@aria-cli/tools 1.0.18 → 1.0.31

package/dist-cjs/executors/utils.js

@@ -0,0 +1,74 @@
+"use strict";
+/**
+ * @aria/tools - Shared executor utilities
+ *
+ * Common helper functions used across all executor modules.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getErrorMessage = void 0;
+exports.success = success;
+exports.fail = fail;
+exports.isPathWithinBase = isPathWithinBase;
+const nodePath = __importStar(require("node:path"));
+var types_1 = require("@aria-cli/types");
+Object.defineProperty(exports, "getErrorMessage", { enumerable: true, get: function () { return types_1.getErrorMessage; } });
+/**
+ * Creates a successful result.
+ */
+function success(message, data) {
+    return { success: true, message, data };
+}
+/**
+ * Creates a failure result.
+ */
+function fail(message, data) {
+    return { success: false, message, data };
+}
+/**
+ * Checks if a resolved path is within the allowed base directory.
+ * Prevents path traversal attacks.
+ */
+function isPathWithinBase(resolvedPath, baseDir) {
+    const normalizedPath = nodePath.normalize(resolvedPath);
+    const normalizedBase = nodePath.normalize(baseDir);
+    // normalize() strips trailing separators except for root "/".
+    // Guard against root-as-base which would allow every absolute path.
+    const baseWithSep = normalizedBase.endsWith(nodePath.sep)
+        ? normalizedBase
+        : normalizedBase + nodePath.sep;
+    return normalizedPath === normalizedBase || normalizedPath.startsWith(baseWithSep);
+}
+//# sourceMappingURL=utils.js.map

package/dist-cjs/executors/web.js

@@ -0,0 +1,548 @@
+"use strict";
+/**
+ * @aria/tools - Web tool executors
+ *
+ * Implementation of web operations for ARIA tool system.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.executeWebSearch = executeWebSearch;
+exports.executeWebFetch = executeWebFetch;
+exports.executeBrowse = executeBrowse;
+const node_crypto_1 = require("node:crypto");
+const types_1 = require("@aria-cli/types");
+const zod_1 = require("zod");
+const utils_js_1 = require("./utils.js");
+const safe_parse_json_js_1 = require("../utils/safe-parse-json.js");
+const ssrf_js_1 = require("../security/ssrf.js");
+const router_js_1 = require("../providers/router.js");
+const index_js_1 = require("../providers/index.js");
+const search_provider_js_1 = require("../providers/search-provider.js");
+const web_cache_js_1 = require("../cache/web-cache.js");
+const retry_js_1 = require("../utils/retry.js");
+const external_content_js_1 = require("../security/external-content.js");
+const content_extraction_js_1 = require("../extraction/content-extraction.js");
+const url_js_1 = require("../utils/url.js");
+function buildSearchEnv(ctx) {
+    const env = ctx.env ?? {};
+    return {
+        ARIA_SEARCH_PROVIDER: env.ARIA_SEARCH_PROVIDER ?? process.env.ARIA_SEARCH_PROVIDER,
+        BRAVE_API_KEY: env.BRAVE_API_KEY ?? process.env.BRAVE_API_KEY,
+        FIRECRAWL_API_KEY: env.FIRECRAWL_API_KEY ?? process.env.FIRECRAWL_API_KEY,
+        EXA_API_KEY: env.EXA_API_KEY ?? process.env.EXA_API_KEY,
+        TAVILY_API_KEY: env.TAVILY_API_KEY ?? process.env.TAVILY_API_KEY,
+        JINA_API_KEY: env.JINA_API_KEY ?? process.env.JINA_API_KEY,
+    };
+}
+function createSearchRouter(env) {
+    return new router_js_1.SearchProviderRouter([
+        new index_js_1.BraveSearchProvider(env),
+        new index_js_1.TavilySearchProvider(env),
+        new index_js_1.JinaSearchProvider(env),
+        new index_js_1.ExaSearchProvider(env),
+        new index_js_1.FirecrawlSearchProvider(env),
+        new index_js_1.DuckDuckGoSearchProvider(),
+    ], env);
+}
+/** Default timeout for fetch requests in milliseconds */
+const DEFAULT_TIMEOUT_MS = 30_000;
+/** Default maximum response size in bytes for fetch (1MB) */
+const FETCH_MAX_SIZE_BYTES = 1 * 1024 * 1024;
+/** Default maximum response size in bytes for browse (2MB) */
+const BROWSE_MAX_SIZE_BYTES = 2 * 1024 * 1024;
+const JsonFetchContentSchema = zod_1.z.union([
+    zod_1.z.record(zod_1.z.string(), zod_1.z.unknown()),
+    zod_1.z.array(zod_1.z.unknown()),
+    zod_1.z.string(),
+    zod_1.z.number(),
+    zod_1.z.boolean(),
+    zod_1.z.null(),
+]);
+/**
+ * Creates an AbortController with a timeout.
+ */
+function createTimeoutController(timeoutMs) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => {
+        if (!controller.signal.aborted) {
+            controller.abort();
+        }
+    }, timeoutMs);
+    return { controller, timeoutId };
+}
+/**
+ * Links a parent AbortSignal to a child AbortController, forwarding abort.
+ * Returns a cleanup function that MUST be called when the operation completes
+ * to prevent the listener from firing after the try/catch scope has exited.
+ */
+function linkAbortSignal(parentSignal, childController) {
+    if (!parentSignal)
+        return () => { };
+    const onAbort = () => {
+        if (!childController.signal.aborted) {
+            childController.abort();
+        }
+    };
+    parentSignal.addEventListener("abort", onAbort, { once: true });
+    return () => {
+        parentSignal.removeEventListener("abort", onAbort);
+    };
+}
+/**
+ * Reads a response body with a streaming byte limit.
+ * Unlike checking Content-Length alone, this protects against chunked/streaming
+ * responses that lack a Content-Length header.
+ *
+ * When `truncate` is false (default), throws if the limit is exceeded.
+ * When `truncate` is true, returns whatever was read up to the limit.
+ */
+async function readResponseWithLimit(response, maxBytes, options) {
+    const body = response.body;
+    if (!body) {
+        return { text: "", truncated: false, contentBytes: 0 };
+    }
+    const truncateMode = options?.truncate ?? false;
+    const reader = body.getReader();
+    const decoder = new TextDecoder();
+    const chunks = [];
+    let totalBytes = 0;
+    try {
+        for (;;) {
+            const { done, value } = await reader.read();
+            if (done)
+                break;
+            const chunkBytes = value.byteLength;
+            if (totalBytes + chunkBytes > maxBytes) {
+                if (truncateMode) {
+                    // Keep what we have so far (exclude the chunk that exceeded the limit)
+                    reader.cancel();
+                    chunks.push(decoder.decode());
+                    return {
+                        text: chunks.join(""),
+                        truncated: true,
+                        contentBytes: totalBytes,
+                    };
+                }
+                reader.cancel();
+                throw new Error(`Response body exceeds maximum size of ${maxBytes} bytes`);
+            }
+            totalBytes += chunkBytes;
+            chunks.push(decoder.decode(value, { stream: true }));
+        }
+        // Flush the decoder
+        chunks.push(decoder.decode());
+        return { text: chunks.join(""), truncated: false, contentBytes: totalBytes };
+    }
+    catch (err) {
+        reader.cancel();
+        throw err;
+    }
+}
+function ensureWrappedExternalContent(content, source) {
+    return (0, external_content_js_1.wrapExternalContent)(content, source).content;
+}
+function wrapWebSearchOutput(output) {
+    return {
+        query: output.query,
+        results: output.results.map((result) => ({
+            ...result,
+            content: ensureWrappedExternalContent(result.content, "web_search"),
+        })),
+    };
+}
+function hasAdvancedSearchOptions(input) {
+    return (input.limit !== undefined ||
+        input.topic !== undefined ||
+        (input.domains?.length ?? 0) > 0 ||
+        (input.excludeDomains?.length ?? 0) > 0 ||
+        input.timeRange !== undefined);
+}
+function buildSearchCachePayload(query, options) {
+    return JSON.stringify({ query, ...options });
+}
+function buildRouterSearchCacheKey(env, query, options) {
+    const resolved = (0, search_provider_js_1.resolveSearchProviderEnv)(env);
+    const providerOverride = resolved.ARIA_SEARCH_PROVIDER ?? "auto";
+    const providerAvailability = [
+        resolved.BRAVE_API_KEY ? "brave=1" : "brave=0",
+        resolved.TAVILY_API_KEY ? "tavily=1" : "tavily=0",
+        resolved.JINA_API_KEY ? "jina=1" : "jina=0",
+        resolved.EXA_API_KEY ? "exa=1" : "exa=0",
+        resolved.FIRECRAWL_API_KEY ? "firecrawl=1" : "firecrawl=0",
+    ].join(",");
+    return `search:router:${providerOverride}:${providerAvailability}:${buildSearchCachePayload(query, options)}`;
+}
+function buildNativeSearchCacheKey(providerName, query, options) {
+    return `search:native:${providerName}:${buildSearchCachePayload(query, options)}`;
+}
+/**
+ * Searches the web using the SearchProviderRouter with automatic fallback.
+ * Providers are selected based on available API keys (Brave, Tavily, Jina, Exa,
+ * Firecrawl, DuckDuckGo). DuckDuckGo is always available as a last resort.
+ *
+ * Results are cached via LRU+TTL cache for 15 minutes.
+ */
+async function executeWebSearch(input, ctx) {
+    const limit = input.limit ?? 10;
+    const searchOptions = {
+        limit,
+        ...(input.topic ? { topic: input.topic } : {}),
+        ...(input.domains ? { domains: input.domains } : {}),
+        ...(input.excludeDomains ? { excludeDomains: input.excludeDomains } : {}),
+        ...(input.timeRange ? { timeRange: input.timeRange } : {}),
+    };
+    const searchEnv = buildSearchEnv(ctx);
+    const advancedOptionsProvided = hasAdvancedSearchOptions(input);
+    const nativeSearchAvailable = Boolean(ctx.nativeSearchAdapter && ctx.providerContext?.capabilities?.nativeSearch);
+    const nativeProviderName = ctx.providerContext?.name ?? "unknown";
+    const routerCacheKey = buildRouterSearchCacheKey(searchEnv, input.query, searchOptions);
+    const nativeCacheKey = nativeSearchAvailable && !advancedOptionsProvided
+        ? buildNativeSearchCacheKey(nativeProviderName, input.query, searchOptions)
+        : undefined;
+    if (nativeCacheKey) {
+        const cachedNative = web_cache_js_1.searchCache.get(nativeCacheKey);
+        if (cachedNative) {
+            return (0, utils_js_1.success)(`Found ${cachedNative.results.length} cached results for "${input.query}"`, wrapWebSearchOutput(cachedNative));
+        }
+    }
+    else {
+        const cachedRouter = web_cache_js_1.searchCache.get(routerCacheKey);
+        if (cachedRouter) {
+            return (0, utils_js_1.success)(`Found ${cachedRouter.results.length} cached results for "${input.query}"`, wrapWebSearchOutput(cachedRouter));
+        }
+    }
+    if (advancedOptionsProvided && nativeSearchAvailable) {
+        types_1.log.debug("[web_search] advanced options provided; bypassing native adapter");
+    }
+    // Native search routing: If provider supports native search and adapter is wired, use it
+    // Phase 1: Gemini isolated adapter (router-based callback pattern)
+    if (nativeSearchAvailable && ctx.nativeSearchAdapter && !advancedOptionsProvided) {
+        try {
+            const rawResults = await ctx.nativeSearchAdapter(input.query);
+            if (rawResults.length === 0) {
+                throw new Error("Native search returned no results");
+            }
+            const results = rawResults.map((r) => ({
+                title: r.title,
+                url: r.url,
+                content: r.content,
+                score: r.score,
+            }));
+            const output = { query: input.query, results };
+            web_cache_js_1.searchCache.set(nativeCacheKey, output);
+            return (0, utils_js_1.success)(`Found ${results.length} results for "${input.query}" (native search)`, wrapWebSearchOutput(output));
+        }
+        catch (err) {
+            // Fall through to SearchProviderRouter on native search failure
+            types_1.log.debug(`[web_search] native adapter failed, falling back: ${(0, utils_js_1.getErrorMessage)(err)}`);
+            const cachedRouterFallback = web_cache_js_1.searchCache.get(routerCacheKey);
+            if (cachedRouterFallback) {
+                return (0, utils_js_1.success)(`Found ${cachedRouterFallback.results.length} cached results for "${input.query}"`, wrapWebSearchOutput(cachedRouterFallback));
+            }
+        }
+    }
+    const searchRouter = createSearchRouter(searchEnv);
+    try {
+        // Race search against context abort signal for cancellation support
+        let results;
+        if (ctx.abortSignal) {
+            const abortPromise = new Promise((_resolve, reject) => {
+                if (ctx.abortSignal.aborted) {
+                    reject(new DOMException("The operation was aborted", "AbortError"));
+                    return;
+                }
+                ctx.abortSignal.addEventListener("abort", () => reject(new DOMException("The operation was aborted", "AbortError")), { once: true });
+            });
+            results = await Promise.race([searchRouter.search(input.query, searchOptions), abortPromise]);
+        }
+        else {
+            results = await searchRouter.search(input.query, searchOptions);
+        }
+        // Normalize results to WebSearchResult shape (cache raw; wrap at return-time)
+        const webResults = results.map((r) => ({
+            title: r.title,
+            url: r.url,
+            content: r.content,
+            score: r.score,
+        }));
+        const output = { query: input.query, results: webResults };
+        web_cache_js_1.searchCache.set(routerCacheKey, output);
+        return (0, utils_js_1.success)(`Found ${webResults.length} results for "${input.query}"`, wrapWebSearchOutput(output));
+    }
+    catch (err) {
+        if (ctx.abortSignal?.aborted) {
+            return (0, utils_js_1.fail)("Web search cancelled");
+        }
+        return (0, utils_js_1.fail)(`Web search failed: ${(0, utils_js_1.getErrorMessage)(err)}`);
+    }
+}
+function wrapWebFetchOutput(output) {
+    if (typeof output.content !== "string") {
+        return output;
+    }
+    return {
+        ...output,
+        content: ensureWrappedExternalContent(output.content, "web_fetch"),
+    };
+}
+function markFetchOutputFromCache(cached) {
+    return {
+        ...cached,
+        fromCache: true,
+    };
+}
+function normalizeRequestHeaders(headers) {
+    if (!headers) {
+        return [];
+    }
+    return Object.entries(headers)
+        .map(([name, value]) => [name.trim().toLowerCase(), value.trim()])
+        .sort(([left], [right]) => left.localeCompare(right));
+}
+function hashRequestHeaders(headers) {
+    const normalizedHeaders = normalizeRequestHeaders(headers);
+    if (normalizedHeaders.length === 0) {
+        return "none";
+    }
+    return (0, node_crypto_1.createHash)("sha256").update(JSON.stringify(normalizedHeaders)).digest("hex");
+}
+function createFetchCacheKey({ url, format, headers, timeoutMs, maxSizeBytes, }) {
+    return `fetch:${url}:${format}:headers=${hashRequestHeaders(headers)}:maxSizeBytes=${maxSizeBytes}:timeoutMs=${timeoutMs}`;
+}
+/**
+ * Fetches content from a URL with retry resilience, caching, and security wrapping.
+ * Uses fetchWithRetry for automatic retry on transient failures (429, 5xx, ECONNRESET).
+ * Results are cached via LRU+TTL cache for 15 minutes.
+ */
+async function executeWebFetch(input, ctx) {
+    // Normalize GitHub blob URLs to raw content URLs before fetching
+    const url = (0, url_js_1.normalizeGitHubUrl)(input.url);
+    // Validate URL structure. DNS/SSRF safety is enforced by fetchWithSsrf
+    // so validation and fetch share one trust boundary.
+    const urlError = (0, ssrf_js_1.validateUrlStructure)(url);
+    if (urlError) {
+        return (0, utils_js_1.fail)(urlError);
+    }
+    const format = input.format ?? "text";
+    const timeoutMs = input.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    const maxSizeBytes = input.maxSizeBytes ?? FETCH_MAX_SIZE_BYTES;
+    // Check cache first (use normalized URL + request variants to avoid collisions)
+    const cacheKey = createFetchCacheKey({
+        url,
+        format,
+        headers: input.headers,
+        timeoutMs,
+        maxSizeBytes,
+    });
+    const cached = web_cache_js_1.fetchCache.get(cacheKey);
+    if (cached) {
+        return (0, utils_js_1.success)(`Fetched ${input.url} (cached)`, wrapWebFetchOutput(markFetchOutputFromCache(cached)));
+    }
+    const { controller, timeoutId } = createTimeoutController(timeoutMs);
+    // Forward context abort signal to our controller
+    const unlinkAbort = linkAbortSignal(ctx.abortSignal, controller);
+    try {
+        const fetchOptions = {
+            headers: input.headers ?? {},
+            signal: controller.signal,
+            redirect: "manual",
+        };
+        // Use DNS-pinned SSRF fetch wrapper with transient retry support.
+        const initialResponse = await (0, retry_js_1.fetchWithSsrf)(url, fetchOptions, {
+            maxAttempts: 2,
+        });
+        // Follow redirects manually and keep each hop on the same DNS-pinned path.
+        const response = await (0, ssrf_js_1.followRedirects)(initialResponse, fetchOptions, {
+            baseUrl: url,
+            fetchFn: (redirectUrl, redirectInit) => (0, retry_js_1.fetchWithSsrf)(redirectUrl, redirectInit, { maxAttempts: 2 }),
+            validateRedirectUrl: ssrf_js_1.validateUrlStructure,
+        });
+        clearTimeout(timeoutId);
+        if (!response.ok) {
+            await (0, ssrf_js_1.discardResponseBody)(response);
+            unlinkAbort();
+            return (0, utils_js_1.fail)(`HTTP error: ${response.status} ${response.statusText}`, {
+                status: response.status,
+                statusText: response.statusText,
+            });
+        }
+        // Check Content-Length header for size limit
+        const contentLength = response.headers.get("Content-Length");
+        if (contentLength) {
+            const size = parseInt(contentLength, 10);
+            if (!isNaN(size) && size > maxSizeBytes) {
+                await (0, ssrf_js_1.discardResponseBody)(response);
+                unlinkAbort();
+                return (0, utils_js_1.fail)(`Response too large: ${size} bytes exceeds maximum of ${maxSizeBytes} bytes`);
+            }
+        }
+        const contentType = response.headers.get("Content-Type") ?? undefined;
+        let content;
+        // Use streaming reader to enforce size limit even for chunked responses
+        let text;
+        let contentBytes = 0;
+        try {
+            const result = await readResponseWithLimit(response, maxSizeBytes);
+            text = result.text;
+            contentBytes = result.contentBytes;
+            if (result.truncated) {
+                unlinkAbort();
+                return (0, utils_js_1.fail)(`Response body exceeds maximum size of ${maxSizeBytes} bytes`);
+            }
+        }
+        catch (sizeErr) {
+            unlinkAbort();
+            return (0, utils_js_1.fail)((0, utils_js_1.getErrorMessage)(sizeErr));
+        }
+        if (format === "json") {
+            const parsed = (0, safe_parse_json_js_1.safeParseJson)(text, JsonFetchContentSchema);
+            if (!parsed.ok) {
+                unlinkAbort();
+                return (0, utils_js_1.fail)(`Failed to parse JSON response (${parsed.reason})`);
+            }
+            content = parsed.data;
+        }
+        else {
+            content = text;
+        }
+        const output = {
+            content,
+            status: response.status,
+            contentType,
+            fromCache: false,
+            fetchedAt: new Date().toISOString(),
+            finalUrl: response.url || url,
+            contentBytes,
+            truncated: false,
+        };
+        web_cache_js_1.fetchCache.set(cacheKey, output);
+        unlinkAbort();
+        return (0, utils_js_1.success)(`Fetched ${input.url} (${response.status})`, wrapWebFetchOutput(output));
+    }
+    catch (err) {
+        clearTimeout(timeoutId);
+        unlinkAbort();
+        if (err instanceof Error &&
+            (err.name === "AbortError" || (err instanceof DOMException && err.name === "AbortError"))) {
+            if (ctx.abortSignal?.aborted) {
+                return (0, utils_js_1.fail)("Request cancelled");
+            }
+            return (0, utils_js_1.fail)(`Request timed out after ${timeoutMs}ms`);
+        }
+        return (0, utils_js_1.fail)((0, utils_js_1.getErrorMessage)(err));
+    }
+}
+// ============================================================================
+// Browse
+// ============================================================================
+/** Default timeout for browsing in milliseconds */
+const BROWSE_TIMEOUT_MS = 30_000;
+/** Maximum content length returned by browse (characters) — increased from 10K to 50K */
+const BROWSE_MAX_CONTENT_LENGTH = 50_000;
+function wrapBrowseOutput(output) {
+    return {
+        ...output,
+        content: ensureWrappedExternalContent(output.content, "browse"),
+    };
+}
+function markBrowseOutputFromCache(cached) {
+    return {
+        ...cached,
+        fromCache: true,
+    };
+}
+/**
+ * Browses a URL by fetching its HTML content and extracting Markdown.
+ * Uses Readability.js + Turndown for article extraction with three-tier fallback.
+ * Supports GitHub URL normalization, retry on transient failures, LRU+TTL caching,
+ * and nonce-based external content wrapping.
+ */
+async function executeBrowse(input, ctx) {
+    // Validate URL
+    if (!input.url) {
+        return (0, utils_js_1.fail)("URL is required for browse");
+    }
+    // Normalize GitHub blob URLs to raw content URLs
+    const url = (0, url_js_1.normalizeGitHubUrl)(input.url);
+    // Check cache (using normalized URL as key)
+    const cached = web_cache_js_1.browseCache.get(url);
+    if (cached) {
+        return (0, utils_js_1.success)(`Browsed ${input.url} (cached)`, wrapBrowseOutput(markBrowseOutputFromCache(cached)));
+    }
+    const urlError = (0, ssrf_js_1.validateUrlStructure)(url);
+    if (urlError) {
+        return (0, utils_js_1.fail)(urlError);
+    }
+    const timeoutMs = input.timeoutMs ?? BROWSE_TIMEOUT_MS;
+    const { controller, timeoutId } = createTimeoutController(timeoutMs);
+    // Forward context abort signal to our controller
+    const unlinkAbort = linkAbortSignal(ctx.abortSignal, controller);
+    try {
+        const fetchOptions = {
+            headers: {
+                "User-Agent": (0, url_js_1.getUserAgent)(),
+                Accept: "text/html, application/xhtml+xml, */*",
+            },
+            signal: controller.signal,
+            redirect: "manual",
+        };
+        // Use DNS-pinned SSRF fetch wrapper with transient retry support.
+        const initialResponse = await (0, retry_js_1.fetchWithSsrf)(url, fetchOptions, {
+            maxAttempts: 2,
+        });
+        // Follow redirects manually and keep each hop on the same DNS-pinned path.
+        const response = await (0, ssrf_js_1.followRedirects)(initialResponse, fetchOptions, {
+            baseUrl: url,
+            fetchFn: (redirectUrl, redirectInit) => (0, retry_js_1.fetchWithSsrf)(redirectUrl, redirectInit, { maxAttempts: 2 }),
+            validateRedirectUrl: ssrf_js_1.validateUrlStructure,
+        });
+        clearTimeout(timeoutId);
+        if (!response.ok) {
+            await (0, ssrf_js_1.discardResponseBody)(response);
+            unlinkAbort();
+            return (0, utils_js_1.fail)(`HTTP error fetching ${input.url}: ${response.status} ${response.statusText}`);
+        }
+        // Truncate large pages gracefully — content gets reduced to 50K chars by
+        // Readability+Turndown anyway, so the first 2MB of HTML is plenty.
+        const { text: html, truncated: responseTruncated, contentBytes, } = await readResponseWithLimit(response, BROWSE_MAX_SIZE_BYTES, {
+            truncate: true,
+        });
+        // Extract content using Content-Type-aware extraction pipeline.
+        const { title, content: extractedContent } = await (0, content_extraction_js_1.extractFromResponse)(html, url, response.headers.get("Content-Type"));
+        // Truncate to 50K character limit
+        // extractContent() internally truncates to MAX_CONTENT_LENGTH (50K),
+        // so content that was originally longer arrives here at exactly 50K.
+        // Use >= to detect content that hit the internal limit.
+        const contentLimitReached = extractedContent.length >= BROWSE_MAX_CONTENT_LENGTH;
+        const truncated = contentLimitReached || responseTruncated;
+        const truncatedContent = contentLimitReached
+            ? extractedContent.slice(0, BROWSE_MAX_CONTENT_LENGTH) + "\n\n[Content truncated]"
+            : responseTruncated
+                ? extractedContent + "\n\n[Content truncated]"
+                : extractedContent;
+        const output = {
+            url: input.url,
+            title,
+            content: truncatedContent,
+            fromCache: false,
+            fetchedAt: new Date().toISOString(),
+            finalUrl: response.url || url,
+            contentBytes,
+            truncated,
+        };
+        web_cache_js_1.browseCache.set(url, output);
+        unlinkAbort();
+        return (0, utils_js_1.success)(`Browsed ${input.url}`, wrapBrowseOutput(output));
+    }
+    catch (err) {
+        clearTimeout(timeoutId);
+        unlinkAbort();
+        if (err instanceof Error && err.name === "AbortError") {
+            if (ctx.abortSignal?.aborted) {
+                return (0, utils_js_1.fail)("Browse cancelled");
+            }
+            return (0, utils_js_1.fail)(`Browse timed out after ${timeoutMs}ms: ${input.url}`);
+        }
+        return (0, utils_js_1.fail)(`Browse failed: ${(0, utils_js_1.getErrorMessage)(err)}`);
+    }
+}
+//# sourceMappingURL=web.js.map