@j0hanz/fetch-url-mcp 1.5.0 → 1.6.0

package/dist/http/auth.js

@@ -1,7 +1,7 @@
 import { Buffer } from 'node:buffer';
 import { randomBytes } from 'node:crypto';
 import { InvalidTokenError, ServerError, } from '@modelcontextprotocol/sdk/server/auth/errors.js';
-import { config } from '../lib/core.js';
+import { config, logWarn } from '../lib/core.js';
 import { normalizeHost } from '../lib/url.js';
 import { hmacSha256Hex, timingSafeEqualUtf8 } from '../lib/utils.js';
 import { isObject } from '../lib/utils.js';
@@ -186,6 +186,9 @@ export function ensureMcpProtocolVersion(req, res, options) {
             // Permissive backward-compat fallback: clients predating MCP 2025-03-26 do not
             // send MCP-Protocol-Version. Accepting requests without the header keeps older
             // integrations working. Pass requireHeader: true to enforce strict version checking.
+            logWarn('MCP-Protocol-Version header missing; defaulting to permissive fallback', {
+                remoteAddress: req.socket.remoteAddress,
+            });
             return true;
         }
         sendError(res, -32600, 'Missing MCP-Protocol-Version header');

package/dist/http/native.js

@@ -139,6 +139,11 @@ class McpSessionGateway {
             sendError(ctx.res, -32600, 'Session not found', 404);
             return;
         }
+        const fingerprint = buildAuthFingerprint(ctx.auth);
+        if (!fingerprint || session.authFingerprint !== fingerprint) {
+            sendError(ctx.res, -32600, 'Session not found', 404);
+            return;
+        }
         if (!ensureMcpProtocolVersion(ctx.req, ctx.res, {
             requireHeader: true,
             expectedVersion: session.negotiatedProtocolVersion,
@@ -147,7 +152,9 @@ class McpSessionGateway {
         }
         const acceptHeader = getHeaderValue(ctx.req, 'accept');
         if (!acceptsEventStream(acceptHeader)) {
-            sendJson(ctx.res, 405, { error: 'Method Not Allowed' });
+            sendJson(ctx.res, 406, {
+                error: 'Not Acceptable: expected text/event-stream',
+            });
             return;
         }
         this.store.touch(sessionId);
@@ -164,6 +171,11 @@ class McpSessionGateway {
             sendError(ctx.res, -32600, 'Session not found', 404);
             return;
         }
+        const fingerprint = buildAuthFingerprint(ctx.auth);
+        if (!fingerprint || session.authFingerprint !== fingerprint) {
+            sendError(ctx.res, -32600, 'Session not found', 404);
+            return;
+        }
         if (!ensureMcpProtocolVersion(ctx.req, ctx.res, {
             requireHeader: true,
             expectedVersion: session.negotiatedProtocolVersion,
@@ -172,7 +184,7 @@ class McpSessionGateway {
         }
         await session.transport.close();
         this.cleanupSessionRecord(sessionId, 'session-delete');
-        sendText(ctx.res, 200, 'Session closed');
+        sendJson(ctx.res, 200, { status: 'closed' });
     }
     async getOrCreateTransport(ctx, requestId) {
         const sessionId = getMcpSessionId(ctx.req);

package/dist/lib/content.js

@@ -19,7 +19,7 @@ const HEADER_NOISE_PATTERN = /\b(site-header|masthead|topbar|navbar|nav(?:bar)?|
 const FIXED_OR_HIGH_Z_PATTERN = /\b(?:fixed|sticky|z-(?:4\d|50)|isolate)\b/;
 const SKIP_URL_PREFIXES = [
     '#',
-    'java' + 'script:',
+    'javascript:',
     'mailto:',
     'tel:',
     'data:',

package/dist/lib/core.d.ts

@@ -131,6 +131,7 @@ export declare const config: {
         allowedHosts: Set<string>;
         apiKey: string | undefined;
         allowRemote: boolean;
+        allowLocalFetch: boolean;
     };
     auth: AuthConfig;
     rateLimit: {
@@ -187,6 +188,7 @@ export declare function keys(): readonly string[];
 export declare function getEntryMeta(cacheKey: string): {
     url: string;
     title?: string;
+    fetchedAt?: string;
 } | undefined;
 export declare function isEnabled(): boolean;
 type LogMetadata = Record<string, unknown>;

package/dist/lib/core.js

@@ -4,11 +4,11 @@ import { accessSync, constants as fsConstants, readFileSync } from 'node:fs';
 import { findPackageJSON } from 'node:module';
 import { isIP } from 'node:net';
 import process from 'node:process';
-import { domainToASCII } from 'node:url';
 import { inspect, stripVTControlCharacters } from 'node:util';
 import {} from '@modelcontextprotocol/sdk/server/mcp.js';
 import {} from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { z } from 'zod';
+import { buildIpv4, normalizeHostname, stripTrailingDots, } from './net-utils.js';
 import { getErrorMessage, isAbortError, sha256Hex, stableStringify as stableJsonStringify, startAbortableIntervalLoop, } from './utils.js';
 export const serverVersion = readServerVersion(import.meta.url);
 const LOG_LEVELS = ['debug', 'info', 'warn', 'error'];
@@ -57,31 +57,11 @@ function loadEnvFileIfAvailable() {
 }
 loadEnvFileIfAvailable();
 const { env } = process;
-function buildIpv4(parts) {
-    return parts.join('.');
-}
-function stripTrailingDots(value) {
-    let result = value;
-    while (result.endsWith('.'))
-        result = result.slice(0, -1);
-    return result;
-}
 function formatHostForUrl(hostname) {
     if (hostname.includes(':') && !hostname.startsWith('['))
         return `[${hostname}]`;
     return hostname;
 }
-function normalizeHostname(value) {
-    const trimmed = value.trim();
-    if (!trimmed)
-        return null;
-    const lowered = trimmed.toLowerCase();
-    const ipType = isIP(lowered);
-    if (ipType)
-        return stripTrailingDots(lowered);
-    const ascii = domainToASCII(lowered);
-    return ascii ? stripTrailingDots(ascii) : null;
-}
 function normalizeHostValue(value) {
     const raw = value.trim();
     if (!raw)
@@ -458,6 +438,7 @@ export const config = {
         allowedHosts: parseAllowedHosts(env['ALLOWED_HOSTS']),
         apiKey: env['API_KEY'],
         allowRemote,
+        allowLocalFetch: parseBoolean(env['ALLOW_LOCAL_FETCH'], false),
     },
     auth: buildAuthConfig(baseUrl),
     rateLimit: {
@@ -705,9 +686,11 @@ export function getEntryMeta(cacheKey) {
     const entry = store.peek(cacheKey);
     if (!entry)
         return undefined;
-    return entry.title !== undefined
-        ? { url: entry.url, title: entry.title }
-        : { url: entry.url };
+    return {
+        url: entry.url,
+        ...(entry.title !== undefined ? { title: entry.title } : {}),
+        ...(entry.fetchedAt ? { fetchedAt: entry.fetchedAt } : {}),
+    };
 }
 export function isEnabled() {
     return store.isEnabled();

package/dist/lib/http.d.ts

@@ -1,4 +1,5 @@
 import { type ServerResponse } from 'node:http';
+import { Agent } from 'undici';
 import { type TransformResult } from './url.js';
 export declare function generateSafeFilename(url: string, title?: string, hashFallback?: string, extension?: string): string;
 export declare function handleDownload(res: ServerResponse, namespace: string, hash: string): void;
@@ -27,6 +28,7 @@ export declare function recordFetchError(context: FetchTelemetryContext, error:
 export declare function fetchWithRedirects(url: string, init: RequestInit, maxRedirects: number): Promise<{
     response: Response;
     url: string;
+    agent?: Agent;
 }>;
 export declare function readResponseText(response: Response, url: string, maxBytes: number, signal?: AbortSignal, encoding?: string): Promise<{
     text: string;

package/dist/lib/http.js

@@ -15,7 +15,7 @@ import { Agent } from 'undici';
 import { z } from 'zod';
 import { get as cacheGet, config, getOperationId, getRequestId, logDebug, logError, logWarn, parseCachedPayload, redactUrl, resolveCachedPayloadContent, } from './core.js';
 import { BLOCKED_HOST_SUFFIXES, createDnsPreflight, IpBlocker, RawUrlTransformer, SafeDnsResolver, UrlNormalizer, VALIDATION_ERROR_CODE, } from './url.js';
-import { createErrorWithCode, FetchError, isError, isObject, isSystemError, toError, } from './utils.js';
+import { createErrorWithCode, FetchError, isAbortError, isError, isObject, isSystemError, toError, } from './utils.js';
 const FILENAME_RULES = {
     MAX_LEN: 200,
     UNSAFE_CHARS: /[<>:"/\\|?*\p{C}]/gu,
@@ -315,10 +315,6 @@ function createFetchError(input, url) {
             return new FetchError(input.message ?? 'Unexpected error', url);
     }
 }
-function isAbortError(error) {
-    return (isError(error) &&
-        (error.name === 'AbortError' || error.name === 'TimeoutError'));
-}
 function isTimeoutError(error) {
     return isError(error) && error.name === 'TimeoutError';
 }
@@ -334,7 +330,7 @@ function mapFetchError(error, fallbackUrl, timeoutMs) {
     if (error instanceof FetchError)
         return error;
     const url = resolveErrorUrl(error, fallbackUrl);
-    if (isAbortError(error)) {
+    if (isAbortError(error) || isTimeoutError(error)) {
         return isTimeoutError(error)
             ? createFetchError({ kind: 'timeout', timeout: timeoutMs }, url)
             : createFetchError({ kind: 'canceled' }, url);
@@ -386,16 +382,26 @@ class RedirectFollower {
     async fetchWithRedirects(url, init, maxRedirects) {
         let currentUrl = url;
         const redirectLimit = Math.max(0, maxRedirects);
+        const visited = new Set();
         for (let redirectCount = 0; redirectCount <= redirectLimit; redirectCount += 1) {
-            const { response, nextUrl } = await this.withRedirectErrorContext(currentUrl, async () => {
+            if (visited.has(currentUrl)) {
+                throw createFetchError({ kind: 'too-many-redirects' }, currentUrl);
+            }
+            visited.add(currentUrl);
+            const { response, nextUrl, agent: returnedAgent, } = await this.withRedirectErrorContext(currentUrl, async () => {
                 let ipAddress;
                 if (this.preflight) {
                     ipAddress = await this.preflight(currentUrl, init.signal ?? undefined);
                 }
                 return this.performFetchCycle(currentUrl, init, redirectLimit, redirectCount, ipAddress);
             });
-            if (!nextUrl)
-                return { response, url: currentUrl };
+            if (!nextUrl) {
+                return {
+                    response,
+                    url: currentUrl,
+                    ...(returnedAgent ? { agent: returnedAgent } : {}),
+                };
+            }
             currentUrl = nextUrl;
         }
         throw createFetchError({ kind: 'too-many-redirects' }, currentUrl);
@@ -405,9 +411,10 @@ class RedirectFollower {
             ...init,
             redirect: 'manual',
         };
+        let agent;
         if (ipAddress) {
             const ca = tls.rootCertificates.length > 0 ? tls.rootCertificates : undefined;
-            const agent = new Agent({
+            agent = new Agent({
                 connect: {
                     lookup: (hostname, options, callback) => {
                         const family = isIP(ipAddress) === 6 ? 6 : 4;
@@ -428,25 +435,36 @@ class RedirectFollower {
             });
             fetchInit.dispatcher = agent;
         }
-        const response = await this.fetchFn(currentUrl, fetchInit);
-        if (!isRedirectStatus(response.status))
-            return { response };
-        if (redirectCount >= redirectLimit) {
+        let closeAgent = true;
+        try {
+            const response = await this.fetchFn(currentUrl, fetchInit);
+            // Only follow redirects if the status code indicates a redirect and there's a Location header.
+            if (!isRedirectStatus(response.status)) {
+                closeAgent = false;
+                return { response, ...(agent ? { agent } : {}) };
+            }
+            if (redirectCount >= redirectLimit) {
+                cancelResponseBody(response);
+                throw createFetchError({ kind: 'too-many-redirects' }, currentUrl);
+            }
+            const location = this.getRedirectLocation(response, currentUrl);
             cancelResponseBody(response);
-            throw createFetchError({ kind: 'too-many-redirects' }, currentUrl);
+            const nextUrl = this.resolveRedirectTarget(currentUrl, location);
+            const parsedNextUrl = new URL(nextUrl);
+            if (parsedNextUrl.protocol !== 'http:' &&
+                parsedNextUrl.protocol !== 'https:') {
+                throw createErrorWithCode(`Unsupported redirect protocol: ${parsedNextUrl.protocol}`, 'EUNSUPPORTEDPROTOCOL');
+            }
+            return {
+                response,
+                nextUrl,
+            };
         }
-        const location = this.getRedirectLocation(response, currentUrl);
-        cancelResponseBody(response);
-        const nextUrl = this.resolveRedirectTarget(currentUrl, location);
-        const parsedNextUrl = new URL(nextUrl);
-        if (parsedNextUrl.protocol !== 'http:' &&
-            parsedNextUrl.protocol !== 'https:') {
-            throw createErrorWithCode(`Unsupported redirect protocol: ${parsedNextUrl.protocol}`, 'EUNSUPPORTEDPROTOCOL');
+        finally {
+            if (closeAgent) {
+                await agent?.close();
+            }
         }
-        return {
-            response,
-            nextUrl,
-        };
     }
     getRedirectLocation(response, currentUrl) {
         const location = response.headers.get('location');
@@ -694,16 +712,8 @@ async function decodeResponseIfNeeded(response, url, signal) {
         clearAbortListener();
         abortDecodePipeline();
         void decodedReader.cancel(error).catch(() => undefined);
-        logDebug('Content-Encoding decode failed; using passthrough body', {
-            url: redactUrl(url),
-            encoding: encodingHeader ?? encodings.join(','),
-            error: isError(error) ? error.message : String(error),
-        });
-        return new Response(passthroughBranch, {
-            status: response.status,
-            statusText: response.statusText,
-            headers,
-        });
+        void passthroughBranch.cancel().catch(() => undefined);
+        throw new FetchError(`Content-Encoding decode failed for ${redactUrl(url)}: ${isError(error) ? error.message : String(error)}`, url);
     }
 }
 class ResponseTextReader {
@@ -851,17 +861,16 @@ async function readAndRecordDecodedResponse(response, finalUrl, ctx, telemetry,
         cancelResponseBody(response);
         throw responseError;
     }
-    const decodedResponse = await decodeResponseIfNeeded(response, finalUrl, signal);
-    const contentType = decodedResponse.headers.get('content-type');
+    const contentType = response.headers.get('content-type');
     assertSupportedContentType(contentType, finalUrl);
     const declaredEncoding = getCharsetFromContentType(contentType ?? null);
     if (mode === 'text') {
-        const { text, size, truncated } = await reader.read(decodedResponse, finalUrl, maxBytes, signal, declaredEncoding);
-        telemetry.recordResponse(ctx, decodedResponse, size);
+        const { text, size, truncated } = await reader.read(response, finalUrl, maxBytes, signal, declaredEncoding);
+        telemetry.recordResponse(ctx, response, size);
         return { kind: 'text', text, size, truncated };
     }
-    const { buffer, encoding, size, truncated } = await reader.readBuffer(decodedResponse, finalUrl, maxBytes, signal, declaredEncoding);
-    telemetry.recordResponse(ctx, decodedResponse, size);
+    const { buffer, encoding, size, truncated } = await reader.readBuffer(response, finalUrl, maxBytes, signal, declaredEncoding);
+    telemetry.recordResponse(ctx, response, size);
     return { kind: 'buffer', buffer, encoding, size, truncated };
 }
 function isReadableStreamLike(value) {
@@ -1053,8 +1062,10 @@ class HttpFetcher {
         const signal = buildRequestSignal(timeoutMs, options?.signal);
         const init = buildRequestInit(headers, signal);
         const ctx = this.telemetry.start(normalizedUrl, 'GET');
+        let agent;
         try {
-            const { response, url: finalUrl } = await this.redirectFollower.fetchWithRedirects(normalizedUrl, init, this.fetcherConfig.maxRedirects);
+            const { response, url: finalUrl, agent: returnedAgent, } = await this.redirectFollower.fetchWithRedirects(normalizedUrl, init, this.fetcherConfig.maxRedirects);
+            agent = returnedAgent;
             ctx.url = this.telemetry.redact(finalUrl);
             return await this.readPayload(response, finalUrl, ctx, mode, init.signal ?? undefined);
         }
@@ -1064,6 +1075,9 @@ class HttpFetcher {
             this.telemetry.recordError(ctx, mapped, mapped.statusCode);
             throw mapped;
         }
+        finally {
+            await agent?.close();
+        }
     }
     async readPayload(response, finalUrl, ctx, mode, signal) {
         try {
@@ -1087,8 +1101,9 @@ const DEFAULT_HEADERS = {
     'User-Agent': config.fetcher.userAgent,
     Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
     'Accept-Language': 'en-US,en;q=0.5',
-    'Accept-Encoding': 'gzip, deflate, br',
-    Connection: 'keep-alive',
+    // Accept-Encoding and Connection are forbidden Fetch API headers.
+    // The undici-based globalThis.fetch manages content negotiation and
+    // decompression transparently per the Fetch spec.
 };
 function buildHeaders() {
     return DEFAULT_HEADERS;

package/dist/lib/net-utils.d.ts

@@ -0,0 +1,3 @@
+export declare function buildIpv4(parts: readonly [number, number, number, number]): string;
+export declare function stripTrailingDots(value: string): string;
+export declare function normalizeHostname(value: string): string | null;

package/dist/lib/net-utils.js

@@ -0,0 +1,21 @@
+import { isIP } from 'node:net';
+import { domainToASCII } from 'node:url';
+export function buildIpv4(parts) {
+    return parts.join('.');
+}
+export function stripTrailingDots(value) {
+    let result = value;
+    while (result.endsWith('.'))
+        result = result.slice(0, -1);
+    return result;
+}
+export function normalizeHostname(value) {
+    const trimmed = value.trim();
+    if (!trimmed)
+        return null;
+    const lowered = trimmed.toLowerCase();
+    if (isIP(lowered))
+        return stripTrailingDots(lowered);
+    const ascii = domainToASCII(lowered);
+    return ascii ? stripTrailingDots(ascii) : null;
+}

package/dist/lib/task-handlers.js

@@ -136,6 +136,7 @@ function resolveOwnerScopedExtra(extra) {
     };
 }
 function getSdkCallToolHandler(server) {
+    // S-2: see tests/sdk-compat-guard.test.ts
     const maybeHandlers = Reflect.get(server.server, '_requestHandlers');
     if (!(maybeHandlers instanceof Map))
         return null;
@@ -209,6 +210,8 @@ export function registerTaskHandlers(server) {
                 ...(task.statusMessage ? { statusMessage: task.statusMessage } : {}),
             });
         }
+        // Forward-compat: input_required is a valid MCP task status but not currently
+        // produced by any tool in this server. Kept for future spec support.
         if (task.status === 'input_required') {
             throw new McpError(ErrorCode.InvalidRequest, 'Task requires additional input', { taskId: task.taskId, status: 'input_required' });
         }

package/dist/lib/types.d.ts

@@ -0,0 +1,4 @@
+export interface IconInfo {
+    src: string;
+    mimeType: string;
+}

package/dist/lib/types.js

@@ -0,0 +1 @@
+export {};

package/dist/lib/url.d.ts

@@ -1,5 +1,5 @@
 import { BlockList } from 'node:net';
-import { type config } from './core.js';
+import { config } from './core.js';
 export declare class SafeDnsResolver {
     private readonly ipBlocker;
     private readonly security;

package/dist/lib/url.js

@@ -1,7 +1,7 @@
 import dns from 'node:dns';
 import { BlockList, isIP, SocketAddress } from 'node:net';
-import { domainToASCII } from 'node:url';
-import { logDebug } from './core.js';
+import { config, logDebug } from './core.js';
+import { buildIpv4, normalizeHostname } from './net-utils.js';
 import { createErrorWithCode, isError, isSystemError } from './utils.js';
 const DNS_LOOKUP_TIMEOUT_MS = 5000;
 const CNAME_LOOKUP_MAX_DEPTH = 5;
@@ -76,7 +76,7 @@ export class SafeDnsResolver {
             if (isCloudMetadataHost(normalizedHostname)) {
                 throw createErrorWithCode(`Blocked IP range: ${normalizedHostname}. Cloud metadata endpoints are not allowed`, 'EBLOCKED');
             }
-            if (process.env['ALLOW_LOCAL_FETCH'] !== 'true' &&
+            if (!isLocalFetchAllowed() &&
                 this.ipBlocker.isBlockedIp(normalizedHostname)) {
                 throw createErrorWithCode(`Blocked IP range: ${normalizedHostname}. Private IPs are not allowed`, 'EBLOCKED');
             }
@@ -227,15 +227,6 @@ function normalizeBracketedIpv6(value) {
         return null;
     return normalizeHostname(ipv6);
 }
-function normalizeHostname(value) {
-    const trimmed = trimToNull(value)?.toLowerCase();
-    if (!trimmed)
-        return null;
-    if (isIP(trimmed))
-        return stripTrailingDots(trimmed);
-    const ascii = domainToASCII(trimmed);
-    return ascii ? stripTrailingDots(ascii) : null;
-}
 function parseHostWithUrl(value) {
     const candidateUrl = `http://${value}`;
     if (!URL.canParse(candidateUrl))
@@ -252,16 +243,6 @@ function trimToNull(value) {
     const trimmed = value.trim();
     return trimmed ? trimmed : null;
 }
-function stripTrailingDots(value) {
-    // Keep loop (rather than regex) to preserve exact behavior and avoid hidden allocations.
-    let result = value;
-    while (result.endsWith('.'))
-        result = result.slice(0, -1);
-    return result;
-}
-function buildIpv4(parts) {
-    return parts.join('.');
-}
 function buildIpv6(parts) {
     return parts.map(String).join(':');
 }
@@ -590,7 +571,7 @@ function isCloudMetadataHost(hostname) {
     return normalized !== null && CLOUD_METADATA_HOSTS.has(normalized.ip);
 }
 function isLocalFetchAllowed() {
-    return process.env['ALLOW_LOCAL_FETCH'] === 'true';
+    return config.security.allowLocalFetch;
 }
 export class IpBlocker {
     security;

package/dist/prompts/index.d.ts

@@ -1,7 +1,3 @@
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
-interface IconInfo {
-    src: string;
-    mimeType: string;
-}
+import type { IconInfo } from '../lib/types.js';
 export declare function registerGetHelpPrompt(server: McpServer, instructions: string, iconInfo?: IconInfo): void;
-export {};

package/dist/resources/index.d.ts

@@ -1,8 +1,4 @@
 import { type McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
-interface IconInfo {
-    src: string;
-    mimeType: string;
-}
+import type { IconInfo } from '../lib/types.js';
 export declare function registerInstructionResource(server: McpServer, instructions: string, iconInfo?: IconInfo): void;
 export declare function registerCacheResourceTemplate(server: McpServer, iconInfo?: IconInfo): void;
-export {};

package/dist/resources/index.js

@@ -177,6 +177,7 @@ function listCacheResources() {
             annotations: {
                 audience: ['assistant'],
                 priority: 0.6,
+                ...(meta.fetchedAt ? { lastModified: meta.fetchedAt } : {}),
             },
         };
     })

package/dist/resources/instructions.js

@@ -9,12 +9,12 @@ export function buildServerInstructions() {
 
 <capabilities>
 - Tools: \`${FETCH_URL_TOOL_NAME}\` (READ-ONLY).
-- Resources: \`internal://cache/{namespace}/{hash}\` (ephemeral cached Markdown).
+- Resources: \`internal://instructions\` (server usage guidance).
 - Prompts: \`get-help\` (returns these instructions).
 </capabilities>
 
 <workflows>
-1. Standard: Call \`${FETCH_URL_TOOL_NAME}\` -> Read \`markdown\`. If \`truncated: true\`, use \`cacheResourceUri\` with \`resources/read\` for full content.
+1. Standard: Call \`${FETCH_URL_TOOL_NAME}\` -> Read \`markdown\`. If \`truncated: true\`, retry with \`forceRefresh: true\`.
 2. Fresh: Set \`forceRefresh: true\` to bypass cache.
 3. Full-Fidelity: Set \`skipNoiseRemoval: true\` to preserve nav/footers.
 4. Async: Add \`task: { ttl: <ms> }\` to \`tools/call\` -> Poll \`tasks/get\` -> Call \`tasks/result\`.
@@ -24,7 +24,7 @@ export function buildServerInstructions() {
 - Blocked: localhost, private IPs (10.x, 172.16-31.x, 192.168.x), metadata endpoints (169.254.169.254), .local/.internal.
 - Limits: Max HTML ${maxHtmlSizeMb}MB. Max ${config.fetcher.maxRedirects} redirects.
 - Cache: ${config.cache.maxKeys} entries, ${cacheSizeMb}MB, ${cacheTtlHours}h TTL.
-- Cache scope: process-local and ephemeral. Cache URIs are invalid across server restarts or separate CLI invocations (-32002).
+- Cache scope: process-local and ephemeral.
 - No JS: Client-side rendered pages may be incomplete.
 - Binary: Not supported.
 - Batch JSON-RPC: Array requests (\`[{...}]\`) are rejected with HTTP 400.

package/dist/schemas/outputs.d.ts

@@ -4,7 +4,6 @@ export declare const fetchUrlOutputSchema: z.ZodObject<{
     inputUrl: z.ZodOptional<z.ZodString>;
     resolvedUrl: z.ZodOptional<z.ZodString>;
     finalUrl: z.ZodOptional<z.ZodString>;
-    cacheResourceUri: z.ZodOptional<z.ZodString>;
     title: z.ZodOptional<z.ZodString>;
     metadata: z.ZodOptional<z.ZodObject<{
         title: z.ZodOptional<z.ZodString>;

package/dist/schemas/outputs.js

@@ -21,11 +21,6 @@ export const fetchUrlOutputSchema = z.strictObject({
         .max(config.constants.maxUrlLength)
         .optional()
         .describe('Final URL after HTTP redirects.'),
-    cacheResourceUri: z
-        .string()
-        .max(config.constants.maxUrlLength)
-        .optional()
-        .describe('URI for resources/read to get full markdown.'),
     title: z.string().max(512).optional().describe('Page title.'),
     metadata: z
         .strictObject({

package/dist/server.js

@@ -8,10 +8,13 @@ import { logError, logInfo, setLogLevel, setMcpServer } from './lib/core.js';
 import { abortAllTaskExecutions, registerTaskHandlers, } from './lib/mcp-tools.js';
 import { toError } from './lib/utils.js';
 import { registerGetHelpPrompt } from './prompts/index.js';
-import { registerCacheResourceTemplate, registerInstructionResource, } from './resources/index.js';
+import { registerInstructionResource } from './resources/index.js';
 import { buildServerInstructions } from './resources/instructions.js';
 import { registerAllTools } from './tools/index.js';
 import { shutdownTransformWorkerPool } from './transform/transform.js';
+/* -------------------------------------------------------------------------------------------------
+ * Icons + server info
+ * ------------------------------------------------------------------------------------------------- */
 async function getLocalIconInfo() {
     const name = 'logo.svg';
     const mime = 'image/svg+xml';
@@ -31,13 +34,9 @@ const serverInstructions = buildServerInstructions();
 function createServerCapabilities() {
     return {
         logging: {},
-        resources: {
-            subscribe: true,
-            listChanged: true,
-        },
+        resources: { subscribe: true, listChanged: true },
         tools: {},
         prompts: {},
-        completions: {},
         tasks: {
             list: {},
             cancel: {},
@@ -85,7 +84,6 @@ async function createMcpServerWithOptions(options) {
     registerAllTools(server);
     registerGetHelpPrompt(server, serverInstructions, localIcon);
     registerInstructionResource(server, serverInstructions, localIcon);
-    registerCacheResourceTemplate(server, localIcon);
     // NOTE: Internally patches server.close and server.server.onclose for cleanup
     // callbacks, and intercepts tools/call via Reflect.get on private SDK state.
     // See src/lib/task-handlers.ts for risk documentation (S-2, S-3).

package/dist/tasks/execution.js

@@ -6,6 +6,7 @@ import { isObject } from '../lib/utils.js';
 import { taskManager, } from './manager.js';
 import { compact, tryReadToolStructuredError, } from './owner.js';
 import { getTaskCapableTool, hasTaskCapableTool, } from './tool-registry.js';
+const TASK_NOT_FOUND_ERROR_CODE = RESOURCE_NOT_FOUND_ERROR_CODE;
 /* -------------------------------------------------------------------------------------------------
  * Abort-controller management for in-flight task executions
  * ------------------------------------------------------------------------------------------------- */
@@ -113,7 +114,7 @@ function buildTaskStatusNotificationParams(task) {
  * Validation helpers
  * ------------------------------------------------------------------------------------------------- */
 export function throwTaskNotFound() {
-    throw new McpError(RESOURCE_NOT_FOUND_ERROR_CODE, 'Task not found');
+    throw new McpError(TASK_NOT_FOUND_ERROR_CODE, 'Task not found');
 }
 function resolveTaskCapableTool(name) {
     const descriptor = getTaskCapableTool(name);

package/dist/tasks/manager.js

@@ -69,6 +69,8 @@ class TaskManager {
     applyTaskUpdate(task, updates) {
         Object.assign(task, updates);
         task.lastUpdatedAt = new Date().toISOString();
+        // Slide TTL window on every activity so long-running tasks don't expire mid-flight.
+        task._createdAtMs = Date.now();
     }
     cancelActiveTask(task, statusMessage) {
         this.applyTaskUpdate(task, {

package/dist/tools/fetch-url.js

@@ -1,12 +1,10 @@
 import { randomUUID } from 'node:crypto';
 import { ErrorCode, McpError } from '@modelcontextprotocol/sdk/types.js';
 import { z } from 'zod';
-import * as cache from '../lib/core.js';
 import { config } from '../lib/core.js';
 import { getRequestId, logDebug, logError, logWarn, runWithRequestContext, } from '../lib/core.js';
-import { generateSafeFilename } from '../lib/http.js';
 import { handleToolError } from '../lib/mcp-tools.js';
-import { appendTruncationMarker, markdownTransform, parseCachedMarkdownResult, performSharedFetch, readNestedRecord, readString, serializeMarkdownResult, TRUNCATION_MARKER, withSignal, } from '../lib/mcp-tools.js';
+import { appendTruncationMarker, markdownTransform, parseCachedMarkdownResult, performSharedFetch, readNestedRecord, serializeMarkdownResult, TRUNCATION_MARKER, withSignal, } from '../lib/mcp-tools.js';
 import { createProgressReporter, } from '../lib/mcp-tools.js';
 import { isAbortError, isObject, toError } from '../lib/utils.js';
 import { fetchUrlInputSchema } from '../schemas/inputs.js';
@@ -19,7 +17,7 @@ const FETCH_URL_TOOL_DESCRIPTION = `
 <constraints>
 - READ-ONLY. No JavaScript execution.
 - GitHub/GitLab/Bitbucket URLs auto-transform to raw endpoints (check resolvedUrl).
-- If truncated=true, use cacheResourceUri with resources/read for full content.
+- If truncated=true, full content is available in the next fetch with forceRefresh.
 - For large pages/timeouts, use task mode (task: {}).
 - If error queue_full, retry with task mode.
 </constraints>
@@ -38,47 +36,6 @@ function buildTextBlock(structuredContent) {
         text: JSON.stringify(structuredContent),
     };
 }
-function buildEmbeddedResource(content, url, title) {
-    if (!content)
-        return null;
-    const filename = generateSafeFilename(url, title, undefined, '.md');
-    const uri = `internal://inline/${encodeURIComponent(filename)}`;
-    const resource = {
-        uri,
-        mimeType: 'text/markdown',
-        text: content,
-    };
-    return {
-        type: 'resource',
-        resource,
-    };
-}
-function buildCacheResourceLink(cacheResourceUri, contentSize, fetchedAt) {
-    return {
-        type: 'resource_link',
-        uri: cacheResourceUri,
-        name: 'cached-markdown',
-        title: 'Cached Fetch Output',
-        description: 'Read full markdown via resources/read.',
-        mimeType: 'text/markdown',
-        ...(contentSize > 0 ? { size: contentSize } : {}),
-        annotations: {
-            audience: ['assistant'],
-            priority: 0.8,
-            lastModified: fetchedAt,
-        },
-    };
-}
-function buildToolContentBlocks(structuredContent, resourceLink, embeddedResource) {
-    const blocks = [buildTextBlock(structuredContent)];
-    appendIfPresent(blocks, resourceLink);
-    appendIfPresent(blocks, embeddedResource);
-    return blocks;
-}
-function appendIfPresent(items, value) {
-    if (value !== null && value !== undefined)
-        items.push(value);
-}
 /* -------------------------------------------------------------------------------------------------
  * Tool abort signal
  * ------------------------------------------------------------------------------------------------- */
@@ -116,15 +73,15 @@ function truncateMetadata(metadata) {
     return result;
 }
 function buildStructuredContent(pipeline, inlineResult, inputUrl) {
-    const cacheResourceUri = resolveCacheResourceUri(pipeline.cacheKey);
     const truncated = inlineResult.truncated ?? pipeline.data.truncated;
-    const markdown = applyTruncationMarker(inlineResult.content, pipeline.data.truncated);
+    const rawMarkdown = applyTruncationMarker(inlineResult.content, pipeline.data.truncated);
+    const maxChars = config.constants.maxInlineContentChars;
+    const markdown = maxChars > 0 ? truncateStr(rawMarkdown, maxChars) : rawMarkdown;
     const { metadata } = pipeline.data;
     return {
         url: pipeline.originalUrl ?? pipeline.url,
         resolvedUrl: pipeline.url,
         ...(pipeline.finalUrl ? { finalUrl: pipeline.finalUrl } : {}),
-        ...(cacheResourceUri ? { cacheResourceUri } : {}),
         inputUrl,
         title: truncateStr(pipeline.data.title, 512),
         ...(metadata ? { metadata: truncateMetadata(metadata) } : {}),
@@ -140,34 +97,12 @@ function applyTruncationMarker(content, truncated) {
         return content;
     return appendTruncationMarker(content, TRUNCATION_MARKER);
 }
-function resolveCacheResourceUri(cacheKey) {
-    if (!cacheKey)
-        return undefined;
-    if (!cache.isEnabled())
-        return undefined;
-    if (!cache.get(cacheKey))
-        return undefined;
-    const parsed = cache.parseCacheKey(cacheKey);
-    if (!parsed)
-        return undefined;
-    return `internal://cache/${encodeURIComponent(parsed.namespace)}/${encodeURIComponent(parsed.urlHash)}`;
-}
-function buildFetchUrlContentBlocks(structuredContent, pipeline, inlineResult) {
-    const cacheResourceUri = readString(structuredContent, 'cacheResourceUri');
-    const contentToEmbed = config.runtime.httpMode
-        ? inlineResult.content
-        : pipeline.data.content;
-    const resourceLink = cacheResourceUri
-        ? buildCacheResourceLink(cacheResourceUri, inlineResult.contentSize, pipeline.fetchedAt)
-        : null;
-    const embedded = contentToEmbed && pipeline.url
-        ? buildEmbeddedResource(contentToEmbed, pipeline.url, pipeline.data.title)
-        : null;
-    return buildToolContentBlocks(structuredContent, resourceLink, embedded);
+function buildFetchUrlContentBlocks(structuredContent) {
+    return [buildTextBlock(structuredContent)];
 }
 function buildResponse(pipeline, inlineResult, inputUrl) {
     const structuredContent = buildStructuredContent(pipeline, inlineResult, inputUrl);
-    const content = buildFetchUrlContentBlocks(structuredContent, pipeline, inlineResult);
+    const content = buildFetchUrlContentBlocks(structuredContent);
     const validation = fetchUrlOutputSchema.safeParse(structuredContent);
     if (!validation.success) {
         logWarn('Tool output schema validation failed', {

package/dist/transform/transform.js

@@ -9,7 +9,7 @@ import { config } from '../lib/core.js';
 import { getOperationId, getRequestId, logDebug, logError, logInfo, logWarn, redactUrl, } from '../lib/core.js';
 import { isRawTextContentUrl } from '../lib/http.js';
 import { createAbortError, throwIfAborted } from '../lib/utils.js';
-import { FetchError, getErrorMessage } from '../lib/utils.js';
+import { FetchError, getErrorMessage, toError } from '../lib/utils.js';
 import { isObject } from '../lib/utils.js';
 import { translateHtmlFragmentToMarkdown } from './html-translators.js';
 import { extractMetadata, extractMetadataFromHead, mergeMetadata, } from './metadata.js';
@@ -178,13 +178,22 @@ function trimUtf8Buffer(buffer, maxBytes) {
     return buffer.subarray(0, end);
 }
 function trimDanglingTagFragment(content) {
-    const lastOpen = content.lastIndexOf('<');
-    const lastClose = content.lastIndexOf('>');
+    let result = content;
+    // Trim dangling HTML entity (e.g. "&amp" cut before ";")
+    const lastAmp = result.lastIndexOf('&');
+    if (lastAmp !== -1 && lastAmp > result.length - 10) {
+        const tail = result.slice(lastAmp + 1);
+        if (!tail.includes(';') && /^[#a-zA-Z][a-zA-Z0-9]*$/.test(tail)) {
+            result = result.substring(0, lastAmp);
+        }
+    }
+    const lastOpen = result.lastIndexOf('<');
+    const lastClose = result.lastIndexOf('>');
     if (lastOpen > lastClose) {
-        if (lastOpen === content.length - 1) {
-            return content.substring(0, lastOpen);
+        if (lastOpen === result.length - 1) {
+            return result.substring(0, lastOpen);
         }
-        const code = content.codePointAt(lastOpen + 1);
+        const code = result.codePointAt(lastOpen + 1);
         if (code !== undefined &&
             (code === 47 || // '/'
                 code === 33 || // '!'
@@ -192,10 +201,10 @@ function trimDanglingTagFragment(content) {
                 (code >= 65 && code <= 90) || // A-Z
                 (code >= 97 && code <= 122)) // a-z
         ) {
-            return content.substring(0, lastOpen);
+            return result.substring(0, lastOpen);
         }
     }
-    return content;
+    return result;
 }
 function truncateHtml(html, inputTruncated = false) {
     const maxSize = config.constants.maxHtmlSize;
@@ -1047,6 +1056,8 @@ function resolveWorkerFallback(error, htmlOrBuffer, url, options) {
     abortPolicy.throwIfAborted(options.signal, url, 'transform:worker-fallback');
     if (error instanceof FetchError)
         throw error;
+    if (!(error instanceof Error))
+        throw toError(error);
     const message = getErrorMessage(error);
     logWarn('Transform worker failed; falling back to in-process', {
         url: redactUrl(url),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@j0hanz/fetch-url-mcp",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "mcpName": "io.github.j0hanz/fetch-url-mcp",
   "description": "Intelligent web content fetcher MCP server that converts HTML to clean, AI-readable Markdown",
   "type": "module",
@@ -81,7 +81,7 @@
     "eslint": "^10.0.2",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-de-morgan": "^2.1.1",
-    "eslint-plugin-depend": "^1.4.0",
+    "eslint-plugin-depend": "^1.5.0",
     "eslint-plugin-unused-imports": "^4.4.1",
     "knip": "^5.85.0",
     "prettier": "^3.8.1",