fix: guard MCP HTTP redirects [AI]

[pgondhi987]

Summary

• Routes MCP HTTP, SSE, and Streamable HTTP requests through the shared SSRF-guarded fetch path.
• Keeps operator-configured MCP origin trust scoped to the configured origin, while redirect hops are re-evaluated independently.
• Preserves MCP header behavior and same-origin TLS/client-certificate options, without keeping the duplicate Streamable HTTP redirect loop.
• Out of scope: changing MCP configuration shape, OAuth flow behavior, provider routing, plugin APIs, or global network proxy policy.

Reviewers should focus on redirect behavior, exact-origin trust boundaries, dispatcher cleanup, and the per-hop dispatcher policy path in fetchWithSsrFGuard.

Linked context

Private maintainer security tracking; no public issue is linked from this PR.

Real behavior proof (required for external PRs)

• Behavior or issue addressed: MCP HTTP redirects now go through the shared SSRF guard, so redirect targets are checked per hop instead of inheriting trust from the configured MCP URL.
• Real environment tested: Local OpenClaw source checkout on Node 24.15.0; no live external MCP server was used.
• Exact steps or command run after this patch: node scripts/run-vitest.mjs src/agents/mcp-transport.test.ts src/agents/mcp-http-fetch.test.ts src/infra/net/fetch-guard.ssrf.test.ts
• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output): Vitest passed 2 shards; src/infra/net/fetch-guard.ssrf.test.ts passed 85 tests and MCP transport/fetch tests passed 12 tests.
• Observed result after fix: A Streamable HTTP redirect to 169.254.169.254 is rejected before the redirected request is sent.
• What was not tested: A live external MCP server redirect flow was not exercised locally.
• Proof limitations or environment constraints: Validation used mocked DNS and HTTP fetches for deterministic SSRF regression coverage.
• Before evidence (optional but encouraged): Existing Streamable HTTP redirect tests only asserted manual redirect following and header scrubbing; they did not cover SSRF blocking on redirected targets.

Tests and validation

Commands run:

• pnpm exec oxfmt --write --threads=1 src/agents/mcp-http-fetch.ts src/agents/mcp-transport.ts src/infra/net/fetch-guard.ts src/agents/mcp-transport.test.ts src/agents/mcp-http-fetch.test.ts
• node scripts/run-vitest.mjs src/agents/mcp-transport.test.ts src/agents/mcp-http-fetch.test.ts src/infra/net/fetch-guard.ssrf.test.ts
• node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core.tsbuildinfo
• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.test.src.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/test-src.tsbuildinfo
• git diff --check origin/main...HEAD

Regression coverage added:

• Streamable HTTP redirect to a private/link-local target is blocked before the second fetch.
• MCP TLS override scoping still keeps custom TLS options on the configured MCP origin only.
• Shared fetch guard redirect loop detection now accounts for the rewritten request method.

Risk checklist

Did user-visible behavior change? (Yes/No)

Yes. MCP HTTP redirects to blocked private/internal/special-use targets now fail instead of being followed.

Did config, environment, or migration behavior change? (Yes/No)

No.

Did security, auth, secrets, network, or tool execution behavior change? (Yes/No)

Yes. Network egress for MCP HTTP transports now uses the shared SSRF guard and per-hop redirect checks.

What is the highest-risk area?

MCP servers that relied on redirects to private/internal destinations outside the configured MCP origin may now fail.

How is that risk mitigated?

The configured MCP origin still receives exact-origin trust, TLS overrides stay scoped to that origin, and redirect behavior is covered by focused MCP and shared fetch-guard tests.

Current review state

What is the next action?

Await maintainer review, automated checks, review-pr, autoreview, and the advisory gate.

What is still waiting on author, maintainer, CI, or external proof?

GitHub Actions and post-PR review gates are still pending.

Which bot or reviewer comments were addressed?

None yet.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 4, 2026, 2:42 AM ET / 06:42 UTC.

Summary
The PR routes MCP HTTP/SSE/Streamable HTTP fetches through shared SSRF-guarded redirect handling, removes the Streamable-specific redirect loop, and adds focused MCP/fetch-guard regression tests.

PR surface: Source -7, Tests +120. Total +113 across 5 files.

Reproducibility: yes. at source level: current main's Streamable redirect follower follows redirect targets through the MCP fetch helper outside fetchWithSsrFGuard. The PR tests and supplied local HTTP proof cover the private-target redirect being blocked before the second request.

Review metrics: 2 noteworthy metrics.

• MCP redirect trust change: 1 duplicate redirect loop removed; shared guard now owns MCP HTTP redirects. Maintainers should notice that redirect behavior is centralized instead of preserving the old Streamable-specific path.
• Config and migration surface: 0 added, 0 changed, 0 migrations. The private-redirect block is unconditional, so compatibility acceptance cannot be deferred to an operator setting.

Merge readiness
Overall: 🦞 diamond lobster
Proof: 🦞 diamond lobster
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• [P1] MCP servers that intentionally relied on redirects from the configured MCP origin to private, link-local, or internal targets will now fail; that is likely the desired security posture, but it is still an upgrade-visible compatibility break.
• [P1] The patch changes a security boundary in core network egress, so maintainer/advisory approval should own the final accept-risk decision even though the source review found no concrete patch defect.
• [P1] The proof covers deterministic tests and a local live HTTP redirect setup, but not a live third-party MCP/OAuth server redirect flow.

Maintainer options:

1. Land after security approval (recommended)
   Accept the intentional fail-closed compatibility break once the maintainer/advisory gate confirms private redirect targets should be blocked by default.
2. Add an explicit exception path
   If maintainers decide some private redirect workflows are supported, add a narrowly documented and tested opt-in rather than weakening the default guard.
3. Pause if advisory scope changes
   If the private tracking issue requires live external MCP/OAuth proof or a different trust boundary, pause this branch until that requirement is explicit.

Next step before merge

• No automated repair is indicated; the remaining action is maintainer/security review of the intentional fail-closed redirect behavior and private advisory gate.

Security
Cleared: The diff is security-sensitive and changes MCP network egress, but source/dependency review found no concrete security or supply-chain regression in the patch.

Review details

Best possible solution:

Land the shared guarded-fetch hardening after maintainer/advisory approval accepts the intentional fail-closed MCP redirect behavior, without adding a compatibility escape hatch unless owners explicitly request one.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main's Streamable redirect follower follows redirect targets through the MCP fetch helper outside fetchWithSsrFGuard. The PR tests and supplied local HTTP proof cover the private-target redirect being blocked before the second request.

Is this the best way to solve the issue?

Yes, this is the best fix shape: the MCP SDK calls OpenClaw's supplied fetch for Streamable and SSE network requests, so moving redirect handling into the shared SSRF guard removes duplicate policy. The remaining question is maintainer acceptance of the intentional compatibility break.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against ea6d3a35ff01.

Label changes

Label changes:

• add proof: sufficient: Contributor real behavior proof is sufficient. The contributor supplied after-fix local HTTP-server redirect proof plus focused tests, and the reviewed head has identical changed files to the proofed head.
• add rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The contributor supplied after-fix local HTTP-server redirect proof plus focused tests, and the reviewed head has identical changed files to the proofed head.
• remove rating: 🌊 off-meta tidepool: Current PR rating is rating: 🦞 diamond lobster, so this older rating label is no longer current.

Label justifications:

• P0: The PR addresses an SSRF/network egress security boundary where MCP redirects could reach private or metadata targets.
• merge-risk: 🚨 compatibility: Existing MCP servers that redirect to private/internal destinations can stop working after this fail-closed behavior lands.
• merge-risk: 🚨 security-boundary: The diff changes the core guarded-fetch path that decides which redirected network targets MCP HTTP transports may reach.
• rating: 🦞 diamond lobster: Overall readiness is 🦞 diamond lobster; proof is 🦞 diamond lobster and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (live_output): The contributor supplied after-fix local HTTP-server redirect proof plus focused tests, and the reviewed head has identical changed files to the proofed head.
• proof: sufficient: Contributor real behavior proof is sufficient. The contributor supplied after-fix local HTTP-server redirect proof plus focused tests, and the reviewed head has identical changed files to the proofed head.

Evidence reviewed

PR surface:

Source -7, Tests +120. Total +113 across 5 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	3	153	160	-7
Tests	2	130	10	+120
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	5	283	170	+113

What I checked:

• Current main behavior: Current main keeps a Streamable HTTP-specific redirect follower in resolveMcpTransport; it manually follows redirect locations through the MCP fetch helper rather than the shared SSRF guard. (src/agents/mcp-transport.ts:125, ea6d3a35ff01)
• Current main fetch helper: Current main's buildMcpHttpFetch only adds optional TLS/client-cert dispatcher behavior and otherwise calls undici fetch directly; it does not call fetchWithSsrFGuard. (src/agents/mcp-http-fetch.ts:15, ea6d3a35ff01)
• PR guarded MCP fetch path: The PR builds MCP guarded fetch options with a 20-hop redirect cap, per-origin SSRF policy, unsafe replay preservation for MCP redirect compatibility, and managed response cleanup around the guard release. (src/agents/mcp-http-fetch.ts:139, 514e618386b5)
• PR removes duplicate redirect loop: The PR passes the shared httpFetch directly to StreamableHTTPClientTransport, deleting the local Streamable redirect loop from current main. (src/agents/mcp-transport.ts:139, 514e618386b5)
• Per-hop guard behavior: The PR re-resolves SSRF policy and dispatcher policy inside the redirect loop, only uses env proxy when eligible, and keys redirect loop detection on the rewritten method plus URL. (src/infra/net/fetch-guard.ts:485, 514e618386b5)
• Regression coverage: The PR adds Streamable HTTP coverage proving a redirect to 169.254.169.254 is rejected before a second fetch occurs. (src/agents/mcp-transport.test.ts:129, 514e618386b5)

Likely related people:

• steipete: Recent main history shows MCP operator workflow work and shared runtime helper updates, and current-main blame attributes the MCP redirect and fetch-guard areas to Peter Steinberger. (role: recent area contributor; confidence: high; commits: 38d3d11cbc0c, 6439b64c90e2, ea6d3a35ff01; files: src/agents/mcp-transport.ts, src/agents/mcp-http-fetch.ts, src/infra/net/fetch-guard.ts)
• pgondhi987: Prior merged history includes Streamable MCP redirect header scrubbing and pinned DNS guarded-fetch hardening, and this PR continues that exact MCP/network-security surface. (role: adjacent security contributor; confidence: high; commits: 47eb2d48d434, 9497629c1e89, 514e618386b5; files: src/agents/mcp-transport.ts, src/infra/net/fetch-guard.ts, src/agents/mcp-http-fetch.ts)
• Kaspre: Recent shared SSRF policy history includes exact-origin trust and managed proxy bypass hardening that this PR builds on. (role: adjacent SSRF policy contributor; confidence: medium; commits: 44840007d42d, fd2a9adbe6b0; files: src/infra/net/fetch-guard.ts, src/infra/net/ssrf.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[pgondhi987]

Verification for head 632954c8b3f2fa9bd66483678cd4ce30e22e6a7d.

Behavior covered:

• src/agents/mcp-transport.ts no longer has the Streamable HTTP-specific manual redirect follower; Streamable HTTP now uses the shared MCP HTTP fetch.
• src/agents/mcp-http-fetch.ts routes MCP HTTP requests through fetchWithSsrFGuard with the MCP resource-origin policy, the existing 20-hop redirect cap, cross-origin unsafe redirect replay where required by MCP behavior, env-proxy preservation, and same-origin TLS/client-cert dispatcher scoping.
• src/infra/net/fetch-guard.ts re-resolves SSRF policy, pinned hostname, dispatcher policy, and env-proxy eligibility for each redirect hop before the redirected request is sent.

Real behavior proof:

• Ran a live local Node proof with actual HTTP servers: one MCP-origin server returned 302 Location: http://127.0.0.2:<port>/metadata; a second private loopback server counted any redirected request.
• Observed result: guard rejected the redirect with Blocked hostname or private/internal/special-use IP address; redirectHits: 1, blockedHits: 0. The redirected private target was not requested.

Local validation:

• node scripts/run-vitest.mjs src/agents/mcp-transport.test.ts src/agents/mcp-http-fetch.test.ts src/infra/net/fetch-guard.ssrf.test.ts passed: 3 files, 100 tests.
• node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core.tsbuildinfo passed.
• node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.test.src.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/test-src.tsbuildinfo passed.
• git diff --check origin/main...HEAD passed.

Review gates:

• review-pr: passed, READY FOR /prepare-pr, zero findings; artifacts validated under the canonical .worktrees/pr-89732/.local review worktree.
• autoreview: passed with timeout 1800 .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main; result was autoreview clean: no accepted/actionable findings reported.

GHSA gates:

• ghsa_dry_run: passed on this head with scope HARDEN, fix SOLVES, backward compatibility PASS.
• ghsa_real_gate: passed on this head with scope HARDEN, fix SOLVES, backward compatibility PASS.
• Real gate posted the tracking issue evaluation: https://github.com/NVIDIA-dev/openclaw-tracking/issues/715#issuecomment-4610223396

Merge/CI:

• Conflict gate passed: GitHub reports MERGEABLE / CLEAN for this head.
• GitHub CI statusCheckRollup completed with no failed or pending relevant checks; skipped/neutral checks only where expected.

[pgondhi987]

Verification for head 6f3fec59eec524f245614e13fde2a7fba79d958f.

Behavior covered:

• MCP Streamable HTTP no longer uses the bespoke redirect-following helper; it now uses the shared MCP HTTP fetch path.
• MCP HTTP redirects are evaluated through the shared guarded fetch path before each redirected request, including private/link-local target blocking, env-proxy eligibility, same-origin TLS/client-cert dispatcher scoping, cross-origin header scrubbing, and redirect loop/method handling.
• The PR remains mergeable against main and has no actionable inline or completed bot feedback at this head.

Verification run:

• GHSA dry-run: PASS at this head.
• review-pr: READY FOR /prepare-pr, zero findings; artifacts validated under canonical .worktrees/pr-89732/.local.
• autoreview: clean, no accepted/actionable findings; one unrelated out-of-scope Parallels helper finding was ignored by the helper.
• Local validation: node scripts/run-vitest.mjs src/agents/mcp-transport.test.ts src/agents/mcp-http-fetch.test.ts src/infra/net/fetch-guard.ssrf.test.ts; node scripts/run-tsgo.mjs -p tsconfig.core.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/core.tsbuildinfo; node scripts/run-tsgo.mjs -p test/tsconfig/tsconfig.test.src.json --incremental --tsBuildInfoFile .artifacts/tsgo-cache/test-src.tsbuildinfo; git diff --check origin/main...HEAD.
• GitHub CI: no pending or failing relevant checks in statusCheckRollup; only cancelled/skipped/neutral non-blocking entries remain.
• Final security gate: PASS at this head.

Known proof gap: no live external MCP server was exercised in this final pass; the redirect behavior is covered by focused deterministic HTTP/DNS tests.