@builtbyecho/public-api-finder 0.5.6 → 0.5.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@builtbyecho/public-api-finder",
-  "version": "0.5.6",
+  "version": "0.5.8",
   "description": "Find free/public APIs for agents and prototypes.",
   "type": "module",
   "bin": {

package/scripts/eval-hardening.mjs

@@ -0,0 +1,78 @@
+#!/usr/bin/env node
+import { spawnSync } from 'node:child_process';
+
+const cases = [
+  { q: 'crypto prices', args: ['--no-auth','--https','--cors','Yes'], topCategory: /cryptocurrency/i, top3Category: /cryptocurrency/i, mustName: /dexscreener|dexpaprika|defillama|geckoterminal|coinpaprika/i, forbid: /weather|joke|tvmaze|jobs/i },
+  { q: 'stock prices', args: ['--no-auth','--https','--cors','Yes'], topCategory: /finance/i, top3Category: /finance/i, forbid: /weather|joke|tvmaze|jobs/i },
+  { q: 'free stock quote API no auth', args: ['--no-auth','--https'], topCategory: /finance/i, mustName: /stooq|portfolio|alpha|finnhub|twelve/i, forbid: /weather|joke|anime|tv/i },
+  { q: 'solana token price market cap dex no key', args: ['--no-auth','--https'], topCategory: /cryptocurrency/i, top3Category: /cryptocurrency/i, mustName: /dexscreener|dexpaprika|geckoterminal|defillama/i },
+  { q: 'wallet balance transactions erc20 transfers api', args: [], topCategory: /cryptocurrency|openapi/i, mustName: /etherscan|alchemy|moralis|covalent|block/i },
+  { q: 'weather forecast no auth cors', args: ['--no-auth','--https','--cors','Yes'], topCategory: /weather/i, top3Category: /weather/i, mustName: /open-meteo|national weather|pirate/i, forbid: /joke|crypto|stocks/i },
+  { q: 'historical weather api', args: [], topCategory: /weather/i, mustName: /open-meteo|weather/i },
+  { q: 'weather alerts us api', args: ['--no-auth'], topCategory: /weather/i, mustName: /national weather|weather/i },
+  { q: 'geocoding api no auth', args: ['--no-auth','--https'], topCategory: /geocoding|location/i, mustName: /nominatim|geocod|zippopotam|ipinfo/i },
+  { q: 'reverse geocoding api', args: [], topCategory: /geocoding|location/i, mustName: /nominatim|geocod|mapbox|google/i },
+  { q: 'maps routing api', args: [], topCategory: /geocoding|location/i, mustName: /graphhopper|mapbox|google|here|tomtom/i, forbid: /linkedin/i },
+  { q: 'public transit api', args: [], topCategory: /transport|transit/i, mustName: /transitland|transport|mbta/i },
+  { q: 'jobs api remote', args: [], topCategory: /jobs|agents/i, mustName: /graphql jobs|adzuna|usajobs|search.gov|linkedin jobs/i },
+  { q: 'government jobs api', args: [], topCategory: /jobs|government/i, mustName: /usajobs|search.gov/i },
+  { q: 'company enrichment api', args: [], topCategory: /business|marketing|openapi/i, mustName: /clearbit|brandfetch|opencorporates|company/i },
+  { q: 'email validation api', args: [], topCategory: /email/i, mustName: /abstract|email|mail/i },
+  { q: 'phone number lookup api', args: [], topCategory: /communication|telecom|security|openapi/i, mustName: /numverify|twilio|phone|abstract/i },
+  { q: 'sms api', args: [], topCategory: /communication|messaging|telecom|openapi/i, mustName: /twilio|telnyx|vonage|sms|message/i },
+  { q: 'webhook testing api', args: [], mustName: /webhook|requestbin|pipedream|beeceptor|alchemy/i },
+  { q: 'payment processing api', args: [], topCategory: /payments|financial|openapi/i, mustName: /stripe|paypal|checkout|payment/i },
+  { q: 'subscriptions billing api', args: [], topCategory: /payments|openapi/i, mustName: /stripe|billing|subscription|chargebee/i },
+  { q: 'oauth identity api', args: [], topCategory: /authentication|security|development|openapi/i, mustName: /auth0|clerk|okta|oauth|openid/i },
+  { q: 'passwordless auth api', args: [], topCategory: /authentication|security|openapi/i, mustName: /auth0|clerk|magic|stytch|passwordless/i },
+  { q: 'screenshot api', args: [], topCategory: /development|media|documents|openapi/i, mustName: /urlbox|microlink|screenshot/i },
+  { q: 'link preview api', args: [], topCategory: /development|media|utility|openapi/i, mustName: /microlink|linkpreview|metadata|open graph/i },
+  { q: 'website metadata api', args: [], topCategory: /development|media|utility|openapi/i, mustName: /microlink|metadata|open graph|urlbox/i },
+  { q: 'pdf generation api', args: [], topCategory: /documents|development|utility|openapi/i, mustName: /pdf|document/i },
+  { q: 'ocr api', args: [], topCategory: /machine learning|ai|documents|openapi/i, mustName: /ocr|vision|mindee/i },
+  { q: 'image generation api', args: [], topCategory: /ai|machine learning|media|openapi/i, mustName: /stability|openai|replicate|image/i },
+  { q: 'text to speech api', args: [], topCategory: /ai|audio|machine learning|openapi/i, mustName: /elevenlabs|speech|voice|tts/i },
+  { q: 'speech to text api', args: [], topCategory: /ai|audio|machine learning|openapi/i, mustName: /assemblyai|deepgram|whisper|speech/i },
+  { q: 'vulnerability database api', args: [], topCategory: /security|development|open data/i, mustName: /osv|nvd|cve|vulnerab/i },
+  { q: 'cve lookup api', args: [], topCategory: /security|open data/i, mustName: /nvd|cve|osv/i },
+  { q: 'npm package metadata api', args: ['--no-auth'], topCategory: /development|open data/i, mustName: /npm|libraries.io|package/i },
+  { q: 'github repo stats api', args: [], topCategory: /development|open data/i, mustName: /github|gitlab/i },
+  { q: 'domain dns lookup api', args: [], topCategory: /security|development|openapi/i, mustName: /dns|google dns|whois|ssl/i },
+  { q: 'open data demographics api', args: [], topCategory: /government|open data/i, mustName: /census|data.gov|demographics/i },
+  { q: 'fake ecommerce api for testing', args: ['--no-auth','--https'], topCategory: /test data|shopping/i, mustName: /fake store|dummyjson|jsonplaceholder/i },
+  { q: 'joke api', args: ['--no-auth'], topCategory: /entertainment|jokes/i, mustName: /joke/i, forbid: /weather|crypto|stock/i },
+  { q: 'cat images random dog facts no auth', args: ['--no-auth'], mustName: /cat|dog|thecatapi|dog ceo/i, forbid: /weather|stock|crypto/i },
+  { q: 'food barcode ingredients allergens nutrition no auth cors', args: ['--no-auth','--https'], topCategory: /food/i, mustName: /open food facts/i },
+  { q: 'recipe from pantry ingredients avoid allergens api', args: [], topCategory: /food/i, mustName: /spoonacular|edamam|recipe|meal/i },
+  { q: 'air quality by coordinates pollutant measurements', args: [], topCategory: /environment|science|weather/i, mustName: /openaq|air quality|aqicn/i },
+  { q: 'historical currency exchange rates no auth cors', args: ['--no-auth','--https'], topCategory: /currency exchange/i, mustName: /frankfurter|currency/i, forbid: /\b(crypto|bitcoin|dex)\b/i },
+  { q: 'public holidays by country no auth', args: ['--no-auth','--https'], topCategory: /calendar|date/i, mustName: /nager|holiday|calendarific/i },
+  { q: 'vehicle vin decode recall safety data no auth', args: ['--no-auth'], topCategory: /transportation|government|open data/i, mustName: /nhtsa|vin|vehicle/i },
+  { q: 'real estate property value rent estimate api', args: [], topCategory: /real estate|property|openapi|finance/i, mustName: /rentcast|attom|zillow|real estate|property/i },
+  { q: 'flight status airport arrivals departures api', args: [], topCategory: /transportation|travel|openapi/i, mustName: /aviation|flight|airport|amadeus/i },
+  { q: 'hotel search booking availability api', args: [], topCategory: /travel|commerce|openapi/i, mustName: /hotel|booking|amadeus/i },
+  { q: 'brand colors fonts logo company domain enrichment', args: [], topCategory: /business|marketing|development|openapi/i, mustName: /brandfetch|clearbit|logo|brand/i },
+];
+
+let failures = 0;
+for (const [i, c] of cases.entries()) {
+  const res = spawnSync(process.execPath, ['src/cli.js', c.q, ...c.args, '--limit', '5', '--json'], { encoding: 'utf8' });
+  const rows = res.status === 0 ? JSON.parse(res.stdout || '[]') : [];
+  const top = rows[0];
+  const checks = [];
+  if (!top) checks.push('no results');
+  if (top && c.topCategory && !c.topCategory.test(top.category || '')) checks.push(`top category ${top.category} !~ ${c.topCategory}`);
+  if (top && c.top3Category) {
+    const bad = rows.slice(0, 3).filter(r => !c.top3Category.test(r.category || '')).map(r => `${r.name} (${r.category})`);
+    if (bad.length) checks.push(`top3 off-domain: ${bad.join(', ')}`);
+  }
+  if (c.mustName && !rows.slice(0, 3).some(r => c.mustName.test(`${r.name} ${r.description} ${r.url}`))) checks.push(`top3 missing ${c.mustName}`);
+  if (c.forbid && rows.slice(0, 5).some(r => c.forbid.test(`${r.name} ${r.category} ${r.description}`))) checks.push(`forbidden result ${c.forbid}`);
+  const ok = checks.length === 0;
+  if (!ok) failures++;
+  console.log(`${ok ? 'PASS' : 'FAIL'} ${i + 1}. ${c.q}`);
+  rows.slice(0, 3).forEach((r, idx) => console.log(`  ${idx + 1}. ${r.name} | ${r.category} | auth=${r.auth} | cors=${r.cors} | score=${r.score}`));
+  if (!ok) console.log(`  Reasons: ${checks.join('; ')}`);
+}
+console.log(`\n${cases.length - failures}/${cases.length} hardening cases passed`);
+process.exitCode = failures ? 1 : 0;

package/scripts/eval-mutations.mjs

@@ -0,0 +1,56 @@
+#!/usr/bin/env node
+import { spawnSync } from 'node:child_process';
+
+const cases = [
+  { q: 'free stock data for a frontend chart', args: ['--no-auth','--https'], expect: /finance/i, any: /stooq|portfolio|stock|finance/i, forbid: /weather|joke|anime/i },
+  { q: 'api for checking token liquidity on dexes', args: [], expect: /cryptocurrency/i, any: /dexscreener|dexpaprika|geckoterminal|defillama/i },
+  { q: 'browser safe weather forecast api', args: ['--no-auth','--https','--cors','Yes'], expect: /weather/i, any: /open-meteo|weather|pirate/i },
+  { q: 'whois and dns lookup for a domain', args: [], expect: /security|development|openapi/i, any: /whois|dns|ssl/i },
+  { q: 'send text messages to users api', args: [], expect: /communication|messaging|telecom|openapi/i, any: /twilio|sms|message|telnyx|vonage/i },
+  { q: 'make pdf from html api', args: [], expect: /documents|development|openapi/i, any: /pdf|html/i },
+  { q: 'find APIs for app screenshots', args: [], expect: /development|media|documents|openapi/i, any: /urlbox|microlink|screenshot|capture/i },
+  { q: 'check if npm package has vulnerabilities', args: [], expect: /security|development|open data/i, any: /osv|nvd|vulnerability|npm/i },
+  { q: 'lookup us census demographics by zip', args: [], expect: /government|open data|geocoding/i, any: /census|zippopotam|data.gov/i },
+  { q: 'temporary email inbox for tests', args: ['--no-auth','--https'], expect: /email/i, any: /mail|email|inbox/i },
+  { q: 'login users with magic link api', args: [], expect: /authentication|security|openapi/i, any: /stytch|magic|auth0|clerk|passwordless/i },
+  { q: 'mock webhooks during development', args: [], expect: /development|test data|openapi/i, any: /webhook|beeceptor|requestbin|mock/i },
+  { q: 'public holidays calendar for germany', args: ['--no-auth','--https'], expect: /calendar|date/i, any: /nager|holiday|calendar/i },
+  { q: 'random user data for frontend seed demo', args: ['--no-auth','--https'], expect: /test data/i, any: /random user|jsonplaceholder|dummyjson|fake/i },
+  { q: 'recipe nutrition search by ingredients', args: [], expect: /food/i, any: /spoonacular|edamam|open food|recipe|nutrition/i },
+  { q: 'flight arrivals by airport code', args: [], expect: /travel|transportation|openapi/i, any: /aviation|flight|airport|amadeus/i },
+  { q: 'rent estimate property valuation api', args: [], expect: /real estate|property|finance|openapi/i, any: /rentcast|attom|property|real estate/i },
+  { q: 'container image tags registry api', args: [], expect: /development|security|openapi/i, any: /docker|registry|container/i },
+  { q: 'open graph card preview for url', args: [], expect: /development|media|utility|openapi/i, any: /microlink|open graph|link preview|metadata/i },
+  { q: 'speech transcription from uploaded audio', args: [], expect: /ai|audio|machine learning|openapi/i, any: /assemblyai|deepgram|whisper|transcription/i },
+  // Over-filter / tight filter checks: should not pad unrelated junk.
+  { q: 'stock quote no auth cors yes', args: ['--no-auth','--https','--cors','Yes'], any: /portfolio|stooq|stock|finance/i, forbid: /weather|joke|tvmaze|anime|jobs/i, max: 5, allowEmpty: true },
+  { q: 'crypto exchange orderbook no auth cors yes', args: ['--no-auth','--https','--cors','Yes'], expect: /cryptocurrency/i, any: /0x|coinpaprika|dexpaprika|dex|crypto/i, forbid: /weather|stock|joke/i, max: 5 },
+  { q: 'oauth login no auth cors yes', args: ['--no-auth','--https','--cors','Yes'], forbid: /weather|joke|food|crypto|stock|calendar|holiday/i, max: 5, allowEmpty: true },
+  { q: 'webhook testing no auth cors yes', args: ['--no-auth','--https','--cors','Yes'], any: /webhook|beeceptor|jsonplaceholder|mock/i, forbid: /weather|crypto|stock/i, max: 5 },
+  { q: 'medical diagnosis api no auth cors yes', args: ['--no-auth','--https','--cors','Yes'], forbid: /weather|crypto|stock|joke|tvmaze|anime|email|animals|food/i, max: 5, allowEmpty: true },
+];
+
+function checkRows(rows, c) {
+  const checks = [];
+  const top = rows[0];
+  if (!top && !c.allowEmpty) checks.push('no results');
+  if (top && c.expect && !c.expect.test(top.category || '')) checks.push(`top category ${top.category} !~ ${c.expect}`);
+  if (c.any && !(c.allowEmpty && rows.length === 0) && !rows.slice(0, 3).some(r => c.any.test(`${r.name} ${r.category} ${r.description} ${r.url}`))) checks.push(`top3 missing ${c.any}`);
+  if (c.forbid && rows.some(r => c.forbid.test(`${r.name} ${r.category} ${r.description}`))) checks.push(`forbidden ${c.forbid}`);
+  if (c.max && rows.length > c.max) checks.push(`too many rows ${rows.length} > ${c.max}`);
+  return checks;
+}
+
+let failures = 0;
+for (const [i, c] of cases.entries()) {
+  const res = spawnSync(process.execPath, ['src/cli.js', c.q, ...c.args, '--limit', String(c.max || 5), '--json'], { encoding: 'utf8' });
+  const rows = res.status === 0 ? JSON.parse(res.stdout || '[]') : [];
+  const checks = checkRows(rows, c);
+  const ok = checks.length === 0;
+  if (!ok) failures++;
+  console.log(`${ok ? 'PASS' : 'FAIL'} ${i + 1}. ${c.q}`);
+  rows.slice(0, 3).forEach((r, idx) => console.log(`  ${idx + 1}. ${r.name} | ${r.category} | auth=${r.auth} | cors=${r.cors} | score=${r.score}`));
+  if (!ok) console.log(`  Reasons: ${checks.join('; ')}`);
+}
+console.log(`\n${cases.length - failures}/${cases.length} mutation cases passed`);
+process.exitCode = failures ? 1 : 0;

package/src/cli.js

@@ -13,7 +13,7 @@ const SOURCES = {
 };
 const CACHE_PATH = process.env.PUBLIC_API_FINDER_CACHE || join(homedir(), '.cache', 'public-api-finder', 'all.json');
 const CACHE_TTL_MS = 24 * 60 * 60 * 1000;
-const DATA_VERSION = 15;
+const DATA_VERSION = 17;
 
 const ENRICHMENT_FIELDS = [
   'tags',
@@ -54,6 +54,15 @@ const TARGETED_BOOSTS = [
   [/\b(sanctions|ofac|pep|kyc|aml)\b/, /\b(opensanctions|ofac|sanctions|pep|kyc|aml|chainalysis)\b/i, 135],
   [/\b(wallet risk|crypto sanctions|blockchain wallet risk)\b/, /\b(chainalysis|trm|elliptic|sanctions|wallet risk)\b/i, 95],
   [/\b(crypto token metadata|token metadata|token logos|coin logos|logos contract addresses)\b/, /\b(coinmarketcap|coingecko|coinpaprika|coinbase|token logos|coin metadata|coin images)\b/i, 90],
+  [/\b(stock|stocks|stock quote|stock prices|equity|equities|ticker|tickers)\b/, /\b(stooq|portfolio optimizer|alpha vantage|polygon|finnhub|twelve data|stock|stocks|equity|ticker|quote)\b/i, 90],
+  [/\b(reverse geocoding|geocoding|maps routing|routing api|distance matrix|places)\b/, /\b(nominatim|geocod\.io|graphhopper|mapbox|foursquare|geocoding|routing|distance matrix|places)\b/i, 120],
+  [/\b(webhook testing|webhook debug|request bin|mock api)\b/, /\b(webhook\.site|beeceptor|requestbin|webhook|mock api|request bin)\b/i, 180],
+  [/\b(oauth identity|passwordless auth|openid|social auth|login oauth)\b/, /\b(auth0|clerk|stytch|magic|openid|oauth|passwordless|authentication|identity)\b/i, 190],
+  [/\b(cve lookup|vulnerability database|vulnerability data|package security)\b/, /\b(osv|nvd|cve|cvss|vulnerability|security advisories)\b/i, 190],
+  [/\b(cve lookup|cve api|cve search)\b/, /\b(osv|nvd|cve)\b/i, 260],
+  [/\b(open data demographics|demographics|census data)\b/, /\b(census|data\.gov|demographics|open data|government data)\b/i, 145],
+  [/\b(joke|jokes|meme|memes|random quote)\b/, /\b(official joke|joke api|jokes|quotable|quote)\b/i, 110],
+  [/\b(github repo|repo stats|stars issues commits)\b/, /\b(github rest|github|gitlab|repositories|stars|issues|commits)\b/i, 100],
   [/\b(zipcode|zip code|postal code)\b/, /\b(zippopotam|zip|postal|census)\b/i, 80],
   [/\b(real estate|property value|rent estimate)\b/, /\b(rentcast|attom|zillow|real estate|property|rent estimate)\b/i, 135],
   [/\b(mortgage|mortgage rates|loan calculator|loan rate|home loan)\b/, /\b(mortgage|home loan|loan rate)\b/i, 230],
@@ -388,9 +397,13 @@ const CURATED_APIS = [
   { name: 'GitHub REST API', url: 'https://docs.github.com/en/rest', description: 'GitHub repositories, stars, issues, commits, pull requests, releases, users, and org data API.', auth: 'No', https: true, cors: 'Yes', category: 'Development', source: 'curated', sourceWeight: 5 },
   { name: 'npm Registry API', url: 'https://github.com/npm/registry/blob/main/docs/REGISTRY-API.md', description: 'No-auth npm package metadata, versions, downloads, dist-tags, registry documents, and package data.', auth: 'No', https: true, cors: 'Yes', category: 'Development', source: 'curated', sourceWeight: 5 },
   { name: 'Docker Hub', url: 'https://docs.docker.com/docker-hub/api/latest/', description: 'Docker image repositories, tags, registry metadata, namespaces, vulnerabilities, and container image data API.', auth: 'apiKey', https: true, cors: 'Unknown', category: 'Development', source: 'curated', sourceWeight: 5 },
+  { name: 'Webhook.site', url: 'https://webhook.site/', description: 'Webhook testing, inspect HTTP requests, debug callbacks, request bins, and temporary webhook endpoints.', auth: 'No', https: true, cors: 'Yes', category: 'Development', source: 'curated', sourceWeight: 5 },
+  { name: 'Beeceptor', url: 'https://beeceptor.com/docs/', description: 'Webhook testing, mock APIs, request bin inspection, HTTP debugging, and endpoint simulation.', auth: 'No', https: true, cors: 'Unknown', category: 'Development', source: 'curated', sourceWeight: 5 },
 
   { name: 'Auth0', url: 'https://auth0.com/docs/api', description: 'OAuth, OpenID Connect, login, user profiles, social auth, authentication, and identity APIs.', auth: 'apiKey', https: true, cors: 'Unknown', category: 'Authentication', source: 'curated', sourceWeight: 5 },
   { name: 'Clerk', url: 'https://clerk.com/docs/reference/backend-api', description: 'Authentication, user profiles, organizations, sessions, OAuth, social login, and identity APIs.', auth: 'apiKey', https: true, cors: 'Unknown', category: 'Authentication', source: 'curated', sourceWeight: 5 },
+  { name: 'Stytch', url: 'https://stytch.com/docs/api', description: 'Passwordless login, magic links, OTP, OAuth, passkeys, sessions, and user authentication API.', auth: 'apiKey', https: true, cors: 'Unknown', category: 'Authentication', source: 'curated', sourceWeight: 5 },
+  { name: 'Magic', url: 'https://magic.link/docs/api', description: 'Passwordless authentication, magic links, wallets, login, users, and identity API.', auth: 'apiKey', https: true, cors: 'Unknown', category: 'Authentication', source: 'curated', sourceWeight: 5 },
   { name: 'Mail.tm', url: 'https://docs.mail.tm/', description: 'No-auth temporary email inboxes, disposable mail accounts, receive messages, and testing email API.', auth: 'No', https: true, cors: 'Yes', category: 'Email', source: 'curated', sourceWeight: 5 },
   { name: 'Twilio Verify', url: 'https://www.twilio.com/docs/verify/api', description: 'SMS OTP verification, phone verification, one-time passcodes, factors, and verification checks.', auth: 'apiKey', https: true, cors: 'Unknown', category: 'Telecom', source: 'curated', sourceWeight: 5 },
   { name: 'numverify', url: 'https://numverify.com/documentation', description: 'Phone number validation, carrier, country, location, line type, and international number lookup API.', auth: 'apiKey', https: true, cors: 'Unknown', category: 'Telecom', source: 'curated', sourceWeight: 5 },
@@ -734,7 +747,17 @@ function applyQueryHints(args) {
   if (!args.cors && /\b(cors|frontend-safe|browser-safe|frontend safe|browser safe)\b/.test(query)) args.cors = 'Yes';
 }
 
-const SEARCH_STOPWORDS = new Set(['a', 'an', 'and', 'api', 'apis', 'for', 'from', 'in', 'no', 'of', 'on', 'or', 'the', 'to', 'with']);
+const SEARCH_STOPWORDS = new Set(['a', 'an', 'and', 'api', 'apis', 'auth', 'cors', 'for', 'from', 'in', 'key', 'no', 'of', 'on', 'or', 'the', 'to', 'with', 'yes']);
+
+
+function normalizeSearchQuery(query) {
+  return String(query || '')
+    .replace(/\b(no auth|without auth|no api key|no key|unauthenticated)\b/gi, ' ')
+    .replace(/\b(cors|cors yes|frontend-safe|browser-safe|frontend safe|browser safe|https)\b/gi, ' ')
+    .replace(/\b(api|apis)\b/gi, ' ')
+    .replace(/\s+/g, ' ')
+    .trim();
+}
 
 function tokenSet(text) {
   return new Set(String(text).toLowerCase().match(/[a-z0-9]+/g)?.filter(t => t.length > 1 && !SEARCH_STOPWORDS.has(t)) || []);
@@ -836,9 +859,47 @@ function intentPenalty(entry, queryText) {
     if (/\b(favicon|website preview|open graph|link preview|screenshot)\b/.test(queryText) && !/\b(microlink|urlbox|favicon|website metadata|open graph|link preview|screenshot)\b/.test(text)) penalty += 120;
   }
 
-  if (/\b(school district|school boundary|district boundary)\b/.test(queryText) && /\b(linkedin|jobs scraper|lead|sales|recruiting)\b/.test(text)) {
+  if (/\b(school district|school boundary|district boundary|reverse geocoding|maps routing|routing api|open data demographics|demographics|census data)\b/.test(queryText) && /\b(linkedin|jobs scraper|lead|sales|recruiting|amazon product scraper|tiktok profile scraper)\b/.test(text)) {
+    penalty += 120;
+  }
+  const stockIntent = /\b(stock|stocks|stock quote|stock prices|equity|equities|ticker|tickers)\b/.test(queryText) && !/\b(not stocks?|not stock|non stocks?|non stock)\b/.test(queryText);
+  if (stockIntent && !/finance|financial|stock|stocks|equity|ticker|market data|portfolio|stooq|finnhub|polygon|alpha vantage|twelve data/.test(text)) {
+    penalty += 80;
+  }
+  if (stockIntent && /\b(quotable|joke|entertainment|food|weather|test data|placeholder)\b/.test(text)) {
+    penalty += 140;
+  }
+  if (/\bcrypto\b/.test(queryText) && /\bnot stocks?\b/.test(queryText) && /\b(finance|financial|stock|stocks|equity|ticker|portfolio|stooq|finnhub|polygon|sec edgar|predscope|valueray|econdb)\b/.test(text)) {
+    penalty += 240;
+  }
+  if (/\b(oauth identity|passwordless auth|openid|social auth|login oauth)\b/.test(queryText) && !/authentication|auth0|clerk|stytch|magic|openid|identity|passwordless|social auth/.test(text)) {
+    penalty += 160;
+  }
+  if (/\b(oauth identity|passwordless auth|openid|social auth|login oauth)\b/.test(queryText) && /\b(calendar|nager|holiday|open food|plaid|clearbit logo)\b/.test(text)) {
+    penalty += 180;
+  }
+  if (/\b(webhook testing|webhook debug|request bin|mock api)\b/.test(queryText) && !/webhook|beeceptor|requestbin|mock api|pipedream/.test(text)) {
+    penalty += 80;
+  }
+  if (/\b(cve lookup|vulnerability database|vulnerability data|package security)\b/.test(queryText) && !/osv|nvd|cve|cvss|vulnerability|security advisories/.test(text)) {
     penalty += 95;
   }
+  if (/\b(cve lookup|cve api|cve search)\b/.test(queryText) && !/osv|nvd|cve/.test(text)) {
+    penalty += 180;
+  }
+  if (/\b(joke api|jokes?|memes?)\b/.test(queryText) && !/joke|meme|quote/.test(text)) {
+    penalty += 70;
+  }
+
+  if (/\b(crypto|cryptocurrency|dex|orderbook)\b/.test(queryText) && /\b(currency exchange|frankfurter|national bank|vatcomply|exchange rates only|fiat)\b/.test(text) && !/\b(crypto|cryptocurrency|dex|token|blockchain|defi|coinpaprika|0x)\b/.test(text)) {
+    penalty += 160;
+  }
+  if (/\b(oauth|login|auth|authentication|passwordless)\b/.test(queryText) && /\b(calendar|holiday|nameday|nager|non-working days|food|weather|crypto|stock)\b/.test(text) && !/\b(auth|oauth|openid|login|identity|passwordless)\b/.test(text)) {
+    penalty += 140;
+  }
+  if (/\b(medical diagnosis|diagnosis|clinical|symptom checker)\b/.test(queryText) && /\b(food|crypto|currency|weather|joke|tv|geocoding|zippopotam)\b/.test(text) && !/\b(medical|health|clinical|diagnosis|symptom|fhir)\b/.test(text)) {
+    penalty += 180;
+  }
 
   if (!cat.includes('cryptocurrency') && /\b(wallet address|identicon|avatar|profile picture)\b/.test(queryText) && /\b(avatar|identicon|profile picture)\b/.test(text)) {
     penalty -= 20;
@@ -1097,8 +1158,38 @@ function sourceMatches(entry, source) {
   return (entry.sources || [entry.source]).some(s => String(s).toLowerCase() === source.toLowerCase());
 }
 
+
+function passesIntentGate(entry, queryText) {
+  const text = `${entry.name || ''} ${entry.category || ''} ${entry.description || ''} ${enrichedText(entry)}`.toLowerCase();
+  if (/\b(currency exchange|exchange rates|fiat exchange|forex rates)\b/.test(queryText) && !/\bcrypto|bitcoin|dex|token\b/.test(queryText)) {
+    if (/\bcurrency exchange\b/.test(String(entry.category || '').toLowerCase())) return true;
+    if (/\b(frankfurter|national bank|vatcomply)\b/.test(String(entry.name || '').toLowerCase())) return true;
+    if (/\b(crypto|crypto-currencies|cryptocurrency|stocks?|portfolio optimizer|econdb)\b/.test(text)) return false;
+    return /\b(currency conversion|forex rates)\b/.test(text);
+  }
+  if (/\b(stock|stocks|stock quote|stock prices|equity|equities|ticker|tickers)\b/.test(queryText) && !/\b(not stocks?|not stock|non stocks?|non stock)\b/.test(queryText)) {
+    return /\b(finance|financial|currency exchange)\b/.test(String(entry.category || '').toLowerCase())
+      || /\b(stooq|portfolio optimizer|alpha vantage|finnhub|polygon|twelve data|sec edgar|econdb|tradier|predscope|valueray)\b/.test(text);
+  }
+  if (/\b(oauth|openid|passwordless|magic link)\b/.test(queryText) || /\blogin\b.*\b(auth|users?)\b/.test(queryText)) {
+    return /\b(authentication|security)\b/.test(String(entry.category || '').toLowerCase())
+      || /\b(auth0|clerk|stytch|magic|oauth|openid|identity|passwordless|social auth|login)\b/.test(text);
+  }
+  if (/\b(medical diagnosis|diagnosis|clinical|symptom checker)\b/.test(queryText)) {
+    return /\b(medical|health|clinical|diagnosis|symptom|fhir)\b/.test(text);
+  }
+  if (/\b(crypto|cryptocurrency|dex|orderbook)\b/.test(queryText) && !/\b(not crypto|non crypto|fiat only)\b/.test(queryText)) {
+    if (!/\bcryptocurrency\b/.test(String(entry.category || '').toLowerCase()) && /\b(finance|financial|currency exchange)\b/.test(String(entry.category || '').toLowerCase())) return false;
+    return /\b(crypto|cryptocurrency|dex|defi|token|blockchain|coin|coinpaprika|0x|dexpaprika|geckoterminal|dexscreener)\b/.test(text);
+  }
+  return true;
+}
+
 function filterEntries(entries, args) {
-  const q = tokenSet(args.query);
+  const queryText = String(args.query || '').toLowerCase();
+  const searchText = normalizeSearchQuery(args.query);
+  const q = tokenSet(searchText);
+  if (args.noAuth && (/\b(oauth|openid|passwordless|magic link)\b/.test(queryText) || /\blogin\b.*\b(auth|users?)\b/.test(queryText))) return [];
   return entries.flatMap(e => {
     if (args.category && !String(e.category || '').toLowerCase().includes(args.category.toLowerCase())) return [];
     if (args.source && !sourceMatches(e, args.source)) return [];
@@ -1106,13 +1197,15 @@ function filterEntries(entries, args) {
     if (args.https && !e.https) return [];
     if (args.openapi && !e.openapiUrl) return [];
     if (args.cors && String(e.cors || '').toLowerCase() !== args.cors.toLowerCase()) return [];
+    if (q.size && !passesIntentGate(e, queryText)) return [];
     const matched = q.size ? textScore(e, q) : 1;
     const domain = q.size ? domainAdjustment(e, q) : 0;
-    const targeted = q.size ? targetedBoost(e, args.query.toLowerCase()) : 0;
+    const targeted = q.size ? targetedBoost(e, queryText) : 0;
     if (q.size && matched === 0 && domain <= 0 && targeted <= 0) return [];
-    const s = q.size ? score(e, q, args.query.toLowerCase()) : 1;
+    let s = q.size ? score(e, q, searchText.toLowerCase()) : 1;
     if (q.size && s <= 0) return [];
-    return [{ ...e, score: s + (e.sourceWeight || 0) }];
+    const finalScore = s + (e.sourceWeight || 0);
+    return [{ ...e, score: finalScore }];
   }).sort((a, b) => b.score - a.score || String(a.category).localeCompare(String(b.category)) || String(a.name).localeCompare(String(b.name))).slice(0, args.limit);
 }