feat: remove bear-grab-url tool #108

Merged: vasylenko merged 1 commit into main from remove-fetch-url on Apr 21, 2026

vasylenko (Owner) commented Apr 21, 2026

Summary

  • Removes the bear-grab-url MCP tool — the server now exposes 12 tools instead of 13.
  • The tool was introduced in v2.10.0 (feat: add bear-grab-url tool for saving web pages as notes #96); this PR is a pure subtraction of its registration, URL-param plumbing (url/pin/wait), its unit tests in src/bear-urls.test.ts, and its system test file.
  • Manifest, README, docs/user/NPM.md, and the website feature grid are updated to the new tool count; a ### Removed entry is added under [Unreleased] in CHANGELOG.md.
  • docs/dev/SECURITY.md has two stale factual references to the tool trimmed; all forward-looking principles about network fetch as a capability class are preserved.
  • Unrelated changes that shipped in the same v2.10.0 merge are intentionally kept: the busy_timeout = 3000 SQLite pragma in src/database.ts, project-structure additions in CLAUDE.md, and the pollUntil / waitForFileContent helpers in tests/system/inspector.ts (still used by attached-files.test.ts).

Why

Triggered by discussion in #106

Two reasons, both aligned with existing project principles:

  • Network-free server (security). Fetching remote web pages is a prompt-injection vector — attacker-controlled HTML becomes tool output, which becomes model context. Dropping the tool eliminates that attack surface entirely and matches the threat model already documented in docs/dev/SECURITY.md.
  • Marketing coherence. The README's long-standing "Local-only — no network calls, all data stays on your Mac" claim is now unconditionally true. Previously it was half-true: the MCP server itself made no network calls, but it delegated fetching to Bear on behalf of the LLM.
  • KISS / YAGNI. Niche utility that didn't justify its ongoing maintenance surface.

Verification: task build (tsc clean, 37 unit tests), task test:system (57 system tests across 10 files), and a full-tree grep confirming the only remaining grab-url references are the two intentional ones in CHANGELOG.md (the new Unreleased/Removed entry and the historical v2.10.0 Added entry).
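
The full-tree grep from the verification step above, written as a repeatable check that fails if `grab-url` reappears anywhere outside CHANGELOG.md. This is an added example, not part of the PR or the project's scripts; the function names and the excluded directories are assumptions.

```shell
#!/usr/bin/env bash
# Added example: regression guard for the state reported in the PR's
# verification step. NEEDLE and ALLOWED_FILE come from the PR text; the
# excluded directories are assumed build/vendor paths.
NEEDLE='grab-url'
ALLOWED_FILE='CHANGELOG.md'

# List files under $1 that mention the removed tool (paths relative to $1),
# skipping VCS metadata and build/vendor output.
files_mentioning_tool() {
  ( cd "$1" && grep -rlF --exclude-dir=.git --exclude-dir=node_modules \
      --exclude-dir=dist -- "$NEEDLE" . 2>/dev/null | sed 's|^\./||' | sort )
}

# Succeed only if no file other than the top-level CHANGELOG.md mentions the
# tool and CHANGELOG.md has exactly $2 matching lines (default 2: the
# Unreleased/Removed entry and the historical v2.10.0 Added entry).
check_tool_removed() {
  local root="$1" expected="${2:-2}" stray count
  stray=$(files_mentioning_tool "$root" | grep -vxF -- "$ALLOWED_FILE") || true
  if [ -n "$stray" ]; then
    printf 'unexpected %s reference in:\n%s\n' "$NEEDLE" "$stray" >&2
    return 1
  fi
  # grep -c counts matching lines and exits 1 on zero, hence "|| true".
  count=$(grep -cF -- "$NEEDLE" "$root/$ALLOWED_FILE" 2>/dev/null) || true
  if [ "${count:-0}" -ne "$expected" ]; then
    printf '%s: expected %s matching lines, found %s\n' \
      "$ALLOWED_FILE" "$expected" "${count:-0}" >&2
    return 1
  fi
  return 0
}

# Run against a directory when executed directly with "--run [dir] [count]".
if [ "${1:-}" = "--run" ]; then check_tool_removed "${2:-.}" "${3:-2}"; fi
```

A nested file such as docs/CHANGELOG.md is still flagged, because only the exact top-level path is exempt.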

Removes the bear-grab-url tool (introduced in v2.10.0) to keep the MCP
server network-free and eliminate prompt-injection risk from fetched
web content.

- Drops the tool registration, its URL params (url/pin/wait), and
  grab-url-specific unit and system tests.
- Updates manifest.json, README.md, docs/user/NPM.md, and the website
  feature grid from 13 tools to 12.
- Trims now-stale factual references to the tool from docs/dev/SECURITY.md
  while keeping the forward-looking network-fetch principles intact.
- Adds an Unreleased/Removed entry in CHANGELOG.md.

Copilot AI review requested due to automatic review settings April 21, 2026 17:55

Copilot AI left a comment

Pull request overview

This PR removes the bear-grab-url MCP tool and its related plumbing/tests, updating manifests and documentation to reflect a 12-tool server and to align with the project’s “network-free server” security posture.

Changes:

  • Removed bear-grab-url tool registration, URL-parameter support (url/pin/wait), and its unit/system tests.
  • Updated manifest + docs/README/website copy to reflect 12 tools and removed the tool from tool lists.
  • Added an [Unreleased] changelog entry documenting the removal and trimmed stale references in docs/dev/SECURITY.md.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| website/src/components/FeatureGrid.astro | Updates marketing copy from 13 → 12 tools. |
| tests/system/grab-url.test.ts | Removes system coverage for the deleted tool. |
| src/main.ts | Removes bear-grab-url tool registration and handler. |
| src/bear-urls.ts | Removes url/pin/wait params from Bear URL builder surface. |
| src/bear-urls.test.ts | Removes unit tests that only applied to the deleted grab-url plumbing. |
| manifest.json | Removes the tool from the extension’s tool manifest. |
| docs/user/NPM.md | Updates tool count and removes the tool from the documented list. |
| docs/dev/SECURITY.md | Removes stale references to outbound fetch via the deleted tool. |
| README.md | Updates tool count and removes the tool from the documented list. |
| CHANGELOG.md | Documents tool removal under [Unreleased]. |

@vasylenko vasylenko merged commit 6265fce into main Apr 21, 2026
13 checks passed
@vasylenko vasylenko deleted the remove-fetch-url branch April 23, 2026 11:36