@apitap/core 1.1.0 → 1.3.0

package/src/cli.ts

@@ -512,7 +512,12 @@ async function handleRefresh(positional: string[], flags: Record<string, string
   });
 
   if (json) {
-    console.log(JSON.stringify(result, null, 2));
+    // Redact token values from JSON output to prevent credential leaks in logs
+    const safeResult = {
+      ...result,
+      tokens: Object.fromEntries(Object.keys(result.tokens).map(k => [k, '[redacted]'])),
+    };
+    console.log(JSON.stringify(safeResult, null, 2));
   } else if (result.success) {
     if (result.oauthRefreshed) {
       console.log(`  ✓ OAuth token refreshed via token endpoint`);

package/src/discovery/fetch.ts

@@ -1,5 +1,5 @@
 // src/discovery/fetch.ts
-import { validateUrl } from '../skill/ssrf.js';
+import { validateUrl, resolveAndValidateUrl } from '../skill/ssrf.js';
 
 export interface FetchResult {
   status: number;
@@ -53,12 +53,12 @@ export async function safeFetch(
 
     clearTimeout(timer);
 
-    // SSRF-safe manual redirect (one hop max)
+    // SSRF-safe manual redirect (one hop max, with DNS resolution check)
     if (response.status >= 300 && response.status < 400 && response.headers.has('location')) {
       const location = response.headers.get('location');
       if (!location) return null;
       const redirectUrl = new URL(location, url).toString();
-      const ssrfResult = validateUrl(redirectUrl);
+      const ssrfResult = await resolveAndValidateUrl(redirectUrl);
       if (!ssrfResult.safe) return null;
       // Follow one redirect hop only
       return await safeFetch(redirectUrl, { ...options, skipSsrf: true });

package/src/mcp.ts

@@ -103,6 +103,12 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
     },
     async ({ url }) => {
       try {
+        if (!options._skipSsrfCheck) {
+          const validation = await resolveAndValidateUrl(url);
+          if (!validation.safe) {
+            return { content: [{ type: 'text' as const, text: `Blocked: ${validation.reason}` }], isError: true };
+          }
+        }
         const result = await discover(url);
 
         // If we got a skill file, save it automatically
@@ -250,6 +256,12 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       },
     },
     async ({ url, task, maxBytes }) => {
+      if (!options._skipSsrfCheck) {
+        const validation = await resolveAndValidateUrl(url);
+        if (!validation.safe) {
+          return { content: [{ type: 'text' as const, text: `Blocked: ${validation.reason}` }], isError: true };
+        }
+      }
       const { browse: doBrowse } = await import('./orchestration/browse.js');
       const result = await doBrowse(url, {
         skillsDir,
@@ -257,6 +269,8 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
         task,
         maxBytes: maxBytes ?? 50_000,
         _skipSsrfCheck: options._skipSsrfCheck,
+        // In test mode, disable bridge to avoid connecting to real socket
+        ...(options._skipSsrfCheck ? { _bridgeSocketPath: '/nonexistent' } : {}),
       });
       // Only mark as untrusted if it contains external data
       if (result.success && result.data) {
@@ -285,6 +299,12 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
     },
     async ({ url }) => {
       try {
+        if (!options._skipSsrfCheck) {
+          const validation = await resolveAndValidateUrl(url);
+          if (!validation.safe) {
+            return { content: [{ type: 'text' as const, text: `Blocked: ${validation.reason}` }], isError: true };
+          }
+        }
         const result = await peek(url);
         // Peek returns metadata, not content — but still from external source
         return wrapExternalContent(result, 'apitap_peek');
@@ -315,9 +335,11 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
     },
     async ({ url, maxBytes }) => {
       try {
-        const validation = await resolveAndValidateUrl(url);
-        if (!validation.safe) {
-          throw new Error(validation.reason ?? 'URL validation failed');
+        if (!options._skipSsrfCheck) {
+          const validation = await resolveAndValidateUrl(url);
+          if (!validation.safe) {
+            throw new Error(validation.reason ?? 'URL validation failed');
+          }
         }
         const result = await read(url, { maxBytes: maxBytes ?? undefined });
         if (!result) {
@@ -354,6 +376,12 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       },
     },
     async ({ url, duration }) => {
+      if (!options._skipSsrfCheck) {
+        const validation = await resolveAndValidateUrl(url);
+        if (!validation.safe) {
+          return { content: [{ type: 'text' as const, text: `Blocked: ${validation.reason}` }], isError: true };
+        }
+      }
       const dur = duration ?? 30;
       const timeoutMs = (dur + 60) * 1000; // generous timeout: capture duration + 60s for start/finish
 
@@ -406,6 +434,12 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       },
     },
     async ({ url, headless, allDomains }) => {
+      if (!options._skipSsrfCheck) {
+        const validation = await resolveAndValidateUrl(url);
+        if (!validation.safe) {
+          return { content: [{ type: 'text' as const, text: `Blocked: ${validation.reason}` }], isError: true };
+        }
+      }
       if (sessions.size >= MAX_SESSIONS) {
         return {
           content: [{ type: 'text' as const, text: `Maximum ${MAX_SESSIONS} concurrent sessions. Finish or abort an existing session first.` }],

package/src/native-host.ts

@@ -5,6 +5,7 @@
 import { promises as fs } from 'node:fs';
 import path from 'node:path';
 import os from 'node:os';
+import net from 'node:net';
 import { signSkillFile } from './skill/signing.js';
 import { deriveKey } from './auth/crypto.js';
 import { getMachineId } from './auth/manager.js';
@@ -26,7 +27,7 @@ async function signSkillJson(skillJson: string): Promise<string> {
 }
 
 export interface NativeRequest {
-  action: 'save_skill' | 'save_batch' | 'ping';
+  action: 'save_skill' | 'save_batch' | 'ping' | 'capture_request';
   domain?: string;
   skillJson?: string;
   skills?: Array<{ domain: string; skillJson: string }>;
@@ -120,6 +121,94 @@ export async function handleNativeMessage(
   }
 }
 
+// --- Relay handler ---
+
+// Actions handled locally by the native host (filesystem operations)
+const LOCAL_ACTIONS = new Set(['save_skill', 'save_batch', 'ping']);
+
+// Actions relayed to the extension (browser operations)
+const EXTENSION_ACTIONS = new Set(['capture_request']);
+
+export function createRelayHandler(
+  sendToExtension: (msg: any) => Promise<any>,
+  skillsDir: string = SKILLS_DIR,
+): MessageHandler {
+  return async (message: any) => {
+    if (LOCAL_ACTIONS.has(message.action)) {
+      return handleNativeMessage(message, skillsDir);
+    }
+
+    if (EXTENSION_ACTIONS.has(message.action)) {
+      try {
+        return await sendToExtension(message);
+      } catch (err) {
+        return { success: false, error: String(err) };
+      }
+    }
+
+    return { success: false, error: `Unknown action: ${message.action}` };
+  };
+}
+
+// --- Unix socket server for CLI relay ---
+
+export type MessageHandler = (message: any) => Promise<any>;
+
+let socketServer: net.Server | null = null;
+
+export async function startSocketServer(
+  socketPath: string,
+  handler: MessageHandler,
+): Promise<void> {
+  // Clean up stale socket
+  try { await fs.unlink(socketPath); } catch { /* doesn't exist — fine */ }
+
+  return new Promise((resolve, reject) => {
+    socketServer = net.createServer((conn) => {
+      let buffer = '';
+
+      conn.on('data', (chunk) => {
+        buffer += chunk.toString();
+        const newlineIdx = buffer.indexOf('\n');
+        if (newlineIdx === -1) return;
+
+        const line = buffer.slice(0, newlineIdx);
+        buffer = buffer.slice(newlineIdx + 1);
+
+        let request: any;
+        try {
+          request = JSON.parse(line);
+        } catch {
+          conn.end(JSON.stringify({ success: false, error: 'Invalid JSON' }) + '\n');
+          return;
+        }
+
+        handler(request).then(
+          (response) => conn.end(JSON.stringify(response) + '\n'),
+          (err) => conn.end(JSON.stringify({ success: false, error: String(err) }) + '\n'),
+        );
+      });
+
+      conn.on('error', () => { /* client disconnect — ignore */ });
+    });
+
+    socketServer.on('error', reject);
+    socketServer.listen(socketPath, () => {
+      // Restrict socket permissions to owner only
+      fs.chmod(socketPath, 0o600).catch(() => {});
+      resolve();
+    });
+  });
+}
+
+export async function stopSocketServer(): Promise<void> {
+  if (!socketServer) return;
+  return new Promise((resolve) => {
+    socketServer!.close(() => resolve());
+    socketServer = null;
+  });
+}
+
 // --- stdio framing (only runs when executed directly, not when imported for tests) ---
 
 function readMessage(): Promise<NativeRequest | null> {
@@ -206,12 +295,64 @@ const isMainModule = process.argv[1] &&
   (process.argv[1].endsWith('native-host.ts') || process.argv[1].endsWith('native-host.js'));
 
 if (isMainModule) {
+  const bridgeDir = path.join(os.homedir(), '.apitap');
+  const socketPath = path.join(bridgeDir, 'bridge.sock');
+
+  // Pending CLI requests waiting for extension responses
+  const pendingRequests = new Map<string, {
+    resolve: (value: any) => void;
+    timer: ReturnType<typeof setTimeout>;
+  }>();
+  let requestCounter = 0;
+
+  // Send a message to the extension via stdout and wait for response
+  function sendToExtension(message: any): Promise<any> {
+    return new Promise((resolve) => {
+      const id = String(++requestCounter);
+      const timer = setTimeout(() => {
+        pendingRequests.delete(id);
+        resolve({ success: false, error: 'approval_timeout' });
+      }, 60_000);
+
+      pendingRequests.set(id, { resolve, timer });
+
+      // Tag message with ID so we can match the response
+      sendMessage({ ...message, _relayId: id } as any);
+    });
+  }
+
+  const handler = createRelayHandler(sendToExtension);
+
   (async () => {
+    // Ensure bridge directory exists
+    await fs.mkdir(bridgeDir, { recursive: true });
+
+    // Start socket server for CLI connections
+    await startSocketServer(socketPath, handler);
+
+    // Read messages from extension via stdin
     while (true) {
-      const request = await readMessage();
-      if (!request) break;
-      const response = await handleNativeMessage(request);
+      const message = await readMessage();
+      if (!message) break;
+
+      // Check if this is a response to a relayed request
+      const relayId = (message as any)._relayId;
+      if (relayId && pendingRequests.has(relayId)) {
+        const pending = pendingRequests.get(relayId)!;
+        clearTimeout(pending.timer);
+        pendingRequests.delete(relayId);
+        const { _relayId, ...response } = message as any;
+        pending.resolve(response);
+        continue;
+      }
+
+      // Otherwise, handle as a direct extension message (save_skill, etc.)
+      const response = await handleNativeMessage(message);
       sendMessage(response);
     }
+
+    // Extension disconnected — clean up
+    await stopSocketServer();
+    try { await fs.unlink(socketPath); } catch { /* already gone */ }
   })();
 }

package/src/orchestration/browse.ts

@@ -3,6 +3,7 @@ import { readSkillFile } from '../skill/store.js';
 import { replayEndpoint } from '../replay/engine.js';
 import { SessionCache } from './cache.js';
 import { read } from '../read/index.js';
+import { bridgeAvailable, requestBridgeCapture, DEFAULT_SOCKET } from '../bridge/client.js';
 
 export interface BrowseOptions {
   skillsDir?: string;
@@ -13,6 +14,10 @@ export interface BrowseOptions {
   maxBytes?: number;
   /** @internal Skip SSRF check — for testing only */
   _skipSsrfCheck?: boolean;
+  /** @internal Override bridge socket path — for testing only */
+  _bridgeSocketPath?: string;
+  /** @internal Override bridge timeout — for testing only */
+  _bridgeTimeout?: number;
 }
 
 export interface BrowseSuccess {
@@ -22,7 +27,7 @@ export interface BrowseSuccess {
   domain: string;
   endpointId: string;
   tier: string;
-  skillSource: 'disk' | 'discovered' | 'captured';
+  skillSource: 'disk' | 'discovered' | 'captured' | 'bridge';
   capturedAt: string;
   task?: string;
   truncated?: boolean;
@@ -40,6 +45,106 @@ export interface BrowseGuidance {
 
 export type BrowseResult = BrowseSuccess | BrowseGuidance;
 
+/**
+ * Try escalating to the Chrome extension bridge for authenticated capture.
+ * Returns a BrowseResult if the bridge handled it, or null to fall through.
+ */
+async function tryBridgeCapture(
+  domain: string,
+  fullUrl: string,
+  options: BrowseOptions,
+): Promise<BrowseResult | null> {
+  const socketPath = options._bridgeSocketPath ?? DEFAULT_SOCKET;
+  if (!await bridgeAvailable(socketPath)) return null;
+
+  const result = await requestBridgeCapture(domain, socketPath, { timeout: options._bridgeTimeout });
+
+  if (result.success && result.skillFiles && result.skillFiles.length > 0) {
+    const skillFiles = result.skillFiles;
+    // Save each skill file to disk
+    try {
+      const { writeSkillFile: writeSF } = await import('../skill/store.js');
+      for (const skill of skillFiles) {
+        await writeSF(skill, options.skillsDir);
+      }
+    } catch {
+      // Saving failed — still have the data in memory
+    }
+
+    // Find the skill file matching the requested domain
+    const primarySkill = skillFiles.find((s: any) => s.domain === domain)
+      ?? skillFiles[0];
+
+    if (primarySkill?.endpoints?.length > 0) {
+      // Pick the best endpoint and replay it
+      let urlPath = '/';
+      try { urlPath = new URL(fullUrl).pathname; } catch { /* use default */ }
+      const endpoint = pickEndpoint(primarySkill, urlPath);
+
+      if (endpoint) {
+        try {
+          const replayResult = await replayEndpoint(primarySkill, endpoint.id, {
+            maxBytes: options.maxBytes,
+            _skipSsrfCheck: options._skipSsrfCheck,
+          });
+          if (replayResult.status >= 200 && replayResult.status < 300) {
+            return {
+              success: true,
+              data: replayResult.data,
+              status: replayResult.status,
+              domain,
+              endpointId: endpoint.id,
+              tier: endpoint.replayability?.tier ?? 'unknown',
+              skillSource: 'bridge',
+              capturedAt: primarySkill.capturedAt ?? new Date().toISOString(),
+              task: options.task,
+              ...(replayResult.truncated ? { truncated: true } : {}),
+            };
+          }
+        } catch {
+          // Replay failed — but skill file is saved for next time
+        }
+      }
+    }
+
+    // Skill file saved but replay didn't work
+    return {
+      success: false,
+      reason: 'bridge_capture_saved',
+      suggestion: `Captured ${skillFiles.length} skill file(s) from browser. Replay failed — try 'apitap replay ${domain}'.`,
+      domain,
+      url: fullUrl,
+      task: options.task,
+    };
+  }
+
+  // Bridge returned an error
+  if (result.error === 'user_denied') {
+    return {
+      success: false,
+      reason: 'user_denied',
+      suggestion: `User denied browser access to ${domain}. Use 'apitap auth request ${domain}' for manual login instead.`,
+      domain,
+      url: fullUrl,
+      task: options.task,
+    };
+  }
+
+  if (result.error === 'approval_timeout') {
+    return {
+      success: false,
+      reason: 'approval_timeout',
+      suggestion: `User approval pending for ${domain}. Click Allow in the ApiTap extension and try again.`,
+      domain,
+      url: fullUrl,
+      task: options.task,
+    };
+  }
+
+  // Other bridge errors — fall through to existing fallback
+  return null;
+}
+
 /**
  * High-level browse: check cache → disk → discover → replay.
  * Auto-escalates cheap steps. Returns guidance for expensive ones.
@@ -121,6 +226,10 @@ export async function browse(
         } catch {
           // Read failed — fall through to capture_needed
         }
+        // Try extension bridge before giving up
+        const bridgeResult1 = await tryBridgeCapture(domain, fullUrl, options);
+        if (bridgeResult1) return bridgeResult1;
+
         return {
           success: false,
           reason: 'no_replayable_endpoints',
@@ -158,6 +267,10 @@ export async function browse(
         // Read failed — fall through to capture_needed
       }
     }
+    // Try extension bridge before giving up
+    const bridgeResult2 = await tryBridgeCapture(domain, fullUrl, options);
+    if (bridgeResult2) return bridgeResult2;
+
     return {
       success: false,
       reason: 'no_skill_file',
@@ -171,6 +284,10 @@ export async function browse(
   // Step 4: Pick best endpoint
   const endpoint = pickEndpoint(skill, urlPath);
   if (!endpoint) {
+    // Try extension bridge before giving up
+    const bridgeResult3 = await tryBridgeCapture(domain, fullUrl, options);
+    if (bridgeResult3) return bridgeResult3;
+
     return {
       success: false,
       reason: 'no_replayable_endpoints',
@@ -213,6 +330,10 @@ export async function browse(
       ...(result.truncated ? { truncated: true } : {}),
     };
   } catch {
+    // Try extension bridge before giving up
+    const bridgeResult4 = await tryBridgeCapture(domain, fullUrl, options);
+    if (bridgeResult4) return bridgeResult4;
+
     return {
       success: false,
       reason: 'replay_failed',

package/src/read/decoders/deepwiki.ts

@@ -1,5 +1,6 @@
 // src/read/decoders/deepwiki.ts
 import type { Decoder, ReadResult } from '../types.js';
+import { validateUrl } from '../../skill/ssrf.js';
 
 function estimateTokens(text: string): number {
   return Math.ceil(text.length / 4);
@@ -35,8 +36,15 @@ export const deepwikiDecoder: Decoder = {
     const repo = match[3];
     const pagePath = match[4] || '';
 
+    // SSRF check
+    const ssrfResult = validateUrl(url);
+    if (!ssrfResult.safe) return null;
+
+    // Sanitize extracted values for header injection
+    const sanitize = (s: string) => s.replace(/[\r\n]/g, '');
+
     // Construct the path for the RSC request
-    const fullPath = `/${org}/${repo}${pagePath}`;
+    const fullPath = sanitize(`/${org}/${repo}${pagePath}`);
 
     try {
       const response = await fetch(url, {

package/src/replay/engine.ts

@@ -222,11 +222,18 @@ export async function replayEndpoint(
   let body: string | undefined;
   const headers = { ...endpoint.headers };
 
-  // Filter headers from skill file — block dangerous headers
+  // Filter headers from skill file — block dangerous headers and sanitize values
+  const allowedMethods = new Set(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS']);
+  if (!allowedMethods.has(endpoint.method)) {
+    throw new Error(`Blocked: unsupported HTTP method "${endpoint.method}"`);
+  }
   for (const key of Object.keys(headers)) {
     const lower = key.toLowerCase();
     if (BLOCKED_REPLAY_HEADERS.has(lower) || lower.startsWith('sec-')) {
       delete headers[key];
+    } else {
+      // Sanitize CRLF from header values to prevent header injection
+      headers[key] = headers[key].replace(/[\r\n]/g, '');
     }
   }
 
@@ -381,10 +388,22 @@ export async function replayEndpoint(
           throw new Error(`Redirect blocked (SSRF): ${redirectCheck.reason}`);
         }
       }
+      // Strip auth headers before cross-domain redirect
+      const redirectHeaders = { ...headers };
+      const originalHost = url.hostname;
+      const redirectHost = redirectUrl.hostname;
+      if (redirectHost !== originalHost && !redirectHost.endsWith('.' + originalHost)) {
+        delete redirectHeaders['authorization'];
+        for (const key of Object.keys(redirectHeaders)) {
+          if (key.toLowerCase() === 'authorization' || redirectHeaders[key] === '[stored]') {
+            delete redirectHeaders[key];
+          }
+        }
+      }
       // Follow the redirect manually (single hop to prevent chains)
       response = await fetch(redirectFetchUrl, {
         method: 'GET',  // Redirects typically become GET
-        headers,  // Forward headers (already filtered)
+        headers: redirectHeaders,
         signal: AbortSignal.timeout(30_000),
         redirect: 'manual',  // Prevent chaining
       });

package/src/serve.ts

@@ -153,7 +153,7 @@ export async function createServeServer(
             }],
           };
         } catch (err: any) {
-          console.error('Replay failed:', err);
+          console.error('Replay failed:', err instanceof Error ? err.message : String(err));
           return {
             content: [{
               type: 'text' as const,

package/src/skill/generator.ts

@@ -49,6 +49,12 @@ const STRIP_HEADERS = new Set([
 const AUTH_HEADERS = new Set([
   'authorization',
   'x-api-key',
+  'x-guest-token',
+  'x-csrf-token',
+  'x-xsrf-token',
+  'x-auth-token',
+  'x-access-token',
+  'x-session-token',
 ]);
 
 export interface GeneratorOptions {
@@ -165,25 +171,47 @@ function extractQueryParams(url: URL): Record<string, { type: string; example: s
   return params;
 }
 
+/** Query param names that carry API keys or tokens */
+const SENSITIVE_QUERY_KEYS = /api.?key|token|secret|credential|key|access.?key/i;
+
 function scrubQueryParams(
   params: Record<string, { type: string; example: string }>,
 ): Record<string, { type: string; example: string }> {
   const scrubbed: Record<string, { type: string; example: string }> = {};
   for (const [key, val] of Object.entries(params)) {
-    scrubbed[key] = { type: val.type, example: scrubPII(val.example) };
+    // Scrub known sensitive query param names
+    if (SENSITIVE_QUERY_KEYS.test(key)) {
+      scrubbed[key] = { type: val.type, example: '[scrubbed]' };
+    } else {
+      // Also apply entropy-based detection for unknown high-entropy values
+      const classification = isLikelyToken(key, val.example);
+      if (classification.isToken) {
+        scrubbed[key] = { type: val.type, example: '[scrubbed]' };
+      } else {
+        scrubbed[key] = { type: val.type, example: scrubPII(val.example) };
+      }
+    }
   }
   return scrubbed;
 }
 
+/** Body field names that must always be scrubbed (credentials in POST bodies) */
+const SENSITIVE_BODY_KEYS = /^(password|passwd|pass|secret|client_secret|refresh_token|access_token|api_key|apikey|token|csrf_token|_csrf|xsrf_token|private_key|credential)$/i;
+
 function scrubBody(body: unknown, doScrub: boolean): unknown {
   if (!doScrub) return body;
   if (typeof body === 'string') {
     return scrubPII(body);
   }
+  if (Array.isArray(body)) {
+    return body.map(item => scrubBody(item, doScrub));
+  }
   if (body && typeof body === 'object') {
     const scrubbed: Record<string, unknown> = {};
     for (const [key, value] of Object.entries(body as Record<string, unknown>)) {
-      if (typeof value === 'string') {
+      if (SENSITIVE_BODY_KEYS.test(key) && typeof value === 'string') {
+        scrubbed[key] = '[scrubbed]';
+      } else if (typeof value === 'string') {
         scrubbed[key] = scrubPII(value);
       } else if (value && typeof value === 'object') {
         scrubbed[key] = scrubBody(value, doScrub);
@@ -310,8 +338,8 @@ export class SkillGenerator {
     let responsePreview: unknown = null;
     if (this.options.enablePreview) {
       const preview = truncatePreview(exchange.response.body);
-      responsePreview = this.options.scrub && typeof preview === 'string'
-        ? scrubPII(preview)
+      responsePreview = this.options.scrub
+        ? scrubBody(preview, true)
         : preview;
     }
 

package/src/skill/ssrf.ts

@@ -11,7 +11,7 @@ export interface ValidationResult {
 }
 
 const INTERNAL_HOSTNAMES = ['localhost'];
-const INTERNAL_SUFFIXES = ['.local', '.internal'];
+const INTERNAL_SUFFIXES = ['.local', '.internal', '.localhost', '.corp', '.intranet', '.lan', '.test', '.invalid', '.example'];
 
 /**
  * Check if a URL is safe to replay (not targeting internal infrastructure).
@@ -126,8 +126,17 @@ function isPrivateIp(ip: string): string | null {
   const v4mapped = ip.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i);
   const ipv4 = v4mapped ? v4mapped[1] : ip;
 
+  // IPv4-mapped IPv6 hex form (e.g. ::ffff:7f00:1)
+  const v4mappedHex = ip.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i);
+  if (v4mappedHex) {
+    const hi = parseInt(v4mappedHex[1], 16);
+    const lo = parseInt(v4mappedHex[2], 16);
+    const reconstructed = `${(hi >> 8) & 0xff}.${hi & 0xff}.${(lo >> 8) & 0xff}.${lo & 0xff}`;
+    return isPrivateIp(reconstructed);
+  }
+
   const parts = ipv4.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
-  if (!parts) return null; // Not an IPv4 — let it pass (non-private IPv6)
+  if (!parts) return 'unrecognized IP format'; // Fail closed for unrecognized formats
 
   const [, a, b] = parts;
   const first = Number(a);

package/src/skill/store.ts

@@ -39,7 +39,7 @@ export async function writeSkillFile(
   await mkdir(skillsDir, { recursive: true });
   await ensureGitignore(skillsDir);
   const filePath = skillPath(skill.domain, skillsDir);
-  await writeFile(filePath, JSON.stringify(skill, null, 2) + '\n');
+  await writeFile(filePath, JSON.stringify(skill, null, 2) + '\n', { mode: 0o600 });
   return filePath;
 }
 
@@ -88,9 +88,11 @@ export async function listSkillFiles(
   }
 
   const summaries: SkillSummary[] = [];
+  const DOMAIN_RE = /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/;
   for (const file of files) {
     if (!file.endsWith('.json')) continue;
     const domain = file.replace(/\.json$/, '');
+    if (!DOMAIN_RE.test(domain)) continue; // skip non-conforming filenames
     const skill = await readSkillFile(domain, skillsDir);
     if (skill) {
       summaries.push({