[Feature]: Add ssrfPolicy config support for web_fetch tool (parity with browser) #25322

@chancheuklap

Description

Summary

web_fetch tool lacks ssrfPolicy configuration support, unlike the browser tool which already has it (and defaults to dangerouslyAllowPrivateNetwork=true as of v2026.2.23). This causes web_fetch to fail in environments where DNS resolves to special-use IP ranges.

Problem

Users running Clash/mihomo with fake-ip mode (a common proxy setup in China and corporate environments) encounter SsrFBlockedError: Blocked: resolves to private/internal/special-use IP address on every web_fetch call.

Root cause: Clash fake-ip mode returns IPs from 198.18.0.0/16 (RFC 2544 benchmarking range). OpenClaw SSRF protection correctly blocks this range via isBlockedSpecialUseIpv4Address(), but web_fetch has no config option to opt out.

Code path:

  • createWebFetchTool() → runWebFetch() → fetchWithSsrFGuard() — does NOT pass any policy parameter
  • resolvePinnedHostnameWithPolicy() defaults to allowPrivateNetwork: false
  • DNS resolves to 198.18.x.x → blocked

Browser tool already solved this:

  • browser.ssrfPolicy.dangerouslyAllowPrivateNetwork config option exists
  • v2026.2.23 defaults it to true for trusted-network setups

Proposed Solution

Add ssrfPolicy (or a subset like dangerouslyAllowPrivateNetwork) to the tools.web.fetch config schema, and pass it through to fetchWithSsrFGuard() in the web_fetch tool implementation.

Example config:

gateway:
  tools:
    web:
      fetch:
        ssrfPolicy:
          dangerouslyAllowPrivateNetwork: true

This is a minimal change:

  1. Add ssrfPolicy to ToolsWebFetchSchema (same shape as browser.ssrfPolicy)
  2. Pass it as policy to fetchWithSsrFGuard() in runWebFetch()

Context

  • Related (closed, PR not merged): [Feature]: Add HTTP proxy support for web_fetch tool #6298 proposed adding a proxy config, but was rejected due to security concerns about bypassing SSRF entirely. This proposal is different — it reuses the existing ssrfPolicy mechanism that browser already has.
  • Affected version: 2026.2.22-2 (and likely all versions with SSRF protection)
  • Workaround: Add affected domains to Clash fake-ip-filter so they get real DNS resolution instead of fake IPs. This is domain-by-domain whack-a-mole.
  • Environment: macOS + Clash Verge (mihomo) with TUN + fake-ip mode, which is an extremely common setup for developers in mainland China.
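The blocking behaviour the issue describes, as an added illustration (this is not OpenClaw's code and does not reproduce its isBlockedSpecialUseIpv4Address() or fetchWithSsrFGuard() implementation): a small special-use IPv4 table, a CIDR check that avoids JavaScript's signed 32-bit bitwise operators, a constructed stand-in for DNS answers (including a 198.18.x.x fake-ip answer), and a guard that honours a hypothetical dangerouslyAllowPrivateNetwork policy flag of the shape proposed above.

```typescript
// Added example, not project code: a minimal model of an SSRF guard that
// refuses special-use IPv4 destinations unless a policy explicitly opts out.

type SsrfPolicy = { dangerouslyAllowPrivateNetwork?: boolean };

// Constructed table of special-use IPv4 ranges (RFC 6890 and related): [base, prefix, reason].
const SPECIAL_USE_IPV4: Array<[string, number, string]> = [
  ["0.0.0.0", 8, "this network"],
  ["10.0.0.0", 8, "private (RFC 1918)"],
  ["100.64.0.0", 10, "shared address space (RFC 6598)"],
  ["127.0.0.0", 8, "loopback"],
  ["169.254.0.0", 16, "link-local (includes cloud metadata 169.254.169.254)"],
  ["172.16.0.0", 12, "private (RFC 1918)"],
  ["192.0.0.0", 24, "IETF protocol assignments"],
  ["192.0.2.0", 24, "TEST-NET-1"],
  ["192.168.0.0", 16, "private (RFC 1918)"],
  ["198.18.0.0", 15, "benchmarking (RFC 2544); default Clash fake-ip pool"],
  ["198.51.100.0", 24, "TEST-NET-2"],
  ["203.0.113.0", 24, "TEST-NET-3"],
  ["224.0.0.0", 4, "multicast"],
  ["240.0.0.0", 4, "reserved"],
];

// Parse dotted-quad IPv4 into an unsigned integer. Arithmetic instead of
// shifts/ORs, because JS bitwise ops wrap to signed 32-bit at 128.0.0.0.
function ipv4ToInt(ip: string): number {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`not an IPv4 address: ${ip}`);
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip: number, base: string, prefix: number): boolean {
  const size = 2 ** (32 - prefix);
  const start = Math.floor(ipv4ToInt(base) / size) * size; // align base to the block
  return ip >= start && ip < start + size;
}

// Returns the reason the address is special-use, or null if it is globally routable.
function blockedSpecialUseReason(ip: string): string | null {
  const n = ipv4ToInt(ip);
  for (const [base, prefix, reason] of SPECIAL_USE_IPV4) {
    if (inCidr(n, base, prefix)) return reason;
  }
  return null;
}

// Constructed stand-in for DNS so the example runs offline. "docs.example" models
// a host whose answer comes from the fake-ip pool rather than a real resolver.
const FAKE_DNS: Record<string, string> = {
  "docs.example": "198.18.0.42",
  "public.example": "93.184.216.34",
  "metadata.internal": "169.254.169.254",
};

type GuardResult = { ok: true; ip: string } | { ok: false; error: string };

// Hypothetical guard: resolve, then block special-use answers unless the policy opts out.
function guardFetchTarget(hostname: string, policy: SsrfPolicy = {}): GuardResult {
  const ip = FAKE_DNS[hostname];
  if (!ip) return { ok: false, error: `DNS: no record for ${hostname}` };
  const reason = blockedSpecialUseReason(ip);
  if (reason !== null && !policy.dangerouslyAllowPrivateNetwork) {
    return {
      ok: false,
      error: `Blocked: resolves to private/internal/special-use IP address (${ip}: ${reason})`,
    };
  }
  return { ok: true, ip };
}

// Default policy: the fake-ip answer is refused, exactly the failure the issue reports.
console.log(guardFetchTarget("docs.example"));
// Opt-out policy: the same host is allowed through.
console.log(guardFetchTarget("docs.example", { dangerouslyAllowPrivateNetwork: true }));
// Note what the opt-out also admits: a link-local (metadata-style) destination.
console.log(guardFetchTarget("metadata.internal", { dangerouslyAllowPrivateNetwork: true }));
```

The last line is the caveat worth keeping in view when reviewing a config option of this shape: a single boolean lifts the whole special-use table, including link-local and RFC 1918 ranges, not just the 198.18.0.0/15 pool that fake-ip mode uses. If the only goal is to coexist with fake-ip, a narrower knob (an explicit list of additional allowed CIDRs, or an allowance scoped to the fake-ip pool) keeps the rest of the protection intact.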
