@studiomeyer/mcp-video 1.0.0 → 1.0.1

package/.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: studiomeyer-io
+custom: ["https://studiomeyer.io"]

package/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,9 @@
+## What does this PR do?
+
+## How to test
+
+## Checklist
+
+- [ ] Tests pass
+- [ ] Build succeeds
+- [ ] No breaking changes

package/.github/dependabot.yml

@@ -0,0 +1,46 @@
+version: 2
+# Conservative policy (S992):
+# - Weekly Monday 06:00 CET, max 5 open PRs
+# - Patches + minors auto-grouped into one PR
+# - Major bumps IGNORED for routine updates (require manual review)
+# - Security advisories still auto-applied (security fixes bypass `ignore`)
+# - GitHub Actions monthly, all bumps grouped (Action versions usually safe)
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "Europe/Berlin"
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: "deps"
+      prefix-development: "deps-dev"
+      include: "scope"
+    labels:
+      - "dependencies"
+    groups:
+      patch-and-minor:
+        update-types:
+          - "patch"
+          - "minor"
+    ignore:
+      - dependency-name: "*"
+        update-types:
+          - "version-update:semver-major"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 3
+    commit-message:
+      prefix: "ci"
+      include: "scope"
+    labels:
+      - "ci"
+    groups:
+      actions:
+        patterns:
+          - "*"

package/.github/workflows/ci.yml

@@ -14,10 +14,10 @@ jobs:
         node-version: [18, 20, 22]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
 

package/CHANGELOG.md

@@ -5,6 +5,163 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+
+### Fixed — Cross-platform ffmpeg detection (issue #11, 2026-05-07)
+
+- **Windows startup failure**: `checkDependencies()` previously called
+  `execFileSync('which', [bin])` to verify ffmpeg/ffprobe presence. `which`
+  is a Unix-only command, so the check failed on Windows even when ffmpeg
+  was on PATH and runnable. Reported by [@Firelods](https://github.com/Firelods)
+  in [#11](https://github.com/studiomeyer-io/mcp-video/issues/11).
+- **`FFMPEG_PATH` / `FFPROBE_PATH` env overrides now actually work at
+  runtime**, not only in error-message text. The previous implementation
+  spawned `execFile('ffmpeg', ...)` directly inside `ffmpeg-run.ts`, so
+  setting the env var was ignored at every spawn site. The original
+  reporter confirmed this on the issue thread.
+
+**New module:** `src/lib/ffmpeg-bin.ts` exposes `resolveFfmpegBin()` (env
+override → bare-name fallback) and `assertFfmpegBinAvailable()` (probe via
+`<bin> -version`, no shell, `windowsHide: true`). Both `server.ts`
+startup-check and `ffmpeg-run.ts` runtime spawn now go through the same
+helper, so the override stays consistent.
+
+15 new regression tests + the original test suite (104/104 green); typecheck
+clean. Thanks to [@Firelods](https://github.com/Firelods) for the detailed
+environment + reproduction.
+
+### Security — Round-4 OSS-Sweep (2026-04-24)
+
+- **`server.ts` dependency check**: replaced `execSync(\`which ${bin}\`)`
+  shell-interpolation with `execFileSync('which', [bin], ...)`. The input
+  was already a hardcoded literal array, so no real exposure today — this
+  is defense-in-depth so a future refactor that makes the list
+  config-driven can't turn into a command-injection sink. 89/89 tests
+  still green, tsc clean.
+
+### Security — hardening sweep (Session 840, 2026-04-21)
+
+Four of the five Session 837 Must-Fix items plus the three Session 839
+follow-up findings (DNS-rebinding, ffmpeg hop-2 SSRF, redirect following)
+are now addressed in one coherent patch. 42 new tests; 89/89 green.
+
+**Post-review follow-through (Session 840 Agent Critic):**
+
+A full triple-agent review (Analyst + Critic + Research) caught one
+remaining bypass: every engine still had a LOCAL `runFfmpeg` function that
+delegated to the safe runner, but five engines (`audio.ts`,
+`audio-mixer.ts`, `beat-sync.ts`, `editing.ts`, `voice-effects.ts`) ALSO
+called `ffprobe` directly via `execFile('ffprobe', ...)` — and `ffprobe`
+follows HLS/DASH playlists just like `ffmpeg` does. The "just probe it
+first" path was a complete SSRF bypass.
+
+- `src/lib/ffmpeg-run.ts` gains `runFfprobe(args, opts, resolver)` —
+  same discipline as `runFfmpeg`: prepend `-protocol_whitelist`, sanitize
+  stderr, label for rejection messages. Every `ffprobe` call across the
+  five engines now routes through it.
+- `narrated-video.ts` internal `runFfmpeg` helper now delegates to the
+  central safe runner (was still using its own `execFile` wrapper from
+  the first pass of the sweep).
+- All thirteen engines drop their `import { execFile } from 'child_process'`
+  now that the last consumer is gone.
+
+**`src/lib/url-guard.ts` — DNS resolution + IPv6-mapped IPv4 + final URL check**
+
+- New async `resolveAndGuardUrl(raw)` uses `dns.lookup(family:0)` and
+  rejects any hostname that resolves to a loopback / RFC1918 / link-local
+  IP. Catches the naive DNS-rebinding case where a public hostname
+  resolves to `127.0.0.1` at lookup time.
+- New `guardFinalUrl(raw)` is called AFTER `page.goto()` on the URL the
+  browser actually landed on — 302 redirects to internal metadata
+  endpoints are now blocked at the post-navigation checkpoint.
+- `BLOCKED_HOST_PATTERNS` now matches the full `fc00::/7` ULA range
+  (previously only `fc00:`, missing `fd00:`-`fdff:`).
+- IPv6-mapped IPv4 (`::ffff:127.0.0.1`, `::ffff:7f00:1`, and
+  `0:0:0:0:0:ffff:7f00:1` — all three forms the WHATWG URL parser
+  can produce) are now explicitly blocked.
+
+**`src/lib/ffmpeg-safety.ts` — protocol whitelist + flag-injection guard (NEW)**
+
+- `buildFfmpegArgs(args, set)` prepends `-protocol_whitelist` to every
+  ffmpeg invocation. Three protocol sets cover all internal use:
+  `local-only` (file+pipe+crypto+cache+fd), `https-input` (adds
+  https+tls+tcp for one-top-level-URL), `https-and-hls` (adds hls for
+  master+segment playback). `http://` is in none of them — forces TLS
+  for any network-bound ffmpeg read.
+- `validateFfmpegPath(p, label)` rejects values starting with `-`
+  (turns `-i /etc/passwd ...` smuggled as "filename" into an error) and
+  null-byte injections. `validateFfmpegPaths(args, indices)` applies
+  the check to specific user-controlled positions in an args array.
+
+**`src/lib/ffmpeg-run.ts` — central ffmpeg runner (NEW)**
+
+- Every engine (audio, audio-mixer, beat-sync, chroma-key, concat,
+  editing, encoder, lut-presets, narrated-video, social-format,
+  template-renderer, text-animations, text-overlay, voice-effects —
+  14 call sites across 13 files) now routes through `runFfmpeg()`,
+  which injects `-protocol_whitelist` + sanitizes stderr before it
+  reaches logs or thrown errors. `resolver: 'stderr'` lets beat-sync
+  still pick up its filter-info output.
+
+**`src/lib/temp-dir.ts` — safe mkdtemp helper (NEW)**
+
+- `withTempDir(prefix, fn)` wraps `fs.mkdtemp` + try/finally cleanup so
+  a crash or throw inside `fn` still removes the directory. Replaces
+  the predictable `/tmp/narrated-video-${Date.now()}` pattern in
+  `tools/engine/narrated-video.ts` that raced when two invocations
+  hit the same millisecond and leaked on SIGTERM.
+
+**`src/lib/error-sanitizer.ts` — upstream-API secret scrub (NEW)**
+
+- `sanitizeErrorMessage(raw, opts)` strips seven secret shapes before
+  ffmpeg stderr or TTS-provider error bodies land in logs or thrown
+  errors: Bearer tokens, `xi-api-key` / `x-api-key` header values,
+  OpenAI `sk-` keys, AWS `AKIA...`, generic `"api_key"` JSON fields,
+  Authorization headers (with a negative lookahead so already-redacted
+  Bearer markers survive), and signed-URL `X-Amz-Signature` params.
+  Length-capped at 300 chars by default.
+
+**`src/handlers/tts.ts` — missing SSRF guard on `create_narrated_video`**
+
+- Session 837 wrapped three video handlers in `guardUrl` but skipped
+  `create_narrated_video`. That handler now guards `args.url` the same
+  way as the other three — Playwright + ffmpeg no longer see
+  unvalidated URLs.
+
+**`src/tools/engine/capture.ts` + `smart-screenshot.ts` — post-redirect guard**
+
+- Each `page.goto()` is now followed by `guardFinalUrl(page.url())`.
+  If the browser followed a 302 to an internal host (classic SSRF
+  escalation path via open redirect on a public domain), the engine
+  throws before rendering frames or saving screenshots.
+
+**`src/tools/engine/narrated-video.ts` — withTempDir + safe ffmpeg**
+
+- `createNarratedVideo` now uses `withTempDir` instead of the
+  predictable timestamp-based path. Its inner `runFfmpeg` helper routes
+  through the central safe runner. Concat list generation escapes
+  single quotes in file names before writing the concat list file.
+
+### Added — url-guard test suite
+
+- **`src/lib/url-guard.test.ts`** (38 tests) locks in every branch of
+  `guardUrl()`, including the classic SSRF-filter evasion encodings. All
+  pass because Node's WHATWG URL parser normalises them before the regex
+  check sees the hostname; the tests exist so a future parser change,
+  regex tweak, or refactor can't silently re-open the hole.
+
+  Covered bypass vectors: decimal IPv4 (`http://2130706433/`), hex IPv4
+  (`0x7f000001`), octal IPv4 (`0177.0.0.1`), short-form IPv4 (`127.1`),
+  bare zero (`http://0/`), IPv6-mapped IPv4 (`[::ffff:127.0.0.1]` plus
+  its compact `[::ffff:7f00:1]` and expanded forms).
+
+  Plus full coverage of the scheme allow-list (rejects `file://`, `ftp://`,
+  `gopher://`, `data:`, `javascript:`), private ranges, link-local
+  (including the AWS/GCP/Azure metadata endpoint at `169.254.169.254`),
+  IPv6 `::1` / fc00::/7 ULA / fe80::/10 link-local, and the
+  `MCP_VIDEO_ALLOW_INTERNAL` escape hatch (strict equality on `"1"` —
+  `"true"` / `"yes"` / `"0"` do not open the door).
+
 ## [1.0.0] - 2026-03-14
 
 ### Added

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,7 @@
+# Code of Conduct
+
+Be kind. Be respectful. Help each other.
+
+This project follows the [Contributor Covenant](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) v2.1.
+
+Report issues to hello@studiomeyer.io.

package/ECOSYSTEM.md

@@ -0,0 +1,35 @@
+# StudioMeyer Ecosystem
+
+MCP Video is part of the StudioMeyer open source toolkit. Here is everything we build and maintain.
+
+## MCP Server Products (Hosted)
+
+| Product | Tools | What it does | Link |
+|---------|-------|-------------|------|
+| **StudioMeyer Memory** | 53 | Persistent AI memory with knowledge graph, semantic search, multi-agent support | [memory.studiomeyer.io](https://memory.studiomeyer.io) |
+| **StudioMeyer CRM** | 33 | Headless CRM — contacts, companies, deals, pipeline, health scores, Stripe sync | [crm.studiomeyer.io](https://crm.studiomeyer.io) |
+| **StudioMeyer GEO** | 24 | AI visibility monitoring across 8 LLM platforms | [geo.studiomeyer.io](https://geo.studiomeyer.io) |
+| **MCP Crew** | 10 | 8 expert personas with domain frameworks | [crew.studiomeyer.io](https://crew.studiomeyer.io) |
+
+All MCP products use OAuth 2.1 + Magic Link authentication. Free tiers available. EU Frankfurt hosting.
+
+## Open Source Tools
+
+| Project | Description | Install |
+|---------|-------------|---------|
+| **[AI Shield](https://github.com/studiomeyer-io/ai-shield)** | LLM security — prompt injection, PII, cost tracking, tool policies | `npm install ai-shield-core` |
+| **[Darwin Agents](https://github.com/studiomeyer-io/darwin-agents)** | Self-evolving AI agents with A/B testing and safety gates | `npm install darwin-agents` |
+| **[Agent Fleet](https://github.com/studiomeyer-io/agent-fleet)** | Multi-agent orchestration for Claude Code CLI | `git clone` + `npm install` |
+| **[MCP Video](https://github.com/studiomeyer-io/mcp-video)** | Cinema-grade video production via MCP | `npx mcp-video` |
+
+## How MCP Video fits in
+
+MCP Video handles the visual content layer. Record product demos, create social media clips, add AI voiceovers, and export for every platform. Pairs well with MCP Crew (Creative Director persona for direction) and Agent Fleet (automated content pipelines).
+
+## License
+
+All open source projects are MIT licensed.
+
+---
+
+Built by [StudioMeyer](https://studiomeyer.io) — AI agency from Mallorca, Spain.

package/README.md

@@ -1,3 +1,7 @@
+<!-- studiomeyer-mcp-stack-banner:start -->
+> **Part of the [StudioMeyer MCP Stack](https://studiomeyer.io)** — Built in Mallorca 🌴 · ⭐ if you use it
+<!-- studiomeyer-mcp-stack-banner:end -->
+
 <div align="center">
 
 # mcp-video
@@ -18,6 +22,16 @@ Built on [ffmpeg](https://ffmpeg.org/) and [Playwright](https://playwright.dev/)
 
 </div>
 
+## A note from us
+
+We have been building tools and systems for ourselves for the past two years. The fact that this repo is small and has few stars is not because it is new. It is because we only just decided to share what we have built. It is not a fresh experiment, it is a long story with a recent commit.
+
+We love building things and sharing them. We do not love social media tactics, growth hacks, or chasing stars and followers. So this repo is small. The code is real, it gets used, issues get answered. Judge for yourself.
+
+If it helps you, sharing, testing, and feedback help us. If it could be better, an issue is more useful. If you build something with it, tell us at hello@studiomeyer.io. That genuinely makes our day.
+
+From a small studio in Palma de Mallorca.
+
 ## Features
 
 | Tool | Operations | Description |
@@ -44,11 +58,15 @@ Built on [ffmpeg](https://ffmpeg.org/) and [Playwright](https://playwright.dev/)
 ## Prerequisites
 
 - **Node.js** >= 18
-- **ffmpeg** and **ffprobe** (validated on startup)
+- **ffmpeg** and **ffprobe** (validated on startup, cross-platform)
 - **Playwright** browsers (`npx playwright install chromium`)
 - Optional: `ELEVENLABS_API_KEY` for ElevenLabs TTS
 - Optional: `OPENAI_API_KEY` for Whisper captions and OpenAI TTS
 
+If ffmpeg lives outside `PATH`, set `FFMPEG_PATH` and `FFPROBE_PATH` to the
+absolute binary paths. Both env vars are honoured at startup AND at every
+runtime spawn site.
+
 ## Quick Start
 
 ### With Claude Code (stdio)
@@ -96,6 +114,8 @@ MCP_HTTP=1 MCP_PORT=9847 npx mcp-video
 | Environment Variable | Default | Description |
 |---------------------|---------|-------------|
 | `VIDEO_OUTPUT_DIR` | `./output` | Directory for generated files |
+| `FFMPEG_PATH` | — | Absolute path to `ffmpeg` binary if not on `PATH` |
+| `FFPROBE_PATH` | — | Absolute path to `ffprobe` binary if not on `PATH` |
 | `ELEVENLABS_API_KEY` | — | ElevenLabs TTS API key |
 | `OPENAI_API_KEY` | — | OpenAI API key (Whisper + TTS) |
 | `MCP_HTTP` | `false` | Enable HTTP transport |
@@ -185,6 +205,10 @@ npm test             # Run tests
 npm run check        # Verify ffmpeg/ffprobe installed
 ```
 
+## About StudioMeyer
+
+[StudioMeyer](https://studiomeyer.io) is an AI and design studio based in Palma de Mallorca, working with clients worldwide. We build custom websites and AI infrastructure for small and medium businesses. Production stack on Claude Agent SDK, MCP and n8n, with Sentry, Langfuse and LangGraph for observability and an in-house guard layer.
+
 ## License
 
 MIT
@@ -195,4 +219,4 @@ Built by [StudioMeyer](https://studiomeyer.io). Part of our open-source toolkit
 
 - [ai-shield](https://github.com/studiomeyer-io/ai-shield) — LLM security middleware for TypeScript
 - [agent-fleet](https://github.com/studiomeyer-io/agent-fleet) — Multi-agent orchestration for Claude Code
-- [darwin-agents](https://github.com/studiomeyer-io/darwin-agents) — Self-evolving agent framework
+- [darwin-agents](https://github.com/studiomeyer-io/darwin-agents) — Self-evolving agent framework

package/SECURITY.md

@@ -0,0 +1,11 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you find a security vulnerability, please report it privately.
+
+**Email:** hello@studiomeyer.io
+
+Please do not open a public GitHub issue for security vulnerabilities.
+
+We will acknowledge your report within 48 hours and provide a fix timeline within 7 days.

package/dist/handlers/smart-screenshot.js

@@ -4,14 +4,18 @@
 import { jsonResponse } from '../lib/types.js';
 import { logger } from '../lib/logger.js';
 import { smartScreenshot } from '../tools/engine/smart-screenshot.js';
+import { guardUrl } from '../lib/url-guard.js';
 export const smartScreenshotHandlers = {
     /**
      * Take element-aware screenshots of specific page features
      */
     screenshot_element: async (args) => {
         try {
+            const guard = guardUrl(args.url);
+            if (!guard.ok)
+                return jsonResponse({ success: false, error: guard.reason }, true);
             const config = {
-                url: args.url,
+                url: guard.url,
                 targets: normalizeTargetArgs(args.targets),
                 outputDir: args.outputDir,
                 viewport: args.viewport ?? { width: 1920, height: 1080 },
@@ -33,8 +37,11 @@ export const smartScreenshotHandlers = {
      */
     detect_page_features: async (args) => {
         try {
+            const guard = guardUrl(args.url);
+            if (!guard.ok)
+                return jsonResponse({ success: false, error: guard.reason }, true);
             const config = {
-                url: args.url,
+                url: guard.url,
                 targets: ['all'],
                 viewport: args.viewport ?? { width: 1920, height: 1080 },
                 includeFullPage: false,
@@ -44,7 +51,7 @@ export const smartScreenshotHandlers = {
             const result = await smartScreenshot(config);
             return jsonResponse({
                 success: true,
-                url: args.url,
+                url: guard.url,
                 features: result.detected.map(f => ({
                     name: f.name,
                     selector: f.selector,

package/dist/handlers/smart-screenshot.js.map

@@ -1 +1 @@
-{"version":3,"file":"smart-screenshot.js","sourceRoot":"","sources":["../../src/handlers/smart-screenshot.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAoB,MAAM,iBAAiB,CAAC;AACjE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,qCAAqC,CAAC;AAGtE,MAAM,CAAC,MAAM,uBAAuB,GAAgC;IAClE;;OAEG;IACH,kBAAkB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACjC,IAAI,CAAC;YACH,MAAM,MAAM,GAA0B;gBACpC,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC;gBAC1C,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;gBACxD,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,IAAI,CAAC;gBAC9C,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,KAAK;gBAChC,eAAe,EAAE,IAAI,CAAC,eAAe,IAAI,KAAK;aAC/C,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;YAC7C,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,8BAA8B,OAAO,EAAE,CAAC,CAAC;YACtD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,oBAAoB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACnC,IAAI,CAAC;YACH,MAAM,MAAM,GAA0B;gBACpC,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,OAAO,EAAE,CAAC,KAAK,CAAC;gBAChB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;gBACxD,eAAe,EAAE,KAAK;aACvB,CAAC;YAEF,gEAAgE;YAChE,oFAAoF;YACpF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;YAC7C,OAAO,YAAY,CAAC;gBAClB,OAAO,EAAE,IAAI;gBACb,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBAClC,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,IAAI,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE;oBAC5C,QAAQ,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG;oBAClE,WAAW,EAAE,CAAC,CAAC,WAAW;oBAC1B,UAAU,EAAE,CAAC,CAAC,UAAU;iBACzB,CAAC,CAAC;gBACH,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;gBAC7B,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBACxC,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,IAAI,EAAE,CAAC,CAAC,IAAI;iBACb,CAAC,CAAC;aACJ,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,gCAAgC,OAAO,EAAE,CAAC,CAAC;YACxD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;CACF,CAAC;AAEF,SAAS,mBAAmB,CAAC,OAAgB;IAC3C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QACrB,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC;QACpC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YAC1D,OAAO,CAAgB,CAAC;QAC1B,CAAC;QACD,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"smart-screenshot.js","sourceRoot":"","sources":["../../src/handlers/smart-screenshot.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAoB,MAAM,iBAAiB,CAAC;AACjE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,qCAAqC,CAAC;AAEtE,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAE/C,MAAM,CAAC,MAAM,uBAAuB,GAAgC;IAClE;;OAEG;IACH,kBAAkB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACjC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,EAAE;gBAAE,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,EAAE,IAAI,CAAC,CAAC;YAClF,MAAM,MAAM,GAA0B;gBACpC,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,OAAO,EAAE,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC;gBAC1C,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;gBACxD,iBAAiB,EAAE,IAAI,CAAC,iBAAiB,IAAI,CAAC;gBAC9C,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,KAAK;gBAChC,eAAe,EAAE,IAAI,CAAC,eAAe,IAAI,KAAK;aAC/C,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;YAC7C,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,8BAA8B,OAAO,EAAE,CAAC,CAAC;YACtD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,oBAAoB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACnC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,EAAE;gBAAE,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,EAAE,IAAI,CAAC,CAAC;YAClF,MAAM,MAAM,GAA0B;gBACpC,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,OAAO,EAAE,CAAC,KAAK,CAAC;gBAChB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE;gBACxD,eAAe,EAAE,KAAK;aACvB,CAAC;YAEF,gEAAgE;YAChE,oFAAoF;YACpF,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,CAAC;YAC7C,OAAO,YAAY,CAAC;gBAClB,OAAO,EAAE,IAAI;gBACb,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBAClC,IAAI,EAAE,CAAC,CAAC,IAAI;oBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,IAAI,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,EAAE;oBAC5C,QAAQ,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG;oBAClE,WAAW,EAAE,CAAC,CAAC,WAAW;oBAC1B,UAAU,EAAE,CAAC,CAAC,UAAU;iBACzB,CAAC,CAAC;gBACH,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;gBAC7B,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBACxC,OAAO,EAAE,CAAC,CAAC,OAAO;oBAClB,IAAI,EAAE,CAAC,CAAC,IAAI;iBACb,CAAC,CAAC;aACJ,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,gCAAgC,OAAO,EAAE,CAAC,CAAC;YACxD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;CACF,CAAC;AAEF,SAAS,mBAAmB,CAAC,OAAgB;IAC3C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;QACrB,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,CAAC,CAAC;QACpC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;YAC1D,OAAO,CAAgB,CAAC;QAC1B,CAAC;QACD,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/handlers/tts.js

@@ -3,6 +3,7 @@
  */
 import { jsonResponse } from '../lib/types.js';
 import { logger } from '../lib/logger.js';
+import { guardUrl } from '../lib/url-guard.js';
 import { generateSpeech, listElevenLabsVoices, createNarratedVideo, } from '../tools/index.js';
 const OUTPUT_DIR = process.env.VIDEO_OUTPUT_DIR || './output';
 export const ttsHandlers = {
@@ -51,15 +52,18 @@ export const ttsHandlers = {
     },
     create_narrated_video: async (args) => {
         try {
+            const guard = guardUrl(args.url);
+            if (!guard.ok)
+                return jsonResponse({ success: false, error: guard.reason }, true);
             const segments = args.segments.map((s) => ({
                 text: s.text,
                 scene: s.scene,
                 paddingAfter: s.paddingAfter,
             }));
-            const hostname = new URL(args.url).hostname.replace(/^www\./, '').replace(/\./g, '-');
+            const hostname = new URL(guard.url).hostname.replace(/^www\./, '').replace(/\./g, '-');
             const defaultOutput = `${OUTPUT_DIR}/narrated-${hostname}-${new Date().toISOString().slice(0, 10)}`;
             const result = await createNarratedVideo({
-                url: args.url,
+                url: guard.url,
                 segments,
                 outputPath: args.outputPath ?? defaultOutput,
                 provider: args.provider,

package/dist/handlers/tts.js.map

@@ -1 +1 @@
-{"version":3,"file":"tts.js","sourceRoot":"","sources":["../../src/handlers/tts.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAoB,MAAM,iBAAiB,CAAC;AACjE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,mBAAmB,CAAC;AAQ3B,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,UAAU,CAAC;AAE9D,MAAM,CAAC,MAAM,WAAW,GAAgC;IAEtD,eAAe,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAc;gBACxB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,GAAG,UAAU,WAAW,IAAI,CAAC,GAAG,EAAE,MAAM;gBACvE,QAAQ,EAAE,IAAI,CAAC,QAAmC;gBAClD,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;gBAC/B,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,eAAe,EAAE,IAAI,CAAC,eAAe;gBACrC,eAAe,EAAE,IAAI,CAAC,eAAe;gBACrC,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,eAAe,EAAE,IAAI,CAAC,eAAe;aACtC,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;YAC5C,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,2BAA2B,GAAG,EAAE,CAAC,CAAC;YAC/C,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,WAAW,EAAE,KAAK,IAAI,EAAE;QACtB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,oBAAoB,EAAE,CAAC;YAC5C,OAAO,YAAY,CAAC;gBAClB,OAAO,EAAE,IAAI;gBACb,MAAM;gBACN,WAAW,EAAE,MAAM,CAAC,MAAM;gBAC1B,OAAO,EAAE;oBACP,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,eAAe,EAAE,WAAW;oBACpE,WAAW,EAAE,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU;iBAC3E;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,uBAAuB,GAAG,EAAE,CAAC,CAAC;YAC3C,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,qBAAqB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACpC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAwB,IAAI,CAAC,QAIxC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACd,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,YAAY,EAAE,CAAC,CAAC,YAAY;aAC7B,CAAC,CAAC,CAAC;YAEJ,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YACtF,MAAM,aAAa,GAAG,GAAG,UAAU,aAAa,QAAQ,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;YAEpG,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC;gBACvC,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,QAAQ;gBACR,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,aAAa;gBAC5C,QAAQ,EAAE,IAAI,CAAC,QAAmC;gBAClD,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;gBAC/B,QAAQ,EAAG,IAAI,CAAC,QAA2B,IAAI,SAAS;gBACxD,eAAe,EAAE,IAAI,CAAC,eAAe;gBACrC,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;gBAC7C,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;aAClD,CAAC,CAAC;YAEH,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,iCAAiC,GAAG,EAAE,CAAC,CAAC;YACrD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;CACF,CAAC"}
+{"version":3,"file":"tts.js","sourceRoot":"","sources":["../../src/handlers/tts.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAoB,MAAM,iBAAiB,CAAC;AACjE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC/C,OAAO,EACL,cAAc,EACd,oBAAoB,EACpB,mBAAmB,GACpB,MAAM,mBAAmB,CAAC;AAQ3B,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,UAAU,CAAC;AAE9D,MAAM,CAAC,MAAM,WAAW,GAAgC;IAEtD,eAAe,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAc;gBACxB,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,GAAG,UAAU,WAAW,IAAI,CAAC,GAAG,EAAE,MAAM;gBACvE,QAAQ,EAAE,IAAI,CAAC,QAAmC;gBAClD,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;gBAC/B,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,eAAe,EAAE,IAAI,CAAC,eAAe;gBACrC,eAAe,EAAE,IAAI,CAAC,eAAe;gBACrC,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,eAAe,EAAE,IAAI,CAAC,eAAe;aACtC,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;YAC5C,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,2BAA2B,GAAG,EAAE,CAAC,CAAC;YAC/C,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,WAAW,EAAE,KAAK,IAAI,EAAE;QACtB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,oBAAoB,EAAE,CAAC;YAC5C,OAAO,YAAY,CAAC;gBAClB,OAAO,EAAE,IAAI;gBACb,MAAM;gBACN,WAAW,EAAE,MAAM,CAAC,MAAM;gBAC1B,OAAO,EAAE;oBACP,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,eAAe,EAAE,WAAW;oBACpE,WAAW,EAAE,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU;iBAC3E;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,uBAAuB,GAAG,EAAE,CAAC,CAAC;YAC3C,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,qBAAqB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACpC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,EAAE;gBAAE,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,EAAE,IAAI,CAAC,CAAC;YAElF,MAAM,QAAQ,GAAwB,IAAI,CAAC,QAIxC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACd,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,YAAY,EAAE,CAAC,CAAC,YAAY;aAC7B,CAAC,CAAC,CAAC;YAEJ,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YACvF,MAAM,aAAa,GAAG,GAAG,UAAU,aAAa,QAAQ,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;YAEpG,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC;gBACvC,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,QAAQ;gBACR,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,aAAa;gBAC5C,QAAQ,EAAE,IAAI,CAAC,QAAmC;gBAClD,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,IAAI;gBAC/B,QAAQ,EAAG,IAAI,CAAC,QAA2B,IAAI,SAAS;gBACxD,eAAe,EAAE,IAAI,CAAC,eAAe;gBACrC,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;gBAC7C,qBAAqB,EAAE,IAAI,CAAC,qBAAqB;aAClD,CAAC,CAAC;YAEH,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,MAAM,CAAC,KAAK,CAAC,iCAAiC,GAAG,EAAE,CAAC,CAAC;YACrD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/handlers/video.js

@@ -5,6 +5,7 @@ import { jsonResponse } from '../lib/types.js';
 import { logger } from '../lib/logger.js';
 import { recordWebsite } from '../tools/index.js';
 import * as path from 'path';
+import { guardUrl } from '../lib/url-guard.js';
 const OUTPUT_DIR = process.env.VIDEO_OUTPUT_DIR || './output';
 export const videoHandlers = {
     /**
@@ -12,9 +13,12 @@ export const videoHandlers = {
      */
     record_website_video: async (args) => {
         try {
+            const guard = guardUrl(args.url);
+            if (!guard.ok)
+                return jsonResponse({ success: false, error: guard.reason }, true);
             const config = {
-                url: args.url,
-                outputPath: args.outputPath ?? generateOutputPath(args.url, 'video'),
+                url: guard.url,
+                outputPath: args.outputPath ?? generateOutputPath(guard.url, 'video'),
                 viewport: args.viewport ?? 'desktop',
                 fps: args.fps ?? 60,
                 scenes: args.scenes,
@@ -41,11 +45,14 @@ export const videoHandlers = {
      */
     record_website_scroll: async (args) => {
         try {
+            const guard = guardUrl(args.url);
+            if (!guard.ok)
+                return jsonResponse({ success: false, error: guard.reason }, true);
             const duration = args.duration ?? 12;
             const easing = args.easing ?? 'showcase';
             const config = {
-                url: args.url,
-                outputPath: args.outputPath ?? generateOutputPath(args.url, 'scroll'),
+                url: guard.url,
+                outputPath: args.outputPath ?? generateOutputPath(guard.url, 'scroll'),
                 viewport: args.viewport ?? 'desktop',
                 fps: 60,
                 scenes: [
@@ -70,15 +77,18 @@ export const videoHandlers = {
      */
     record_multi_device: async (args) => {
         try {
+            const guard = guardUrl(args.url);
+            if (!guard.ok)
+                return jsonResponse({ success: false, error: guard.reason }, true);
             const devices = args.devices ?? ['desktop', 'tablet', 'mobile'];
             const duration = args.duration ?? 10;
             const outputDir = args.outputDir ?? OUTPUT_DIR;
             const results = {};
             for (const device of devices) {
-                logger.info(`Recording ${device} viewport for ${args.url}...`);
+                logger.info(`Recording ${device} viewport for ${guard.url}...`);
                 const config = {
-                    url: args.url,
-                    outputPath: path.join(outputDir, generateOutputName(args.url, device)),
+                    url: guard.url,
+                    outputPath: path.join(outputDir, generateOutputName(guard.url, device)),
                     viewport: device,
                     fps: 60,
                     scenes: [

package/dist/handlers/video.js.map

@@ -1 +1 @@
-{"version":3,"file":"video.js","sourceRoot":"","sources":["../../src/handlers/video.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAoB,MAAM,iBAAiB,CAAC;AACjE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAE7B,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,UAAU,CAAC;AAE9D,MAAM,CAAC,MAAM,aAAa,GAAgC;IACxD;;OAEG;IACH,oBAAoB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACnC,IAAI,CAAC;YACH,MAAM,MAAM,GAAoB;gBAC9B,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,kBAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC;gBACpE,QAAQ,EAAE,IAAI,CAAC,QAA0B,IAAI,SAAS;gBACtD,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,EAAE;gBACnB,MAAM,EAAE,IAAI,CAAC,MAA6B;gBAC1C,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;gBACxC,QAAQ,EAAE;oBACR,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,MAAM;oBAC3B,GAAG,EAAE,IAAI,CAAC,OAAO,IAAI,EAAE;iBACxB;gBACD,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,KAAK;gBAChC,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,IAAI;gBAC3C,eAAe,EAAE,IAAI,CAAC,eAAe,IAAI,IAAI;aAC9C,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,gCAAgC,OAAO,EAAE,CAAC,CAAC;YACxD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,qBAAqB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACpC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,UAAU,CAAC;YAEzC,MAAM,MAAM,GAAoB;gBAC9B,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,kBAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC;gBACrE,QAAQ,EAAG,IAAI,CAAC,QAA2B,IAAI,SAAS;gBACxD,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE;oBACN,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE;oBAChC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE;oBAClD,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE;iBAC/B;gBACD,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE;gBAC1B,QAAQ,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE;aACrC,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,iCAAiC,OAAO,EAAE,CAAC,CAAC;YACzD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,mBAAmB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAClC,IAAI,CAAC;YACH,MAAM,OAAO,GAAqB,IAAI,CAAC,OAAO,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAClF,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;YACrC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC;YAC/C,MAAM,OAAO,GAA4B,EAAE,CAAC;YAE5C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,CAAC,IAAI,CAAC,aAAa,MAAM,iBAAiB,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC;gBAE/D,MAAM,MAAM,GAAoB;oBAC9B,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,kBAAkB,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;oBACtE,QAAQ,EAAE,MAAM;oBAChB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE;wBACN,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE;wBAC9B,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE;wBAC9D,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE;qBACjC;oBACD,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,kBAAkB,EAAE;oBACzE,QAAQ,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE;iBACrC,CAAC;gBAEF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;gBAC3C,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;YAC3B,CAAC;YAED,OAAO,YAAY,CAAC;gBAClB,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,OAAO,CAAC,MAAM;gBACvB,OAAO;aACR,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,+BAA+B,OAAO,EAAE,CAAC,CAAC;YACvD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,kBAAkB,CAAC,GAAW,EAAE,MAAc;IACrD,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC7C,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW,EAAE,MAAc;IACrD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ;aACnC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;aACrB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACvB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACxD,OAAO,GAAG,QAAQ,IAAI,MAAM,IAAI,SAAS,EAAE,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,WAAW,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAC3C,CAAC;AACH,CAAC"}
+{"version":3,"file":"video.js","sourceRoot":"","sources":["../../src/handlers/video.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAoB,MAAM,iBAAiB,CAAC;AACjE,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAE/C,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,UAAU,CAAC;AAE9D,MAAM,CAAC,MAAM,aAAa,GAAgC;IACxD;;OAEG;IACH,oBAAoB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACnC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,EAAE;gBAAE,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,EAAE,IAAI,CAAC,CAAC;YAClF,MAAM,MAAM,GAAoB;gBAC9B,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,kBAAkB,CAAC,KAAK,CAAC,GAAG,EAAE,OAAO,CAAC;gBACrE,QAAQ,EAAE,IAAI,CAAC,QAA0B,IAAI,SAAS;gBACtD,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,EAAE;gBACnB,MAAM,EAAE,IAAI,CAAC,MAA6B;gBAC1C,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE;gBACxC,QAAQ,EAAE;oBACR,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,MAAM;oBAC3B,GAAG,EAAE,IAAI,CAAC,OAAO,IAAI,EAAE;iBACxB;gBACD,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,KAAK;gBAChC,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,IAAI;gBAC3C,eAAe,EAAE,IAAI,CAAC,eAAe,IAAI,IAAI;aAC9C,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,gCAAgC,OAAO,EAAE,CAAC,CAAC;YACxD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,qBAAqB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACpC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,EAAE;gBAAE,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,EAAE,IAAI,CAAC,CAAC;YAClF,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,UAAU,CAAC;YAEzC,MAAM,MAAM,GAAoB;gBAC9B,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,UAAU,EAAE,IAAI,CAAC,UAAU,IAAI,kBAAkB,CAAC,KAAK,CAAC,GAAG,EAAE,QAAQ,CAAC;gBACtE,QAAQ,EAAG,IAAI,CAAC,QAA2B,IAAI,SAAS;gBACxD,GAAG,EAAE,EAAE;gBACP,MAAM,EAAE;oBACN,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE;oBAChC,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE;oBAClD,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE;iBAC/B;gBACD,MAAM,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE;gBAC1B,QAAQ,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE;aACrC,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;YAC3C,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,iCAAiC,OAAO,EAAE,CAAC,CAAC;YACzD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,mBAAmB,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAClC,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,EAAE;gBAAE,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,EAAE,IAAI,CAAC,CAAC;YAClF,MAAM,OAAO,GAAqB,IAAI,CAAC,OAAO,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAClF,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;YACrC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC;YAC/C,MAAM,OAAO,GAA4B,EAAE,CAAC;YAE5C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;gBAC7B,MAAM,CAAC,IAAI,CAAC,aAAa,MAAM,iBAAiB,KAAK,CAAC,GAAG,KAAK,CAAC,CAAC;gBAEhE,MAAM,MAAM,GAAoB;oBAC9B,GAAG,EAAE,KAAK,CAAC,GAAG;oBACd,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,kBAAkB,CAAC,KAAK,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;oBACvE,QAAQ,EAAE,MAAM;oBAChB,GAAG,EAAE,EAAE;oBACP,MAAM,EAAE;wBACN,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE;wBAC9B,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE;wBAC9D,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE;qBACjC;oBACD,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,kBAAkB,EAAE;oBACzE,QAAQ,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE;iBACrC,CAAC;gBAEF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;gBAC3C,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;YAC3B,CAAC;YAED,OAAO,YAAY,CAAC;gBAClB,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,OAAO,CAAC,MAAM;gBACvB,OAAO;aACR,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,CAAC,KAAK,CAAC,+BAA+B,OAAO,EAAE,CAAC,CAAC;YACvD,OAAO,YAAY,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,IAAI,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,kBAAkB,CAAC,GAAW,EAAE,MAAc;IACrD,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC7C,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW,EAAE,MAAc;IACrD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ;aACnC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;aACrB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QACvB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACxD,OAAO,GAAG,QAAQ,IAAI,MAAM,IAAI,SAAS,EAAE,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,WAAW,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAC3C,CAAC;AACH,CAAC"}

package/dist/lib/error-sanitizer.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Error-message sanitizer for upstream API responses.
+ *
+ * Motivation: TTS, cloud-media and similar APIs echo request bodies or
+ * auth headers back in error responses. Our code previously did
+ *   throw new Error(`ElevenLabs API ${status}: ${errorText}`);
+ * which happily embedded Bearer tokens, full xi-api-key values, signed
+ * URLs and sometimes the caller's text payload into stack traces that
+ * the MCP client then logged or surfaced to the human.
+ *
+ * `sanitizeErrorMessage` strips the common secret-looking patterns and
+ * truncates to a fixed cap so a 2 MB HTML error page doesn't turn into
+ * a 2 MB thrown string.
+ */
+export interface SanitizeOptions {
+    /** Max length of the returned string (default: 300). */
+    limit?: number;
+    /** Optional prefix added before the sanitized body. */
+    prefix?: string;
+}
+export declare function sanitizeErrorMessage(raw: unknown, opts?: SanitizeOptions): string;
+/**
+ * Wrap a thrown non-Error value and return a sanitized Error.
+ * Use inside catch-blocks that re-throw upstream API failures.
+ */
+export declare function sanitizedError(raw: unknown, prefix?: string): Error;

package/dist/lib/error-sanitizer.js

@@ -0,0 +1,58 @@
+/**
+ * Error-message sanitizer for upstream API responses.
+ *
+ * Motivation: TTS, cloud-media and similar APIs echo request bodies or
+ * auth headers back in error responses. Our code previously did
+ *   throw new Error(`ElevenLabs API ${status}: ${errorText}`);
+ * which happily embedded Bearer tokens, full xi-api-key values, signed
+ * URLs and sometimes the caller's text payload into stack traces that
+ * the MCP client then logged or surfaced to the human.
+ *
+ * `sanitizeErrorMessage` strips the common secret-looking patterns and
+ * truncates to a fixed cap so a 2 MB HTML error page doesn't turn into
+ * a 2 MB thrown string.
+ */
+// Order matters: specific-form patterns (Bearer / sk- / AKIA) run first and
+// leave `[REDACTED]` markers behind. The generic Authorization pattern has
+// a negative lookahead for `Bearer` / `[REDACTED]` so it does not re-consume
+// an already-tokenised value (which would lose the `Bearer` marker that
+// log-readers rely on to see *what kind* of token leaked).
+const PATTERNS = [
+    // Bearer tokens — `Bearer sk-abc...`
+    { re: /\bBearer\s+[A-Za-z0-9._~+/-]+=*/gi, replacement: 'Bearer [REDACTED]' },
+    // ElevenLabs `xi-api-key`, standard `x-api-key` (AWS / Anthropic / many APIs)
+    { re: /(xi?-api-key["':\s]+)[^"'\s,}]+/gi, replacement: '$1[REDACTED]' },
+    // OpenAI-style `sk-` and `sk-proj-` keys
+    { re: /\bsk-[a-zA-Z0-9_-]{20,}/g, replacement: 'sk-[REDACTED]' },
+    // AWS access keys (AKIA + 16 chars)
+    { re: /\bAKIA[0-9A-Z]{16}\b/g, replacement: '[REDACTED-AWS-KEY]' },
+    // Generic `"api_key": "..."` or `"apiKey": "..."` inside JSON
+    { re: /("api[-_]?key"\s*:\s*")[^"]+/gi, replacement: '$1[REDACTED]' },
+    // Authorization header full line — skip values we already redacted.
+    {
+        re: /(authorization["':\s]+)(?!Bearer\s)(?!\[REDACTED\])[^"'\s,}]+/gi,
+        replacement: '$1[REDACTED]',
+    },
+    // Signed URLs with `X-Amz-Signature=` or `?signature=`
+    { re: /([?&](?:X-Amz-Signature|signature)=)[^&\s"']+/gi, replacement: '$1[REDACTED]' },
+];
+export function sanitizeErrorMessage(raw, opts = {}) {
+    const { limit = 300, prefix = '' } = opts;
+    let str = typeof raw === 'string' ? raw : raw instanceof Error ? raw.message : String(raw);
+    for (const { re, replacement } of PATTERNS) {
+        str = str.replace(re, replacement);
+    }
+    // Collapse whitespace for readability.
+    str = str.replace(/\s+/g, ' ').trim();
+    if (str.length > limit)
+        str = `${str.slice(0, limit)}…`;
+    return prefix ? `${prefix}${str}` : str;
+}
+/**
+ * Wrap a thrown non-Error value and return a sanitized Error.
+ * Use inside catch-blocks that re-throw upstream API failures.
+ */
+export function sanitizedError(raw, prefix = '') {
+    return new Error(sanitizeErrorMessage(raw, { prefix }));
+}
+//# sourceMappingURL=error-sanitizer.js.map

package/dist/lib/error-sanitizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-sanitizer.js","sourceRoot":"","sources":["../../src/lib/error-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,4EAA4E;AAC5E,2EAA2E;AAC3E,6EAA6E;AAC7E,wEAAwE;AACxE,2DAA2D;AAC3D,MAAM,QAAQ,GAA+C;IAC3D,qCAAqC;IACrC,EAAE,EAAE,EAAE,mCAAmC,EAAE,WAAW,EAAE,mBAAmB,EAAE;IAC7E,8EAA8E;IAC9E,EAAE,EAAE,EAAE,mCAAmC,EAAE,WAAW,EAAE,cAAc,EAAE;IACxE,yCAAyC;IACzC,EAAE,EAAE,EAAE,0BAA0B,EAAE,WAAW,EAAE,eAAe,EAAE;IAChE,oCAAoC;IACpC,EAAE,EAAE,EAAE,uBAAuB,EAAE,WAAW,EAAE,oBAAoB,EAAE;IAClE,8DAA8D;IAC9D,EAAE,EAAE,EAAE,gCAAgC,EAAE,WAAW,EAAE,cAAc,EAAE;IACrE,oEAAoE;IACpE;QACE,EAAE,EAAE,iEAAiE;QACrE,WAAW,EAAE,cAAc;KAC5B;IACD,uDAAuD;IACvD,EAAE,EAAE,EAAE,iDAAiD,EAAE,WAAW,EAAE,cAAc,EAAE;CACvF,CAAC;AASF,MAAM,UAAU,oBAAoB,CAAC,GAAY,EAAE,OAAwB,EAAE;IAC3E,MAAM,EAAE,KAAK,GAAG,GAAG,EAAE,MAAM,GAAG,EAAE,EAAE,GAAG,IAAI,CAAC;IAC1C,IAAI,GAAG,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3F,KAAK,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE,IAAI,QAAQ,EAAE,CAAC;QAC3C,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;IACrC,CAAC;IACD,uCAAuC;IACvC,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACtC,IAAI,GAAG,CAAC,MAAM,GAAG,KAAK;QAAE,GAAG,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC;IACxD,OAAO,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,GAAG,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;AAC1C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,GAAY,EAAE,MAAM,GAAG,EAAE;IACtD,OAAO,IAAI,KAAK,CAAC,oBAAoB,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;AAC1D,CAAC"}