@gajae-code/coding-agent 0.7.1 → 0.7.3

package/src/web/insane/url-guard.ts

@@ -0,0 +1,159 @@
+/**
+ * Public HTTP(S) URL guard for user-supplied web fetch targets.
+ *
+ * Network-capable URL readers MUST run this guard before the first request and
+ * before following any redirect target. It is fail-closed: anything it cannot
+ * prove is a public, non-credentialed http/https target is rejected.
+ *
+ * The vendored insane-search engine performs its own redirects outside the
+ * TypeScript fetch path, so its fallback remains opt-in and is guarded before
+ * any dependency probe or engine subprocess is spawned.
+ */
+import * as dns from "node:dns/promises";
+import * as net from "node:net";
+
+export interface PublicUrlAccepted {
+	ok: true;
+	url: URL;
+	addresses: string[];
+}
+
+export interface PublicUrlRejected {
+	ok: false;
+	reason: string;
+}
+
+export type PublicUrlResult = PublicUrlAccepted | PublicUrlRejected;
+
+/** Resolver seam so tests can inject DNS results without real lookups. */
+export type AddressResolver = (hostname: string) => Promise<string[]>;
+
+const defaultResolver: AddressResolver = async hostname => {
+	const records = await dns.lookup(hostname, { all: true, verbatim: true });
+	return records.map(record => record.address);
+};
+
+const BLOCKED_HOSTNAMES = new Set(["localhost", "localhost.localdomain", "0.0.0.0", ""]);
+
+function isBlockedHostname(hostname: string): boolean {
+	const normalized = hostname.toLowerCase().replace(/\.$/, "");
+	return (
+		BLOCKED_HOSTNAMES.has(normalized) ||
+		normalized === "localhost" ||
+		normalized.endsWith(".localhost") ||
+		normalized.endsWith(".local") ||
+		normalized.endsWith(".internal") ||
+		normalized.endsWith(".home.arpa")
+	);
+}
+
+function isPrivateIPv4(address: string): boolean {
+	const parts = address.split(".").map(part => Number.parseInt(part, 10));
+	if (parts.length !== 4 || parts.some(part => !Number.isInteger(part) || part < 0 || part > 255)) return true;
+	const [a, b] = parts;
+	return (
+		a === 0 || // unspecified / "this network"
+		a === 10 || // RFC1918
+		a === 127 || // loopback
+		(a === 100 && b >= 64 && b <= 127) || // CGNAT 100.64/10
+		(a === 169 && b === 254) || // link-local
+		(a === 172 && b >= 16 && b <= 31) || // RFC1918
+		(a === 192 && b === 0) || // 192.0.0/24 & 192.0.2/24 (documentation/reserved)
+		(a === 192 && b === 168) || // RFC1918
+		(a === 198 && (b === 18 || b === 19)) || // benchmarking 198.18/15
+		(a === 198 && b === 51) || // 198.51.100/24 documentation
+		(a === 203 && b === 0) || // 203.0.113/24 documentation
+		a >= 224 // multicast (224/4) + reserved (240/4) + broadcast
+	);
+}
+
+function normalizeIPv4MappedIPv6(address: string): string {
+	return address.toLowerCase().startsWith("::ffff:") ? address.slice(7) : address;
+}
+
+function isPrivateIPv6(address: string): boolean {
+	const normalized = address.toLowerCase();
+	const mapped = normalizeIPv4MappedIPv6(normalized);
+	if (mapped !== normalized && net.isIP(mapped) === 4) return isPrivateIPv4(mapped);
+	return (
+		normalized === "::" || // unspecified
+		normalized === "::1" || // loopback
+		normalized.startsWith("fc") || // ULA fc00::/7
+		normalized.startsWith("fd") || // ULA
+		normalized.startsWith("fe8") || // link-local fe80::/10
+		normalized.startsWith("fe9") ||
+		normalized.startsWith("fea") ||
+		normalized.startsWith("feb") ||
+		normalized.startsWith("ff") || // multicast ff00::/8
+		normalized.startsWith("2001:db8") || // documentation
+		normalized.startsWith("::ffff:") // any remaining IPv4-mapped form we could not classify
+	);
+}
+
+/** True for any address that is not a routable public unicast address. */
+export function isPrivateOrSpecialAddress(address: string): boolean {
+	const normalized = normalizeIPv4MappedIPv6(address);
+	const family = net.isIP(normalized);
+	if (family === 4) return isPrivateIPv4(normalized);
+	if (family === 6) return isPrivateIPv6(normalized);
+	// Re-check the raw value in case it was an IPv4-mapped IPv6 literal.
+	if (net.isIP(address) === 6) return isPrivateIPv6(address);
+	return true; // not a recognizable IP -> treat as unsafe
+}
+
+/**
+ * Validate that `rawUrl` is a public http/https target. Resolves DNS names and
+ * rejects any that map to a private/special address. Never throws; returns a
+ * discriminated result.
+ */
+export async function validatePublicHttpUrl(
+	rawUrl: string,
+	options: { resolver?: AddressResolver } = {},
+): Promise<PublicUrlResult> {
+	const resolver = options.resolver ?? defaultResolver;
+
+	let url: URL;
+	try {
+		url = new URL(rawUrl);
+	} catch {
+		return { ok: false, reason: "invalid URL" };
+	}
+	if (url.protocol !== "http:" && url.protocol !== "https:") {
+		return { ok: false, reason: `unsupported scheme ${url.protocol}` };
+	}
+	if (url.username || url.password) {
+		return { ok: false, reason: "URL credentials are not allowed" };
+	}
+	if (isBlockedHostname(url.hostname)) {
+		return { ok: false, reason: "localhost or internal host" };
+	}
+
+	const literalFamily = net.isIP(url.hostname);
+	if (literalFamily !== 0) {
+		if (isPrivateOrSpecialAddress(url.hostname)) {
+			return { ok: false, reason: "private, loopback, link-local, or reserved IP literal" };
+		}
+		return { ok: true, url, addresses: [url.hostname] };
+	}
+
+	let addresses: string[];
+	try {
+		addresses = await resolver(url.hostname);
+	} catch {
+		return { ok: false, reason: "host could not be resolved" };
+	}
+	if (addresses.length === 0) {
+		return { ok: false, reason: "host resolved to no addresses" };
+	}
+	if (addresses.some(isPrivateOrSpecialAddress)) {
+		return { ok: false, reason: "host resolves to a private or reserved address" };
+	}
+	return { ok: true, url, addresses };
+}
+
+export async function validatePublicHttpUrlForInsane(
+	rawUrl: string,
+	options: { resolver?: AddressResolver } = {},
+): Promise<PublicUrlResult> {
+	return validatePublicHttpUrl(rawUrl, options);
+}

package/src/web/scrapers/types.ts

@@ -6,6 +6,8 @@ import type TurndownService from "turndown";
 
 import type { AgentStorage } from "../../session/agent-storage";
 import { ToolAbortError } from "../../tools/tool-errors";
+import type { AddressResolver } from "../insane/url-guard";
+import { validatePublicHttpUrl } from "../insane/url-guard";
 
 export { formatNumber } from "@gajae-code/utils";
 
@@ -35,6 +37,7 @@ const USER_AGENTS = [
 	"Mozilla/5.0 (compatible; TextBot/1.0)",
 	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
 ];
+const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
 
 function isBotBlocked(status: number, content: string): boolean {
 	if (status === 403 || status === 503) {
@@ -70,6 +73,9 @@ export interface LoadPageOptions {
 	body?: string;
 	maxBytes?: number;
 	signal?: AbortSignal;
+	publicUrlGuard?: boolean;
+	resolver?: AddressResolver;
+	maxRedirects?: number;
 }
 
 export interface LoadPageResult {
@@ -78,87 +84,179 @@ export interface LoadPageResult {
 	finalUrl: string;
 	ok: boolean;
 	status?: number;
+	error?: string;
+}
+
+async function guardPublicFetchUrl(
+	rawUrl: string,
+	resolver: AddressResolver | undefined,
+	context: string,
+): Promise<{ ok: true; url: string } | { ok: false; error: string; finalUrl: string }> {
+	const guard = await validatePublicHttpUrl(rawUrl, { resolver });
+	if (guard.ok) return { ok: true, url: guard.url.toString() };
+	return {
+		ok: false,
+		error: `${context}: target URL is not public HTTP(S): ${guard.reason}`,
+		finalUrl: rawUrl,
+	};
+}
+
+function shouldRewriteRedirectMethod(status: number, method: string): boolean {
+	const normalized = method.toUpperCase();
+	return status === 303 || ((status === 301 || status === 302) && normalized === "POST");
 }
 
 /**
  * Fetch a page with timeout and size limit
  */
 export async function loadPage(url: string, options: LoadPageOptions = {}): Promise<LoadPageResult> {
-	const { timeout = 20, headers = {}, maxBytes = MAX_BYTES, signal, method = "GET", body } = options;
+	const {
+		timeout = 20,
+		headers = {},
+		maxBytes = MAX_BYTES,
+		signal,
+		method = "GET",
+		body,
+		publicUrlGuard = true,
+		resolver,
+		maxRedirects = 10,
+	} = options;
+
+	let initialUrl = url;
+	if (publicUrlGuard) {
+		const guarded = await guardPublicFetchUrl(url, resolver, "Blocked URL fetch");
+		if (!guarded.ok) {
+			return {
+				content: "",
+				contentType: "",
+				finalUrl: guarded.finalUrl,
+				ok: false,
+				error: guarded.error,
+			};
+		}
+		initialUrl = guarded.url;
+	}
 
-	for (let attempt = 0; attempt < USER_AGENTS.length; attempt++) {
+	attempts: for (let attempt = 0; attempt < USER_AGENTS.length; attempt++) {
 		if (signal?.aborted) {
 			throw new ToolAbortError();
 		}
 
 		const userAgent = USER_AGENTS[attempt];
 		const requestSignal = ptree.combineSignals(signal, timeout * 1000);
+		let currentUrl = initialUrl;
+		let currentMethod = method;
+		let currentBody = body;
 
 		try {
-			const requestInit: RequestInit = {
-				signal: requestSignal,
-				method,
-				headers: {
-					"User-Agent": userAgent,
-					Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
-					"Accept-Language": "en-US,en;q=0.5",
-					"Accept-Encoding": "identity", // Cloudflare Markdown-for-Agents returns corrupted bytes when compression is negotiated
-					...headers,
-				},
-				redirect: "follow",
-			};
+			for (let redirectCount = 0; redirectCount <= maxRedirects; redirectCount++) {
+				const requestInit: RequestInit = {
+					signal: requestSignal,
+					method: currentMethod,
+					headers: {
+						"User-Agent": userAgent,
+						Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+						"Accept-Language": "en-US,en;q=0.5",
+						"Accept-Encoding": "identity", // Cloudflare Markdown-for-Agents returns corrupted bytes when compression is negotiated
+						...headers,
+					},
+					redirect: "manual",
+				};
+
+				if (currentBody !== undefined) {
+					requestInit.body = currentBody;
+				}
 
-			if (body !== undefined) {
-				requestInit.body = body;
-			}
+				const response = await fetch(currentUrl, requestInit);
+				if (REDIRECT_STATUSES.has(response.status)) {
+					const location = response.headers.get("location");
+					if (!location) {
+						return {
+							content: "",
+							contentType: "",
+							finalUrl: currentUrl,
+							ok: false,
+							status: response.status,
+							error: "Redirect response missing Location header",
+						};
+					}
+					const redirectUrl = new URL(location, currentUrl).toString();
+					if (publicUrlGuard) {
+						const guarded = await guardPublicFetchUrl(redirectUrl, resolver, "Blocked URL redirect");
+						if (!guarded.ok) {
+							return {
+								content: "",
+								contentType: "",
+								finalUrl: guarded.finalUrl,
+								ok: false,
+								status: response.status,
+								error: guarded.error,
+							};
+						}
+						currentUrl = guarded.url;
+					} else {
+						currentUrl = redirectUrl;
+					}
+					if (shouldRewriteRedirectMethod(response.status, currentMethod)) {
+						currentMethod = "GET";
+						currentBody = undefined;
+					}
+					continue;
+				}
 
-			const response = await fetch(url, requestInit);
+				const contentType = response.headers.get("content-type")?.split(";")[0]?.trim().toLowerCase() ?? "";
+				const finalUrl = response.url || currentUrl;
 
-			const contentType = response.headers.get("content-type")?.split(";")[0]?.trim().toLowerCase() ?? "";
-			const finalUrl = response.url;
+				const reader = response.body?.getReader();
+				if (!reader) {
+					return { content: "", contentType, finalUrl, ok: false, status: response.status };
+				}
 
-			const reader = response.body?.getReader();
-			if (!reader) {
-				return { content: "", contentType, finalUrl, ok: false, status: response.status };
-			}
+				const chunks: Uint8Array[] = [];
+				let totalSize = 0;
 
-			const chunks: Uint8Array[] = [];
-			let totalSize = 0;
+				while (true) {
+					const { done, value } = await reader.read();
+					if (done) break;
 
-			while (true) {
-				const { done, value } = await reader.read();
-				if (done) break;
+					chunks.push(value);
+					totalSize += value.length;
 
-				chunks.push(value);
-				totalSize += value.length;
+					if (totalSize > maxBytes) {
+						reader.cancel();
+						break;
+					}
+				}
 
-				if (totalSize > maxBytes) {
-					reader.cancel();
-					break;
+				const content = Buffer.concat(chunks).toString("utf-8");
+				if (isBotBlocked(response.status, content) && attempt < USER_AGENTS.length - 1) {
+					continue attempts;
 				}
-			}
 
-			const content = Buffer.concat(chunks).toString("utf-8");
-			if (isBotBlocked(response.status, content) && attempt < USER_AGENTS.length - 1) {
-				continue;
-			}
+				if (!response.ok) {
+					return { content, contentType, finalUrl, ok: false, status: response.status };
+				}
 
-			if (!response.ok) {
-				return { content, contentType, finalUrl, ok: false, status: response.status };
+				return { content, contentType, finalUrl, ok: true, status: response.status };
 			}
-
-			return { content, contentType, finalUrl, ok: true, status: response.status };
+			return {
+				content: "",
+				contentType: "",
+				finalUrl: currentUrl,
+				ok: false,
+				error: `Too many redirects (${maxRedirects})`,
+			};
 		} catch {
 			if (signal?.aborted) {
 				throw new ToolAbortError();
 			}
 			if (attempt === USER_AGENTS.length - 1) {
-				return { content: "", contentType: "", finalUrl: url, ok: false };
+				return { content: "", contentType: "", finalUrl: currentUrl, ok: false };
 			}
 		}
 	}
 
-	return { content: "", contentType: "", finalUrl: url, ok: false };
+	return { content: "", contentType: "", finalUrl: initialUrl, ok: false };
 }
 
 /** Module-level Turndown instance — built lazily on first use. */

package/src/web/scrapers/utils.ts

@@ -4,6 +4,8 @@ export { isRecord };
 
 import { ToolAbortError } from "../../tools/tool-errors";
 import { convertBufferWithMarkit } from "../../utils/markit";
+import type { AddressResolver } from "../insane/url-guard";
+import { validatePublicHttpUrl } from "../insane/url-guard";
 import { MAX_BYTES } from "./types";
 
 export function asRecord(value: unknown): Record<string, unknown> | null {
@@ -28,6 +30,14 @@ export interface BinaryFetchSuccess {
 
 export type BinaryFetchResult = BinaryFetchSuccess | { ok: false; error?: string };
 
+export interface FetchBinaryOptions {
+	publicUrlGuard?: boolean;
+	resolver?: AddressResolver;
+	maxRedirects?: number;
+}
+
+const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
+
 async function readResponseWithLimit(response: Response, maxBytes: number, signal?: AbortSignal): Promise<Uint8Array> {
 	const reader = response.body?.getReader();
 	if (!reader) return new Uint8Array(0);
@@ -60,34 +70,75 @@ async function readResponseWithLimit(response: Response, maxBytes: number, signa
 	return new Uint8Array(Buffer.concat(chunks, totalBytes));
 }
 
+async function guardPublicBinaryUrl(
+	rawUrl: string,
+	resolver: AddressResolver | undefined,
+	context: string,
+): Promise<{ ok: true; url: string } | { ok: false; error: string }> {
+	const guard = await validatePublicHttpUrl(rawUrl, { resolver });
+	if (guard.ok) return { ok: true, url: guard.url.toString() };
+	return { ok: false, error: `${context}: target URL is not public HTTP(S): ${guard.reason}` };
+}
+
 /**
  * Fetch binary content from a URL
  */
-export async function fetchBinary(url: string, timeout: number = 20, signal?: AbortSignal): Promise<BinaryFetchResult> {
+export async function fetchBinary(
+	url: string,
+	timeout: number = 20,
+	signal?: AbortSignal,
+	options: FetchBinaryOptions = {},
+): Promise<BinaryFetchResult> {
 	const requestSignal = ptree.combineSignals(signal, timeout * 1000);
+	const { publicUrlGuard = true, resolver, maxRedirects = 10 } = options;
 	try {
-		const response = await fetch(url, {
-			signal: requestSignal,
-			headers: {
-				"User-Agent": "Mozilla/5.0 (compatible; TextBot/1.0)",
-			},
-			redirect: "follow",
-		});
-
-		if (!response.ok) {
-			return { ok: false, error: `HTTP ${response.status}` };
+		let currentUrl = url;
+		if (publicUrlGuard) {
+			const guarded = await guardPublicBinaryUrl(url, resolver, "Blocked binary fetch");
+			if (!guarded.ok) return { ok: false, error: guarded.error };
+			currentUrl = guarded.url;
 		}
 
-		const contentDisposition = response.headers.get("content-disposition") || undefined;
-		const contentLength = response.headers.get("content-length");
-		if (contentLength) {
-			const size = Number.parseInt(contentLength, 10);
-			if (Number.isFinite(size) && size > MAX_BYTES) {
-				return { ok: false, error: `content-length ${size} exceeds ${MAX_BYTES}` };
+		for (let redirectCount = 0; redirectCount <= maxRedirects; redirectCount++) {
+			const response = await fetch(currentUrl, {
+				signal: requestSignal,
+				headers: {
+					"User-Agent": "Mozilla/5.0 (compatible; TextBot/1.0)",
+				},
+				redirect: "manual",
+			});
+
+			if (REDIRECT_STATUSES.has(response.status)) {
+				const location = response.headers.get("location");
+				if (!location) return { ok: false, error: "Redirect response missing Location header" };
+				const redirectUrl = new URL(location, currentUrl).toString();
+				if (publicUrlGuard) {
+					const guarded = await guardPublicBinaryUrl(redirectUrl, resolver, "Blocked binary redirect");
+					if (!guarded.ok) return { ok: false, error: guarded.error };
+					currentUrl = guarded.url;
+				} else {
+					currentUrl = redirectUrl;
+				}
+				continue;
+			}
+
+			if (!response.ok) {
+				return { ok: false, error: `HTTP ${response.status}` };
 			}
+
+			const contentDisposition = response.headers.get("content-disposition") || undefined;
+			const contentLength = response.headers.get("content-length");
+			if (contentLength) {
+				const size = Number.parseInt(contentLength, 10);
+				if (Number.isFinite(size) && size > MAX_BYTES) {
+					return { ok: false, error: `content-length ${size} exceeds ${MAX_BYTES}` };
+				}
+			}
+			const buffer = await readResponseWithLimit(response, MAX_BYTES, requestSignal);
+			return { ok: true, buffer, contentDisposition };
 		}
-		const buffer = await readResponseWithLimit(response, MAX_BYTES, requestSignal);
-		return { ok: true, buffer, contentDisposition };
+
+		return { ok: false, error: `Too many redirects (${maxRedirects})` };
 	} catch (err) {
 		if (signal?.aborted) throw new ToolAbortError();
 		if (requestSignal?.aborted) return { ok: false, error: "aborted" };

package/src/web/search/provider.ts

@@ -72,6 +72,11 @@ const PROVIDER_META: Record<SearchProviderId, ProviderMeta> = {
 		label: "DuckDuckGo",
 		load: async () => new (await import("./providers/duckduckgo")).DuckDuckGoProvider(),
 	},
+	insane: {
+		id: "insane",
+		label: "Insane",
+		load: async () => new (await import("./providers/insane")).InsaneProvider(),
+	},
 	"openai-compatible": {
 		id: "openai-compatible",
 		label: "OpenAI-compatible",
@@ -97,6 +102,7 @@ export async function getSearchProvider(id: SearchProviderId): Promise<SearchPro
 
 export const SEARCH_PROVIDER_ORDER: SearchProviderId[] = [
 	"duckduckgo",
+	"insane",
 	"tavily",
 	"perplexity",
 	"brave",
@@ -234,14 +240,41 @@ export function isLocalBaseUrl(baseUrl: string | undefined): boolean {
 	return false;
 }
 
+/**
+ * Whether `baseUrl` is an official OpenAI endpoint (or absent, i.e. the default
+ * hosted OpenAI). The dedicated `codex` provider authenticates against the
+ * ChatGPT backend with the user's *local* Codex OAuth, so it must only be
+ * selected when the active model is genuinely served by OpenAI/ChatGPT — never
+ * for a custom/proxy endpoint, which should reuse its own credentials through
+ * the `openai-compatible` adapter instead.
+ */
+function isOpenAIOfficialBaseUrl(baseUrl: string | undefined): boolean {
+	if (!baseUrl?.trim()) return true;
+	let host: string;
+	try {
+		host = new URL(baseUrl).hostname.toLowerCase();
+	} catch {
+		return false;
+	}
+	return (
+		host === "api.openai.com" ||
+		host === "chatgpt.com" ||
+		host.endsWith(".openai.com") ||
+		host.endsWith(".chatgpt.com")
+	);
+}
+
 export function inferNativeProviderFromModel(ctx: ActiveSearchModelContext | undefined): SearchProviderId | undefined {
 	if (!ctx || ctx.webSearch === "off") return undefined;
 	const modelId = (ctx.wireModelId ?? ctx.modelId).toLowerCase();
 	if (modelId.startsWith("claude-") && isAnthropicWire(ctx.api)) return "anthropic";
 	if (modelId.startsWith("gemini-") && isGoogleWire(ctx.api)) return "gemini";
 	if (looksXaiFamilyModelId(ctx) && isOpenAICompatWire(ctx.api)) return "xai";
-	if (looksOpenAIFamilyModelId(ctx) && isOpenAICompatWire(ctx.api)) {
-		if (ctx.webSearch === "on" || !isLocalBaseUrl(ctx.baseUrl)) return "codex";
+	// `codex` hits the ChatGPT backend with local Codex OAuth, so only infer it
+	// for genuine OpenAI endpoints. Custom/proxy OpenAI-compatible models fall
+	// through to `activeContextNativeId` → `openai-compatible` (their own creds).
+	if (looksOpenAIFamilyModelId(ctx) && isOpenAICompatWire(ctx.api) && isOpenAIOfficialBaseUrl(ctx.baseUrl)) {
+		return "codex";
 	}
 	return undefined;
 }
@@ -249,8 +282,9 @@ export function inferNativeProviderFromModel(ctx: ActiveSearchModelContext | und
 function canUseDirectProviderMapping(ctx: ActiveSearchModelContext, id: SearchProviderId): boolean {
 	if (ctx.webSearch === "off") return false;
 	if (id !== "codex") return true;
-	if (!isOpenAICompatWire(ctx.api)) return true;
-	return ctx.webSearch === "on" || !isLocalBaseUrl(ctx.baseUrl);
+	// Same constraint as inference: the ChatGPT-backed codex provider is valid
+	// only for official OpenAI endpoints, not custom/proxy base URLs.
+	return isOpenAIOfficialBaseUrl(ctx.baseUrl);
 }
 
 export async function canUseGenericCredentials(
@@ -268,17 +302,35 @@ export async function canUseGenericCredentials(
 	return Boolean(key);
 }
 
-export async function shouldTryGenericOpenAICompat(
-	authStorage: AuthStorage,
-	ctx: ActiveSearchModelContext | undefined,
-	sessionId?: string,
-	signal?: AbortSignal,
-): Promise<boolean> {
-	if (!ctx || ctx.webSearch === "off" || !isOpenAICompatWire(ctx.api)) return false;
-	const autoAllowed =
-		ctx.webSearch === "on" ||
-		((ctx.api === "openai-responses" || looksOpenAIFamilyModelId(ctx)) && !isLocalBaseUrl(ctx.baseUrl));
-	return autoAllowed && (await canUseGenericCredentials(authStorage, ctx, sessionId, signal));
+/**
+ * Native web-search provider to attempt by reusing the ACTIVE model's own
+ * credentials + baseUrl, dispatched by the model's wire protocol.
+ *
+ * This is the "native search over a proxy" path: when a model is served through
+ * a proxy/custom endpoint, its canonical search credentials (e.g. a dedicated
+ * `anthropic` key, or ChatGPT OAuth for `codex`) are usually absent, but the
+ * credential that authenticates the model itself — stored under the active
+ * provider id and aimed at `ctx.baseUrl` — can drive native web search just as
+ * well. Each provider's `search()` falls back to those active credentials when
+ * its canonical ones are missing.
+ *
+ * Returned ids are matched purely from the wire `api` (+ model-id family where a
+ * native tool only makes sense for that family); the providers themselves fail
+ * closed (and the chain falls through to DuckDuckGo) if the endpoint does not
+ * actually support web search.
+ */
+export function activeContextNativeId(ctx: ActiveSearchModelContext | undefined): SearchProviderId | undefined {
+	if (!ctx || ctx.webSearch === "off") return undefined;
+	const modelId = (ctx.wireModelId ?? ctx.modelId).toLowerCase();
+	// Dispatch must match exactly what each provider can service by reusing the
+	// active credential: the OpenAI-compatible adapter only speaks the two plain
+	// OpenAI wires (not azure), and the Gemini active path only speaks the public
+	// Generative Language wire (not vertex/cloud-code). Returning an id the
+	// provider would reject just wastes a guaranteed-fail attempt before DuckDuckGo.
+	if (isAnthropicWire(ctx.api) && modelId.startsWith("claude-")) return "anthropic";
+	if (ctx.api === "openai-responses" || ctx.api === "openai-completions") return "openai-compatible";
+	if (ctx.api === "google-generative-ai" && modelId.startsWith("gemini-")) return "gemini";
+	return undefined;
 }
 
 export async function resolveProviderChain(options: ResolveProviderChainOptions): Promise<SearchProvider[]> {
@@ -304,9 +356,16 @@ export async function resolveProviderChain(options: ResolveProviderChainOptions)
 			await appendAvailable(chain, directId, authStorage);
 		const inferred = inferNativeProviderFromModel(activeModelContext);
 		if (inferred) await appendAvailable(chain, inferred, authStorage);
-		const hasNativeXai = chain.includes("xai");
-		if (!hasNativeXai && (await shouldTryGenericOpenAICompat(authStorage, activeModelContext, sessionId, signal)))
-			appendDeduped(chain, "openai-compatible");
+		// Native-over-proxy: when no canonical native provider was selected above,
+		// fall back to the model's own credentials (resolved under the active
+		// provider id against its baseUrl) to drive native web search. Gated on
+		// those credentials actually resolving; otherwise the chain ends at the
+		// keyless DuckDuckGo terminal fallback.
+		if (chain.length === 0) {
+			const activeNativeId = activeContextNativeId(activeModelContext);
+			if (activeNativeId && (await canUseGenericCredentials(authStorage, activeModelContext, sessionId, signal)))
+				chain.push(activeNativeId);
+		}
 	}
 
 	// Configured fallbacks are user-facing only: the internal `openai-compatible`