openclaw
diff --git a/‎docs/.generated/config-baseline.json‎
Lines changed: 747 additions & 138 deletions b/‎docs/.generated/config-baseline.json‎
Lines changed: 747 additions & 138 deletions
diff --git a/‎docs/.generated/config-baseline.jsonl‎
Lines changed: 87 additions & 59 deletions b/‎docs/.generated/config-baseline.jsonl‎
Lines changed: 87 additions & 59 deletions
diff --git a/‎docs/.generated/plugin-sdk-api-baseline.json‎
Lines changed: 8 additions & 8 deletions b/‎docs/.generated/plugin-sdk-api-baseline.json‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎docs/.generated/plugin-sdk-api-baseline.jsonl‎
Lines changed: 8 additions & 8 deletions b/‎docs/.generated/plugin-sdk-api-baseline.jsonl‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎extensions/browser/src/browser/config.test.ts‎
Lines changed: 14 additions & 0 deletions b/‎extensions/browser/src/browser/config.test.ts‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎extensions/browser/src/browser/config.ts‎
Lines changed: 3 additions & 0 deletions b/‎extensions/browser/src/browser/config.ts‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎extensions/google/src/gemini-web-search-provider.ts‎
Lines changed: 6 additions & 1 deletion b/‎extensions/google/src/gemini-web-search-provider.ts‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎extensions/mattermost/src/mattermost/send.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/mattermost/src/mattermost/send.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/msteams/src/send.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/msteams/src/send.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/signal/src/send.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/signal/src/send.ts‎
Lines changed: 1 addition & 0 deletions
@@ -1015,7 +1015,7 @@
           "exportName": "BlockStreamingCoalesceSchema",
           "kind": "const",
           "source": {
-            "line": 339,
+            "line": 350,
             "path": "src/config/zod-schema.core.ts"
           }
         },
@@ -1033,7 +1033,7 @@
           "exportName": "DmConfigSchema",
           "kind": "const",
           "source": {
-            "line": 293,
+            "line": 304,
             "path": "src/config/zod-schema.core.ts"
           }
         },
@@ -1042,7 +1042,7 @@
           "exportName": "DmPolicySchema",
           "kind": "const",
           "source": {
-            "line": 337,
+            "line": 348,
             "path": "src/config/zod-schema.core.ts"
           }
         },
@@ -1060,7 +1060,7 @@
           "exportName": "GroupPolicySchema",
           "kind": "const",
           "source": {
-            "line": 335,
+            "line": 346,
             "path": "src/config/zod-schema.core.ts"
           }
         },
@@ -1078,7 +1078,7 @@
           "exportName": "MarkdownConfigSchema",
           "kind": "const",
           "source": {
-            "line": 371,
+            "line": 382,
             "path": "src/config/zod-schema.core.ts"
           }
         },
@@ -1096,7 +1096,7 @@
           "exportName": "ReplyRuntimeConfigSchemaShape",
           "kind": "const",
           "source": {
-            "line": 347,
+            "line": 358,
             "path": "src/config/zod-schema.core.ts"
           }
         },
@@ -1105,7 +1105,7 @@
           "exportName": "requireOpenAllowFrom",
           "kind": "const",
           "source": {
-            "line": 486,
+            "line": 497,
             "path": "src/config/zod-schema.core.ts"
           }
         },
@@ -1141,7 +1141,7 @@
           "exportName": "ToolPolicySchema",
           "kind": "const",
           "source": {
-            "line": 253,
+            "line": 254,
             "path": "src/config/zod-schema.agent-runtime.ts"
           }
         },
 
@@ -233,12 +233,14 @@ describe("browser config", () => {
     const resolved = resolveBrowserConfig({
       ssrfPolicy: {
         allowPrivateNetwork: true,
+        allowRfc2544BenchmarkRange: true,
         allowedHostnames: [" localhost ", ""],
         hostnameAllowlist: [" *.trusted.example ", " "],
       },
     });
     expect(resolved.ssrfPolicy).toEqual({
       dangerouslyAllowPrivateNetwork: true,
+      allowRfc2544BenchmarkRange: true,
       allowedHostnames: ["localhost"],
       hostnameAllowlist: ["*.trusted.example"],
     });
@@ -260,6 +262,18 @@ describe("browser config", () => {
     expect(resolved.ssrfPolicy).toEqual({});
   });
 
+  it("preserves allowRfc2544BenchmarkRange even in strict browser mode", () => {
+    const resolved = resolveBrowserConfig({
+      ssrfPolicy: {
+        dangerouslyAllowPrivateNetwork: false,
+        allowRfc2544BenchmarkRange: true,
+      },
+    });
+    expect(resolved.ssrfPolicy).toEqual({
+      allowRfc2544BenchmarkRange: true,
+    });
+  });
+
   it("resolves existing-session profiles without cdpPort or cdpUrl", () => {
     const resolved = resolveBrowserConfig({
       profiles: {
 
@@ -102,6 +102,7 @@ function normalizeStringList(raw: string[] | undefined): string[] | undefined {
 function resolveBrowserSsrFPolicy(cfg: BrowserConfig | undefined): SsrFPolicy | undefined {
   const allowPrivateNetwork = cfg?.ssrfPolicy?.allowPrivateNetwork;
   const dangerouslyAllowPrivateNetwork = cfg?.ssrfPolicy?.dangerouslyAllowPrivateNetwork;
+  const allowRfc2544BenchmarkRange = cfg?.ssrfPolicy?.allowRfc2544BenchmarkRange;
   const allowedHostnames = normalizeStringList(cfg?.ssrfPolicy?.allowedHostnames);
   const hostnameAllowlist = normalizeStringList(cfg?.ssrfPolicy?.hostnameAllowlist);
   const hasExplicitPrivateSetting =
@@ -115,6 +116,7 @@ function resolveBrowserSsrFPolicy(cfg: BrowserConfig | undefined): SsrFPolicy |
   if (
     !resolvedAllowPrivateNetwork &&
     !hasExplicitPrivateSetting &&
+    allowRfc2544BenchmarkRange !== true &&
     !allowedHostnames &&
     !hostnameAllowlist
   ) {
@@ -123,6 +125,7 @@ function resolveBrowserSsrFPolicy(cfg: BrowserConfig | undefined): SsrFPolicy |
 
   return {
     ...(resolvedAllowPrivateNetwork ? { dangerouslyAllowPrivateNetwork: true } : {}),
+    ...(allowRfc2544BenchmarkRange === true ? { allowRfc2544BenchmarkRange: true } : {}),
     ...(allowedHostnames ? { allowedHostnames } : {}),
     ...(hostnameAllowlist ? { hostnameAllowlist } : {}),
   };
 
@@ -1,4 +1,5 @@
 import { Type } from "@sinclair/typebox";
+import type { SsrFPolicy } from "openclaw/plugin-sdk/infra-runtime";
 import { DEFAULT_GOOGLE_API_BASE_URL } from "openclaw/plugin-sdk/provider-google";
 import {
   buildSearchCacheKey,
@@ -82,6 +83,7 @@ async function runGeminiSearch(params: {
   apiKey: string;
   model: string;
   timeoutSeconds: number;
+  citationRedirectSsrFPolicy?: SsrFPolicy;
 }): Promise<{ content: string; citations: Array<{ url: string; title?: string }> }> {
   const endpoint = `${GEMINI_API_BASE}/models/${params.model}:generateContent`;
 
@@ -144,7 +146,9 @@ async function runGeminiSearch(params: {
         const resolved = await Promise.all(
           batch.map(async (citation) => ({
             ...citation,
-            url: await resolveCitationRedirectUrl(citation.url),
+            url: await resolveCitationRedirectUrl(citation.url, {
+              ssrfPolicy: params.citationRedirectSsrFPolicy,
+            }),
           })),
         );
         citations.push(...resolved);
@@ -221,6 +225,7 @@ function createGeminiToolDefinition(
         apiKey,
         model,
         timeoutSeconds: resolveSearchTimeoutSeconds(searchConfig),
+        citationRedirectSsrFPolicy: searchConfig?.citationRedirect?.ssrfPolicy,
       });
       const payload = {
         query,
 
@@ -401,6 +401,7 @@ export async function sendMessageMattermost(
     try {
       const media = await loadOutboundMediaFromUrl(mediaUrl, {
         mediaLocalRoots: opts.mediaLocalRoots,
+        ssrfPolicy: cfg.messages?.remoteMedia?.ssrfPolicy,
       });
       const fileInfo = await uploadMattermostFile(client, {
         channelId,
 
@@ -127,6 +127,7 @@ export async function sendMessageMSTeams(
     const media = await loadOutboundMediaFromUrl(mediaUrl, {
       maxBytes: mediaMaxBytes,
       mediaLocalRoots,
+      ssrfPolicy: cfg.messages?.remoteMedia?.ssrfPolicy,
     });
     const isLargeFile = media.buffer.length >= FILE_CONSENT_THRESHOLD_BYTES;
     const isImage = media.contentType?.startsWith("image/") ?? false;
 
@@ -129,6 +129,7 @@ export async function sendMessageSignal(
   if (opts.mediaUrl?.trim()) {
     const resolved = await resolveOutboundAttachmentFromUrl(opts.mediaUrl.trim(), maxBytes, {
       localRoots: opts.mediaLocalRoots,
+      ssrfPolicy: cfg.messages?.remoteMedia?.ssrfPolicy,
     });
     attachments = [resolved.path];
     const kind = kindFromMime(resolved.contentType ?? undefined);