Skip to content

fix(feeds): allowlist war.gov + thenationalnews.com + trumpstruth.org — unblock feed-health activation (#4970)#4971

Merged
koala73 merged 1 commit into
mainfrom
feat/rss-allowlist-war-gov-4970
Jul 6, 2026
Merged

fix(feeds): allowlist war.gov + thenationalnews.com + trumpstruth.org — unblock feed-health activation (#4970)#4971
koala73 merged 1 commit into
mainfrom
feat/rss-allowlist-war-gov-4970

Conversation

@koala73

@koala73 koala73 commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Closes #4970. Unblocks the feed-health + recall-benchmark activation that #4927 wired (your UPSTASH secrets are confirmed reaching the workflow; this was the only thing standing in the way).

Problem

validate-rss-feeds.mjs --ci hard-fails exit 1 on 3 catalog feeds whose hosts aren't allowlisted (Host not in allowlist), and the #4927 guardrail correctly refuses to publish health metadata on a drift-failing run. Pre-existing (files last touched by #4199/#3986/#3891 — none of the news-pipeline PRs); activating the publish path surfaced it.

Feed Host Cause
Pentagon www.war.gov DoD rebrand defense.govwar.gov; allowlist had only www.defense.gov
The National www.thenationalnews.com in catalog, never allowlisted
Trump - Truth Social trumpstruth.org in catalog, never allowlisted

Fix

Add the 3 hosts to every allowlist mirror: shared/rss-allowed-domains.json (source of truth) → byte-identical scripts/shared/ mirror → api/_rss-allowed-domains.js (the copy the validator + Edge SSRF guard read) → vite.config.ts:RSS_PROXY_ALLOWED_DOMAINS (dev proxy). .cjs re-requires the JSON.

Verification

  • isAllowedDomain()true for all three (exact/bare/www rule).
  • shared and api lists byte-equal (339 entries); tests/edge-functions.test.mjs + tests/scripts-shared-mirror.test.mjs green (228).
  • feed-validation.yml does not run on PRs (SSRF surface — schedule/push/dispatch only), so PR checks won't exercise the full fetch. The end-to-end proof is a post-merge workflow dispatch: expect exit 0, the 3 out of the Host not in allowlist class, feed-health published, and the two health keys flip pending-activation → monitored.

Security note: this widens the RSS-proxy SSRF allowlist by 3 legitimate news hosts already present in the feed catalog — deliberate, reviewed.

https://claude.ai/code/session_01WmhkGjZrb9RbV7pV3muFxP

… — unblock feed-health activation (#4970)

Three server-catalog feeds (Pentagon, The National, Truth Social) had
hosts absent from the RSS allowlist, tripping the CONFIG_DRIFT hard-fail
in validate-rss-feeds.mjs --ci (exit 1) which — per the #4927 ordering —
blocks feed-health/recall-benchmark publishing before it runs. Pre-existing
drift (DoD rebranded defense.gov→war.gov; the other two were added to the
catalog without allowlisting), surfaced by activating the publish path.

Adds the three hosts to all mirrors: shared/rss-allowed-domains.json
(source of truth) + its byte-identical scripts/shared mirror + the
api/_rss-allowed-domains.js copy the validator and Edge SSRF guard
actually read + vite.config.ts RSS_PROXY_ALLOWED_DOMAINS (dev proxy).
The .cjs re-requires the JSON (no edit).

Verified: isAllowedDomain() now returns true for www.war.gov,
www.thenationalnews.com, trumpstruth.org (exact/bare/www rule); shared
and api lists are byte-equal (339); edge-functions + scripts-shared
mirror guards green (228). feed-validation.yml does not run on PRs
(SSRF surface) — post-merge workflow dispatch is the end-to-end proof.

Closes #4970

Claude-Session: https://claude.ai/code/session_01WmhkGjZrb9RbV7pV3muFxP
@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
worldmonitor Ready Ready Preview, Comment Jul 6, 2026 11:31am

Request Review

@greptile-apps

greptile-apps Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds three hosts — www.war.gov, www.thenationalnews.com, and trumpstruth.org — to all four RSS allowlist mirrors, unblocking the feed-health publication path that was failing CI with Host not in allowlist exits.

  • All four mirrors (shared/rss-allowed-domains.json, scripts/shared/rss-allowed-domains.json, api/_rss-allowed-domains.js, vite.config.ts:RSS_PROXY_ALLOWED_DOMAINS) are updated consistently; the two .cjs wrappers auto-resolve via require('./rss-allowed-domains.json').
  • The three added hostnames exactly match the feed URLs in server/worldmonitor/news/v1/_feeds.ts (trumpstruth.org/feed, www.thenationalnews.com/arc/…, www.war.gov/DesktopModules/…), so isAllowedDomain() passes for all three under the exact-match path without relying on the www-normalization fallback.

Confidence Score: 5/5

Safe to merge — the change is a mechanical allowlist extension for three hosts already present in the feed catalog, applied consistently across every mirror.

All four editable mirrors receive identical additions, the two .cjs wrappers pick up the JSON change automatically, and each added hostname exactly matches the feed URL hostname already registered in _feeds.ts. No logic, no schema, no auth path is touched.

No files require special attention.

Important Files Changed

Filename Overview
shared/rss-allowed-domains.json Source-of-truth allowlist JSON; 3 entries appended at end, JSON syntax valid, mirrors in scripts/shared are byte-identical.
scripts/shared/rss-allowed-domains.json Mirror of shared/rss-allowed-domains.json; diff is identical to the source-of-truth change.
api/_rss-allowed-domains.js Edge Function copy of the allowlist (JS export); 3 entries appended consistently with the JSON mirrors.
vite.config.ts Dev-proxy Set updated with all 3 new hosts; uses exact Set.has() match which aligns with the added hostnames' exact forms.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[RSS Feed Request] --> B{isAllowedDomain?}
    B -- "exact / bare / www match" --> C[Allowed ✓]
    B -- "no match" --> D[403 / exit 1]

    subgraph "Allowlist mirrors (all updated)"
        E[shared/rss-allowed-domains.json\nsource of truth]
        F[scripts/shared/rss-allowed-domains.json\nmirror]
        G[api/_rss-allowed-domains.js\nEdge SSRF guard]
        H[vite.config.ts RSS_PROXY_ALLOWED_DOMAINS\ndev proxy Set]
        I[*.cjs wrappers\nauto via require JSON]
        E --> F
        E --> G
        E --> H
        E --> I
    end

    subgraph "Newly allowlisted hosts"
        J[www.war.gov\nPentagon DoD rebrand]
        K[www.thenationalnews.com\nMiddle East / GCC feeds]
        L[trumpstruth.org\nTruth Social feed]
    end

    J & K & L --> B
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[RSS Feed Request] --> B{isAllowedDomain?}
    B -- "exact / bare / www match" --> C[Allowed ✓]
    B -- "no match" --> D[403 / exit 1]

    subgraph "Allowlist mirrors (all updated)"
        E[shared/rss-allowed-domains.json\nsource of truth]
        F[scripts/shared/rss-allowed-domains.json\nmirror]
        G[api/_rss-allowed-domains.js\nEdge SSRF guard]
        H[vite.config.ts RSS_PROXY_ALLOWED_DOMAINS\ndev proxy Set]
        I[*.cjs wrappers\nauto via require JSON]
        E --> F
        E --> G
        E --> H
        E --> I
    end

    subgraph "Newly allowlisted hosts"
        J[www.war.gov\nPentagon DoD rebrand]
        K[www.thenationalnews.com\nMiddle East / GCC feeds]
        L[trumpstruth.org\nTruth Social feed]
    end

    J & K & L --> B
Loading

Reviews (1): Last reviewed commit: "fix(feeds): allowlist war.gov + thenatio..." | Re-trigger Greptile

@koala73 koala73 merged commit a91203b into main Jul 6, 2026
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(feeds): RSS allowlist drift blocks feed-health activation — war.gov/thenationalnews.com/trumpstruth.org in catalog, missing from allowlist mirrors

1 participant