@apitap/core 1.4.0 → 1.4.2

package/src/cli.ts

@@ -17,11 +17,13 @@ import { buildInspectReport, formatInspectHuman } from './inspect/report.js';
 import { generateStatsReport, formatStatsHuman } from './stats/report.js';
 import { detectAntiBot, type AntiBotSignal } from './capture/anti-bot.js';
 import { discover } from './discovery/index.js';
+import { readIndexEntry } from './index/reader.js';
 import { peek } from './read/peek.js';
 import { read } from './read/index.js';
 import { homedir } from 'node:os';
 import { join, resolve, dirname } from 'node:path';
 import { readFileSync } from 'node:fs';
+import { stat, unlink } from 'node:fs/promises';
 import { fileURLToPath } from 'node:url';
 import { createMcpServer } from './mcp.js';
 
@@ -79,6 +81,8 @@ function printUsage(): void {
     apitap browse <url>        Browse a URL (discover + replay in one step)
     apitap peek <url>          Zero-cost triage (HEAD only)
     apitap read <url>          Extract content without a browser
+    apitap audit               Audit stored skill files and credentials
+    apitap forget <domain>     Remove skill file and credentials for a domain
     apitap stats               Show token savings report
     apitap extension install   Register native messaging host for Chrome
 
@@ -158,6 +162,15 @@ async function handleCapture(positional: string[], flags: Record<string, string
   const skipVerify = flags['no-verify'] === true;
   const verifyPosts = flags['verify-posts'] === true;
 
+  // SSRF validation for CLI (H6 fix)
+  if (flags['danger-disable-ssrf'] !== true) {
+    const ssrfCheck = await resolveAndValidateUrl(fullUrl);
+    if (!ssrfCheck.safe) {
+      console.error(`Error: URL blocked (SSRF): ${ssrfCheck.reason}`);
+      process.exit(1);
+    }
+  }
+
   if (!json) {
     const domainOnly = flags['all-domains'] !== true;
     console.log(`\n  🔍 Capturing ${url}...${duration ? ` (${duration}s)` : ' (Ctrl+C to stop)'}${domainOnly ? ' [domain-only]' : ' [all domains]'}\n`);
@@ -341,7 +354,7 @@ async function handleShow(positional: string[], flags: Record<string, string | b
     process.exit(1);
   }
 
-  const skill = await readSkillFile(domain, SKILLS_DIR);
+  const skill = await readSkillFile(domain, SKILLS_DIR, { trustUnsigned: true });
   if (!skill) {
     console.error(`Error: No skill file found for "${domain}". Run \`apitap capture\` first.`);
     process.exit(1);
@@ -380,7 +393,8 @@ async function handleReplay(positional: string[], flags: Record<string, string |
 
   const machineId = await getMachineId();
   const signingKey = deriveSigningKey(machineId);
-  const skill = await readSkillFile(domain, SKILLS_DIR, { verifySignature: true, signingKey });
+  const trustUnsigned = flags['trust-unsigned'] === true;
+  const skill = await readSkillFile(domain, SKILLS_DIR, { verifySignature: true, signingKey, trustUnsigned });
   if (!skill) {
     console.error(`Error: No skill file found for "${domain}".`);
     process.exit(1);
@@ -417,6 +431,10 @@ async function handleReplay(positional: string[], flags: Record<string, string |
   const fresh = flags.fresh === true;
   const json = flags.json === true;
   const maxBytes = typeof flags['max-bytes'] === 'string' ? parseInt(flags['max-bytes'], 10) : undefined;
+  const dangerDisableSsrf = flags['danger-disable-ssrf'] === true;
+  if (dangerDisableSsrf) {
+    console.error('[apitap] WARNING: SSRF protection is disabled via --danger-disable-ssrf');
+  }
 
   const result = await replayEndpoint(skill, endpointId, {
     params: Object.keys(params).length > 0 ? params : undefined,
@@ -424,7 +442,7 @@ async function handleReplay(positional: string[], flags: Record<string, string |
     domain,
     fresh,
     maxBytes,
-    _skipSsrfCheck: process.env.APITAP_SKIP_SSRF_CHECK === '1',
+    _skipSsrfCheck: dangerDisableSsrf,
   });
 
   if (json) {
@@ -493,7 +511,8 @@ async function handleRefresh(positional: string[], flags: Record<string, string
     process.exit(1);
   }
 
-  const skill = await readSkillFile(domain, SKILLS_DIR);
+  const trustUnsigned = flags['trust-unsigned'] === true;
+  const skill = await readSkillFile(domain, SKILLS_DIR, { trustUnsigned });
   if (!skill) {
     console.error(`Error: No skill file found for "${domain}".`);
     process.exit(1);
@@ -597,8 +616,8 @@ async function handleAuth(positional: string[], flags: Record<string, string | b
     }
   }
 
-  // Read skill file for OAuth config (non-secret)
-  const skill = await readSkillFile(domain, SKILLS_DIR);
+  // Read skill file for OAuth config (non-secret) — trustUnsigned for display only
+  const skill = await readSkillFile(domain, SKILLS_DIR, { trustUnsigned: true });
   const oauthConfig = skill?.auth?.oauthConfig;
 
   const status = {
@@ -660,7 +679,7 @@ async function handleServe(positional: string[], flags: Record<string, string |
     });
 
     // Print tool list to stderr (stdout is the MCP transport)
-    const skill = await readSkillFile(domain, SKILLS_DIR);
+    const skill = await readSkillFile(domain, SKILLS_DIR, { trustUnsigned: true });
     const tools = buildServeTools(skill!);
 
     if (json) {
@@ -682,10 +701,13 @@ async function handleServe(positional: string[], flags: Record<string, string |
   }
 }
 
-async function handleMcp(): Promise<void> {
+async function handleMcp(flags: Record<string, string | boolean>): Promise<void> {
+  if (flags['danger-disable-ssrf'] === true) {
+    console.error('[apitap] WARNING: SSRF protection is disabled via --danger-disable-ssrf');
+  }
   const server = createMcpServer({
     skillsDir: SKILLS_DIR,
-    _skipSsrfCheck: process.env.APITAP_SKIP_SSRF_CHECK === '1',
+    _skipSsrfCheck: flags['danger-disable-ssrf'] === true,
   });
   const { StdioServerTransport } = await import('@modelcontextprotocol/sdk/server/stdio.js');
   const transport = new StdioServerTransport();
@@ -710,6 +732,16 @@ async function handleInspect(positional: string[], flags: Record<string, string
     process.exit(1);
   }
 
+  // SSRF validation for CLI (H6 fix)
+  const fullInspectUrl = url.startsWith('http') ? url : `https://${url}`;
+  if (flags['danger-disable-ssrf'] !== true) {
+    const ssrfCheck = await resolveAndValidateUrl(fullInspectUrl);
+    if (!ssrfCheck.safe) {
+      console.error(`Error: URL blocked (SSRF): ${ssrfCheck.reason}`);
+      process.exit(1);
+    }
+  }
+
   const json = flags.json === true;
   const duration = typeof flags.duration === 'string' ? parseInt(flags.duration, 10) : 30;
 
@@ -799,14 +831,37 @@ async function handleDiscover(positional: string[], flags: Record<string, string
   const json = flags.json === true;
   const save = flags.save === true;
 
+  // SSRF validation for CLI (H6 fix)
+  const fullDiscoverUrl = url.startsWith('http') ? url : `https://${url}`;
+  if (flags['danger-disable-ssrf'] !== true) {
+    const ssrfCheck = await resolveAndValidateUrl(fullDiscoverUrl);
+    if (!ssrfCheck.safe) {
+      if (json) {
+        console.log(JSON.stringify({ error: `URL blocked (SSRF): ${ssrfCheck.reason}` }));
+      } else {
+        console.error(`Error: URL blocked (SSRF): ${ssrfCheck.reason}`);
+      }
+      process.exit(1);
+    }
+  }
+
   if (!json) {
     console.log(`\n  Discovering APIs for ${url}...\n`);
   }
 
   const result = await discover(url);
 
+  // Look up passive index data for this domain
+  let domain: string;
+  try {
+    domain = new URL(fullDiscoverUrl).hostname;
+  } catch {
+    domain = url;
+  }
+  const indexEntry = await readIndexEntry(domain);
+
   if (json) {
-    console.log(JSON.stringify(result, null, 2));
+    console.log(JSON.stringify({ ...result, indexEntry: indexEntry ?? undefined }, null, 2));
   } else {
     // Confidence summary
     const confidenceLabels: Record<string, string> = {
@@ -853,6 +908,24 @@ async function handleDiscover(positional: string[], flags: Record<string, string
       console.log(`\n  Skill file: ${result.skillFile.endpoints.length} endpoints predicted`);
     }
 
+    if (indexEntry) {
+      console.log(`\n  Passive Index (from browser extension):`);
+      console.log(`    Domain:     ${indexEntry.domain}`);
+      console.log(`    Total hits: ${indexEntry.totalHits}`);
+      console.log(`    Endpoints:  ${indexEntry.endpoints.length}`);
+      console.log(`    Promoted:   ${indexEntry.promoted ? 'yes' : 'no'}`);
+      if (indexEntry.endpoints.length > 0) {
+        console.log(`    Observed endpoints:`);
+        for (const ep of indexEntry.endpoints) {
+          const methods = ep.methods.join(', ');
+          const auth = ep.authType ? ` [${ep.authType}]` : '';
+          const pagination = ep.pagination ? ` (${ep.pagination})` : '';
+          const gql = ep.type === 'graphql' ? ' [GraphQL]' : '';
+          console.log(`      ${methods} ${ep.path} \u2014 ${ep.hits} hits${auth}${pagination}${gql}`);
+        }
+      }
+    }
+
     if (result.confidence === 'none') {
       console.log(`\n  Recommendation: Run \`apitap capture ${url}\` for browser-based discovery`);
     }
@@ -902,7 +975,7 @@ async function handleBrowse(positional: string[], flags: Record<string, string |
     skillsDir: SKILLS_DIR,
     cache: new SessionCache(),
     maxBytes,
-    _skipSsrfCheck: process.env.APITAP_SKIP_SSRF_CHECK === '1',
+    _skipSsrfCheck: flags['danger-disable-ssrf'] === true,
   });
 
   if (json) {
@@ -933,6 +1006,15 @@ async function handlePeek(positional: string[], flags: Record<string, string | b
   const json = flags.json === true;
   const fullUrl = url.startsWith('http') ? url : `https://${url}`;
 
+  // SSRF validation for CLI (H6 fix)
+  if (flags['danger-disable-ssrf'] !== true) {
+    const ssrfCheck = await resolveAndValidateUrl(fullUrl);
+    if (!ssrfCheck.safe) {
+      console.error(`Error: URL blocked (SSRF): ${ssrfCheck.reason}`);
+      process.exit(1);
+    }
+  }
+
   if (!json) {
     console.log(`\n  Peeking at ${url}...\n`);
   }
@@ -964,6 +1046,15 @@ async function handleRead(positional: string[], flags: Record<string, string | b
   const fullUrl = url.startsWith('http') ? url : `https://${url}`;
   const maxBytes = typeof flags['max-bytes'] === 'string' ? parseInt(flags['max-bytes'], 10) : undefined;
 
+  // SSRF validation for CLI (H6 fix)
+  if (flags['danger-disable-ssrf'] !== true) {
+    const ssrfCheck = await resolveAndValidateUrl(fullUrl);
+    if (!ssrfCheck.safe) {
+      console.error(`Error: URL blocked (SSRF): ${ssrfCheck.reason}`);
+      process.exit(1);
+    }
+  }
+
   if (!json) {
     console.log(`\n  Reading ${url}...\n`);
   }
@@ -990,6 +1081,112 @@ async function handleRead(positional: string[], flags: Record<string, string | b
   console.log();
 }
 
+async function handleAudit(flags: Record<string, string | boolean>): Promise<void> {
+  const skillsDir = SKILLS_DIR || join(APITAP_DIR, 'skills');
+  const summaries = await listSkillFiles(skillsDir);
+  const machineId = await getEffectiveMachineId();
+  const authManager = new AuthManager(APITAP_DIR, machineId);
+  const authDomains = new Set(await authManager.listDomains());
+
+  // Get skill file last-modified dates
+  const rows: { domain: string; endpoints: number; auth: string; modified: string }[] = [];
+  for (const s of summaries) {
+    let modified = 'unknown';
+    try {
+      const st = await stat(s.skillFile);
+      modified = st.mtime.toISOString().slice(0, 10);
+    } catch {}
+    rows.push({
+      domain: s.domain,
+      endpoints: s.endpointCount,
+      auth: authDomains.has(s.domain) ? 'yes' : 'no',
+      modified,
+    });
+  }
+
+  // Get auth.enc last-modified
+  let authModified = 'none';
+  try {
+    const authStat = await stat(join(APITAP_DIR, 'auth.enc'));
+    authModified = authStat.mtime.toISOString().slice(0, 10);
+  } catch {}
+
+  if (flags.json === true) {
+    console.log(JSON.stringify({ domains: rows, authFileModified: authModified }, null, 2));
+    return;
+  }
+
+  if (rows.length === 0) {
+    console.log('\n  No skill files found.\n');
+    return;
+  }
+
+  // Table header
+  const domW = Math.max(6, ...rows.map(r => r.domain.length));
+  console.log();
+  console.log(`  ${'DOMAIN'.padEnd(domW)}  ${'ENDPOINTS'.padStart(9)}  ${'AUTH'.padEnd(4)}  MODIFIED`);
+  console.log(`  ${''.padEnd(domW, '-')}  ${''.padEnd(9, '-')}  ${''.padEnd(4, '-')}  ${''.padEnd(10, '-')}`);
+  for (const r of rows) {
+    console.log(`  ${r.domain.padEnd(domW)}  ${String(r.endpoints).padStart(9)}  ${r.auth.padEnd(4)}  ${r.modified}`);
+  }
+  console.log();
+  console.log(`  auth.enc last modified: ${authModified}`);
+  console.log();
+}
+
+async function handleForget(positional: string[]): Promise<void> {
+  const domain = positional[0];
+  if (!domain) {
+    console.error('Error: Domain required. Usage: apitap forget <domain>');
+    process.exit(1);
+  }
+
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(domain) || domain.includes('..')) {
+    console.error('Error: Invalid domain name');
+    process.exit(1);
+  }
+
+  const skillsDir = SKILLS_DIR || join(APITAP_DIR, 'skills');
+  let skillRemoved = false;
+  let authRemoved = false;
+  let notFound = true;
+
+  // Remove skill file
+  const skillFilePath = join(skillsDir, `${domain}.json`);
+  try {
+    await stat(skillFilePath);
+    notFound = false;
+    await unlink(skillFilePath);
+    skillRemoved = true;
+  } catch {}
+
+  // Remove stored auth
+  try {
+    const machineId = await getEffectiveMachineId();
+    const authManager = new AuthManager(APITAP_DIR, machineId);
+    const hasAuth = await authManager.has(domain);
+    if (hasAuth) {
+      notFound = false;
+      await authManager.clear(domain);
+      authRemoved = true;
+    }
+  } catch (err: any) {
+    if (skillRemoved) {
+      console.error(`Warning: Could not remove auth credentials: ${err.message}`);
+    }
+  }
+
+  if (notFound) {
+    console.log(`${domain} not found`);
+    return;
+  }
+
+  const parts: string[] = [];
+  if (skillRemoved) parts.push('skill file');
+  if (authRemoved) parts.push('credentials');
+  console.log(`Forgot ${domain} — ${parts.join(' and ')} removed`);
+}
+
 async function handleExtension(positional: string[], flags: Record<string, string | boolean>): Promise<void> {
   const subcommand = positional[0];
 
@@ -1073,7 +1270,7 @@ async function main(): Promise<void> {
       await handleServe(positional, flags);
       break;
     case 'mcp':
-      await handleMcp();
+      await handleMcp(flags);
       break;
     case 'inspect':
       await handleInspect(positional, flags);
@@ -1090,6 +1287,12 @@ async function main(): Promise<void> {
     case 'read':
       await handleRead(positional, flags);
       break;
+    case 'audit':
+      await handleAudit(flags);
+      break;
+    case 'forget':
+      await handleForget(positional);
+      break;
     case 'extension':
       await handleExtension(positional, flags);
       break;

package/src/discovery/fetch.ts

@@ -27,9 +27,9 @@ export async function safeFetch(
   url: string,
   options: SafeFetchOptions = {},
 ): Promise<FetchResult | null> {
-  // SSRF check
+  // M18: Use DNS-resolving SSRF check to prevent rebinding attacks
   if (!options.skipSsrf) {
-    const ssrfResult = validateUrl(url);
+    const ssrfResult = await resolveAndValidateUrl(url);
     if (!ssrfResult.safe) return null;
   }
 

package/src/index/reader.ts

@@ -0,0 +1,65 @@
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import os from 'node:os';
+
+// Types re-declared here (extension types can't be imported due to different tsconfig).
+// Keep in sync with extension/src/types.ts IndexFile/IndexEntry/IndexEndpoint.
+export interface IndexFile {
+  v: 1;
+  updatedAt: string;
+  entries: IndexEntry[];
+}
+
+export interface IndexEntry {
+  domain: string;
+  firstSeen: string;
+  lastSeen: string;
+  totalHits: number;
+  promoted: boolean;
+  lastPromoted?: string;
+  skillFileSource?: 'extension' | 'cli';
+  endpoints: IndexEndpoint[];
+}
+
+export interface IndexEndpoint {
+  path: string;
+  methods: string[];
+  authType?: string;
+  hasBody: boolean;
+  hits: number;
+  lastSeen: string;
+  pagination?: string;
+  type?: 'graphql';
+  queryParamNames?: string[];
+}
+
+const DEFAULT_APITAP_DIR = path.join(os.homedir(), '.apitap');
+
+/**
+ * Read the full passive index from disk.
+ * Returns null if index.json doesn't exist or is invalid.
+ */
+export async function readIndex(apitapDir: string = DEFAULT_APITAP_DIR): Promise<IndexFile | null> {
+  const indexPath = path.join(apitapDir, 'index.json');
+  try {
+    const raw = await fs.readFile(indexPath, 'utf-8');
+    const parsed = JSON.parse(raw);
+    if (parsed.v !== 1 || !Array.isArray(parsed.entries)) return null;
+    return parsed as IndexFile;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Read a single domain's index entry.
+ * Returns null if the domain is not in the index.
+ */
+export async function readIndexEntry(
+  domain: string,
+  apitapDir: string = DEFAULT_APITAP_DIR,
+): Promise<IndexEntry | null> {
+  const index = await readIndex(apitapDir);
+  if (!index) return null;
+  return index.entries.find(e => e.domain === domain) ?? null;
+}

package/src/mcp.ts

@@ -11,6 +11,7 @@ import { deriveSigningKey } from './auth/crypto.js';
 import { requestAuth } from './auth/handoff.js';
 import { CaptureSession } from './capture/session.js';
 import { discover } from './discovery/index.js';
+import { readIndexEntry } from './index/reader.js';
 import { SessionCache } from './orchestration/cache.js';
 import { peek } from './read/peek.js';
 import { read } from './read/index.js';
@@ -49,14 +50,40 @@ export interface McpServerOptions {
   skillsDir?: string;
   /** @internal Skip SSRF check in replay — for testing only */
   _skipSsrfCheck?: boolean;
+  /** Rate limit: max outbound requests per minute (default: 60). Set 0 to disable. */
+  rateLimitPerMinute?: number;
 }
 
 const MAX_SESSIONS = 3;
 
+/**
+ * M23: Simple sliding-window rate limiter for outbound MCP tool calls.
+ * Prevents misconfigured agents from flooding target APIs.
+ */
+class RateLimiter {
+  private timestamps: number[] = [];
+  private readonly maxPerMinute: number;
+
+  constructor(maxPerMinute: number) {
+    this.maxPerMinute = maxPerMinute;
+  }
+
+  check(): boolean {
+    if (this.maxPerMinute <= 0) return true; // Disabled
+    const now = Date.now();
+    const windowStart = now - 60_000;
+    this.timestamps = this.timestamps.filter(t => t > windowStart);
+    if (this.timestamps.length >= this.maxPerMinute) return false;
+    this.timestamps.push(now);
+    return true;
+  }
+}
+
 export function createMcpServer(options: McpServerOptions = {}): McpServer {
   const skillsDir = options.skillsDir;
   const sessions = new Map<string, CaptureSession>();
   const sessionCache = new SessionCache();
+  const rateLimiter = new RateLimiter(options.rateLimitPerMinute ?? 60);
 
   const server = new McpServer({
     name: 'apitap',
@@ -80,9 +107,7 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
     },
     async ({ query }) => {
       const result = await searchSkills(query, skillsDir);
-      return {
-        content: [{ type: 'text' as const, text: JSON.stringify(result) }],
-      };
+      return wrapExternalContent(result, 'apitap_search');
     },
   );
 
@@ -103,6 +128,9 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       },
     },
     async ({ url }) => {
+      if (!rateLimiter.check()) {
+        return { content: [{ type: 'text' as const, text: 'Rate limit exceeded. Try again in a moment.' }], isError: true };
+      }
       try {
         if (!options._skipSsrfCheck) {
           const validation = await resolveAndValidateUrl(url);
@@ -112,18 +140,23 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
         }
         const result = await discover(url);
 
-        // If we got a skill file, save it automatically
+        // Look up passive index data for this domain
+        let domain: string;
+        try { domain = new URL(url).hostname; } catch { domain = url; }
+        const indexEntry = await readIndexEntry(domain);
+
+        // If we got a skill file, sign and save it automatically
         if (result.skillFile && (result.confidence === 'high' || result.confidence === 'medium')) {
           const { writeSkillFile } = await import('./skill/store.js');
+          const { signSkillFile } = await import('./skill/signing.js');
+          const machineId = await getMachineId();
+          const sigKey = deriveSigningKey(machineId);
+          result.skillFile = signSkillFile(result.skillFile, sigKey);
           const path = await writeSkillFile(result.skillFile, skillsDir);
-          return {
-            content: [{ type: 'text' as const, text: JSON.stringify({ ...result, savedTo: path }) }],
-          };
+          return wrapExternalContent({ ...result, savedTo: path, indexEntry: indexEntry ?? undefined }, 'apitap_discover');
         }
 
-        return {
-          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
-        };
+        return wrapExternalContent({ ...result, indexEntry: indexEntry ?? undefined }, 'apitap_discover');
       } catch (err: any) {
         return {
           content: [{ type: 'text' as const, text: `Discovery failed: ${err.message}` }],
@@ -154,6 +187,9 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       },
     },
     async ({ domain, endpointId, params, fresh, maxBytes }) => {
+      if (!rateLimiter.check()) {
+        return { content: [{ type: 'text' as const, text: 'Rate limit exceeded. Try again in a moment.' }], isError: true };
+      }
       const machineId = await getMachineId();
       const signingKey = deriveSigningKey(machineId);
       const skill = await readSkillFile(domain, skillsDir, { verifySignature: true, signingKey });
@@ -258,6 +294,9 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       },
     },
     async ({ url, task, maxBytes }) => {
+      if (!rateLimiter.check()) {
+        return { content: [{ type: 'text' as const, text: 'Rate limit exceeded. Try again in a moment.' }], isError: true };
+      }
       if (!options._skipSsrfCheck) {
         const validation = await resolveAndValidateUrl(url);
         if (!validation.safe) {
@@ -274,13 +313,8 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
         // In test mode, disable bridge to avoid connecting to real socket
         ...(options._skipSsrfCheck ? { _bridgeSocketPath: '/nonexistent' } : {}),
       });
-      // Only mark as untrusted if it contains external data
-      if (result.success && result.data) {
-        return wrapExternalContent(result, 'apitap_browse');
-      }
-      return {
-        content: [{ type: 'text' as const, text: JSON.stringify(result) }],
-      };
+      // Always mark as untrusted — failed results may contain attacker-controlled strings (H7 fix)
+      return wrapExternalContent(result, 'apitap_browse');
     },
   );
 
@@ -336,6 +370,9 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       },
     },
     async ({ url, maxBytes }) => {
+      if (!rateLimiter.check()) {
+        return { content: [{ type: 'text' as const, text: 'Rate limit exceeded. Try again in a moment.' }], isError: true };
+      }
       try {
         if (!options._skipSsrfCheck) {
           const validation = await resolveAndValidateUrl(url);
@@ -404,9 +441,7 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
             setTimeout(() => reject(new Error('Capture timed out')), timeoutMs),
           ),
         ]);
-        return {
-          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
-        };
+        return wrapExternalContent(result, 'apitap_capture');
       } catch (err: any) {
         try { await session.abort(); } catch { /* already closed */ }
         return {
@@ -457,9 +492,8 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
         });
         const snapshot = await session.start(url);
         sessions.set(session.id, session);
-        return {
-          content: [{ type: 'text' as const, text: JSON.stringify({ sessionId: session.id, snapshot }) }],
-        };
+        // Mark as untrusted — snapshot contains external page content (H5 fix)
+        return wrapExternalContent({ sessionId: session.id, snapshot }, 'apitap_capture_start');
       } catch (err: any) {
         return {
           content: [{ type: 'text' as const, text: `Failed to start capture session: ${err.message}` }],
@@ -518,8 +552,10 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
         submit,
       });
 
+      // Mark as untrusted — result contains external page content (H5 fix)
+      const wrapped = wrapExternalContent(result, 'apitap_capture_interact');
       return {
-        content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+        ...wrapped,
         ...(result.success ? {} : { isError: true }),
       };
     },
@@ -560,15 +596,11 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
       try {
         if (shouldAbort) {
           await session.abort();
-          return {
-            content: [{ type: 'text' as const, text: JSON.stringify({ aborted: true, domains: [] }) }],
-          };
+          return wrapExternalContent({ aborted: true, domains: [] }, 'apitap_capture_finish');
         }
 
         const result = await session.finish();
-        return {
-          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
-        };
+        return wrapExternalContent(result, 'apitap_capture_finish');
       } catch (err: any) {
         return {
           content: [{ type: 'text' as const, text: `Finish failed: ${err.message}` }],
@@ -609,8 +641,9 @@ export function createMcpServer(options: McpServerOptions = {}): McpServer {
           timeout: timeout ? timeout * 1000 : undefined,
         });
 
+        const wrapped = wrapExternalContent(result, 'apitap_auth_request');
         return {
-          content: [{ type: 'text' as const, text: JSON.stringify(result) }],
+          ...wrapped,
           ...(result.success ? {} : { isError: true }),
         };
       } catch (err: any) {