@j0hanz/superfetch 2.5.3 → 2.6.0

package/dist/config.d.ts

@@ -1,8 +1,17 @@
 export declare const serverVersion: string;
 export type LogLevel = 'debug' | 'info' | 'warn' | 'error';
-export type TransformMetadataFormat = 'markdown' | 'frontmatter';
+/** Hardcoded to 'markdown'. Type retained for consumer compatibility. */
+export type TransformMetadataFormat = 'markdown';
+export type TransformWorkerMode = 'threads' | 'process';
+type AuthMode = 'oauth' | 'static';
+interface WorkerResourceLimits {
+    maxOldGenerationSizeMb?: number;
+    maxYoungGenerationSizeMb?: number;
+    codeRangeSizeMb?: number;
+    stackSizeMb?: number;
+}
 interface AuthConfig {
-    mode: 'oauth' | 'static';
+    mode: AuthMode;
     issuerUrl: URL | undefined;
     authorizationUrl: URL | undefined;
     tokenUrl: URL | undefined;
@@ -29,9 +38,11 @@ export declare const config: {
         sessionInitTimeoutMs: number;
         maxSessions: number;
         http: {
-            headersTimeoutMs: number | undefined;
-            requestTimeoutMs: number | undefined;
-            keepAliveTimeoutMs: number | undefined;
+            headersTimeoutMs: undefined;
+            requestTimeoutMs: undefined;
+            keepAliveTimeoutMs: undefined;
+            maxConnections: number;
+            blockPrivateConnections: boolean;
             shutdownCloseIdleConnections: boolean;
             shutdownCloseAllConnections: boolean;
         };
@@ -45,8 +56,10 @@ export declare const config: {
     transform: {
         timeoutMs: number;
         stageWarnRatio: number;
-        metadataFormat: TransformMetadataFormat;
+        metadataFormat: string;
         maxWorkerScale: number;
+        workerMode: TransformWorkerMode;
+        workerResourceLimits: WorkerResourceLimits | undefined;
     };
     tools: {
         enabled: string[];
@@ -64,6 +77,27 @@ export declare const config: {
     noiseRemoval: {
         extraTokens: string[];
         extraSelectors: string[];
+        enabledCategories: string[];
+        debug: boolean;
+        aggressiveMode: boolean;
+        preserveSvgCanvas: boolean;
+        weights: {
+            hidden: number;
+            structural: number;
+            promo: number;
+            stickyFixed: number;
+            threshold: number;
+        };
+    };
+    markdownCleanup: {
+        promoteOrphanHeadings: boolean;
+        removeSkipLinks: boolean;
+        removeTocBlocks: boolean;
+        removeTypeDocComments: boolean;
+        headingKeywords: string[];
+    };
+    i18n: {
+        locale: string | undefined;
     };
     logging: {
         level: LogLevel;
@@ -75,7 +109,7 @@ export declare const config: {
     };
     security: {
         blockedHosts: Set<string>;
-        blockedIpPatterns: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+        blockedIpPatterns: readonly RegExp[];
         blockedIpPattern: RegExp;
         blockedIpv4MappedPattern: RegExp;
         allowedHosts: Set<string>;

package/dist/config.js

@@ -1,62 +1,140 @@
-import packageJson from '../package.json' with { type: 'json' };
+import { readFileSync } from 'node:fs';
+import { findPackageJSON } from 'node:module';
+import { isIP } from 'node:net';
+import process from 'node:process';
+import { domainToASCII } from 'node:url';
+const packageJsonPath = findPackageJSON(import.meta.url);
+if (!packageJsonPath) {
+    throw new Error('package.json not found');
+}
+const packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf-8'));
+if (typeof packageJson.version !== 'string') {
+    throw new Error('package.json version is missing');
+}
 export const serverVersion = packageJson.version;
+const LOG_LEVELS = ['debug', 'info', 'warn', 'error'];
+const DEFAULT_HEADING_KEYWORDS = [
+    'overview',
+    'introduction',
+    'summary',
+    'conclusion',
+    'prerequisites',
+    'requirements',
+    'installation',
+    'configuration',
+    'usage',
+    'features',
+    'limitations',
+    'troubleshooting',
+    'faq',
+    'resources',
+    'references',
+    'changelog',
+    'license',
+    'acknowledgments',
+    'appendix',
+];
+function isMissingEnvFileError(error) {
+    if (!error || typeof error !== 'object')
+        return false;
+    const { code } = error;
+    return code === 'ENOENT' || code === 'ERR_ENV_FILE_NOT_FOUND';
+}
+function loadEnvFileIfAvailable() {
+    if (typeof process.loadEnvFile !== 'function')
+        return;
+    try {
+        process.loadEnvFile();
+    }
+    catch (error) {
+        if (isMissingEnvFileError(error))
+            return;
+        throw error;
+    }
+}
+loadEnvFileIfAvailable();
+const { env } = process;
+class ConfigError extends Error {
+    name = 'ConfigError';
+}
 function buildIpv4(parts) {
     return parts.join('.');
 }
 function formatHostForUrl(hostname) {
-    if (hostname.includes(':') && !hostname.startsWith('[')) {
+    if (hostname.includes(':') && !hostname.startsWith('['))
         return `[${hostname}]`;
-    }
     return hostname;
 }
-function normalizeHostValue(value) {
-    const trimmed = value.trim().toLowerCase();
+function stripTrailingDots(value) {
+    let result = value;
+    while (result.endsWith('.'))
+        result = result.slice(0, -1);
+    return result;
+}
+function normalizeHostname(value) {
+    const trimmed = value.trim();
     if (!trimmed)
         return null;
-    if (trimmed.startsWith('[')) {
-        const end = trimmed.indexOf(']');
-        if (end === -1)
+    const lowered = trimmed.toLowerCase();
+    const ipType = isIP(lowered);
+    if (ipType)
+        return stripTrailingDots(lowered);
+    const ascii = domainToASCII(lowered);
+    return ascii ? stripTrailingDots(ascii) : null;
+}
+function normalizeHostValue(value) {
+    const raw = value.trim();
+    if (!raw)
+        return null;
+    if (raw.includes('://')) {
+        if (!URL.canParse(raw))
             return null;
-        return trimmed.slice(1, end);
+        return normalizeHostname(new URL(raw).hostname);
     }
-    const colonIndex = trimmed.indexOf(':');
-    if (colonIndex !== -1) {
-        return trimmed.slice(0, colonIndex);
+    const candidateUrl = `http://${raw}`;
+    if (URL.canParse(candidateUrl)) {
+        return normalizeHostname(new URL(candidateUrl).hostname);
     }
-    return trimmed;
-}
-const ALLOWED_LOG_LEVELS = new Set([
-    'debug',
-    'info',
-    'warn',
-    'error',
-]);
-function isLogLevel(value) {
-    return ALLOWED_LOG_LEVELS.has(value);
-}
-function isOutsideRange(value, min, max) {
-    return ((min !== undefined && value < min) || (max !== undefined && value > max));
+    const lowered = raw.toLowerCase();
+    if (lowered.startsWith('[')) {
+        const end = lowered.indexOf(']');
+        if (end === -1)
+            return null;
+        return normalizeHostname(lowered.slice(1, end));
+    }
+    if (isIP(lowered) === 6)
+        return stripTrailingDots(lowered);
+    const firstColon = lowered.indexOf(':');
+    if (firstColon === -1)
+        return normalizeHostname(lowered);
+    if (lowered.includes(':', firstColon + 1))
+        return null;
+    const host = lowered.slice(0, firstColon);
+    return host ? normalizeHostname(host) : null;
 }
 function parseIntegerValue(envValue, min, max) {
     if (!envValue)
         return null;
-    const parsed = parseInt(envValue, 10);
+    const parsed = Number.parseInt(envValue, 10);
     if (Number.isNaN(parsed))
         return null;
-    if (isOutsideRange(parsed, min, max))
+    if (min !== undefined && parsed < min)
+        return null;
+    if (max !== undefined && parsed > max)
         return null;
     return parsed;
 }
+function parseOptionalInteger(envValue, min, max) {
+    const parsed = parseIntegerValue(envValue, min, max);
+    return parsed ?? undefined;
+}
 function parseInteger(envValue, defaultValue, min, max) {
     return parseIntegerValue(envValue, min, max) ?? defaultValue;
 }
-function parseOptionalInteger(envValue, min, max) {
-    return parseIntegerValue(envValue, min, max) ?? undefined;
-}
 function parseBoolean(envValue, defaultValue) {
     if (!envValue)
         return defaultValue;
-    return envValue !== 'false';
+    return envValue.trim().toLowerCase() !== 'false';
 }
 function parseList(envValue) {
     if (!envValue)
@@ -66,74 +144,115 @@ function parseList(envValue) {
         .map((entry) => entry.trim())
         .filter((entry) => entry.length > 0);
 }
+function parseListOrDefault(envValue, defaultValue) {
+    const parsed = parseList(envValue);
+    return parsed.length > 0 ? parsed : [...defaultValue];
+}
+function normalizeLocale(value) {
+    if (!value)
+        return undefined;
+    const trimmed = value.trim();
+    if (!trimmed)
+        return undefined;
+    const lowered = trimmed.toLowerCase();
+    if (lowered === 'system' || lowered === 'default')
+        return undefined;
+    return trimmed;
+}
 function parseUrlEnv(value, name) {
     if (!value)
         return undefined;
     if (!URL.canParse(value)) {
-        throw new Error(`Invalid ${name} value: ${value}`);
+        throw new ConfigError(`Invalid ${name} value: ${value}`);
     }
     return new URL(value);
 }
 function readUrlEnv(name) {
-    return parseUrlEnv(process.env[name], name);
+    return parseUrlEnv(env[name], name);
 }
 function parseAllowedHosts(envValue) {
     const hosts = new Set();
     for (const entry of parseList(envValue)) {
         const normalized = normalizeHostValue(entry);
-        if (normalized) {
+        if (normalized)
             hosts.add(normalized);
-        }
     }
     return hosts;
 }
+const ALLOWED_LOG_LEVELS = new Set(LOG_LEVELS);
+function isLogLevel(value) {
+    return ALLOWED_LOG_LEVELS.has(value);
+}
 function parseLogLevel(envValue) {
-    const level = envValue?.toLowerCase();
-    if (!level)
+    if (!envValue)
         return 'info';
+    const level = envValue.toLowerCase();
     return isLogLevel(level) ? level : 'info';
 }
-function parseTransformMetadataFormat(envValue) {
-    const normalized = envValue?.trim().toLowerCase();
-    if (normalized === 'frontmatter')
-        return 'frontmatter';
-    return 'markdown';
+function parseTransformWorkerMode(envValue) {
+    if (!envValue)
+        return 'threads';
+    const normalized = envValue.trim().toLowerCase();
+    if (normalized === 'process' || normalized === 'fork')
+        return 'process';
+    return 'threads';
 }
-const SIZE_LIMITS = {
-    TEN_MB: 10 * 1024 * 1024,
-};
-const TIMEOUT = {
-    DEFAULT_FETCH_TIMEOUT_MS: parseInteger(process.env.FETCH_TIMEOUT_MS, 15000, 1000, 60000),
-    DEFAULT_SESSION_TTL_MS: 30 * 60 * 1000,
-    DEFAULT_TRANSFORM_TIMEOUT_MS: parseInteger(process.env.TRANSFORM_TIMEOUT_MS, 30000, 5000, 120000),
-};
-const DEFAULT_TOOL_TIMEOUT_MS = TIMEOUT.DEFAULT_FETCH_TIMEOUT_MS +
-    TIMEOUT.DEFAULT_TRANSFORM_TIMEOUT_MS +
-    5000;
-function readCoreOAuthUrls() {
-    return {
-        issuerUrl: readUrlEnv('OAUTH_ISSUER_URL'),
-        authorizationUrl: readUrlEnv('OAUTH_AUTHORIZATION_URL'),
-        tokenUrl: readUrlEnv('OAUTH_TOKEN_URL'),
-    };
+function parsePort(envValue) {
+    if (envValue?.trim() === '0')
+        return 0;
+    return parseInteger(envValue, 3000, 1024, 65535);
 }
-function readOptionalOAuthUrls(baseUrl) {
-    return {
-        revocationUrl: readUrlEnv('OAUTH_REVOCATION_URL'),
-        registrationUrl: readUrlEnv('OAUTH_REGISTRATION_URL'),
-        introspectionUrl: readUrlEnv('OAUTH_INTROSPECTION_URL'),
-        resourceUrl: parseUrlEnv(process.env.OAUTH_RESOURCE_URL, 'OAUTH_RESOURCE_URL') ??
-            new URL('/mcp', baseUrl),
-    };
+const MAX_HTML_BYTES = 10 * 1024 * 1024; // 10 MB
+const MAX_INLINE_CONTENT_CHARS = 0;
+const DEFAULT_SESSION_TTL_MS = 30 * 60 * 1000;
+const DEFAULT_SESSION_INIT_TIMEOUT_MS = 10000;
+const DEFAULT_MAX_SESSIONS = 200;
+const DEFAULT_USER_AGENT = `superFetch-MCP/${serverVersion}`;
+const DEFAULT_TOOL_TIMEOUT_PADDING_MS = 5000;
+const DEFAULT_TRANSFORM_TIMEOUT_MS = 30000;
+const DEFAULT_FETCH_TIMEOUT_MS = parseInteger(env.FETCH_TIMEOUT_MS, 15000, 1000, 60000);
+const DEFAULT_TOOL_TIMEOUT_MS = DEFAULT_FETCH_TIMEOUT_MS +
+    DEFAULT_TRANSFORM_TIMEOUT_MS +
+    DEFAULT_TOOL_TIMEOUT_PADDING_MS;
+function resolveWorkerResourceLimits() {
+    const limits = {};
+    const maxOldGenerationSizeMb = parseOptionalInteger(env.TRANSFORM_WORKER_MAX_OLD_GENERATION_MB, 1);
+    const maxYoungGenerationSizeMb = parseOptionalInteger(env.TRANSFORM_WORKER_MAX_YOUNG_GENERATION_MB, 1);
+    const codeRangeSizeMb = parseOptionalInteger(env.TRANSFORM_WORKER_CODE_RANGE_MB, 1);
+    const stackSizeMb = parseOptionalInteger(env.TRANSFORM_WORKER_STACK_MB, 1);
+    if (maxOldGenerationSizeMb !== undefined) {
+        limits.maxOldGenerationSizeMb = maxOldGenerationSizeMb;
+    }
+    if (maxYoungGenerationSizeMb !== undefined) {
+        limits.maxYoungGenerationSizeMb = maxYoungGenerationSizeMb;
+    }
+    if (codeRangeSizeMb !== undefined) {
+        limits.codeRangeSizeMb = codeRangeSizeMb;
+    }
+    if (stackSizeMb !== undefined) {
+        limits.stackSizeMb = stackSizeMb;
+    }
+    return Object.keys(limits).length > 0 ? limits : undefined;
 }
 function readOAuthUrls(baseUrl) {
-    return { ...readCoreOAuthUrls(), ...readOptionalOAuthUrls(baseUrl) };
+    const issuerUrl = readUrlEnv('OAUTH_ISSUER_URL');
+    const authorizationUrl = readUrlEnv('OAUTH_AUTHORIZATION_URL');
+    const tokenUrl = readUrlEnv('OAUTH_TOKEN_URL');
+    const revocationUrl = readUrlEnv('OAUTH_REVOCATION_URL');
+    const registrationUrl = readUrlEnv('OAUTH_REGISTRATION_URL');
+    const introspectionUrl = readUrlEnv('OAUTH_INTROSPECTION_URL');
+    const resourceUrl = new URL('/mcp', baseUrl);
+    return {
+        issuerUrl,
+        authorizationUrl,
+        tokenUrl,
+        revocationUrl,
+        registrationUrl,
+        introspectionUrl,
+        resourceUrl,
+    };
 }
-function resolveAuthMode(authModeEnv, urls) {
-    if (authModeEnv === 'oauth')
-        return 'oauth';
-    if (authModeEnv === 'static')
-        return 'static';
+function resolveAuthMode(urls) {
     const oauthConfigured = [
         urls.issuerUrl,
         urls.authorizationUrl,
@@ -143,22 +262,21 @@ function resolveAuthMode(authModeEnv, urls) {
     return oauthConfigured ? 'oauth' : 'static';
 }
 function collectStaticTokens() {
-    const staticTokens = new Set(parseList(process.env.ACCESS_TOKENS));
-    if (process.env.API_KEY) {
-        staticTokens.add(process.env.API_KEY);
-    }
+    const staticTokens = new Set(parseList(env.ACCESS_TOKENS));
+    if (env.API_KEY)
+        staticTokens.add(env.API_KEY);
     return [...staticTokens];
 }
 function buildAuthConfig(baseUrl) {
     const urls = readOAuthUrls(baseUrl);
-    const mode = resolveAuthMode(process.env.AUTH_MODE?.toLowerCase(), urls);
+    const mode = resolveAuthMode(urls);
     return {
         mode,
         ...urls,
-        requiredScopes: parseList(process.env.OAUTH_REQUIRED_SCOPES),
-        clientId: process.env.OAUTH_CLIENT_ID,
-        clientSecret: process.env.OAUTH_CLIENT_SECRET,
-        introspectionTimeoutMs: parseInteger(process.env.OAUTH_INTROSPECTION_TIMEOUT_MS, 5000, 1000, 30000),
+        requiredScopes: parseList(env.OAUTH_REQUIRED_SCOPES),
+        clientId: env.OAUTH_CLIENT_ID,
+        clientSecret: env.OAUTH_CLIENT_SECRET,
+        introspectionTimeoutMs: 5000,
         staticTokens: collectStaticTokens(),
     };
 }
@@ -166,51 +284,85 @@ const LOOPBACK_V4 = buildIpv4([127, 0, 0, 1]);
 const ANY_V4 = buildIpv4([0, 0, 0, 0]);
 const METADATA_V4_AWS = buildIpv4([169, 254, 169, 254]);
 const METADATA_V4_AZURE = buildIpv4([100, 100, 100, 200]);
-const host = process.env.HOST ?? LOOPBACK_V4;
-const port = process.env.PORT?.trim() === '0'
-    ? 0
-    : parseInteger(process.env.PORT, 3000, 1024, 65535);
+const BLOCKED_HOSTS = new Set([
+    'localhost',
+    LOOPBACK_V4,
+    ANY_V4,
+    '::1',
+    METADATA_V4_AWS,
+    'metadata.google.internal',
+    'metadata.azure.com',
+    METADATA_V4_AZURE,
+    'instance-data',
+]);
+const BLOCKED_IP_PATTERNS = [
+    /^10\./,
+    /^172\.(1[6-9]|2\d|3[01])\./,
+    /^192\.168\./,
+    /^127\./,
+    /^0\./,
+    /^169\.254\./,
+    /^100\.64\./,
+    /^fc00:/i,
+    /^fd00:/i,
+    /^fe80:/i,
+    /^::ffff:127\./,
+    /^::ffff:10\./,
+    /^::ffff:172\.(1[6-9]|2\d|3[01])\./,
+    /^::ffff:192\.168\./,
+    /^::ffff:169\.254\./,
+];
+const BLOCKED_IP_PATTERN = /^(?:10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.|127\.|0\.|169\.254\.|100\.64\.|fc00:|fd00:|fe80:)/i;
+const BLOCKED_IPV4_MAPPED_PATTERN = /^::ffff:(?:127\.|10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.|169\.254\.)/i;
+const host = (env.HOST ?? LOOPBACK_V4).trim();
+const port = parsePort(env.PORT);
+const maxConnections = parseInteger(env.SERVER_MAX_CONNECTIONS, 0, 0);
+const blockPrivateConnections = parseBoolean(env.SERVER_BLOCK_PRIVATE_CONNECTIONS, false);
 const baseUrl = new URL(`http://${formatHostForUrl(host)}:${port}`);
-const allowRemote = parseBoolean(process.env.ALLOW_REMOTE, false);
+const allowRemote = parseBoolean(env.ALLOW_REMOTE, false);
 const runtimeState = {
     httpMode: false,
 };
 export const config = {
     server: {
         name: 'superFetch',
-        version: packageJson.version,
+        version: serverVersion,
         port,
         host,
-        sessionTtlMs: TIMEOUT.DEFAULT_SESSION_TTL_MS,
-        sessionInitTimeoutMs: 10000,
-        maxSessions: 200,
+        sessionTtlMs: DEFAULT_SESSION_TTL_MS,
+        sessionInitTimeoutMs: DEFAULT_SESSION_INIT_TIMEOUT_MS,
+        maxSessions: DEFAULT_MAX_SESSIONS,
         http: {
-            headersTimeoutMs: parseOptionalInteger(process.env.SERVER_HEADERS_TIMEOUT_MS, 1000, 600000),
-            requestTimeoutMs: parseOptionalInteger(process.env.SERVER_REQUEST_TIMEOUT_MS, 1000, 600000),
-            keepAliveTimeoutMs: parseOptionalInteger(process.env.SERVER_KEEP_ALIVE_TIMEOUT_MS, 1000, 600000),
-            shutdownCloseIdleConnections: parseBoolean(process.env.SERVER_SHUTDOWN_CLOSE_IDLE, false),
-            shutdownCloseAllConnections: parseBoolean(process.env.SERVER_SHUTDOWN_CLOSE_ALL, false),
+            headersTimeoutMs: undefined,
+            requestTimeoutMs: undefined,
+            keepAliveTimeoutMs: undefined,
+            maxConnections,
+            blockPrivateConnections,
+            shutdownCloseIdleConnections: true,
+            shutdownCloseAllConnections: false,
         },
     },
     fetcher: {
-        timeout: TIMEOUT.DEFAULT_FETCH_TIMEOUT_MS,
+        timeout: DEFAULT_FETCH_TIMEOUT_MS,
         maxRedirects: 5,
-        userAgent: process.env.USER_AGENT ?? 'superFetch-MCP/2.0',
-        maxContentLength: SIZE_LIMITS.TEN_MB,
+        userAgent: env.USER_AGENT ?? DEFAULT_USER_AGENT,
+        maxContentLength: MAX_HTML_BYTES,
     },
     transform: {
-        timeoutMs: TIMEOUT.DEFAULT_TRANSFORM_TIMEOUT_MS,
-        stageWarnRatio: parseFloat(process.env.TRANSFORM_STAGE_WARN_RATIO ?? '0.5'),
-        metadataFormat: parseTransformMetadataFormat(process.env.TRANSFORM_METADATA_FORMAT),
-        maxWorkerScale: parseInteger(process.env.TRANSFORM_WORKER_MAX_SCALE, 4, 1, 16),
+        timeoutMs: DEFAULT_TRANSFORM_TIMEOUT_MS,
+        stageWarnRatio: 0.5,
+        metadataFormat: 'markdown',
+        maxWorkerScale: 4,
+        workerMode: parseTransformWorkerMode(env.TRANSFORM_WORKER_MODE),
+        workerResourceLimits: resolveWorkerResourceLimits(),
     },
     tools: {
-        enabled: parseList(process.env.ENABLED_TOOLS ?? 'fetch-url'),
-        timeoutMs: parseInteger(process.env.TOOL_TIMEOUT_MS, DEFAULT_TOOL_TIMEOUT_MS, 1000, 300000),
+        enabled: ['fetch-url'],
+        timeoutMs: DEFAULT_TOOL_TIMEOUT_MS,
     },
     cache: {
-        enabled: parseBoolean(process.env.CACHE_ENABLED, true),
-        ttl: parseInteger(process.env.CACHE_TTL, 3600, 60, 86400),
+        enabled: parseBoolean(env.CACHE_ENABLED, true),
+        ttl: 86400,
         maxKeys: 100,
     },
     extraction: {
@@ -218,59 +370,57 @@ export const config = {
         minParagraphLength: 10,
     },
     noiseRemoval: {
-        extraTokens: parseList(process.env.SUPERFETCH_EXTRA_NOISE_TOKENS),
-        extraSelectors: parseList(process.env.SUPERFETCH_EXTRA_NOISE_SELECTORS),
+        extraTokens: parseList(env.SUPERFETCH_EXTRA_NOISE_TOKENS),
+        extraSelectors: parseList(env.SUPERFETCH_EXTRA_NOISE_SELECTORS),
+        enabledCategories: [
+            'cookie-banners',
+            'newsletters',
+            'social-share',
+            'nav-footer',
+        ],
+        debug: false,
+        aggressiveMode: false,
+        preserveSvgCanvas: false,
+        weights: {
+            hidden: 50,
+            structural: 50,
+            promo: 35,
+            stickyFixed: 30,
+            threshold: 50,
+        },
+    },
+    markdownCleanup: {
+        promoteOrphanHeadings: true,
+        removeSkipLinks: true,
+        removeTocBlocks: true,
+        removeTypeDocComments: true,
+        headingKeywords: parseListOrDefault(env.MARKDOWN_HEADING_KEYWORDS, DEFAULT_HEADING_KEYWORDS),
+    },
+    i18n: {
+        locale: normalizeLocale(env.SUPERFETCH_LOCALE),
     },
     logging: {
-        level: parseLogLevel(process.env.LOG_LEVEL),
+        level: parseLogLevel(env.LOG_LEVEL),
     },
     constants: {
-        maxHtmlSize: SIZE_LIMITS.TEN_MB,
+        maxHtmlSize: MAX_HTML_BYTES,
         maxUrlLength: 2048,
-        maxInlineContentChars: 20000,
+        maxInlineContentChars: MAX_INLINE_CONTENT_CHARS,
     },
     security: {
-        blockedHosts: new Set([
-            'localhost',
-            LOOPBACK_V4,
-            ANY_V4,
-            '::1',
-            METADATA_V4_AWS,
-            'metadata.google.internal',
-            'metadata.azure.com',
-            METADATA_V4_AZURE,
-            'instance-data',
-        ]),
-        blockedIpPatterns: [
-            /^10\./,
-            /^172\.(1[6-9]|2\d|3[01])\./,
-            /^192\.168\./,
-            /^127\./,
-            /^0\./,
-            /^169\.254\./,
-            /^100\.64\./,
-            /^fc00:/i,
-            /^fd00:/i,
-            /^fe80:/i,
-            /^::ffff:127\./,
-            /^::ffff:10\./,
-            /^::ffff:172\.(1[6-9]|2\d|3[01])\./,
-            /^::ffff:192\.168\./,
-            /^::ffff:169\.254\./,
-        ],
-        // Combined regex patterns for fast IP blocking (used in fetch.ts)
-        // Split into two patterns to reduce complexity while maintaining performance
-        blockedIpPattern: /^(?:10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.|127\.|0\.|169\.254\.|100\.64\.|fc00:|fd00:|fe80:)/i,
-        blockedIpv4MappedPattern: /^::ffff:(?:127\.|10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.|169\.254\.)/i,
-        allowedHosts: parseAllowedHosts(process.env.ALLOWED_HOSTS),
-        apiKey: process.env.API_KEY,
+        blockedHosts: BLOCKED_HOSTS,
+        blockedIpPatterns: BLOCKED_IP_PATTERNS,
+        blockedIpPattern: BLOCKED_IP_PATTERN,
+        blockedIpv4MappedPattern: BLOCKED_IPV4_MAPPED_PATTERN,
+        allowedHosts: parseAllowedHosts(env.ALLOWED_HOSTS),
+        apiKey: env.API_KEY,
         allowRemote,
     },
     auth: buildAuthConfig(baseUrl),
     rateLimit: {
         enabled: true,
-        maxRequests: parseInteger(process.env.RATE_LIMIT_MAX, 100, 1, 10000),
-        windowMs: parseInteger(process.env.RATE_LIMIT_WINDOW_MS, 60000, 1000, 3600000),
+        maxRequests: 100,
+        windowMs: 60000,
         cleanupIntervalMs: 60000,
     },
     runtime: runtimeState,