npm - @natchs/browser-mcp - Versions diffs - 2.6.5 → 2.7.0 - Mend

@natchs/browser-mcp 2.6.5 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +367 -367
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -1,367 +1,367 @@
-# @natchs/browser-mcp
-[![npm version](https://img.shields.io/npm/v/%40natchs%2Fbrowser-mcp?label=npm&logo=npm)](https://www.npmjs.com/package/@natchs/browser-mcp)
-[![License](https://img.shields.io/npm/l/%40natchs%2Fbrowser-mcp?color=blue&label=license)](LICENSE)
-[![Node Version](https://img.shields.io/node/v/%40natchs%2Fbrowser-mcp?logo=node.js)](package.json)
----
-# Your AI Agent's Browser Superpowers — Reverse Engineering, Network Interception & Full Browser Control
-**`@natchs/browser-mcp`** is a Model Context Protocol server that gives AI agents **complete browser control** — navigate, click, scrape, intercept network traffic, export HAR files, capture WebSocket frames, deobfuscate JavaScript, and more. All through a single MCP interface.
-Three browser modes (fresh / persistent / connect), production-grade security, 50+ tools, 9 categories. Built for reverse engineers, data extraction pipelines, and AI-powered automation.
----
-## Features
-- 🔍 **Reverse Engineering Toolkit** — JS beautify/deobfuscate, API endpoint discovery, auth flow analysis
-- 🌐 **Web Scraping** — HTML, Markdown, text, CSS selectors, tables, Schema.org JSON-LD, Open Graph
-- 📡 **Network Intelligence** — Real-time HTTP/HTTPS interception, WebSocket frame capture, HAR/JSON/CSV export
-- 🕶️ **Stealth Mode** — Fingerprint rotation, human behavior simulation
-- 🔐 **Enterprise Security** — SSRF protection, DNS rebind prevention, path traversal guards, cookie leak prevention
-- 🧩 **3 Browser Profiles** — Fresh (isolated), Persistent (your Chrome profile, auto-detected), Connect (existing browser)
-- 📦 **50+ Tools** — Navigation, interaction, extraction, network, browser control, sessions, admin, RE, stealth
-- ⚡ **Production Ready** — Rate limiting, LRU cache, structured logging, metrics, plugin system, configurable timeouts
----
-## Quick Start
-```bash
-# Install
-npm install @natchs/browser-mcp
-# Run (Chromium installs automatically ~30s on first run)
-npx @natchs/browser-mcp
-```
-### MCP Client Config
-Add to Claude Desktop, Cursor, VS Code (Cline, Roo Code), Continue.dev, or any MCP-compatible client:
-```json
-{
-  "mcpServers": {
-    "browser-mcp": {
-      "command": "npx",
-      "args": ["@natchs/browser-mcp"]
-    }
-  }
-}
-```
-### Local Build
-```bash
-git clone https://github.com/natchs/browser-mcp.git
-cd browser-mcp
-npm ci
-npm run build
-npx @natchs/browser-mcp
-```
----
-## Browser Modes
-The `BROWSER_MODE` environment variable controls which browser profile the agent uses:
-| Mode | Description | Best For |
-|------|-------------|----------|
-| `fresh` (default) | Playwright's own Chromium. Fresh profile every time — no cookies, history, or extensions carried over | Clean room analysis, leave-no-trace operations |
-| `persistent` | **Your real Chrome profile.** Auto-detected since v2.3.0. All cookies, sessions, extensions, and logged-in accounts available to the agent | When the agent needs to act "as you" — Gmail, GitHub, ChatGPT, corporate portals |
-| `connect` | Attaches to your already-running Chrome via CDP debug port | Hybrid workflows — manually drive Chrome while the agent assists |
-### Persistent (auto-detect)
-```bash
-BROWSER_MODE=persistent npx @natchs/browser-mcp
-```
-Since v2.3.0 the Chrome profile is auto-detected on Windows/macOS/Linux. No path needed. To specify a manual path:
-```bash
-BROWSER_MODE=persistent BROWSER_USER_DATA_DIR=C:\Users\...\User Data\Default npx @natchs/browser-mcp
-```
-### Connect (attach to existing Chrome)
-```bash
-# Start Chrome with debug port first:
-"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222
-# Then launch the agent:
-BROWSER_MODE=connect npx @natchs/browser-mcp
-```
-### Per-Mode Client Profiles
-```json
-{
-  "mcpServers": {
-    "browser-mcp-persistent": {
-      "command": "npx",
-      "args": ["@natchs/browser-mcp"],
-      "env": { "BROWSER_MODE": "persistent" }
-    },
-    "browser-mcp-fresh": {
-      "command": "npx",
-      "args": ["@natchs/browser-mcp"],
-      "env": { "BROWSER_MODE": "fresh" }
-    }
-  }
-}
-```
----
-## Environment Variables
-All configuration is managed through environment variables.
-### Browser
-| Variable | Default | Description | Required |
-|----------|---------|-------------|----------|
-| `BROWSER_MODE` | `fresh` | Browser mode: `fresh`, `persistent`, `connect` | No |
-| `BROWSER_HEADLESS` | `true` | Run in headless mode (`true`/`false`/`1`/`0`/`yes`/`no`) | No |
-| `BROWSER_USER_DATA_DIR` | — | Chrome user data directory (absolute path) | No |
-| `BROWSER_CHANNEL` | `""` | Browser channel (`chrome`, `msedge`, `chromium`, etc.) | No |
-| `BROWSER_DEBUG_PORT` | `9222` | CDP debug port number | No |
-| `BROWSER_AUTO_DETECT_PROFILE` | `true` | Auto-detect Chrome profile location | No |
-| `BROWSER_VIEWPORT_WIDTH` | `1280` | Viewport width (px) | No |
-| `BROWSER_VIEWPORT_HEIGHT` | `720` | Viewport height (px) | No |
-| `BROWSER_USER_AGENT` | — | Custom User-Agent string | No |
-| `BROWSER_LOCALE` | — | Browser locale (e.g. `en-US`) | No |
-| `BROWSER_TIMEOUT` | `30000` | Browser operation timeout (ms) | No |
-| `BROWSER_AUTO_INSTALL` | `true` | Auto-install Chromium (`false` to disable) | No |
-### Network & Download
-| Variable | Default | Description | Required |
-|----------|---------|-------------|----------|
-| `NETWORK_HAR_ENABLED` | `1` | Enable HAR capture (`0` to disable) | No |
-| `NETWORK_MAX_ENTRIES` | `5000` | Max network entries stored | No |
-| `NETWORK_MAX_RESPONSE_BODY_SIZE` | `262144` | Max response body size (bytes) | No |
-| `NETWORK_STORE_RESPONSE_BODIES` | `false` | Keep response bodies in memory | No |
-| `NETWORK_EXCLUDE_BODY_TYPES` | `["image","media","font","stylesheet"]` | Body types excluded from storage (JSON array) | No |
-| `NETWORK_EXPORT_DIR` | `./network-logs` | Network log export directory | No |
-| `NETWORK_CAPTURE_FAILED` | `true` | Capture failed requests too | No |
-| `NETWORK_CAPTURE_WS` | `true` | Capture WebSocket frames | No |
-| `NETWORK_WS_MAX_FRAMES` | `1000` | Max WebSocket frames stored | No |
-| `NETWORK_WS_MAX_FRAME_SIZE` | `65536` | Max WebSocket frame payload (bytes) | No |
-| `NETWORK_MAX_MEMORY_MB` | `256` | Max memory for network capture (MB) | No |
-| `NETWORK_CAPTURE_REQUEST_BODY` | `false` | Capture request bodies too | No |
-| `NETWORK_DOWNLOAD_DIR` | `./downloads` | Download directory | No |
-| `NETWORK_MAX_DOWNLOAD_SIZE` | `104857600` | Max download size (bytes, default 100MB) | No |
-| `NETWORK_DOWNLOAD_ENABLED` | `false` | Enable file downloads (`browser_download` tool) | No |
-| `NETWORK_SAVE_ENABLED` | `false` | Enable network capture save (`network_save` tool) | No |
-### Rate Limiting
-| Variable | Default | Description | Required |
-|----------|---------|-------------|----------|
-| `RATE_LIMIT_ENABLED` | `true` | Enable rate limiting | No |
-| `RATE_LIMIT_GLOBAL_RPM` | `120` | Global requests per minute | No |
-| `RATE_LIMIT_PER_TOOL_RPM` | `30` | Per-tool requests per minute | No |
-| `RATE_LIMIT_BURST_SIZE` | `10` | Max burst size | No |
-### Cache
-| Variable | Default | Description | Required |
-|----------|---------|-------------|----------|
-| `CACHE_MAX_ENTRIES` | `100` | Max cache entries | No |
-| `CACHE_TTL_SECONDS` | `300` | Cache TTL (seconds) | No |
-### Security
-| Variable | Default | Description | Required |
-|----------|---------|-------------|----------|
-| `SECURITY_API_KEY` | `""` | API key for authentication (empty = auth disabled) | No |
-| `SECURITY_ALLOWED_DIRS` | `[]` | Allowed directories for file access (JSON array) | No |
-| `SECURITY_MAX_MEMORY_MB` | `512` | Max memory usage (MB) | No |
-| `SECURITY_DEFAULT_TIMEOUT` | `30000` | Default operation timeout (ms) | No |
-| `SECURITY_MAX_TIMEOUT` | `120000` | Max timeout (ms) | No |
-| `SECURITY_MAX_SESSIONS` | `10` | Max concurrent browser sessions | No |
-### Config
-| Variable | Default | Description | Required |
-|----------|---------|-------------|----------|
-| `BROWSER_MCP_CONFIG` | — | Config file path (JSON) | No |
----
-## All Tools
-### Navigation (5)
-| Tool | Description |
-|------|-------------|
-| `browser_navigate` | Navigate to a URL |
-| `browser_go_back` | Go back in history |
-| `browser_go_forward` | Go forward in history |
-| `browser_refresh` | Refresh the current page |
-| `browser_wait_for` | Wait for a specified timeout |
-### Interaction (8)
-| Tool | Description |
-|------|-------------|
-| `browser_click` | Click an element by CSS selector |
-| `browser_fill` | Fill text into an input field |
-| `browser_select` | Select option(s) in a dropdown |
-| `browser_hover` | Hover over an element |
-| `browser_drag` | Drag and drop an element |
-| `browser_type` | Type text character by character |
-| `browser_press_key` | Press a keyboard key |
-| `browser_file_upload` | Upload files via file input |
-### Extraction (7)
-| Tool | Description |
-|------|-------------|
-| `browser_extract_html` | Extract full page HTML |
-| `browser_extract_markdown` | Extract page as approximate markdown |
-| `browser_extract_text` | Extract visible text |
-| `browser_extract_with_css` | Extract data matching a CSS selector |
-| `browser_extract_table` | Extract tables as structured JSON |
-| `browser_extract_schema_org` | Extract Schema.org JSON-LD data |
-| `browser_extract_open_graph` | Extract Open Graph meta tags |
-### Network (10)
-| Tool | Description |
-|------|-------------|
-| `browser_network_requests` | List network requests made by the page |
-| `browser_network_response` | Get full response details for a request |
-| `browser_get_console` | Get console messages from the page |
-| `browser_handle_dialog` | Accept or dismiss a browser dialog |
-| `browser_wait_for_navigation` | Wait for the page to navigate |
-| `browser_get_network_entries` | List detailed network entries with timing/sizes/headers |
-| `browser_network_export` | Export network log to HAR, JSON, or CSV |
-| `browser_websocket_frames` | List captured WebSocket frames |
-| `browser_network_clear` | Clear captured network data |
-| `browser_network_save` | Save network response or WS frames to disk |
-### Browser Control (9)
-| Tool | Description |
-|------|-------------|
-| `browser_screenshot` | Take a screenshot (page or element) |
-| `browser_page_info` | Get page title, URL, viewport info |
-| `browser_get_cookies` | Get all cookies |
-| `browser_set_cookie` | Set a cookie |
-| `browser_delete_cookie` | Delete a cookie by name |
-| `browser_evaluate` | Execute JavaScript in page context |
-| `browser_pdf` | Generate a PDF of the current page |
-| `browser_download` | Download a URL to disk |
-| `browser_scroll` | Scroll the page or an element |
-### Session (3)
-| Tool | Description |
-|------|-------------|
-| `browser_open_session` | Open a new browser session (tab) |
-| `browser_close_session` | Close a session by ID |
-| `browser_list_sessions` | List all active sessions |
-### Admin (3)
-| Tool | Description |
-|------|-------------|
-| `browser_server_status` | Server status, version, session/cache stats |
-| `browser_cache_stats` | Cache statistics (hits, misses, size) |
-| `browser_clear_cache` | Clear the entire result cache |
-### Reverse Engineering (4)
-| Tool | Description |
-|------|-------------|
-| `browser_js_beautify` | Beautify and format JavaScript code |
-| `browser_js_deobfuscate` | Deobfuscate JS (hex, unicode, base64) |
-| `browser_api_discover` | Discover API endpoints in JS source |
-| `browser_auth_analyze` | Analyze network logs for auth flows |
-### Stealth (2)
-| Tool | Description |
-|------|-------------|
-| `browser_fingerprint` | Generate randomized browser fingerprint |
-| `browser_human_behavior` | Generate human-like typing/mouse/scroll profiles |
-**Total: 51 tools across 9 categories, production-grade architecture**
----
-## Use Cases
-- **Reverse Engineering** — Deobfuscate JavaScript, uncover API endpoints, map auth flows, export HAR for offline analysis
-- **Web Scraping** — Extract HTML, Markdown, structured data (Schema.org, Open Graph, tables) from any browser-accessible page
-- **Network Monitoring** — Intercept HTTP/HTTPS traffic in real time, inspect WebSocket frames, save binary bodies to disk
-- **Form Automation** — Login flows, multi-step forms, file uploads, dropdown selections — all driven by AI
-- **Session Management** — Isolated concurrent browser sessions with automatic TTL cleanup
-- **Data Export** — Network captures in HAR/JSON/CSV, body saves, WebSocket frame logs (.jsonl)
----
-## Security
-- `redirect: 'manual'` on all URL fetches — SSRF redirect bypass protection
-- `validateUrlAsync` with DNS lookup — DNS rebind attack prevention
-- `DANGEROUS_EXTENSIONS` blocklist (`.exe`, `.bat`, `.sh` etc.) → safe `.bin` fallback
-- Pseudo-FS path blocking (`/proc/`, `/sys/`, `/etc/` etc.) — path traversal prevention
-- Cookie header filter — cross-origin credential leakage prevention in HTTP re-fetch
-- `NETWORK_DOWNLOAD_ENABLED` and `NETWORK_SAVE_ENABLED` default to **false** — must be explicitly enabled
-- Input sanitization — null byte, path traversal, fileName injection guards
-- Rate limiting — token bucket algorithm, global + per-tool, configurable RPM
-- LRU cache with TTL — bounded memory usage
----
-## Development
-```bash
-# Test
-npm test
-npm run test:coverage
-# Type check (tsc --noEmit)
-npm run lint
-# Build
-npm run build
-```
----
-## Roadmap
-- **New tools**: PDF extraction, screenshot annotation, form detection, cookie manager, session snapshot/restore
-- **Cloudflare bypass**: Playwright Stealth integration, rotatable proxy support
-- **Batch scraping**: Multi-page scraping pipeline, queue system
-- **Performance**: Ring buffer optimization, streaming responses, lazy evaluation
-- **Developer Experience**: Interactive CLI, playground UI, type-safe client SDK
----
-## 🇹🇷 Türkçe
-**`@natchs/browser-mcp`** — reverse engineering, web scraping, network interception ve HAR export için tasarlanmış, AI ajanların tarayıcıyı tam kontrol etmesini sağlayan bir Model Context Protocol sunucusu.
-```bash
-npm install @natchs/browser-mcp
-npx @natchs/browser-mcp
-```
-Üç browser modu: `fresh` (izole), `persistent` (gerçek Chrome profilin, otomatik tespit), `connect` (mevcut Chrome'a bağlan). 50+ araç, 9 kategori, kurumsal güvenlik.
-Detaylı bilgi için yukarıdaki İngilizce dokümantasyonu inceleyin.
----
-## License
-MIT
+# @natchs/browser-mcp
+[![npm version](https://img.shields.io/npm/v/%40natchs%2Fbrowser-mcp?label=npm&logo=npm)](https://www.npmjs.com/package/@natchs/browser-mcp)
+[![License](https://img.shields.io/npm/l/%40natchs%2Fbrowser-mcp?color=blue&label=license)](LICENSE)
+[![Node Version](https://img.shields.io/node/v/%40natchs%2Fbrowser-mcp?logo=node.js)](package.json)
+---
+# Your AI Agent's Browser Superpowers — Reverse Engineering, Network Interception & Full Browser Control
+**`@natchs/browser-mcp`** is a Model Context Protocol server that gives AI agents **complete browser control** — navigate, click, scrape, intercept network traffic, export HAR files, capture WebSocket frames, deobfuscate JavaScript, and more. All through a single MCP interface.
+Three browser modes (fresh / persistent / connect), production-grade security, 50+ tools, 9 categories. Built for reverse engineers, data extraction pipelines, and AI-powered automation.
+---
+## Features
+- 🔍 **Reverse Engineering Toolkit** — JS beautify/deobfuscate, API endpoint discovery, auth flow analysis
+- 🌐 **Web Scraping** — HTML, Markdown, text, CSS selectors, tables, Schema.org JSON-LD, Open Graph
+- 📡 **Network Intelligence** — Real-time HTTP/HTTPS interception, WebSocket frame capture, HAR/JSON/CSV export
+- 🕶️ **Stealth Mode** — Fingerprint rotation, human behavior simulation
+- 🔐 **Enterprise Security** — SSRF protection, DNS rebind prevention, path traversal guards, cookie leak prevention
+- 🧩 **3 Browser Profiles** — Fresh (isolated), Persistent (your Chrome profile, auto-detected), Connect (existing browser)
+- 📦 **50+ Tools** — Navigation, interaction, extraction, network, browser control, sessions, admin, RE, stealth
+- ⚡ **Production Ready** — Rate limiting, LRU cache, structured logging, metrics, plugin system, configurable timeouts
+---
+## Quick Start
+```bash
+# Install
+npm install @natchs/browser-mcp
+# Run (Chromium installs automatically ~30s on first run)
+npx @natchs/browser-mcp
+```
+### MCP Client Config
+Add to Claude Desktop, Cursor, VS Code (Cline, Roo Code), Continue.dev, or any MCP-compatible client:
+```json
+{
+  "mcpServers": {
+    "browser-mcp": {
+      "command": "npx",
+      "args": ["@natchs/browser-mcp"]
+    }
+  }
+}
+```
+### Local Build
+```bash
+git clone https://github.com/natchs/browser-mcp.git
+cd browser-mcp
+npm ci
+npm run build
+npx @natchs/browser-mcp
+```
+---
+## Browser Modes
+The `BROWSER_MODE` environment variable controls which browser profile the agent uses:
+| Mode | Description | Best For |
+|------|-------------|----------|
+| `fresh` (default) | Playwright's own Chromium. Fresh profile every time — no cookies, history, or extensions carried over | Clean room analysis, leave-no-trace operations |
+| `persistent` | **Your real Chrome profile.** Auto-detected since v2.3.0. All cookies, sessions, extensions, and logged-in accounts available to the agent | When the agent needs to act "as you" — Gmail, GitHub, ChatGPT, corporate portals |
+| `connect` | Attaches to your already-running Chrome via CDP debug port | Hybrid workflows — manually drive Chrome while the agent assists |
+### Persistent (auto-detect)
+```bash
+BROWSER_MODE=persistent npx @natchs/browser-mcp
+```
+Since v2.3.0 the Chrome profile is auto-detected on Windows/macOS/Linux. No path needed. To specify a manual path:
+```bash
+BROWSER_MODE=persistent BROWSER_USER_DATA_DIR=C:\Users\...\User Data\Default npx @natchs/browser-mcp
+```
+### Connect (attach to existing Chrome)
+```bash
+# Start Chrome with debug port first:
+"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222
+# Then launch the agent:
+BROWSER_MODE=connect npx @natchs/browser-mcp
+```
+### Per-Mode Client Profiles
+```json
+{
+  "mcpServers": {
+    "browser-mcp-persistent": {
+      "command": "npx",
+      "args": ["@natchs/browser-mcp"],
+      "env": { "BROWSER_MODE": "persistent" }
+    },
+    "browser-mcp-fresh": {
+      "command": "npx",
+      "args": ["@natchs/browser-mcp"],
+      "env": { "BROWSER_MODE": "fresh" }
+    }
+  }
+}
+```
+---
+## Environment Variables
+All configuration is managed through environment variables.
+### Browser
+| Variable | Default | Description | Required |
+|----------|---------|-------------|----------|
+| `BROWSER_MODE` | `fresh` | Browser mode: `fresh`, `persistent`, `connect` | No |
+| `BROWSER_HEADLESS` | `true` | Run in headless mode (`true`/`false`/`1`/`0`/`yes`/`no`) | No |
+| `BROWSER_USER_DATA_DIR` | — | Chrome user data directory (absolute path) | No |
+| `BROWSER_CHANNEL` | `""` | Browser channel (`chrome`, `msedge`, `chromium`, etc.) | No |
+| `BROWSER_DEBUG_PORT` | `9222` | CDP debug port number | No |
+| `BROWSER_AUTO_DETECT_PROFILE` | `true` | Auto-detect Chrome profile location | No |
+| `BROWSER_VIEWPORT_WIDTH` | `1280` | Viewport width (px) | No |
+| `BROWSER_VIEWPORT_HEIGHT` | `720` | Viewport height (px) | No |
+| `BROWSER_USER_AGENT` | — | Custom User-Agent string | No |
+| `BROWSER_LOCALE` | — | Browser locale (e.g. `en-US`) | No |
+| `BROWSER_TIMEOUT` | `30000` | Browser operation timeout (ms) | No |
+| `BROWSER_AUTO_INSTALL` | `true` | Auto-install Chromium (`false` to disable) | No |
+### Network & Download
+| Variable | Default | Description | Required |
+|----------|---------|-------------|----------|
+| `NETWORK_HAR_ENABLED` | `1` | Enable HAR capture (`0` to disable) | No |
+| `NETWORK_MAX_ENTRIES` | `5000` | Max network entries stored | No |
+| `NETWORK_MAX_RESPONSE_BODY_SIZE` | `262144` | Max response body size (bytes) | No |
+| `NETWORK_STORE_RESPONSE_BODIES` | `false` | Keep response bodies in memory | No |
+| `NETWORK_EXCLUDE_BODY_TYPES` | `["image","media","font","stylesheet"]` | Body types excluded from storage (JSON array) | No |
+| `NETWORK_EXPORT_DIR` | `./network-logs` | Network log export directory | No |
+| `NETWORK_CAPTURE_FAILED` | `true` | Capture failed requests too | No |
+| `NETWORK_CAPTURE_WS` | `true` | Capture WebSocket frames | No |
+| `NETWORK_WS_MAX_FRAMES` | `1000` | Max WebSocket frames stored | No |
+| `NETWORK_WS_MAX_FRAME_SIZE` | `65536` | Max WebSocket frame payload (bytes) | No |
+| `NETWORK_MAX_MEMORY_MB` | `256` | Max memory for network capture (MB) | No |
+| `NETWORK_CAPTURE_REQUEST_BODY` | `false` | Capture request bodies too | No |
+| `NETWORK_DOWNLOAD_DIR` | `./downloads` | Download directory | No |
+| `NETWORK_MAX_DOWNLOAD_SIZE` | `104857600` | Max download size (bytes, default 100MB) | No |
+| `NETWORK_DOWNLOAD_ENABLED` | `false` | Enable file downloads (`browser_download` tool) | No |
+| `NETWORK_SAVE_ENABLED` | `false` | Enable network capture save (`network_save` tool) | No |
+### Rate Limiting
+| Variable | Default | Description | Required |
+|----------|---------|-------------|----------|
+| `RATE_LIMIT_ENABLED` | `true` | Enable rate limiting | No |
+| `RATE_LIMIT_GLOBAL_RPM` | `120` | Global requests per minute | No |
+| `RATE_LIMIT_PER_TOOL_RPM` | `30` | Per-tool requests per minute | No |
+| `RATE_LIMIT_BURST_SIZE` | `10` | Max burst size | No |
+### Cache
+| Variable | Default | Description | Required |
+|----------|---------|-------------|----------|
+| `CACHE_MAX_ENTRIES` | `100` | Max cache entries | No |
+| `CACHE_TTL_SECONDS` | `300` | Cache TTL (seconds) | No |
+### Security
+| Variable | Default | Description | Required |
+|----------|---------|-------------|----------|
+| `SECURITY_API_KEY` | `""` | API key for authentication (empty = auth disabled) | No |
+| `SECURITY_ALLOWED_DIRS` | `[]` | Allowed directories for file access (JSON array) | No |
+| `SECURITY_MAX_MEMORY_MB` | `512` | Max memory usage (MB) | No |
+| `SECURITY_DEFAULT_TIMEOUT` | `30000` | Default operation timeout (ms) | No |
+| `SECURITY_MAX_TIMEOUT` | `120000` | Max timeout (ms) | No |
+| `SECURITY_MAX_SESSIONS` | `10` | Max concurrent browser sessions | No |
+### Config
+| Variable | Default | Description | Required |
+|----------|---------|-------------|----------|
+| `BROWSER_MCP_CONFIG` | — | Config file path (JSON) | No |
+---
+## All Tools
+### Navigation (5)
+| Tool | Description |
+|------|-------------|
+| `browser_navigate` | Navigate to a URL |
+| `browser_go_back` | Go back in history |
+| `browser_go_forward` | Go forward in history |
+| `browser_refresh` | Refresh the current page |
+| `browser_wait_for` | Wait for a specified timeout |
+### Interaction (8)
+| Tool | Description |
+|------|-------------|
+| `browser_click` | Click an element by CSS selector |
+| `browser_fill` | Fill text into an input field |
+| `browser_select` | Select option(s) in a dropdown |
+| `browser_hover` | Hover over an element |
+| `browser_drag` | Drag and drop an element |
+| `browser_type` | Type text character by character |
+| `browser_press_key` | Press a keyboard key |
+| `browser_file_upload` | Upload files via file input |
+### Extraction (7)
+| Tool | Description |
+|------|-------------|
+| `browser_extract_html` | Extract full page HTML |
+| `browser_extract_markdown` | Extract page as approximate markdown |
+| `browser_extract_text` | Extract visible text |
+| `browser_extract_with_css` | Extract data matching a CSS selector |
+| `browser_extract_table` | Extract tables as structured JSON |
+| `browser_extract_schema_org` | Extract Schema.org JSON-LD data |
+| `browser_extract_open_graph` | Extract Open Graph meta tags |
+### Network (10)
+| Tool | Description |
+|------|-------------|
+| `browser_network_requests` | List network requests made by the page |
+| `browser_network_response` | Get full response details for a request |
+| `browser_get_console` | Get console messages from the page |
+| `browser_handle_dialog` | Accept or dismiss a browser dialog |
+| `browser_wait_for_navigation` | Wait for the page to navigate |
+| `browser_get_network_entries` | List detailed network entries with timing/sizes/headers |
+| `browser_network_export` | Export network log to HAR, JSON, or CSV |
+| `browser_websocket_frames` | List captured WebSocket frames |
+| `browser_network_clear` | Clear captured network data |
+| `browser_network_save` | Save network response or WS frames to disk |
+### Browser Control (9)
+| Tool | Description |
+|------|-------------|
+| `browser_screenshot` | Take a screenshot (page or element) |
+| `browser_page_info` | Get page title, URL, viewport info |
+| `browser_get_cookies` | Get all cookies |
+| `browser_set_cookie` | Set a cookie |
+| `browser_delete_cookie` | Delete a cookie by name |
+| `browser_evaluate` | Execute JavaScript in page context |
+| `browser_pdf` | Generate a PDF of the current page |
+| `browser_download` | Download a URL to disk |
+| `browser_scroll` | Scroll the page or an element |
+### Session (3)
+| Tool | Description |
+|------|-------------|
+| `browser_open_session` | Open a new browser session (tab) |
+| `browser_close_session` | Close a session by ID |
+| `browser_list_sessions` | List all active sessions |
+### Admin (3)
+| Tool | Description |
+|------|-------------|
+| `browser_server_status` | Server status, version, session/cache stats |
+| `browser_cache_stats` | Cache statistics (hits, misses, size) |
+| `browser_clear_cache` | Clear the entire result cache |
+### Reverse Engineering (4)
+| Tool | Description |
+|------|-------------|
+| `browser_js_beautify` | Beautify and format JavaScript code |
+| `browser_js_deobfuscate` | Deobfuscate JS (hex, unicode, base64) |
+| `browser_api_discover` | Discover API endpoints in JS source |
+| `browser_auth_analyze` | Analyze network logs for auth flows |
+### Stealth (2)
+| Tool | Description |
+|------|-------------|
+| `browser_fingerprint` | Generate randomized browser fingerprint |
+| `browser_human_behavior` | Generate human-like typing/mouse/scroll profiles |
+**Total: 51 tools across 9 categories, production-grade architecture**
+---
+## Use Cases
+- **Reverse Engineering** — Deobfuscate JavaScript, uncover API endpoints, map auth flows, export HAR for offline analysis
+- **Web Scraping** — Extract HTML, Markdown, structured data (Schema.org, Open Graph, tables) from any browser-accessible page
+- **Network Monitoring** — Intercept HTTP/HTTPS traffic in real time, inspect WebSocket frames, save binary bodies to disk
+- **Form Automation** — Login flows, multi-step forms, file uploads, dropdown selections — all driven by AI
+- **Session Management** — Isolated concurrent browser sessions with automatic TTL cleanup
+- **Data Export** — Network captures in HAR/JSON/CSV, body saves, WebSocket frame logs (.jsonl)
+---
+## Security
+- `redirect: 'manual'` on all URL fetches — SSRF redirect bypass protection
+- `validateUrlAsync` with DNS lookup — DNS rebind attack prevention
+- `DANGEROUS_EXTENSIONS` blocklist (`.exe`, `.bat`, `.sh` etc.) → safe `.bin` fallback
+- Pseudo-FS path blocking (`/proc/`, `/sys/`, `/etc/` etc.) — path traversal prevention
+- Cookie header filter — cross-origin credential leakage prevention in HTTP re-fetch
+- `NETWORK_DOWNLOAD_ENABLED` and `NETWORK_SAVE_ENABLED` default to **false** — must be explicitly enabled
+- Input sanitization — null byte, path traversal, fileName injection guards
+- Rate limiting — token bucket algorithm, global + per-tool, configurable RPM
+- LRU cache with TTL — bounded memory usage
+---
+## Development
+```bash
+# Test
+npm test
+npm run test:coverage
+# Type check (tsc --noEmit)
+npm run lint
+# Build
+npm run build
+```
+---
+## Roadmap
+- **New tools**: PDF extraction, screenshot annotation, form detection, cookie manager, session snapshot/restore
+- **Cloudflare bypass**: Playwright Stealth integration, rotatable proxy support
+- **Batch scraping**: Multi-page scraping pipeline, queue system
+- **Performance**: Ring buffer optimization, streaming responses, lazy evaluation
+- **Developer Experience**: Interactive CLI, playground UI, type-safe client SDK
+---
+## 🇹🇷 Türkçe
+**`@natchs/browser-mcp`** — reverse engineering, web scraping, network interception ve HAR export için tasarlanmış, AI ajanların tarayıcıyı tam kontrol etmesini sağlayan bir Model Context Protocol sunucusu.
+```bash
+npm install @natchs/browser-mcp
+npx @natchs/browser-mcp
+```
+Üç browser modu: `fresh` (izole), `persistent` (gerçek Chrome profilin, otomatik tespit), `connect` (mevcut Chrome'a bağlan). 50+ araç, 9 kategori, kurumsal güvenlik.
+Detaylı bilgi için yukarıdaki İngilizce dokümantasyonu inceleyin.
+---
+## License
+MIT

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@natchs/browser-mcp",
-  "version": "2.6.5",
+  "version": "2.7.0",
   "description": "MCP server for browser automation — reverse engineering, web scraping, network interception, HAR export, WebSocket capture, SSRF-safe download tool. Three browser modes: fresh (isolated), persistent (your Chrome profile with auto-detect), connect (existing browser). AI agent controlled via Model Context Protocol.",
   "type": "module",
   "main": "dist/index.js",