦*ˆÿÝtÞÞÇ¼÷fð4ÀÕfsæÂD‰!¿yÇx]”rUÙAO=¿À
 P–’¯ä¢ø#Ö¥ØZ�Î£Öí4Æð»´CÓV†b,ÉµV.

.git_backup/objects/18/bb9ea01c96ecd121122a5c573121cad18ac269

BIN

View File

Binary file not shown.

.git_backup/objects/18/d9b32efef6556ff8f7eaa1df6aca571e92671d

-2

View File

@@ -1,2 +0,0 @@
 xm‘Ñjƒ@Eû)âsÖ5jÒH -¶-�† “ucÇ]»n(¡ôß;cI¡ozæÞëg‡ne"¿ûŽ ¦±ñC?®?ŠxÅÊmð'Fe.³UÉmCà>I’é"™ÙŒbi:Í¥�iF�‰ §ƒ†ÚŒ~§^s^ð Z]W{4Í!p®ó¦1¶B§hn�ˆÄj=„¿ä¢²Ð�1ïåSù²{�Ú¸×�èsÁ¸q¹ë&�«5r™Õó2ã
 F�“3&0—‹"e6ôšj¶Ö…�ùtÎìó_-ë)«Àx4VWŠ"™_˜ò°•‚ wþ�=‚Õãµ•ë55sž=o;°Ñ’¸	®¢[ÿ«v=Þ(‡gwolËÚÔðR›ÍåtŸë±&|’¤(d*¤Èävûó¿ž•ß

.git_backup/objects/19/9c8084a456a073d59ed94010c3f75c33c16c34

BIN

View File

Binary file not shown.

.git_backup/objects/1a/bc54e1f9e4d27c5b7a784ccc7cd86ca16db854

BIN

View File

Binary file not shown.

.git_backup/objects/1b/ce9433355ec25dd09d566a5a7c82fc4ccf8fe9

BIN

View File

Binary file not shown.

.git_backup/objects/1c/9b7b69d705d0540593a971a0c45d2b71cf4379

-3

View File

@@ -1,3 +0,0 @@
 xm‘]OÂ0†½æWœx³-*à…!ñ‚à‚Á¯©Ä˜R
 «Ôv¶?¢üwÛ³@ÝÅÚµïûžóœ�”ÁÑÁá–|)ŒExvF×ªýÜ*%Gu+^çÂa†ö³UÿŒ28!m]6vñ¦´î?M!tåˆE«ÑP†3•‡ãf³Ù`…l(ù&öBP”ø
 l'	eÓ-ã31ö5‚¢>GÕÙÓDÉiŽ.Ú…áciáFë¼økAî‰±€ 5T–²éÐ8÷",ã˜ŸÈê£¢Áå �Ê8Rä�?zCO.¾Ív`ŸêVjŒ'ÛÙM»ÓOOáì¢wÞÍn[ð¥<{U<YÀ7t(Î_”Y‹í5V—Ë"4¿"¥“5>ü,Ä/<ðH·‚CâªYyG šë™6ïz

.git_backup/objects/1e/0e6224abbf09c1fd34c008a56d78efef579506

BIN

View File

Binary file not shown.

.git_backup/objects/1f/0292bf696045012b3e24496edf2f87b73345ef

BIN

View File

Binary file not shown.

.git_backup/objects/1f/21942e66289052ece907f30ab629777e94382a

BIN

View File

Binary file not shown.

.git_backup/objects/1f/c6982631e7cc5c3d60ea0d5199524bb80682aa

BIN

View File

Binary file not shown.

.git_backup/objects/21/37046acaa8ebd01c7a0f03b69d519277b43a91

BIN

View File

Binary file not shown.

.git_backup/objects/21/d9bed2477c6f71e758c696b5e5df6b7b678680

BIN

View File

Binary file not shown.

.git_backup/objects/23/05c1df8815315d0aaa7a98195972effdb1fe96

BIN

View File

Binary file not shown.

.git_backup/objects/23/b7bd3dc49b0779fa09ecb1779220c4a3626bf7

BIN

View File

Binary file not shown.

.git_backup/objects/23/cf0cd2b92bce28c73af6793df233b52c5dea55

BIN

View File

Binary file not shown.

.git_backup/objects/24/ea56aba9840f1eef220ffa99e736b9e1d3595e

BIN

View File

Binary file not shown.

.git_backup/objects/26/84942ccc6886d499be86d165d9970e94c20ba2

-2

View File

@@ -1,2 +0,0 @@
 xTínÓ0åwžâ,Ch5i5	‰¢!±`°iELhš�“Ü®fŽl§Û¤	ñüáy®“fë(hP©MåØ÷Ÿ�›)“aðxðäÞòRšI�fÂM"Ê'ñúÝ>ñì8€^á9¶°‡Clà€Ÿ»Øæ'Ðão)ò½R¼–º>ÇÈëyµ;~·æëÝñ8Š–±9¡üccñÖ”|r‘c	¹)K¡ô¦ÐU‰Ï�4MuÔSø	éˆq %áhéÛ{Ãf¯tÐÆCjç…RT$ØW$u+]#¬L¼¯Ü0M5wþäcOÒÕ¸-|.=ÑXÞ„¸á'F/ ¬šåµ¿FÙíÿ#Ò¶Ö’AÿÑ5Üöø-pg”<<Æˆ¼—úu…
 ‘Ÿ³¹§Ò]’öI’ÄQ^ k_…;1ï½ñ”ô4Æñ"Ï\tÓ’hªÎ ½—Ö×B-Têt×ì•%›Ÿ†ÒkŒ;Hf‡± Š¡’Î%¹d@v„øþÞèÝ‡ýíëëˆKwáb\^þ²œ_œœIÍØçÁ/cG#p¦$£	¶ÖŽMÄôK�—¬ô'

.git_backup/objects/26/acc242a5d0a3af1c67ce51279ea66ddf4d9daf.REMOVED.git-id

-1

View File

				`@@ -1 +0,0 @@`
				`80e634e8cb3b574407a0eeba8f467ab97ac515d9`

.git_backup/objects/27/49617380ea44a75c5c8bbc1fa9913c00261a93

BIN

View File

Binary file not shown.

.git_backup/objects/28/0988df25f97f970fe55153be3f6a6c93b2ecc5

BIN

View File

Binary file not shown.

.git_backup/objects/28/4d785386dbdaff35e02eb3e00c97bf47fa14d5

BIN

View File

Binary file not shown.

.git_backup/objects/29/4c55e60de8b1ff40e93254653b9d2b923a85b1

-1

View File

				`@@ -1 +0,0 @@`
				x¥�1N1E©÷s� ñØÞõF èè¨Çžqb‘]G‡óã&=íÓ×{ú©.Ki`ÝôÐ6UpœY‰‚e4èœŽ8{ï,æ9ˆó˜e.¼éÚ@Mvœ(åhŒMB –¬‹AH4zç#Y4÷ýìƒR��GäM¤LI{Lì$syöÒ¥ßÚ©nÀkÝ8�µæ�w©ŠÂá/z>.\Î�©.O`¦É"vw€ŽˆC§ý[ÓÿY†¯�O¨+ôÐº¿ÿ…¬ÜöÀ"ðZÓwO\nñ\®§²á§0¼•ö~‹ð’Z©ëõ«“oL

.git_backup/objects/2a/8a913698e7be519d1dfd6a55de6462aee4a993

BIN

View File

Binary file not shown.

.git_backup/objects/2a/983fefcd9103de7a812a1e9d546e1c68939e17

BIN

View File

Binary file not shown.

.git_backup/objects/2b/19e1d681ba6d10afec1eebdc51c5d28ade4a0b

-3

View File

@@ -1,3 +0,0 @@
 x…’ÍnÛ0„sÖSlˆ¨ÂV‘(
 F�¢ÇâCA`Sm+ï*äÊN`øÝKÚJäÒÿö›Yu\Á×o—g–)ìÁ=;»|!X€wOz§•m±«W½gëBPù÷ìTÞiß—¥õtÚ„÷gÍ‘ÁÊØ¿Žê_ècI¢
 ïw[§W«=™�›�«&Å£íO¤Äœ¬}g¤a¿�Åbj‡tu©2€'Ñ?Œ¤§^Q2)¨8.Ç^Bšö/Ò2ñâ*�hù?´Bš°«d.Ãôy¢	)>=ZÍsØGÑw®pÞ³×ëûó¸=¶…TÄ

.git_backup/objects/2b/64633521ffb6f06da36e19f5c8eb86979e2187.REMOVED.git-id

-1

View File

				`@@ -1 +0,0 @@`
				`935c0acf334bb5cb749fa4b9731d8d9db3662dfa`

.git_backup/objects/2c/1e96bc92a69c971573e59a47f37ed57eb292f6

BIN

View File

Binary file not shown.

.git_backup/objects/2c/423ed84a90631555b436000b245597387fddf7

BIN

View File

Binary file not shown.

.git_backup/objects/2c/dfd3e66698c5c329ca7d40c2d87bb597809a02

BIN

View File

Binary file not shown.

.git_backup/objects/2e/0bfdb09af620ead4ca1f1d20df49274bdd1a4c

BIN

View File

Binary file not shown.

.git_backup/objects/31/1559f2cbffc604239cf2927ceb68bb8ed419e8

BIN

View File

Binary file not shown.

.git_backup/objects/31/3aa32a9b08c1ddce4e9c801bdda210e136d67f

BIN

View File

Binary file not shown.

.git_backup/objects/33/08e00e620f72fe49ebfa05cbca39430544ea1a

BIN

View File

Binary file not shown.

.git_backup/objects/34/abe1085264febbd8922ed8a86ca4a04a34f58f

BIN

View File

Binary file not shown.

.git_backup/objects/36/c92881c85d3de23f1bb1cbb19d961a3fe2153e

-1

View File

				`@@ -1 +0,0 @@`
				`x�ÎMNÄ0@aÖ9…/0Èù!iB !Á5Û�‰¦mF™”óÓÖlßâÓã¶®u€KùatU˜sr“‹9$.þÉeq�E$/œ=ù¨a²bnÔuà'òŽrÁ‰kÐÌÚ"BÎ¢Z%¦ÙÐ>.m/ÚæN'n¢ðò7½�WªË#·õlJ]ðpÂˆhŽz¼ý—’Ý¯bf¥ñ$�¯‡vÛËRï—º�á»\|ÖñµxçQÛv7?ð®[É`