riksdagsmonitor 0.8.54 → 0.8.55

package/README.md

@@ -725,12 +725,43 @@ flowchart LR
 
 ## 🤖 AI-Disrupted News Generation
 
-> *"While traditional newsrooms debate whether AI will replace journalists, Riksdagsmonitor already runs a fully autonomous political intelligence newsroom — 12 agentic workflows, 14 languages, zero human editors, and a publication schedule that would bankrupt any legacy outlet trying to keep up."*
+> *"While traditional newsrooms debate whether AI will replace journalists, Riksdagsmonitor already runs a fully autonomous political intelligence newsroom — 11 agentic workflows, 14 languages, zero human editors, and a publication schedule that would bankrupt any legacy outlet trying to keep up."*
 
-Riksdagsmonitor's **agentic news generation pipeline** is the world's first fully AI-driven political intelligence newsroom for parliamentary monitoring. Powered by Claude Opus (currently 4.7) via GitHub Copilot Coding Agent, our **12 specialized workflows** (11 scheduled + 1 on-demand, plus 1 dedicated translation workflow) autonomously produce deep political analysis — not shallow summaries, but structured intelligence products with source verification, multi-party balance, and GDPR-compliant OSINT methodology.
+Riksdagsmonitor's **agentic news generation pipeline** is the world's first fully AI-driven political intelligence newsroom for parliamentary monitoring. Powered by Claude Opus (currently 4.7) via GitHub Copilot Coding Agent, our **11 specialized workflows** (10 single-run news pipelines + 1 dedicated translation workflow) autonomously produce deep political analysis — not shallow summaries, but structured intelligence products with source verification, multi-party balance, and GDPR-compliant OSINT methodology.
+
+### 🧬 Pipeline at a glance
+
+```mermaid
+flowchart LR
+    A[MCP servers<br/>Riksdag · SCB · World Bank] --> B[Analysis artifacts<br/>analysis/daily/&dollar;DATE/&dollar;SUB/<br/>9 core or 14 Tier-C .md files]
+    M[analysis/methodologies/<br/>analysis/templates/] --> B
+    B --> C[scripts/aggregate-analysis.ts<br/>Concatenate · strip dups · rewrite links · emit manifest]
+    C --> D[article.md<br/>Canonical aggregated markdown]
+    D --> E[scripts/render-articles.ts<br/>+ scripts/render-lib/<br/>unified · remark · rehype · sanitize]
+    E --> F[news/&dollar;DATE-&dollar;SUB-en.html<br/>news/&dollar;DATE-&dollar;SUB-sv.html]
+    F --> G[news-translate workflow<br/>EN+SV → 12 other languages<br/>OUT-OF-BAND]
+    F --> S[sitemap.xml + sitemap.html<br/>rss.xml<br/>political-intelligence_*.html]
+    G --> S
+
+    style C fill:#2196f3,color:#fff
+    style E fill:#4caf50
+    style G fill:#9e9e9e,color:#fff
+```
+
+A new `.md` artifact written anywhere under `analysis/daily/$DATE/$SUB/` is enough to produce a published English + Swedish HTML article on the next CI build — there is no manual scaffolding step, no template fill-in, and no per-type generator class. The news workflows themselves never write localised HTML; that is the sole responsibility of `news-translate`.
+
+### 📐 Anatomy of an article
+
+Every published article is a deterministic projection of three input sources, in this priority:
+
+1. **`analysis/methodologies/`** — the *editorial method* (e.g. STRIDE, devil's-advocate, ACH, comparative-politics framing). These files define **how** an analysis is conducted; they are version-controlled and cited from every article footer.
+2. **`analysis/templates/`** — the *output structure* (executive-brief, synthesis, significance, stakeholders, SWOT, scenarios, comparative, intel-assessment, classification, …). These define **what sections** appear and in **what order**.
+3. **`analysis/daily/$DATE/$SUB/*.md`** — the *evidence* (per-day artifacts produced by the agentic workflow's analysis phase). These provide the **specific facts**, MCP query results, and per-document analyses for one day's coverage.
+
+The aggregator concatenates the day's evidence in template order (with `intelligence-assessment.md` — the ICD-203 Key Judgments centrepiece — surfaced at position 3 immediately after the executive brief + synthesis), the renderer transforms the markdown into sanitised HTML, and the chrome layer wraps it with JSON-LD, a tagline-and-breadcrumb header, a 3-column footer (*Riksdagsmonitor* / *Resources* / *Trust & compliance*) and both a dropdown and an always-visible footer language switcher. The chrome's language switcher populates `hreflangAlternates` for **all 14 supported languages** at render time, so switching language from any article always lands on the sibling article (e.g. `news/2026-04-24-propositions-de.html`), never on the language homepage. Internally, `scripts/render-lib/` is split into six focused leaf modules — `aggregator.ts`, `markdown.ts`, `chrome.ts`, `article.ts`, `url-helpers.ts`, `constants.ts` — behind a thin barrel `index.ts`; see [`ARCHITECTURE.md`](ARCHITECTURE.md#pipeline-stages) for the full per-module contract. The `Sources of Method` block in every article footer links back to every methodology and template file actually used — provenance is preserved end-to-end.
 
 > 📚 **Directory-level catalogs** (single sources of truth):
-> - [`.github/workflows/README.md`](.github/workflows/README.md) — 45 workflow files (21 standard `.yml` + 12 agentic `.md` sources + 12 compiled `.lock.yml`)
+> - [`.github/workflows/README.md`](.github/workflows/README.md) — 45 workflow files (21 standard `.yml` + 11 agentic `.md` sources + 11 compiled `.lock.yml`)
 > - [`.github/prompts/README.md`](.github/prompts/README.md) — 8 bounded-context prompt modules + `ext/tier-c-aggregation.md`, imported by every news workflow
 > - [`.github/agents/README.md`](.github/agents/README.md) — 24 Copilot agent files (14 personas + 9 workflow-specialists + 1 shared developer-instructions)
 > - [`.github/skills/README.md`](.github/skills/README.md) — 91 skills grouped by 12 functional categories
@@ -756,7 +787,6 @@ Every day, the platform's AI operatives awaken on cron schedules, query the Swed
 | 🌆 18:00 (16:00 Sat) | **Evening Analysis** | Deep-dive intelligence synthesis | Mon–Sat |
 | 📊 09:00 | **Weekly Review** | Week-in-review scorecard, party performance | Saturday |
 | 📈 10:00 | **Monthly Review** | Comprehensive monthly intelligence assessment | 28th of month |
-| 🔧 Manual | **Article Generator** | On-demand article generation / backfill | On-demand |
 
 > _All times are **UTC** (GitHub Actions cron). For local time, convert to CET/CEST. Authoritative schedules defined in `.github/workflows/news-*.lock.yml` workflows — see [`.github/workflows/README.md`](.github/workflows/README.md) for the complete inventory._
 
@@ -1060,3 +1090,21 @@ CEO, Hack23 AB
 
 *Monitor political activity in Sweden with systematic transparency*
 
+
+
+---
+
+## 🌐 Authoritative Data Sources (Current State)
+
+Riksdagsmonitor uses a **provider-tiered** data architecture, with each provider chosen for its area of strength. As of **2026-04-24**, all four providers are implemented and in production.
+
+| Tier | Provider | Scope | Access |
+|---|---|---|---|
+| **Primary economic** | **IMF** (Datamapper REST + SDMX 3.0) | GDP, growth, unemployment, inflation, fiscal balance, debt, current account, bilateral trade, commodity prices, exchange rates, government spending by COFOG function — including T+5 projections | Pure-TypeScript client `scripts/imf-client.ts` (intentionally non-MCP) |
+| **Parliamentary primary** | **Riksdagen Open Data** | Documents, motions, votes, MPs, speeches | `riksdag-regering` MCP server |
+| **Swedish ground truth** | **SCB** (PxWeb v2) | Swedish monthly labour (AKU), monthly inflation (KPI), regional/municipal, budget execution | `scb` MCP server |
+| **Non-economic residue** | **World Bank** | Governance (WGI), environment, social/education residue, defence-spending depth | `world-bank` MCP server |
+
+**Why this split** — IMF uses uniform SNA 2008 / GFSM 2014 / BPM6 methodology across countries (essential for cross-country comparison), publishes T+5 projections (essential for look-ahead workflows), and has fresher data than World Bank's economic indicators. World Bank remains the canonical source for the classes IMF does not publish (WGI governance, environment).
+
+Authority: [`.github/aw/ECONOMIC_DATA_CONTRACT.md`](.github/aw/ECONOMIC_DATA_CONTRACT.md) v2.1 · hub: [`analysis/imf/`](analysis/imf/) · agent guide: [`AGENTS.md`](AGENTS.md) §IMF.

package/SECURITY.md

@@ -75,6 +75,20 @@ A vulnerability is a weakness or flaw in the project that can be exploited to co
 - Supply chain vulnerabilities in dependencies
 - Content injection through data pipelines
 
+### In-scope components
+
+The following components are within the disclosure scope and welcome responsible-disclosure reports:
+
+- **Static site** — all HTML/CSS/JS served from `/` and `/dashboard/` and `/news/`.
+- **News generation pipeline**:
+  - `scripts/aggregate-analysis.ts` — concatenates `analysis/daily/$DATE/$SUB/` artifacts into `article.md` + SHA-256 manifest.
+  - `scripts/render-articles.ts` — markdown → sanitised HTML pipeline.
+  - `scripts/render-lib/` — shared chrome (header, footer, language switcher, JSON-LD `NewsArticle` shell) and the `rehype-sanitize` allow-list.
+  - `scripts/validate-news-translations.ts` — translation-completeness validator.
+- **Index generators** — `scripts/generate-sitemap*.ts`, `scripts/generate-rss.ts`, `scripts/generate-news-indexes.ts`, `scripts/generate-political-intelligence.ts`.
+- **Agentic workflows** — 11 workflows in `.github/workflows/news-*.md` + their compiled `.lock.yml` peers, plus the non-agentic CI/CD pipelines in `.github/workflows/`.
+- **MCP configuration** — `.github/copilot-mcp.json` and per-workflow `mcp-servers:` blocks.
+
 ### How to Privately Report a Vulnerability using GitHub
 
 1. On GitHub.com, navigate to the main page of the [riksdagsmonitor repository](https://github.com/Hack23/riksdagsmonitor).
@@ -152,3 +166,35 @@ Riksdagsmonitor's security practices are part of Hack23 AB's comprehensive Infor
 **📅 Effective Date:** 2026-02-20  
 **⏰ Next Review:** 2026-05-20  
 **🎯 Framework Compliance:** [![ISO 27001](https://img.shields.io/badge/ISO_27001-2022_Aligned-blue?style=flat-square&logo=iso&logoColor=white)](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) [![NIST CSF 2.0](https://img.shields.io/badge/NIST_CSF-2.0_Aligned-green?style=flat-square&logo=nist&logoColor=white)](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md) [![CIS Controls](https://img.shields.io/badge/CIS_Controls-v8.1_Aligned-orange?style=flat-square&logo=cisecurity&logoColor=white)](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CLASSIFICATION.md)
+
+
+---
+
+## 🌐 IMF Integration — Security Disclosure Note
+
+> **Effective:** 2026-04-24 · **Authoritative hub:** [`analysis/imf/README.md`](analysis/imf/README.md) · [`analysis/imf/agentic-integration.md`](analysis/imf/agentic-integration.md) · [`analysis/imf/indicators-inventory.json`](analysis/imf/indicators-inventory.json) · [`analysis/imf/data-dictionary.md`](analysis/imf/data-dictionary.md) · [`.github/aw/ECONOMIC_DATA_CONTRACT.md`](.github/aw/ECONOMIC_DATA_CONTRACT.md)
+
+### IMF data scope
+
+Riksdagsmonitor consumes **public, anonymous, unauthenticated** macro/fiscal/monetary statistics from the IMF Datamapper REST API (`www.imf.org/external/datamapper/api/v1`) and the IMF SDMX 3.0 endpoint (`sdmxcentral.imf.org`). **No personal data, no credentials, no auth tokens** are exchanged with the IMF. The IMF integration is therefore out of scope for GDPR DPIA but in scope for this security policy as a third-party dependency.
+
+### IMF-specific security posture
+
+| Control | Implementation |
+|---|---|
+| Transport | HTTPS-only · TLS 1.3 · pinned hostnames in egress allow-list |
+| Integrity | SHA-256 payload pin per (dataflow, indicator, country, vintage); supersedes-chain in cache |
+| Vintage discipline | Reject payloads >6 months old without staleness annotation (ECONOMIC_DATA_CONTRACT v2.1) |
+| Rate-limit guard | ≤30 req/min self-imposed; exponential back-off |
+| Supply chain | `scripts/imf-*.ts` reviewed in-repo; no dynamic eval; harden-runner egress audit |
+| Licence | Attribution-required; auto-emitted in article footer template |
+
+### Reporting IMF-related vulnerabilities
+
+If you discover a vulnerability in our IMF integration (e.g., cache integrity bypass, vintage substitution, egress allow-list breakout), follow the standard vulnerability-disclosure flow above. IMF data is public, so confidentiality breaches are not a concern; integrity and availability are the relevant attack surfaces.
+
+### IMF egress allow-list
+
+**Egress hosts** (allow-list): `www.imf.org` (Datamapper REST · WEO/FM), `sdmxcentral.imf.org` (SDMX 3.0 REST · IFS/BOP/DOTS/GFS/PCPS/ER/MFS_IR/MFS_PR). Both HTTPS-only, anonymous, public — no credentials required.
+
+**Canonical rule.** Every economic claim in a Riksdagsmonitor article cites an IMF dataflow first; World Bank citations are reserved for governance, environment and social residue (the classes IMF does not publish). SCB is the Swedish-specific ground truth layer. See `ECONOMIC_DATA_CONTRACT.md` v2.1 for the banned-phrase list and vintage discipline (>6 mo → annotation).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "riksdagsmonitor",
-  "version": "0.8.54",
+  "version": "0.8.55",
   "type": "module",
   "description": "Swedish Parliament (Riksdag) intelligence platform — TypeScript utilities for political data visualization, dashboards, and open data analysis with Chart.js and D3.js",
   "main": "dist/lib/shared/index.js",
@@ -48,7 +48,7 @@
   },
   "scripts": {
     "dev": "vite",
-    "prebuild": "npx tsx scripts/generate-news-indexes/index.ts && npx tsx scripts/extract-news-metadata.ts && npx tsx scripts/generate-sitemap-html.ts && npx tsx scripts/generate-political-intelligence.ts && npx tsx scripts/generate-rss.ts && npx tsx scripts/generate-sitemap.ts",
+    "prebuild": "npx tsx scripts/aggregate-analysis.ts --all --quiet && npx tsx scripts/render-articles.ts --all --lang en,sv --quiet && npx tsx scripts/generate-news-indexes/index.ts && npx tsx scripts/extract-news-metadata.ts && npx tsx scripts/generate-sitemap-html.ts && npx tsx scripts/generate-political-intelligence.ts && npx tsx scripts/generate-rss.ts && npx tsx scripts/generate-sitemap.ts",
     "build": "vite build",
     "build:lib": "tsc -p tsconfig.lib.json && tsc -p tsconfig.npm-scripts.json",
     "postbuild": "cp rss.xml dist/rss.xml && cp sitemap.xml dist/sitemap.xml && cp -r cia-data dist/cia-data",
@@ -70,7 +70,9 @@
     "validate-translations": "npx tsx scripts/validate-translations.ts",
     "validate-news": "node scripts/validate-news-translations.ts",
     "validate-all": "npm run htmlhint && npm run validate-translations && npm run validate-news",
-    "generate-news": "node scripts/generate-news-enhanced.ts",
+    "generate-news": "npx tsx scripts/render-articles.ts --all --lang en,sv",
+    "aggregate-analysis": "npx tsx scripts/aggregate-analysis.ts --all",
+    "render-articles": "npx tsx scripts/render-articles.ts --all --lang en,sv",
     "generate-news-indexes": "node scripts/generate-news-indexes.ts",
     "generate-sitemap": "node scripts/generate-sitemap.ts",
     "generate-sitemap-html": "npx tsx scripts/generate-sitemap-html.ts",
@@ -163,13 +165,14 @@
     "@types/papaparse": "5.5.2",
     "@vitest/coverage-v8": "4.1.5",
     "@vitest/ui": "4.1.5",
-    "ajv": "8.18.0",
+    "ajv": "8.20.0",
     "ajv-formats": "3.0.1",
     "chart.js": "4.5.1",
     "chartjs-plugin-annotation": "3.1.0",
     "d3": "7.9.0",
     "eslint": "10.2.1",
     "globals": "17.5.0",
+    "gray-matter": "^4.0.3",
     "happy-dom": "20.9.0",
     "htmlhint": "1.9.2",
     "js-yaml": "4.1.1",
@@ -177,14 +180,23 @@
     "knip": "6.6.2",
     "papaparse": "5.5.3",
     "playwright": "1.59.1",
+    "rehype-autolink-headings": "^7.1.0",
+    "rehype-raw": "^7.0.0",
+    "rehype-sanitize": "^6.0.0",
+    "rehype-slug": "^6.0.0",
+    "rehype-stringify": "^10.0.1",
+    "remark-gfm": "^4.0.1",
+    "remark-parse": "^11.0.0",
+    "remark-rehype": "^11.1.2",
     "start-server-and-test": "3.0.2",
     "tsx": "4.21.0",
     "typedoc": "0.28.19",
     "typedoc-plugin-mdn-links": "5.1.1",
     "typescript": "6.0.3",
     "typescript-eslint": "8.59.0",
+    "unified": "^11.0.5",
     "vite": "8.0.10",
-    "vite-plugin-sri-gen": "1.3.2",
+    "vite-plugin-sri-gen": "1.4.0",
     "vitest": "4.1.5",
     "worldbank-mcp": "1.0.1"
   },