crawlforge-mcp-server 4.2.2 → 4.2.4

package/CLAUDE.md

@@ -60,9 +60,9 @@ These guidelines are working if: fewer unnecessary changes in diffs, fewer rewri
 
 ## Project Overview
 
-CrawlForge MCP Server - A professional MCP (Model Context Protocol) server providing 20 web scraping, crawling, and content processing tools.
+CrawlForge MCP Server - A professional MCP (Model Context Protocol) server providing 23 web scraping, crawling, and content processing tools (5 inline + 18 advanced).
 
-**Current Version:** 3.0.12
+**Current Version:** 4.2.2
 
 ## Development Commands
 
@@ -92,6 +92,12 @@ npm run dev
 # Test MCP protocol compliance
 npm test
 
+# Unit tests (131 tests across 17 tools, no live network)
+npm run test:unit
+
+# Integration tests
+npm run test:integration
+
 # Functional tests
 node test-tools.js             # Test all tools
 node test-real-world.js        # Test real-world usage scenarios
@@ -99,6 +105,13 @@ node test-real-world.js        # Test real-world usage scenarios
 # MCP Protocol tests
 node tests/integration/mcp-protocol-compliance.test.js
 
+# CLI (v4.1.0+, requires global install or npx)
+crawlforge --help              # Show all 15 subcommands
+crawlforge scrape https://example.com
+crawlforge batch --urls urls.txt --format markdown
+crawlforge install-skills --target claude-code
+# See docs/cli-guide.md for full reference
+
 # Docker
 npm run docker:build         # Build Docker image
 npm run docker:dev          # Run development container
@@ -124,30 +137,37 @@ npm run docker:prod         # Run production container
 - **WebhookDispatcher**: Event notification system for job completion callbacks
 - **ActionExecutor**: Browser automation engine (Playwright-based)
 - **ResearchOrchestrator**: Multi-stage research with query expansion and synthesis
-- **StealthBrowserManager**: Stealth mode scraping with anti-detection
+- **StealthBrowserManager**: Stealth mode scraping with anti-detection; Camoufox (Firefox) engine added in v4.0.0
 - **LocalizationManager**: Multi-language content and localization
 - **ChangeTracker**: Content change tracking over time
 - **SnapshotManager**: Website snapshots and version history
+- **ResourceRegistry**: MCP Resources (crawlforge:// URI scheme, 5 resource types) — D1.1, v3.6.0
+- **PromptRegistry** (`src/prompts/`): 5 workflow prompts — D1.2, v3.6.0
+- **SamplingClient**: MCP Sampling with Ollama-API fallback chain — D1.3, v3.6.0
+- **ElicitationHelper**: MCP Elicitation for user confirmation on expensive operations — D1.4, v3.6.0
+- **endpointGuard**: Allow-list guard for server's own backend calls — v3.0.18
 
 ### Tool Layer (`src/tools/`)
 
 Tools are organized in subdirectories by category:
 
 - `advanced/` - BatchScrapeTool, ScrapeWithActionsTool
+- `basic/` - fetchUrl, extractText, extractLinks, extractMetadata, scrapeStructured
 - `crawl/` - crawlDeep, mapSite
-- `extract/` - analyzeContent, extractContent, processDocument, summarizeContent
+- `extract/` - analyzeContent, extractContent, extractStructured, extractWithLlm, listOllamaModels, processDocument, summarizeContent
 - `research/` - deepResearch
 - `search/` - searchWeb (proxied through CrawlForge.dev API)
+- `templates/` - ScrapeTemplateTool (10 pre-built site templates, v4.0.0)
 - `tracking/` - trackChanges
 - `llmstxt/` - generateLLMsTxt
 
-### Available MCP Tools (20 total)
+### Available MCP Tools (23 total)
 
-**Basic Tools (server.js inline):**
+**Basic Tools (server.js inline, 5):**
 fetch_url, extract_text, extract_links, extract_metadata, scrape_structured
 
-**Advanced Tools:**
-search_web, crawl_deep, map_site, extract_content, process_document, summarize_content, analyze_content, extract_structured, batch_scrape, scrape_with_actions, deep_research, track_changes, generate_llms_txt, stealth_mode, localization
+**Advanced Tools (18):**
+search_web, crawl_deep, map_site, extract_content, process_document, summarize_content, analyze_content, extract_structured, extract_with_llm, list_ollama_models, batch_scrape, scrape_with_actions, deep_research, track_changes, generate_llms_txt, stealth_mode, localization, scrape_template
 
 ### MCP Server Entry Point
 
@@ -202,10 +222,23 @@ When adding a new tool to server.js:
 5. Add to cleanup array in gracefulShutdown if it has `destroy()` or `cleanup()` methods
 6. Update tool count in console log at server startup
 
+## Sandboxing & Approvals
+
+Key mechanisms for security-conscious future sessions:
+
+- **SSRF** (`src/utils/ssrfProtection.js`): Every scraped URL validated — http/https only; blocks loopback, RFC1918, IPv6 ULA/link-local, cloud metadata endpoints; blocks dangerous ports (22, 25, 53, 445, 3306, 5432, 6379, 27017, etc.); redirects re-validated per hop, capped at 5; pre-parse path-traversal rejection. Blocklist-based — no per-deployment outbound allowlist.
+- **endpointGuard** (`src/core/endpointGuard.js`): Hard allow-list of `{crawlforge.dev, www.crawlforge.dev, api.crawlforge.dev}` for the server's own backend calls; HTTPS required; fail-closed. Localhost only in creator mode (v3.0.18).
+- **Action allowlist** (`src/core/ActionExecutor.js`): `scrape_with_actions` accepts only 7 action types: `wait`, `click`, `type`, `press`, `scroll`, `screenshot`, `executeJavaScript`. `executeJavaScript` throws unless `ALLOW_JAVASCRIPT_EXECUTION=true` is set at deploy time (off by default).
+- **Elicitation** (`src/core/ElicitationHelper.js`): User confirmation requested for `deep_research` (>50 URLs), `batch_scrape` (sync, >25 URLs), `crawl_deep` (projected >500 pages), `extract_structured` (schema has >3 required fields, no LLM configured), and credit-low situations. Fail-open if client does not support elicitation.
+- **Browser sandboxing**: Standard pool retains OS sandbox. Stealth Chromium uses `--no-sandbox` + `--disable-web-security` (deliberate fingerprint-spoofing trade-off). Camoufox (Firefox, v4.0.0) is the alternative — see `docs/stealth-engines.md`.
+
+See `docs/sandboxing-and-approvals.md` for the full reference.
+
 ## Security
 
 Security testing and CI/CD pipeline details are in:
 
+- `docs/sandboxing-and-approvals.md` — Canonical sandboxing & approvals reference
 - `docs/security-audit-report.md` — Full security audit
 - `.github/workflows/ci.yml` — CI pipeline with security checks
 - `.github/workflows/security.yml` — Daily scheduled security scanning

package/README.md

@@ -9,7 +9,7 @@ Professional web scraping and content extraction server implementing the Model C
 
 ## 🎯 Features
 
-- **22 Professional Tools**: Web scraping, deep research, stealth browsing, content analysis, local-LLM extraction (Ollama)
+- **23 Professional Tools**: Web scraping, deep research, stealth browsing, content analysis, local-LLM extraction (Ollama)
 - **Free Tier**: 1,000 credits to get started instantly
 - **MCP Compatible**: Works with Claude, Cursor, and other MCP-enabled AI tools
 - **Enterprise Ready**: Scale up with paid plans for production use
@@ -140,7 +140,7 @@ Restart Cursor to activate.
 | **Enterprise** | 250,000 | Large scale operations |
 
 **All plans include:**
-- Access to all 22 tools
+- Access to all 23 tools
 - Credits never expire and roll over month-to-month
 - API access and webhook notifications
 
@@ -216,6 +216,17 @@ Once configured, use these tools in your AI assistant:
 - **Rate Limiting**: Built-in protection against abuse
 - **Compliance**: Respects robots.txt and GDPR requirements
 
+### Security & Approvals
+
+- **SSRF enforcement**: Every scraped URL is validated before the request is sent — http/https only; blocks loopback, RFC1918, IPv6 private/link-local ranges, cloud metadata endpoints (GCP, Azure), and dangerous ports (SSH, SMTP, DNS, MySQL, Postgres, Redis, MongoDB, etc.). Redirects are re-validated each hop, capped at 5.
+- **Backend endpoint guard** (v3.0.18): The server's own calls to CrawlForge.dev use a separate fail-closed allow-list (`{crawlforge.dev, www.crawlforge.dev, api.crawlforge.dev}`, HTTPS required). Setting `CRAWLFORGE_API_URL` to an arbitrary host is blocked at parse time.
+- **Action allowlist**: `scrape_with_actions` accepts only 7 action types (`wait`, `click`, `type`, `press`, `scroll`, `screenshot`, `executeJavaScript`). No download, file-write, or arbitrary cross-page navigation primitives exist.
+- **JavaScript gate**: The `executeJavaScript` action throws by default. Set `ALLOW_JAVASCRIPT_EXECUTION=true` at deploy time to enable (not recommended in production).
+- **MCP Elicitation** (v3.6.0): Four tools request user confirmation before executing expensive operations — `deep_research` (>50 URLs), `batch_scrape` (sync mode, >25 URLs), `crawl_deep` (projected >500 pages), `extract_structured` (schema has >3 required fields with no LLM configured). Credit-low situations also elicit. Confirmation is best-effort: if the MCP client does not support elicitation the tool proceeds (fail-open).
+- **Per-tool credit gating**: Every tool is wrapped with `withAuth()`, which checks and deducts credits before execution. Fail-closed since v3.0.18.
+
+See [docs/sandboxing-and-approvals.md](docs/sandboxing-and-approvals.md) for the full reference.
+
 ### Security Updates
 
 **v3.0.3 (2025-10-01)**: Removed authentication bypass vulnerability. All users must authenticate with valid API keys.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "crawlforge-mcp-server",
-  "version": "4.2.2",
+  "version": "4.2.4",
   "description": "CrawlForge MCP Server - Professional Model Context Protocol server with 23 web scraping, crawling, and content processing tools. Defaults to local Ollama for LLM extraction (no API key needed); OpenAI/Anthropic available as opt-in. v4.0 adds Markdown-first output, pre-built site templates, Camoufox stealth engine, and cost transparency.",
   "main": "server.js",
   "bin": {
@@ -19,7 +19,7 @@
     "test:tools": "node test-tools.js",
     "test:real-world": "node test-real-world.js",
     "test:all": "bash run-all-tests.sh",
-    "postinstall": "echo '\n\ud83c\udf89 CrawlForge MCP Server installed!\n\nRun \"npx crawlforge-setup\" to configure your API key and get started.\n'",
+    "postinstall": "echo '\n🎉 CrawlForge MCP Server installed!\n\nRun \"npx crawlforge-setup\" to configure your API key and get started.\n'",
     "docker:build": "docker build -t crawlforge .",
     "docker:dev": "docker-compose up crawlforge-dev",
     "docker:prod": "docker-compose up crawlforge-prod"

package/server.js

@@ -57,7 +57,8 @@ if (!AuthManager.isAuthenticated() && !AuthManager.isCreatorMode()) {
   const apiKey = process.env.CRAWLFORGE_API_KEY;
   if (apiKey) {
     // Auto-setup if API key is provided via environment
-    console.log('🔧 Auto-configuring CrawlForge with provided API key...');
+    // Status → stderr; stdout is reserved for the MCP JSON-RPC stream.
+    console.error('🔧 Auto-configuring CrawlForge with provided API key...');
     const success = await AuthManager.runSetup(apiKey);
     if (!success) {
       console.error('❌ Failed to authenticate with provided API key');
@@ -110,7 +111,7 @@ server.prompt("getting-started", {
       role: "user",
       content: {
         type: "text",
-        text: "You have access to CrawlForge MCP with 22 web scraping tools. Key tools:\n\n" +
+        text: "You have access to CrawlForge MCP with 23 web scraping tools. Key tools:\n\n" +
           "- fetch_url: Fetch raw HTML/content from any URL\n" +
           "- extract_text: Extract clean text from a webpage\n" +
           "- extract_content: Smart content extraction with readability\n" +

package/src/cli/commands/analyze.js

@@ -1,6 +1,9 @@
 /**
  * analyze command — analyze content of a URL.
+ * Fetches and cleans the page content first (extract_content), then runs
+ * NLP analysis (analyze_content) on the extracted text.
  */
+import { ExtractContentTool } from '../../tools/extract/extractContent.js';
 import { AnalyzeContentTool } from '../../tools/extract/analyzeContent.js';
 import { getToolConfig } from '../../constants/config.js';
 import { runTool } from '../lib/runTool.js';
@@ -13,7 +16,29 @@ export function register(program) {
     .action(async (url, opts, cmd) => {
       const globals = cmd.parent.opts();
       const cliFlags = { json: globals.json, pretty: globals.pretty, quiet: globals.quiet };
+
+      // analyze_content operates on text, so fetch & clean the page first.
+      const extractor = new ExtractContentTool(getToolConfig('extract_content'));
+      let text;
+      try {
+        const extracted = await extractor.execute({ url });
+        text = extracted?.content?.text;
+      } catch (e) {
+        process.stderr.write(`Error fetching content from ${url}: ${e.message}\n`);
+        process.exit(1);
+      }
+
+      if (!text || text.trim().length < 10) {
+        process.stderr.write(`Error: could not extract enough text from ${url} to analyze\n`);
+        process.exit(1);
+      }
+
       const tool = new AnalyzeContentTool(getToolConfig('analyze_content'));
-      await runTool(tool, { url, analysis_depth: opts.depth }, cliFlags);
+      // All analyses (language, topics, entities, sentiment, readability) default to true;
+      // --depth full additionally enables advanced metrics.
+      await runTool(tool, {
+        text,
+        options: { includeAdvancedMetrics: opts.depth === 'full' }
+      }, cliFlags);
     });
 }

package/src/cli/commands/localize.js

@@ -1,29 +1,64 @@
 /**
- * localize command — fetch content with locale/geo awareness.
+ * localize command — fetch a URL with locale/geo-aware request headers.
+ * Builds a localization config (Accept-Language, User-Agent) for the target
+ * country via LocalizationManager, then fetches the URL with those headers.
  */
 import { LocalizationManager } from '../../core/LocalizationManager.js';
+import { fetchUrlHandler } from '../../tools/basic/fetchUrl.js';
 import { getToolConfig } from '../../constants/config.js';
 import { runTool } from '../lib/runTool.js';
 
+// Derive a 2-letter country code from a --country flag or an en-US style locale.
+function resolveCountry(country, locale) {
+  if (country) return country.toUpperCase();
+  if (locale && locale.includes('-')) return locale.split('-')[1].toUpperCase();
+  return 'US';
+}
+
 export function register(program) {
   program
     .command('localize <url>')
-    .description('Fetch URL with locale/geo-aware settings')
+    .description('Fetch URL with locale/geo-aware request headers')
     .option('--locale <locale>', 'Locale code (e.g. en-US, fr-FR)', 'en-US')
     .option('--country <code>', 'Country code for geo-targeting (e.g. US, FR)')
     .option('--currency <code>', 'Currency code (e.g. USD, EUR)')
     .action(async (url, opts, cmd) => {
       const globals = cmd.parent.opts();
       const cliFlags = { json: globals.json, pretty: globals.pretty, quiet: globals.quiet };
-      const mgr = new LocalizationManager(getToolConfig('localization'));
+
+      const countryCode = resolveCountry(opts.country, opts.locale);
+      const language = opts.locale ? opts.locale.split('-')[0] : undefined;
+
       const wrapperTool = {
-        execute: (p) => mgr.fetchWithLocalization(p)
+        execute: async () => {
+          const mgr = new LocalizationManager(getToolConfig('localization'));
+          await mgr.initialize();
+          const config = await mgr.configureCountry(countryCode, {
+            language,
+            currency: opts.currency
+          });
+
+          const headers = {
+            'Accept-Language': config.acceptLanguage,
+            'User-Agent': mgr.generateUserAgent(countryCode),
+            ...(config.customHeaders || {})
+          };
+
+          const fetched = await fetchUrlHandler({ url, headers });
+          return {
+            localization: {
+              countryCode: config.countryCode,
+              language: config.language,
+              timezone: config.timezone,
+              currency: config.currency,
+              acceptLanguage: config.acceptLanguage
+            },
+            request_headers: headers,
+            response: fetched
+          };
+        }
       };
-      await runTool(wrapperTool, {
-        url,
-        locale: opts.locale,
-        country: opts.country,
-        currency: opts.currency
-      }, cliFlags);
+
+      await runTool(wrapperTool, {}, cliFlags);
     });
 }

package/src/cli/commands/monitor.js

@@ -17,6 +17,7 @@ export function register(program) {
       const globals = cmd.parent.opts();
       const cliFlags = { json: globals.json, pretty: globals.pretty, quiet: globals.quiet };
       const tool = new TrackChangesTool(getToolConfig('track_changes'));
+      // monitor runs continuously — do not auto-exit after the first result.
       await runTool(tool, {
         url,
         scheduled: true,
@@ -24,6 +25,6 @@ export function register(program) {
         selector: opts.selector,
         webhook_url: opts.webhook,
         change_threshold: parseFloat(opts.threshold)
-      }, cliFlags);
+      }, cliFlags, { exitOnSuccess: false });
     });
 }

package/src/cli/commands/template.js

@@ -7,7 +7,7 @@ import { runTool } from '../lib/runTool.js';
 
 export function register(program) {
   program
-    .command('template <id> <target>')
+    .command('template [id] [target]')
     .description('Scrape using a pre-built site template (e.g. amazon-product, github-repo)')
     .option('--list', 'List all available templates')
     .action(async (id, target, opts, cmd) => {
@@ -16,11 +16,16 @@ export function register(program) {
       const tool = new ScrapeTemplateTool(getToolConfig('scrape_template'));
 
       if (opts.list) {
-        const wrapperTool = { execute: () => tool.listTemplates() };
+        const wrapperTool = { execute: () => tool.execute({ template: 'list' }) };
         await runTool(wrapperTool, {}, cliFlags);
         return;
       }
 
-      await runTool(tool, { template_id: id, url: target }, cliFlags);
+      if (!id || !target) {
+        process.stderr.write('Error: template requires <id> and <target>, or use --list\n');
+        process.exit(1);
+      }
+
+      await runTool(tool, { template: id, url: target }, cliFlags);
     });
 }

package/src/cli/index.js

@@ -58,11 +58,28 @@ program
   .option('--api-key <key>', 'CrawlForge API key (overrides CRAWLFORGE_API_KEY env var)')
   .option('--timeout <ms>', 'Global request timeout in milliseconds', '30000');
 
+// Resolve the API key from (in priority order): --api-key flag, CRAWLFORGE_API_KEY env,
+// then the stored ~/.crawlforge/config.json written by `crawlforge-setup`.
+function loadStoredApiKey() {
+  try {
+    const home = process.env.HOME || process.env.USERPROFILE;
+    if (!home) return undefined;
+    const cfgPath = join(home, '.crawlforge', 'config.json');
+    const cfg = JSON.parse(readFileSync(cfgPath, 'utf8'));
+    return cfg.apiKey || undefined;
+  } catch {
+    return undefined;
+  }
+}
+
 // Apply --api-key globally before commands run
 program.hook('preAction', (thisCommand) => {
   const opts = program.opts();
   if (opts.apiKey) {
     process.env.CRAWLFORGE_API_KEY = opts.apiKey;
+  } else if (!process.env.CRAWLFORGE_API_KEY) {
+    const stored = loadStoredApiKey();
+    if (stored) process.env.CRAWLFORGE_API_KEY = stored;
   }
   if (opts.timeout) {
     process.env.CRAWLFORGE_CLI_TIMEOUT = opts.timeout;

package/src/cli/lib/runTool.js

@@ -16,9 +16,13 @@ import { formatResult, formatError } from '../formatter.js';
  * @param {object} cliFlags     — { json, pretty, quiet }
  * @param {object} [options]
  * @param {boolean} [options.exitOnError=true]
+ * @param {boolean} [options.exitOnSuccess=true]  Exit the process after writing
+ *        output. One-shot CLI commands need this because background timers
+ *        (metrics, cache/connection cleanup, etc.) otherwise keep the event loop
+ *        alive. Long-running commands (e.g. `monitor`) pass false.
  */
 export async function runTool(tool, params, cliFlags, options = {}) {
-  const { exitOnError = true } = options;
+  const { exitOnError = true, exitOnSuccess = true } = options;
 
   try {
     const result = await tool.execute(params);
@@ -32,7 +36,12 @@ export async function runTool(tool, params, cliFlags, options = {}) {
     }
 
     const output = formatResult(result, cliFlags);
-    if (output) process.stdout.write(output + '\n');
+    if (output) {
+      // Wait for stdout to flush (pipes/files buffer) before exiting.
+      process.stdout.write(output + '\n', () => { if (exitOnSuccess) process.exit(0); });
+    } else if (exitOnSuccess) {
+      process.exit(0);
+    }
   } catch (error) {
     process.stderr.write(formatError(error, cliFlags) + '\n');
     if (exitOnError) process.exit(1);

package/src/core/ActionExecutor.js

@@ -926,7 +926,8 @@ export class ActionExecutor extends EventEmitter {
    */
   log(level, message) {
     if (this.enableLogging) {
-      console.log('[ActionExecutor:' + level.toUpperCase() + '] ' + message);
+      // → stderr so stdout stays clean for MCP JSON-RPC / CLI --json output.
+      console.error('[ActionExecutor:' + level.toUpperCase() + '] ' + message);
     }
   }
 

package/src/core/AuthManager.js

@@ -69,7 +69,8 @@ class AuthManager {
 
     // Skip config loading in creator mode
     if (this.isCreatorMode()) {
-      console.log('🚀 Creator Mode Active - Unlimited Access Enabled');
+      // Status → stderr; stdout is reserved for MCP JSON-RPC / CLI --json output.
+      console.error('🚀 Creator Mode Active - Unlimited Access Enabled');
       this.initialized = true;
       return;
     }
@@ -78,7 +79,7 @@ class AuthManager {
       await this.loadConfig();
       this.initialized = true;
     } catch (error) {
-      console.log('No existing CrawlForge configuration found. Run setup to configure.');
+      console.error('No existing CrawlForge configuration found. Run setup to configure.');
       this.initialized = true;
     }
 

package/src/core/PerformanceManager.js

@@ -771,6 +771,9 @@ export class PerformanceManager extends EventEmitter {
     this.metricsTimer = setInterval(() => {
       this.collectMetrics();
     }, this.metricsInterval);
+    // Don't let the metrics interval keep a short-lived process (e.g. a one-shot
+    // CLI command) alive. The long-running server stays up via its stdio transport.
+    if (typeof this.metricsTimer.unref === 'function') this.metricsTimer.unref();
   }
 
   /**

package/src/core/creatorMode.js

@@ -29,7 +29,8 @@ if (process.env.CRAWLFORGE_CREATOR_SECRET) {
 
   if (crypto.timingSafeEqual(Buffer.from(providedHash, 'hex'), Buffer.from(CREATOR_SECRET_HASH, 'hex'))) {
     _creatorModeVerified = true;
-    console.log('Creator Mode Enabled - Unlimited Access');
+    // Status message → stderr so stdout stays clean (MCP JSON-RPC / CLI --json output).
+    console.error('Creator Mode Enabled - Unlimited Access');
   } else {
     console.warn('Invalid creator secret provided');
   }

package/src/tools/advanced/batchScrape/index.js

@@ -301,7 +301,8 @@ export class BatchScrapeTool extends EventEmitter {
   }
 
   _log(level, message) {
-    if (this.enableLogging) console.log(`[BatchScrapeTool:${level.toUpperCase()}] ${message}`);
+    // → stderr so stdout stays clean for MCP JSON-RPC / CLI --json output.
+    if (this.enableLogging) console.error(`[BatchScrapeTool:${level.toUpperCase()}] ${message}`);
   }
 
   _initializeJobExecutors() {

package/src/tools/search/adapters/searchProviderFactory.js

@@ -36,7 +36,8 @@ export class SearchProviderFactory {
         );
       }
 
-      console.log('🔍 Creator Mode: Using Google Search API directly');
+      // Status message → stderr so stdout stays clean (MCP JSON-RPC / CLI --json).
+      console.error('🔍 Creator Mode: Using Google Search API directly');
       return new GoogleSearchAdapter(googleApiKey, googleSearchEngineId);
     }
 

package/src/utils/Logger.js

@@ -116,6 +116,9 @@ export class Logger {
 
     if (enableConsole) {
       transports.push(new winston.transports.Console({
+        // Route ALL log levels to stderr so stdout stays reserved for structured
+        // output (MCP JSON-RPC protocol and CLI --json results).
+        stderrLevels: ['error', 'warn', 'info', 'http', 'verbose', 'debug', 'silly'],
         format: winston.format.combine(
           winston.format.colorize(),
           winston.format.simple()