euparliamentmonitor 0.8.58 → 0.8.59

package/README.md

@@ -492,8 +492,8 @@ EU Parliament Monitor implements **security-by-design** under the [Hack23 ISMS](
 
 ### Requirements
 
-- **Node.js** 25 or higher
-- **npm** 10 or higher (ships with Node.js 25)
+- **Node.js** 26 or higher
+- **npm** 10 or higher (ships with Node.js 26)
 - **Git**
 
 ### From source

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "euparliamentmonitor",
-  "version": "0.8.58",
+  "version": "0.8.59",
   "type": "module",
   "description": "European Parliament Intelligence Platform - Monitor political activity with systematic transparency",
   "main": "scripts/index.js",
@@ -168,7 +168,7 @@
     "vitest": "4.1.5"
   },
   "engines": {
-    "node": ">=25"
+    "node": ">=26"
   },
   "dependencies": {
     "european-parliament-mcp-server": "1.2.21",

package/scripts/config/article-horizons.js

@@ -157,7 +157,7 @@ export const ARTICLE_HORIZONS = {
         perspective: CATEGORY_PERSPECTIVE[ArticleCategory.WEEK_AHEAD],
         timePeriod: CATEGORY_TIME_PERIOD[ArticleCategory.WEEK_AHEAD],
         dataWindow: { direction: 'forward', days: 7, anchor: 'today' },
-        cadence: { cron: '0 6 * * 0', description: 'Weekly — Sunday 06:00 UTC' },
+        cadence: { cron: '0 7 * * 5', description: 'Weekly — Friday 07:00 UTC' },
         primaryFeeds: [...STANDARD_FEEDS],
         mandatoryArtifacts: [...PROSPECTIVE_MANDATORY, A_FORWARD_PROJECTION],
         optionalArtifacts: [A_EXEC_BRIEF],
@@ -171,7 +171,7 @@ export const ARTICLE_HORIZONS = {
         perspective: CATEGORY_PERSPECTIVE[ArticleCategory.MONTH_AHEAD],
         timePeriod: CATEGORY_TIME_PERIOD[ArticleCategory.MONTH_AHEAD],
         dataWindow: { direction: 'forward', days: 30, anchor: 'today' },
-        cadence: { cron: '0 6 1 * *', description: 'Monthly — 1st @ 06:00 UTC' },
+        cadence: { cron: '0 8 1 * *', description: 'Monthly — 1st @ 08:00 UTC' },
         primaryFeeds: [...STANDARD_FEEDS],
         mandatoryArtifacts: [...PROSPECTIVE_MANDATORY, A_FORWARD_PROJECTION],
         optionalArtifacts: [A_EXEC_BRIEF],
@@ -222,7 +222,7 @@ export const ARTICLE_HORIZONS = {
         timePeriod: CATEGORY_TIME_PERIOD[ArticleCategory.WEEK_IN_REVIEW],
         // ADR-006: D-8 → D-36 reporting window for roll-call publication delay.
         dataWindow: { direction: 'backward', days: 28, anchor: 'today' },
-        cadence: { cron: '0 6 * * 6', description: 'Weekly — Saturday 06:00 UTC' },
+        cadence: { cron: '0 9 * * 6', description: 'Weekly — Saturday 09:00 UTC' },
         primaryFeeds: [...STANDARD_FEEDS, 'get_voting_records'],
         mandatoryArtifacts: [...RETROSPECTIVE_MANDATORY],
         optionalArtifacts: [A_EXEC_BRIEF],
@@ -236,7 +236,7 @@ export const ARTICLE_HORIZONS = {
         perspective: CATEGORY_PERSPECTIVE[ArticleCategory.MONTH_IN_REVIEW],
         timePeriod: CATEGORY_TIME_PERIOD[ArticleCategory.MONTH_IN_REVIEW],
         dataWindow: { direction: 'backward', days: 30, anchor: 'today' },
-        cadence: { cron: '0 6 5 * *', description: 'Monthly — 5th @ 06:00 UTC' },
+        cadence: { cron: '0 10 28 * *', description: 'Monthly — 28th @ 10:00 UTC' },
         primaryFeeds: [...STANDARD_FEEDS, 'get_voting_records'],
         mandatoryArtifacts: [...RETROSPECTIVE_MANDATORY],
         optionalArtifacts: [A_EXEC_BRIEF],
@@ -328,7 +328,7 @@ export const ARTICLE_HORIZONS = {
         slug: 'breaking',
         perspective: CATEGORY_PERSPECTIVE[ArticleCategory.BREAKING_NEWS],
         dataWindow: { direction: 'point', anchor: 'today' },
-        cadence: { cron: '0 */4 * * *', description: 'Every 4 hours' },
+        cadence: { cron: '0 */6 * * *', description: 'Every 6 hours' },
         primaryFeeds: [...STANDARD_FEEDS],
         mandatoryArtifacts: [
             A_SIGNIFICANCE,
@@ -357,7 +357,7 @@ export const ARTICLE_HORIZONS = {
         slug: 'committee-reports',
         perspective: CATEGORY_PERSPECTIVE[ArticleCategory.COMMITTEE_REPORTS],
         dataWindow: { direction: 'backward', days: 30, anchor: 'today' },
-        cadence: { cron: '0 7 * * 1', description: 'Weekly — Monday 07:00 UTC' },
+        cadence: { cron: '0 4 * * 1-5', description: 'Weekdays — Mon–Fri 04:00 UTC' },
         primaryFeeds: [...STANDARD_FEEDS, 'get_committee_documents'],
         mandatoryArtifacts: [...RETROSPECTIVE_MANDATORY],
         optionalArtifacts: [A_EXEC_BRIEF],
@@ -370,7 +370,7 @@ export const ARTICLE_HORIZONS = {
         slug: 'motions',
         perspective: CATEGORY_PERSPECTIVE[ArticleCategory.MOTIONS],
         dataWindow: { direction: 'backward', days: 30, anchor: 'today' },
-        cadence: { cron: '0 7 * * 2', description: 'Weekly — Tuesday 07:00 UTC' },
+        cadence: { cron: '0 6 * * 1-5', description: 'Weekdays — Mon–Fri 06:00 UTC' },
         primaryFeeds: [...STANDARD_FEEDS, 'get_voting_records'],
         mandatoryArtifacts: [...RETROSPECTIVE_MANDATORY],
         optionalArtifacts: [A_EXEC_BRIEF],
@@ -383,7 +383,7 @@ export const ARTICLE_HORIZONS = {
         slug: 'propositions',
         perspective: CATEGORY_PERSPECTIVE[ArticleCategory.PROPOSITIONS],
         dataWindow: { direction: 'forward', days: 90, anchor: 'today' },
-        cadence: { cron: '0 7 * * 3', description: 'Weekly — Wednesday 07:00 UTC' },
+        cadence: { cron: '0 5 * * 1-5', description: 'Weekdays — Mon–Fri 05:00 UTC' },
         primaryFeeds: [...STANDARD_FEEDS, 'get_procedures'],
         mandatoryArtifacts: [...PROSPECTIVE_MANDATORY],
         optionalArtifacts: [A_PIPELINE_FORECAST, A_EXEC_BRIEF],

package/scripts/mcp/fetch-proxy-server.d.ts

@@ -0,0 +1,91 @@
+/** JSON-RPC 2.0 request (minimal surface). */
+export interface JsonRpcRequest {
+    jsonrpc: '2.0';
+    id: number | string | null;
+    method: string;
+    params?: Record<string, unknown>;
+}
+/** JSON-RPC 2.0 response (success). */
+export interface JsonRpcSuccess {
+    jsonrpc: '2.0';
+    id: number | string | null;
+    result: unknown;
+}
+/** JSON-RPC 2.0 response (error). */
+export interface JsonRpcError {
+    jsonrpc: '2.0';
+    id: number | string | null;
+    error: {
+        code: number;
+        message: string;
+    };
+}
+/** MCP tool-call content item. */
+export interface McpContentItem {
+    type: 'text';
+    text: string;
+}
+/** MCP tool-call result envelope. */
+export interface McpToolResult {
+    content: McpContentItem[];
+}
+/**
+ * Returns `true` when `url` is allowed by the IMF-only fetch-proxy policy.
+ *
+ * Allowed: `https://dataservices.imf.org/REST/SDMX_3.0/...`
+ *
+ * @param url - Raw URL string to validate.
+ * @returns Whether the URL is permitted.
+ */
+export declare function isAllowedImfUrl(url: string): boolean;
+/**
+ * Serialize a JSON-RPC response to a newline-terminated string.
+ *
+ * Uses `String.fromCharCode(10)` instead of `'\n'` so that inlined
+ * (minified) versions of this code remain safe in single-quoted strings
+ * (the AWF YAML serializer rejects bare newlines in entrypointArgs).
+ *
+ * @param obj - Serializable object.
+ * @returns `JSON.stringify(obj) + '\n'`
+ */
+export declare function toWire(obj: unknown): string;
+/**
+ * Build a success response for the `initialize` handshake.
+ *
+ * @param id - Request id to echo.
+ * @returns JSON-RPC success with MCP 2024-11-05 capabilities.
+ */
+export declare function handleInitialize(id: number | string | null): JsonRpcSuccess;
+/**
+ * Build the `tools/list` response advertising the single `fetch_url` tool.
+ *
+ * @param id - Request id to echo.
+ * @returns JSON-RPC success with the tool descriptor array.
+ */
+export declare function handleToolsList(id: number | string | null): JsonRpcSuccess;
+/**
+ * Execute the `fetch_url` tool call.
+ *
+ * Only URLs matching the IMF SDMX 3.0 allowlist are permitted. Non-matching
+ * or malformed URLs receive a JSON-RPC error response; HTTP errors and network
+ * failures also surface as errors.
+ *
+ * @param id - Request id to echo.
+ * @param url - URL to fetch.
+ * @param fetchImpl - Injectable `fetch` implementation (defaults to global).
+ * @returns JSON-RPC success or error.
+ */
+export declare function handleFetchUrl(id: number | string | null, url: string | undefined, fetchImpl?: typeof fetch): Promise<JsonRpcSuccess | JsonRpcError>;
+/**
+ * Run the fetch-proxy MCP server, reading JSON-RPC messages from `input` and
+ * writing responses to `output`.
+ *
+ * Does not resolve until the input stream closes.
+ *
+ * @param input - Readable stream to read JSON-RPC lines from (default: stdin).
+ * @param output - Writable stream to write responses to (default: stdout).
+ * @param fetchImpl - Injectable fetch (default: global fetch).
+ * @returns Promise that resolves when the input stream closes.
+ */
+export declare function runServer(input?: NodeJS.ReadableStream, output?: NodeJS.WritableStream, fetchImpl?: typeof fetch): Promise<void>;
+//# sourceMappingURL=fetch-proxy-server.d.ts.map

package/scripts/mcp/fetch-proxy-server.js

@@ -0,0 +1,249 @@
+// SPDX-FileCopyrightText: 2024-2026 Hack23 AB
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * @module MCP/FetchProxyServer
+ * @description IMF-only MCP fetch-proxy server.
+ *
+ * Implements the Model Context Protocol (JSON-RPC 2.0 over stdio) with a
+ * single tool — `fetch_url` — that proxies HTTPS GET requests to the IMF
+ * SDMX 3.0 REST API at `https://dataservices.imf.org/REST/SDMX_3.0/`.
+ *
+ * ## Why this exists
+ *
+ * The Agent Workflow Firewall (AWF) runs a Squid proxy that blocks outbound
+ * HTTPS even to allowlisted domains such as `dataservices.imf.org`. This
+ * server is mounted as an MCP container in gh-aw workflows; because MCP
+ * containers run in a Docker network with direct outbound access (bypassing
+ * Squid), `fetch_url` can reach the IMF API while the main runner cannot.
+ *
+ * The server only allows calls to `https://dataservices.imf.org/REST/SDMX_3.0/`
+ * — all other URLs are rejected with an error message.
+ *
+ * ## Usage
+ *
+ * ```
+ * node scripts/mcp/fetch-proxy-server.js
+ * ```
+ *
+ * Or via `node -e <inlined-code>` in the gh-aw `entrypointArgs` (see
+ * `.github/workflows/shared/mcp/news-mcp-servers.md`).
+ *
+ * ## MCP tools exposed
+ *
+ * - `fetch_url` — fetches an IMF SDMX URL and returns its body as text.
+ *
+ * @author Hack23 AB
+ * @license Apache-2.0
+ */
+import * as readline from 'node:readline';
+// ─── Constants ────────────────────────────────────────────────────────────────
+const IMF_ALLOWED_HOSTNAME = 'dataservices.imf.org';
+const IMF_ALLOWED_PATH_PREFIX = '/REST/SDMX_3.0/';
+const IMF_ALLOWED_PROTOCOL = 'https:';
+/** Per-request fetch timeout (ms). */
+const FETCH_TIMEOUT_MS = 180_000;
+// ─── Allowlist check ─────────────────────────────────────────────────────────
+/**
+ * Returns `true` when `url` is allowed by the IMF-only fetch-proxy policy.
+ *
+ * Allowed: `https://dataservices.imf.org/REST/SDMX_3.0/...`
+ *
+ * @param url - Raw URL string to validate.
+ * @returns Whether the URL is permitted.
+ */
+export function isAllowedImfUrl(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        return false;
+    }
+    return (parsed.protocol === IMF_ALLOWED_PROTOCOL &&
+        parsed.hostname === IMF_ALLOWED_HOSTNAME &&
+        (parsed.port === '' || parsed.port === '443') &&
+        parsed.username === '' &&
+        parsed.password === '' &&
+        parsed.pathname.startsWith(IMF_ALLOWED_PATH_PREFIX));
+}
+// ─── Transport helpers ───────────────────────────────────────────────────────
+/**
+ * Serialize a JSON-RPC response to a newline-terminated string.
+ *
+ * Uses `String.fromCharCode(10)` instead of `'\n'` so that inlined
+ * (minified) versions of this code remain safe in single-quoted strings
+ * (the AWF YAML serializer rejects bare newlines in entrypointArgs).
+ *
+ * @param obj - Serializable object.
+ * @returns `JSON.stringify(obj) + '\n'`
+ */
+export function toWire(obj) {
+    return JSON.stringify(obj) + String.fromCharCode(10);
+}
+// ─── MCP handlers ────────────────────────────────────────────────────────────
+/**
+ * Build a success response for the `initialize` handshake.
+ *
+ * @param id - Request id to echo.
+ * @returns JSON-RPC success with MCP 2024-11-05 capabilities.
+ */
+export function handleInitialize(id) {
+    return {
+        jsonrpc: '2.0',
+        id,
+        result: {
+            protocolVersion: '2024-11-05',
+            capabilities: { tools: {} },
+        },
+    };
+}
+/**
+ * Build the `tools/list` response advertising the single `fetch_url` tool.
+ *
+ * @param id - Request id to echo.
+ * @returns JSON-RPC success with the tool descriptor array.
+ */
+export function handleToolsList(id) {
+    return {
+        jsonrpc: '2.0',
+        id,
+        result: {
+            tools: [
+                {
+                    name: 'fetch_url',
+                    description: 'Fetch an IMF SDMX URL and return its content',
+                    inputSchema: {
+                        type: 'object',
+                        properties: {
+                            url: {
+                                type: 'string',
+                                description: 'IMF SDMX URL to fetch',
+                            },
+                        },
+                        required: ['url'],
+                    },
+                },
+            ],
+        },
+    };
+}
+/**
+ * Execute the `fetch_url` tool call.
+ *
+ * Only URLs matching the IMF SDMX 3.0 allowlist are permitted. Non-matching
+ * or malformed URLs receive a JSON-RPC error response; HTTP errors and network
+ * failures also surface as errors.
+ *
+ * @param id - Request id to echo.
+ * @param url - URL to fetch.
+ * @param fetchImpl - Injectable `fetch` implementation (defaults to global).
+ * @returns JSON-RPC success or error.
+ */
+export async function handleFetchUrl(id, url, fetchImpl = globalThis.fetch) {
+    if (!url || !isAllowedImfUrl(url)) {
+        return {
+            jsonrpc: '2.0',
+            id,
+            error: {
+                code: -1,
+                message: `fetch_url only allows ${IMF_ALLOWED_PROTOCOL}//${IMF_ALLOWED_HOSTNAME}${IMF_ALLOWED_PATH_PREFIX} URLs`,
+            },
+        };
+    }
+    try {
+        const response = await fetchImpl(url, {
+            headers: { Accept: 'application/json' },
+            signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+        });
+        if (!response.ok) {
+            return {
+                jsonrpc: '2.0',
+                id,
+                error: { code: -1, message: `HTTP ${response.status} ${response.statusText}` },
+            };
+        }
+        const text = await response.text();
+        return {
+            jsonrpc: '2.0',
+            id,
+            result: { content: [{ type: 'text', text }] },
+        };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return { jsonrpc: '2.0', id, error: { code: -1, message } };
+    }
+}
+// ─── Main server loop ─────────────────────────────────────────────────────────
+/**
+ * Run the fetch-proxy MCP server, reading JSON-RPC messages from `input` and
+ * writing responses to `output`.
+ *
+ * Does not resolve until the input stream closes.
+ *
+ * @param input - Readable stream to read JSON-RPC lines from (default: stdin).
+ * @param output - Writable stream to write responses to (default: stdout).
+ * @param fetchImpl - Injectable fetch (default: global fetch).
+ * @returns Promise that resolves when the input stream closes.
+ */
+export function runServer(input = process.stdin, output = process.stdout, fetchImpl = globalThis.fetch) {
+    const send = (obj) => {
+        output.write(toWire(obj));
+    };
+    const rl = readline.createInterface({ input, terminal: false });
+    return new Promise((resolve) => {
+        rl.on('line', (line) => {
+            let requestId = null;
+            void (async () => {
+                try {
+                    const msg = JSON.parse(line);
+                    requestId = msg.id ?? null;
+                    if (msg.method === 'initialize') {
+                        send(handleInitialize(msg.id ?? null));
+                    }
+                    else if (msg.method === 'notifications/initialized') {
+                        // No-op — notification, no response required.
+                    }
+                    else if (msg.method === 'tools/list') {
+                        send(handleToolsList(msg.id ?? null));
+                    }
+                    else if (msg.method === 'tools/call') {
+                        const params = msg.params;
+                        if (params?.name === 'fetch_url') {
+                            const url = params.arguments?.url;
+                            const result = await handleFetchUrl(msg.id ?? null, url, fetchImpl);
+                            send(result);
+                        }
+                        else {
+                            send({
+                                jsonrpc: '2.0',
+                                id: msg.id ?? null,
+                                result: { content: [{ type: 'text', text: 'unknown tool' }] },
+                            });
+                        }
+                    }
+                    else {
+                        send({
+                            jsonrpc: '2.0',
+                            id: msg.id ?? null,
+                            result: { content: [{ type: 'text', text: 'unknown method' }] },
+                        });
+                    }
+                }
+                catch (err) {
+                    const message = err instanceof Error ? err.message : String(err);
+                    send({ jsonrpc: '2.0', id: requestId, error: { code: -1, message } });
+                }
+            })();
+        });
+        rl.on('close', resolve);
+    });
+}
+// ─── Entry point ─────────────────────────────────────────────────────────────
+// Run when executed directly (not imported as a module).
+if (process.argv[1] !== undefined &&
+    (process.argv[1].endsWith('fetch-proxy-server.js') ||
+        process.argv[1].endsWith('fetch-proxy-server.ts'))) {
+    void runServer();
+}
+//# sourceMappingURL=fetch-proxy-server.js.map

package/scripts/mcp/html-lang-patcher.d.ts

@@ -0,0 +1,48 @@
+/** Parameters for the HTML language patch operation. */
+export interface HtmlLangPatchOptions {
+    /** BCP-47 language tag for the target locale, e.g. `"de"`, `"fr"`. */
+    readonly lang: string;
+    /** Text direction for the target locale: `"ltr"` or `"rtl"`. */
+    readonly langDir: 'ltr' | 'rtl';
+    /** Open Graph locale string, e.g. `"de_DE"`, `"ar_AR"`. */
+    readonly ogLocale: string;
+    /** Basename of the source English HTML file, e.g. `"2025-01-01-breaking.html"`. */
+    readonly enBasename: string;
+    /** Basename of the target language HTML file, e.g. `"2025-01-01-breaking-de.html"`. */
+    readonly langBasename: string;
+}
+/**
+ * Apply all language patches to the given HTML content string and return the
+ * patched string.
+ *
+ * Scope is intentionally narrow: only document-level lang/dir attributes,
+ * JSON-LD language fields, og:locale, and self-referential URL fields are
+ * rewritten. Body content is left untouched.
+ *
+ * @param content - Raw HTML file content.
+ * @param opts - Patch parameters.
+ * @returns Patched HTML content.
+ */
+export declare function patchHtmlContent(content: string, opts: HtmlLangPatchOptions): string;
+/**
+ * Read an HTML file, apply language patches, and write the result back to the
+ * same file (in-place).
+ *
+ * @param filePath - Absolute path to the target HTML file.
+ * @param opts - Patch parameters.
+ * @param readFileImpl - Injectable read function (default: `fs.readFileSync`).
+ * @param writeFileImpl - Injectable write function (default: `fs.writeFileSync`).
+ * @throws If the file cannot be read or written.
+ */
+export declare function patchHtmlLang(filePath: string, opts: HtmlLangPatchOptions, readFileImpl?: (p: string, enc: BufferEncoding) => string, writeFileImpl?: (p: string, data: string, enc: BufferEncoding) => void): void;
+/**
+ * CLI entry point. Positional argument order:
+ *
+ * ```
+ * node html-lang-patcher.js <filePath> <lang> <langDir> <ogLocale> <enBasename> <langBasename>
+ * ```
+ *
+ * @param argv - `process.argv` array (or equivalent for testing).
+ */
+export declare function runCli(argv?: string[]): void;
+//# sourceMappingURL=html-lang-patcher.d.ts.map

package/scripts/mcp/html-lang-patcher.js

@@ -0,0 +1,138 @@
+// SPDX-FileCopyrightText: 2024-2026 Hack23 AB
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * @module MCP/HtmlLangPatcher
+ * @description Patches structural HTML metadata in a copied English article
+ * file so that the file's language-specific markup matches the target locale.
+ *
+ * ## What this does
+ *
+ * When a new article is generated in English and then copied to language-
+ * specific placeholder files (e.g. `news/2025-01-01-breaking-de.html`),
+ * the copy still contains English-language metadata. This module rewrites
+ * only the metadata regions of the file (NOT the article body text, which
+ * is translated separately by an AI translation step):
+ *
+ * - `<html lang="en">` → `<html lang="<lang>">`
+ * - `<html dir="ltr|rtl">` → `<html dir="<langDir>">`
+ * - `<article lang="en">` → `<article lang="<lang>">`
+ * - JSON-LD `"inLanguage": "en"` → `"inLanguage": "<lang>"`
+ * - `<meta property="og:locale" content="...">` → target `ogLocale`
+ * - Self-referential URLs in `<link rel="canonical">` and
+ *   `<meta property="og:url">` tags, and JSON-LD `@id`/`url` fields: replaces
+ *   the English filename component with the language-specific filename.
+ *   `rel="alternate"` / hreflang links are intentionally NOT rewritten.
+ *
+ * ## Usage
+ *
+ * ```typescript
+ * import { patchHtmlLang } from './html-lang-patcher.js';
+ *
+ * patchHtmlLang('/path/to/news/2025-01-01-breaking-de.html', {
+ *   lang: 'de',
+ *   langDir: 'ltr',
+ *   ogLocale: 'de_DE',
+ *   enBasename: '2025-01-01-breaking.html',
+ *   langBasename: '2025-01-01-breaking-de.html',
+ * });
+ * ```
+ *
+ * Or use the lower-level {@link patchHtmlContent} to work with string content
+ * directly (without reading/writing files).
+ *
+ * @author Hack23 AB
+ * @license Apache-2.0
+ */
+import * as fs from 'node:fs';
+// ─── Core logic (pure — operates on string content) ──────────────────────────
+/**
+ * Apply all language patches to the given HTML content string and return the
+ * patched string.
+ *
+ * Scope is intentionally narrow: only document-level lang/dir attributes,
+ * JSON-LD language fields, og:locale, and self-referential URL fields are
+ * rewritten. Body content is left untouched.
+ *
+ * @param content - Raw HTML file content.
+ * @param opts - Patch parameters.
+ * @returns Patched HTML content.
+ */
+export function patchHtmlContent(content, opts) {
+    const { lang, langDir, ogLocale, enBasename, langBasename } = opts;
+    let c = content;
+    // 1. Document-level <html> and <article> lang/dir attributes
+    c = c.replace(/(<html\b[^>]*\s)lang="en"/, `$1lang="${lang}"`);
+    c = c.replace(/(<html\b[^>]*\s)dir="(?:ltr|rtl)"/, `$1dir="${langDir}"`);
+    c = c.replace(/(<article\b[^>]*\s)lang="en"/, `$1lang="${lang}"`);
+    // 2. JSON-LD inLanguage
+    c = c.replace(/("inLanguage"\s*:\s*")en(")/g, `$1${lang}$2`);
+    // 3. og:locale meta tag
+    c = c.replace(/(<meta\s+property="og:locale"\s+content=")[^"]*(")/g, `$1${ogLocale}$2`);
+    // 3b. Content-Language meta tag
+    c = c.replace(/(<meta\s+http-equiv="Content-Language"\s+content=")[^"]*(")/g, `$1${lang}$2`);
+    // 4. Self-referential URL fields.
+    // Restricted to rel="canonical" links and property="og:url" meta only —
+    // rel="alternate"/hreflang links are intentionally excluded.
+    const enEsc = enBasename.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    // 4a. <link rel="canonical" href="..."> (any attribute order; lookahead guards rel value)
+    c = c.replace(/(<link\b(?=[^>]*\brel="canonical")[^>]*\shref=")([^"]*)(")/g, (_, p1, p2, p3) => p1 + p2.replace(new RegExp(enEsc, 'g'), langBasename) + p3);
+    // 4b. <meta property="og:url" content="..."> (any attribute order)
+    c = c.replace(/(<meta\b(?=[^>]*\bproperty="og:url")[^>]*\scontent=")([^"]*)(")/g, (_, p1, p2, p3) => p1 + p2.replace(new RegExp(enEsc, 'g'), langBasename) + p3);
+    // 4c. JSON-LD @id, url, mainEntityOfPage fields
+    c = c.replace(/("(?:@id|url|mainEntityOfPage)"\s*:\s*")([^"]*)(")/g, (_, j1, j2, j3) => j1 + j2.replace(new RegExp(enEsc, 'g'), langBasename) + j3);
+    return c;
+}
+// ─── File I/O wrapper ─────────────────────────────────────────────────────────
+/**
+ * Read an HTML file, apply language patches, and write the result back to the
+ * same file (in-place).
+ *
+ * @param filePath - Absolute path to the target HTML file.
+ * @param opts - Patch parameters.
+ * @param readFileImpl - Injectable read function (default: `fs.readFileSync`).
+ * @param writeFileImpl - Injectable write function (default: `fs.writeFileSync`).
+ * @throws If the file cannot be read or written.
+ */
+export function patchHtmlLang(filePath, opts, readFileImpl = fs.readFileSync, writeFileImpl = fs.writeFileSync) {
+    const original = readFileImpl(filePath, 'utf8');
+    const patched = patchHtmlContent(original, opts);
+    writeFileImpl(filePath, patched, 'utf8');
+}
+// ─── CLI entry point ──────────────────────────────────────────────────────────
+/**
+ * CLI entry point. Positional argument order:
+ *
+ * ```
+ * node html-lang-patcher.js <filePath> <lang> <langDir> <ogLocale> <enBasename> <langBasename>
+ * ```
+ *
+ * @param argv - `process.argv` array (or equivalent for testing).
+ */
+export function runCli(argv = process.argv) {
+    const [, , filePath, lang, langDir, ogLocale, enBasename, langBasename] = argv;
+    if (!filePath || !lang || !langDir || !ogLocale || !enBasename || !langBasename) {
+        process.stderr.write('Usage: html-lang-patcher <filePath> <lang> <langDir> <ogLocale> <enBasename> <langBasename>' +
+            String.fromCharCode(10));
+        process.exit(1);
+        return;
+    }
+    if (langDir !== 'ltr' && langDir !== 'rtl') {
+        process.stderr.write(`Error: langDir must be "ltr" or "rtl", got "${langDir}"` + String.fromCharCode(10));
+        process.exit(1);
+        return;
+    }
+    patchHtmlLang(filePath, {
+        lang,
+        langDir: langDir,
+        ogLocale,
+        enBasename,
+        langBasename,
+    });
+}
+// Run when executed directly
+if (process.argv[1] !== undefined &&
+    (process.argv[1].endsWith('html-lang-patcher.js') ||
+        process.argv[1].endsWith('html-lang-patcher.ts'))) {
+    runCli();
+}
+//# sourceMappingURL=html-lang-patcher.js.map

package/scripts/mcp/imf-mcp-client.d.ts

@@ -1,8 +1,9 @@
 /**
  * @module MCP/IMFMCPClient
  * @description Native TypeScript IMF Data client — calls the IMF SDMX 3.0
- * REST API at {@link https://dataservices.imf.org/REST/SDMX_3.0/} directly
- * via `fetch()`, with no external MCP server process.
+ * REST API at {@link https://dataservices.imf.org/REST/SDMX_3.0/} via the
+ * shared IMF-only `fetch-proxy` MCP gateway in gh-aw/AWF runs and direct
+ * `fetch()` in local/non-AWF contexts.
  *
  * Historical note: the first Wave-1 iteration delegated to the Python
  * `c-cf/imf-data-mcp` MCP server. That dependency blocked Wave 0 rollout
@@ -220,8 +221,8 @@ export declare class IMFMCPClient {
     }): Promise<MCPToolResult>;
     /**
      * Build a full URL and GET it as text, enforcing the client-wide timeout.
-     * Tries the MCP fetch-proxy gateway first (bypasses AWF Squid proxy in
-     * agentic workflow sandbox), then falls back to direct fetch.
+     * Tries the IMF-only MCP fetch-proxy gateway first (bypasses AWF Squid
+     * proxy in agentic workflow sandbox), then falls back to direct fetch.
      *
      * @param path - Path (already URL-encoded) to append to the base URL.
      * @returns Response body (`text/*` or `application/*`) as a string.

package/scripts/mcp/imf-mcp-client.js

@@ -476,8 +476,8 @@ export class IMFMCPClient {
     // ─── private transport helpers ─────────────────────────────────────────────
     /**
      * Build a full URL and GET it as text, enforcing the client-wide timeout.
-     * Tries the MCP fetch-proxy gateway first (bypasses AWF Squid proxy in
-     * agentic workflow sandbox), then falls back to direct fetch.
+     * Tries the IMF-only MCP fetch-proxy gateway first (bypasses AWF Squid
+     * proxy in agentic workflow sandbox), then falls back to direct fetch.
      *
      * @param path - Path (already URL-encoded) to append to the base URL.
      * @returns Response body (`text/*` or `application/*`) as a string.
@@ -487,8 +487,13 @@ export class IMFMCPClient {
      */
     async _getText(path) {
         const url = `${this._apiBaseUrl}${path.startsWith('/') ? path : `/${path}`}`;
-        // Strategy 1: MCP fetch-proxy gateway (bypasses AWF Squid proxy)
-        if (this._fetchProxyGatewayUrl && this._fetchProxyApiKey) {
+        // Strategy 1: MCP fetch-proxy gateway (bypasses AWF Squid proxy).
+        // The API key is optional — the gateway adds the Authorization header only
+        // when the key is present. Without a key the request is sent unauthenticated,
+        // which is sufficient for local AWF container-to-container traffic (same
+        // Docker network). Requiring the key here caused IMF degraded mode whenever
+        // EP_MCP_GATEWAY_API_KEY extraction from mcp-config.json failed silently.
+        if (this._fetchProxyGatewayUrl) {
             try {
                 const result = await this._fetchViaGateway(url);
                 if (result !== null)
@@ -525,6 +530,9 @@ export class IMFMCPClient {
      * @internal
      */
     async _fetchViaGateway(url) {
+        const gatewayUrl = this._fetchProxyGatewayUrl;
+        if (!gatewayUrl)
+            return null;
         const rpcRequest = {
             jsonrpc: '2.0',
             id: Date.now(),
@@ -544,7 +552,7 @@ export class IMFMCPClient {
         const controller = new AbortController();
         const timer = setTimeout(() => controller.abort(), this._timeoutMs);
         try {
-            const response = await this._fetchImpl(this._fetchProxyGatewayUrl, {
+            const response = await this._fetchImpl(gatewayUrl, {
                 method: 'POST',
                 headers,
                 body: JSON.stringify(rpcRequest),

package/scripts/mcp/mcp-config-reader.d.ts

@@ -0,0 +1,61 @@
+/** Resolved gateway connection details. */
+export interface GatewayConfig {
+    /** Raw API key (without "Bearer " prefix), or `undefined` if absent. */
+    readonly apiKey: string | undefined;
+    /** Gateway TCP port, or `undefined` if not present in the config. */
+    readonly port: number | undefined;
+    /** Gateway hostname/domain, or `undefined` if not present. */
+    readonly domain: string | undefined;
+}
+/** Internal shape of the JSON the gh-aw runtime writes. */
+interface McpConfigJson {
+    gateway?: {
+        apiKey?: string;
+        port?: number | string;
+        domain?: string;
+    };
+    mcpServers?: Record<string, {
+        headers?: Record<string, string>;
+    }>;
+}
+/**
+ * Strip a leading `Bearer ` prefix (case-insensitive) from an auth string.
+ *
+ * @param raw - Raw header value that may include the prefix.
+ * @returns The bare token.
+ */
+export declare function stripBearerPrefix(raw: string): string;
+/**
+ * Extract the API key from a parsed config object.
+ *
+ * Tries four locations in priority order (see module docblock).
+ *
+ * @param config - Parsed `mcp-config.json` object.
+ * @returns The extracted key (Bearer-prefix stripped), or `undefined`.
+ */
+export declare function extractApiKey(config: McpConfigJson): string | undefined;
+/**
+ * Read and parse the gh-aw MCP config file, returning gateway connection
+ * details. Returns `undefined` fields when the config file is absent, the
+ * relevant fields are missing, or parsing fails.
+ *
+ * Never throws — all errors are silently swallowed and result in an empty
+ * config so that callers can always fall back to defaults.
+ *
+ * @param configPath - Absolute path to `mcp-config.json`.
+ * @param readFileImpl - Injectable file-read function (default: `fs.readFileSync`).
+ *   Accepts the same `(path, encoding)` signature. Used for unit-test injection.
+ * @returns Parsed gateway config (fields may be `undefined`).
+ */
+export declare function readMcpConfig(configPath: string, readFileImpl?: (path: string, encoding: BufferEncoding) => string): GatewayConfig;
+/**
+ * Resolve the canonical MCP config file path.
+ *
+ * Prefers `$GH_AW_MCP_CONFIG` env var, then falls back to
+ * `~/.copilot/mcp-config.json`.
+ *
+ * @returns Absolute config file path.
+ */
+export declare function resolveMcpConfigPath(): string;
+export {};
+//# sourceMappingURL=mcp-config-reader.d.ts.map

package/scripts/mcp/mcp-config-reader.js

@@ -0,0 +1,143 @@
+// SPDX-FileCopyrightText: 2024-2026 Hack23 AB
+// SPDX-License-Identifier: Apache-2.0
+/**
+ * @module MCP/McpConfigReader
+ * @description Reads the gh-aw MCP config JSON (`mcp-config.json`) and
+ * extracts the gateway API key and address (port + domain).
+ *
+ * ## Config format
+ *
+ * The gh-aw runtime writes a JSON file at
+ * `~/.copilot/mcp-config.json` (or `$GH_AW_MCP_CONFIG`) with the
+ * following shape (several optional paths across gh-aw versions):
+ *
+ * ```json
+ * {
+ *   "gateway": {
+ *     "apiKey": "<key>",    // gh-aw <= v0.68 (legacy)
+ *     "port": 8080,
+ *     "domain": "host.docker.internal"
+ *   },
+ *   "mcpServers": {
+ *     "european-parliament": {
+ *       "headers": { "Authorization": "<key>" }
+ *     },
+ *     "fetch-proxy": {
+ *       "headers": { "Authorization": "<key>" }
+ *     }
+ *   }
+ * }
+ * ```
+ *
+ * The API key is tried at four locations in priority order:
+ * 1. `gateway.apiKey`                        (gh-aw ≤ v0.68)
+ * 2. `mcpServers.european-parliament.headers.Authorization`  (v0.69–v0.71)
+ * 3. `mcpServers.fetch-proxy.headers.Authorization`          (v0.72+)
+ * 4. First `mcpServers[*].headers.Authorization` found       (catch-all)
+ *
+ * @author Hack23 AB
+ * @license Apache-2.0
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+/**
+ * Strip a leading `Bearer ` prefix (case-insensitive) from an auth string.
+ *
+ * @param raw - Raw header value that may include the prefix.
+ * @returns The bare token.
+ */
+export function stripBearerPrefix(raw) {
+    return raw.replace(/^bearer\s+/i, '');
+}
+/**
+ * Extract the API key from a parsed config object.
+ *
+ * Tries four locations in priority order (see module docblock).
+ *
+ * @param config - Parsed `mcp-config.json` object.
+ * @returns The extracted key (Bearer-prefix stripped), or `undefined`.
+ */
+export function extractApiKey(config) {
+    const candidates = [
+        // Priority 1 — legacy gateway.apiKey
+        config.gateway?.apiKey,
+        // Priority 2 — EP MCP server header
+        config.mcpServers?.['european-parliament']?.headers?.['Authorization'],
+        // Priority 3 — fetch-proxy server header
+        config.mcpServers?.['fetch-proxy']?.headers?.['Authorization'],
+    ];
+    for (const candidate of candidates) {
+        if (candidate && candidate.trim() !== '') {
+            return stripBearerPrefix(candidate.trim());
+        }
+    }
+    // Priority 4 — first server with a non-empty Authorization header
+    if (config.mcpServers) {
+        for (const server of Object.values(config.mcpServers)) {
+            const auth = server?.headers?.['Authorization'];
+            if (auth && auth.trim() !== '') {
+                return stripBearerPrefix(auth.trim());
+            }
+        }
+    }
+    return undefined;
+}
+// ─── Public API ──────────────────────────────────────────────────────────────
+/**
+ * Read and parse the gh-aw MCP config file, returning gateway connection
+ * details. Returns `undefined` fields when the config file is absent, the
+ * relevant fields are missing, or parsing fails.
+ *
+ * Never throws — all errors are silently swallowed and result in an empty
+ * config so that callers can always fall back to defaults.
+ *
+ * @param configPath - Absolute path to `mcp-config.json`.
+ * @param readFileImpl - Injectable file-read function (default: `fs.readFileSync`).
+ *   Accepts the same `(path, encoding)` signature. Used for unit-test injection.
+ * @returns Parsed gateway config (fields may be `undefined`).
+ */
+export function readMcpConfig(configPath, readFileImpl = fs.readFileSync) {
+    let raw;
+    try {
+        raw = readFileImpl(configPath, 'utf8');
+    }
+    catch {
+        return { apiKey: undefined, port: undefined, domain: undefined };
+    }
+    let config;
+    try {
+        const parsed = JSON.parse(raw);
+        if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+            return { apiKey: undefined, port: undefined, domain: undefined };
+        }
+        config = parsed;
+    }
+    catch {
+        return { apiKey: undefined, port: undefined, domain: undefined };
+    }
+    const apiKey = extractApiKey(config);
+    const rawPort = config.gateway?.port;
+    const port = rawPort !== undefined && rawPort !== '' ? Number.parseInt(String(rawPort), 10) : undefined;
+    const parsedPort = port !== undefined && Number.isFinite(port) ? port : undefined;
+    const domain = config.gateway?.domain !== undefined && config.gateway.domain !== ''
+        ? config.gateway.domain
+        : undefined;
+    return { apiKey, port: parsedPort, domain };
+}
+/**
+ * Resolve the canonical MCP config file path.
+ *
+ * Prefers `$GH_AW_MCP_CONFIG` env var, then falls back to
+ * `~/.copilot/mcp-config.json`.
+ *
+ * @returns Absolute config file path.
+ */
+export function resolveMcpConfigPath() {
+    const envPath = process.env['GH_AW_MCP_CONFIG'];
+    if (envPath && envPath.trim() !== '')
+        return envPath.trim();
+    const home = process.env['HOME'] ?? process.env['USERPROFILE'] ?? '/home/runner';
+    return path.join(home, '.copilot', 'mcp-config.json');
+}
+//# sourceMappingURL=mcp-config-reader.js.map

package/scripts/validate-analysis-completeness.js

@@ -88,6 +88,17 @@ const PLACEHOLDER_PATTERNS = [
   /^TODO:/m,
 ];
 
+// dataMode threshold reduction factors — when manifest.dataMode declares a
+// degraded data availability state, line floors are multiplied by this factor.
+// Structural checks (mermaid, WEP, Admiralty, SATs) are never reduced.
+const DATA_MODE_REDUCTION = {
+  'full': 1.0,
+  'title-only': 0.75,
+  'degraded-imf': 0.85,
+  'degraded-voting': 0.85,
+  'minimal': 0.65,
+};
+
 const WEP_BAND_RE =
   /\b(Almost Certain|Highly Likely|Likely|Roughly Even|Even Chance|About even|Unlikely|Highly Unlikely|Almost No Chance|WEP\s*:)\b/i;
 
@@ -182,6 +193,7 @@ function parseArgs(argv) {
     json: false,
     strict: false,
     minLines: DEFAULT_MIN_LINES,
+    minLinesExplicit: false,
     thresholdsPath: null,
   };
   for (let i = 0; i < args.length; i += 1) {
@@ -193,6 +205,7 @@ function parseArgs(argv) {
       if (!Number.isFinite(n) || n < 1) usage(2);
       // The flag may only RAISE the floor — never lower it below DEFAULT_MIN_LINES.
       opts.minLines = Math.max(DEFAULT_MIN_LINES, n);
+      opts.minLinesExplicit = true;
       i += 1;
     } else if (a === '--thresholds') {
       opts.thresholdsPath = args[i + 1];
@@ -472,6 +485,7 @@ function validateArtifact({
   relativePath,
   rules,
   options,
+  dataModeReduction = 1.0,
 }) {
   const abs = path.join(runDir, relativePath);
   const result = {
@@ -493,7 +507,16 @@ function validateArtifact({
   result.lines = countLines(content);
 
   const perFloor = rules.perArtifactFloors?.[relativePath] ?? null;
-  result.minLines = Math.max(options.minLines, perFloor ?? 0);
+  // dataMode reduction applies to per-artifact floors AND the default floor,
+  // but NOT to the CLI-provided --min-lines value. This preserves the contract
+  // that --min-lines can only raise floors, never lower them.
+  const baseFloor = perFloor != null ? perFloor : DEFAULT_MIN_LINES;
+  const reducedFloor = Math.max(1, Math.floor(baseFloor * dataModeReduction));
+  // When --min-lines is explicitly set, it acts as a hard minimum that the
+  // reduction cannot breach. When not set, use the reduced floor directly.
+  result.minLines = options.minLinesExplicit
+    ? Math.max(options.minLines, reducedFloor)
+    : reducedFloor;
   if (result.lines < result.minLines) {
     result.issues.push(
       `short:${result.lines}<${result.minLines}`,
@@ -935,6 +958,28 @@ function main() {
     );
   }
 
+  // ── Data-mode threshold adjustment (§dataMode) ────────────────────────
+  // When manifest.dataMode declares a degraded data availability state,
+  // the validator applies a line-floor reduction factor so that structurally
+  // constrained runs (missing full text, IMF unavailable, roll-call lag)
+  // can still pass Stage C without inflating thresholds that cannot be met
+  // with the available data. The reduction ONLY applies to line floors —
+  // structural requirements (mermaid, WEP, Admiralty, SATs) remain unchanged.
+  const dataMode = manifest.dataMode || 'full';
+  const dataModeReduction = DATA_MODE_REDUCTION[dataMode];
+  if (dataModeReduction === undefined) {
+    process.stderr.write(
+      `warning: manifest.dataMode="${dataMode}" is not a recognized value ` +
+        `(expected: ${Object.keys(DATA_MODE_REDUCTION).join(', ')}). Treating as "full".\n`,
+    );
+  }
+  const effectiveReduction = dataModeReduction ?? 1.0;
+  if (dataMode !== 'full' && dataModeReduction !== undefined) {
+    process.stderr.write(
+      `info: dataMode="${dataMode}" — applying ${Math.round((1 - effectiveReduction) * 100)}% line-floor reduction\n`,
+    );
+  }
+
   const thresholdsJson = loadThresholds(opts.thresholdsPath);
   let rules;
   try {
@@ -953,7 +998,7 @@ function main() {
   const mandatory = listMandatoryArtifacts(rules, manifestArtifacts, articleType);
 
   const results = mandatory.map((relativePath) =>
-    validateArtifact({ runDir, relativePath, rules, options: opts }),
+    validateArtifact({ runDir, relativePath, rules, options: opts, dataModeReduction: effectiveReduction }),
   );
 
   const forwardRegistryResult = validateForwardStatementsRegistryCoverage(runDir, articleType);