@aria-cli/tools 1.0.12 → 1.0.14

package/dist/security/ssrf.js

@@ -1,181 +0,0 @@
-/**
- * SSRF (Server-Side Request Forgery) protection utilities
- *
- * Provides IP validation, URL validation, and redirect following with
- * SSRF protection for web operations.
- */
-import * as dns from "node:dns";
-import * as net from "node:net";
-import { getErrorMessage } from "../executors/utils.js";
-import { normalizeLookupResult } from "./dns-normalization.js";
-/** Maximum number of redirects to follow manually */
-const MAX_REDIRECT_HOPS = 5;
-/**
- * Validates URL syntax/protocol only (no DNS resolution).
- * Use this when DNS validation is enforced by the fetch boundary itself
- * (for example, DNS-pinned fetch).
- */
-export function validateUrlStructure(url) {
-    try {
-        const parsed = new URL(url);
-        if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
-            return `Invalid URL protocol: ${parsed.protocol}. Only http: and https: are allowed.`;
-        }
-    }
-    catch {
-        return `Invalid URL format: ${url}`;
-    }
-    return null;
-}
-/**
- * Checks whether an IP address belongs to a private/reserved network range.
- * Blocks loopback, RFC 1918, link-local, IPv6 private, and unspecified addresses.
- */
-export function isPrivateAddress(ip) {
-    // IPv6-mapped IPv4 (::ffff:127.0.0.1) — strip prefix and re-check as IPv4
-    if (ip.startsWith("::ffff:")) {
-        return isPrivateAddress(ip.slice(7));
-    }
-    // Unspecified addresses
-    if (ip === "0.0.0.0" || ip === "::" || ip === "[::]") {
-        return true;
-    }
-    // IPv6 loopback
-    if (ip === "::1") {
-        return true;
-    }
-    // IPv6 private (fc00::/7 — covers fc00:: through fdff::)
-    if (/^f[cd]/i.test(ip)) {
-        return true;
-    }
-    // IPv6 link-local (fe80::/10)
-    if (/^fe[89ab]/i.test(ip)) {
-        return true;
-    }
-    // For IPv4 addresses, parse octets
-    if (net.isIPv4(ip)) {
-        const parts = ip.split(".").map(Number);
-        const a = parts[0];
-        const b = parts[1];
-        // 127.0.0.0/8 — loopback
-        if (a === 127)
-            return true;
-        // 10.0.0.0/8 — RFC 1918
-        if (a === 10)
-            return true;
-        // 172.16.0.0/12 — RFC 1918 (172.16.x.x – 172.31.x.x)
-        if (a === 172 && b >= 16 && b <= 31)
-            return true;
-        // 192.168.0.0/16 — RFC 1918
-        if (a === 192 && b === 168)
-            return true;
-        // 169.254.0.0/16 — link-local (incl. AWS metadata 169.254.169.254)
-        if (a === 169 && b === 254)
-            return true;
-        // 0.0.0.0/8 — current network
-        if (a === 0)
-            return true;
-        // 100.64.0.0/10 — RFC 6598 shared address space (CGNAT)
-        if (a === 100 && b >= 64 && b <= 127)
-            return true;
-        // 192.0.0.0/24 — RFC 6890 IETF protocol assignments
-        if (a === 192 && b === 0 && parts[2] === 0)
-            return true;
-        // 198.18.0.0/15 — RFC 2544 benchmark testing (198.18.x.x – 198.19.x.x)
-        if (a === 198 && (b === 18 || b === 19))
-            return true;
-        // 240.0.0.0/4 — RFC 1112 future use / reserved (240.x.x.x – 255.x.x.x)
-        if (a >= 240)
-            return true;
-    }
-    return false;
-}
-/**
- * Validates that a string is a valid HTTP(S) URL and does not resolve
- * to a private/reserved IP address (SSRF protection).
- * Returns null if valid, error message if invalid.
- */
-export async function validateUrl(url) {
-    const structureError = validateUrlStructure(url);
-    if (structureError) {
-        return structureError;
-    }
-    const parsed = new URL(url);
-    // Resolve hostname to IP and check for private addresses
-    try {
-        const lookupResult = await dns.promises.lookup(parsed.hostname, {
-            all: true,
-            verbatim: true,
-        });
-        const addresses = normalizeLookupResult(lookupResult).map((entry) => entry.address);
-        if (addresses.length === 0) {
-            return `DNS resolution failed for ${parsed.hostname}: no addresses returned`;
-        }
-        const privateAddress = addresses.find((address) => isPrivateAddress(address));
-        if (privateAddress) {
-            return `Access to private network address denied: ${parsed.hostname} resolved to ${privateAddress}`;
-        }
-    }
-    catch (err) {
-        return `DNS resolution failed for ${parsed.hostname}: ${getErrorMessage(err)}`;
-    }
-    return null;
-}
-/**
- * Best-effort disposal for unread response bodies.
- * Redirect and early-return paths must explicitly close bodies they abandon so
- * later aborts cannot surface from resources that no caller still owns.
- */
-export async function discardResponseBody(response) {
-    const body = response?.body;
-    if (!body || body.locked) {
-        return;
-    }
-    try {
-        await body.cancel();
-    }
-    catch {
-        // Discard is best-effort cleanup only.
-    }
-}
-export async function followRedirects(initialResponse, requestInit, options = {}) {
-    const maxHops = options.maxHops ?? MAX_REDIRECT_HOPS;
-    const fetchFn = options.fetchFn ?? fetch;
-    const validateRedirectUrl = options.validateRedirectUrl ?? validateUrl;
-    let response = initialResponse;
-    let currentUrl = response.url || options.baseUrl || "";
-    let hops = 0;
-    while (hops < maxHops && response.status >= 300 && response.status < 400) {
-        const location = response.headers.get("Location");
-        if (!location) {
-            break;
-        }
-        let resolvedLocation;
-        try {
-            if (currentUrl) {
-                resolvedLocation = new URL(location, currentUrl).toString();
-            }
-            else {
-                resolvedLocation = new URL(location).toString();
-            }
-        }
-        catch {
-            await discardResponseBody(response);
-            throw new Error(`Invalid redirect URL: ${location}`);
-        }
-        // Validate the redirect target against SSRF
-        const redirectError = await validateRedirectUrl(resolvedLocation);
-        if (redirectError) {
-            await discardResponseBody(response);
-            throw new Error(`Redirect blocked (hop ${hops + 1}): ${redirectError}`);
-        }
-        await discardResponseBody(response);
-        response = await fetchFn(resolvedLocation, {
-            ...requestInit,
-            redirect: "manual",
-        });
-        currentUrl = response.url || resolvedLocation;
-        hops++;
-    }
-    return response;
-}

package/dist/slack/desktop-session.js

@@ -1,324 +0,0 @@
-import crypto from "node:crypto";
-import { execFile } from "node:child_process";
-import { promises as fs } from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { promisify } from "node:util";
-const execFileAsync = promisify(execFile);
-const SLACK_APP_SUPPORT_DIR = path.join(os.homedir(), "Library", "Application Support", "Slack");
-const SLACK_LEVELDB_DIR = path.join(SLACK_APP_SUPPORT_DIR, "Local Storage", "leveldb");
-const SLACK_COOKIE_DB_PATH = path.join(SLACK_APP_SUPPORT_DIR, "Cookies");
-const SLACK_SAFE_STORAGE_SERVICE = "Slack Safe Storage";
-const SLACK_APP_ORIGIN = "https://app.slack.com";
-const DEFAULT_BOOTSTRAP_TIMEOUT_MS = 30_000;
-const TEAM_ID_REGEX = /\bT[A-Z0-9]{8,}\b/g;
-const TOKEN_REGEX = /\bxoxc-[A-Za-z0-9-]{20,}\b/g;
-export function extractCachedSlackDesktopState(levelDbText) {
-    const cachedToken = levelDbText.match(TOKEN_REGEX)?.[0] ?? null;
-    const teamIds = [];
-    const seen = new Set();
-    const localConfigSegments = [...levelDbText.matchAll(/localConfig_v2[\s\S]{0,8000}/g)].map((match) => match[0]);
-    const sources = localConfigSegments.length > 0 ? localConfigSegments : [levelDbText];
-    for (const source of sources) {
-        for (const teamId of source.match(TEAM_ID_REGEX) ?? []) {
-            if (seen.has(teamId))
-                continue;
-            seen.add(teamId);
-            teamIds.push(teamId);
-        }
-    }
-    return { cachedToken, teamIds };
-}
-export function extractWorkspaceHostFromAppHtml(html) {
-    const enterpriseHosts = [...html.matchAll(/https:\/\/([A-Za-z0-9.-]+\.enterprise\.slack\.com)/g)]
-        .map((match) => match[1])
-        .filter(Boolean);
-    if (enterpriseHosts.length > 0) {
-        return enterpriseHosts[0] ?? null;
-    }
-    const workspaceHosts = [...html.matchAll(/https:\/\/([A-Za-z0-9.-]+\.slack\.com)/g)]
-        .map((match) => match[1])
-        .filter((host) => host !== "api.slack.com" && host !== "app.slack.com");
-    return workspaceHosts[0] ?? null;
-}
-export function extractLiveSlackTokenFromMultipartBody(body) {
-    const match = body.match(/name="token"\r?\n\r?\n([^\r\n]+)/);
-    return match?.[1] ?? null;
-}
-function decryptChromiumCookieHex(cookieHex, safeStoragePassword) {
-    const encryptedValue = Buffer.from(cookieHex, "hex");
-    if (encryptedValue.length === 0) {
-        return "";
-    }
-    const versionPrefix = encryptedValue.subarray(0, 3).toString("utf8");
-    if (versionPrefix !== "v10" && versionPrefix !== "v11") {
-        return encryptedValue.toString("utf8");
-    }
-    const key = crypto.pbkdf2Sync(safeStoragePassword, "saltysalt", 1003, 16, "sha1");
-    const decipher = crypto.createDecipheriv("aes-128-cbc", key, Buffer.alloc(16, 0x20));
-    let decrypted = Buffer.concat([decipher.update(encryptedValue.subarray(3)), decipher.final()]);
-    const padLength = decrypted.at(-1) ?? 0;
-    if (padLength > 0 && padLength <= 16) {
-        decrypted = decrypted.subarray(0, decrypted.length - padLength);
-    }
-    // Chromium cookie DB version 24 prefixes SHA-256(host_key) before the plaintext value.
-    if (decrypted.length >= 32) {
-        decrypted = decrypted.subarray(32);
-    }
-    return decrypted.toString("utf8");
-}
-async function readSlackLevelDbText(levelDbDir = SLACK_LEVELDB_DIR) {
-    const entries = await fs.readdir(levelDbDir);
-    const files = entries.filter((entry) => entry.endsWith(".ldb") || entry.endsWith(".log")).sort();
-    const chunks = await Promise.all(files.map(async (entry) => {
-        const fullPath = path.join(levelDbDir, entry);
-        return fs.readFile(fullPath, "utf8").catch(async () => {
-            const bytes = await fs.readFile(fullPath);
-            return bytes.toString("utf8");
-        });
-    }));
-    return chunks.join("\n");
-}
-async function readSeedCookies(cookieDbPath = SLACK_COOKIE_DB_PATH) {
-    const { stdout: passwordStdout } = await execFileAsync("security", [
-        "find-generic-password",
-        "-w",
-        "-s",
-        SLACK_SAFE_STORAGE_SERVICE,
-    ]);
-    const safeStoragePassword = passwordStdout.trim();
-    const sql = [
-        "SELECT host_key, name, path, is_secure, is_httponly, hex(encrypted_value)",
-        "FROM cookies",
-        "WHERE host_key IN ('.slack.com', 'app.slack.com')",
-        "AND name IN ('b', 'd')",
-        "ORDER BY name",
-    ].join(" ");
-    const { stdout } = await execFileAsync("sqlite3", ["-separator", "\t", cookieDbPath, sql]);
-    const cookies = stdout
-        .split("\n")
-        .map((line) => line.trim())
-        .filter(Boolean)
-        .map((line) => {
-        const [domain, name, cookiePath, secureFlag, httpOnlyFlag, encryptedHex] = line.split("\t");
-        if (!domain || !name || !encryptedHex) {
-            throw new Error(`Unexpected sqlite3 cookie row shape: ${line}`);
-        }
-        return {
-            name,
-            value: decryptChromiumCookieHex(encryptedHex ?? "", safeStoragePassword),
-            domain,
-            path: cookiePath || "/",
-            secure: secureFlag === "1",
-            httpOnly: httpOnlyFlag === "1",
-        };
-    });
-    if (cookies.length === 0) {
-        throw new Error("Slack Desktop auth cookies were not found in the local Chromium cookie store.");
-    }
-    return cookies;
-}
-async function waitForLiveSlackBootstrap(page, timeoutMs) {
-    return new Promise((resolve, reject) => {
-        const timer = setTimeout(() => {
-            page.off("request", handleRequest);
-            reject(new Error("Timed out while waiting for the live Slack Desktop API bootstrap request."));
-        }, timeoutMs);
-        const handleRequest = (request) => {
-            const requestUrl = request.url();
-            if (!requestUrl.includes("/api/")) {
-                return;
-            }
-            const liveToken = extractLiveSlackTokenFromMultipartBody(request.postData() ?? "");
-            if (!liveToken) {
-                return;
-            }
-            clearTimeout(timer);
-            page.off("request", handleRequest);
-            resolve({
-                workspaceHost: new URL(requestUrl).host,
-                liveToken,
-            });
-        };
-        page.on("request", handleRequest);
-    });
-}
-function normalizeRequestForm(liveToken, fields) {
-    const form = { token: liveToken };
-    for (const [key, value] of Object.entries(fields)) {
-        if (value === undefined)
-            continue;
-        if (typeof value === "string") {
-            form[key] = value;
-            continue;
-        }
-        if (typeof value === "number" || typeof value === "boolean") {
-            form[key] = String(value);
-            continue;
-        }
-        form[key] = JSON.stringify(value);
-    }
-    return form;
-}
-function normalizeChannelRef(channelRef) {
-    return channelRef.startsWith("#") ? channelRef.slice(1) : channelRef;
-}
-function looksLikeConversationId(channelRef) {
-    return /^[CDG][A-Z0-9]{8,}$/.test(channelRef);
-}
-function toSlackMessageView(message) {
-    return {
-        ts: typeof message.ts === "string" ? message.ts : "",
-        user: typeof message.user === "string"
-            ? message.user
-            : typeof message.bot_id === "string"
-                ? message.bot_id
-                : null,
-        text: typeof message.text === "string" ? message.text : "",
-        subtype: typeof message.subtype === "string" ? message.subtype : null,
-        threadTs: typeof message.thread_ts === "string" ? message.thread_ts : null,
-    };
-}
-export async function createSlackDesktopClient(options) {
-    const cachedState = extractCachedSlackDesktopState(await readSlackLevelDbText());
-    const teamId = options?.teamId ?? cachedState.teamIds[0];
-    if (!teamId) {
-        throw new Error("No Slack workspace team id was discovered in the local Slack Desktop storage.");
-    }
-    const playwright = await import("playwright");
-    const browser = await playwright.chromium.launch({ headless: true });
-    const context = await browser.newContext();
-    await context.addCookies(await readSeedCookies());
-    const page = await context.newPage();
-    const bootstrapPromise = waitForLiveSlackBootstrap(page, options?.bootstrapTimeoutMs ?? DEFAULT_BOOTSTRAP_TIMEOUT_MS);
-    await page.goto(`${SLACK_APP_ORIGIN}/client/${teamId}`, {
-        waitUntil: "domcontentloaded",
-        timeout: options?.bootstrapTimeoutMs ?? DEFAULT_BOOTSTRAP_TIMEOUT_MS,
-    });
-    const bootstrap = await bootstrapPromise;
-    const invokeJsonApi = async (method, fields) => {
-        const response = await context.request.post(`https://${bootstrap.workspaceHost}/api/${method}`, {
-            form: normalizeRequestForm(bootstrap.liveToken, fields),
-            headers: {
-                Origin: SLACK_APP_ORIGIN,
-                Referer: `${SLACK_APP_ORIGIN}/client/${teamId}`,
-            },
-        });
-        const text = await response.text();
-        let json;
-        try {
-            json = JSON.parse(text);
-        }
-        catch {
-            throw new Error(`Slack API ${method} returned non-JSON response (HTTP ${response.status()}).`);
-        }
-        if (json.ok !== true) {
-            const errorCode = typeof json.error === "string" ? json.error : `http_${response.status()}`;
-            throw new Error(`Slack API ${method} failed: ${errorCode}`);
-        }
-        return json;
-    };
-    const resolveConversationId = async (channelRef) => {
-        const normalized = normalizeChannelRef(channelRef);
-        if (looksLikeConversationId(normalized)) {
-            return normalized;
-        }
-        let cursor;
-        for (let pageNumber = 0; pageNumber < 20; pageNumber += 1) {
-            const response = await invokeJsonApi("conversations.list", {
-                limit: 200,
-                exclude_archived: true,
-                types: "public_channel,private_channel,im,mpim",
-                cursor,
-            });
-            const channels = Array.isArray(response.channels) ? response.channels : [];
-            const match = channels.find((channel) => {
-                if (!channel || typeof channel !== "object")
-                    return false;
-                const name = typeof channel.name === "string" ? channel.name : null;
-                const nameNormalized = typeof channel.name_normalized === "string" ? channel.name_normalized : null;
-                return name === normalized || nameNormalized === normalized.toLowerCase();
-            });
-            if (match && typeof match.id === "string") {
-                return match.id;
-            }
-            const responseMetadata = response.response_metadata && typeof response.response_metadata === "object"
-                ? response.response_metadata
-                : undefined;
-            const nextCursor = responseMetadata && typeof responseMetadata.next_cursor === "string"
-                ? responseMetadata.next_cursor.trim()
-                : "";
-            if (!nextCursor) {
-                break;
-            }
-            cursor = nextCursor;
-        }
-        throw new Error(`Slack conversation "${channelRef}" was not found. Use a channel id like C..., G..., or D... if the name cannot be resolved.`);
-    };
-    return {
-        getTeamId: () => teamId,
-        getWorkspaceHost: () => bootstrap.workspaceHost,
-        listMessages: async ({ channel, limit = 20, threadTs }) => {
-            const channelId = await resolveConversationId(channel);
-            const method = threadTs ? "conversations.replies" : "conversations.history";
-            const response = await invokeJsonApi(method, {
-                channel: channelId,
-                limit: Math.max(1, Math.min(limit, 100)),
-                ...(threadTs ? { ts: threadTs } : {}),
-            });
-            const responseMetadata = response.response_metadata && typeof response.response_metadata === "object"
-                ? response.response_metadata
-                : undefined;
-            const nextCursor = responseMetadata && typeof responseMetadata.next_cursor === "string"
-                ? responseMetadata.next_cursor || null
-                : null;
-            const rawMessages = Array.isArray(response.messages) ? response.messages : [];
-            return {
-                teamId,
-                workspaceHost: bootstrap.workspaceHost,
-                channelId,
-                messages: rawMessages
-                    .filter((message) => !!message && typeof message === "object")
-                    .map(toSlackMessageView),
-                hasMore: response.has_more === true,
-                nextCursor,
-            };
-        },
-        sendMessage: async ({ channel, text, threadTs }) => {
-            const channelId = await resolveConversationId(channel);
-            const response = await invokeJsonApi("chat.postMessage", {
-                channel: channelId,
-                text,
-                ...(threadTs ? { thread_ts: threadTs } : {}),
-            });
-            const ts = typeof response.ts === "string" ? response.ts : null;
-            if (!ts) {
-                throw new Error("Slack API chat.postMessage did not return a message timestamp.");
-            }
-            return {
-                teamId,
-                workspaceHost: bootstrap.workspaceHost,
-                channelId,
-                ts,
-            };
-        },
-        addReaction: async ({ channel, timestamp, name }) => {
-            const channelId = await resolveConversationId(channel);
-            await invokeJsonApi("reactions.add", {
-                channel: channelId,
-                timestamp,
-                name,
-            });
-            return {
-                teamId,
-                workspaceHost: bootstrap.workspaceHost,
-                channelId,
-            };
-        },
-        close: async () => {
-            await page.close().catch(() => undefined);
-            await context.close().catch(() => undefined);
-            await browser.close().catch(() => undefined);
-        },
-    };
-}

package/dist/tool-factory.js

@@ -1,47 +0,0 @@
-/**
- * @aria/tools - Tool factory function
- *
- * Creates Tool objects from Zod schemas with runtime validation.
- */
-import { z } from "zod";
-/**
- * Factory function for creating Tool objects from Zod schemas.
- *
- * Converts the Zod schema to JSON Schema 7 for LLM consumption,
- * and wraps the execute handler with Zod validation.
- *
- * @example
- * ```ts
- * const getWeather = tool({
- *   name: "get_weather",
- *   description: "Get weather for a city",
- *   parameters: z.object({ city: z.string(), units: z.enum(["F", "C"]) }),
- *   execute: async (input) => ({
- *     success: true,
- *     message: `Weather in ${input.city}: sunny`,
- *   }),
- * });
- * ```
- */
-export function tool(options) {
-    const { name, description, parameters: zodSchema, execute, riskLevel = "safe", isReadOnly = true, category = "meta", loadingTier = "always", } = options;
-    // Convert Zod schema to JSON Schema 7 using Zod v4's built-in conversion
-    const jsonSchema = z.toJSONSchema(zodSchema);
-    // Remove the $schema key since the Tool interface expects a plain JSONSchema7 object
-    // describing the parameters, not a full standalone schema document
-    delete jsonSchema.$schema;
-    return {
-        name,
-        description,
-        category,
-        parameters: jsonSchema,
-        riskLevel,
-        isReadOnly,
-        loadingTier,
-        execute: async (input, context) => {
-            // Validate input with Zod before calling the handler
-            const parsed = zodSchema.parse(input);
-            return execute(parsed, context);
-        },
-    };
-}

package/dist/types.js

@@ -1,7 +0,0 @@
-/**
- * @aria/tools - Tool system types
- *
- * Unified tool interface for all ARIA tools.
- * All tools are LLM-callable with optional user confirmation.
- */
-export {};

package/dist/utils/retry.js

@@ -1,132 +0,0 @@
-function createAbortError() {
-    const err = new Error("AbortError");
-    err.name = "AbortError";
-    return err;
-}
-/**
- * AbortSignal-aware sleep that rejects immediately if the signal fires during the delay.
- */
-function abortAwareSleep(ms, signal) {
-    if (signal?.aborted) {
-        return Promise.reject(createAbortError());
-    }
-    return new Promise((resolve, reject) => {
-        let settled = false;
-        let abortHandler;
-        const timer = setTimeout(() => {
-            if (settled)
-                return;
-            settled = true;
-            if (signal && abortHandler) {
-                signal.removeEventListener("abort", abortHandler);
-            }
-            resolve();
-        }, ms);
-        if (signal) {
-            abortHandler = () => {
-                if (settled)
-                    return;
-                settled = true;
-                signal.removeEventListener("abort", abortHandler);
-                clearTimeout(timer);
-                reject(createAbortError());
-            };
-            signal.addEventListener("abort", abortHandler, { once: true });
-        }
-    });
-}
-function isAbortError(err) {
-    if (!(err instanceof Error))
-        return false;
-    const domErr = err;
-    return domErr.name === "AbortError" || err.message === "AbortError";
-}
-function getErrorCode(err) {
-    if (typeof err === "object" &&
-        err !== null &&
-        "code" in err &&
-        typeof err.code === "string") {
-        return err.code;
-    }
-    if (err instanceof Error && err.cause) {
-        const cause = err.cause;
-        if (typeof cause.code === "string") {
-            return cause.code;
-        }
-    }
-    return undefined;
-}
-export async function fetchWithRetry(url, init, options) {
-    const maxAttempts = options?.maxAttempts ?? 3;
-    const baseDelayMs = options?.baseDelayMs ?? 1000;
-    const maxDelayMs = options?.maxDelayMs ?? 30000;
-    const retryableStatuses = options?.retryableStatuses ?? [429, 500, 502, 503, 504];
-    const retryableCodes = options?.retryableCodes ?? [
-        "ECONNRESET",
-        "ETIMEDOUT",
-        "EPIPE",
-        "ENETUNREACH",
-        "EHOSTUNREACH",
-        "ECONNREFUSED",
-        "EAI_AGAIN",
-        "UND_ERR_CONNECT_TIMEOUT",
-        "UND_ERR_SOCKET",
-    ];
-    const doFetch = options?.fetchFn ?? fetch;
-    const signal = init.signal ?? null;
-    if (signal?.aborted) {
-        throw createAbortError();
-    }
-    let lastError;
-    for (let attempt = 0; attempt < maxAttempts; attempt++) {
-        try {
-            const response = await doFetch(url, init);
-            // Check for Cloudflare 403 challenge
-            if (response.status === 403 && response.headers.get("cf-mitigated") === "challenge") {
-                if (attempt < maxAttempts - 1) {
-                    // Retry with simplified UA
-                    const delay = Math.min(baseDelayMs * 2 ** attempt + Math.random() * 500, maxDelayMs);
-                    await abortAwareSleep(delay, signal);
-                    continue;
-                }
-                // Last attempt - throw
-                throw new Error(`Cloudflare challenge after ${maxAttempts} attempts: ${response.status}`);
-            }
-            // Check for retryable status codes
-            if (!response.ok && retryableStatuses.includes(response.status)) {
-                if (attempt < maxAttempts - 1) {
-                    const delay = Math.min(baseDelayMs * 2 ** attempt + Math.random() * 500, maxDelayMs);
-                    await abortAwareSleep(delay, signal);
-                    continue;
-                }
-                // Last attempt - throw
-                throw new Error(`Request failed after ${maxAttempts} attempts: ${response.status}`);
-            }
-            return response;
-        }
-        catch (err) {
-            // Re-throw AbortError immediately — do not retry aborted requests
-            if (isAbortError(err)) {
-                throw err;
-            }
-            const code = getErrorCode(err);
-            if (code && retryableCodes.includes(code) && attempt < maxAttempts - 1) {
-                const delay = Math.min(baseDelayMs * 2 ** attempt + Math.random() * 500, maxDelayMs);
-                await abortAwareSleep(delay, signal);
-                continue;
-            }
-            lastError = err;
-            throw err;
-        }
-    }
-    throw lastError ?? new Error("fetchWithRetry: unreachable");
-}
-export async function fetchWithSsrf(url, init, retryOptions) {
-    const { fetchWithDnsPinning } = await import("../security/dns-pinning.js");
-    return fetchWithRetry(url, init, {
-        ...retryOptions,
-        fetchFn: async (attemptUrl, attemptInit) => {
-            return fetchWithDnsPinning(attemptUrl, attemptInit);
-        },
-    });
-}