Highlights
Auto shipped to production this week. Point it at any URL and it walks a cost-aware ladder (probe, find an exit, browser solve, cheap replay) and returns the content plus the session that got it. A cold Cloudflare Turnstile solve on minfin.bg takes about 5 seconds through Auto; the next call replays through Single at 2 credits. We also added 6 languages across the blog, docs, and updates portal, taking us from 7 to 13.
What's New
Auto: one endpoint, four products, cost-aware
POST /api/auto is live. You hand it a URL and it picks the right product (Single, Proxy Finder, or Browser), handles Cloudflare challenges when they show up, and hands back the response plus a session object with the proxy ID, cookies, and user agent that worked. Reuse the returned session on the next call and Auto replays through Single at 2 credits instead of grinding through a fresh solve.
Every response now carries a meta trace so you can see which rung won, whether a defense was solved, how many sub-calls it took, and the total credits spent. Bring your own validate rules and Auto enforces them on every rung, not just the last one, so a geo-block page returned with transport 200 no longer counts as success the way it used to.
The Dashboard playground got an Auto tab with timeout_ms, ignoreProxies, returnSession, and forceProxy wired up, so you can drive Auto from a form before wiring it into code.
6 new languages
Spanish, French, Japanese, Korean, Brazilian Portuguese, and Russian joined the blog, docs, and updates portal, taking us from 7 to 13 languages across our public sites. Content is translated by a role-aware pipeline: nav labels get a brevity-over-literal prompt so the sidebar stays short, post bodies get a preserve-markdown prompt so code blocks and headings survive intact.
The language switcher got rebuilt too. Flags are gone (Spain's flag alienates the other 20 Spanish-speaking countries, and the same logic applies to Portuguese, Arabic, and English). Native names carry the signal now, and each option also shows its name in the active UI language, so you can find "Deutsch" as "немски" from a Bulgarian browser. Type in the search box at the top to filter 13 locales down to the one you want, use arrow keys to move, hit enter to switch. Each option is a real <a href> with hreflang and lang, so search engines and AI crawlers can follow every language version.
Cloudflare handling: what actually got fixed
Auto now handles four Cloudflare situations that used to leak the wrong response:
- The "Just a moment" interstitial served with transport 200 no longer counts as a success. Auto escalates to a solve rung instead of handing you the challenge page.
- Non-interactive challenges (marathonbet's "Checking your browser" auto-pass) render client-side after clearance. Browser polls the live DOM and finalizes the moment cf_clearance lands, instead of timing out on an empty top-level response.
- The real post-clearance status is honoured. A geo-block that Cloudflare serves after the challenge passes returns 451, not 200 with a suspicious body.
- Interactive Turnstile (minfin.bg) solves end-to-end. Auto tries a direct-egress browser solve first (a trusted egress endpoint passes Turnstile where free datacenter exits get the challenge escalated), then falls back to the proxy grind if that fails.
MCP: foura_auto and public discovery
The MCP server picked up a foura_auto tool that mirrors /api/auto. Hand it a URL, get content and a session back. Discovery (tools, prompts, capabilities) is now unauthenticated so agents can browse before authenticating, and the /llms.txt map is proxied at the root. The landing moved to foura.ai/mcp for link equity, and the subdomain 301s browsers there.
Under the Hood
We tightened the SSRF boundary around the fetchers. A kernel-level egress firewall blocks the two request-issuing services from opening connections to private, CGNAT, link-local, and cloud metadata ranges. The app-level check already covered the URL; now the lower-level paths can't slip anything past either. The proxy field on a request gets the same treatment: a client-supplied proxy host that resolves to a private address is rejected before the request goes out.
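An added example (not the service's own code) of the application-level proxy-host check described above: resolve the client-supplied host, reject it if any answer falls in a blocked range, and return the vetted addresses for the caller to connect to. The function names, the loopback and IPv6 ranges, and the constructed DNS table are assumptions made for this illustration.

```python
import ipaddress
import socket

# Ranges named in the text, plus loopback and IPv6 equivalents (assumptions).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # private (RFC 1918)
    "100.64.0.0/10",                                   # CGNAT (RFC 6598)
    "169.254.0.0/16",           # link-local, includes 169.254.169.254 metadata
    "127.0.0.0/8", "::1/128",                          # loopback
    "fc00::/7", "fe80::/10",                           # IPv6 ULA and link-local
)]

class BlockedDestination(ValueError):
    """Raised when a host resolves to an address the fetcher must not reach."""

def is_blocked(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])      # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                            # ::ffff:10.0.0.5 -> 10.0.0.5
    return any(ip.version == net.version and ip in net for net in BLOCKED_NETS)

def system_resolve(host):
    """All A/AAAA answers; IP literals come back unchanged."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def vet_proxy_host(host, resolve=system_resolve):
    """Return vetted addresses, or raise if ANY answer is in a blocked range.
    Connect to a returned address rather than re-resolving the name."""
    addrs = resolve(host)
    bad = [a for a in addrs if is_blocked(a)]
    if bad or not addrs:
        raise BlockedDestination(f"{host}: {bad[0] if bad else 'no addresses'}")
    return addrs

# Constructed DNS answers so the example runs offline.
CONSTRUCTED_DNS = {
    "proxy.example.net": ["203.0.113.10"],
    "internal.example.net": ["10.1.2.3"],
    "mixed.example.net": ["203.0.113.10", "169.254.169.254"],
    "mapped.example.net": ["::ffff:100.64.0.7"],
}

def constructed_resolve(host):
    return CONSTRUCTED_DNS.get(host, [])
```

Because a name can resolve differently on a second lookup, a check like this only holds if the connection uses the vetted address; the kernel-level egress firewall covers the paths where it does not.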
The Activity log never stores a raw proxy URL anymore, even when a client sent one. The response you see always carries the opaque base36 proxy ID, and the stored payload matches. We also stripped the x-powered-by header from every API response.
Numbers
- The interactive Turnstile solve on minfin.bg: 200 with ministry content in about 5 seconds, then 2 credits per replay through the cached session.
- On a rate-limited target under concurrent load, Auto now spreads across multiple exits (4 distinct exits used on a fixed-exit host, 21 of 24 replays at 2 credits) instead of piling every request onto one exit.
- 13 languages live across blog, docs, and updates.
Auto is the shape of the API we've been building toward all quarter. Point at a URL, get the response, keep the session. The interesting work now is on the edges: measuring how well the cost-aware ladder amortizes on your real traffic, and finding the validate patterns that catch the false-positive success cases nobody thinks about.