crawlforge-mcp-server 4.7.1 → 4.8.0

package/CLAUDE.md

@@ -62,7 +62,7 @@ These guidelines are working if: fewer unnecessary changes in diffs, fewer rewri
 
 CrawlForge MCP Server - A professional MCP (Model Context Protocol) server providing 26 web scraping, crawling, and content processing tools (5 inline + 21 advanced).
 
-**Current Version:** 4.6.0
+**Current Version:** 4.8.0
 
 ## Development Commands
 
@@ -241,7 +241,7 @@ When adding a new tool to server.js:
 
 Key mechanisms for security-conscious future sessions:
 
-- **SSRF** (`src/utils/ssrfProtection.js`): Every scraped URL validated — http/https only; blocks loopback, RFC1918, IPv6 ULA/link-local, cloud metadata endpoints; blocks dangerous ports (22, 25, 53, 445, 3306, 5432, 6379, 27017, etc.); redirects re-validated per hop, capped at 5; pre-parse path-traversal rejection. Blocklist-based — no per-deployment outbound allowlist.
+- **SSRF** (`src/utils/ssrfGuard.js` enforcing `src/utils/ssrfProtection.js`): As of v4.8.0 SSRF is actually enforced on the live scraping fetch path (previously `ssrfProtection.js` was unwired). `ssrfGuard` injects an undici dispatcher whose connect-time `lookup` validates every connection — initial request and each redirect hop — and pins the validated IP (closing the DNS-rebinding TOCTOU window). Stage 1 (default) blocks loopback, link-local/cloud-metadata (169.254.169.254), and 0.0.0.0; `SSRF_STRICT=true` adds full RFC1918/ULA/etc. enforcement. Kill switch `SSRF_PROTECTION_ENABLED=false`; `ALLOWED_DOMAINS` allowlist bypass. Wired into every read-scrape site (`_fetch.js`, `_fetchAndParse.js`, `batchScrape/worker.js`, `mapSite.js`, `BFSCrawler.js`, extract/template/session/research/llms-txt/robots/sitemap/track-changes fetches) via `ssrfGuard()`/`safeFetch()`. http/https only; dangerous ports + path-traversal still rejected by `ssrfProtection.js`.
 - **endpointGuard** (`src/core/endpointGuard.js`): Hard allow-list of `{crawlforge.dev, www.crawlforge.dev, api.crawlforge.dev}` for the server's own backend calls; HTTPS required; fail-closed. Localhost only in creator mode (v3.0.18).
 - **Action allowlist** (`src/core/ActionExecutor.js`): `scrape_with_actions` accepts only 7 action types: `wait`, `click`, `type`, `press`, `scroll`, `screenshot`, `executeJavaScript`. `executeJavaScript` throws unless `ALLOW_JAVASCRIPT_EXECUTION=true` is set at deploy time (off by default).
 - **Elicitation** (`src/core/ElicitationHelper.js`): User confirmation requested for `deep_research` (>50 URLs), `batch_scrape` (sync, >25 URLs), `crawl_deep` (projected >500 pages), `extract_structured` (schema has >3 required fields, no LLM configured), and credit-low situations. Fail-open if client does not support elicitation.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "crawlforge-mcp-server",
-  "version": "4.7.1",
+  "version": "4.8.0",
   "mcpName": "io.github.mysleekdesigns/crawlforge-mcp-server",
   "description": "CrawlForge MCP Server - Professional Model Context Protocol server with 26 web scraping, crawling, deep-research, and autonomous-extraction tools. Returns clean Markdown and structured JSON for Claude, Cursor, and any MCP client. Defaults to local Ollama for LLM extraction (no API key needed); OpenAI/Anthropic available as opt-in. Includes a unified multi-format scrape tool, an autonomous agent, pre-built site templates, and Camoufox stealth browsing.",
   "main": "server.js",
@@ -22,6 +22,7 @@
     "test:tools": "node test-tools.js",
     "test:real-world": "node test-real-world.js",
     "test:all": "bash run-all-tests.sh",
+    "skills:gen": "node scripts/generate-skill-md.mjs",
     "postinstall": "echo '\nCrawlForge MCP Server installed!\n\nQuick start: run \"npx crawlforge init\" to configure your API key, install skills, and register the MCP server with your AI clients.\nOr run \"npx crawlforge-setup\" to configure your API key only.\n'",
     "docker:build": "docker build -t crawlforge .",
     "docker:dev": "docker-compose up crawlforge-dev",

package/server.js

@@ -89,7 +89,7 @@ if (configErrors.length > 0 && config.server.nodeEnv === 'production') {
 // Create the server
 const server = new McpServer({
   name: "crawlforge",
-  version: "4.7.1",
+  version: "4.7.2",
   description: "Production-ready MCP server with 26 web scraping, crawling, and content processing tools. Features MCP Resources (crawlforge://), Prompts, Sampling fallback, Elicitation, stealth browsing, deep research, structured extraction, change tracking, local-LLM extraction via Ollama, unified multi-format scrape, and autonomous agent tool.",
   homepage: "https://www.crawlforge.dev",
   icon: "https://www.crawlforge.dev/icon.png"
@@ -154,7 +154,7 @@ const deepResearchTool = new DeepResearchTool();
 const trackChangesTool = new TrackChangesTool();
 const generateLLMsTxtTool = new GenerateLLMsTxtTool();
 const scrapeTemplateTool = new ScrapeTemplateTool(); // D3.3
-const unifiedScrapeTool = new UnifiedScrapeTool(); // D4 D1
+const unifiedScrapeTool = new UnifiedScrapeTool({ actionExecutor: scrapeWithActionsTool.actionExecutor }); // D4 D1 (+v4.8 screenshot reuses the shared browser pool)
 const agentTool = new AgentTool(); // D4 D2
 const stealthBrowserManager = new StealthBrowserManager();
 const localizationManager = new LocalizationManager();
@@ -177,6 +177,7 @@ batchScrapeTool.setMcpServer(server);
 crawlDeepTool.setMcpServer(server);
 extractStructuredTool.setMcpServer(server);
 agentTool.setMcpServer(server); // D4 D2: SamplingClient + Elicitation
+trackChangesTool.setMcpServer(server); // v4.8: SamplingClient for scheduled-monitor goal judging
 AuthManager.setElicitation(elicitation);
 
 // ─── D1.1 Resource Templates (MCP Resources) ─────────────────────────────────
@@ -736,6 +737,19 @@ server.registerTool("scrape_with_actions", {
 }, withAuth("scrape_with_actions", async (params) => {
   try {
     const result = await scrapeWithActionsTool.execute(params);
+
+    // Publish captured screenshots as crawlforge://screenshot/{actionId}
+    // resources (the documented contract) and annotate each with its URI.
+    if (Array.isArray(result.screenshots)) {
+      result.screenshots = result.screenshots.map((shot) => {
+        if (shot?.actionId && shot?.data) {
+          resourceRegistry.storeScreenshot(shot.actionId, shot.data);
+          return { ...shot, resourceUri: `crawlforge://screenshot/${shot.actionId}` };
+        }
+        return shot;
+      });
+    }
+
     return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
   } catch (error) {
     return { content: [{ type: "text", text: `Scrape with actions failed: ${error.message}` }], isError: true };
@@ -800,12 +814,12 @@ server.registerTool("deep_research", {
 
 // Tool: scrape (D4 D1 — unified multi-format single-fetch)
 server.registerTool("scrape", {
-  description: "Use this when you need multiple content formats from a single URL in one call — e.g. markdown + links + metadata together. One fetch, no N-request fan-out. Formats: \"markdown\", \"html\", \"rawHtml\", \"text\", \"links\", \"metadata\", or {type:\"json\",schema,prompt} for LLM-structured extraction. onlyMainContent:true (default) strips boilerplate via Readability. Partial success: per-format warnings never fail the whole call. Example: scrape({url:\"https://example.com\", formats:[\"markdown\",\"links\",\"metadata\"]})",
+  description: "Use this when you need multiple content formats from a single URL in one call — e.g. markdown + links + metadata together. One fetch, no N-request fan-out. Formats: \"markdown\", \"html\", \"rawHtml\", \"text\", \"links\", \"metadata\", \"branding\" (static design tokens: colors, fonts, logo), \"screenshot\" (renders in a browser, returns crawlforge://screenshot/{id} resources), or {type:\"json\",schema,prompt} for LLM-structured extraction. onlyMainContent:true (default) strips boilerplate via Readability. Partial success: per-format warnings never fail the whole call. Example: scrape({url:\"https://example.com\", formats:[\"markdown\",\"links\",\"branding\"]})",
   annotations: { title: "Scrape (Multi-Format)", readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: true },
   inputSchema: {
     url: z.string().url().describe("The URL to scrape"),
     formats: z.array(z.union([
-      z.enum(["markdown", "html", "rawHtml", "text", "links", "metadata", "screenshot"]),
+      z.enum(["markdown", "html", "rawHtml", "text", "links", "metadata", "screenshot", "branding"]),
       z.object({
         type: z.literal("json"),
         schema: z.record(z.any()).optional().describe("JSON schema for extraction"),
@@ -813,11 +827,31 @@ server.registerTool("scrape", {
       })
     ])).min(1).optional().default(["markdown"]).describe("Formats to return (default: [\"markdown\"])"),
     onlyMainContent: z.boolean().optional().default(true).describe("Strip boilerplate via Readability (default: true)"),
-    timeoutMs: z.number().min(1000).max(60000).optional().default(15000).describe("Fetch timeout in ms")
+    timeoutMs: z.number().min(1000).max(60000).optional().default(15000).describe("Fetch timeout in ms"),
+    brandingOptions: z.object({
+      fetchLinkedCss: z.boolean().optional().default(true).describe("Fetch linked stylesheets for richer color/font extraction"),
+      maxStylesheets: z.number().min(0).max(20).optional().default(10).describe("Max linked stylesheets to fetch")
+    }).optional().describe("Options for the \"branding\" format"),
+    screenshotOptions: z.object({
+      fullPage: z.boolean().optional().default(false).describe("Capture the full scrollable page"),
+      format: z.enum(["png", "jpeg"]).optional().default("png"),
+      quality: z.number().min(0).max(100).optional().describe("JPEG quality (jpeg only)")
+    }).optional().describe("Options for the \"screenshot\" format")
   }
 }, withAuth("scrape", async (params) => {
   try {
     const result = await unifiedScrapeTool.execute(params);
+    // Publish any captured screenshots as crawlforge://screenshot/{actionId}
+    // resources and annotate each with its URI (mirrors scrape_with_actions).
+    if (Array.isArray(result?.content?.screenshots)) {
+      result.content.screenshots = result.content.screenshots.map((shot) => {
+        if (shot?.actionId && shot?.data) {
+          resourceRegistry.storeScreenshot(shot.actionId, shot.data);
+          return { ...shot, resourceUri: `crawlforge://screenshot/${shot.actionId}` };
+        }
+        return shot;
+      });
+    }
     return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
   } catch (error) {
     return { content: [{ type: "text", text: `Scrape failed: ${error.message}` }], isError: true };
@@ -850,10 +884,10 @@ server.registerTool("track_changes", {
   description: "Use this when you need to monitor a URL for content changes over time — e.g. competitor pricing, regulation updates, product availability. Start with operation:\"create_baseline\", then periodically use operation:\"compare\" to diff. Supports webhooks and scheduled monitoring. Example: track_changes({url: \"https://example.com/pricing\", operation: \"create_baseline\"})",
   annotations: { title: "Track Changes", readOnlyHint: false, destructiveHint: false, idempotentHint: false, openWorldHint: true },
   inputSchema: {
-    url: z.string().url().describe("The URL to track changes for"),
+    url: z.string().url().optional().describe("The URL to track changes for (optional for list_scheduled_monitors)"),
     operation: z.enum([
       'create_baseline', 'compare', 'monitor', 'get_history', 'get_stats',
-      'create_scheduled_monitor', 'stop_scheduled_monitor', 'get_dashboard',
+      'create_scheduled_monitor', 'stop_scheduled_monitor', 'list_scheduled_monitors', 'get_dashboard',
       'export_history', 'create_alert_rule', 'generate_trend_report', 'get_monitoring_templates'
     ]).default('compare').describe("Tracking operation to perform"),
     content: z.string().optional().describe("Content to compare against baseline"),
@@ -917,10 +951,14 @@ server.registerTool("track_changes", {
       }).optional()
     }).optional().describe("Notification configuration for webhooks and Slack"),
     scheduledMonitorOptions: z.object({
-      schedule: z.string().optional(),
+      schedule: z.string().optional().describe("Optional cron expression (power users)"),
       templateId: z.string().optional(),
-      enabled: z.boolean().default(true)
-    }).optional().describe("Scheduled monitoring options with cron expressions"),
+      enabled: z.boolean().default(true),
+      interval: z.number().min(60000).optional().describe("Polling interval in ms (default 1h)"),
+      goal: z.string().optional().describe("Plain-English alert goal; an LLM judges whether a change matches (degrades to threshold if no LLM)"),
+      monitorId: z.string().optional().describe("Monitor id for stop_scheduled_monitor"),
+      notificationThreshold: z.enum(['minor', 'moderate', 'major', 'critical']).optional()
+    }).optional().describe("Scheduled monitoring: recurring compare + notify, optional plain-English goal"),
     alertRuleOptions: z.object({
       ruleId: z.string().optional(),
       condition: z.string().optional(),
@@ -1258,6 +1296,14 @@ async function runServer() {
     await connectStdio(server);
   }
 
+  // v4.8: start the scheduled-monitor engine (loads persisted monitors, catches
+  // up any due runs). Best-effort — a scheduler failure must not block startup.
+  try {
+    await trackChangesTool.startScheduler();
+  } catch (err) {
+    console.error('Scheduled-monitor engine failed to start:', err.message);
+  }
+
   console.error(`Environment: ${config.server.nodeEnv}`);
   console.error("Search enabled: true (via CrawlForge proxy)");
 

package/src/cli/commands/init.js

@@ -3,7 +3,7 @@
  */
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
 import { join } from 'node:path';
-import { install } from '../../skills/installer.js';
+import { install, installHook } from '../../skills/installer.js';
 
 const HOME = process.env.HOME || process.env.USERPROFILE || '';
 
@@ -61,6 +61,7 @@ export function register(program) {
     .description('Set up CrawlForge: verify API key, install skills, and register the MCP server with your AI clients')
     .option('--all', 'Install skills to all targets and register all detected client configs')
     .option('--client <name>', 'Target client to register: claude-code, claude-desktop, or cursor')
+    .option('--with-hook', 'Add an opt-in UserPromptSubmit reminder to boost skill auto-activation')
     .option('--yes', 'Non-interactive — assume yes to all prompts')
     .action(async (opts) => {
       const out = (msg) => process.stderr.write(msg + '\n');
@@ -80,7 +81,7 @@ export function register(program) {
       try {
         const results = await install({ target: skillTarget, force: false, cwd: process.cwd() });
         if (results.installed.length > 0) {
-          out('Skills installed: ' + results.installed.length + ' file(s)');
+          out('Skills installed: ' + results.installed.length + ' skill(s)');
         } else {
           out('Skills: already up to date (use crawlforge install-skills --force to overwrite)');
         }
@@ -88,6 +89,16 @@ export function register(program) {
         out('Warning: skill install failed — ' + err.message);
       }
 
+      // 2b. Optional forced-eval hook (opt-in)
+      if (opts.withHook) {
+        try {
+          const hook = installHook();
+          out(hook.added ? 'Forced-eval hook added: ' + hook.path : 'Forced-eval hook already present');
+        } catch (err) {
+          out('Warning: could not add forced-eval hook — ' + err.message);
+        }
+      }
+
       // 3. MCP stanza merge
       const clientFilter = opts.client || (opts.all ? undefined : 'claude-code');
       const targets = resolveClientPaths(clientFilter);

package/src/cli/commands/install-skills.js

@@ -1,7 +1,7 @@
 /**
  * install-skills command -- install CrawlForge skill files into AI coding tools.
  */
-import { install } from '../../skills/installer.js';
+import { install, installHook } from '../../skills/installer.js';
 
 export function register(program) {
   program
@@ -10,6 +10,7 @@ export function register(program) {
     .option('--target <target>', 'Target: claude-code, cursor, vscode, or all', 'all')
     .option('--force', 'Overwrite existing skill files')
     .option('--dry-run', 'Show what would be installed without writing files')
+    .option('--with-hook', 'Also add an opt-in UserPromptSubmit reminder to boost skill auto-activation')
     .action(async (opts) => {
       try {
         const results = await install({
@@ -19,6 +20,14 @@ export function register(program) {
           cwd: process.cwd()
         });
 
+        if (opts.withHook && !opts.dryRun) {
+          const hook = installHook();
+          process.stdout.write(
+            (hook.added ? 'Added forced-eval hook: ' : 'Forced-eval hook already present: ') +
+            hook.path + '\n'
+          );
+        }
+
         if (opts.dryRun) {
           process.stdout.write('Dry run -- would install to:\n');
           results.paths.forEach(p => process.stdout.write('  ' + p + '\n'));

package/src/cli/commands/monitor.js

@@ -46,4 +46,85 @@ export function register(program) {
       // monitor runs continuously — do not auto-exit after the first result.
       await runTool(wrapperTool, params, cliFlags, { exitOnSuccess: false });
     });
+
+  // ── Scheduled monitors (persisted; fire in-process while the server runs, or
+  //    via `monitor:run-due` from system cron for guaranteed firing) ──────────
+
+  const emit = (obj) => process.stdout.write(JSON.stringify(obj, null, 2) + '\n');
+
+  program
+    .command('monitor:create <url>')
+    .description('Create a persisted scheduled monitor (optionally with a plain-English alert goal)')
+    .option('--every <seconds>', 'Polling interval in seconds', '3600')
+    .option('--goal <text>', 'Plain-English alert goal (LLM-judged; degrades to threshold if no LLM)')
+    .option('--webhook <url>', 'Webhook URL to notify on meaningful changes')
+    .option('--threshold <level>', 'Notification threshold: minor|moderate|major|critical', 'moderate')
+    .option('--cron <expr>', 'Optional cron expression (advanced)')
+    .option('--selector <css>', 'CSS selector to scope monitoring')
+    .action(async (url, opts) => {
+      const tool = new TrackChangesTool(getToolConfig('track_changes'));
+      try {
+        const res = await tool.execute({
+          url,
+          operation: 'create_scheduled_monitor',
+          ...(opts.selector ? { trackingOptions: { customSelectors: [opts.selector] } } : {}),
+          ...(opts.webhook ? { notificationOptions: { webhook: { enabled: true, url: opts.webhook } } } : {}),
+          scheduledMonitorOptions: {
+            interval: Math.max(parseInt(opts.every, 10), 60) * 1000,
+            ...(opts.goal ? { goal: opts.goal } : {}),
+            ...(opts.cron ? { schedule: opts.cron } : {}),
+            notificationThreshold: opts.threshold
+          }
+        });
+        emit(res);
+        process.exit(res.success ? 0 : 1);
+      } catch (err) {
+        process.stderr.write('Error: ' + err.message + '\n');
+        process.exit(1);
+      }
+    });
+
+  program
+    .command('monitor:list')
+    .description('List persisted scheduled monitors')
+    .action(async () => {
+      const tool = new TrackChangesTool(getToolConfig('track_changes'));
+      try {
+        emit(await tool.execute({ operation: 'list_scheduled_monitors' }));
+        process.exit(0);
+      } catch (err) {
+        process.stderr.write('Error: ' + err.message + '\n');
+        process.exit(1);
+      }
+    });
+
+  program
+    .command('monitor:stop <id>')
+    .description('Stop and remove a scheduled monitor by id')
+    .action(async (id) => {
+      const tool = new TrackChangesTool(getToolConfig('track_changes'));
+      try {
+        const res = await tool.execute({ operation: 'stop_scheduled_monitor', scheduledMonitorOptions: { monitorId: id } });
+        emit(res);
+        process.exit(res.success ? 0 : 1);
+      } catch (err) {
+        process.stderr.write('Error: ' + err.message + '\n');
+        process.exit(1);
+      }
+    });
+
+  program
+    .command('monitor:run-due')
+    .description('Fire every due scheduled monitor once and exit (wire into system cron for guaranteed firing)')
+    .action(async () => {
+      const tool = new TrackChangesTool(getToolConfig('track_changes'));
+      try {
+        const res = await tool.runDueOnce();
+        emit({ success: true, ...res });
+        process.exit(0);
+      } catch (err) {
+        process.stderr.write('Error: ' + err.message + '\n');
+        process.exit(1);
+      }
+    });
 }

package/src/cli/commands/uninstall-skills.js

@@ -1,13 +1,14 @@
 /**
  * uninstall-skills command -- remove CrawlForge skill files.
  */
-import { uninstall } from '../../skills/installer.js';
+import { uninstall, uninstallHook } from '../../skills/installer.js';
 
 export function register(program) {
   program
     .command('uninstall-skills')
     .description('Remove CrawlForge skill files from Claude Code, Cursor, or VS Code')
     .option('--target <target>', 'Target: claude-code, cursor, vscode, or all', 'all')
+    .option('--remove-hook', 'Also remove the opt-in UserPromptSubmit reminder hook')
     .action(async (opts) => {
       try {
         const results = await uninstall({
@@ -15,6 +16,14 @@ export function register(program) {
           cwd: process.cwd()
         });
 
+        if (opts.removeHook) {
+          const hook = uninstallHook();
+          process.stdout.write(
+            (hook.removed ? 'Removed forced-eval hook: ' : 'No forced-eval hook found: ') +
+            hook.path + '\n'
+          );
+        }
+
         if (results.removed.length > 0) {
           process.stdout.write('Removed:\n');
           results.removed.forEach(p => process.stdout.write('  ' + p + '\n'));

package/src/core/ActionExecutor.js

@@ -6,6 +6,12 @@
 import { z } from 'zod';
 import BrowserProcessor from './processing/BrowserProcessor.js';
 import { EventEmitter } from 'events';
+import { createHash } from 'node:crypto';
+
+// executeJavaScript hardening limits (only relevant when the deploy-time flag
+// ALLOW_JAVASCRIPT_EXECUTION=true is set; JS execution stays off by default).
+const JS_MAX_SCRIPT_LENGTH = parseInt(process.env.JS_MAX_SCRIPT_LENGTH || '10000', 10);
+const JS_EXECUTION_TIMEOUT_MS = parseInt(process.env.JS_EXECUTION_TIMEOUT_MS || '5000', 10);
 
 // Action schemas
 const BaseActionSchema = z.object({
@@ -23,8 +29,8 @@ const WaitActionSchema = BaseActionSchema.extend({
   selector: z.string().optional(),
   condition: z.enum(['visible', 'hidden', 'enabled', 'disabled', 'stable']).optional(),
   text: z.string().optional()
-}).refine(data => data.duration || data.milliseconds || data.selector || data.text, {
-  message: 'Wait action requires duration/milliseconds, selector, or text'
+}).refine(data => data.duration || data.milliseconds || data.timeout || data.selector || data.text, {
+  message: 'Wait action requires duration/milliseconds/timeout, selector, or text'
 });
 
 const ClickActionSchema = BaseActionSchema.extend({
@@ -329,6 +335,18 @@ export class ActionExecutor extends EventEmitter {
           executionContext.results.push(actionResult);
           this.stats.totalActions++;
 
+          // Collect screenshots produced by successful screenshot actions so
+          // they surface in the tool result (not just error screenshots).
+          if (actionResult.success && action.type === 'screenshot' && actionResult.result?.data) {
+            executionContext.screenshots.push({
+              actionId: actionResult.id,
+              data: actionResult.result.data,
+              format: actionResult.result.format,
+              fullPage: actionResult.result.fullPage,
+              timestamp: actionResult.timestamp
+            });
+          }
+
           if (actionResult.success) {
             this.stats.successfulActions++;
           } else {
@@ -382,7 +400,16 @@ export class ActionExecutor extends EventEmitter {
       this.emit('actionStarted', { actionId, action, chainId: executionContext.id });
 
       let result;
-      const timeout = action.timeout || this.defaultTimeout;
+      let timeout = action.timeout || this.defaultTimeout;
+
+      // A `wait` action that uses `timeout` as its pause duration (no
+      // duration/milliseconds/selector/text) must not also use that same value
+      // as its abort deadline, or the abort would race the wait. Give headroom.
+      if (action.type === 'wait' &&
+          !action.duration && !action.milliseconds && !action.selector && !action.text &&
+          action.timeout) {
+        timeout = Math.max(this.defaultTimeout, action.timeout + 5000);
+      }
 
       // Execute based on action type with timeout
       const executionPromise = this.executeActionByType(page, action);
@@ -467,8 +494,11 @@ export class ActionExecutor extends EventEmitter {
    * @returns {Promise<Object>} Wait result
    */
   async executeWaitAction(page, action) {
-    // Handle both 'duration' and 'milliseconds' for backwards compatibility
-    const waitTime = action.duration || action.milliseconds;
+    // Handle 'duration'/'milliseconds' (and 'timeout' as a pause duration only
+    // when no selector/text is given — selector/text waits use 'timeout' as
+    // their abort deadline instead).
+    const waitTime = action.duration || action.milliseconds ||
+      (!action.selector && !action.text ? action.timeout : undefined);
     if (waitTime) {
       await this.delay(waitTime);
       return { waited: waitTime };
@@ -492,7 +522,7 @@ export class ActionExecutor extends EventEmitter {
       return { text: action.text };
     }
 
-    throw new Error('Wait action requires duration, selector, or text');
+    throw new Error('Wait action requires duration/milliseconds/timeout, selector, or text');
   }
 
   /**
@@ -691,17 +721,53 @@ export class ActionExecutor extends EventEmitter {
       );
     }
     
-    // Log security warning when JS execution is enabled
-    console.warn('⚠️  SECURITY WARNING: JavaScript execution is enabled. This allows arbitrary code execution!');
-    
-    const result = await page.evaluate(
-      new Function('...args', action.script),
-      ...action.args
+    const script = typeof action.script === 'string' ? action.script : '';
+    const args = Array.isArray(action.args) ? action.args : [];
+
+    // Defense-in-depth: bound script size before evaluating.
+    if (script.length > JS_MAX_SCRIPT_LENGTH) {
+      throw new Error(
+        `JavaScript execution rejected: script length ${script.length} exceeds limit of ${JS_MAX_SCRIPT_LENGTH} ` +
+        `(set JS_MAX_SCRIPT_LENGTH to raise it).`
+      );
+    }
+
+    // Structured audit log to stderr (stdout is reserved for the MCP JSON-RPC stream).
+    const scriptHash = createHash('sha256').update(script).digest('hex').slice(0, 16);
+    let targetUrl = 'unknown';
+    try { targetUrl = page.url(); } catch { /* page may be closed */ }
+    console.warn(
+      '[security] executeJavaScript ' + JSON.stringify({
+        ts: new Date().toISOString(),
+        url: targetUrl,
+        scriptSha256: scriptHash,
+        scriptLength: script.length,
+        argCount: args.length
+      })
     );
-    
+
+    // Bound execution time independent of the generic per-action timeout.
+    let timer;
+    const timeout = new Promise((_, reject) => {
+      timer = setTimeout(
+        () => reject(new Error(`JavaScript execution timed out after ${JS_EXECUTION_TIMEOUT_MS}ms`)),
+        JS_EXECUTION_TIMEOUT_MS
+      );
+    });
+
+    let result;
+    try {
+      result = await Promise.race([
+        page.evaluate(new Function('...args', script), ...args),
+        timeout
+      ]);
+    } finally {
+      clearTimeout(timer);
+    }
+
     return {
-      script: action.script,
-      args: action.args,
+      script,
+      args,
       result: action.returnResult ? result : undefined
     };
   }

package/src/core/ElicitationHelper.js

@@ -24,7 +24,16 @@ export class ElicitationHelper {
    * @returns {boolean}
    */
   get supported() {
-    return !!(this._mcpServer?.server?.elicit);
+    const server = this._mcpServer?.server;
+    // The MCP SDK exposes elicitation via Server.elicitInput(); it is only
+    // usable when the connected CLIENT advertised the `elicitation` capability.
+    if (typeof server?.elicitInput !== 'function') return false;
+    try {
+      const caps = server.getClientCapabilities?.();
+      return !!caps?.elicitation;
+    } catch {
+      return false;
+    }
   }
 
   /**
@@ -48,7 +57,7 @@ export class ElicitationHelper {
         .join('\n');
       const fullMessage = detailLines ? `${message}\n\n${detailLines}` : message;
 
-      const result = await this._mcpServer.server.elicit({
+      const result = await this._mcpServer.server.elicitInput({
         message: fullMessage,
         requestedSchema: {
           type: 'object',
@@ -63,7 +72,8 @@ export class ElicitationHelper {
         },
       });
 
-      return result?.content?.confirmed === true;
+      // Only an explicit accept + confirmed=true proceeds; decline/cancel = stop.
+      return result?.action === 'accept' && result?.content?.confirmed === true;
     } catch (err) {
       this._logger.warn('Elicitation request failed — proceeding without confirmation', { error: err.message });
       return true; // fail-open
@@ -87,7 +97,7 @@ export class ElicitationHelper {
     }
 
     try {
-      const result = await this._mcpServer.server.elicit({
+      const result = await this._mcpServer.server.elicitInput({
         message,
         requestedSchema: {
           type: 'object',
@@ -103,7 +113,10 @@ export class ElicitationHelper {
         },
       });
 
-      return result?.content?.[fieldName] || defaultValue || null;
+      if (result?.action === 'accept' && result?.content?.[fieldName] != null) {
+        return result.content[fieldName];
+      }
+      return defaultValue || null;
     } catch (err) {
       this._logger.warn('Elicitation request failed', { error: err.message });
       return defaultValue || null;

package/src/core/LLMsTxtAnalyzer.js

@@ -4,6 +4,7 @@ import { MapSiteTool } from '../tools/crawl/mapSite.js';
 import { CrawlDeepTool } from '../tools/crawl/crawlDeep.js';
 import { normalizeUrl, getBaseUrl } from '../utils/urlNormalizer.js';
 import { Logger } from '../utils/Logger.js';
+import { safeFetch } from '../utils/ssrfGuard.js';
 
 const logger = new Logger('LLMsTxtAnalyzer');
 
@@ -442,7 +443,7 @@ export class LLMsTxtAnalyzer {
     const timeoutId = setTimeout(() => controller.abort(), timeout);
 
     try {
-      const response = await fetch(url, {
+      const response = await safeFetch(url, {
         signal: controller.signal,
         headers: {
           'User-Agent': this.options.userAgent