@apitap/core 1.3.1 → 1.4.1

package/src/cli.ts

@@ -4,7 +4,7 @@ import { capture } from './capture/monitor.js';
 import { writeSkillFile, readSkillFile, listSkillFiles } from './skill/store.js';
 import { replayEndpoint } from './replay/engine.js';
 import { AuthManager, getMachineId } from './auth/manager.js';
-import { deriveKey } from './auth/crypto.js';
+import { deriveSigningKey } from './auth/crypto.js';
 import { signSkillFile } from './skill/signing.js';
 import { importSkillFile } from './skill/importer.js';
 import { resolveAndValidateUrl } from './skill/ssrf.js';
@@ -158,6 +158,15 @@ async function handleCapture(positional: string[], flags: Record<string, string
   const skipVerify = flags['no-verify'] === true;
   const verifyPosts = flags['verify-posts'] === true;
 
+  // SSRF validation for CLI (H6 fix)
+  if (flags['danger-disable-ssrf'] !== true) {
+    const ssrfCheck = await resolveAndValidateUrl(fullUrl);
+    if (!ssrfCheck.safe) {
+      console.error(`Error: URL blocked (SSRF): ${ssrfCheck.reason}`);
+      process.exit(1);
+    }
+  }
+
   if (!json) {
     const domainOnly = flags['all-domains'] !== true;
     console.log(`\n  🔍 Capturing ${url}...${duration ? ` (${duration}s)` : ' (Ctrl+C to stop)'}${domainOnly ? ' [domain-only]' : ' [all domains]'}\n`);
@@ -194,7 +203,7 @@ async function handleCapture(positional: string[], flags: Record<string, string
 
   // Get machine ID for signing and auth storage
   const machineId = await getMachineId();
-  const key = deriveKey(machineId);
+  const key = deriveSigningKey(machineId);
   const authManager = new AuthManager(APITAP_DIR, machineId);
 
   // Write skill files for each domain
@@ -341,7 +350,7 @@ async function handleShow(positional: string[], flags: Record<string, string | b
     process.exit(1);
   }
 
-  const skill = await readSkillFile(domain, SKILLS_DIR);
+  const skill = await readSkillFile(domain, SKILLS_DIR, { trustUnsigned: true });
   if (!skill) {
     console.error(`Error: No skill file found for "${domain}". Run \`apitap capture\` first.`);
     process.exit(1);
@@ -378,7 +387,10 @@ async function handleReplay(positional: string[], flags: Record<string, string |
     process.exit(1);
   }
 
-  const skill = await readSkillFile(domain, SKILLS_DIR);
+  const machineId = await getMachineId();
+  const signingKey = deriveSigningKey(machineId);
+  const trustUnsigned = flags['trust-unsigned'] === true;
+  const skill = await readSkillFile(domain, SKILLS_DIR, { verifySignature: true, signingKey, trustUnsigned });
   if (!skill) {
     console.error(`Error: No skill file found for "${domain}".`);
     process.exit(1);
@@ -394,7 +406,6 @@ async function handleReplay(positional: string[], flags: Record<string, string |
   }
 
   // Merge stored auth into endpoint headers for replay
-  const machineId = await getMachineId();
   const authManager = new AuthManager(APITAP_DIR, machineId);
   const storedAuth = await authManager.retrieve(domain);
 
@@ -416,6 +427,10 @@ async function handleReplay(positional: string[], flags: Record<string, string |
   const fresh = flags.fresh === true;
   const json = flags.json === true;
   const maxBytes = typeof flags['max-bytes'] === 'string' ? parseInt(flags['max-bytes'], 10) : undefined;
+  const dangerDisableSsrf = flags['danger-disable-ssrf'] === true;
+  if (dangerDisableSsrf) {
+    console.error('[apitap] WARNING: SSRF protection is disabled via --danger-disable-ssrf');
+  }
 
   const result = await replayEndpoint(skill, endpointId, {
     params: Object.keys(params).length > 0 ? params : undefined,
@@ -423,7 +438,7 @@ async function handleReplay(positional: string[], flags: Record<string, string |
     domain,
     fresh,
     maxBytes,
-    _skipSsrfCheck: process.env.APITAP_SKIP_SSRF_CHECK === '1',
+    _skipSsrfCheck: dangerDisableSsrf,
   });
 
   if (json) {
@@ -446,7 +461,7 @@ async function handleImport(positional: string[], flags: Record<string, string |
 
   // Get local key for signature verification
   const machineId = await getMachineId();
-  const key = deriveKey(machineId);
+  const key = deriveSigningKey(machineId);
 
   // DNS-resolving SSRF check before importing (prevents DNS rebinding attacks)
   try {
@@ -492,7 +507,8 @@ async function handleRefresh(positional: string[], flags: Record<string, string
     process.exit(1);
   }
 
-  const skill = await readSkillFile(domain, SKILLS_DIR);
+  const trustUnsigned = flags['trust-unsigned'] === true;
+  const skill = await readSkillFile(domain, SKILLS_DIR, { trustUnsigned });
   if (!skill) {
     console.error(`Error: No skill file found for "${domain}".`);
     process.exit(1);
@@ -596,8 +612,8 @@ async function handleAuth(positional: string[], flags: Record<string, string | b
     }
   }
 
-  // Read skill file for OAuth config (non-secret)
-  const skill = await readSkillFile(domain, SKILLS_DIR);
+  // Read skill file for OAuth config (non-secret) — trustUnsigned for display only
+  const skill = await readSkillFile(domain, SKILLS_DIR, { trustUnsigned: true });
   const oauthConfig = skill?.auth?.oauthConfig;
 
   const status = {
@@ -659,7 +675,7 @@ async function handleServe(positional: string[], flags: Record<string, string |
     });
 
     // Print tool list to stderr (stdout is the MCP transport)
-    const skill = await readSkillFile(domain, SKILLS_DIR);
+    const skill = await readSkillFile(domain, SKILLS_DIR, { trustUnsigned: true });
     const tools = buildServeTools(skill!);
 
     if (json) {
@@ -681,10 +697,13 @@ async function handleServe(positional: string[], flags: Record<string, string |
   }
 }
 
-async function handleMcp(): Promise<void> {
+async function handleMcp(flags: Record<string, string | boolean>): Promise<void> {
+  if (flags['danger-disable-ssrf'] === true) {
+    console.error('[apitap] WARNING: SSRF protection is disabled via --danger-disable-ssrf');
+  }
   const server = createMcpServer({
     skillsDir: SKILLS_DIR,
-    _skipSsrfCheck: process.env.APITAP_SKIP_SSRF_CHECK === '1',
+    _skipSsrfCheck: flags['danger-disable-ssrf'] === true,
   });
   const { StdioServerTransport } = await import('@modelcontextprotocol/sdk/server/stdio.js');
   const transport = new StdioServerTransport();
@@ -709,6 +728,16 @@ async function handleInspect(positional: string[], flags: Record<string, string
     process.exit(1);
   }
 
+  // SSRF validation for CLI (H6 fix)
+  const fullInspectUrl = url.startsWith('http') ? url : `https://${url}`;
+  if (flags['danger-disable-ssrf'] !== true) {
+    const ssrfCheck = await resolveAndValidateUrl(fullInspectUrl);
+    if (!ssrfCheck.safe) {
+      console.error(`Error: URL blocked (SSRF): ${ssrfCheck.reason}`);
+      process.exit(1);
+    }
+  }
+
   const json = flags.json === true;
   const duration = typeof flags.duration === 'string' ? parseInt(flags.duration, 10) : 30;
 
@@ -798,6 +827,20 @@ async function handleDiscover(positional: string[], flags: Record<string, string
   const json = flags.json === true;
   const save = flags.save === true;
 
+  // SSRF validation for CLI (H6 fix)
+  const fullDiscoverUrl = url.startsWith('http') ? url : `https://${url}`;
+  if (flags['danger-disable-ssrf'] !== true) {
+    const ssrfCheck = await resolveAndValidateUrl(fullDiscoverUrl);
+    if (!ssrfCheck.safe) {
+      if (json) {
+        console.log(JSON.stringify({ error: `URL blocked (SSRF): ${ssrfCheck.reason}` }));
+      } else {
+        console.error(`Error: URL blocked (SSRF): ${ssrfCheck.reason}`);
+      }
+      process.exit(1);
+    }
+  }
+
   if (!json) {
     console.log(`\n  Discovering APIs for ${url}...\n`);
   }
@@ -863,9 +906,9 @@ async function handleDiscover(positional: string[], flags: Record<string, string
   if (save && result.skillFile) {
     const { writeSkillFile } = await import('./skill/store.js');
     const { signSkillFile } = await import('./skill/signing.js');
-    const { deriveKey } = await import('./auth/crypto.js');
+    const { deriveSigningKey } = await import('./auth/crypto.js');
     const machineId = await getMachineId();
-    const key = deriveKey(machineId);
+    const key = deriveSigningKey(machineId);
 
     const signed = signSkillFile(result.skillFile, key);
     const path = await writeSkillFile(signed, SKILLS_DIR);
@@ -901,7 +944,7 @@ async function handleBrowse(positional: string[], flags: Record<string, string |
     skillsDir: SKILLS_DIR,
     cache: new SessionCache(),
     maxBytes,
-    _skipSsrfCheck: process.env.APITAP_SKIP_SSRF_CHECK === '1',
+    _skipSsrfCheck: flags['danger-disable-ssrf'] === true,
   });
 
   if (json) {
@@ -932,6 +975,15 @@ async function handlePeek(positional: string[], flags: Record<string, string | b
   const json = flags.json === true;
   const fullUrl = url.startsWith('http') ? url : `https://${url}`;
 
+  // SSRF validation for CLI (H6 fix)
+  if (flags['danger-disable-ssrf'] !== true) {
+    const ssrfCheck = await resolveAndValidateUrl(fullUrl);
+    if (!ssrfCheck.safe) {
+      console.error(`Error: URL blocked (SSRF): ${ssrfCheck.reason}`);
+      process.exit(1);
+    }
+  }
+
   if (!json) {
     console.log(`\n  Peeking at ${url}...\n`);
   }
@@ -963,6 +1015,15 @@ async function handleRead(positional: string[], flags: Record<string, string | b
   const fullUrl = url.startsWith('http') ? url : `https://${url}`;
   const maxBytes = typeof flags['max-bytes'] === 'string' ? parseInt(flags['max-bytes'], 10) : undefined;
 
+  // SSRF validation for CLI (H6 fix)
+  if (flags['danger-disable-ssrf'] !== true) {
+    const ssrfCheck = await resolveAndValidateUrl(fullUrl);
+    if (!ssrfCheck.safe) {
+      console.error(`Error: URL blocked (SSRF): ${ssrfCheck.reason}`);
+      process.exit(1);
+    }
+  }
+
   if (!json) {
     console.log(`\n  Reading ${url}...\n`);
   }
@@ -1072,7 +1133,7 @@ async function main(): Promise<void> {
       await handleServe(positional, flags);
       break;
     case 'mcp':
-      await handleMcp();
+      await handleMcp(flags);
       break;
     case 'inspect':
       await handleInspect(positional, flags);

package/src/discovery/fetch.ts

@@ -27,9 +27,9 @@ export async function safeFetch(
   url: string,
   options: SafeFetchOptions = {},
 ): Promise<FetchResult | null> {
-  // SSRF check
+  // M18: Use DNS-resolving SSRF check to prevent rebinding attacks
   if (!options.skipSsrf) {
-    const ssrfResult = validateUrl(url);
+    const ssrfResult = await resolveAndValidateUrl(url);
     if (!ssrfResult.safe) return null;
   }
 

package/src/mcp.ts

@@ -7,6 +7,7 @@ import { searchSkills } from './skill/search.js';
 import { readSkillFile } from './skill/store.js';
 import { replayEndpoint } from './replay/engine.js';
 import { AuthManager, getMachineId } from './auth/manager.js';
+import { deriveSigningKey } from './auth/crypto.js';
 import { requestAuth } from './auth/handoff.js';
 import { CaptureSession } from './capture/session.js';
 import { discover } from './discovery/index.js';
@@ -48,14 +49,40 @@ export interface McpServerOptions {
   skillsDir?: string;
   /** @internal Skip SSRF check in replay — for testing only */
   _skipSsrfCheck?: boolean;
+  /** Rate limit: max outbound requests per minute (default: 60). Set 0 to disable. */
+  rateLimitPerMinute?: number;
 }
 
 const MAX_SESSIONS = 3;
 
+/**
+ * M23: Simple sliding-window rate limiter for outbound MCP tool calls.
+ * Prevents misconfigured agents from flooding target APIs.
+ */
+class RateLimiter {
+  private timestamps: number[] = [];
+  private readonly maxPerMinute: number;
+
+  constructor(maxPerMinute: number) {
+    this.maxPerMinute = maxPerMinute;
+  }
+
+  check(): boolean {
+    if (this.maxPerMinute <= 0) return true; // Disabled
+    const now = Date.now();
+    const windowStart = now - 60_000;
+    this.timestamps = this.timestamps.filter(t => t > windowStart);
+    if (this.timestamps.length >= this.maxPerMinute) return false;
+    this.timestamps.push(now);
+    return true;
+  }
+}
+
 export function createMcpServer(options: McpServerOptions = {}): McpServer {
   const skillsDir = options.skillsDir;
   const sessions = new Map<string, CaptureSession>();
   const sessionCache = new SessionCache();
+  const rateLimiter = new RateLimiter(options.rateLimitPerMinute ?? 60);
 
   const server = new McpServer({
     name: 'apitap',
@@ -79,9 +106,7 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
     },
     async ({ query }) => {
       const result = await searchSkills(query, skillsDir);
-      return {
-        content: [{ type: 'text' as const, text: JSON.stringify(result) }],
-      };
+      return wrapExternalContent(result, 'apitap_search');
     },
   );
 
@@ -102,6 +127,9 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       },
     },
     async ({ url }) => {
+      if (!rateLimiter.check()) {
+        return { content: [{ type: 'text' as const, text: 'Rate limit exceeded. Try again in a moment.' }], isError: true };
+      }
       try {
         if (!options._skipSsrfCheck) {
           const validation = await resolveAndValidateUrl(url);
@@ -111,18 +139,18 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
         }
         const result = await discover(url);
 
-        // If we got a skill file, save it automatically
+        // If we got a skill file, sign and save it automatically
         if (result.skillFile && (result.confidence === 'high' || result.confidence === 'medium')) {
           const { writeSkillFile } = await import('./skill/store.js');
+          const { signSkillFile } = await import('./skill/signing.js');
+          const machineId = await getMachineId();
+          const sigKey = deriveSigningKey(machineId);
+          result.skillFile = signSkillFile(result.skillFile, sigKey);
           const path = await writeSkillFile(result.skillFile, skillsDir);
-          return {
-            content: [{ type: 'text' as const, text: JSON.stringify({ ...result, savedTo: path }) }],
-          };
+          return wrapExternalContent({ ...result, savedTo: path }, 'apitap_discover');
         }
 
-        return {
-          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
-        };
+        return wrapExternalContent(result, 'apitap_discover');
       } catch (err: any) {
         return {
           content: [{ type: 'text' as const, text: `Discovery failed: ${err.message}` }],
@@ -153,7 +181,12 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       },
     },
     async ({ domain, endpointId, params, fresh, maxBytes }) => {
-      const skill = await readSkillFile(domain, skillsDir);
+      if (!rateLimiter.check()) {
+        return { content: [{ type: 'text' as const, text: 'Rate limit exceeded. Try again in a moment.' }], isError: true };
+      }
+      const machineId = await getMachineId();
+      const signingKey = deriveSigningKey(machineId);
+      const skill = await readSkillFile(domain, skillsDir, { verifySignature: true, signingKey });
       if (!skill) {
         return {
           content: [{ type: 'text' as const, text: `No skill file found for "${domain}". Use apitap_capture to capture it first.` }],
@@ -170,7 +203,6 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       }
 
       // Get auth manager for token injection and header auth
-      const machineId = await getMachineId();
       const authManager = new AuthManager(APITAP_DIR, machineId);
 
       try {
@@ -256,6 +288,9 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       },
     },
     async ({ url, task, maxBytes }) => {
+      if (!rateLimiter.check()) {
+        return { content: [{ type: 'text' as const, text: 'Rate limit exceeded. Try again in a moment.' }], isError: true };
+      }
       if (!options._skipSsrfCheck) {
         const validation = await resolveAndValidateUrl(url);
         if (!validation.safe) {
@@ -272,13 +307,8 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
         // In test mode, disable bridge to avoid connecting to real socket
         ...(options._skipSsrfCheck ? { _bridgeSocketPath: '/nonexistent' } : {}),
       });
-      // Only mark as untrusted if it contains external data
-      if (result.success && result.data) {
-        return wrapExternalContent(result, 'apitap_browse');
-      }
-      return {
-        content: [{ type: 'text' as const, text: JSON.stringify(result) }],
-      };
+      // Always mark as untrusted — failed results may contain attacker-controlled strings (H7 fix)
+      return wrapExternalContent(result, 'apitap_browse');
     },
   );
 
@@ -334,6 +364,9 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       },
     },
     async ({ url, maxBytes }) => {
+      if (!rateLimiter.check()) {
+        return { content: [{ type: 'text' as const, text: 'Rate limit exceeded. Try again in a moment.' }], isError: true };
+      }
       try {
         if (!options._skipSsrfCheck) {
           const validation = await resolveAndValidateUrl(url);
@@ -402,9 +435,7 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
             setTimeout(() => reject(new Error('Capture timed out')), timeoutMs),
           ),
         ]);
-        return {
-          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
-        };
+        return wrapExternalContent(result, 'apitap_capture');
       } catch (err: any) {
         try { await session.abort(); } catch { /* already closed */ }
         return {
@@ -455,9 +486,8 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
         });
         const snapshot = await session.start(url);
         sessions.set(session.id, session);
-        return {
-          content: [{ type: 'text' as const, text: JSON.stringify({ sessionId: session.id, snapshot }) }],
-        };
+        // Mark as untrusted — snapshot contains external page content (H5 fix)
+        return wrapExternalContent({ sessionId: session.id, snapshot }, 'apitap_capture_start');
       } catch (err: any) {
         return {
           content: [{ type: 'text' as const, text: `Failed to start capture session: ${err.message}` }],
@@ -516,8 +546,10 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
         submit,
       });
 
+      // Mark as untrusted — result contains external page content (H5 fix)
+      const wrapped = wrapExternalContent(result, 'apitap_capture_interact');
       return {
-        content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+        ...wrapped,
         ...(result.success ? {} : { isError: true }),
       };
     },
@@ -558,15 +590,11 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       try {
         if (shouldAbort) {
           await session.abort();
-          return {
-            content: [{ type: 'text' as const, text: JSON.stringify({ aborted: true, domains: [] }) }],
-          };
+          return wrapExternalContent({ aborted: true, domains: [] }, 'apitap_capture_finish');
         }
 
         const result = await session.finish();
-        return {
-          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
-        };
+        return wrapExternalContent(result, 'apitap_capture_finish');
       } catch (err: any) {
         return {
           content: [{ type: 'text' as const, text: `Finish failed: ${err.message}` }],
@@ -607,8 +635,9 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
           timeout: timeout ? timeout * 1000 : undefined,
         });
 
+        const wrapped = wrapExternalContent(result, 'apitap_auth_request');
         return {
-          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+          ...wrapped,
           ...(result.success ? {} : { isError: true }),
         };
       } catch (err: any) {

package/src/native-host.ts

@@ -7,7 +7,7 @@ import path from 'node:path';
 import os from 'node:os';
 import net from 'node:net';
 import { signSkillFile } from './skill/signing.js';
-import { deriveKey } from './auth/crypto.js';
+import { deriveSigningKey } from './auth/crypto.js';
 import { getMachineId } from './auth/manager.js';
 
 const SKILLS_DIR = path.join(os.homedir(), '.apitap', 'skills');
@@ -18,7 +18,7 @@ async function signSkillJson(skillJson: string): Promise<string> {
   try {
     const skill = JSON.parse(skillJson);
     const machineId = await getMachineId();
-    const key = deriveKey(machineId);
+    const key = deriveSigningKey(machineId);
     const signed = signSkillFile(skill, key);
     return JSON.stringify(signed);
   } catch {

package/src/orchestration/browse.ts

@@ -4,6 +4,9 @@ import { replayEndpoint } from '../replay/engine.js';
 import { SessionCache } from './cache.js';
 import { read } from '../read/index.js';
 import { bridgeAvailable, requestBridgeCapture, DEFAULT_SOCKET } from '../bridge/client.js';
+import { signSkillFile } from '../skill/signing.js';
+import { deriveSigningKey } from '../auth/crypto.js';
+import { getMachineId } from '../auth/manager.js';
 
 export interface BrowseOptions {
   skillsDir?: string;
@@ -61,11 +64,14 @@ async function tryBridgeCapture(
 
   if (result.success && result.skillFiles && result.skillFiles.length > 0) {
     const skillFiles = result.skillFiles;
-    // Save each skill file to disk
+    // Sign and save each skill file to disk
     try {
       const { writeSkillFile: writeSF } = await import('../skill/store.js');
-      for (const skill of skillFiles) {
-        await writeSF(skill, options.skillsDir);
+      const mid = await getMachineId();
+      const sk = deriveSigningKey(mid);
+      for (let i = 0; i < skillFiles.length; i++) {
+        skillFiles[i] = signSkillFile(skillFiles[i], sk);
+        await writeSF(skillFiles[i], options.skillsDir);
       }
     } catch {
       // Saving failed — still have the data in memory
@@ -202,7 +208,10 @@ export async function browse(
         skill = discovery.skillFile;
         source = 'discovered';
 
-        // Save to disk
+        // Sign and save to disk (H1: skill files must be signed for verification)
+        const machineId = await getMachineId();
+        const sigKey = deriveSigningKey(machineId);
+        skill = signSkillFile(skill, sigKey);
         const { writeSkillFile: writeSF } = await import('../skill/store.js');
         await writeSF(skill, skillsDir);
         cache?.set(domain, skill, 'discovered');

package/src/plugin.ts

@@ -21,12 +21,17 @@ export interface Plugin {
 
 export interface PluginOptions {
   skillsDir?: string;
-  /** @internal Skip SSRF check — for testing only */
+  /** @internal Testing only — never expose to external callers (M14) */
   _skipSsrfCheck?: boolean;
 }
 
 const APITAP_DIR = join(homedir(), '.apitap');
 
+/** M20: Mark plugin responses as untrusted external content */
+function wrapUntrusted(data: unknown): unknown {
+  return { ...data as Record<string, unknown>, _meta: { externalContent: { untrusted: true } } };
+}
+
 export function createPlugin(options: PluginOptions = {}): Plugin {
   const skillsDir = options.skillsDir;
 
@@ -53,7 +58,7 @@ export function createPlugin(options: PluginOptions = {}): Plugin {
     },
     execute: async (args) => {
       const query = args.query as string;
-      return searchSkills(query, skillsDir);
+      return wrapUntrusted(await searchSkills(query, skillsDir));
     },
   };
 
@@ -88,7 +93,7 @@ export function createPlugin(options: PluginOptions = {}): Plugin {
       const endpointId = args.endpointId as string;
       const params = args.params as Record<string, string> | undefined;
 
-      const skill = await readSkillFile(domain, skillsDir);
+      const skill = await readSkillFile(domain, skillsDir, { trustUnsigned: true });
       if (!skill) {
         return {
           error: `No skill file found for "${domain}". Use apitap_capture to capture it first.`,
@@ -104,7 +109,7 @@ export function createPlugin(options: PluginOptions = {}): Plugin {
           domain,
           _skipSsrfCheck: options._skipSsrfCheck,
         });
-        return { status: result.status, data: result.data };
+        return wrapUntrusted({ status: result.status, data: result.data });
       } catch (err: any) {
         return { error: err.message };
       }
@@ -142,6 +147,13 @@ export function createPlugin(options: PluginOptions = {}): Plugin {
       const duration = (args.duration as number) ?? 30;
       const allDomains = (args.allDomains as boolean) ?? false;
 
+      // M19: SSRF validation before capture
+      const { resolveAndValidateUrl } = await import('./skill/ssrf.js');
+      const ssrfCheck = await resolveAndValidateUrl(url);
+      if (!ssrfCheck.safe) {
+        return { error: `Blocked: ${ssrfCheck.reason}` };
+      }
+
       // Shell out to CLI for capture (it handles browser lifecycle, signing, etc.)
       const { execFile } = await import('node:child_process');
       const { promisify } = await import('node:util');
@@ -155,7 +167,7 @@ export function createPlugin(options: PluginOptions = {}): Plugin {
           timeout: (duration + 30) * 1000,
           env: { ...process.env, ...(skillsDir ? { APITAP_SKILLS_DIR: skillsDir } : {}) },
         });
-        return JSON.parse(stdout);
+        return wrapUntrusted(JSON.parse(stdout));
       } catch (err: any) {
         return { error: `Capture failed: ${err.message}` };
       }

package/src/read/decoders/reddit.ts

@@ -58,6 +58,10 @@ async function recoverDeletedComments(
   const recovered = new Map<string, { author: string; body: string }>();
   if (commentIds.length === 0) return recovered;
 
+  // M21: Third-party requests are opt-in, not opt-out.
+  // PullPush is an external service — only contact it if explicitly enabled.
+  if (process.env.APITAP_THIRD_PARTY !== '1') return recovered;
+
   try {
     const ids = commentIds.join(',');
     const ppUrl = `https://api.pullpush.io/reddit/search/comment/?ids=${ids}`;