@gajae-code/coding-agent 0.7.1 → 0.7.2

package/src/web/insane/bridge.ts

@@ -0,0 +1,350 @@
+/**
+ * Bridge from TypeScript to the vendored insane-search Python engine.
+ *
+ * Invokes `python3 -m engine "<url>" --json` per fallback attempt (cwd + PYTHONPATH
+ * pointed at the vendored engine), validates the JSON envelope, and maps it onto a
+ * discriminated result. Hardened: clamped timeout, AbortSignal propagation that
+ * kills+reaps the child, bounded stdout/stderr capture, and a per-process
+ * concurrency cap so blocked reads cannot fork-storm.
+ *
+ * Fail-closed: missing dependencies / bad output / auth-required never throw past
+ * the caller and never auto-install anything; they return ok:false with a stable,
+ * bounded note so `read` can continue with its normal degraded result.
+ */
+import { type ChildProcess, spawn as nodeSpawn } from "node:child_process";
+import * as path from "node:path";
+import { fileURLToPath } from "node:url";
+import { $which } from "@gajae-code/utils";
+
+const HERE = path.dirname(fileURLToPath(import.meta.url));
+/** packages/coding-agent/vendor/insane-search */
+export const INSANE_VENDOR_DIR = path.resolve(HERE, "../../../vendor/insane-search");
+const TEMPLATES_DIR = path.join(INSANE_VENDOR_DIR, "engine", "templates");
+
+const MAX_STDOUT_BYTES = 8 * 1024 * 1024;
+const MAX_STDERR_BYTES = 64 * 1024;
+const DEFAULT_TIMEOUT_MS = 25_000;
+const MIN_TIMEOUT_MS = 1_000;
+const MAX_TIMEOUT_MS = 120_000;
+const DEFAULT_CONCURRENCY = 2;
+const KILL_GRACE_MS = 2_000;
+
+/** Stable note prefixes — tests assert on these without depending on full stderr. */
+export const INSANE_NOTES = {
+	guardBlocked: (reason: string) => `insane fallback blocked: target URL is not public HTTP(S): ${reason}`,
+	vendorMissing: `insane fallback unavailable: vendor engine missing at packages/coding-agent/vendor/insane-search`,
+	noPython: `insane fallback unavailable: python3 not found; install python3 and curl_cffi, then retry with web.insaneFallback=true`,
+	noCurlCffi: `insane fallback unavailable: python3 cannot import curl_cffi; install curl_cffi for Phase 0-2`,
+	noBrowser: `insane fallback unavailable: node/playwright/stealth dependencies missing for Phase 3; install dependencies under packages/coding-agent/vendor/insane-search/engine/templates`,
+	timeout: (seconds: number) => `insane fallback timed out after ${seconds}s; normal read fallback preserved`,
+	invalidJson: `insane fallback failed: engine returned invalid JSON`,
+	authRequired: `insane fallback stopped: authentication required`,
+	verdict: (verdict: string) => `insane fallback failed: engine returned verdict=${verdict}`,
+	untried: (routes: string) => `insane fallback routes not tried: ${routes}`,
+	mustBrowserMcp: `insane fallback requires browser MCP/manual phase: must_invoke_playwright_mcp=true`,
+	concurrency: `insane fallback skipped: max concurrent engine attempts reached`,
+	emptyContent: `insane fallback failed: engine reported ok but returned no content`,
+} as const;
+
+/** Raw JSON envelope produced by `python3 -m engine --json`. */
+export interface InsaneFetchResultRaw {
+	ok?: boolean;
+	verdict?: string;
+	content?: string;
+	profile_used?: string;
+	trace?: unknown;
+	untried_routes?: string[];
+	must_invoke_playwright_mcp?: boolean;
+}
+
+export interface InsaneSuccess {
+	ok: true;
+	content: string;
+	profileUsed?: string;
+	notes: string[];
+}
+
+export interface InsaneFailure {
+	ok: false;
+	reason: string;
+	verdict?: string;
+	notes: string[];
+}
+
+export type InsaneBridgeResult = InsaneSuccess | InsaneFailure;
+
+export interface EngineInvocation {
+	url: string;
+	timeoutMs: number;
+	signal?: AbortSignal;
+}
+
+export interface EngineRawOutput {
+	code: number | null;
+	stdout: string;
+	stderr: string;
+	timedOut: boolean;
+	aborted: boolean;
+}
+
+/** Seam: run the engine subprocess. Default spawns python3. */
+export type EngineRunner = (inv: EngineInvocation) => Promise<EngineRawOutput>;
+
+export interface InsaneDependencyStatus {
+	vendorPresent: boolean;
+	python: boolean;
+	curlCffi: boolean;
+	browser: boolean;
+}
+
+/** Seam: probe dependencies. Default probes the real environment (cached). */
+export type DependencyProber = () => Promise<InsaneDependencyStatus>;
+
+// ---------------------------------------------------------------------------
+// Subprocess runner
+// ---------------------------------------------------------------------------
+
+type SpawnImpl = typeof nodeSpawn;
+
+function clampTimeoutMs(timeoutMs: number | undefined): number {
+	const value = timeoutMs ?? DEFAULT_TIMEOUT_MS;
+	if (!Number.isFinite(value)) return DEFAULT_TIMEOUT_MS;
+	return Math.max(MIN_TIMEOUT_MS, Math.min(MAX_TIMEOUT_MS, Math.floor(value)));
+}
+
+function appendCapped(buffer: string, chunk: string, cap: number): string {
+	if (buffer.length >= cap) return buffer;
+	const remaining = cap - buffer.length;
+	return buffer + (chunk.length > remaining ? chunk.slice(0, remaining) : chunk);
+}
+
+/** Kill a child and its group, escalating to SIGKILL after a grace period. */
+function killChild(child: ChildProcess): void {
+	try {
+		child.kill("SIGTERM");
+	} catch {
+		// already gone
+	}
+	const timer = setTimeout(() => {
+		try {
+			child.kill("SIGKILL");
+		} catch {
+			// already gone
+		}
+	}, KILL_GRACE_MS);
+	timer.unref?.();
+	child.once("exit", () => clearTimeout(timer));
+}
+
+/** Real engine runner: `python3 -m engine "<url>" --json`. */
+export function runEngineSubprocess(
+	inv: EngineInvocation,
+	options: { spawnImpl?: SpawnImpl } = {},
+): Promise<EngineRawOutput> {
+	const spawnImpl = options.spawnImpl ?? nodeSpawn;
+	return new Promise<EngineRawOutput>(resolve => {
+		let stdout = "";
+		let stderr = "";
+		let settled = false;
+		let timedOut = false;
+		let aborted = false;
+
+		const child = spawnImpl("python3", ["-m", "engine", inv.url, "--json"], {
+			cwd: INSANE_VENDOR_DIR,
+			env: { ...process.env, PYTHONPATH: INSANE_VENDOR_DIR },
+			stdio: ["ignore", "pipe", "pipe"],
+		});
+
+		const finish = (code: number | null): void => {
+			if (settled) return;
+			settled = true;
+			clearTimeout(timer);
+			inv.signal?.removeEventListener("abort", onAbort);
+			resolve({ code, stdout, stderr, timedOut, aborted });
+		};
+
+		const timer = setTimeout(() => {
+			timedOut = true;
+			killChild(child);
+		}, inv.timeoutMs);
+		timer.unref?.();
+
+		const onAbort = (): void => {
+			aborted = true;
+			killChild(child);
+		};
+		if (inv.signal) {
+			if (inv.signal.aborted) onAbort();
+			else inv.signal.addEventListener("abort", onAbort, { once: true });
+		}
+
+		child.stdout?.on("data", (chunk: Buffer) => {
+			stdout = appendCapped(stdout, chunk.toString("utf8"), MAX_STDOUT_BYTES);
+		});
+		child.stderr?.on("data", (chunk: Buffer) => {
+			stderr = appendCapped(stderr, chunk.toString("utf8"), MAX_STDERR_BYTES);
+		});
+		child.on("error", () => finish(null));
+		child.on("close", code => finish(code));
+	});
+}
+
+// ---------------------------------------------------------------------------
+// Dependency probes (cached)
+// ---------------------------------------------------------------------------
+
+let probeCache: Promise<InsaneDependencyStatus> | null = null;
+
+/** Reset the probe cache between tests so probe state never leaks. */
+export function resetInsaneProbeCacheForTest(): void {
+	probeCache = null;
+}
+
+function runProbeCommand(cmd: string, args: string[], cwd?: string): Promise<boolean> {
+	return new Promise<boolean>(resolve => {
+		let settled = false;
+		const done = (ok: boolean): void => {
+			if (settled) return;
+			settled = true;
+			clearTimeout(timer);
+			resolve(ok);
+		};
+		const child = nodeSpawn(cmd, args, { cwd, stdio: "ignore" });
+		const timer = setTimeout(() => {
+			try {
+				child.kill("SIGKILL");
+			} catch {
+				// gone
+			}
+			done(false);
+		}, 10_000);
+		timer.unref?.();
+		child.on("error", () => done(false));
+		child.on("close", code => done(code === 0));
+	});
+}
+
+async function probeRealDependencies(): Promise<InsaneDependencyStatus> {
+	const { existsSync } = await import("node:fs");
+	const vendorPresent = existsSync(path.join(INSANE_VENDOR_DIR, "engine", "__main__.py"));
+	if (!vendorPresent) {
+		return { vendorPresent: false, python: false, curlCffi: false, browser: false };
+	}
+	const python = Boolean($which("python3"));
+	const curlCffi = python ? await runProbeCommand("python3", ["-c", "import curl_cffi"]) : false;
+	const node = Boolean($which("node"));
+	const browser = node
+		? await runProbeCommand(
+				"node",
+				[
+					"-e",
+					"require.resolve('playwright');require.resolve('playwright-extra');require.resolve('puppeteer-extra-plugin-stealth')",
+				],
+				TEMPLATES_DIR,
+			)
+		: false;
+	return { vendorPresent, python, curlCffi, browser };
+}
+
+/** Probe (and cache) the insane-search runtime dependencies. */
+export function probeInsaneDependencies(): Promise<InsaneDependencyStatus> {
+	if (!probeCache) probeCache = probeRealDependencies();
+	return probeCache;
+}
+
+// ---------------------------------------------------------------------------
+// Concurrency gate
+// ---------------------------------------------------------------------------
+
+let inFlight = 0;
+
+export function resetInsaneConcurrencyForTest(): void {
+	inFlight = 0;
+}
+
+// ---------------------------------------------------------------------------
+// High-level bridge
+// ---------------------------------------------------------------------------
+
+export interface TryInsaneFetchOptions {
+	timeoutMs?: number;
+	signal?: AbortSignal;
+	concurrencyLimit?: number;
+	/** Seam: dependency prober (default real, cached). */
+	prober?: DependencyProber;
+	/** Seam: engine runner (default real subprocess). */
+	runner?: EngineRunner;
+}
+
+function mapEngineOutput(raw: EngineRawOutput, timeoutMs: number): InsaneBridgeResult {
+	const notes: string[] = [];
+	if (raw.aborted) {
+		return { ok: false, reason: "aborted", notes };
+	}
+	if (raw.timedOut) {
+		notes.push(INSANE_NOTES.timeout(Math.round(timeoutMs / 1000)));
+		return { ok: false, reason: "timeout", notes };
+	}
+	let parsed: InsaneFetchResultRaw;
+	try {
+		parsed = JSON.parse(raw.stdout) as InsaneFetchResultRaw;
+	} catch {
+		notes.push(INSANE_NOTES.invalidJson);
+		return { ok: false, reason: "invalid-json", notes };
+	}
+
+	const verdict = parsed.verdict?.trim();
+	// The engine emits the Verdict enum value `auth_required` (401/407); also tolerate
+	// the human-readable phrase defensively. Either is a terminal public-content boundary.
+	if (verdict && /^(?:auth_required|authentication required)$/i.test(verdict)) {
+		notes.push(INSANE_NOTES.authRequired);
+		return { ok: false, reason: "auth-required", verdict, notes };
+	}
+
+	if (parsed.untried_routes && parsed.untried_routes.length > 0) {
+		notes.push(INSANE_NOTES.untried(parsed.untried_routes.slice(0, 8).join(", ")));
+	}
+	if (parsed.must_invoke_playwright_mcp) {
+		notes.push(INSANE_NOTES.mustBrowserMcp);
+	}
+
+	if (parsed.ok && typeof parsed.content === "string" && parsed.content.trim().length > 0) {
+		return { ok: true, content: parsed.content, profileUsed: parsed.profile_used, notes };
+	}
+	if (parsed.ok) {
+		notes.push(INSANE_NOTES.emptyContent);
+		return { ok: false, reason: "empty-content", notes };
+	}
+	notes.push(INSANE_NOTES.verdict(verdict || "unknown"));
+	return { ok: false, reason: "engine-failed", verdict, notes };
+}
+
+/**
+ * Attempt to read `url` through the insane-search engine. The caller is
+ * responsible for the opt-in gate, raw-mode skip, and the public-URL guard
+ * (which MUST run before this is called). Never throws; always returns a result.
+ */
+export async function tryInsaneFetch(url: string, options: TryInsaneFetchOptions = {}): Promise<InsaneBridgeResult> {
+	const prober = options.prober ?? probeInsaneDependencies;
+	const runner = options.runner ?? (inv => runEngineSubprocess(inv));
+	const limit = options.concurrencyLimit ?? DEFAULT_CONCURRENCY;
+
+	const deps = await prober();
+	if (!deps.vendorPresent) return { ok: false, reason: "vendor-missing", notes: [INSANE_NOTES.vendorMissing] };
+	if (!deps.python) return { ok: false, reason: "no-python", notes: [INSANE_NOTES.noPython] };
+	if (!deps.curlCffi) return { ok: false, reason: "no-curl-cffi", notes: [INSANE_NOTES.noCurlCffi] };
+	if (!deps.browser) return { ok: false, reason: "no-browser", notes: [INSANE_NOTES.noBrowser] };
+
+	if (inFlight >= limit) {
+		return { ok: false, reason: "concurrency", notes: [INSANE_NOTES.concurrency] };
+	}
+
+	inFlight++;
+	try {
+		const timeoutMs = clampTimeoutMs(options.timeoutMs);
+		const raw = await runner({ url, timeoutMs, signal: options.signal });
+		return mapEngineOutput(raw, timeoutMs);
+	} finally {
+		inFlight--;
+	}
+}

package/src/web/insane/url-guard.ts

@@ -0,0 +1,155 @@
+/**
+ * Public HTTP(S) URL guard for the insane-search read fallback.
+ *
+ * The vendored insane-search engine performs its own network requests (curl_cffi,
+ * a real browser) entirely outside the TypeScript fetch path, so the normal
+ * `loadPage()` flow cannot protect against SSRF. This guard MUST run before any
+ * dependency probe or engine subprocess is spawned. It is fail-closed: anything
+ * it cannot prove is a public, non-credentialed http/https target is rejected.
+ *
+ * It does NOT follow or re-validate redirects — the engine may follow redirects
+ * internally that this guard never sees. That residual risk is documented in the
+ * plan and mitigated by validating the input target and keeping the feature
+ * opt-in (default off).
+ */
+import * as dns from "node:dns/promises";
+import * as net from "node:net";
+
+export interface PublicUrlAccepted {
+	ok: true;
+	url: URL;
+	addresses: string[];
+}
+
+export interface PublicUrlRejected {
+	ok: false;
+	reason: string;
+}
+
+export type PublicUrlResult = PublicUrlAccepted | PublicUrlRejected;
+
+/** Resolver seam so tests can inject DNS results without real lookups. */
+export type AddressResolver = (hostname: string) => Promise<string[]>;
+
+const defaultResolver: AddressResolver = async hostname => {
+	const records = await dns.lookup(hostname, { all: true, verbatim: true });
+	return records.map(record => record.address);
+};
+
+const BLOCKED_HOSTNAMES = new Set(["localhost", "localhost.localdomain", "0.0.0.0", ""]);
+
+function isBlockedHostname(hostname: string): boolean {
+	const normalized = hostname.toLowerCase().replace(/\.$/, "");
+	return (
+		BLOCKED_HOSTNAMES.has(normalized) ||
+		normalized === "localhost" ||
+		normalized.endsWith(".localhost") ||
+		normalized.endsWith(".local") ||
+		normalized.endsWith(".internal") ||
+		normalized.endsWith(".home.arpa")
+	);
+}
+
+function isPrivateIPv4(address: string): boolean {
+	const parts = address.split(".").map(part => Number.parseInt(part, 10));
+	if (parts.length !== 4 || parts.some(part => !Number.isInteger(part) || part < 0 || part > 255)) return true;
+	const [a, b] = parts;
+	return (
+		a === 0 || // unspecified / "this network"
+		a === 10 || // RFC1918
+		a === 127 || // loopback
+		(a === 100 && b >= 64 && b <= 127) || // CGNAT 100.64/10
+		(a === 169 && b === 254) || // link-local
+		(a === 172 && b >= 16 && b <= 31) || // RFC1918
+		(a === 192 && b === 0) || // 192.0.0/24 & 192.0.2/24 (documentation/reserved)
+		(a === 192 && b === 168) || // RFC1918
+		(a === 198 && (b === 18 || b === 19)) || // benchmarking 198.18/15
+		(a === 198 && b === 51) || // 198.51.100/24 documentation
+		(a === 203 && b === 0) || // 203.0.113/24 documentation
+		a >= 224 // multicast (224/4) + reserved (240/4) + broadcast
+	);
+}
+
+function normalizeIPv4MappedIPv6(address: string): string {
+	return address.toLowerCase().startsWith("::ffff:") ? address.slice(7) : address;
+}
+
+function isPrivateIPv6(address: string): boolean {
+	const normalized = address.toLowerCase();
+	const mapped = normalizeIPv4MappedIPv6(normalized);
+	if (mapped !== normalized && net.isIP(mapped) === 4) return isPrivateIPv4(mapped);
+	return (
+		normalized === "::" || // unspecified
+		normalized === "::1" || // loopback
+		normalized.startsWith("fc") || // ULA fc00::/7
+		normalized.startsWith("fd") || // ULA
+		normalized.startsWith("fe8") || // link-local fe80::/10
+		normalized.startsWith("fe9") ||
+		normalized.startsWith("fea") ||
+		normalized.startsWith("feb") ||
+		normalized.startsWith("ff") || // multicast ff00::/8
+		normalized.startsWith("2001:db8") || // documentation
+		normalized.startsWith("::ffff:") // any remaining IPv4-mapped form we could not classify
+	);
+}
+
+/** True for any address that is not a routable public unicast address. */
+export function isPrivateOrSpecialAddress(address: string): boolean {
+	const normalized = normalizeIPv4MappedIPv6(address);
+	const family = net.isIP(normalized);
+	if (family === 4) return isPrivateIPv4(normalized);
+	if (family === 6) return isPrivateIPv6(normalized);
+	// Re-check the raw value in case it was an IPv4-mapped IPv6 literal.
+	if (net.isIP(address) === 6) return isPrivateIPv6(address);
+	return true; // not a recognizable IP -> treat as unsafe
+}
+
+/**
+ * Validate that `rawUrl` is a public http/https target safe to hand to the
+ * insane-search engine. Resolves DNS names and rejects any that map to a
+ * private/special address. Never throws; returns a discriminated result.
+ */
+export async function validatePublicHttpUrlForInsane(
+	rawUrl: string,
+	options: { resolver?: AddressResolver } = {},
+): Promise<PublicUrlResult> {
+	const resolver = options.resolver ?? defaultResolver;
+
+	let url: URL;
+	try {
+		url = new URL(rawUrl);
+	} catch {
+		return { ok: false, reason: "invalid URL" };
+	}
+	if (url.protocol !== "http:" && url.protocol !== "https:") {
+		return { ok: false, reason: `unsupported scheme ${url.protocol}` };
+	}
+	if (url.username || url.password) {
+		return { ok: false, reason: "URL credentials are not allowed" };
+	}
+	if (isBlockedHostname(url.hostname)) {
+		return { ok: false, reason: "localhost or internal host" };
+	}
+
+	const literalFamily = net.isIP(url.hostname);
+	if (literalFamily !== 0) {
+		if (isPrivateOrSpecialAddress(url.hostname)) {
+			return { ok: false, reason: "private, loopback, link-local, or reserved IP literal" };
+		}
+		return { ok: true, url, addresses: [url.hostname] };
+	}
+
+	let addresses: string[];
+	try {
+		addresses = await resolver(url.hostname);
+	} catch {
+		return { ok: false, reason: "host could not be resolved" };
+	}
+	if (addresses.length === 0) {
+		return { ok: false, reason: "host resolved to no addresses" };
+	}
+	if (addresses.some(isPrivateOrSpecialAddress)) {
+		return { ok: false, reason: "host resolves to a private or reserved address" };
+	}
+	return { ok: true, url, addresses };
+}

package/src/web/search/provider.ts

@@ -72,6 +72,11 @@ const PROVIDER_META: Record<SearchProviderId, ProviderMeta> = {
 		label: "DuckDuckGo",
 		load: async () => new (await import("./providers/duckduckgo")).DuckDuckGoProvider(),
 	},
+	insane: {
+		id: "insane",
+		label: "Insane",
+		load: async () => new (await import("./providers/insane")).InsaneProvider(),
+	},
 	"openai-compatible": {
 		id: "openai-compatible",
 		label: "OpenAI-compatible",
@@ -97,6 +102,7 @@ export async function getSearchProvider(id: SearchProviderId): Promise<SearchPro
 
 export const SEARCH_PROVIDER_ORDER: SearchProviderId[] = [
 	"duckduckgo",
+	"insane",
 	"tavily",
 	"perplexity",
 	"brave",
@@ -234,14 +240,41 @@ export function isLocalBaseUrl(baseUrl: string | undefined): boolean {
 	return false;
 }
 
+/**
+ * Whether `baseUrl` is an official OpenAI endpoint (or absent, i.e. the default
+ * hosted OpenAI). The dedicated `codex` provider authenticates against the
+ * ChatGPT backend with the user's *local* Codex OAuth, so it must only be
+ * selected when the active model is genuinely served by OpenAI/ChatGPT — never
+ * for a custom/proxy endpoint, which should reuse its own credentials through
+ * the `openai-compatible` adapter instead.
+ */
+function isOpenAIOfficialBaseUrl(baseUrl: string | undefined): boolean {
+	if (!baseUrl?.trim()) return true;
+	let host: string;
+	try {
+		host = new URL(baseUrl).hostname.toLowerCase();
+	} catch {
+		return false;
+	}
+	return (
+		host === "api.openai.com" ||
+		host === "chatgpt.com" ||
+		host.endsWith(".openai.com") ||
+		host.endsWith(".chatgpt.com")
+	);
+}
+
 export function inferNativeProviderFromModel(ctx: ActiveSearchModelContext | undefined): SearchProviderId | undefined {
 	if (!ctx || ctx.webSearch === "off") return undefined;
 	const modelId = (ctx.wireModelId ?? ctx.modelId).toLowerCase();
 	if (modelId.startsWith("claude-") && isAnthropicWire(ctx.api)) return "anthropic";
 	if (modelId.startsWith("gemini-") && isGoogleWire(ctx.api)) return "gemini";
 	if (looksXaiFamilyModelId(ctx) && isOpenAICompatWire(ctx.api)) return "xai";
-	if (looksOpenAIFamilyModelId(ctx) && isOpenAICompatWire(ctx.api)) {
-		if (ctx.webSearch === "on" || !isLocalBaseUrl(ctx.baseUrl)) return "codex";
+	// `codex` hits the ChatGPT backend with local Codex OAuth, so only infer it
+	// for genuine OpenAI endpoints. Custom/proxy OpenAI-compatible models fall
+	// through to `activeContextNativeId` → `openai-compatible` (their own creds).
+	if (looksOpenAIFamilyModelId(ctx) && isOpenAICompatWire(ctx.api) && isOpenAIOfficialBaseUrl(ctx.baseUrl)) {
+		return "codex";
 	}
 	return undefined;
 }
@@ -249,8 +282,9 @@ export function inferNativeProviderFromModel(ctx: ActiveSearchModelContext | und
 function canUseDirectProviderMapping(ctx: ActiveSearchModelContext, id: SearchProviderId): boolean {
 	if (ctx.webSearch === "off") return false;
 	if (id !== "codex") return true;
-	if (!isOpenAICompatWire(ctx.api)) return true;
-	return ctx.webSearch === "on" || !isLocalBaseUrl(ctx.baseUrl);
+	// Same constraint as inference: the ChatGPT-backed codex provider is valid
+	// only for official OpenAI endpoints, not custom/proxy base URLs.
+	return isOpenAIOfficialBaseUrl(ctx.baseUrl);
 }
 
 export async function canUseGenericCredentials(
@@ -268,17 +302,35 @@ export async function canUseGenericCredentials(
 	return Boolean(key);
 }
 
-export async function shouldTryGenericOpenAICompat(
-	authStorage: AuthStorage,
-	ctx: ActiveSearchModelContext | undefined,
-	sessionId?: string,
-	signal?: AbortSignal,
-): Promise<boolean> {
-	if (!ctx || ctx.webSearch === "off" || !isOpenAICompatWire(ctx.api)) return false;
-	const autoAllowed =
-		ctx.webSearch === "on" ||
-		((ctx.api === "openai-responses" || looksOpenAIFamilyModelId(ctx)) && !isLocalBaseUrl(ctx.baseUrl));
-	return autoAllowed && (await canUseGenericCredentials(authStorage, ctx, sessionId, signal));
+/**
+ * Native web-search provider to attempt by reusing the ACTIVE model's own
+ * credentials + baseUrl, dispatched by the model's wire protocol.
+ *
+ * This is the "native search over a proxy" path: when a model is served through
+ * a proxy/custom endpoint, its canonical search credentials (e.g. a dedicated
+ * `anthropic` key, or ChatGPT OAuth for `codex`) are usually absent, but the
+ * credential that authenticates the model itself — stored under the active
+ * provider id and aimed at `ctx.baseUrl` — can drive native web search just as
+ * well. Each provider's `search()` falls back to those active credentials when
+ * its canonical ones are missing.
+ *
+ * Returned ids are matched purely from the wire `api` (+ model-id family where a
+ * native tool only makes sense for that family); the providers themselves fail
+ * closed (and the chain falls through to DuckDuckGo) if the endpoint does not
+ * actually support web search.
+ */
+export function activeContextNativeId(ctx: ActiveSearchModelContext | undefined): SearchProviderId | undefined {
+	if (!ctx || ctx.webSearch === "off") return undefined;
+	const modelId = (ctx.wireModelId ?? ctx.modelId).toLowerCase();
+	// Dispatch must match exactly what each provider can service by reusing the
+	// active credential: the OpenAI-compatible adapter only speaks the two plain
+	// OpenAI wires (not azure), and the Gemini active path only speaks the public
+	// Generative Language wire (not vertex/cloud-code). Returning an id the
+	// provider would reject just wastes a guaranteed-fail attempt before DuckDuckGo.
+	if (isAnthropicWire(ctx.api) && modelId.startsWith("claude-")) return "anthropic";
+	if (ctx.api === "openai-responses" || ctx.api === "openai-completions") return "openai-compatible";
+	if (ctx.api === "google-generative-ai" && modelId.startsWith("gemini-")) return "gemini";
+	return undefined;
 }
 
 export async function resolveProviderChain(options: ResolveProviderChainOptions): Promise<SearchProvider[]> {
@@ -304,9 +356,16 @@ export async function resolveProviderChain(options: ResolveProviderChainOptions)
 			await appendAvailable(chain, directId, authStorage);
 		const inferred = inferNativeProviderFromModel(activeModelContext);
 		if (inferred) await appendAvailable(chain, inferred, authStorage);
-		const hasNativeXai = chain.includes("xai");
-		if (!hasNativeXai && (await shouldTryGenericOpenAICompat(authStorage, activeModelContext, sessionId, signal)))
-			appendDeduped(chain, "openai-compatible");
+		// Native-over-proxy: when no canonical native provider was selected above,
+		// fall back to the model's own credentials (resolved under the active
+		// provider id against its baseUrl) to drive native web search. Gated on
+		// those credentials actually resolving; otherwise the chain ends at the
+		// keyless DuckDuckGo terminal fallback.
+		if (chain.length === 0) {
+			const activeNativeId = activeContextNativeId(activeModelContext);
+			if (activeNativeId && (await canUseGenericCredentials(authStorage, activeModelContext, sessionId, signal)))
+				chain.push(activeNativeId);
+		}
 	}
 
 	// Configured fallbacks are user-facing only: the internal `openai-compatible`