@apitap/core 1.0.10 → 1.0.11

package/README.md

@@ -384,6 +384,10 @@ npm run build     # Compile to dist/
 npx tsx src/cli.ts capture <url>  # Run from source
 ```
 
+## Contact
+
+Questions, feedback, or issues? → **[hello@apitap.io](mailto:hello@apitap.io)**
+
 ## License
 
 [Business Source License 1.1](./LICENSE) — **free for all non-competing use** (personal, internal, educational, research, open source). Cannot be rebranded and sold as a competing service. Converts to Apache 2.0 on February 7, 2029.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@apitap/core",
-  "version": "1.0.10",
+  "version": "1.0.11",
   "description": "Intercept web API traffic during browsing. Generate portable skill files so AI agents can call APIs directly instead of scraping.",
   "type": "module",
   "main": "dist/index.js",

package/src/auth/handoff.ts

@@ -27,6 +27,11 @@ const TRACKING_COOKIE_PATTERNS = [
   /^_ga/i, /^_gid/i, /^_fb/i, /^_gcl/i, /^__utm/i,
 ];
 
+// Common anonymous/bootstrap cookies that should not end auth flow
+const ANONYMOUS_COOKIE_PATTERNS = [
+  /^anon/i, /^guest/i, /^visitor/i, /^ab[_-]?test/i, /^optanon/i, /^consent/i,
+];
+
 /**
  * Detect whether a response indicates successful login.
  * Checks for session-like Set-Cookie headers on 2xx responses.
@@ -57,6 +62,33 @@ export function detectLoginSuccess(
   return SESSION_COOKIE_PATTERNS.some(p => p.test(cookieName));
 }
 
+function isSessionLikeCookieName(name: string): boolean {
+  return SESSION_COOKIE_PATTERNS.some(p => p.test(name));
+}
+
+function isTrackingCookieName(name: string): boolean {
+  return TRACKING_COOKIE_PATTERNS.some(p => p.test(name));
+}
+
+function isAnonymousCookieName(name: string): boolean {
+  return ANONYMOUS_COOKIE_PATTERNS.some(p => p.test(name));
+}
+
+export function hasHighConfidenceAuthTransition(
+  baselineCookieValues: Map<string, string>,
+  currentCookies: Array<{ name: string; value: string }>,
+): boolean {
+  return currentCookies.some((cookie) => {
+    const baseline = baselineCookieValues.get(cookie.name);
+    const changedOrNew = baseline === undefined || baseline !== cookie.value;
+    if (!changedOrNew) return false;
+    if (!isSessionLikeCookieName(cookie.name)) return false;
+    if (isTrackingCookieName(cookie.name)) return false;
+    if (isAnonymousCookieName(cookie.name)) return false;
+    return true;
+  });
+}
+
 // Mutex to prevent concurrent handoffs for the same domain
 const handoffLocks = new Map<string, Promise<HandoffResult>>();
 
@@ -144,9 +176,11 @@ async function doHandoff(
     // Navigate to login page
     await page.goto(loginUrl, { waitUntil: 'domcontentloaded', timeout: 30_000 });
 
-    // Baseline: snapshot cookie names present BEFORE login so we can detect new ones
+    // Baseline: snapshot cookie values present BEFORE login so we can detect real transitions
     const baselineCookies = await context.cookies();
-    const baselineCookieNames = new Set(baselineCookies.map(c => c.name));
+    const baselineCookieValues = new Map(
+      baselineCookies.map(c => [c.name, c.value])
+    );
 
     // Poll for login success: check for NEW session-like cookies
     const startTime = Date.now();
@@ -155,15 +189,10 @@ async function doHandoff(
     while (Date.now() - startTime < timeout) {
       await page.waitForTimeout(2000);
 
-      // Only trigger on NEW session-like cookies not present at page load
       const cookies = await context.cookies();
-      const hasNewSessionCookie = cookies.some(c =>
-        !baselineCookieNames.has(c.name) &&
-        SESSION_COOKIE_PATTERNS.some(p => p.test(c.name)) &&
-        !TRACKING_COOKIE_PATTERNS.some(p => p.test(c.name))
-      );
+      const hasAuthTransition = hasHighConfidenceAuthTransition(baselineCookieValues, cookies);
 
-      if (hasNewSessionCookie || authDetected) {
+      if (hasAuthTransition || authDetected) {
         // Grace period: 4 additional polls at 2s each (~8s total)
         // Allows time for MFA, CAPTCHAs, and post-login redirects
         for (let grace = 0; grace < 4; grace++) {

package/src/capture/browser.ts

@@ -9,6 +9,8 @@ const CHROME_USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit
 export function getLaunchArgs(): string[] {
   return [
     '--disable-blink-features=AutomationControlled',
+    '--disable-dev-shm-usage',
+    '--disable-features=IsolateOrigins,site-per-process',
   ];
 }
 
@@ -19,6 +21,10 @@ export function getChromeUserAgent(): string {
   return CHROME_USER_AGENT;
 }
 
+export function shouldPreferSystemChrome(): boolean {
+  return process.env.APITAP_PREFER_SYSTEM_CHROME === '1';
+}
+
 /**
  * Launch a Chromium browser with anti-detection measures.
  *
@@ -31,20 +37,51 @@ export function getChromeUserAgent(): string {
 export async function launchBrowser(options: { headless: boolean }): Promise<{ browser: Browser; context: BrowserContext }> {
   const { chromium } = await import('playwright');
 
-  const browser = await chromium.launch({
+  const launchOptions = {
     headless: options.headless,
     args: getLaunchArgs(),
-  });
+  };
+
+  let browser: Browser;
+  if (shouldPreferSystemChrome()) {
+    try {
+      browser = await chromium.launch({
+        ...launchOptions,
+        channel: 'chrome',
+      });
+    } catch {
+      browser = await chromium.launch(launchOptions);
+    }
+  } else {
+    browser = await chromium.launch(launchOptions);
+  }
 
   const context = await browser.newContext({
     userAgent: CHROME_USER_AGENT,
     viewport: { width: 1920, height: 1080 },
+    locale: 'en-US',
+    extraHTTPHeaders: { 'accept-language': 'en-US,en;q=0.9' },
   });
 
   await context.addInitScript(() => {
     Object.defineProperty(navigator, 'webdriver', {
       get: () => false,
+      configurable: true,
+    });
+    Object.defineProperty(navigator, 'languages', {
+      get: () => ['en-US', 'en'],
+      configurable: true,
+    });
+    Object.defineProperty(navigator, 'plugins', {
+      get: () => [1, 2, 3],
+      configurable: true,
     });
+    if (!(window as any).chrome) {
+      Object.defineProperty(window, 'chrome', {
+        value: { runtime: {} },
+        configurable: true,
+      });
+    }
   });
 
   return { browser, context };

package/src/capture/monitor.ts

@@ -6,6 +6,9 @@ import { SkillGenerator, type GeneratorOptions } from '../skill/generator.js';
 import { IdleTracker } from './idle.js';
 import { detectCaptcha } from '../auth/refresh.js';
 import { launchBrowser } from './browser.js';
+import { AuthManager, getMachineId } from '../auth/manager.js';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
 import type { CapturedExchange } from '../types.js';
 
 export interface CaptureOptions {
@@ -18,6 +21,7 @@ export interface CaptureOptions {
   allDomains?: boolean;
   enablePreview?: boolean;
   scrub?: boolean;
+  authDir?: string;
   onEndpoint?: (endpoint: { id: string; method: string; path: string }) => void;
   onFiltered?: () => void;
   onIdle?: () => void;
@@ -31,6 +35,7 @@ export interface CaptureResult {
 }
 
 const DEFAULT_CDP_PORTS = [18792, 18800, 9222];
+const APITAP_DIR = process.env.APITAP_DIR || join(homedir(), '.apitap');
 
 async function connectToBrowser(options: CaptureOptions): Promise<{ browser: Browser; launched: boolean; launchContext?: import('playwright').BrowserContext }> {
   if (!options.launch) {
@@ -171,6 +176,20 @@ export async function capture(options: CaptureOptions): Promise<CaptureResult> {
     }
   });
 
+  // Inject cached session cookies if available
+  try {
+    const authDir = options.authDir ?? APITAP_DIR;
+    const machineId = await getMachineId();
+    const authManager = new AuthManager(authDir, machineId);
+    const domain = new URL(targetUrl.startsWith('http') ? targetUrl : `https://${targetUrl}`).hostname;
+    const cachedSession = await authManager.retrieveSessionWithFallback(domain);
+    if (cachedSession?.cookies?.length) {
+      await page.context().addCookies(cachedSession.cookies);
+    }
+  } catch {
+    // Auth retrieval failed — proceed without cached session
+  }
+
   await page.goto(options.url, { waitUntil: 'domcontentloaded' });
 
   // Start idle check interval (every 5s) for interactive capture

package/src/capture/session.ts

@@ -15,7 +15,7 @@ import { homedir } from 'node:os';
 import { join } from 'node:path';
 import type { CapturedExchange, PageSnapshot, PageElement, InteractionResult, FinishResult } from '../types.js';
 
-const APITAP_DIR = join(homedir(), '.apitap');
+const APITAP_DIR = process.env.APITAP_DIR || join(homedir(), '.apitap');
 const MAX_ELEMENTS = 100;
 const MAX_TEXT_LENGTH = 200;
 const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes

package/src/cli.ts

@@ -23,6 +23,7 @@ import { homedir } from 'node:os';
 import { join } from 'node:path';
 import { readFileSync } from 'node:fs';
 import { fileURLToPath } from 'node:url';
+import { createMcpServer } from './mcp.js';
 
 const __dirname = fileURLToPath(new URL('.', import.meta.url));
 const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf-8'));
@@ -73,6 +74,7 @@ function printUsage(): void {
     apitap import <file>       Import a skill file with safety validation
     apitap refresh <domain>    Refresh auth tokens via browser
     apitap auth [domain]       View or manage stored auth
+    apitap mcp                 Run the full ApiTap MCP server over stdio
     apitap serve <domain>      Serve a skill file as an MCP server
     apitap browse <url>        Browse a URL (discover + replay in one step)
     apitap peek <url>          Zero-cost triage (HEAD only)
@@ -169,6 +171,7 @@ async function handleCapture(positional: string[], flags: Record<string, string
     port,
     launch: flags.launch === true,
     attach: flags.attach === true,
+    authDir: APITAP_DIR,
     allDomains: flags['all-domains'] === true,
     enablePreview: flags.preview === true,
     scrub: flags['no-scrub'] !== true,
@@ -672,6 +675,16 @@ async function handleServe(positional: string[], flags: Record<string, string |
   }
 }
 
+async function handleMcp(): Promise<void> {
+  const server = createMcpServer({
+    skillsDir: SKILLS_DIR,
+    _skipSsrfCheck: process.env.APITAP_SKIP_SSRF_CHECK === '1',
+  });
+  const { StdioServerTransport } = await import('@modelcontextprotocol/sdk/server/stdio.js');
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+
 function timeAgo(isoDate: string): string {
   const diff = Date.now() - new Date(isoDate).getTime();
   const minutes = Math.floor(diff / 60000);
@@ -705,6 +718,7 @@ async function handleInspect(positional: string[], flags: Record<string, string
     port: typeof flags.port === 'string' ? parseInt(flags.port, 10) : undefined,
     launch: flags.launch === true,
     attach: flags.attach === true,
+    authDir: APITAP_DIR,
     duration,
     allDomains: flags['all-domains'] === true,
     enablePreview: false,
@@ -1009,6 +1023,9 @@ async function main(): Promise<void> {
     case 'serve':
       await handleServe(positional, flags);
       break;
+    case 'mcp':
+      await handleMcp();
+      break;
     case 'inspect':
       await handleInspect(positional, flags);
       break;