Phase 2A: Add 6 new data sources (ACLED, ADS-B, GDELT, InSight Crime, OpenSanctions, SpiderFoot, Unusual Whales)

[devin-ai-integration]

Summary

Syncs the Phase 2A data source expansion from ltmsuma/CrucixDEVIN PR #1 into the COG-GTM fork. This adds 3 new source modules, enhances 4 existing sources, and adds corresponding dashboard panels (Narco & Organized Crime, Market Intelligence, PRC Tension Index).

Depends on PR #1 (upstream master sync) — must be merged first.

21 commits across 12 files (+1,629 / -130 lines)

Why

The upstream repo added a Phase 2A data expansion that significantly broadens intelligence coverage. This sync brings those capabilities into the COG-GTM fork so we stay at full parity.

Scope

• New source
• Dashboard change
• Docs/config change

What Changed

New Sources

Source	File	API Key?	Description
InSight Crime	apis/sources/insightcrime.mjs	No	Central America organized crime RSS feed; cross-references with OpenSanctions
SpiderFoot	apis/sources/spiderfoot.mjs	SPIDERFOOT_API_KEY	OSINT reconnaissance (IP, domain, email enrichment)
Unusual Whales	apis/sources/unusualwhales.mjs	UNUSUAL_WHALES_API_KEY	Options flow, congressional trades, dark pool prints >$5M

Enhanced Existing Sources

Source	Key Changes
ACLED	New API key auth method, API URL changed to api.acleddata.com, FLASH alerts for events with >50 fatalities
ADS-B	opendata.adsb.fi as free primary (no key), sensitive region detection (7 regions), PRIORITY alerts for military over hotspots
GDELT	Rate-limit resilience (4 retries, 5s stagger delay, 60s timeout), tone scores derived from article data, parenthesized OR queries
OpenSanctions	Handles totalResults as object, guards against collections 404

Dashboard

• Narco & Organized Crime panel — InSight Crime headlines with sanctions cross-reference badges
• Market Intelligence panel — Unusual Whales options flow, congressional trades (defense/energy filtered), dark pool prints
• PRC Tension Index — Composite score in Signal Core (air activity + GDELT mentions + ISR flights)
• Globe markers — Red markers for PRC-related intelligence, Asia Pacific default camera view
• Loading behavior — Server mode now always fetches live API data, renders inline data as placeholder while loading

Delta Engine

• ACLED FLASH alerts (fatalities >50) → critical severity
• ADS-B PRIORITY alerts (military over sensitive regions)
• GDELT tone deterioration alerts
• InSight Crime sanctions cross-ref alerts
• Unusual Whales options flow >$5M alerts
• Defense committee cross-reference: FLASH alert when a defense committee member trades within 48h of a geopolitical event

Validation

• Verified clean fast-forward merge from upstream PR branch (no conflicts)
• git merge-tree confirms zero conflict markers against COG-GTM master
• Not tested locally — this is a direct sync of upstream's already-iterated code (21 commits including 14 bug-fix iterations)

Config and Docs

• .env.example — not updated in this PR (new env vars SPIDERFOOT_API_KEY, UNUSUAL_WHALES_API_KEY, ACLED_API_KEY should be documented; may need a follow-up)
• Source count in briefing.mjs updated (29 → 30, though actual count is higher)

Source Additions

InSight Crime: Adds Central American organized crime coverage — a region not covered by existing sources. No API key required (public RSS). Degrades to empty result on fetch failure. Cross-references entities against OpenSanctions for sanctions overlap. Wired into briefing.mjs as Tier 7 and inject.mjs for the Narco panel.

SpiderFoot: Adds OSINT enrichment (IP/domain/email reconnaissance). Requires SPIDERFOOT_API_KEY; returns stub when missing. Wired into briefing.mjs as Tier 7.

Unusual Whales: Adds market intelligence — options flow anomalies, congressional trading (filtered to defense/energy), dark pool large prints. Requires UNUSUAL_WHALES_API_KEY; degrades gracefully. Wired into briefing.mjs as Tier 8 and inject.mjs for the Market Intelligence panel.

Human Review Checklist

• innerHTML security — New dashboard panels (Narco, Market Intelligence) render fetched data via innerHTML with cleanText(). Verify cleanText() adequately sanitizes all injected content per CONTRIBUTING.md requirements.
• ACLED API URL change — Endpoint changed from acleddata.com/api/acled/read to api.acleddata.com/acled/read. Confirm this is the correct current ACLED API endpoint.
• PRC Tension Index scoring — Hardcoded weights (air * 1.5 + GDELT * 8 + ISR * 15, max 100). Review whether these weights produce meaningful results or could be misleading.
• Defense committee cross-reference logic (lib/delta/engine.mjs) — Generates FLASH alerts when defense committee members trade within 48h of any geopolitical event. Review for false positive risk and whether the correlation logic is sound.
• jarvis.html loading change — canProbeApi block now always fetches from /api/data even when inline data exists. Verify this doesn't cause flash-of-content or data race issues.
• GDELT fragility — 14 of 21 commits are iterative GDELT bug fixes (rate limiting, timeouts, query syntax). The 60s slow-source timeout is a workaround. Consider whether GDELT reliability is sufficient.
• Source count mismatch — briefing.mjs says "30 sources" but this PR adds 3 new sources to the existing set. Verify the actual count is correct.
• Missing .env.example updates — New env vars (ACLED_API_KEY, SPIDERFOOT_API_KEY, UNUSUAL_WHALES_API_KEY) are referenced in source code but .env.example is not updated in this PR.

Checklist

• This PR stays within one bugfix or one feature family (Phase 2A sources)
• I kept unrelated changes out of the diff
• I considered security for any mixed-source content rendering — flagged for review above
• I tested the changed path locally — not tested; synced from upstream

Link to Devin session: https://app.devin.ai/sessions/a046d43371284e3f8175cb76185f3ced
Requested by: @jakexcosme

---

[devin-ai-integration]

Original prompt from Jake

Check our repo against this version: ltmsuma#1 - let me know how far behind we are and what we need to change in order to make our fork in COG-GTM up to date as /ltmsuma/ - come up with a plan for this

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

Devin Review found 5 potential issues.

View 7 additional findings in Devin Review.

[devin-ai-integration]

🔴 Delta engine alerts lack dedup — persistent alerts re-reported as "new" every sweep, inflating criticalChanges

All new alert types (ACLED flash, ADS-B priority, GDELT tone, InSight Crime sanctions, Unusual Whales options, Unusual Whales FLASH) are unconditionally pushed to signals.new without any dedup against the previous run. By contrast, the existing Telegram dedup (lines 183-199) correctly checks prevHashes before adding to signals.new. A mass casualty event (fatalities > 50) persists in ACLED data for days, so every sweep will re-add criticalChanges += 3 for the same event. Similarly, a military aircraft over a sensitive region will increment criticalChanges every ~15 minutes as long as it's airborne. This inflated count is consumed by the dashboard (jarvis.html:1885), Telegram alerts (server.mjs:103), and LLM idea generation (lib/llm/ideas.mjs:147), misrepresenting the situation as continuously escalating. Additionally, _compactForStorage in lib/delta/memory.mjs:196-221 does not preserve flashAlerts, priorityAlerts, adsbMilitary, insightCrime, or unusualWhales, so even if dedup were added, the previous run data wouldn't contain these fields to compare against.

Prompt for agents

The new alert types (ACLED flash, ADS-B priority, GDELT tone, InSight Crime sanctions, Unusual Whales) in computeDelta() are pushed unconditionally to signals.new without dedup against prior runs. This is inconsistent with the Telegram dedup pattern at lines 183-199 which builds prevHashes from prior runs.

Two changes are needed:

1. In lib/delta/engine.mjs: For each new alert category, build a set of prior alert keys from the previous run(s) and only push to signals.new if the key is not already present. For example, collect previous acled flash headlines, previous adsb priority headlines, etc. from the previous/priorRuns data and skip alerts whose key already appeared.

2. In lib/delta/memory.mjs _compactForStorage(): Preserve the alert fields needed for dedup in subsequent runs. Add at minimum: acled.flashAlerts (array of headlines), adsbMilitary.priorityAlerts, gdelt.priorityAlerts, insightCrime.priorityAlerts, unusualWhales.priorityAlerts, and unusualWhales.congressTrades.defenseCommittee. Without storing these, the dedup in step 1 would have nothing to compare against in prior runs.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Valid finding — all new alert types are pushed unconditionally to signals.new without dedup, unlike the Telegram dedup pattern. And _compactForStorage doesn't preserve the alert fields needed for comparison.

Since this is a direct sync of upstream code from ltmsuma/CrucixDEVIN PR #1, the fix should be a follow-up PR. Two changes needed:

1. In engine.mjs: Build prior alert key sets from previous runs and skip duplicates
2. In memory.mjs: Preserve acled.flashAlerts, adsbMilitary.priorityAlerts, gdelt.priorityAlerts, insightCrime.priorityAlerts, unusualWhales.priorityAlerts, and unusualWhales.congressTrades.defenseCommittee

Happy to implement this as a follow-up if requested.

[devin-ai-integration]

🟡 Source count log message says 30 but there are 32 sources

The fullBriefing() function logs "Starting intelligence sweep — 30 sources" but the allPromises array contains 32 entries (29 original + SpiderFoot, InSightCrime, UnusualWhales). The computed sourcesQueried in the output object is correct (derived from sources.length), but the startup log is misleading.

Suggested change

	console.error('[Crucix] Starting intelligence sweep — 30 sources...');
	console.error('[Crucix] Starting intelligence sweep — 32 sources...');

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Correct — the log says "30 sources" but allPromises actually has 32 entries after this PR adds SpiderFoot, InSight Crime, and Unusual Whales. The runtime sourcesQueried count is correct, but the startup log is misleading. Upstream bug — can fix in a follow-up.

[devin-ai-integration]

🔴 New environment variables not documented in .env.example, violating CONTRIBUTING.md

CONTRIBUTING.md mandates: "document any required environment variables in .env.example and README.md". This PR introduces four new environment variables — ACLED_API_KEY, OPENSANCTIONS_API_KEY, UNUSUAL_WHALES_API_KEY, and SPIDERFOOT_URL — but neither .env.example nor README.md were updated. This is a violation of the mandatory contributing rules.

Prompt for agents

CONTRIBUTING.md requires that new environment variables are documented in both .env.example and README.md.

The following new env vars need to be added to .env.example:
- ACLED_API_KEY: Used in apis/sources/acled.mjs as the preferred auth method (set alongside ACLED_EMAIL)
- OPENSANCTIONS_API_KEY: Required for opensanctions.mjs search endpoint (free key at opensanctions.org/api)
- UNUSUAL_WHALES_API_KEY: Required for unusualwhales.mjs options flow, congressional trades, dark pool data
- SPIDERFOOT_URL: Optional, defaults to http://localhost:5001, used by apis/sources/spiderfoot.mjs

Also update README.md with setup instructions for these new sources.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Acknowledged — this is a valid gap. Four new env vars (ACLED_API_KEY, OPENSANCTIONS_API_KEY, UNUSUAL_WHALES_API_KEY, SPIDERFOOT_URL) are used in the source code but not documented in .env.example or README.md. This is inherited from the upstream PR. Can fix in a follow-up.

[devin-ai-integration]

🟡 crossReference makes dozens of failing API calls when OPENSANCTIONS_API_KEY is not set

insightcrime.mjs:120 calls crossReference(entityList) which invokes matchEntity for up to 30 entities. Each matchEntity call goes through safeFetch with default retries: 1, hitting the OpenSanctions API. Without OPENSANCTIONS_API_KEY, the API returns 401 and safeFetch retries each call once (with 2s delay). This wastes ~6-12 seconds of the source's 30-second timeout budget on requests guaranteed to fail. The opensanctions.mjs briefing() function at opensanctions.mjs:127 has a proper guard for missing API key, but crossReference() does not, and insightcrime.mjs calls it directly without checking.

Suggested change

	try {
	sanctionsHits = await crossReference(entityList);
	// PRIORITY alerts for sanctions matches
	priorityAlerts = sanctionsHits.map(hit => ({
	tier: 'PRIORITY',
	headline: `SANCTIONS MATCH: "${hit.name}" found in InSight Crime + OpenSanctions`,
	detail: `Matched: ${hit.matches.map(m => m.caption).join(', ')} (datasets: ${hit.matches.flatMap(m => m.datasets || []).slice(0, 3).join(', ')})`,
	}));
	} catch (e) {
	// Cross-referencing is best-effort
	}
	if (process.env.OPENSANCTIONS_API_KEY) {
	try {
	sanctionsHits = await crossReference(entityList);
	// PRIORITY alerts for sanctions matches
	priorityAlerts = sanctionsHits.map(hit => ({
	tier: 'PRIORITY',
	headline: `SANCTIONS MATCH: "${hit.name}" found in InSight Crime + OpenSanctions`,
	detail: `Matched: ${hit.matches.map(m => m.caption).join(', ')} (datasets: ${hit.matches.flatMap(m => m.datasets || []).slice(0, 3).join(', ')})`,
	}));
	} catch (e) {
	// Cross-referencing is best-effort
	}
	}

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Valid — crossReference() doesn't guard on OPENSANCTIONS_API_KEY, so it fires up to 30 safeFetch calls that all 401 with retries, wasting 6-12 seconds. The suggested fix of wrapping the call in if (process.env.OPENSANCTIONS_API_KEY) would prevent this. Upstream code — can fix in a follow-up.

[devin-ai-integration]

🟡 Geo-clustering centroid drifts toward later points instead of computing true average

In clusterGeoPoints, the centroid update cluster.lat = (cluster.lat + points[j].lat) / 2 gives equal weight to the current centroid and the new point regardless of cluster size. With points at latitudes [0, 0, 90], the centroid after all three is 45 instead of the correct 30. This biases centroids toward later-added points, and because subsequent point-to-cluster distance checks use the drifted centroid, it can cause incorrect cluster assignments — points that should be grouped together may end up in separate clusters.

Suggested change

	cluster.lat = (cluster.lat + points[j].lat) / 2;
	cluster.lon = (cluster.lon + points[j].lon) / 2;
	// Update centroid as weighted average
	const n = cluster.points.length;
	cluster.lat = (cluster.lat * (n - 1) + points[j].lat) / n;
	cluster.lon = (cluster.lon * (n - 1) + points[j].lon) / n;

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Good catch on the centroid drift. The running average (cluster.lat + points[j].lat) / 2 gives equal weight to the centroid and the new point regardless of cluster size. The suggested fix using (cluster.lat * (n-1) + points[j].lat) / n would compute the true weighted average. This is upstream code — can fix in a follow-up.