Remove client-side PDF parsing and add URL support to methods

- Remove getPdfPageCount, isValidPdf, and processRemoteFileInput functions
- Remove allowUrlFetch client option (SSRF protection by design)
- Most methods now accept FileInputWithUrl - URLs passed to server
- Leverage API's native negative index support (-1 = last page)
- sign() remains the only method requiring local files (API limitation)
- Reduces bundle size by ~400 lines of PDF parsing code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: nickwinder

README.md

@@ -67,21 +67,32 @@ const client = new NutrientClient({
 });
 ```
 
-### URL Fetching (SSRF Protection)
+### Working with URLs
 
-By default, the SDK blocks automatic fetching of content from URLs to protect against Server-Side Request Forgery (SSRF) attacks. To enable URL fetching for trusted sources:
+Most methods accept URLs directly. The URL is passed to the server, which fetches the content—this avoids SSRF vulnerabilities since the client never fetches URLs itself.
 
 ```typescript
-const client = new NutrientClient({
-  apiKey: 'nutr_sk_your_secret_key',
-  allowUrlFetch: true  // Enable URL fetching (use with caution)
-});
+// Pass URL as a string
+const result = await client.convert('https://example.com/document.pdf', 'docx');
 
-// Now you can pass URLs directly
-const result = await client.convert('https://trusted-source.com/document.pdf', 'pdf');
+// Or as an object (useful for TypeScript type narrowing)
+const result = await client.convert({ type: 'url', url: 'https://example.com/document.pdf' }, 'docx');
+
+// URLs also work with the workflow builder
+const result = await client.workflow()
+  .addFilePart('https://example.com/document.pdf')
+  .outputPdf()
+  .execute();
 ```
 
-**⚠️ Security Warning:** Only enable `allowUrlFetch` if you control the URLs being processed. Never enable it when processing untrusted user input.
+**Exception:** The `sign()` method only accepts local files (file paths, Buffers, streams) because the underlying API endpoint doesn't support URL inputs. For signing remote files, fetch the content first:
+
+```typescript
+// Fetch and pass the bytes for signing
+const response = await fetch('https://example.com/document.pdf');
+const buffer = Buffer.from(await response.arrayBuffer());
+const result = await client.sign(buffer, { /* signature options */ });
+```
 
 ## Direct Methods
 

src/__tests__/integration.test.ts

@@ -18,7 +18,6 @@ import {
   samplePNG,
   TestDocumentGenerator,
 } from './helpers';
-import { getPdfPageCount, processFileInput } from '../inputs';
 
 // Skip integration tests in CI/automated environments unless explicitly enabled with valid API key
 const shouldRunIntegrationTests = Boolean(process.env['NUTRIENT_API_KEY']);
@@ -236,13 +235,11 @@ describeIntegration('Integration Tests with Live API - Direct Methods', () => {
     describe('merge()', () => {
       it('should merge multiple PDF files', async () => {
         const result = await client.merge([samplePDF, samplePDF, samplePDF]);
-        const normalizedPdf = await processFileInput(samplePDF);
-        const pageCount = await getPdfPageCount(normalizedPdf);
         expect(result).toBeDefined();
         expect(result.buffer).toBeInstanceOf(Uint8Array);
         expect(result.mimeType).toBe('application/pdf');
-        const normalizedResult = await processFileInput(result.buffer);
-        await expect(getPdfPageCount(normalizedResult)).resolves.toBe(pageCount * 3);
+        // Merged PDF should be larger than original
+        expect(result.buffer.length).toBeGreaterThan(samplePDF.length);
       }, 60000);
     });
 

src/__tests__/unit/client.test.ts

@@ -114,12 +114,6 @@ interface MockWorkflowWithOutputStage<T extends keyof OutputTypeMap | undefined
 const mockValidateFileInput = inputsModule.validateFileInput as jest.MockedFunction<
   typeof inputsModule.validateFileInput
 >;
-const mockIsValidPdf = inputsModule.isValidPdf as jest.MockedFunction<
-  typeof inputsModule.isValidPdf
->;
-const mockGetPdfPageCount = inputsModule.getPdfPageCount as jest.MockedFunction<
-  typeof inputsModule.getPdfPageCount
->;
 const mockSendRequest = httpModule.sendRequest as jest.MockedFunction<
   typeof httpModule.sendRequest
 >;
@@ -173,8 +167,6 @@ describe('NutrientClient', () => {
   beforeEach(() => {
     jest.clearAllMocks();
     mockValidateFileInput.mockReturnValue(true);
-    mockIsValidPdf.mockResolvedValue(true);
-    mockGetPdfPageCount.mockResolvedValue(10);
     mockSendRequest.mockResolvedValue({
       data: TestDocumentGenerator.generateSimplePdf() as never,
       status: 200,
@@ -240,70 +232,6 @@ describe('NutrientClient', () => {
       ).toThrow('Base URL must be a string');
     });
 
-    it('should accept allowUrlFetch option', () => {
-      const clientWithUrlFetch = new NutrientClient({
-        apiKey: 'test-key',
-        allowUrlFetch: true,
-      });
-      expect(clientWithUrlFetch).toBeDefined();
-
-      const clientWithoutUrlFetch = new NutrientClient({
-        apiKey: 'test-key',
-        allowUrlFetch: false,
-      });
-      expect(clientWithoutUrlFetch).toBeDefined();
-    });
-  });
-
-  describe('SSRF Protection', () => {
-    let client: NutrientClient;
-
-    beforeEach(() => {
-      jest.clearAllMocks();
-    });
-
-    it('should pass allowUrlFetch=false to processRemoteFileInput by default', async () => {
-      (inputsModule.isRemoteFileInput as jest.Mock).mockReturnValue(true);
-      (inputsModule.processRemoteFileInput as jest.Mock).mockRejectedValue(
-        new ValidationError('SSRF protection: URL fetching disabled'),
-      );
-
-      client = new NutrientClient({
-        apiKey: 'test-key',
-      });
-
-      await expect(client.sign('https://example.com/test.pdf')).rejects.toThrow(
-        /SSRF protection/,
-      );
-      expect(inputsModule.processRemoteFileInput).toHaveBeenCalledWith(
-        'https://example.com/test.pdf',
-        false,
-      );
-    });
-
-    it('should pass allowUrlFetch=true when configured', async () => {
-      const mockBuffer = TestDocumentGenerator.generateSimplePdf('Test');
-      (inputsModule.isRemoteFileInput as jest.Mock).mockReturnValue(true);
-      (inputsModule.processRemoteFileInput as jest.Mock).mockResolvedValue({
-        data: mockBuffer,
-        filename: 'test.pdf',
-      });
-      (inputsModule.isValidPdf as jest.Mock).mockResolvedValue(true);
-      (httpModule.sendRequest as jest.Mock).mockResolvedValue({
-        data: mockBuffer,
-      });
-
-      client = new NutrientClient({
-        apiKey: 'test-key',
-        allowUrlFetch: true,
-      });
-
-      await client.sign('https://example.com/test.pdf');
-      expect(inputsModule.processRemoteFileInput).toHaveBeenCalledWith(
-        'https://example.com/test.pdf',
-        true,
-      );
-    });
   });
 
   describe('workflow()', () => {
@@ -1121,8 +1049,7 @@ describe('NutrientClient', () => {
 
       await client.addPage(file, count, index);
 
-      // Mock getPdfPageCount to test index logic
-      // This is a simplified test since we can't easily mock the internal implementation
+      // Verify the workflow was called with the correct page ranges
       expect(mockWorkflowInstance.addFilePart).toHaveBeenCalledWith(file, {
         pages: { end: 1, start: 0 },
       });
@@ -1234,18 +1161,19 @@ describe('NutrientClient', () => {
 
     it('should delete specific pages from a document', async () => {
       const file = 'test-file.pdf';
-      const pageIndices = [3, 1, 1];
+      const pageIndices = [3, 1, 1]; // Delete pages 1 and 3 (duplicates removed)
 
       await client.deletePages(file, pageIndices);
 
+      // Should keep: [0-0], [2-2], [4 to end]
       expect(mockWorkflowInstance.addFilePart).toHaveBeenCalledWith(file, {
-        pages: { end: 0, start: 0 },
+        pages: { start: 0, end: 0 },
       });
       expect(mockWorkflowInstance.addFilePart).toHaveBeenCalledWith(file, {
-        pages: { end: 2, start: 2 },
+        pages: { start: 2, end: 2 },
       });
       expect(mockWorkflowInstance.addFilePart).toHaveBeenCalledWith(file, {
-        pages: { end: 9, start: 4 },
+        pages: { start: 4, end: -1 }, // -1 means "to end of document"
       });
       expect(mockWorkflowInstance.addFilePart).toHaveBeenCalledTimes(3);
       expect(mockWorkflowInstance.outputPdf).toHaveBeenCalled();