visus-mcp 0.3.0 → 0.6.0

package/dist/utils/truncate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"truncate.d.ts","sourceRoot":"","sources":["../../src/utils/truncate.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAmBH;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG;IAChD,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B,CAkBA;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAEnD"}

package/dist/utils/truncate.js

@@ -0,0 +1,54 @@
+/**
+ * Token-aware content truncation utility
+ *
+ * Anthropic MCP Directory enforces a 25,000 token response limit.
+ * This utility provides safe truncation with token estimation.
+ */
+/**
+ * Maximum tokens allowed in MCP response (Anthropic Directory limit)
+ * We target 24,000 to leave headroom for metadata/JSON structure
+ */
+const MAX_TOKENS = 24000;
+/**
+ * Conservative token estimation: 1 token ≈ 4 characters
+ * This is a safe approximation that errs on the side of caution
+ */
+const CHARS_PER_TOKEN = 4;
+/**
+ * Maximum characters based on token limit
+ */
+const MAX_CHARS = MAX_TOKENS * CHARS_PER_TOKEN; // 96,000 characters
+/**
+ * Truncate content if it exceeds the token ceiling
+ *
+ * @param content Content to potentially truncate
+ * @returns Truncated content and metadata
+ */
+export function truncateContent(content) {
+    if (content.length <= MAX_CHARS) {
+        // Content is within limits
+        return {
+            content,
+            truncated: false
+        };
+    }
+    // Content exceeds limit - truncate with warning message
+    const truncatedContent = content.substring(0, MAX_CHARS);
+    const warningMessage = `\n\n--- CONTENT TRUNCATED ---\nOriginal length: ${content.length} characters (~${Math.ceil(content.length / CHARS_PER_TOKEN)} tokens)\nTruncated to: ${MAX_CHARS} characters (~${MAX_TOKENS} tokens)\nReason: Anthropic MCP Directory enforces a 25,000 token response limit\n`;
+    return {
+        content: truncatedContent + warningMessage,
+        truncated: true,
+        truncated_at_chars: MAX_CHARS
+    };
+}
+/**
+ * Estimate token count for a given string
+ * Uses conservative 4 chars per token approximation
+ *
+ * @param text Text to estimate
+ * @returns Estimated token count
+ */
+export function estimateTokens(text) {
+    return Math.ceil(text.length / CHARS_PER_TOKEN);
+}
+//# sourceMappingURL=truncate.js.map

package/dist/utils/truncate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"truncate.js","sourceRoot":"","sources":["../../src/utils/truncate.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,MAAM,UAAU,GAAG,KAAK,CAAC;AAEzB;;;GAGG;AACH,MAAM,eAAe,GAAG,CAAC,CAAC;AAE1B;;GAEG;AACH,MAAM,SAAS,GAAG,UAAU,GAAG,eAAe,CAAC,CAAC,oBAAoB;AAEpE;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAK7C,IAAI,OAAO,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;QAChC,2BAA2B;QAC3B,OAAO;YACL,OAAO;YACP,SAAS,EAAE,KAAK;SACjB,CAAC;IACJ,CAAC;IAED,wDAAwD;IACxD,MAAM,gBAAgB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IACzD,MAAM,cAAc,GAAG,mDAAmD,OAAO,CAAC,MAAM,iBAAiB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,eAAe,CAAC,2BAA2B,SAAS,iBAAiB,UAAU,oFAAoF,CAAC;IAExS,OAAO;QACL,OAAO,EAAE,gBAAgB,GAAG,cAAc;QAC1C,SAAS,EAAE,IAAI;QACf,kBAAkB,EAAE,SAAS;KAC9B,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,eAAe,CAAC,CAAC;AAClD,CAAC"}

package/infrastructure/stack.ts

@@ -19,6 +19,7 @@
 
 import * as cdk from 'aws-cdk-lib';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as lambdaNodejs from 'aws-cdk-lib/aws-lambda-nodejs';
 import * as apigateway from 'aws-cdk-lib/aws-apigateway';
 import * as cognito from 'aws-cdk-lib/aws-cognito';
 import * as dynamodb from 'aws-cdk-lib/aws-dynamodb';
@@ -69,6 +70,7 @@ export class VisusStack extends cdk.Stack {
       removalPolicy: environment === 'prod'
         ? cdk.RemovalPolicy.RETAIN
         : cdk.RemovalPolicy.DESTROY,
+      timeToLiveAttribute: 'ttl', // Auto-delete audit logs after 30 days
     });
 
     // Global Secondary Index for querying by request_id
@@ -142,12 +144,12 @@ export class VisusStack extends cdk.Stack {
     // Grant KMS decrypt access (for reading encrypted DynamoDB data if needed)
     kmsKey.grantEncryptDecrypt(lambdaRole);
 
-    // Lambda function
-    const visusFn = new lambda.Function(this, 'VisusFunction', {
+    // Lambda function (NodejsFunction with automatic bundling)
+    const visusFn = new lambdaNodejs.NodejsFunction(this, 'VisusFunction', {
       functionName: `visus-mcp-${environment}`,
       runtime: lambda.Runtime.NODEJS_20_X,
-      handler: 'index.handler',
-      code: lambda.Code.fromAsset('dist'), // Build output directory (relative to project root)
+      entry: 'src/lambda-handler.ts', // Entry point for bundler
+      handler: 'handler', // Export name in the entry file
       timeout: cdk.Duration.seconds(30), // Playwright page loads can take time
       memorySize: 1024, // Chromium requires significant memory
       reservedConcurrentExecutions: environment === 'prod' ? 100 : 10, // RULE 7: Cost protection
@@ -155,12 +157,21 @@ export class VisusStack extends cdk.Stack {
       environment: {
         AUDIT_TABLE_NAME: auditTable.tableName,
         ENVIRONMENT: environment,
+        ALLOWED_ORIGINS: 'https://claude.ai,https://app.claude.ai,http://localhost:3000',
         NODE_OPTIONS: '--enable-source-maps', // For debugging
       },
       logRetention: environment === 'prod'
         ? logs.RetentionDays.ONE_MONTH
         : logs.RetentionDays.ONE_WEEK,
       description: `Visus MCP sanitization service (${environment})`,
+      bundling: {
+        minify: false, // Keep readable for debugging
+        sourceMap: true,
+        externalModules: [
+          'playwright-core', // Playwright is huge, will be added via layer
+          '@sparticuz/chromium', // Chromium binary
+        ],
+      },
     });
 
     // ========================================
@@ -178,12 +189,44 @@ export class VisusStack extends cdk.Stack {
         metricsEnabled: true,
       },
       defaultCorsPreflightOptions: {
-        allowOrigins: apigateway.Cors.ALL_ORIGINS, // Phase 2: Open. Phase 3: Restrict to Lateos
-        allowMethods: apigateway.Cors.ALL_METHODS,
+        allowOrigins: [
+          'https://claude.ai',
+          'https://app.claude.ai',
+          'http://localhost:3000',  // local dev only
+        ],
+        allowMethods: ['POST', 'OPTIONS'],
         allowHeaders: ['Content-Type', 'Authorization'],
       },
     });
 
+    // Usage plan with rate limiting and quota
+    const usagePlan = api.addUsagePlan('VisusUsagePlan', {
+      name: `visus-usage-plan-${environment}`,
+      description: 'Rate limiting and quota management for Visus API',
+      throttle: {
+        rateLimit: 10,      // 10 requests per second
+        burstLimit: 20,     // 20 request burst
+      },
+      quota: {
+        limit: 1000,        // 1000 requests per day
+        period: apigateway.Period.DAY,
+      },
+    });
+
+    // Add deployment stage to usage plan
+    usagePlan.addApiStage({
+      stage: api.deploymentStage,
+    });
+
+    // Create API key for the usage plan
+    const apiKey = api.addApiKey('VisusApiKey', {
+      apiKeyName: `visus-api-key-${environment}`,
+      description: `API key for Visus ${environment} environment`,
+    });
+
+    // Associate API key with usage plan
+    usagePlan.addApiKey(apiKey);
+
     // Cognito authorizer
     const authorizer = new apigateway.CognitoUserPoolsAuthorizer(this, 'VisusAuthorizer', {
       cognitoUserPools: [userPool],
@@ -244,5 +287,11 @@ export class VisusStack extends cdk.Stack {
       description: 'Lambda function ARN',
       exportName: `visus-lambda-arn-${environment}`,
     });
+
+    new cdk.CfnOutput(this, 'ApiKeyId', {
+      value: apiKey.keyId,
+      description: 'API Gateway API Key ID (use aws apigateway get-api-key to retrieve value)',
+      exportName: `visus-api-key-id-${environment}`,
+    });
   }
 }

package/jest.config.js

@@ -15,6 +15,9 @@ export default {
   },
   testMatch: ['**/tests/**/*.test.ts'],
   testPathIgnorePatterns: ['/node_modules/', '/dist/'],
+  transformIgnorePatterns: [
+    'node_modules/(?!(@mozilla/readability|jsdom|@exodus/bytes|html-encoding-sniffer|@toon-format)/)',
+  ],
   testTimeout: 15000,
   forceExit: true,
   detectOpenHandles: false,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "visus-mcp",
-  "version": "0.3.0",
-  "description": "Secure web access for Claude — sanitizes all web content before it reaches your LLM",
+  "version": "0.6.0",
+  "description": "Secure, sanitized web access for Claude. Detects prompt injection (43 patterns), redacts PII, renders JavaScript pages, generates NIST AI 600-1 / OWASP / MITRE ATLAS threat reports, and auto-detects JSON/XML/RSS content types.",
   "main": "dist/index.js",
   "bin": {
     "visus-mcp": "dist/index.js"
@@ -39,15 +39,22 @@
     "node": ">=18"
   },
   "dependencies": {
+    "@aws-sdk/client-dynamodb": "^3.1014.0",
+    "@aws-sdk/lib-dynamodb": "^3.1014.0",
     "@modelcontextprotocol/sdk": "^1.0.4",
+    "@mozilla/readability": "^0.6.0",
     "@playwright/test": "^1.58.2",
+    "@toon-format/toon": "^2.1.0",
     "cheerio": "^1.2.0",
+    "fast-xml-parser": "^5.5.8",
+    "jsdom": "^29.0.1",
     "playwright": "^1.58.2",
     "undici": "^7.24.5"
   },
   "devDependencies": {
     "@types/aws-lambda": "^8.10.161",
     "@types/jest": "^29.5.14",
+    "@types/jsdom": "^28.0.1",
     "@types/node": "^20.19.37",
     "aws-cdk": "^2.1112.0",
     "aws-cdk-lib": "^2.244.0",

package/src/browser/playwright-renderer.ts

@@ -126,6 +126,7 @@ async function renderWithLambda(
       html: body.html,
       title: body.title,
       url,
+      contentType: 'text/html', // Lambda renderer defaults to HTML
       text: undefined, // Lambda renderer doesn't extract text
     });
 
@@ -164,6 +165,12 @@ async function renderWithFetch(
 
     const html = await response.body.text();
 
+    // Capture Content-Type header
+    const contentTypeHeader = response.headers['content-type'];
+    const contentType = typeof contentTypeHeader === 'string'
+      ? contentTypeHeader.split(';')[0].trim()  // Remove charset and other params
+      : 'text/html'; // Default to HTML if missing
+
     // Extract title using regex (simple fallback)
     const titleMatch = html.match(/<title[^>]*>(.*?)<\/title>/i);
     const title = titleMatch ? titleMatch[1].trim() : '';
@@ -172,6 +179,7 @@ async function renderWithFetch(
       html,
       title,
       url,
+      contentType,
       text: undefined,
     });
 

package/src/browser/reader.ts

@@ -0,0 +1,129 @@
+/**
+ * Reader Mode - Mozilla Readability Integration
+ *
+ * Extracts clean article content from web pages using Mozilla's Readability.js.
+ * This module strips navigation, ads, and boilerplate to return main article content.
+ *
+ * CRITICAL: Content extraction happens BEFORE sanitization. The pipeline is:
+ * Playwright renders → Readability extracts → Sanitizer runs → Token ceiling applied
+ */
+
+import { Readability } from '@mozilla/readability';
+import { JSDOM } from 'jsdom';
+import type { Result } from '../types.js';
+import { Ok, Err } from '../types.js';
+
+/**
+ * Result from reader mode extraction
+ */
+export interface ReaderResult {
+  title: string;
+  byline: string | null;           // Author
+  publishedTime: string | null;     // ISO timestamp or null
+  content: string;                  // Extracted text content
+  excerpt: string | null;           // Short summary
+  wordCount: number;                // Estimated word count
+  readerModeAvailable: boolean;     // True if Readability succeeded
+}
+
+/**
+ * Extract clean article content using Mozilla Readability
+ *
+ * @param html - Rendered HTML from Playwright
+ * @param url - Original URL (required for relative link resolution)
+ * @returns Result containing extracted article or fallback to full HTML
+ */
+export function extractArticle(
+  html: string,
+  url: string
+): Result<ReaderResult, Error> {
+  try {
+    // Parse HTML with jsdom
+    const dom = new JSDOM(html, { url });
+    const document = dom.window.document;
+
+    // Attempt extraction with Readability
+    const reader = new Readability(document);
+    const article = reader.parse();
+
+    // If Readability succeeds, return extracted content
+    if (article && article.textContent) {
+      const wordCount = estimateWordCount(article.textContent);
+
+      return Ok({
+        title: article.title || 'Untitled',
+        byline: article.byline || null,
+        publishedTime: article.publishedTime || null,
+        content: article.textContent,
+        excerpt: article.excerpt || null,
+        wordCount,
+        readerModeAvailable: true
+      });
+    }
+
+    // Readability failed - fallback to raw text extraction
+    const fallbackText = extractFallbackText(document);
+    const wordCount = estimateWordCount(fallbackText);
+
+    // Extract title from <title> tag as fallback
+    const titleElement = document.querySelector('title');
+    const fallbackTitle = titleElement?.textContent?.trim() || 'Untitled';
+
+    return Ok({
+      title: fallbackTitle,
+      byline: null,
+      publishedTime: null,
+      content: fallbackText,
+      excerpt: null,
+      wordCount,
+      readerModeAvailable: false
+    });
+
+  } catch (error) {
+    return Err(
+      error instanceof Error
+        ? error
+        : new Error(`Reader extraction failed: ${String(error)}`)
+    );
+  }
+}
+
+/**
+ * Estimate word count from text content
+ *
+ * @param text - Text content to count
+ * @returns Estimated word count
+ */
+function estimateWordCount(text: string): number {
+  if (!text || text.trim().length === 0) {
+    return 0;
+  }
+
+  // Split on whitespace and filter out empty strings
+  const words = text.trim().split(/\s+/).filter(word => word.length > 0);
+  return words.length;
+}
+
+/**
+ * Fallback text extraction when Readability fails
+ *
+ * Extracts visible text from the page, skipping script/style elements.
+ *
+ * @param document - JSDOM document
+ * @returns Extracted text content
+ */
+function extractFallbackText(document: Document): string {
+  // Remove script and style elements
+  const scripts = document.querySelectorAll('script, style, noscript');
+  scripts.forEach(el => el.remove());
+
+  // Extract body text
+  const bodyText = document.body?.textContent || '';
+
+  // Clean up whitespace
+  return bodyText
+    .split('\n')
+    .map(line => line.trim())
+    .filter(line => line.length > 0)
+    .join('\n');
+}

package/src/index.ts

@@ -27,6 +27,8 @@ import {
 
 import { visusFetch, visusFetchToolDefinition } from './tools/fetch.js';
 import { visusFetchStructured, visusFetchStructuredToolDefinition } from './tools/fetch-structured.js';
+import { visusRead, visusReadToolDefinition } from './tools/read.js';
+import { visusSearch, visusSearchToolDefinition } from './tools/search.js';
 import { closeBrowser } from './browser/playwright-renderer.js';
 import { detectRuntime, logRuntimeConfig, validateRuntime } from './runtime.js';
 
@@ -52,7 +54,9 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
   return {
     tools: [
       visusFetchToolDefinition,
-      visusFetchStructuredToolDefinition
+      visusFetchStructuredToolDefinition,
+      visusReadToolDefinition,
+      visusSearchToolDefinition
     ]
   };
 });
@@ -105,6 +109,46 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
         };
       }
 
+      case 'visus_read': {
+        const result = await visusRead(args as any);
+
+        if (!result.ok) {
+          throw new McpError(
+            ErrorCode.InternalError,
+            `visus_read failed: ${result.error.message}`
+          );
+        }
+
+        return {
+          content: [
+            {
+              type: 'text',
+              text: JSON.stringify(result.value, null, 2)
+            }
+          ]
+        };
+      }
+
+      case 'visus_search': {
+        const result = await visusSearch(args as any);
+
+        if (!result.ok) {
+          throw new McpError(
+            ErrorCode.InternalError,
+            `visus_search failed: ${result.error.message}`
+          );
+        }
+
+        return {
+          content: [
+            {
+              type: 'text',
+              text: JSON.stringify(result.value, null, 2)
+            }
+          ]
+        };
+      }
+
       default:
         throw new McpError(
           ErrorCode.MethodNotFound,
@@ -138,7 +182,7 @@ async function startMcpServer() {
     event: 'mcp_server_started',
     name: 'visus-mcp',
     version: '0.2.0',
-    tools: ['visus_fetch', 'visus_fetch_structured']
+    tools: ['visus_fetch', 'visus_fetch_structured', 'visus_read', 'visus_search']
   }));
 
   // Graceful shutdown
@@ -188,9 +232,9 @@ async function main() {
   }
 }
 
-// Export Lambda handlers (for AWS deployment)
-// These are only used when the file is imported as a module by Lambda runtime
-export { handler, healthCheck } from './lambda-handler.js';
+// Export Lambda handler (for AWS deployment)
+// This is only used when the file is imported as a module by Lambda runtime
+export { handler } from './lambda-handler.js';
 
 // Run stdio MCP server when executed directly (not in Lambda)
 if (!process.env.AWS_LAMBDA_FUNCTION_NAME) {

package/src/lambda-handler.ts

@@ -14,10 +14,16 @@
  */
 
 import type { APIGatewayProxyEvent, APIGatewayProxyResult, Context } from 'aws-lambda';
+import { DynamoDBClient } from '@aws-sdk/client-dynamodb';
+import { DynamoDBDocumentClient, PutCommand } from '@aws-sdk/lib-dynamodb';
 import { visusFetch } from './tools/fetch.js';
 import { visusFetchStructured } from './tools/fetch-structured.js';
 import { closeBrowser } from './browser/playwright-renderer.js';
 
+// Initialize DynamoDB client
+const ddbClient = new DynamoDBClient({});
+const docClient = DynamoDBDocumentClient.from(ddbClient);
+
 /**
  * API request body for visus_fetch
  */
@@ -36,6 +42,63 @@ interface FetchStructuredRequest {
   timeout_ms?: number;
 }
 
+/**
+ * Fire-and-forget audit logging to DynamoDB
+ *
+ * Logs request metadata without blocking the response.
+ * Errors are logged but do not affect the API response.
+ *
+ * @param userId User ID from Cognito JWT
+ * @param requestId AWS request ID
+ * @param url URL being fetched
+ * @param endpoint API endpoint (/fetch or /fetch-structured)
+ * @param patternsDetected Sanitization patterns detected
+ * @param piiRedacted PII types redacted
+ */
+function logAuditEvent(
+  userId: string,
+  requestId: string,
+  url: string,
+  endpoint: string,
+  patternsDetected: string[],
+  piiRedacted: string[]
+): void {
+  const tableName = process.env.AUDIT_TABLE_NAME;
+
+  if (!tableName) {
+    console.error('AUDIT_TABLE_NAME not set - skipping audit logging');
+    return;
+  }
+
+  const now = new Date();
+  const ttl = Math.floor(now.getTime() / 1000) + (30 * 24 * 60 * 60); // 30 days from now
+
+  const item = {
+    user_id: userId,
+    timestamp: now.toISOString(),
+    request_id: requestId,
+    url,
+    endpoint,
+    patterns_detected: patternsDetected,
+    pii_redacted: piiRedacted,
+    ttl, // Auto-delete after 30 days
+  };
+
+  // Fire-and-forget: do not await
+  docClient.send(new PutCommand({
+    TableName: tableName,
+    Item: item,
+  })).catch((error: unknown) => {
+    // Log error but do not throw (fire-and-forget pattern)
+    console.error(JSON.stringify({
+      timestamp: now.toISOString(),
+      event: 'audit_logging_failed',
+      error: error instanceof Error ? error.message : String(error),
+      request_id: requestId,
+    }));
+  });
+}
+
 /**
  * Lambda handler for Visus API
  *
@@ -65,10 +128,14 @@ export async function handler(
   }));
 
   try {
-    // CORS headers for all responses
+    // CORS headers for all responses (environment-variable-driven allowlist)
+    const allowedOrigins = (process.env.ALLOWED_ORIGINS || '*').split(',');
+    const origin = event.headers.origin || event.headers.Origin || '';
+    const allowOrigin = allowedOrigins.includes(origin) ? origin : allowedOrigins[0] || '*';
+
     const corsHeaders = {
-      'Access-Control-Allow-Origin': '*', // Phase 2: Open. Phase 3: Restrict to Lateos domains
-      'Access-Control-Allow-Methods': 'POST, OPTIONS',
+      'Access-Control-Allow-Origin': allowOrigin,
+      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
       'Access-Control-Allow-Headers': 'Content-Type, Authorization',
       'Content-Type': 'application/json',
     };
@@ -82,7 +149,22 @@ export async function handler(
       };
     }
 
-    // Only allow POST requests
+    // Health check endpoint (no auth required, allows GET and POST)
+    // SECURITY FIX (FINDING 2): Moved before POST-only validation to support standard GET health checks
+    if (event.path === '/health' || event.path === '/dev/health' || event.path === '/prod/health') {
+      return {
+        statusCode: 200,
+        headers: corsHeaders,
+        body: JSON.stringify({
+          status: 'healthy',
+          service: 'visus-mcp',
+          version: '0.3.1',
+          timestamp: new Date().toISOString(),
+        }),
+      };
+    }
+
+    // Only allow POST requests for protected endpoints
     if (event.httpMethod !== 'POST') {
       return {
         statusCode: 405,
@@ -103,8 +185,31 @@ export async function handler(
       };
     }
 
+    // SECURITY FIX (FINDING 1): Application-level authentication enforcement
+    // Extract user ID from Cognito authorizer
+    const userId = event.requestContext.authorizer?.claims?.sub;
+
+    // Require authentication for all protected endpoints (not already handled above)
+    if (!userId) {
+      console.error(JSON.stringify({
+        timestamp: new Date().toISOString(),
+        event: 'auth_required',
+        request_id: requestId,
+        path: event.path,
+        reason: 'Missing Cognito authorizer context - Lambda must be invoked via API Gateway',
+      }));
+
+      return {
+        statusCode: 401,
+        headers: corsHeaders,
+        body: JSON.stringify({
+          error: 'Unauthorized: Authentication required. This Lambda must be invoked via API Gateway with Cognito authorizer.',
+        }),
+      };
+    }
+
     // Route based on path
-    if (event.path === '/fetch' || event.path === '/prod/fetch') {
+    if (event.path === '/fetch' || event.path === '/dev/fetch' || event.path === '/prod/fetch') {
       const fetchReq = body as FetchRequest;
 
       // Validate request
@@ -127,6 +232,16 @@ export async function handler(
         };
       }
 
+      // Fire-and-forget audit logging
+      logAuditEvent(
+        userId,
+        requestId,
+        fetchReq.url,
+        '/fetch',
+        result.value.sanitization.patterns_detected,
+        result.value.sanitization.pii_types_redacted
+      );
+
       return {
         statusCode: 200,
         headers: corsHeaders,
@@ -134,7 +249,7 @@ export async function handler(
       };
     }
 
-    if (event.path === '/fetch-structured' || event.path === '/prod/fetch-structured') {
+    if (event.path === '/fetch-structured' || event.path === '/dev/fetch-structured' || event.path === '/prod/fetch-structured') {
       const fetchReq = body as FetchStructuredRequest;
 
       // Validate request
@@ -165,6 +280,16 @@ export async function handler(
         };
       }
 
+      // Fire-and-forget audit logging
+      logAuditEvent(
+        userId,
+        requestId,
+        fetchReq.url,
+        '/fetch-structured',
+        result.value.sanitization.patterns_detected,
+        result.value.sanitization.pii_types_redacted
+      );
+
       return {
         statusCode: 200,
         headers: corsHeaders,
@@ -203,23 +328,3 @@ export async function handler(
     await closeBrowser();
   }
 }
-
-/**
- * Health check handler
- *
- * @returns API Gateway response
- */
-export async function healthCheck(): Promise<APIGatewayProxyResult> {
-  return {
-    statusCode: 200,
-    headers: {
-      'Content-Type': 'application/json',
-    },
-    body: JSON.stringify({
-      status: 'healthy',
-      service: 'visus-mcp',
-      version: '0.2.0',
-      timestamp: new Date().toISOString(),
-    }),
-  };
-}