freshcontext-mcp 0.3.16 → 0.3.18

package/SECURITY.md

@@ -0,0 +1,34 @@
+# Security Policy
+
+## Supported Versions
+
+FreshContext currently supports the active `freshcontext-mcp@0.3.x` package line.
+
+Please use the latest published `0.3.x` release when reporting a vulnerability, and include the exact package version, repository, transport, and environment involved.
+
+## Reporting A Vulnerability
+
+FreshContext accepts responsible security reports by email:
+
+- gimmanuel73@gmail.com
+
+Please do not post secrets, tokens, private logs, customer data, exploit payloads, or sensitive operational details in public GitHub issues.
+
+For a useful report, include:
+
+- affected repository or package
+- affected version or commit
+- reproduction steps
+- expected and observed behavior
+- security impact
+- whether the issue affects local MCP usage, hosted Worker usage, examples, docs, packaging, or another surface
+
+Public GitHub issues are fine for non-sensitive bugs, documentation mistakes, stale claims, build failures, and feature requests.
+
+## Scope Notes
+
+FreshContext does not currently offer a formal bug bounty program.
+
+Please do not send live production tokens, private Cloudflare logs, npm tokens, GitHub tokens, MCP registry tokens, customer data, or private account data. If a report requires sensitive evidence, describe the issue first by email so a safer exchange path can be agreed.
+
+This policy does not make claims of certification, compliance, guaranteed response time, or security warranty.

package/TRADEMARKS.md

@@ -0,0 +1,9 @@
+# FreshContext Brand and Trademark Notice
+
+FreshContext is the product and project name used by the project owner for this software, documentation, examples, and related public materials.
+
+No mark registration claim is made in this repository. Any future trademark filing, transfer, assignment, or licensing question should be reviewed separately.
+
+Third-party names, marks, services, and platforms, including Cloudflare, npm, GitHub, Model Context Protocol, MCP, Apify, Claude, OpenAI, Anthropic, and other referenced ecosystems, belong to their respective owners.
+
+Use of third-party names in this repository is descriptive, interoperability-oriented, or reference-oriented. It does not imply endorsement, certification, sponsorship, partnership, or official affiliation unless explicitly stated by the relevant third party.

package/dist/adapters/arxiv.js

@@ -1,66 +1,110 @@
-/**
- * arXiv adapter — uses the official arXiv API (no scraping, no auth needed).
- * Accepts a search query or a direct arXiv API URL.
- * Docs: https://arxiv.org/help/api/user-manual
- */
-export async function arxivAdapter(options) {
-    const input = options.url.trim();
-    // Build API URL — if they pass a plain query, construct it
-    const apiUrl = input.startsWith("http")
-        ? input
-        : `https://export.arxiv.org/api/query?search_query=all:${encodeURIComponent(input)}&start=0&max_results=10&sortBy=relevance&sortOrder=descending`;
+const USER_AGENT = "freshcontext-mcp/0.1.7 (https://github.com/PrinceGabriel-lgtm/freshcontext-mcp)";
+const DEFAULT_ARXIV_SIGNAL_SCORE = 0.8;
+function buildArxivApiUrl(input, maxResults = 10) {
+    const trimmed = input.trim();
+    const safeMaxResults = Number.isFinite(maxResults)
+        ? Math.max(1, Math.min(Math.trunc(maxResults), 50))
+        : 10;
+    return trimmed.startsWith("http")
+        ? trimmed
+        : `https://export.arxiv.org/api/query?search_query=all:${encodeURIComponent(trimmed)}&start=0&max_results=${safeMaxResults}&sortBy=relevance&sortOrder=descending`;
+}
+async function fetchArxivXml(apiUrl) {
     const res = await fetch(apiUrl, {
-        headers: { "User-Agent": "freshcontext-mcp/0.1.7 (https://github.com/PrinceGabriel-lgtm/freshcontext-mcp)" },
+        headers: { "User-Agent": USER_AGENT },
     });
     if (!res.ok)
         throw new Error(`arXiv API error: ${res.status} ${res.statusText}`);
-    const xml = await res.text();
-    // Parse the Atom XML response
-    const entries = [...xml.matchAll(/<entry>([\s\S]*?)<\/entry>/g)];
-    if (!entries.length) {
-        return { raw: "No results found for this query.", content_date: null, freshness_confidence: "low" };
-    }
-    const getTag = (block, tag) => {
-        const m = block.match(new RegExp(`<${tag}[^>]*>([\\s\\S]*?)<\\/${tag}>`, "i"));
-        return m ? m[1].trim().replace(/\s+/g, " ") : "";
-    };
-    const getAttr = (block, tag, attr) => {
-        const m = block.match(new RegExp(`<${tag}[^>]*${attr}="([^"]*)"`, "i"));
-        return m ? m[1].trim() : "";
-    };
-    const papers = entries.map((match, i) => {
+    return res.text();
+}
+function getTag(block, tag) {
+    const m = block.match(new RegExp(`<${tag}[^>]*>([\\s\\S]*?)<\\/${tag}>`, "i"));
+    return m ? m[1].trim().replace(/\s+/g, " ") : "";
+}
+function getAttr(block, tag, attr) {
+    const m = block.match(new RegExp(`<${tag}[^>]*${attr}="([^"]*)"`, "i"));
+    return m ? m[1].trim() : "";
+}
+function normalizeArxivUrl(id) {
+    return id.replace("http://arxiv.org/abs/", "https://arxiv.org/abs/");
+}
+function parseArxivEntries(xml) {
+    return [...xml.matchAll(/<entry>([\s\S]*?)<\/entry>/g)].map((match) => {
         const block = match[1];
-        const title = getTag(block, "title").replace(/\n/g, " ");
-        const summary = getTag(block, "summary").slice(0, 300).replace(/\n/g, " ");
-        const published = getTag(block, "published").slice(0, 10); // YYYY-MM-DD
-        const updated = getTag(block, "updated").slice(0, 10);
-        const id = getTag(block, "id").replace("http://arxiv.org/abs/", "https://arxiv.org/abs/");
-        // Authors — can be multiple
         const authorMatches = [...block.matchAll(/<author>([\s\S]*?)<\/author>/g)];
         const authors = authorMatches
             .map(a => getTag(a[1], "name"))
             .filter(Boolean)
-            .slice(0, 4)
-            .join(", ");
-        // Categories
-        const primaryCat = getAttr(block, "arxiv:primary_category", "term") ||
-            getAttr(block, "category", "term");
-        return [
-            `[${i + 1}] ${title}`,
-            `Authors: ${authors || "Unknown"}`,
-            `Published: ${published}${updated !== published ? ` (updated ${updated})` : ""}`,
-            primaryCat ? `Category: ${primaryCat}` : null,
-            `Abstract: ${summary}…`,
-            `Link: ${id}`,
-        ].filter(Boolean).join("\n");
+            .slice(0, 4);
+        return {
+            title: getTag(block, "title").replace(/\n/g, " "),
+            summary: getTag(block, "summary").replace(/\n/g, " "),
+            published: getTag(block, "published"),
+            updated: getTag(block, "updated"),
+            id: normalizeArxivUrl(getTag(block, "id")),
+            authors,
+            category: getAttr(block, "arxiv:primary_category", "term") ||
+                getAttr(block, "category", "term"),
+        };
     });
+}
+function formatArxivEntry(entry, index) {
+    const published = entry.published.slice(0, 10);
+    const updated = entry.updated.slice(0, 10);
+    const authors = entry.authors.join(", ");
+    const summary = entry.summary.slice(0, 300);
+    return [
+        `[${index + 1}] ${entry.title}`,
+        `Authors: ${authors || "Unknown"}`,
+        `Published: ${published}${updated !== published ? ` (updated ${updated})` : ""}`,
+        entry.category ? `Category: ${entry.category}` : null,
+        `Abstract: ${summary}\u00e2\u20ac\u00a6`,
+        `Link: ${entry.id}`,
+    ].filter(Boolean).join("\n");
+}
+/**
+ * arXiv adapter uses the official arXiv API.
+ * Accepts a search query or a direct arXiv API URL.
+ * Docs: https://arxiv.org/help/api/user-manual
+ */
+export async function arxivAdapter(options) {
+    const input = options.url.trim();
+    const apiUrl = buildArxivApiUrl(input);
+    const xml = await fetchArxivXml(apiUrl);
+    const entries = parseArxivEntries(xml);
+    if (!entries.length) {
+        return { raw: "No results found for this query.", content_date: null, freshness_confidence: "low" };
+    }
+    const papers = entries.map(formatArxivEntry);
     const raw = papers.join("\n\n").slice(0, options.maxLength ?? 6000);
-    // Most recent publication date
     const dates = entries
-        .map(m => getTag(m[1], "published").slice(0, 10))
+        .map(entry => entry.published.slice(0, 10))
         .filter(Boolean)
         .sort()
         .reverse();
     const content_date = dates[0] ?? null;
     return { raw, content_date, freshness_confidence: content_date ? "high" : "medium" };
 }
+export async function searchArxivSignals(input) {
+    const query = input.query.trim();
+    const apiUrl = buildArxivApiUrl(query, input.maxResults);
+    const xml = await fetchArxivXml(apiUrl);
+    const entries = parseArxivEntries(xml);
+    const retrievedAt = input.retrievedAt ?? new Date().toISOString();
+    const semanticScore = input.semanticScore ?? DEFAULT_ARXIV_SIGNAL_SCORE;
+    return entries.map((entry) => ({
+        title: entry.title,
+        content: entry.summary,
+        source: entry.id,
+        source_type: "arxiv",
+        published_at: entry.published || null,
+        retrieved_at: retrievedAt,
+        semantic_score: semanticScore,
+        metadata: {
+            authors: entry.authors,
+            category: entry.category || null,
+            updated_at: entry.updated || null,
+            query,
+        },
+    }));
+}

package/dist/adapters/finance.js

@@ -1,117 +1,103 @@
-function formatMarketCap(cap) {
-    if (!cap)
-        return "N/A";
-    if (cap >= 1e12)
-        return `$${(cap / 1e12).toFixed(2)}T`;
-    if (cap >= 1e9)
-        return `$${(cap / 1e9).toFixed(2)}B`;
-    if (cap >= 1e6)
-        return `$${(cap / 1e6).toFixed(2)}M`;
-    return `$${cap.toLocaleString()}`;
+function toStooqSymbol(ticker) {
+    const clean = ticker.trim().toUpperCase().replace(/[^A-Z0-9.^=-]/g, "");
+    if (!clean)
+        throw new Error("Ticker cannot be empty");
+    if (clean.includes(".") || clean.startsWith("^") || clean.includes("="))
+        return clean;
+    return `${clean}.US`;
 }
-function formatChange(change, pct) {
-    if (change === undefined || pct === undefined)
-        return "N/A";
-    const sign = change >= 0 ? "+" : "";
-    return `${sign}${change.toFixed(2)} (${sign}${pct.toFixed(2)}%)`;
+function toNumber(value) {
+    if (value === undefined || value === "N/D")
+        return null;
+    const n = typeof value === "number" ? value : Number(value);
+    return Number.isFinite(n) ? n : null;
+}
+function normalizeQuoteTimestamp(date, time) {
+    if (!date || date === "N/D")
+        throw new Error("Quote date unavailable");
+    const clock = time && time !== "N/D" ? time : "00:00:00";
+    const parsed = new Date(`${date}T${clock}Z`);
+    if (Number.isNaN(parsed.getTime()))
+        throw new Error(`Invalid quote timestamp: ${date} ${time}`);
+    return parsed.toISOString();
+}
+function formatNumber(value, prefix = "") {
+    const n = toNumber(value);
+    return n === null ? "N/A" : `${prefix}${n.toLocaleString(undefined, { maximumFractionDigits: 4 })}`;
+}
+async function fetchStooqQuote(ticker) {
+    const stooqSymbol = toStooqSymbol(ticker);
+    const url = `https://stooq.com/q/l/?s=${encodeURIComponent(stooqSymbol.toLowerCase())}&f=sd2t2ohlcv&h&e=json`;
+    const res = await fetch(url, {
+        headers: {
+            "User-Agent": "freshcontext-mcp/0.3.17",
+            "Accept": "application/json",
+        },
+    });
+    if (!res.ok)
+        throw new Error(`Stooq quote API error: ${res.status}`);
+    const data = await res.json();
+    const quote = data.symbols?.[0];
+    if (!quote)
+        throw new Error(`No quote returned for ${ticker}`);
+    if (quote.close === "N/D" || quote.date === "N/D") {
+        throw new Error(`No Stooq quote data found for ${ticker}`);
+    }
+    return {
+        requested: ticker,
+        stooqSymbol,
+        quote,
+        timestamp: normalizeQuoteTimestamp(quote.date, quote.time),
+    };
+}
+function formatQuote(result) {
+    const q = result.quote;
+    return [
+        `${result.requested.toUpperCase()} — ${q.symbol}`,
+        `source: stooq`,
+        `Quote timestamp: ${result.timestamp}`,
+        "",
+        `Close:  ${formatNumber(q.close, "$")}`,
+        `Open:   ${formatNumber(q.open, "$")}`,
+        `High:   ${formatNumber(q.high, "$")}`,
+        `Low:    ${formatNumber(q.low, "$")}`,
+        `Volume: ${formatNumber(q.volume)}`,
+    ].join("\n");
 }
 export async function financeAdapter(options) {
     const input = options.url.trim();
-    // Support comma-separated tickers
     const rawTickers = input
         .split(",")
-        .map((t) => t.trim().toUpperCase())
+        .map((t) => t.trim())
         .filter(Boolean)
-        .slice(0, 5); // max 5 at once
-    const results = [];
-    let latestTimestamp = null;
+        .slice(0, 5);
+    if (!rawTickers.length)
+        throw new Error("At least one ticker is required");
+    const successes = [];
+    const failures = [];
     for (const ticker of rawTickers) {
         try {
-            const quoteData = await fetchQuote(ticker);
-            if (quoteData) {
-                results.push(formatQuote(quoteData));
-                if (quoteData.regularMarketTime) {
-                    latestTimestamp = Math.max(latestTimestamp ?? 0, quoteData.regularMarketTime);
-                }
-            }
+            successes.push(await fetchStooqQuote(ticker));
         }
         catch (err) {
-            results.push(`[${ticker}] Error: ${err instanceof Error ? err.message : String(err)}`);
+            failures.push(`[${ticker.toUpperCase()}] ${err instanceof Error ? err.message : String(err)}`);
         }
     }
-    const raw = results.join("\n\n─────────────────────────────\n\n").slice(0, options.maxLength ?? 5000);
-    const content_date = latestTimestamp
-        ? new Date(latestTimestamp * 1000).toISOString()
-        : new Date().toISOString();
-    return { raw, content_date, freshness_confidence: "high" };
-}
-async function fetchQuote(ticker) {
-    // v7 quote endpoint — public, no auth
-    const quoteUrl = `https://query1.finance.yahoo.com/v7/finance/quote?symbols=${encodeURIComponent(ticker)}&fields=shortName,longName,regularMarketPrice,regularMarketChange,regularMarketChangePercent,marketCap,regularMarketVolume,fiftyTwoWeekHigh,fiftyTwoWeekLow,trailingPE,dividendYield,currency,exchangeName,regularMarketTime`;
-    const quoteRes = await fetch(quoteUrl, {
-        headers: {
-            "User-Agent": "Mozilla/5.0 (compatible; freshcontext-mcp/0.1.5)",
-            "Accept": "application/json",
-        },
-    });
-    if (!quoteRes.ok)
-        throw new Error(`Yahoo Finance API error: ${quoteRes.status}`);
-    const quoteJson = await quoteRes.json();
-    const quote = quoteJson?.quoteResponse?.result?.[0];
-    if (!quote)
-        throw new Error(`No data found for ticker: ${ticker}`);
-    // Optionally fetch company summary (v11 quoteSummary)
-    try {
-        const summaryUrl = `https://query1.finance.yahoo.com/v11/finance/quoteSummary/${encodeURIComponent(ticker)}?modules=assetProfile`;
-        const summaryRes = await fetch(summaryUrl, {
-            headers: { "User-Agent": "Mozilla/5.0 (compatible; freshcontext-mcp/0.1.5)" },
-        });
-        if (summaryRes.ok) {
-            const summaryJson = await summaryRes.json();
-            const profile = summaryJson?.quoteSummary?.result?.[0]?.assetProfile;
-            if (profile) {
-                Object.assign(quote, {
-                    longBusinessSummary: profile.longBusinessSummary,
-                    sector: profile.sector,
-                    industry: profile.industry,
-                    fullTimeEmployees: profile.fullTimeEmployees,
-                    website: profile.website,
-                });
-            }
-        }
-    }
-    catch {
-        // Summary is optional — continue without it
-    }
-    return quote;
-}
-function formatQuote(q) {
-    const lines = [
-        `${q.symbol} — ${q.longName ?? q.shortName ?? "Unknown"}`,
-        `Exchange: ${q.exchangeName ?? "N/A"} · Currency: ${q.currency ?? "USD"}`,
-        "",
-        `Price:       ${q.regularMarketPrice !== undefined ? `$${q.regularMarketPrice.toFixed(2)}` : "N/A"}`,
-        `Change:      ${formatChange(q.regularMarketChange, q.regularMarketChangePercent)}`,
-        `Market Cap:  ${formatMarketCap(q.marketCap)}`,
-        `Volume:      ${q.regularMarketVolume?.toLocaleString() ?? "N/A"}`,
-        `52w High:    ${q.fiftyTwoWeekHigh !== undefined ? `$${q.fiftyTwoWeekHigh.toFixed(2)}` : "N/A"}`,
-        `52w Low:     ${q.fiftyTwoWeekLow !== undefined ? `$${q.fiftyTwoWeekLow.toFixed(2)}` : "N/A"}`,
-        `P/E Ratio:   ${q.trailingPE !== undefined ? q.trailingPE.toFixed(2) : "N/A"}`,
-        `Div Yield:   ${q.dividendYield !== undefined ? `${(q.dividendYield * 100).toFixed(2)}%` : "N/A"}`,
-    ];
-    if (q.sector || q.industry) {
-        lines.push("");
-        if (q.sector)
-            lines.push(`Sector:      ${q.sector}`);
-        if (q.industry)
-            lines.push(`Industry:    ${q.industry}`);
-        if (q.fullTimeEmployees)
-            lines.push(`Employees:   ${q.fullTimeEmployees.toLocaleString()}`);
-        if (q.website)
-            lines.push(`Website:     ${q.website}`);
+    if (!successes.length) {
+        throw new Error(`Finance quote lookup failed for all tickers via source=stooq. ${failures.join("; ")}`);
     }
-    if (q.longBusinessSummary) {
-        lines.push("", "About:", q.longBusinessSummary.slice(0, 500) + (q.longBusinessSummary.length > 500 ? "…" : ""));
+    const sections = successes.map(formatQuote);
+    if (failures.length) {
+        sections.push(["Partial failures:", ...failures.map((f) => `- ${f}`)].join("\n"));
     }
-    return lines.join("\n");
+    const raw = sections.join("\n\n-----------------------------\n\n").slice(0, options.maxLength ?? 5000);
+    const content_date = successes
+        .map((s) => s.timestamp)
+        .sort()
+        .reverse()[0] ?? null;
+    return {
+        raw,
+        content_date,
+        freshness_confidence: failures.length ? "medium" : "high",
+    };
 }

package/dist/adapters/gdelt.js

@@ -11,7 +11,7 @@
  */
 const HEADERS = {
     "Accept": "application/json",
-    "User-Agent": "freshcontext-mcp/1.0 contact@freshcontext.dev",
+    "User-Agent": "freshcontext-mcp/0.3.17 (https://github.com/PrinceGabriel-lgtm/freshcontext-mcp)",
 };
 function parseGdeltDate(raw) {
     if (!raw)

package/dist/adapters/gebiz.js

@@ -20,7 +20,7 @@ const DATASET_ID = "d_acde1106003906a75c3fa052592f2fcb";
 const BASE_URL = "https://data.gov.sg/api/action/datastore_search";
 const HEADERS = {
     "Accept": "application/json",
-    "User-Agent": "freshcontext-mcp/1.0 contact@freshcontext.dev",
+    "User-Agent": "freshcontext-mcp/0.3.17 (https://github.com/PrinceGabriel-lgtm/freshcontext-mcp)",
 };
 function formatDate(raw) {
     if (!raw)

package/dist/adapters/hackernews.js

@@ -1,9 +1,29 @@
 import { chromium } from "playwright";
 import { validateUrl } from "../security.js";
+function isUrl(input) {
+    try {
+        new URL(input);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function normalizeHnDate(raw) {
+    if (!raw)
+        return null;
+    const match = raw.match(/\b\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?\b/);
+    if (!match)
+        return null;
+    const isoLike = match[0].endsWith("Z") ? match[0] : `${match[0]}Z`;
+    const parsed = new Date(isoLike);
+    return Number.isNaN(parsed.getTime()) ? null : parsed.toISOString();
+}
 export async function hackerNewsAdapter(options) {
-    // Validate URL — allow both HN and Algolia domains
-    validateUrl(options.url, "hackernews");
-    const url = options.url;
+    const input = options.url.trim();
+    if (!input)
+        throw new Error("HN URL or search query is required");
+    const url = isUrl(input) ? validateUrl(input, "hackernews") : `hn-search:${input}`;
     if (url.includes("hn.algolia.com/api/") || url.startsWith("hn-search:")) {
         const query = url.startsWith("hn-search:")
             ? url.replace("hn-search:", "").trim()
@@ -20,45 +40,55 @@ export async function hackerNewsAdapter(options) {
             `[${i + 1}] ${r.title ?? "Untitled"}`,
             `URL: ${r.url ?? `https://news.ycombinator.com/item?id=${r.objectID}`}`,
             `Score: ${r.points} points | ${r.num_comments} comments`,
-            `Author: ${r.author} | Posted: ${r.created_at}`,
+            `Author: ${r.author} | Posted: ${normalizeHnDate(r.created_at) ?? r.created_at}`,
         ].join("\n"))
             .join("\n\n")
             .slice(0, options.maxLength ?? 4000);
-        const newest = data.hits.map((r) => r.created_at).sort().reverse()[0] ?? null;
+        const newest = data.hits
+            .map((r) => normalizeHnDate(r.created_at))
+            .filter((d) => Boolean(d))
+            .sort()
+            .reverse()[0] ?? null;
         return { raw, content_date: newest, freshness_confidence: newest ? "high" : "medium" };
     }
-    // Default: browser-based scrape for HN front page or search pages
     const browser = await chromium.launch({ headless: true });
     const page = await browser.newPage();
     await page.goto(url, { waitUntil: "domcontentloaded", timeout: 20000 });
-    const data = await page.evaluate(`(function() {
-    var items = Array.from(document.querySelectorAll('.athing')).slice(0, 20);
-    var results = items.map(function(el) {
-      var titleLineEl = el.querySelector('.titleline > a');
-      var title = titleLineEl ? titleLineEl.textContent.trim() : null;
-      var link = titleLineEl ? titleLineEl.getAttribute('href') : null;
-      var subtext = el.nextElementSibling;
-      var scoreEl = subtext ? subtext.querySelector('.score') : null;
-      var score = scoreEl ? scoreEl.textContent.trim() : null;
-      var ageEl = subtext ? subtext.querySelector('.age') : null;
-      var age = ageEl ? ageEl.getAttribute('title') : null;
-      var anchors = subtext ? subtext.querySelectorAll('a') : [];
-      var commentLink = anchors.length > 0 ? anchors[anchors.length - 1].textContent.trim() : null;
-      return { title: title, link: link, score: score, age: age, commentLink: commentLink };
-    });
-    return results;
+    const data = await page.evaluate(`(function() {
+    var items = Array.from(document.querySelectorAll('.athing')).slice(0, 20);
+    var results = items.map(function(el) {
+      var titleLineEl = el.querySelector('.titleline > a');
+      var title = titleLineEl ? titleLineEl.textContent.trim() : null;
+      var link = titleLineEl ? titleLineEl.getAttribute('href') : null;
+      var subtext = el.nextElementSibling;
+      var scoreEl = subtext ? subtext.querySelector('.score') : null;
+      var score = scoreEl ? scoreEl.textContent.trim() : null;
+      var ageEl = subtext ? subtext.querySelector('.age') : null;
+      var age = ageEl ? ageEl.getAttribute('title') : null;
+      var anchors = subtext ? subtext.querySelectorAll('a') : [];
+      var commentLink = anchors.length > 0 ? anchors[anchors.length - 1].textContent.trim() : null;
+      return { title: title, link: link, score: score, age: age, commentLink: commentLink };
+    });
+    return results;
   })()`);
     await browser.close();
     const typedData = data;
     const raw = typedData
-        .map((r, i) => [
-        `[${i + 1}] ${r.title ?? "Untitled"}`,
-        `URL: ${r.link ?? "N/A"}`,
-        `Score: ${r.score ?? "N/A"} | ${r.commentLink ?? ""}`,
-        `Posted: ${r.age ?? "unknown"}`,
-    ].join("\n"))
+        .map((r, i) => {
+        const date = normalizeHnDate(r.age);
+        return [
+            `[${i + 1}] ${r.title ?? "Untitled"}`,
+            `URL: ${r.link ?? "N/A"}`,
+            `Score: ${r.score ?? "N/A"} | ${r.commentLink ?? ""}`,
+            `Posted: ${date ?? "unknown"}`,
+        ].join("\n");
+    })
         .join("\n\n");
-    const newestDate = typedData.map((r) => r.age).filter(Boolean).sort().reverse()[0] ?? null;
+    const newestDate = typedData
+        .map((r) => normalizeHnDate(r.age))
+        .filter((d) => Boolean(d))
+        .sort()
+        .reverse()[0] ?? null;
     return {
         raw,
         content_date: newestDate,

package/dist/adapters/productHunt.js

@@ -1,5 +1,10 @@
+import { validateUrl } from "../security.js";
 export async function productHuntAdapter(options) {
-    // PH GraphQL API — public, no auth for published posts
+    const token = process.env.PH_TOKEN?.trim() || process.env.PRODUCTHUNT_TOKEN?.trim();
+    if (!token)
+        return scrapeProductHunt(options);
+    // Product Hunt GraphQL API requires a bearer token. Keep it in env/secrets,
+    // never in source.
     const query = options.url.startsWith("http")
         ? null
         : options.url;
@@ -28,8 +33,7 @@ export async function productHuntAdapter(options) {
         method: "POST",
         headers: {
             "Content-Type": "application/json",
-            // Public access token (read-only, rate-limited but usable)
-            "Authorization": "Bearer irgTzMNAz-S-p1P8H5pFCxzU4TEF7GIJZ8vZZi0gLJg",
+            "Authorization": `Bearer ${token}`,
         },
         body: JSON.stringify({ query: gql }),
     });
@@ -68,7 +72,7 @@ export async function productHuntAdapter(options) {
 async function scrapeProductHunt(options) {
     const { chromium } = await import("playwright");
     const url = options.url.startsWith("http")
-        ? options.url
+        ? validateUrl(options.url, "productHunt")
         : `https://www.producthunt.com/search?q=${encodeURIComponent(options.url)}`;
     const browser = await chromium.launch({ headless: true });
     const page = await browser.newPage();