@codemation/core-nodes 0.7.1 → 0.8.1

package/dist/metadata.json

@@ -0,0 +1,162 @@
+{
+  "schemaVersion": 1,
+  "packageName": "@codemation/core-nodes",
+  "packageVersion": "0.8.1",
+  "description": "",
+  "kind": "nodes",
+  "nodes": [
+    {
+      "name": "Collection: Delete",
+      "kind": "node",
+      "description": "Delete a row by id from a collection.",
+      "inputPorts": [
+        "main"
+      ],
+      "outputPorts": [
+        "main"
+      ],
+      "sourcePath": "src/nodes/collections/collectionDeleteNode.types.ts"
+    },
+    {
+      "name": "Collection: Find One",
+      "kind": "node",
+      "description": "Find a single row matching a filter in a collection.",
+      "inputPorts": [
+        "main"
+      ],
+      "outputPorts": [
+        "main"
+      ],
+      "sourcePath": "src/nodes/collections/collectionFindOneNode.types.ts"
+    },
+    {
+      "name": "Collection: Get",
+      "kind": "node",
+      "description": "Get a single row by id from a collection.",
+      "inputPorts": [
+        "main"
+      ],
+      "outputPorts": [
+        "main"
+      ],
+      "sourcePath": "src/nodes/collections/collectionGetNode.types.ts"
+    },
+    {
+      "name": "Collection: Insert",
+      "kind": "node",
+      "description": "Insert a new row into a collection.",
+      "inputPorts": [
+        "main"
+      ],
+      "outputPorts": [
+        "main"
+      ],
+      "sourcePath": "src/nodes/collections/collectionInsertNode.types.ts"
+    },
+    {
+      "name": "Collection: List",
+      "kind": "node",
+      "description": "List rows from a collection with optional pagination and filtering.",
+      "inputPorts": [
+        "main"
+      ],
+      "outputPorts": [
+        "main"
+      ],
+      "sourcePath": "src/nodes/collections/collectionListNode.types.ts"
+    },
+    {
+      "name": "Collection: Update",
+      "kind": "node",
+      "description": "Update a row by id in a collection.",
+      "inputPorts": [
+        "main"
+      ],
+      "outputPorts": [
+        "main"
+      ],
+      "sourcePath": "src/nodes/collections/collectionUpdateNode.types.ts"
+    }
+  ],
+  "credentials": [
+    {
+      "name": "core-nodes.api-key",
+      "description": "Authenticates requests by injecting an API key into a header or query parameter.",
+      "fields": [
+        {
+          "key": "placement",
+          "type": "string",
+          "required": true
+        },
+        {
+          "key": "name",
+          "type": "string",
+          "required": true
+        },
+        {
+          "key": "apiKey",
+          "type": "password",
+          "required": true
+        }
+      ]
+    },
+    {
+      "name": "core-nodes.basic-auth",
+      "description": "Authenticates requests using HTTP Basic Authentication (username + password).",
+      "fields": [
+        {
+          "key": "username",
+          "type": "string",
+          "required": true
+        },
+        {
+          "key": "password",
+          "type": "password",
+          "required": true
+        }
+      ]
+    },
+    {
+      "name": "core-nodes.bearer-token",
+      "description": "Authenticates requests using a static Bearer token in the Authorization header.",
+      "fields": [
+        {
+          "key": "token",
+          "type": "password",
+          "required": true
+        }
+      ]
+    },
+    {
+      "name": "core-nodes.oauth2-client-credentials",
+      "description": "Machine-to-machine OAuth2 using the client_credentials grant. Exchanges client ID and secret for a bearer token before each workflow execution.",
+      "fields": [
+        {
+          "key": "tokenUrl",
+          "type": "string",
+          "required": true
+        },
+        {
+          "key": "scopes",
+          "type": "string",
+          "required": true
+        },
+        {
+          "key": "audience",
+          "type": "string",
+          "required": true
+        },
+        {
+          "key": "clientId",
+          "type": "string",
+          "required": true
+        },
+        {
+          "key": "clientSecret",
+          "type": "password",
+          "required": true
+        }
+      ]
+    }
+  ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@codemation/core-nodes",
-  "version": "0.7.1",
+  "version": "0.8.1",
   "publishConfig": {
     "access": "public"
   },
@@ -32,11 +32,11 @@
     "@ai-sdk/provider": "^3.0.8",
     "ai": "^6.0.168",
     "croner": "^10.0.1",
-    "lucide-react": "^0.577.0",
-    "@codemation/core": "0.10.2"
+    "@codemation/core": "0.11.1"
   },
   "devDependencies": {
     "@types/node": "^25.3.5",
+    "lucide-react": "^0.577.0",
     "eslint": "^10.0.3",
     "reflect-metadata": "^0.2.2",
     "tsdown": "^0.15.5",
@@ -48,7 +48,8 @@
   "scripts": {
     "changeset:verify": "pnpm --workspace-root run changeset:verify",
     "dev": "tsdown --watch",
-    "build": "tsdown",
+    "build": "tsdown && pnpm build:metadata",
+    "build:metadata": "tsx ../../tooling/discovery/scripts/extract-metadata.ts",
     "typecheck": "tsc -p tsconfig.json --noEmit",
     "lint": "eslint .",
     "test": "pnpm --filter @codemation/core build && pnpm build && vitest run",

package/src/authoring/defineRestNode.types.ts

@@ -1,10 +1,11 @@
 import { defineNode } from "@codemation/core";
-import type { DefinedNode, DefinedNodeCredentialBindings } from "@codemation/core";
+import type { DefinedNode, DefinedNodeCredentialBindings, NodeInspectorSummaryRow } from "@codemation/core";
 import type { ZodType } from "zod";
 import type { HttpBodySpec } from "../http/httpRequest.types";
 import { HttpRequestExecutor } from "../http/HttpRequestExecutor";
 import { HttpBodyBuilder } from "../http/HttpBodyBuilder";
 import { HttpUrlBuilder } from "../http/HttpUrlBuilder";
+import { SsrfGuard } from "../http/SsrfGuard";
 
 type MaybePromise<T> = T | Promise<T>;
 
@@ -96,6 +97,14 @@ export interface DefineRestNodeOptions<
    * @default "throw"
    */
   readonly errorPolicy?: RestNodeErrorPolicy;
+  /**
+   * Static configuration summary surfaced in the workflow inspector.
+   * Receives the static config (empty record for defineRestNode — config lives on item input).
+   * Most callers return rows based on the static `api` descriptor instead.
+   */
+  readonly inspectorSummary?: (
+    args: Readonly<{ config: Record<string, never> }>,
+  ) => ReadonlyArray<NodeInspectorSummaryRow> | undefined;
 }
 
 /**
@@ -149,6 +158,7 @@ export function defineRestNode<
     icon: options.icon,
     credentials: options.credentials,
     inputSchema: options.inputSchema,
+    inspectorSummary: options.inspectorSummary,
     async execute({ input, item, ctx }, { credentials }) {
       // Resolve credential if one is bound.
       const credentialSlot = options.credentials ? Object.keys(options.credentials)[0] : undefined;
@@ -163,7 +173,12 @@ export function defineRestNode<
       const resolvedPath = substitutePath(options.api.path, pathParams);
       const resolvedUrl = `${options.api.baseUrl}${resolvedPath}`;
 
-      const executor = new HttpRequestExecutor(globalThis.fetch, new HttpBodyBuilder(), new HttpUrlBuilder());
+      const executor = new HttpRequestExecutor(
+        globalThis.fetch,
+        new HttpBodyBuilder(),
+        new HttpUrlBuilder(),
+        new SsrfGuard(),
+      );
       const result = await executor.execute(
         {
           url: resolvedUrl,

package/src/chatModels/CodemationChatModelConfig.ts

@@ -0,0 +1,47 @@
+import type { AgentCanvasPresentation, ChatModelConfig } from "@codemation/core";
+
+import type { CanvasIconName } from "../canvasIconName";
+import { CodemationChatModelFactory } from "./CodemationChatModelFactory";
+
+/**
+ * A platform-managed model entry as returned by GET /api/llm/managed-models.
+ */
+export interface ManagedModelDto {
+  id: string;
+  modelId: string;
+  displayName: string;
+  providerKey: string;
+  inputCostPerMTok: number;
+  outputCostPerMTok: number;
+  contextWindow: number;
+  tier: string;
+}
+
+/**
+ * Bifrost-namespaced model ID. Kept as `string` so runtime-fetched model IDs
+ * (from the CP allowlist) work without compile-time enumeration.
+ * Story C replaced the prior hardcoded union with this open type.
+ */
+export type CodemationManagedModel = string;
+
+export class CodemationChatModelConfig implements ChatModelConfig {
+  readonly type = CodemationChatModelFactory;
+  readonly presentation: AgentCanvasPresentation<CanvasIconName>;
+  readonly provider = "codemation-managed";
+  readonly modelName: string;
+
+  constructor(
+    public readonly name: string,
+    public readonly model: CodemationManagedModel,
+    presentationIn?: AgentCanvasPresentation<CanvasIconName>,
+    public readonly options?: Readonly<{
+      temperature?: number;
+      maxTokens?: number;
+    }>,
+  ) {
+    this.modelName = model;
+    this.presentation = presentationIn ?? { icon: "lucide:bot", label: name };
+  }
+
+  // No getCredentialRequirements() — authentication is implicit via workspace pairing secret (D2).
+}

package/src/chatModels/CodemationChatModelFactory.ts

@@ -0,0 +1,103 @@
+import { createHmac, createHash, randomBytes } from "node:crypto";
+import type { ChatLanguageModel, ChatModelFactory, NodeExecutionContext } from "@codemation/core";
+import { chatModel } from "@codemation/core";
+
+import { createOpenAI } from "@ai-sdk/openai";
+
+import type { CodemationChatModelConfig } from "./CodemationChatModelConfig";
+
+@chatModel({ packageName: "@codemation/core-nodes" })
+export class CodemationChatModelFactory implements ChatModelFactory<CodemationChatModelConfig> {
+  create(
+    args: Readonly<{ config: CodemationChatModelConfig; ctx: NodeExecutionContext<any> }>,
+  ): Promise<ChatLanguageModel> {
+    // D5: read at session-create time so unpairing or misconfiguration surfaces at workflow run, not boot.
+    // eslint-disable-next-line no-restricted-properties -- LLM_GATEWAY_URL is injected by the control-plane provisioner into the workspace process env; reading it at factory-create time is the justified boundary.
+    const gatewayUrl = process.env["LLM_GATEWAY_URL"];
+    if (!gatewayUrl) {
+      throw new Error("Codemation managed AI not available in this environment (LLM_GATEWAY_URL is not set).");
+    }
+
+    // eslint-disable-next-line no-restricted-properties -- workspace pairing vars are injected by the provisioner; factory reading them here is the justified boundary.
+    const workspaceId = process.env["WORKSPACE_ID"];
+    // eslint-disable-next-line no-restricted-properties -- workspace pairing vars are injected by the provisioner; factory reading them here is the justified boundary.
+    const pairingSecret = process.env["WORKSPACE_PAIRING_SECRET"];
+    if (!workspaceId || !pairingSecret) {
+      throw new Error("Codemation managed AI not available in this environment (workspace pairing is not configured).");
+    }
+
+    const hmacFetch = this.buildHmacSignedFetch(workspaceId, pairingSecret);
+    // apiKey is required by the AI SDK but unused — authentication is handled by the HMAC-signed fetch wrapper.
+    const provider = createOpenAI({ baseURL: `${gatewayUrl}/v1`, apiKey: "codemation-managed", fetch: hmacFetch });
+    const languageModel = provider.chat(args.config.model);
+
+    return Promise.resolve({
+      languageModel,
+      modelName: args.config.model,
+      provider: "codemation-managed",
+      defaultCallOptions: {
+        maxOutputTokens: args.config.options?.maxTokens,
+        temperature: args.config.options?.temperature,
+      },
+    });
+  }
+
+  /**
+   * Creates an HMAC-signed fetch wrapper for use with AI SDK's createOpenAI.
+   * Each call signs the request body with the workspace pairing secret so the
+   * LLM broker can authenticate the workspace without a user-managed API key.
+   *
+   * Mirrors HmacRequestSigner from @codemation/host/pairing without importing
+   * that package (which would create a circular dependency since @codemation/host
+   * depends on @codemation/core-nodes).
+   */
+  private buildHmacSignedFetch(workspaceId: string, pairingSecret: string): typeof fetch {
+    return async (input: string | URL | Request, init?: RequestInit): Promise<Response> => {
+      const url = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+      const method = init?.method ?? "POST";
+
+      // Normalise body to a string for signing. Chat completions are always JSON strings
+      // but the fetch spec allows other BodyInit types — handle those defensively.
+      let bodyString = "";
+      if (init?.body !== undefined && init.body !== null) {
+        if (typeof init.body === "string") {
+          bodyString = init.body;
+        } else {
+          bodyString = await new Response(init.body).text();
+        }
+      }
+
+      const authHeader = this.buildHmacAuthHeader(workspaceId, pairingSecret, method, url, bodyString);
+
+      const headers = new Headers(init?.headers as Record<string, string> | undefined);
+      headers.set("Authorization", authHeader);
+
+      // Use the same (possibly normalised) body string that was signed.
+      const effectiveBody = bodyString || init?.body;
+      return fetch(input, { ...init, body: effectiveBody, headers });
+    };
+  }
+
+  /**
+   * Produces a Codemation-Hmac v1 Authorization header value.
+   * The algorithm must match HmacVerifier.computeSignature() in the control-plane.
+   */
+  private buildHmacAuthHeader(
+    workspaceId: string,
+    pairingSecret: string,
+    method: string,
+    url: string,
+    body: string,
+  ): string {
+    const ts = Math.floor(Date.now() / 1000);
+    const nonce = randomBytes(16).toString("base64");
+    const parsed = new URL(url);
+    const path = (parsed.pathname + parsed.search).toLowerCase();
+    const bodyHash = createHash("sha256").update(body, "utf8").digest("hex");
+    const baseString = [method.toUpperCase(), path, ts, nonce, bodyHash].join("\n");
+    // eslint-disable-next-line codemation/no-buffer-everything -- pairing secret is a fixed 32-byte value, never large
+    const secretBytes = Buffer.from(pairingSecret, "base64");
+    const sig = createHmac("sha256", secretBytes).update(baseString, "utf8").digest("base64");
+    return `Codemation-Hmac v=1,workspaceId=${workspaceId},ts=${ts},nonce=${nonce},sig=${sig}`;
+  }
+}

package/src/chatModels/ManagedModelFetcher.ts

@@ -0,0 +1,23 @@
+import type { ManagedModelDto } from "./CodemationChatModelConfig";
+
+/**
+ * Fetches the active platform-managed model allowlist from the CP.
+ * Reads CONTROL_PLANE_URL from the workspace process env.
+ * Returns an empty array if the env var is absent or the fetch fails.
+ * Cache the result per session — the allowlist changes infrequently.
+ */
+export class ManagedModelFetcher {
+  async fetch(): Promise<ManagedModelDto[]> {
+    // eslint-disable-next-line no-restricted-properties -- CONTROL_PLANE_URL is injected by the provisioner; this class is the justified boundary.
+    const cpUrl = process.env["CONTROL_PLANE_URL"];
+    if (!cpUrl) return [];
+
+    try {
+      const res = await globalThis.fetch(`${cpUrl}/api/llm/managed-models`);
+      if (!res.ok) return [];
+      return (await res.json()) as ManagedModelDto[];
+    } catch {
+      return [];
+    }
+  }
+}

package/src/http/HttpRequestExecutor.ts

@@ -2,6 +2,7 @@ import type { Item } from "@codemation/core";
 import type { HttpRequestResult, HttpRequestSpec } from "./httpRequest.types";
 import type { HttpBodyBuilder } from "./HttpBodyBuilder";
 import type { HttpUrlBuilder } from "./HttpUrlBuilder";
+import type { SsrfGuard } from "./SsrfGuard";
 
 /**
  * Executes a single HTTP request described by {@link HttpRequestSpec}.
@@ -9,27 +10,34 @@ import type { HttpUrlBuilder } from "./HttpUrlBuilder";
  * - Credential sessions provide header/query deltas via `applyToRequest`.
  * - Body encoding is delegated to {@link HttpBodyBuilder}.
  * - URL query merging is delegated to {@link HttpUrlBuilder}.
+ * - SSRF protection is delegated to {@link SsrfGuard} (injected).
  * - Binary response bodies: when `download.mode` triggers binary attach, the
  *   `bodyBinaryName` field is set in the result but the body is NOT read here.
  *   Callers that need binary attachment should use `buildRequest` to get the
  *   resolved URL + init and make the fetch + binary attach themselves.
  *
- * Collaborators (`fetch`, body builder, url builder) are injected so callers
- * own construction at composition roots and tests can supply deterministic stubs.
+ * Collaborators (`fetch`, body builder, url builder, ssrfGuard) are injected so
+ * callers own construction at composition roots and tests can supply deterministic stubs.
  */
 export class HttpRequestExecutor {
   constructor(
     private readonly fetchFn: typeof globalThis.fetch,
     private readonly bodyBuilder: HttpBodyBuilder,
     private readonly urlBuilder: HttpUrlBuilder,
+    private readonly ssrfGuard: SsrfGuard,
   ) {}
 
   /**
    * Builds the fetch init (headers, query, body) from the spec + credential delta,
    * returning both the resolved URL and the RequestInit so callers can make the
    * actual fetch call themselves (useful for streaming / binary attach).
+   *
+   * Also performs SSRF protection via the injected {@link SsrfGuard} before
+   * returning — throws {@link SSRFBlockedError} if the target is a private address.
    */
   async buildRequest(spec: HttpRequestSpec, item: Item): Promise<Readonly<{ url: string; init: RequestInit }>> {
+    await this.ssrfGuard.check(spec.url, spec.allowPrivateNetworkTargets ?? false);
+
     const credentialDelta = spec.credential?.applyToRequest(spec) ?? {};
 
     const mergedHeaders: Record<string, string> = {

package/src/http/SSRFBlockedError.ts

@@ -0,0 +1,16 @@
+/**
+ * Thrown when an HTTP request target resolves to a private, link-local, or
+ * loopback address and `allowPrivateNetworkTargets` is not set.
+ */
+export class SSRFBlockedError extends Error {
+  readonly resolvedIp: string;
+
+  constructor(host: string, resolvedIp: string) {
+    super(
+      `SSRF protection blocked request to host "${host}" — resolved IP ${resolvedIp} is a private, ` +
+        `link-local, or loopback address. Set allowPrivateNetworkTargets: true to allow trusted internal targets.`,
+    );
+    this.name = "SSRFBlockedError";
+    this.resolvedIp = resolvedIp;
+  }
+}

package/src/http/SsrfGuard.ts

@@ -0,0 +1,141 @@
+import dns from "node:dns/promises";
+import { SSRFBlockedError } from "./SSRFBlockedError";
+
+export { SSRFBlockedError } from "./SSRFBlockedError";
+
+/** Emitted once per process when NODE_ENV=production and no allowedOutboundHosts is set. */
+let _productionNoAllowlistWarned = false;
+
+/**
+ * Guards HTTP requests against Server-Side Request Forgery (SSRF) by
+ * DNS-resolving the target host and rejecting private/link-local/loopback
+ * addresses.
+ *
+ * Blocked ranges:
+ * - RFC-1918: 10/8, 172.16/12, 192.168/16
+ * - Link-local: 169.254/16
+ * - Loopback: 127/8, ::1
+ *
+ * When `allowedOutboundHosts` is set, every resolved DNS target must match
+ * at least one entry in the list (exact hostname or `*.example.com` wildcard).
+ * When unset, existing behaviour applies: private ranges blocked, public allowed.
+ *
+ * Call {@link check} before making any outbound HTTP request.
+ * Pass `allowPrivate: true` to bypass the private-network guard for trusted workflows
+ * (allowedOutboundHosts allowlist is still applied when set).
+ */
+export class SsrfGuard {
+  constructor(private readonly allowedOutboundHosts?: ReadonlyArray<string>) {
+    if (
+      // eslint-disable-next-line no-restricted-properties
+      process.env.NODE_ENV === "production" &&
+      (allowedOutboundHosts == null || allowedOutboundHosts.length === 0) &&
+      !_productionNoAllowlistWarned
+    ) {
+      _productionNoAllowlistWarned = true;
+      console.warn(
+        "[SsrfGuard] WARNING: NODE_ENV=production but no allowedOutboundHosts is configured for HttpRequest. " +
+          "All public destinations are permitted. Set allowedOutboundHosts to restrict outbound traffic.",
+      );
+    }
+  }
+
+  /**
+   * Resolves the host of `url` via DNS and throws {@link SSRFBlockedError}
+   * if any resolved address falls in a blocked range, or if the host does not
+   * match the operator-configured allowlist (when set).
+   *
+   * @param url - Fully-qualified URL of the intended request target.
+   * @param allowPrivate - When `true`, the private-network check is skipped.
+   *   The allowedOutboundHosts check is still applied when set.
+   */
+  async check(url: string, allowPrivate: boolean): Promise<void> {
+    if (allowPrivate && !this.allowedOutboundHosts?.length) return;
+
+    let host: string;
+    try {
+      host = new URL(url).hostname;
+    } catch {
+      // Malformed URL — let the fetch call surface the error.
+      return;
+    }
+
+    // Check allowedOutboundHosts allowlist first (hostname match, no DNS needed).
+    if (this.allowedOutboundHosts?.length) {
+      if (!this.isHostAllowed(host)) {
+        throw new SSRFBlockedError(host, host);
+      }
+      // Host is in the allowlist — skip private-network checks (host is trusted).
+      return;
+    }
+
+    // No allowlist: apply the standard private-network SSRF guard.
+    if (allowPrivate) return;
+
+    // Strip IPv6 brackets for the check below.
+    const bareHost = host.startsWith("[") ? host.slice(1, -1) : host;
+
+    // If the host is already a bare IP address, check directly without DNS.
+    if (this.isPrivateAddress(bareHost)) {
+      throw new SSRFBlockedError(host, bareHost);
+    }
+
+    let addresses: ReadonlyArray<{ address: string; family: number }>;
+    try {
+      addresses = (await dns.lookup(host, { all: true })) as ReadonlyArray<{ address: string; family: number }>;
+    } catch {
+      // DNS failure — let the fetch call surface the real error (ENOTFOUND etc.).
+      return;
+    }
+
+    for (const { address } of addresses) {
+      if (this.isPrivateAddress(address)) {
+        throw new SSRFBlockedError(host, address);
+      }
+    }
+  }
+
+  /**
+   * Returns true when `host` matches at least one entry in `allowedOutboundHosts`.
+   * Supports exact hostnames (`api.example.com`) and wildcard prefixes (`*.example.com`).
+   */
+  private isHostAllowed(host: string): boolean {
+    for (const allowed of this.allowedOutboundHosts ?? []) {
+      if (allowed.startsWith("*.")) {
+        // Wildcard: *.example.com matches sub.example.com but NOT example.com itself.
+        const suffix = allowed.slice(1); // ".example.com"
+        if (host.endsWith(suffix) && host.length > suffix.length) return true;
+      } else {
+        if (host === allowed) return true;
+      }
+    }
+    return false;
+  }
+
+  private isPrivateAddress(ip: string): boolean {
+    return this.isPrivateIPv4(ip) || this.isPrivateIPv6(ip);
+  }
+
+  private isPrivateIPv4(ip: string): boolean {
+    const parts = ip.split(".").map(Number);
+    if (parts.length !== 4 || parts.some((p) => isNaN(p) || p < 0 || p > 255)) {
+      return false;
+    }
+    const [a, b] = parts as [number, number, number, number];
+    if (a === 127) return true; // loopback 127/8
+    if (a === 10) return true; // RFC-1918 10/8
+    if (a === 172 && b >= 16 && b <= 31) return true; // RFC-1918 172.16/12
+    if (a === 192 && b === 168) return true; // RFC-1918 192.168/16
+    if (a === 169 && b === 254) return true; // link-local 169.254/16
+    if (a === 100 && b >= 64 && b <= 127) return true; // CGN 100.64.0.0/10
+    return false;
+  }
+
+  private isPrivateIPv6(ip: string): boolean {
+    const lower = ip.toLowerCase().replace(/^\[/, "").replace(/\]$/, "");
+    if (lower === "::1" || lower === "0:0:0:0:0:0:0:1") return true; // loopback
+    if (lower.startsWith("fc") || lower.startsWith("fd")) return true; // fc00::/7 ULA
+    if (lower.startsWith("fe80")) return true; // fe80::/10 link-local
+    return false;
+  }
+}

package/src/http/httpRequest.types.ts

@@ -67,6 +67,12 @@ export type HttpRequestSpec = Readonly<{
   responseBinarySlot?: string;
   /** Maximum allowed response size in bytes (checked against Content-Length before allocating). Defaults to 100 MiB. */
   responseSizeCapBytes?: number;
+  /**
+   * When `false` (default), requests whose target host resolves to an RFC-1918,
+   * link-local (169.254/16), or loopback address are blocked to prevent SSRF attacks.
+   * Set to `true` only for workflows that intentionally reach private infrastructure.
+   */
+  allowPrivateNetworkTargets?: boolean;
   /** Execution context — needed for binary attach. */
   ctx: NodeExecutionContext<RunnableNodeConfig<unknown, unknown>>;
 }>;

package/src/index.ts

@@ -1,12 +1,16 @@
 export * from "./canvasIconName";
 export * from "./credentials/index";
 export * from "./http/httpRequest.types";
+export { SSRFBlockedError, SsrfGuard } from "./http/SsrfGuard";
 export * from "./authoring/defineRestNode.types";
 export * from "./chatModels/OpenAIChatModelFactory";
 export * from "./chatModels/OpenAiStrictJsonSchemaFactory";
 export * from "./chatModels/OpenAiCredentialSession";
 export * from "./chatModels/openAiChatModelConfig";
 export * from "./chatModels/OpenAiChatModelPresetsFactory";
+export * from "./chatModels/CodemationChatModelFactory";
+export * from "./chatModels/CodemationChatModelConfig";
+export * from "./chatModels/ManagedModelFetcher";
 export * from "./nodes/aiAgent";
 export * from "./nodes/assertion";
 export * from "./nodes/CallbackNodeFactory";