@apitap/core 1.0.6 → 1.0.8

package/README.md

@@ -1,7 +1,7 @@
 # ApiTap
 
 [![npm version](https://img.shields.io/npm/v/@apitap/core)](https://www.npmjs.com/package/@apitap/core)
-[![tests](https://img.shields.io/badge/tests-721%20passing-brightgreen)](https://github.com/n1byn1kt/apitap)
+[![tests](https://img.shields.io/badge/tests-789%20passing-brightgreen)](https://github.com/n1byn1kt/apitap)
 [![license](https://img.shields.io/badge/license-BSL--1.1-blue)](./LICENSE)
 
 **The MCP server that turns any website into an API — no docs, no SDK, no browser.**
@@ -28,6 +28,8 @@ apitap replay gamma-api.polymarket.com get-events  # Call the API directly
 
 No scraping. No browser. Just the API.
 
+![ApiTap demo](https://raw.githubusercontent.com/n1byn1kt/apitap/main/docs/demo.gif)
+
 ---
 
 ## How It Works
@@ -332,7 +334,7 @@ Endpoint replayed
 
 This is especially relevant now that [MCP servers are being used as attack vectors in the wild](https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use) — Google's Threat Intelligence Group recently documented underground toolkits built on compromised MCP servers. ApiTap is designed to be safe even when processing untrusted inputs.
 
-See [docs/security-audit-v1.md](./docs/security-audit-v1.md) for the full security audit (19 findings, current posture 9/10).
+
 
 ## CLI Reference
 
@@ -376,7 +378,7 @@ All commands support `--json` for machine-readable output.
 git clone https://github.com/n1byn1kt/apitap.git
 cd apitap
 npm install
-npm test          # 721 tests, Node built-in test runner
+npm test          # 789 tests, Node built-in test runner
 npm run typecheck # Type checking
 npm run build     # Compile to dist/
 npx tsx src/cli.ts capture <url>  # Run from source

package/dist/auth/crypto.d.ts

@@ -9,7 +9,7 @@ export interface EncryptedData {
  * Uses a fixed application salt — the entropy comes from the machine ID
  * being stretched through 100K iterations.
  */
-export declare function deriveKey(machineId: string): Buffer;
+export declare function deriveKey(machineId: string, saltFile?: string): Buffer;
 /**
  * Encrypt plaintext using AES-256-GCM.
  * Each call generates a random IV for semantic security.

package/dist/auth/crypto.js

@@ -4,14 +4,37 @@ const ALGORITHM = 'aes-256-gcm';
 const KEY_LENGTH = 32; // 256 bits
 const IV_LENGTH = 16;
 const PBKDF2_ITERATIONS = 100_000;
-const PBKDF2_SALT = 'apitap-v0.2-key-derivation';
+// const PBKDF2_SALT = 'apitap-v0.2-key-derivation'; // fallback for migration
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { homedir } from 'node:os';
+function getInstallSalt(saltFile) {
+    const saltPath = saltFile || `${homedir()}/.apitap/install-salt`;
+    if (existsSync(saltPath)) {
+        return readFileSync(saltPath, 'utf8').trim();
+    }
+    // Generate and save new salt
+    const salt = randomBytes(32).toString('hex');
+    try {
+        mkdirSync(saltPath.replace(/\/[^/]+$/, ''), { recursive: true });
+        writeFileSync(saltPath, salt, { mode: 0o600 });
+    }
+    catch { }
+    return salt;
+}
 /**
  * Derive a 256-bit key from a machine identifier using PBKDF2.
  * Uses a fixed application salt — the entropy comes from the machine ID
  * being stretched through 100K iterations.
  */
-export function deriveKey(machineId) {
-    return pbkdf2Sync(machineId, PBKDF2_SALT, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha512');
+export function deriveKey(machineId, saltFile) {
+    // Try per-install salt first, fallback to old constant for migration
+    try {
+        return pbkdf2Sync(machineId, getInstallSalt(saltFile), PBKDF2_ITERATIONS, KEY_LENGTH, 'sha512');
+    }
+    catch {
+        // Fallback for old installs (migration note: remove after all users migrated)
+        return pbkdf2Sync(machineId, 'apitap-v0.2-key-derivation', PBKDF2_ITERATIONS, KEY_LENGTH, 'sha512');
+    }
 }
 /**
  * Encrypt plaintext using AES-256-GCM.
@@ -24,7 +47,7 @@ export function encrypt(plaintext, key) {
     ciphertext += cipher.final('hex');
     const tag = cipher.getAuthTag();
     return {
-        salt: PBKDF2_SALT,
+        salt: 'apitap-v0.2-key-derivation', // Legacy: stored for reference, not used in decrypt
         iv: iv.toString('hex'),
         ciphertext,
         tag: tag.toString('hex'),

package/dist/auth/crypto.js.map

@@ -1 +1 @@
-{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/auth/crypto.ts"],"names":[],"mappings":"AAAA,qBAAqB;AACrB,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,WAAW,EACX,UAAU,EACV,UAAU,EACV,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,WAAW;AAClC,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAClC,MAAM,WAAW,GAAG,4BAA4B,CAAC;AASjD;;;;GAIG;AACH,MAAM,UAAU,SAAS,CAAC,SAAiB;IACzC,OAAO,UAAU,CAAC,SAAS,EAAE,WAAW,EAAE,iBAAiB,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AACrF,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,GAAW;IACpD,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAElD,IAAI,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACzD,UAAU,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEhC,OAAO;QACL,IAAI,EAAE,WAAW;QACjB,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;QACtB,UAAU;QACV,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;KACzB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,IAAmB,EAAE,GAAW;IACtD,MAAM,QAAQ,GAAG,gBAAgB,CAC/B,SAAS,EACT,GAAG,EACH,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,CAC5B,CAAC;IACF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IAElD,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAChE,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAY,EAAE,GAAW;IAChD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAClB,OAAO,eAAe,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,SAAiB,EAAE,GAAW;IACrE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,cAAc,CAAC;QAAE,OAAO,KAAK,CAAC;IAExD,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAErC,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAClD,OAAO,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACzC,CAAC"}
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/auth/crypto.ts"],"names":[],"mappings":"AAAA,qBAAqB;AACrB,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,WAAW,EACX,UAAU,EACV,UAAU,EACV,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,WAAW;AAClC,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAClC,8EAA8E;AAC9E,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,SAAS,cAAc,CAAC,QAAiB;IACvC,MAAM,QAAQ,GAAG,QAAQ,IAAI,GAAG,OAAO,EAAE,uBAAuB,CAAC;IACjE,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzB,OAAO,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IAC/C,CAAC;IACD,6BAA6B;IAC7B,MAAM,IAAI,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC7C,IAAI,CAAC;QACH,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACjE,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,IAAI,CAAC;AACd,CAAC;AAUD;;;;GAIG;AACH,MAAM,UAAU,SAAS,CAAC,SAAiB,EAAE,QAAiB;IAC5D,qEAAqE;IACrE,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,SAAS,EAAE,cAAc,CAAC,QAAQ,CAAC,EAAE,iBAAiB,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IAClG,CAAC;IAAC,MAAM,CAAC;QACP,8EAA8E;QAC9E,OAAO,UAAU,CAAC,SAAS,EAAE,4BAA4B,EAAE,iBAAiB,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IACtG,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,GAAW;IACpD,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAElD,IAAI,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACzD,UAAU,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEhC,OAAO;QACL,IAAI,EAAE,4BAA4B,EAAE,oDAAoD;QACxF,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC;QACtB,UAAU;QACV,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC;KACzB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,IAAmB,EAAE,GAAW;IACtD,MAAM,QAAQ,GAAG,gBAAgB,CAC/B,SAAS,EACT,GAAG,EACH,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,CAC5B,CAAC;IACF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC;IAElD,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAChE,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACpC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAY,EAAE,GAAW;IAChD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAClB,OAAO,eAAe,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,SAAiB,EAAE,GAAW;IACrE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,cAAc,CAAC;QAAE,OAAO,KAAK,CAAC;IAExD,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAErC,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAClD,OAAO,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACzC,CAAC"}

package/dist/auth/manager.d.ts

@@ -6,7 +6,7 @@ import type { StoredAuth, StoredToken, StoredSession } from '../types.js';
 export declare class AuthManager {
     private key;
     private authPath;
-    constructor(baseDir: string, machineId: string);
+    constructor(baseDir: string, machineId: string, saltFile?: string);
     /** Store auth credentials for a domain (overwrites existing). */
     store(domain: string, auth: StoredAuth): Promise<void>;
     /** Retrieve auth credentials for a domain. Returns null if not found or decryption fails. */

package/dist/auth/manager.js

@@ -10,8 +10,8 @@ const AUTH_FILENAME = 'auth.enc';
 export class AuthManager {
     key;
     authPath;
-    constructor(baseDir, machineId) {
-        this.key = deriveKey(machineId);
+    constructor(baseDir, machineId, saltFile) {
+        this.key = deriveKey(machineId, saltFile);
         this.authPath = join(baseDir, AUTH_FILENAME);
     }
     /** Store auth credentials for a domain (overwrites existing). */

package/dist/auth/manager.js.map

@@ -1 +1 @@
-{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/auth/manager.ts"],"names":[],"mappings":"AAAA,sBAAsB;AACtB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAsB,MAAM,aAAa,CAAC;AAG9E,MAAM,aAAa,GAAG,UAAU,CAAC;AAEjC;;;GAGG;AACH,MAAM,OAAO,WAAW;IACd,GAAG,CAAS;IACZ,QAAQ,CAAS;IAEzB,YAAY,OAAe,EAAE,SAAiB;QAC5C,IAAI,CAAC,GAAG,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;QAChC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAC/C,CAAC;IAED,iEAAiE;IACjE,KAAK,CAAC,KAAK,CAAC,MAAc,EAAE,IAAgB;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;QACvB,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED,6FAA6F;IAC7F,KAAK,CAAC,QAAQ,CAAC,MAAc;QAC3B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC;IACjC,CAAC;IAED,mEAAmE;IACnE,KAAK,CAAC,GAAG,CAAC,MAAc;QACtB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,OAAO,MAAM,IAAI,OAAO,CAAC;IAC3B,CAAC;IAED,yEAAyE;IACzE,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,MAAmC;QACnE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACnF,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,MAAM,EAAE,CAAC;QACtC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,gDAAgD;IAChD,KAAK,CAAC,cAAc,CAAC,MAAc;QACjC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,GAAG,CAAC,MAAM,CAAC,EAAE,MAAM,IAAI,IAAI,CAAC;IACrC,CAAC;IAED,gFAAgF;IAChF,KAAK,CAAC,YAAY,CAAC,MAAc,EAAE,OAAsB;QACvD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACnF,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,OAAO,EAAE,CAAC;QACvC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,6CAA6C;IAC7C,KAAK,CAAC,eAAe,CAAC,MAAc;QAClC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,GAAG,CAAC,MAAM,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC;IACtC,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,qBAAqB,CAAC,MAAc,EAAE,KAAuD;QACjG,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACnF,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;YAAE,QAAQ,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;QACjF,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;YAAE,QAAQ,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;QACjF,GAAG,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC;QACvB,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,+CAA+C;IAC/C,KAAK,CAAC,wBAAwB,CAAC,MAAc;QAC3C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QAC1D,OAAO,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;IAC9E,CAAC;IAED,yCAAyC;IACzC,KAAK,CAAC,WAAW;QACf,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,mCAAmC;IACnC,KAAK,CAAC,KAAK,CAAC,MAAc;QACxB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC;QACnB,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACvD,MAAM,SAAS,GAAkB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACrD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO,CAAC,IAAgC;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACtC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEtC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAE/C,MAAM,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3F,+DAA+D;QAC/D,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACpC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QACtD,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,iCAAiC;QACjC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QAC7C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QAC5C,OAAO,GAAG,QAAQ,EAAE,IAAI,OAAO,EAAE,EAAE,CAAC;IACtC,CAAC;AACH,CAAC"}
+{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/auth/manager.ts"],"names":[],"mappings":"AAAA,sBAAsB;AACtB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAsB,MAAM,aAAa,CAAC;AAG9E,MAAM,aAAa,GAAG,UAAU,CAAC;AAEjC;;;GAGG;AACH,MAAM,OAAO,WAAW;IACd,GAAG,CAAS;IACZ,QAAQ,CAAS;IAEzB,YAAY,OAAe,EAAE,SAAiB,EAAE,QAAiB;QAC/D,IAAI,CAAC,GAAG,GAAG,SAAS,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAC/C,CAAC;IAED,iEAAiE;IACjE,KAAK,CAAC,KAAK,CAAC,MAAc,EAAE,IAAgB;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,OAAO,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC;QACvB,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED,6FAA6F;IAC7F,KAAK,CAAC,QAAQ,CAAC,MAAc;QAC3B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC;IACjC,CAAC;IAED,mEAAmE;IACnE,KAAK,CAAC,GAAG,CAAC,MAAc;QACtB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,OAAO,MAAM,IAAI,OAAO,CAAC;IAC3B,CAAC;IAED,yEAAyE;IACzE,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,MAAmC;QACnE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACnF,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,MAAM,EAAE,CAAC;QACtC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,gDAAgD;IAChD,KAAK,CAAC,cAAc,CAAC,MAAc;QACjC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,GAAG,CAAC,MAAM,CAAC,EAAE,MAAM,IAAI,IAAI,CAAC;IACrC,CAAC;IAED,gFAAgF;IAChF,KAAK,CAAC,YAAY,CAAC,MAAc,EAAE,OAAsB;QACvD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACnF,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,QAAQ,EAAE,OAAO,EAAE,CAAC;QACvC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,6CAA6C;IAC7C,KAAK,CAAC,eAAe,CAAC,MAAc;QAClC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,GAAG,CAAC,MAAM,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC;IACtC,CAAC;IAED,wEAAwE;IACxE,KAAK,CAAC,qBAAqB,CAAC,MAAc,EAAE,KAAuD;QACjG,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,QAAiB,EAAE,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QACnF,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;YAAE,QAAQ,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;QACjF,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS;YAAE,QAAQ,CAAC,YAAY,GAAG,KAAK,CAAC,YAAY,CAAC;QACjF,GAAG,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC;QACvB,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,+CAA+C;IAC/C,KAAK,CAAC,wBAAwB,CAAC,MAAc;QAC3C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QAC1D,OAAO,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;IAC9E,CAAC;IAED,yCAAyC;IACzC,KAAK,CAAC,WAAW;QACf,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAED,mCAAmC;IACnC,KAAK,CAAC,KAAK,CAAC,MAAc;QACxB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QACjC,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC;QACnB,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC1B,CAAC;IAEO,KAAK,CAAC,OAAO;QACnB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACvD,MAAM,SAAS,GAAkB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACrD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,OAAO,CAAC,IAAgC;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACtC,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEtC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAE/C,MAAM,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3F,+DAA+D;QAC/D,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACpC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QACtD,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,iCAAiC;QACjC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QAC7C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;QAC5C,OAAO,GAAG,QAAQ,EAAE,IAAI,OAAO,EAAE,EAAE,CAAC;IACtC,CAAC;AACH,CAAC"}

package/dist/discovery/fetch.js

@@ -27,9 +27,21 @@ export async function safeFetch(url, options = {}) {
                 'User-Agent': USER_AGENT,
                 'Accept': 'text/html,application/json,*/*',
             },
-            redirect: 'follow',
+            redirect: 'manual',
         });
         clearTimeout(timer);
+        // SSRF-safe manual redirect (one hop max)
+        if (response.status >= 300 && response.status < 400 && response.headers.has('location')) {
+            const location = response.headers.get('location');
+            if (!location)
+                return null;
+            const redirectUrl = new URL(location, url).toString();
+            const ssrfResult = validateUrl(redirectUrl);
+            if (!ssrfResult.safe)
+                return null;
+            // Follow one redirect hop only
+            return await safeFetch(redirectUrl, { ...options, skipSsrf: true });
+        }
         // Extract headers
         const headers = {};
         response.headers.forEach((value, key) => {

package/dist/discovery/fetch.js.map

@@ -1 +1 @@
-{"version":3,"file":"fetch.js","sourceRoot":"","sources":["../../src/discovery/fetch.ts"],"names":[],"mappings":"AAAA,yBAAyB;AACzB,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAgB/C,MAAM,eAAe,GAAG,IAAI,CAAC;AAC7B,MAAM,gBAAgB,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,QAAQ;AAC7C,MAAM,UAAU,GAAG,sBAAsB,CAAC;AAE1C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,GAAW,EACX,UAA4B,EAAE;IAE9B,aAAa;IACb,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACtB,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,UAAU,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;IACpC,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,eAAe,CAAC;IACnD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC;IACvC,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,IAAI,gBAAgB,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;QAE5D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM;YACN,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,OAAO,EAAE;gBACP,YAAY,EAAE,UAAU;gBACxB,QAAQ,EAAE,gCAAgC;aAC3C;YACD,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;QAEH,YAAY,CAAC,KAAK,CAAC,CAAC;QAEpB,kBAAkB;QAClB,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACtC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAG,KAAK,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAElD,qCAAqC;QACrC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,CAAC;QACrE,CAAC;QAED,4BAA4B;QAC5B,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEtD,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,QAAkB,EAAE,OAAe;IAChE,yEAAyE;IACzE,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,IAAI,CAAC,MAAM,GAAG,OAAO,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"fetch.js","sourceRoot":"","sources":["../../src/discovery/fetch.ts"],"names":[],"mappings":"AAAA,yBAAyB;AACzB,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAgB/C,MAAM,eAAe,GAAG,IAAI,CAAC;AAC7B,MAAM,gBAAgB,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,QAAQ;AAC7C,MAAM,UAAU,GAAG,sBAAsB,CAAC;AAE1C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,GAAW,EACX,UAA4B,EAAE;IAE9B,aAAa;IACb,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACtB,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,UAAU,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;IACpC,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,eAAe,CAAC;IACnD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC;IACvC,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,IAAI,gBAAgB,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;QAE5D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM;YACN,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,OAAO,EAAE;gBACP,YAAY,EAAE,UAAU;gBACxB,QAAQ,EAAE,gCAAgC;aAC3C;YACD,QAAQ,EAAE,QAAQ;SACnB,CAAC,CAAC;QAEH,YAAY,CAAC,KAAK,CAAC,CAAC;QAEpB,0CAA0C;QAC1C,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YACxF,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAClD,IAAI,CAAC,QAAQ;gBAAE,OAAO,IAAI,CAAC;YAC3B,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC;YACtD,MAAM,UAAU,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;YAC5C,IAAI,CAAC,UAAU,CAAC,IAAI;gBAAE,OAAO,IAAI,CAAC;YAClC,+BAA+B;YAC/B,OAAO,MAAM,SAAS,CAAC,WAAW,EAAE,EAAE,GAAG,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,kBAAkB;QAClB,MAAM,OAAO,GAA2B,EAAE,CAAC;QAC3C,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACtC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAG,KAAK,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAElD,qCAAqC;QACrC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,CAAC;QACrE,CAAC;QAED,4BAA4B;QAC5B,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAEtD,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,QAAkB,EAAE,OAAe;IAChE,yEAAyE;IACzE,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,IAAI,CAAC,MAAM,GAAG,OAAO,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@apitap/core",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "description": "Intercept web API traffic during browsing. Generate portable skill files so AI agents can call APIs directly instead of scraping.",
   "type": "module",
   "main": "dist/index.js",

package/src/auth/crypto.ts

@@ -12,7 +12,24 @@ const ALGORITHM = 'aes-256-gcm';
 const KEY_LENGTH = 32; // 256 bits
 const IV_LENGTH = 16;
 const PBKDF2_ITERATIONS = 100_000;
-const PBKDF2_SALT = 'apitap-v0.2-key-derivation';
+// const PBKDF2_SALT = 'apitap-v0.2-key-derivation'; // fallback for migration
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { homedir } from 'node:os';
+
+function getInstallSalt(saltFile?: string): string {
+  const saltPath = saltFile || `${homedir()}/.apitap/install-salt`;
+  if (existsSync(saltPath)) {
+    return readFileSync(saltPath, 'utf8').trim();
+  }
+  // Generate and save new salt
+  const salt = randomBytes(32).toString('hex');
+  try {
+    mkdirSync(saltPath.replace(/\/[^/]+$/, ''), { recursive: true });
+    writeFileSync(saltPath, salt, { mode: 0o600 });
+  } catch {}
+  return salt;
+}
+
 
 export interface EncryptedData {
   salt: string;
@@ -26,8 +43,14 @@ export interface EncryptedData {
  * Uses a fixed application salt — the entropy comes from the machine ID
  * being stretched through 100K iterations.
  */
-export function deriveKey(machineId: string): Buffer {
-  return pbkdf2Sync(machineId, PBKDF2_SALT, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha512');
+export function deriveKey(machineId: string, saltFile?: string): Buffer {
+  // Try per-install salt first, fallback to old constant for migration
+  try {
+    return pbkdf2Sync(machineId, getInstallSalt(saltFile), PBKDF2_ITERATIONS, KEY_LENGTH, 'sha512');
+  } catch {
+    // Fallback for old installs (migration note: remove after all users migrated)
+    return pbkdf2Sync(machineId, 'apitap-v0.2-key-derivation', PBKDF2_ITERATIONS, KEY_LENGTH, 'sha512');
+  }
 }
 
 /**
@@ -43,7 +66,7 @@ export function encrypt(plaintext: string, key: Buffer): EncryptedData {
   const tag = cipher.getAuthTag();
 
   return {
-    salt: PBKDF2_SALT,
+    salt: 'apitap-v0.2-key-derivation', // Legacy: stored for reference, not used in decrypt
     iv: iv.toString('hex'),
     ciphertext,
     tag: tag.toString('hex'),

package/src/auth/handoff.ts

@@ -1,6 +1,7 @@
 // src/auth/handoff.ts
 import type { AuthManager } from './manager.js';
 import type { StoredSession, StoredAuth } from '../types.js';
+import { launchBrowser } from '../capture/browser.js';
 
 export interface HandoffOptions {
   domain: string;
@@ -98,15 +99,12 @@ async function doHandoff(
   const loginUrl = options.loginUrl || `https://${domain}`;
   const timeout = options.timeout ?? 300_000; // 5 minutes
 
-  const { chromium } = await import('playwright');
-
-  const browser = await chromium.launch({ headless: false });
+  const { browser, context } = await launchBrowser({ headless: false });
 
   try {
-    const context = await browser.newContext();
 
     // Restore existing session cookies if available (warm start)
-    const cachedSession = await authManager.retrieveSession(domain);
+    const cachedSession = await authManager.retrieveSessionWithFallback(domain);
     if (cachedSession?.cookies?.length) {
       await context.addCookies(cachedSession.cookies);
     }
@@ -161,8 +159,13 @@ async function doHandoff(
       );
 
       if (hasSessionCookie || authDetected) {
-        // Wait a bit more for any final redirects/requests
-        await page.waitForTimeout(2000);
+        // Grace period: 4 additional polls at 2s each (~8s total)
+        // Allows time for MFA, CAPTCHAs, and post-login redirects
+        for (let grace = 0; grace < 4; grace++) {
+          if (page.isClosed()) break;
+          await page.waitForLoadState('networkidle', { timeout: 3000 }).catch(() => {});
+          await page.waitForTimeout(2000);
+        }
         loginDetected = true;
         break;
       }

package/src/auth/manager.ts

@@ -14,8 +14,8 @@ export class AuthManager {
   private key: Buffer;
   private authPath: string;
 
-  constructor(baseDir: string, machineId: string) {
-    this.key = deriveKey(machineId);
+  constructor(baseDir: string, machineId: string, saltFile?: string) {
+    this.key = deriveKey(machineId, saltFile);
     this.authPath = join(baseDir, AUTH_FILENAME);
   }
 
@@ -66,6 +66,25 @@ export class AuthManager {
     return all[domain]?.session ?? null;
   }
 
+  /**
+   * Retrieve session with subdomain fallback.
+   * Tries exact match first, then walks up parent domains.
+   * e.g., dashboard.twitch.tv → twitch.tv
+   */
+  async retrieveSessionWithFallback(domain: string): Promise<StoredSession | null> {
+    // Try exact match first
+    const exact = await this.retrieveSession(domain);
+    if (exact) return exact;
+
+    // Try parent domains
+    for (const parent of getParentDomains(domain)) {
+      const session = await this.retrieveSession(parent);
+      if (session) return session;
+    }
+
+    return null;
+  }
+
   /** Store OAuth credentials for a domain (merges with existing auth). */
   async storeOAuthCredentials(domain: string, creds: { refreshToken?: string; clientSecret?: string }): Promise<void> {
     const all = await this.loadAll();
@@ -122,6 +141,24 @@ export class AuthManager {
   }
 }
 
+/**
+ * Get parent domains for subdomain fallback.
+ * dashboard.twitch.tv → ["twitch.tv"]
+ * a.b.example.com → ["b.example.com", "example.com"]
+ * twitch.tv → [] (already base, 2 labels)
+ */
+export function getParentDomains(domain: string): string[] {
+  const parts = domain.split('.');
+  const parents: string[] = [];
+
+  // Stop at 2 labels (e.g., "example.com" is the minimum)
+  for (let i = 1; i < parts.length - 1; i++) {
+    parents.push(parts.slice(i).join('.'));
+  }
+
+  return parents;
+}
+
 /**
  * Get the machine ID for key derivation.
  * Linux: /etc/machine-id

package/src/auth/oauth-refresh.ts

@@ -56,9 +56,11 @@ export async function refreshOAuth(
     'oauth2.googleapis.com', 'accounts.google.com',
     'login.microsoftonline.com', 'github.com',
     'oauth.reddit.com', 'api.twitter.com',
+    'auth0.com', 'okta.com',
+    'securetoken.googleapis.com',
   ];
   const tokenHost = new URL(oauthConfig.tokenEndpoint).hostname;
-  if (tokenHost !== domain && !tokenHost.endsWith('.' + domain) && !KNOWN_OAUTH_HOSTS.includes(tokenHost)) {
+  if (tokenHost !== domain && !tokenHost.endsWith('.' + domain) && !isKnownOAuthHost(tokenHost, KNOWN_OAUTH_HOSTS)) {
     return { success: false, error: `Token endpoint domain mismatch: ${tokenHost} vs ${domain}` };
   }
 
@@ -118,3 +120,13 @@ export async function refreshOAuth(
     };
   }
 }
+
+/**
+ * Check if a hostname matches a known OAuth provider.
+ * Supports exact match and subdomain match (e.g., tenant.auth0.com matches auth0.com).
+ */
+function isKnownOAuthHost(tokenHost: string, knownHosts: string[]): boolean {
+  return knownHosts.some(known =>
+    tokenHost === known || tokenHost.endsWith('.' + known)
+  );
+}

package/src/auth/refresh.ts

@@ -2,6 +2,7 @@
 import type { SkillFile, StoredToken, StoredSession } from '../types.js';
 import type { AuthManager } from './manager.js';
 import { refreshOAuth, type OAuthRefreshResult } from './oauth-refresh.js';
+import { launchBrowser } from '../capture/browser.js';
 
 export interface RefreshOptions {
   domain: string;
@@ -197,22 +198,19 @@ async function doBrowserRefresh(
     return { success: oauthRefreshed, tokens: {}, oauthRefreshed: oauthRefreshed || undefined };
   }
 
-  const { chromium } = await import('playwright');
-
   const browserMode = options.browserMode || skill.auth?.browserMode || 'headless';
   const refreshUrl = options.refreshUrl || skill.auth?.refreshUrl || skill.baseUrl;
   const timeout = options.timeout || (skill.auth?.captchaRisk ? 300_000 : 30_000);
 
   // Try to restore session from cache
-  const cachedSession = await authManager.retrieveSession(options.domain);
+  const cachedSession = await authManager.retrieveSessionWithFallback(options.domain);
   const sessionValid = cachedSession && isSessionValid(cachedSession);
 
-  const browser = await chromium.launch({
+  const { browser, context } = await launchBrowser({
     headless: browserMode === 'headless',
   });
 
   try {
-    const context = await browser.newContext();
 
     // Restore cookies if session is valid
     if (sessionValid && cachedSession) {

package/src/capture/browser.ts

@@ -0,0 +1,51 @@
+// src/capture/browser.ts
+import type { Browser, BrowserContext } from 'playwright';
+
+const CHROME_USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36';
+
+/**
+ * Launch args that reduce Playwright's automation fingerprint.
+ */
+export function getLaunchArgs(): string[] {
+  return [
+    '--disable-blink-features=AutomationControlled',
+  ];
+}
+
+/**
+ * Realistic Chrome user-agent string for anti-detection.
+ */
+export function getChromeUserAgent(): string {
+  return CHROME_USER_AGENT;
+}
+
+/**
+ * Launch a Chromium browser with anti-detection measures.
+ *
+ * Three layers:
+ * 1. --disable-blink-features=AutomationControlled in launch args
+ * 2. Realistic Chrome UA on context
+ * 3. navigator.webdriver = false via addInitScript
+ * 4. Viewport 1920x1080
+ */
+export async function launchBrowser(options: { headless: boolean }): Promise<{ browser: Browser; context: BrowserContext }> {
+  const { chromium } = await import('playwright');
+
+  const browser = await chromium.launch({
+    headless: options.headless,
+    args: getLaunchArgs(),
+  });
+
+  const context = await browser.newContext({
+    userAgent: CHROME_USER_AGENT,
+    viewport: { width: 1920, height: 1080 },
+  });
+
+  await context.addInitScript(() => {
+    Object.defineProperty(navigator, 'webdriver', {
+      get: () => false,
+    });
+  });
+
+  return { browser, context };
+}

package/src/capture/monitor.ts

@@ -5,6 +5,7 @@ import { isDomainMatch } from './domain.js';
 import { SkillGenerator, type GeneratorOptions } from '../skill/generator.js';
 import { IdleTracker } from './idle.js';
 import { detectCaptcha } from '../auth/refresh.js';
+import { launchBrowser } from './browser.js';
 import type { CapturedExchange } from '../types.js';
 
 export interface CaptureOptions {
@@ -31,7 +32,7 @@ export interface CaptureResult {
 
 const DEFAULT_CDP_PORTS = [18792, 18800, 9222];
 
-async function connectToBrowser(options: CaptureOptions): Promise<{ browser: Browser; launched: boolean }> {
+async function connectToBrowser(options: CaptureOptions): Promise<{ browser: Browser; launched: boolean; launchContext?: import('playwright').BrowserContext }> {
   if (!options.launch) {
     const ports = options.port ? [options.port] : DEFAULT_CDP_PORTS;
     for (const port of ports) {
@@ -49,12 +50,12 @@ async function connectToBrowser(options: CaptureOptions): Promise<{ browser: Bro
     throw new Error(`No browser found on CDP ports: ${ports.join(', ')}. Is a Chromium browser running with remote debugging?`);
   }
 
-  const browser = await chromium.launch({ headless: options.headless ?? (process.env.DISPLAY ? false : true) });
-  return { browser, launched: true };
+  const { browser, context } = await launchBrowser({ headless: options.headless ?? (process.env.DISPLAY ? false : true) });
+  return { browser, launched: true, launchContext: context };
 }
 
 export async function capture(options: CaptureOptions): Promise<CaptureResult> {
-  const { browser, launched } = await connectToBrowser(options);
+  const { browser, launched, launchContext } = await connectToBrowser(options);
   const generators = new Map<string, SkillGenerator>();
   let totalRequests = 0;
   let filteredRequests = 0;
@@ -73,7 +74,10 @@ export async function capture(options: CaptureOptions): Promise<CaptureResult> {
   let idleInterval: ReturnType<typeof setInterval> | null = null;
 
   let page: Page;
-  if (launched) {
+  if (launched && launchContext) {
+    page = await launchContext.newPage();
+  } else if (launched) {
+    // Fallback: shouldn't happen, but handle gracefully
     const context = await browser.newContext();
     page = await context.newPage();
   } else {

package/src/capture/oauth-detector.ts

@@ -6,6 +6,7 @@ export interface OAuthInfo {
   grantType: 'refresh_token' | 'client_credentials';
   scope?: string;
   clientSecret?: string;
+  refreshToken?: string;
 }
 
 /**
@@ -26,18 +27,48 @@ export function isOAuthTokenRequest(req: {
   const urlLower = req.url.toLowerCase();
   if (!urlLower.includes('/token') && !urlLower.includes('/oauth')) return null;
 
+  // Parse URL once — reused for query param fallback and Firebase detection
+  let parsedUrl: URL;
+  try {
+    parsedUrl = new URL(req.url);
+  } catch {
+    return null;
+  }
+
   if (!req.postData) return null;
 
   // Parse body — support URL-encoded and JSON
   const params = parseBody(req.postData, req.headers['content-type'] ?? '');
   if (!params) return null;
 
-  const grantType = params.get('grant_type');
+  // grant_type: body takes precedence, URL query param as fallback (Supabase GoTrue)
+  let grantType = params.get('grant_type');
+  if (!grantType) {
+    grantType = parsedUrl.searchParams.get('grant_type') ?? undefined;
+  }
   if (!grantType) return null;
 
   // Only refreshable flows
   if (grantType !== 'refresh_token' && grantType !== 'client_credentials') return null;
 
+  // Firebase provider-specific detection:
+  // securetoken.googleapis.com uses ?key= instead of client_id
+  if (
+    parsedUrl.hostname === 'securetoken.googleapis.com' &&
+    parsedUrl.searchParams.has('key') &&
+    grantType === 'refresh_token'
+  ) {
+    const firebaseKey = parsedUrl.searchParams.get('key')!;
+    const result: OAuthInfo = {
+      tokenEndpoint: req.url, // Keep full URL with ?key= param
+      clientId: firebaseKey,
+      grantType: 'refresh_token',
+    };
+    const refreshToken = params.get('refresh_token');
+    if (refreshToken) result.refreshToken = refreshToken;
+    return result;
+  }
+
   // Extract client_id — may also be in Basic auth header
   let clientId = params.get('client_id') ?? '';
   let clientSecret = params.get('client_secret');
@@ -61,6 +92,8 @@ export function isOAuthTokenRequest(req: {
   const scope = params.get('scope');
   if (scope) result.scope = scope;
   if (clientSecret) result.clientSecret = clientSecret;
+  const refreshToken = params.get('refresh_token');
+  if (refreshToken) result.refreshToken = refreshToken;
 
   return result;
 }

package/src/capture/session.ts

@@ -1,7 +1,8 @@
 // src/capture/session.ts
-import { chromium, type Browser, type Page } from 'playwright';
+import { type Browser, type Page } from 'playwright';
 import { randomUUID } from 'node:crypto';
 import { shouldCapture } from './filter.js';
+import { launchBrowser } from './browser.js';
 import { isDomainMatch } from './domain.js';
 import { SkillGenerator, type GeneratorOptions } from '../skill/generator.js';
 import { detectCaptcha } from '../auth/refresh.js';
@@ -53,8 +54,8 @@ export class CaptureSession {
     this.targetUrl = url.startsWith('http') ? url : `https://${url}`;
     const headless = this.options.headless ?? true;
 
-    this.browser = await chromium.launch({ headless });
-    const context = await this.browser.newContext();
+    const { browser, context } = await launchBrowser({ headless });
+    this.browser = browser;
 
     // Inject cached session cookies if available
     try {
@@ -62,7 +63,7 @@ export class CaptureSession {
       const machineId = await getMachineId();
       const authManager = new AuthManager(authDir, machineId);
       const domain = new URL(this.targetUrl).hostname;
-      const cachedSession = await authManager.retrieveSession(domain);
+      const cachedSession = await authManager.retrieveSessionWithFallback(domain);
       if (cachedSession?.cookies?.length) {
         await context.addCookies(cachedSession.cookies);
       }
@@ -224,8 +225,12 @@ export class CaptureSession {
       const oauthConfig = generator.getOAuthConfig();
       if (oauthConfig) {
         const clientSecret = generator.getOAuthClientSecret();
-        if (clientSecret) {
-          await authManager.storeOAuthCredentials(domain, { clientSecret });
+        const refreshToken = generator.getOAuthRefreshToken();
+        if (clientSecret || refreshToken) {
+          await authManager.storeOAuthCredentials(domain, {
+            ...(clientSecret ? { clientSecret } : {}),
+            ...(refreshToken ? { refreshToken } : {}),
+          });
         }
       }
 

package/src/cli.ts

@@ -211,8 +211,12 @@ async function handleCapture(positional: string[], flags: Record<string, string
       const oauthConfig = generator.getOAuthConfig();
       if (oauthConfig) {
         const clientSecret = generator.getOAuthClientSecret();
-        if (clientSecret) {
-          await authManager.storeOAuthCredentials(domain, { clientSecret });
+        const refreshToken = generator.getOAuthRefreshToken();
+        if (clientSecret || refreshToken) {
+          await authManager.storeOAuthCredentials(domain, {
+            ...(clientSecret ? { clientSecret } : {}),
+            ...(refreshToken ? { refreshToken } : {}),
+          });
         }
       }
 

package/src/discovery/fetch.ts

@@ -48,11 +48,22 @@ export async function safeFetch(
         'User-Agent': USER_AGENT,
         'Accept': 'text/html,application/json,*/*',
       },
-      redirect: 'follow',
+      redirect: 'manual',
     });
 
     clearTimeout(timer);
 
+    // SSRF-safe manual redirect (one hop max)
+    if (response.status >= 300 && response.status < 400 && response.headers.has('location')) {
+      const location = response.headers.get('location');
+      if (!location) return null;
+      const redirectUrl = new URL(location, url).toString();
+      const ssrfResult = validateUrl(redirectUrl);
+      if (!ssrfResult.safe) return null;
+      // Follow one redirect hop only
+      return await safeFetch(redirectUrl, { ...options, skipSsrf: true });
+    }
+
     // Extract headers
     const headers: Record<string, string> = {};
     response.headers.forEach((value, key) => {

package/src/skill/generator.ts

@@ -180,6 +180,7 @@ export class SkillGenerator {
   private captchaRisk = false;
   private oauthConfig: OAuthConfig | null = null;
   private oauthClientSecret: string | undefined;
+  private oauthRefreshToken: string | undefined;
   private totalNetworkBytes = 0; // v1.0: accumulate all response sizes
 
   /** Number of unique endpoints captured so far */
@@ -255,6 +256,7 @@ export class SkillGenerator {
         ...(oauthInfo.scope ? { scope: oauthInfo.scope } : {}),
       };
       this.oauthClientSecret = oauthInfo.clientSecret;
+      this.oauthRefreshToken = oauthInfo.refreshToken;
     }
 
     // Extract auth before filtering headers (includes entropy-based detection)
@@ -402,6 +404,11 @@ export class SkillGenerator {
     return this.oauthClientSecret;
   }
 
+  /** Get the refresh token captured from OAuth traffic (for encrypted storage). */
+  getOAuthRefreshToken(): string | undefined {
+    return this.oauthRefreshToken;
+  }
+
   /** Check if any endpoint has refreshable tokens. */
   private hasRefreshableTokens(): boolean {
     for (const endpoint of this.endpoints.values()) {