crawlforge-mcp-server 3.0.1 → 3.0.3

package/CLAUDE.md

@@ -4,7 +4,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ## Project Overview
 
-CrawlForge MCP Server - A professional MCP (Model Context Protocol) server implementation providing 18+ comprehensive web scraping, crawling, and content processing tools. Version 3.0 includes advanced content extraction, document processing, summarization, and analysis capabilities. Wave 2 adds asynchronous batch processing and browser automation features. Wave 3 introduces deep research orchestration, stealth scraping, localization, and change tracking.
+CrawlForge MCP Server - A professional MCP (Model Context Protocol) server implementation providing 19 comprehensive web scraping, crawling, and content processing tools. Version 3.0 includes advanced content extraction, document processing, summarization, and analysis capabilities. Wave 2 adds asynchronous batch processing and browser automation features. Wave 3 introduces deep research orchestration, stealth scraping, localization, and change tracking.
 
 ## Development Commands
 
@@ -12,15 +12,11 @@ CrawlForge MCP Server - A professional MCP (Model Context Protocol) server imple
 # Install dependencies
 npm install
 
-# Setup (required for first run unless in creator mode)
+# Setup (required for first run)
 npm run setup
 # Or provide API key via environment:
 export CRAWLFORGE_API_KEY="your_api_key_here"
 
-# Creator Mode (bypass API key requirement for development)
-export BYPASS_API_KEY=true
-npm start
-
 # Run the server (production)
 npm start
 
@@ -67,7 +63,8 @@ node test-real-world.js                                 # Real-world scenarios t
 ## High-Level Architecture
 
 ### Core Infrastructure (`src/core/`)
-- **AuthManager**: Authentication, credit tracking, and usage reporting (supports creator mode)
+
+- **AuthManager**: Authentication, credit tracking, and usage reporting
 - **PerformanceManager**: Centralized performance monitoring and optimization
 - **JobManager**: Asynchronous job tracking and management for batch operations
 - **WebhookDispatcher**: Event notification system for job completion callbacks
@@ -79,33 +76,37 @@ node test-real-world.js                                 # Real-world scenarios t
 - **SnapshotManager**: Manages website snapshots and version history
 
 ### Tool Layer (`src/tools/`)
+
 Tools are organized in subdirectories by category:
+
 - `advanced/` - BatchScrapeTool, ScrapeWithActionsTool
 - `crawl/` - crawlDeep, mapSite
 - `extract/` - analyzeContent, extractContent, processDocument, summarizeContent
 - `research/` - deepResearch
 - `search/` - searchWeb and provider adapters (Google, DuckDuckGo)
-- `tracking/` - trackChanges (currently disabled in server.js)
+- `tracking/` - trackChanges
 - `llmstxt/` - generateLLMsTxt
 
-### Available MCP Tools (18 total)
+### Available MCP Tools (19 total)
+
 **Basic Tools (server.js inline):**
+
 - fetch_url, extract_text, extract_links, extract_metadata, scrape_structured
 
 **Advanced Tools:**
+
 - search_web (conditional - requires search provider), crawl_deep, map_site
 - extract_content, process_document, summarize_content, analyze_content
 - batch_scrape, scrape_with_actions, deep_research
-- generate_llms_txt, stealth_mode, localization
-
-**Note:** track_changes tool is implemented but currently commented out in server.js (line 1409-1535)
+- track_changes, generate_llms_txt, stealth_mode, localization
 
 ### MCP Server Entry Point
+
 The main server implementation is in `server.js` which:
+
 1. **Authentication Flow**: Uses AuthManager for API key validation and credit tracking
-   - Checks for authentication on startup (skipped in creator mode)
+   - Checks for authentication on startup
    - Auto-setup if CRAWLFORGE_API_KEY environment variable is present
-   - Creator mode enabled via BYPASS_API_KEY=true
 2. **Tool Registration**: All tools registered via `server.registerTool()` pattern
    - Wrapped with `withAuth()` function for credit tracking and authentication
    - Each tool has inline Zod schema for parameter validation
@@ -114,8 +115,10 @@ The main server implementation is in `server.js` which:
 4. **Graceful Shutdown**: Cleans up browser instances, job managers, and other resources
 
 ### Tool Credit System
+
 Each tool wrapped with `withAuth(toolName, handler)`:
-- Checks credits before execution (skipped in creator mode)
+
+- Checks credits before execution
 - Reports usage with credit deduction on success
 - Charges half credits on error
 - Returns credit error if insufficient balance
@@ -125,9 +128,8 @@ Each tool wrapped with `withAuth(toolName, handler)`:
 Critical environment variables defined in `src/constants/config.js`:
 
 ```bash
-# Authentication (required unless in creator mode)
+# Authentication (required)
 CRAWLFORGE_API_KEY=your_api_key_here
-BYPASS_API_KEY=true  # Enable creator mode for development
 
 # Search Provider (auto, google, duckduckgo)
 SEARCH_PROVIDER=auto
@@ -149,6 +151,7 @@ RESPECT_ROBOTS_TXT=true
 ```
 
 ### Configuration Files
+
 - `~/.crawlforge/config.json` - User authentication and API key storage
 - `.env` - Environment variables for development
 - `src/constants/config.js` - Central configuration with defaults and validation
@@ -156,6 +159,7 @@ RESPECT_ROBOTS_TXT=true
 ## Common Development Tasks
 
 ### Running a Single Test
+
 ```bash
 # Run a specific test file
 node tests/unit/linkAnalyzer.test.js
@@ -168,6 +172,7 @@ npm run test:wave3:verbose
 ```
 
 ### Testing Tool Integration
+
 ```bash
 # Test MCP protocol compliance
 npm test
@@ -181,16 +186,18 @@ node tests/validation/wave3-validation.js
 ```
 
 ### Debugging Tips
+
 - Server logs are written to console via Winston logger (stderr for status, stdout for MCP protocol)
 - Set `NODE_ENV=development` for verbose logging
 - Use `--expose-gc` flag for memory profiling: `node --expose-gc server.js`
 - Check `cache/` directory for cached responses
 - Review `logs/` directory for application logs
-- Use creator mode during development to bypass authentication: `BYPASS_API_KEY=true npm start`
 - Memory monitoring automatically enabled in development mode (logs every 60s if >200MB)
 
 ### Adding New Tools
+
 When adding a new tool to server.js:
+
 1. Import the tool class from `src/tools/`
 2. Instantiate the tool (with config if needed)
 3. Register with `server.registerTool(name, { description, inputSchema }, withAuth(name, handler))`
@@ -205,9 +212,11 @@ When adding a new tool to server.js:
 The project includes comprehensive security testing integrated into the CI/CD pipeline:
 
 #### Main CI Pipeline (`.github/workflows/ci.yml`)
+
 The CI pipeline runs on every PR and push to main/develop branches and includes:
 
 **Security Test Suite:**
+
 - SSRF Protection validation
 - Input validation (XSS, SQL injection, command injection)
 - Rate limiting functionality
@@ -215,42 +224,50 @@ The CI pipeline runs on every PR and push to main/develop branches and includes:
 - Regex DoS vulnerability detection
 
 **Dependency Security:**
+
 - npm audit with JSON output and summary generation
 - Vulnerability severity analysis (critical/high/moderate/low)
 - License compliance checking
 - Outdated package detection
 
 **Static Code Analysis:**
+
 - CodeQL security analysis with extended queries
 - ESLint security rules for dangerous patterns
 - Hardcoded secret detection
 - Security file scanning
 
 **Reporting & Artifacts:**
+
 - Comprehensive security reports generated
 - PR comments with security summaries
 - Artifact upload for detailed analysis
 - Build failure on critical vulnerabilities
 
 #### Dedicated Security Workflow (`.github/workflows/security.yml`)
+
 Daily scheduled comprehensive security scanning:
 
 **Dependency Security Scan:**
+
 - Full vulnerability audit with configurable severity levels
 - License compliance verification
 - Detailed vulnerability reporting
 
 **Static Code Analysis:**
+
 - Extended CodeQL analysis with security-focused queries
 - ESLint security plugin integration
 - Pattern-based secret detection
 
 **Container Security:**
+
 - Trivy vulnerability scanning
 - SARIF report generation
 - Container base image analysis
 
 **Automated Issue Creation:**
+
 - GitHub issues created for critical vulnerabilities
 - Detailed security reports with remediation steps
 - Configurable severity thresholds
@@ -258,11 +275,13 @@ Daily scheduled comprehensive security scanning:
 ### Security Thresholds and Policies
 
 **Build Failure Conditions:**
+
 - Any critical severity vulnerabilities
 - More than 3 high severity vulnerabilities
 - Security test suite failures
 
 **Automated Actions:**
+
 - Daily security scans at 2 AM UTC
 - PR blocking for security failures
 - Automatic security issue creation
@@ -291,6 +310,7 @@ node tests/security/security-test-suite.js
 ### Security Artifacts and Reports
 
 **Generated Reports:**
+
 - `SECURITY-REPORT.md`: Comprehensive security assessment
 - `npm-audit.json`: Detailed vulnerability data
 - `security-tests.log`: Test execution logs
@@ -298,6 +318,7 @@ node tests/security/security-test-suite.js
 - `license-check.md`: License compliance report
 
 **Artifact Retention:**
+
 - CI security results: 30 days
 - Comprehensive security reports: 90 days
 - Critical vulnerability reports: Indefinite
@@ -317,18 +338,21 @@ gh workflow run security.yml \
 ```
 
 **Available Options:**
+
 - `scan_type`: all, dependencies, code-analysis, container-scan
 - `severity_threshold`: low, moderate, high, critical
 
 ### Security Integration Best Practices
 
 **For Contributors:**
+
 1. Always run `npm run test:security` before submitting PRs
 2. Address any security warnings in your code
 3. Keep dependencies updated with `npm audit fix`
 4. Review security artifacts when CI fails
 
 **For Maintainers:**
+
 1. Review security reports weekly
 2. Respond to automated security issues promptly
 3. Keep security thresholds updated
@@ -337,11 +361,13 @@ gh workflow run security.yml \
 ### Security Documentation
 
 Comprehensive security documentation is available in:
+
 - `.github/SECURITY.md` - Complete security policy and procedures
 - Security workflow logs and artifacts
 - Generated security reports in CI runs
 
 The security integration ensures that:
+
 - No critical vulnerabilities reach production
 - Security issues are detected early in development
 - Comprehensive audit trails are maintained
@@ -350,7 +376,9 @@ The security integration ensures that:
 ## Important Implementation Patterns
 
 ### Tool Structure
+
 All tools follow a consistent class-based pattern:
+
 ```javascript
 export class ToolName {
   constructor(config) {
@@ -372,26 +400,32 @@ export class ToolName {
 ```
 
 ### Search Provider Architecture
+
 Search providers implement a factory pattern:
+
 - `searchProviderFactory.js` selects provider based on config
 - Providers implement common interface: `search(query, options)`
 - Auto-fallback: Google → DuckDuckGo if Google credentials missing
 - Each provider in `src/tools/search/adapters/`
 
 ### Browser Management
+
 - Playwright used for browser automation (ActionExecutor, ScrapeWithActionsTool)
 - Stealth features in StealthBrowserManager
 - Always cleanup browsers in error handlers
 - Context isolation per operation for security
 
 ### Memory Management
+
 Critical for long-running processes:
+
 - Graceful shutdown handlers registered for SIGINT/SIGTERM
 - All tools with heavy resources must implement `destroy()` or `cleanup()`
 - Memory monitoring in development mode (server.js line 1955-1963)
 - Force GC on shutdown if available
 
 ### Error Handling Pattern
+
 ```javascript
 try {
   const result = await tool.execute(params);
@@ -399,14 +433,24 @@ try {
 } catch (error) {
   return {
     content: [{ type: "text", text: `Operation failed: ${error.message}` }],
-    isError: true
+    isError: true,
   };
 }
 ```
 
 ### Configuration Validation
+
 - All config in `src/constants/config.js` with defaults
 - `validateConfig()` checks required settings
 - Environment variables parsed with fallbacks
 - Config errors only fail in production (warnings in dev)
 
+## 🎯 Project Management Rules
+
+## 🎯 Project Management Rules
+
+- always have the project manager work with the appropriate sub agents in parallel
+- i want the project manager to always be in charge and then get the appropriate sub agents to work on the tasks in parallel. each sub agent must work on their strengths. when they are done they let the project manager know and the project manager updates the @PRODUCTION_READINESS.md file.
+- whenever a phase is completed push all changes to github
+- put all the documentation md files into the docs folders to keep everything organized
+- every time you finish a phase run npm run build and fix all errors. do this before you push to github.

package/README.md

@@ -9,7 +9,7 @@ Professional web scraping and content extraction server implementing the Model C
 
 ## 🎯 Features
 
-- **18+ Advanced Tools**: Web scraping, deep research, stealth browsing, content analysis
+- **19 Professional Tools**: Web scraping, deep research, stealth browsing, content analysis
 - **Free Tier**: 1,000 credits to get started instantly
 - **MCP Compatible**: Works with Claude, Cursor, and other MCP-enabled AI tools
 - **Enterprise Ready**: Scale up with paid plans for production use
@@ -34,7 +34,7 @@ This will:
 - Configure your credentials securely
 - Verify your setup is working
 
-**Don't have an API key?** Get one free at [https://crawlforge.com/signup](https://crawlforge.com/signup)
+**Don't have an API key?** Get one free at [https://www.crawlforge.dev/signup](https://www.crawlforge.dev/signup)
 
 ### 3. Configure Your IDE
 
@@ -105,15 +105,19 @@ Or use the MCP plugin in Cursor settings.
 
 ## 💳 Pricing
 
-| Plan | Credits/Month | Price | Best For |
-|------|---------------|-------|----------|
-| **Free** | 1,000 | $0 | Testing & personal projects |
-| **Hobby** | 10,000 | $19 | Small projects |
-| **Pro** | 50,000 | $49 | Professional use |
-| **Business** | 200,000 | $149 | Teams & automation |
-| **Enterprise** | Unlimited | Custom | Large scale operations |
+| Plan | Credits/Month | Best For |
+|------|---------------|----------|
+| **Free** | 1,000 | Testing & personal projects |
+| **Starter** | 5,000 | Small projects & development |
+| **Professional** | 50,000 | Professional use & production |
+| **Enterprise** | 250,000 | Large scale operations |
 
-[View full pricing](https://crawlforge.com/pricing)
+**All plans include:**
+- Access to all 19 tools
+- Credits never expire and roll over month-to-month
+- API access and webhook notifications
+
+[View full pricing](https://www.crawlforge.dev/pricing)
 
 ## 🔧 Advanced Configuration
 
@@ -124,7 +128,7 @@ Or use the MCP plugin in Cursor settings.
 export CRAWLFORGE_API_KEY="sk_live_your_api_key_here"
 
 # Optional: Custom API endpoint (for enterprise)
-export CRAWLFORGE_API_URL="https://api.crawlforge.com"
+export CRAWLFORGE_API_URL="https://api.crawlforge.dev"
 ```
 
 ### Manual Configuration
@@ -161,9 +165,9 @@ Once configured, use these tools in your AI assistant:
 
 ## 🆘 Support
 
-- **Documentation**: [https://crawlforge.com/docs](https://crawlforge.com/docs)
-- **Issues**: [GitHub Issues](https://github.com/crawlforge/mcp-server/issues)
-- **Email**: support@crawlforge.com
+- **Documentation**: [https://www.crawlforge.dev/docs](https://www.crawlforge.dev/docs)
+- **Issues**: [GitHub Issues](https://github.com/mysleekdesigns/crawlforge-mcp/issues)
+- **Email**: support@crawlforge.dev
 - **Discord**: [Join our community](https://discord.gg/crawlforge)
 
 ## 📄 License
@@ -178,4 +182,4 @@ Contributions are welcome! Please read our [Contributing Guide](CONTRIBUTING.md)
 
 **Built with ❤️ by the CrawlForge team**
 
-[Website](https://crawlforge.com) | [Documentation](https://crawlforge.com/docs) | [API Reference](https://crawlforge.com/api)
+[Website](https://www.crawlforge.dev) | [Documentation](https://www.crawlforge.dev/docs) | [API Reference](https://www.crawlforge.dev/api-reference)

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "crawlforge-mcp-server",
-  "version": "3.0.1",
-  "description": "CrawlForge MCP Server - Professional Model Context Protocol server with 16+ comprehensive web scraping, crawling, and content processing tools.",
+  "version": "3.0.3",
+  "description": "CrawlForge MCP Server - Professional Model Context Protocol server with 19 comprehensive web scraping, crawling, and content processing tools.",
   "main": "server.js",
   "bin": {
     "crawlforge": "server.js",
@@ -48,17 +48,17 @@
   ],
   "author": {
     "name": "Simon Lacey",
-    "email": "your-email@example.com"
+    "email": "support@crawlforge.dev"
   },
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/crawlforge/mcp-server.git"
+    "url": "git+https://github.com/mysleekdesigns/crawlforge-mcp.git"
   },
   "bugs": {
-    "url": "https://github.com/crawlforge/mcp-server/issues"
+    "url": "https://github.com/mysleekdesigns/crawlforge-mcp/issues"
   },
-  "homepage": "https://crawlforge.com",
+  "homepage": "https://crawlforge.dev",
   "type": "module",
   "engines": {
     "node": ">=18.0.0",

package/server.js

@@ -1,5 +1,30 @@
 #!/usr/bin/env node
 
+// Secure Creator Mode Authentication - MUST run before any imports
+// Only the creator can enable unlimited access with their secret
+import crypto from 'crypto';
+import dotenv from 'dotenv';
+
+// Load .env file early to check for creator secret
+dotenv.config({ path: '.env', quiet: true });
+
+const CREATOR_SECRET_HASH = 'cfef62e5068d48e7dd6a39c9e16f0be2615510c6b68274fc8abe3156feb5050b';
+
+if (process.env.CRAWLFORGE_CREATOR_SECRET) {
+  const providedHash = crypto
+    .createHash('sha256')
+    .update(process.env.CRAWLFORGE_CREATOR_SECRET)
+    .digest('hex');
+
+  if (providedHash === CREATOR_SECRET_HASH) {
+    process.env.CRAWLFORGE_CREATOR_MODE = 'true';
+    console.log('🔓 Creator Mode Enabled - Unlimited Access');
+  } else {
+    console.warn('⚠️  Invalid creator secret provided');
+  }
+}
+
+// Now import everything else
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
@@ -16,8 +41,8 @@ import { BatchScrapeTool } from "./src/tools/advanced/BatchScrapeTool.js";
 import { ScrapeWithActionsTool } from "./src/tools/advanced/ScrapeWithActionsTool.js";
 // Deep Research Tool
 import { DeepResearchTool } from "./src/tools/research/deepResearch.js";
-// Change Tracking Tool - commented out due to import issue
-// import { TrackChangesTool } from "./src/tools/tracking/trackChanges.js";
+// Change Tracking Tool
+import { TrackChangesTool } from "./src/tools/tracking/trackChanges.js";
 // LLMs.txt Generator Tool (Phase 2.5)
 import { GenerateLLMsTxtTool } from "./src/tools/llmstxt/generateLLMsTxt.js";
 // Wave 3-4 Core Managers
@@ -28,11 +53,6 @@ import { config, validateConfig, isSearchConfigured, getToolConfig, getActiveSea
 // Authentication Manager
 import AuthManager from "./src/core/AuthManager.js";
 
-// Enable creator mode if BYPASS_API_KEY is set
-if (process.env.BYPASS_API_KEY === 'true') {
-  process.env.CRAWLFORGE_CREATOR_MODE = 'true';
-}
-
 // Initialize Authentication Manager
 await AuthManager.initialize();
 
@@ -62,7 +82,7 @@ if (!AuthManager.isAuthenticated() && !AuthManager.isCreatorMode()) {
     console.log('Or set your API key via environment variable:');
     console.log('  export CRAWLFORGE_API_KEY="your_api_key_here"');
     console.log('');
-    console.log('Get your free API key at: https://crawlforge.com/signup');
+    console.log('Get your free API key at: https://www.crawlforge.dev/signup');
     console.log('(Includes 1,000 free credits!)');
     console.log('');
     process.exit(0);
@@ -77,7 +97,7 @@ if (configErrors.length > 0 && config.server.nodeEnv === 'production') {
 }
 
 // Create the server
-const server = new McpServer({ name: "crawlforge", version: "3.0.0" });
+const server = new McpServer({ name: "crawlforge", version: "3.0.1" });
 
 // Helper function to wrap tool handlers with authentication and credit tracking
 function withAuth(toolName, handler) {
@@ -97,7 +117,7 @@ function withAuth(toolName, handler) {
               type: "text",
               text: JSON.stringify({
                 error: "Insufficient credits",
-                message: `This operation requires ${creditCost} credits. Please upgrade your plan at https://crawlforge.com/pricing`,
+                message: `This operation requires ${creditCost} credits. Please upgrade your plan at https://www.crawlforge.dev/pricing`,
                 creditsRequired: creditCost
               }, null, 2)
             }]
@@ -161,8 +181,8 @@ const scrapeWithActionsTool = new ScrapeWithActionsTool();
 // Initialize Deep Research Tool
 const deepResearchTool = new DeepResearchTool();
 
-// Initialize Change Tracking Tool - temporarily disabled due to import issue
-// const trackChangesTool = new TrackChangesTool();
+// Initialize Change Tracking Tool
+const trackChangesTool = new TrackChangesTool();
 
 // Initialize LLMs.txt Generator Tool (Phase 2.5)
 const generateLLMsTxtTool = new GenerateLLMsTxtTool();
@@ -1407,8 +1427,6 @@ server.registerTool("deep_research", {
 }));
 
 // Tool: track_changes - Enhanced Content change tracking with baseline capture and monitoring (Phase 2.4)
-// Temporarily disabled due to import issue
-/*
 server.registerTool("track_changes", {
   description: "Enhanced content change tracking with baseline capture, comparison, scheduled monitoring, advanced comparison engine, alert system, and historical analysis",
   inputSchema: {
@@ -1512,8 +1530,8 @@ server.registerTool("track_changes", {
       includeTrends: z.boolean().default(true),
       includeMonitorStatus: z.boolean().default(true)
     }).optional()
-  })
-}, async (params) => {
+  }
+}, withAuth("track_changes", async (params) => {
   try {
     const result = await trackChangesTool.execute(params);
     return {
@@ -1531,7 +1549,7 @@ server.registerTool("track_changes", {
       isError: true
     };
   }
-});
+}));
 
 // Tool: generate_llms_txt - Generate LLMs.txt and LLMs-full.txt files (Phase 2.5)
 server.registerTool("generate_llms_txt", {
@@ -1575,8 +1593,7 @@ server.registerTool("generate_llms_txt", {
       isError: true
     };
   }
-});
-*/
+}));
 
 // Tool: stealth_mode - Advanced anti-detection browser management (Wave 3)
 server.registerTool("stealth_mode", {
@@ -1854,7 +1871,7 @@ async function runServer() {
   const phase3Tools = ', extract_content, process_document, summarize_content, analyze_content';
   const wave2Tools = ', batch_scrape, scrape_with_actions';
   const researchTools = ', deep_research';
-  const trackingTools = ''; // track_changes temporarily disabled
+  const trackingTools = ', track_changes';
   const llmsTxtTools = ', generate_llms_txt';
   const wave3Tools = ', stealth_mode, localization';
   console.error(`Tools available: ${baseTools}${searchTool}${phase3Tools}${wave2Tools}${researchTools}${trackingTools}${llmsTxtTools}${wave3Tools}`);
@@ -1890,7 +1907,7 @@ async function gracefulShutdown(signal) {
       batchScrapeTool,
       scrapeWithActionsTool,
       deepResearchTool,
-      // trackChangesTool, // temporarily disabled
+      trackChangesTool,
       generateLLMsTxtTool,
       stealthBrowserManager,
       localizationManager

package/setup.js

@@ -29,7 +29,7 @@ async function main() {
   console.log('  • An internet connection');
   console.log('');
   console.log('Don\'t have an API key yet?');
-  console.log('Get one free at: https://crawlforge.com/signup');
+  console.log('Get one free at: https://www.crawlforge.dev/signup');
   console.log('(Includes 1,000 free credits to get started!)');
   console.log('');
   console.log('────────────────────────────────────────────────────────');
@@ -57,7 +57,7 @@ async function main() {
   if (!apiKey || !apiKey.trim()) {
     console.log('');
     console.log('❌ API key is required');
-    console.log('Get your free API key at: https://crawlforge.com/signup');
+    console.log('Get your free API key at: https://www.crawlforge.dev/signup');
     rl.close();
     process.exit(1);
   }
@@ -78,15 +78,15 @@ async function main() {
     console.log('  npm start              # Start the MCP server');
     console.log('  npm run test           # Test your setup');
     console.log('');
-    console.log('Need help? Visit: https://crawlforge.com/docs');
+    console.log('Need help? Visit: https://www.crawlforge.dev/docs');
     console.log('');
   } else {
     console.log('');
     console.log('Setup failed. Please check your API key and try again.');
     console.log('');
     console.log('Need help?');
-    console.log('  • Documentation: https://crawlforge.com/docs');
-    console.log('  • Support: support@crawlforge.com');
+    console.log('  • Documentation: https://www.crawlforge.dev/docs');
+    console.log('  • Support: support@crawlforge.dev');
     console.log('');
     rl.close();
     process.exit(1);

package/src/core/ActionExecutor.js

@@ -704,7 +704,23 @@ export class ActionExecutor extends EventEmitter {
    * @param {Object} action - JavaScript action
    * @returns {Promise<Object>} JavaScript result
    */
+
   async executeJavaScriptAction(page, action) {
+    // SECURITY: JavaScript execution is disabled by default for security
+    // Set ALLOW_JAVASCRIPT_EXECUTION=true to enable (NOT recommended in production)
+    const allowJsExecution = process.env.ALLOW_JAVASCRIPT_EXECUTION === 'true';
+    
+    if (!allowJsExecution) {
+      throw new Error(
+        'JavaScript execution is disabled for security reasons. ' +
+        'Set ALLOW_JAVASCRIPT_EXECUTION=true environment variable to enable (NOT recommended in production). ' +
+        'This feature allows arbitrary code execution and should only be used in trusted environments.'
+      );
+    }
+    
+    // Log security warning when JS execution is enabled
+    console.warn('⚠️  SECURITY WARNING: JavaScript execution is enabled. This allows arbitrary code execution!');
+    
     const result = await page.evaluate(
       new Function('...args', action.script),
       ...action.args
@@ -716,7 +732,6 @@ export class ActionExecutor extends EventEmitter {
       result: action.returnResult ? result : undefined
     };
   }
-
   /**
    * Capture screenshot
    * @param {Page} page - Playwright page