npm - @apitap/core - Versions diffs - 1.0.0 - Mend

@apitap/core 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (236) hide show

package/LICENSE +60 -0
package/README.md +362 -0
package/SKILL.md +270 -0
package/dist/auth/crypto.d.ts +31 -0
package/dist/auth/crypto.js +66 -0
package/dist/auth/crypto.js.map +1 -0
package/dist/auth/handoff.d.ts +29 -0
package/dist/auth/handoff.js +180 -0
package/dist/auth/handoff.js.map +1 -0
package/dist/auth/manager.d.ts +46 -0
package/dist/auth/manager.js +127 -0
package/dist/auth/manager.js.map +1 -0
package/dist/auth/oauth-refresh.d.ts +16 -0
package/dist/auth/oauth-refresh.js +91 -0
package/dist/auth/oauth-refresh.js.map +1 -0
package/dist/auth/refresh.d.ts +43 -0
package/dist/auth/refresh.js +217 -0
package/dist/auth/refresh.js.map +1 -0
package/dist/capture/anti-bot.d.ts +15 -0
package/dist/capture/anti-bot.js +43 -0
package/dist/capture/anti-bot.js.map +1 -0
package/dist/capture/blocklist.d.ts +6 -0
package/dist/capture/blocklist.js +70 -0
package/dist/capture/blocklist.js.map +1 -0
package/dist/capture/body-diff.d.ts +8 -0
package/dist/capture/body-diff.js +102 -0
package/dist/capture/body-diff.js.map +1 -0
package/dist/capture/body-variables.d.ts +13 -0
package/dist/capture/body-variables.js +142 -0
package/dist/capture/body-variables.js.map +1 -0
package/dist/capture/domain.d.ts +8 -0
package/dist/capture/domain.js +34 -0
package/dist/capture/domain.js.map +1 -0
package/dist/capture/entropy.d.ts +33 -0
package/dist/capture/entropy.js +100 -0
package/dist/capture/entropy.js.map +1 -0
package/dist/capture/filter.d.ts +11 -0
package/dist/capture/filter.js +49 -0
package/dist/capture/filter.js.map +1 -0
package/dist/capture/graphql.d.ts +21 -0
package/dist/capture/graphql.js +99 -0
package/dist/capture/graphql.js.map +1 -0
package/dist/capture/idle.d.ts +23 -0
package/dist/capture/idle.js +44 -0
package/dist/capture/idle.js.map +1 -0
package/dist/capture/monitor.d.ts +26 -0
package/dist/capture/monitor.js +183 -0
package/dist/capture/monitor.js.map +1 -0
package/dist/capture/oauth-detector.d.ts +18 -0
package/dist/capture/oauth-detector.js +96 -0
package/dist/capture/oauth-detector.js.map +1 -0
package/dist/capture/pagination.d.ts +9 -0
package/dist/capture/pagination.js +40 -0
package/dist/capture/pagination.js.map +1 -0
package/dist/capture/parameterize.d.ts +17 -0
package/dist/capture/parameterize.js +63 -0
package/dist/capture/parameterize.js.map +1 -0
package/dist/capture/scrubber.d.ts +5 -0
package/dist/capture/scrubber.js +38 -0
package/dist/capture/scrubber.js.map +1 -0
package/dist/capture/session.d.ts +46 -0
package/dist/capture/session.js +445 -0
package/dist/capture/session.js.map +1 -0
package/dist/capture/token-detector.d.ts +16 -0
package/dist/capture/token-detector.js +62 -0
package/dist/capture/token-detector.js.map +1 -0
package/dist/capture/verifier.d.ts +17 -0
package/dist/capture/verifier.js +147 -0
package/dist/capture/verifier.js.map +1 -0
package/dist/cli.d.ts +2 -0
package/dist/cli.js +930 -0
package/dist/cli.js.map +1 -0
package/dist/discovery/auth.d.ts +17 -0
package/dist/discovery/auth.js +81 -0
package/dist/discovery/auth.js.map +1 -0
package/dist/discovery/fetch.d.ts +17 -0
package/dist/discovery/fetch.js +59 -0
package/dist/discovery/fetch.js.map +1 -0
package/dist/discovery/frameworks.d.ts +11 -0
package/dist/discovery/frameworks.js +249 -0
package/dist/discovery/frameworks.js.map +1 -0
package/dist/discovery/index.d.ts +21 -0
package/dist/discovery/index.js +219 -0
package/dist/discovery/index.js.map +1 -0
package/dist/discovery/openapi.d.ts +13 -0
package/dist/discovery/openapi.js +175 -0
package/dist/discovery/openapi.js.map +1 -0
package/dist/discovery/probes.d.ts +9 -0
package/dist/discovery/probes.js +70 -0
package/dist/discovery/probes.js.map +1 -0
package/dist/index.d.ts +25 -0
package/dist/index.js +25 -0
package/dist/index.js.map +1 -0
package/dist/inspect/report.d.ts +52 -0
package/dist/inspect/report.js +191 -0
package/dist/inspect/report.js.map +1 -0
package/dist/mcp.d.ts +8 -0
package/dist/mcp.js +526 -0
package/dist/mcp.js.map +1 -0
package/dist/orchestration/browse.d.ts +38 -0
package/dist/orchestration/browse.js +198 -0
package/dist/orchestration/browse.js.map +1 -0
package/dist/orchestration/cache.d.ts +15 -0
package/dist/orchestration/cache.js +24 -0
package/dist/orchestration/cache.js.map +1 -0
package/dist/plugin.d.ts +17 -0
package/dist/plugin.js +158 -0
package/dist/plugin.js.map +1 -0
package/dist/read/decoders/deepwiki.d.ts +2 -0
package/dist/read/decoders/deepwiki.js +148 -0
package/dist/read/decoders/deepwiki.js.map +1 -0
package/dist/read/decoders/grokipedia.d.ts +2 -0
package/dist/read/decoders/grokipedia.js +210 -0
package/dist/read/decoders/grokipedia.js.map +1 -0
package/dist/read/decoders/hackernews.d.ts +2 -0
package/dist/read/decoders/hackernews.js +168 -0
package/dist/read/decoders/hackernews.js.map +1 -0
package/dist/read/decoders/index.d.ts +2 -0
package/dist/read/decoders/index.js +12 -0
package/dist/read/decoders/index.js.map +1 -0
package/dist/read/decoders/reddit.d.ts +2 -0
package/dist/read/decoders/reddit.js +142 -0
package/dist/read/decoders/reddit.js.map +1 -0
package/dist/read/decoders/twitter.d.ts +12 -0
package/dist/read/decoders/twitter.js +187 -0
package/dist/read/decoders/twitter.js.map +1 -0
package/dist/read/decoders/wikipedia.d.ts +2 -0
package/dist/read/decoders/wikipedia.js +66 -0
package/dist/read/decoders/wikipedia.js.map +1 -0
package/dist/read/decoders/youtube.d.ts +2 -0
package/dist/read/decoders/youtube.js +69 -0
package/dist/read/decoders/youtube.js.map +1 -0
package/dist/read/extract.d.ts +25 -0
package/dist/read/extract.js +320 -0
package/dist/read/extract.js.map +1 -0
package/dist/read/index.d.ts +14 -0
package/dist/read/index.js +66 -0
package/dist/read/index.js.map +1 -0
package/dist/read/peek.d.ts +9 -0
package/dist/read/peek.js +137 -0
package/dist/read/peek.js.map +1 -0
package/dist/read/types.d.ts +44 -0
package/dist/read/types.js +3 -0
package/dist/read/types.js.map +1 -0
package/dist/replay/engine.d.ts +53 -0
package/dist/replay/engine.js +441 -0
package/dist/replay/engine.js.map +1 -0
package/dist/replay/truncate.d.ts +16 -0
package/dist/replay/truncate.js +92 -0
package/dist/replay/truncate.js.map +1 -0
package/dist/serve.d.ts +31 -0
package/dist/serve.js +149 -0
package/dist/serve.js.map +1 -0
package/dist/skill/generator.d.ts +44 -0
package/dist/skill/generator.js +419 -0
package/dist/skill/generator.js.map +1 -0
package/dist/skill/importer.d.ts +26 -0
package/dist/skill/importer.js +80 -0
package/dist/skill/importer.js.map +1 -0
package/dist/skill/search.d.ts +19 -0
package/dist/skill/search.js +51 -0
package/dist/skill/search.js.map +1 -0
package/dist/skill/signing.d.ts +16 -0
package/dist/skill/signing.js +34 -0
package/dist/skill/signing.js.map +1 -0
package/dist/skill/ssrf.d.ts +27 -0
package/dist/skill/ssrf.js +210 -0
package/dist/skill/ssrf.js.map +1 -0
package/dist/skill/store.d.ts +7 -0
package/dist/skill/store.js +93 -0
package/dist/skill/store.js.map +1 -0
package/dist/stats/report.d.ts +26 -0
package/dist/stats/report.js +157 -0
package/dist/stats/report.js.map +1 -0
package/dist/types.d.ts +214 -0
package/dist/types.js +3 -0
package/dist/types.js.map +1 -0
package/package.json +58 -0
package/src/auth/crypto.ts +92 -0
package/src/auth/handoff.ts +229 -0
package/src/auth/manager.ts +140 -0
package/src/auth/oauth-refresh.ts +120 -0
package/src/auth/refresh.ts +300 -0
package/src/capture/anti-bot.ts +63 -0
package/src/capture/blocklist.ts +75 -0
package/src/capture/body-diff.ts +109 -0
package/src/capture/body-variables.ts +156 -0
package/src/capture/domain.ts +34 -0
package/src/capture/entropy.ts +121 -0
package/src/capture/filter.ts +56 -0
package/src/capture/graphql.ts +124 -0
package/src/capture/idle.ts +45 -0
package/src/capture/monitor.ts +224 -0
package/src/capture/oauth-detector.ts +106 -0
package/src/capture/pagination.ts +49 -0
package/src/capture/parameterize.ts +68 -0
package/src/capture/scrubber.ts +49 -0
package/src/capture/session.ts +502 -0
package/src/capture/token-detector.ts +76 -0
package/src/capture/verifier.ts +171 -0
package/src/cli.ts +1031 -0
package/src/discovery/auth.ts +99 -0
package/src/discovery/fetch.ts +85 -0
package/src/discovery/frameworks.ts +231 -0
package/src/discovery/index.ts +256 -0
package/src/discovery/openapi.ts +230 -0
package/src/discovery/probes.ts +76 -0
package/src/index.ts +26 -0
package/src/inspect/report.ts +247 -0
package/src/mcp.ts +618 -0
package/src/orchestration/browse.ts +250 -0
package/src/orchestration/cache.ts +37 -0
package/src/plugin.ts +188 -0
package/src/read/decoders/deepwiki.ts +180 -0
package/src/read/decoders/grokipedia.ts +246 -0
package/src/read/decoders/hackernews.ts +198 -0
package/src/read/decoders/index.ts +15 -0
package/src/read/decoders/reddit.ts +158 -0
package/src/read/decoders/twitter.ts +211 -0
package/src/read/decoders/wikipedia.ts +75 -0
package/src/read/decoders/youtube.ts +75 -0
package/src/read/extract.ts +396 -0
package/src/read/index.ts +78 -0
package/src/read/peek.ts +175 -0
package/src/read/types.ts +37 -0
package/src/replay/engine.ts +559 -0
package/src/replay/truncate.ts +116 -0
package/src/serve.ts +189 -0
package/src/skill/generator.ts +473 -0
package/src/skill/importer.ts +107 -0
package/src/skill/search.ts +76 -0
package/src/skill/signing.ts +36 -0
package/src/skill/ssrf.ts +238 -0
package/src/skill/store.ts +107 -0
package/src/stats/report.ts +208 -0
package/src/types.ts +233 -0

package/src/capture/oauth-detector.ts ADDED Viewed

@@ -0,0 +1,106 @@
+// src/capture/oauth-detector.ts
+export interface OAuthInfo {
+  tokenEndpoint: string;
+  clientId: string;
+  grantType: 'refresh_token' | 'client_credentials';
+  scope?: string;
+  clientSecret?: string;
+}
+/**
+ * Detect OAuth2 token endpoint requests from captured traffic.
+ * Only recognizes refreshable flows (refresh_token, client_credentials).
+ * Ignores authorization_code (initial auth, not refreshable in isolation).
+ */
+export function isOAuthTokenRequest(req: {
+  url: string;
+  method: string;
+  headers: Record<string, string>;
+  postData?: string;
+}): OAuthInfo | null {
+  // Only POST requests
+  if (req.method.toUpperCase() !== 'POST') return null;
+  // URL heuristic: must contain /token or /oauth
+  const urlLower = req.url.toLowerCase();
+  if (!urlLower.includes('/token') && !urlLower.includes('/oauth')) return null;
+  if (!req.postData) return null;
+  // Parse body — support URL-encoded and JSON
+  const params = parseBody(req.postData, req.headers['content-type'] ?? '');
+  if (!params) return null;
+  const grantType = params.get('grant_type');
+  if (!grantType) return null;
+  // Only refreshable flows
+  if (grantType !== 'refresh_token' && grantType !== 'client_credentials') return null;
+  // Extract client_id — may also be in Basic auth header
+  let clientId = params.get('client_id') ?? '';
+  let clientSecret = params.get('client_secret');
+  if (!clientId) {
+    const basic = parseBasicAuth(req.headers['authorization'] ?? '');
+    if (basic) {
+      clientId = basic.username;
+      if (!clientSecret) clientSecret = basic.password;
+    }
+  }
+  if (!clientId) return null;
+  const result: OAuthInfo = {
+    tokenEndpoint: req.url.split('?')[0]!, // strip query params
+    clientId,
+    grantType: grantType as 'refresh_token' | 'client_credentials',
+  };
+  const scope = params.get('scope');
+  if (scope) result.scope = scope;
+  if (clientSecret) result.clientSecret = clientSecret;
+  return result;
+}
+function parseBody(body: string, contentType: string): Map<string, string> | null {
+  try {
+    if (contentType.includes('application/json')) {
+      const obj = JSON.parse(body);
+      if (typeof obj !== 'object' || obj === null) return null;
+      const map = new Map<string, string>();
+      for (const [k, v] of Object.entries(obj)) {
+        if (typeof v === 'string') map.set(k, v);
+      }
+      return map;
+    }
+    // Default: URL-encoded (+ is space in application/x-www-form-urlencoded)
+    const map = new Map<string, string>();
+    const pairs = body.split('&');
+    for (const pair of pairs) {
+      const idx = pair.indexOf('=');
+      if (idx === -1) continue;
+      const key = decodeURIComponent(pair.slice(0, idx).replace(/\+/g, ' '));
+      const val = decodeURIComponent(pair.slice(idx + 1).replace(/\+/g, ' '));
+      map.set(key, val);
+    }
+    return map.size > 0 ? map : null;
+  } catch {
+    return null;
+  }
+}
+function parseBasicAuth(header: string): { username: string; password: string } | null {
+  if (!header.startsWith('Basic ')) return null;
+  try {
+    const decoded = Buffer.from(header.slice(6), 'base64').toString('utf-8');
+    const idx = decoded.indexOf(':');
+    if (idx === -1) return null;
+    return { username: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
+  } catch {
+    return null;
+  }
+}

package/src/capture/pagination.ts ADDED Viewed

@@ -0,0 +1,49 @@
+// src/capture/pagination.ts
+import type { PaginationInfo } from '../types.js';
+const OFFSET_PARAMS = new Set(['offset', 'skip']);
+const CURSOR_PARAMS = new Set(['cursor', 'after', 'before', 'next_cursor', 'starting_after']);
+const PAGE_PARAMS = new Set(['page', 'p', 'page_number']);
+const LIMIT_PARAMS = new Set(['limit', 'per_page', 'page_size', 'count', 'size']);
+/**
+ * Detect pagination patterns from query parameters.
+ * Returns null if no pagination pattern is detected.
+ */
+export function detectPagination(
+  queryParams: Record<string, { type: string; example: string }>,
+): PaginationInfo | null {
+  const paramNames = Object.keys(queryParams);
+  const limitParam = paramNames.find(p => LIMIT_PARAMS.has(p.toLowerCase()));
+  // Check offset-based (offset/skip + optional limit)
+  for (const name of paramNames) {
+    if (OFFSET_PARAMS.has(name.toLowerCase())) {
+      return {
+        type: 'offset',
+        paramName: name,
+        ...(limitParam ? { limitParam } : {}),
+      };
+    }
+  }
+  // Check cursor-based
+  for (const name of paramNames) {
+    if (CURSOR_PARAMS.has(name.toLowerCase())) {
+      return { type: 'cursor', paramName: name };
+    }
+  }
+  // Check page-based
+  for (const name of paramNames) {
+    if (PAGE_PARAMS.has(name.toLowerCase())) {
+      return {
+        type: 'page',
+        paramName: name,
+        ...(limitParam && limitParam !== name ? { limitParam } : {}),
+      };
+    }
+  }
+  return null;
+}

package/src/capture/parameterize.ts ADDED Viewed

@@ -0,0 +1,68 @@
+// src/capture/parameterize.ts
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const PURE_NUMERIC_RE = /^\d+$/;
+const LONG_DIGITS_RE = /\d{8,}/;
+const NEXT_DATA_PREFIX_RE = /^\/_next\/data\/[^/]+\//;
+/**
+ * Check if a path segment is a dynamic value that should be parameterized.
+ * Returns the parameter name (:id, :hash, :slug) or null if static.
+ */
+function classifySegment(segment: string): string | null {
+  // Pure numeric → :id
+  if (PURE_NUMERIC_RE.test(segment)) return ':id';
+  // UUID → :id
+  if (UUID_RE.test(segment)) return ':id';
+  // Slug with embedded long number (8+ consecutive digits) — check before hash
+  // because slugs like "btc-updown-15m-1770254100" would also match the hash rule
+  if (LONG_DIGITS_RE.test(segment)) {
+    return ':slug';
+  }
+  // Strip hyphens/underscores for character analysis
+  const stripped = segment.replace(/[-_]/g, '');
+  // Hash-like: 12+ alphanumeric chars with both letters and digits
+  if (stripped.length >= 12 && /[a-zA-Z]/.test(stripped) && /\d/.test(stripped)) {
+    return ':hash';
+  }
+  return null;
+}
+/**
+ * Replace dynamic path segments with :param placeholders.
+ *
+ * Rules:
+ * - Pure numeric → :id
+ * - UUID → :id
+ * - 12+ alphanum with mixed letters+digits → :hash
+ * - Contains 8+ consecutive digits → :slug
+ */
+export function parameterizePath(path: string): string {
+  const segments = path.split('/');
+  const result = segments.map(seg => {
+    if (seg === '') return seg;
+    return classifySegment(seg) ?? seg;
+  });
+  return result.join('/');
+}
+/**
+ * Strip framework-specific path noise for clean endpoint IDs.
+ *
+ * - Strips /_next/data/<hash>/ prefix (Next.js data routes)
+ * - Strips .json suffix
+ */
+export function cleanFrameworkPath(path: string): string {
+  let cleaned = path;
+  // Strip _next/data/<hash>/ prefix
+  cleaned = cleaned.replace(NEXT_DATA_PREFIX_RE, '/');
+  // Strip .json suffix
+  cleaned = cleaned.replace(/\.json$/, '');
+  // Ensure we have at least /
+  return cleaned || '/';
+}

package/src/capture/scrubber.ts ADDED Viewed

@@ -0,0 +1,49 @@
+// src/capture/scrubber.ts
+// Email: standard pattern
+const EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g;
+// Phone (international): requires + prefix
+const PHONE_INTL_RE = /\+[1-9]\d{7,14}/g;
+// Phone (US): requires separators — (123) 456-7890 or 123-456-7890 or 123.456.7890
+const PHONE_US_RE = /\(\d{3}\)[-.\s]\d{3}[-.\s]\d{4}|\d{3}[-.\s]\d{3}[-.\s]\d{4}/g;
+// IPv4: four octets, each 0-255, validated programmatically
+const IPV4_RE = /\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b/g;
+// Credit card: 16 digits with optional dashes or spaces every 4
+const CARD_RE = /\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b/g;
+// US SSN: 123-45-6789
+const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;
+/**
+ * Scrub PII from a string. Returns the string with PII replaced by placeholders.
+ * Order matters: SSN before phone (SSN is more specific).
+ */
+export function scrubPII(input: string): string {
+  let result = input;
+  // Email first (most distinctive pattern)
+  result = result.replace(EMAIL_RE, '[email]');
+  // SSN before phone (SSN pattern 123-45-6789 could be confused)
+  result = result.replace(SSN_RE, '[ssn]');
+  // Credit cards
+  result = result.replace(CARD_RE, '[card]');
+  // IPv4 with octet validation
+  result = result.replace(IPV4_RE, (_match, o1, o2, o3, o4) => {
+    const octets = [o1, o2, o3, o4].map(Number);
+    if (octets.every(o => o <= 255)) return '[ip]';
+    return _match;
+  });
+  // Phone (international, then US)
+  result = result.replace(PHONE_INTL_RE, '[phone]');
+  result = result.replace(PHONE_US_RE, '[phone]');
+  return result;
+}