@gajae-code/coding-agent 0.7.2 → 0.7.3

package/src/notifications/topic-registry.ts

@@ -65,6 +65,11 @@ export class TopicRegistry {
 		return this.byTopic.get(topicId);
 	}
 
+	/** All session ids with a persisted topic record. */
+	sessionIds(): string[] {
+		return [...this.topics.keys()];
+	}
+
 	/** The existing topic record for a session, if any. */
 	get(sessionId: string): TopicRecord | undefined {
 		return this.topics.get(sessionId);

package/src/slash-commands/helpers/parse.ts

@@ -1,3 +1,4 @@
+import { parseCommandArgs } from "../../utils/command-args";
 import type { ParsedSlashCommand, SlashCommandResult, SlashCommandRuntime } from "../types";
 
 export interface ParsedSubcommand {
@@ -65,7 +66,7 @@ export function errorMessage(error: unknown): string {
  * "name required" diagnostics with their own messaging.
  */
 export function parseNamedScopeArgs(rest: string, invalidScopeMessage: string): NamedScopeArgs {
-	const tokens = rest.split(/\s+/).filter(Boolean);
+	const tokens = parseCommandArgs(rest);
 	let name: string | undefined;
 	let scope: ConfigScope = "project";
 	let i = 0;

package/src/tools/bash.ts

@@ -25,6 +25,7 @@ import { type BashInteractiveResult, runInteractiveBashPty } from "./bash-intera
 import { checkBashInterception } from "./bash-interceptor";
 import { canUseInteractiveBashPty } from "./bash-pty-selection";
 import { expandInternalUrls, type InternalUrlExpansionOptions } from "./bash-skill-urls";
+import { checkComposerBashPolicy } from "./composer-bash-policy";
 import { formatStyledTruncationWarning, type OutputMeta, stripOutputNotice } from "./output-meta";
 import { resolveToCwd } from "./path-utils";
 import { formatToolWorkingDirectory, replaceTabs } from "./render-utils";
@@ -570,6 +571,14 @@ export class BashTool implements AgentTool<BashToolSchema, BashToolDetails> {
 			}
 		}
 
+		const composerPolicy = checkComposerBashPolicy({
+			modelId: this.session.getActiveModelString?.() ?? this.session.getModelString?.() ?? this.session.model?.id,
+			commands: rawCommand === command ? [command] : [rawCommand, command],
+		});
+		if (!composerPolicy.allowed) {
+			throw new ToolError(composerPolicy.message);
+		}
+
 		const internalUrlOptions: InternalUrlExpansionOptions = {
 			skills: this.session.skills ?? [],
 			internalRouter: InternalUrlRouter.instance(),

package/src/tools/composer-bash-policy.ts

@@ -0,0 +1,96 @@
+import { isComposerHarnessModel } from "@gajae-code/ai/providers/composer-discipline";
+
+export const COMPOSER_BASH_POLICY_ERROR =
+	"Composer bash policy blocked repository file I/O. Use find, search, read, and edit tools for file discovery, file inspection, and file mutation.";
+
+type ComposerBashPolicyResult =
+	| { allowed: true }
+	| {
+			allowed: false;
+			reason: string;
+			message: string;
+	  };
+
+const BLOCK_PATTERNS: Array<{ id: string; pattern: RegExp }> = [
+	{ id: "pipe", pattern: /\|/ },
+	{ id: "process-substitution", pattern: /<[>(]/ },
+	{ id: "heredoc", pattern: /<<[-~]?/ },
+	{ id: "command-substitution", pattern: /\$\(|`/ },
+	{ id: "redirection", pattern: /(^|[^<>])(?:>>?|<)(?!=)/ },
+	{ id: "tee", pattern: /(?:^|[;&|\s])tee(?:\s|$)/ },
+	{
+		id: "shell-file-read-discovery",
+		pattern: /(?:^|[;&|()\s])(?:\S*\/)?(?:cat|head|tail|less|more|grep|rg|find|fd|tree|ls)\b/,
+	},
+	{
+		id: "shell-file-mutation",
+		pattern: /(?:^|[;&|()\s])(?:\S*\/)?(?:cp|mv|rm|touch|mkdir|chmod|chown|ln)\b/,
+	},
+	{ id: "sed-print", pattern: /(?:^|[;&|()\s])sed\s+(?:-[^\s]*n\b|.*\bp\b)/ },
+	{ id: "awk-print", pattern: /(?:^|[;&|()\s])awk\b/ },
+	{ id: "git-ls-files", pattern: /(?:^|[;&|()\s])git(?:\s+-C\s+\S+)?\s+ls-files\b/ },
+	{ id: "git-grep", pattern: /(?:^|[;&|()\s])git(?:\s+-C\s+\S+)?\s+grep\b/ },
+	{ id: "git-show-path", pattern: /(?:^|[;&|()\s])git(?:\s+-C\s+\S+)?\s+show\s+\S+:\S+/ },
+	{ id: "git-diff", pattern: /(?:^|[;&|()\s])git(?:\s+-C\s+\S+)?\s+diff(?:\s|$)/ },
+	{ id: "git-cat-file", pattern: /(?:^|[;&|()\s])git(?:\s+-C\s+\S+)?\s+cat-file\b/ },
+	{
+		id: "git-show-discovery",
+		pattern: /(?:^|[;&|()\s])git(?:\s+-C\s+\S+)?\s+show\b.*(?:--name-only|--name-status|--stat)/,
+	},
+	{
+		id: "git-log-path-discovery",
+		pattern: /(?:^|[;&|()\s])git(?:\s+-C\s+\S+)?\s+log\b.*(?:--name-only|--name-status|--stat)/,
+	},
+	{ id: "sed-in-place", pattern: /(?:^|[;&|()\s])sed\s+-[^\s]*i\b/ },
+	{ id: "perl-in-place", pattern: /(?:^|[;&|()\s])perl\s+-[^\s]*p[^\s]*i\b/ },
+	{
+		id: "script-file-io",
+		pattern:
+			/(?:^|[;&|()\s])(?:python3?|node|bun)\s+(?:-\s*<<|-c\b|-e\b|--eval\b).*?(?:read_text|read_bytes|write_text|iterdir|listdir|glob\.glob|readFile|readFileSync|writeFile|writeFileSync|readdir|readdirSync|stat|statSync|cpSync|rmSync|mkdirSync|createReadStream|createWriteStream|Bun\.file|Bun\.write|fs\.readFile|fs\.writeFile|fs\.readdir|fs\.stat|fs\.cp|fs\.rm|fs\.mkdir|open\s*\()/s,
+	},
+	{
+		id: "contaminated-command",
+		pattern: /```|^\s*(?:I\s+(?:will|need|am going)|We\s+(?:need|will)|First[, ]|Now[, ]|Let's)\b/im,
+	},
+];
+
+const ALLOWED_TERMINAL_PATTERNS: RegExp[] = [
+	/^bun\s+test(?:\s+[\w./:@=-]+)*$/,
+	/^bun\s+run\s+(?:check(?::[\w-]+)?|test(?::[\w-]+)?|build(?::[\w-]+)?)(?:\s+[\w./:@=-]+)*$/,
+	/^bun\s+--version$/,
+	/^mise\s+x\s+bun@\d+\.\d+\.\d+\s+--\s+bun\s+test(?:\s+[\w./:@=-]+)*$/,
+	/^mise\s+x\s+bun@\d+\.\d+\.\d+\s+--\s+bun\s+run\s+(?:check(?::[\w-]+)?|test(?::[\w-]+)?|build(?::[\w-]+)?)(?:\s+[\w./:@=-]+)*$/,
+	/^cargo\s+(?:test|check|build)(?:\s+[\w./:@=-]+)*$/,
+	/^git\s+status(?:\s+--short)?(?:\s+--branch)?$/,
+	/^git\s+rev-parse\s+HEAD$/,
+	/^npm\s+--version$/,
+	/^pnpm\s+--version$/,
+	/^yarn\s+--version$/,
+];
+
+function isAllowedComposerTerminalCommand(command: string): boolean {
+	const normalized = command.trim().replace(/\s+/g, " ");
+	return ALLOWED_TERMINAL_PATTERNS.some(pattern => pattern.test(normalized));
+}
+
+export function isComposerBashPolicyModel(modelId: string | undefined): boolean {
+	return Boolean(modelId && isComposerHarnessModel(modelId));
+}
+
+export function checkComposerBashPolicy(input: {
+	modelId?: string;
+	commands: readonly string[];
+}): ComposerBashPolicyResult {
+	if (!isComposerBashPolicyModel(input.modelId)) return { allowed: true };
+	for (const command of input.commands) {
+		for (const block of BLOCK_PATTERNS) {
+			if (block.pattern.test(command)) {
+				return { allowed: false, reason: block.id, message: COMPOSER_BASH_POLICY_ERROR };
+			}
+		}
+		if (!isAllowedComposerTerminalCommand(command)) {
+			return { allowed: false, reason: "not-allowlisted", message: COMPOSER_BASH_POLICY_ERROR };
+		}
+	}
+	return { allowed: true };
+}

package/src/tools/fetch.ts

@@ -17,7 +17,7 @@ import { CachedOutputBlock } from "../tui/output-block";
 import { formatDimensionNote, resizeImage } from "../utils/image-resize";
 import { ensureTool } from "../utils/tools-manager";
 import { INSANE_NOTES, tryInsaneFetch } from "../web/insane/bridge";
-import { validatePublicHttpUrlForInsane } from "../web/insane/url-guard";
+import { validatePublicHttpUrl, validatePublicHttpUrlForInsane } from "../web/insane/url-guard";
 import { extractWithParallel, findParallelApiKey, getParallelExtractContent } from "../web/parallel";
 import { specialHandlers } from "../web/scrapers";
 import type { RenderResult } from "../web/scrapers/types";
@@ -789,6 +789,21 @@ async function renderUrl(
 
 	// Step 0: Normalize URL (ensure scheme for special handlers)
 	url = normalizeUrl(url);
+	const publicUrl = await validatePublicHttpUrl(url);
+	if (!publicUrl.ok) {
+		notes.push(`Blocked URL fetch: target URL is not public HTTP(S): ${publicUrl.reason}`);
+		return {
+			url,
+			finalUrl: url,
+			contentType: "unknown",
+			method: "failed",
+			content: "",
+			fetchedAt,
+			truncated: false,
+			notes,
+		};
+	}
+	url = publicUrl.url.toString();
 
 	// Step 1: Try special handlers for known sites (unless raw mode)
 	if (!raw) {
@@ -802,7 +817,8 @@ async function renderUrl(
 		throw new ToolAbortError();
 	}
 	if (!response.ok) {
-		const failureNote = response.status ? `Failed to fetch URL (HTTP ${response.status})` : "Failed to fetch URL";
+		const failureNote =
+			response.error ?? (response.status ? `Failed to fetch URL (HTTP ${response.status})` : "Failed to fetch URL");
 		notes.push(failureNote);
 		const insane = await tryInsaneFallback({
 			url,

package/src/web/insane/url-guard.ts

@@ -1,16 +1,13 @@
 /**
- * Public HTTP(S) URL guard for the insane-search read fallback.
+ * Public HTTP(S) URL guard for user-supplied web fetch targets.
  *
- * The vendored insane-search engine performs its own network requests (curl_cffi,
- * a real browser) entirely outside the TypeScript fetch path, so the normal
- * `loadPage()` flow cannot protect against SSRF. This guard MUST run before any
- * dependency probe or engine subprocess is spawned. It is fail-closed: anything
- * it cannot prove is a public, non-credentialed http/https target is rejected.
+ * Network-capable URL readers MUST run this guard before the first request and
+ * before following any redirect target. It is fail-closed: anything it cannot
+ * prove is a public, non-credentialed http/https target is rejected.
  *
- * It does NOT follow or re-validate redirects — the engine may follow redirects
- * internally that this guard never sees. That residual risk is documented in the
- * plan and mitigated by validating the input target and keeping the feature
- * opt-in (default off).
+ * The vendored insane-search engine performs its own redirects outside the
+ * TypeScript fetch path, so its fallback remains opt-in and is guarded before
+ * any dependency probe or engine subprocess is spawned.
  */
 import * as dns from "node:dns/promises";
 import * as net from "node:net";
@@ -105,11 +102,11 @@ export function isPrivateOrSpecialAddress(address: string): boolean {
 }
 
 /**
- * Validate that `rawUrl` is a public http/https target safe to hand to the
- * insane-search engine. Resolves DNS names and rejects any that map to a
- * private/special address. Never throws; returns a discriminated result.
+ * Validate that `rawUrl` is a public http/https target. Resolves DNS names and
+ * rejects any that map to a private/special address. Never throws; returns a
+ * discriminated result.
  */
-export async function validatePublicHttpUrlForInsane(
+export async function validatePublicHttpUrl(
 	rawUrl: string,
 	options: { resolver?: AddressResolver } = {},
 ): Promise<PublicUrlResult> {
@@ -153,3 +150,10 @@ export async function validatePublicHttpUrlForInsane(
 	}
 	return { ok: true, url, addresses };
 }
+
+export async function validatePublicHttpUrlForInsane(
+	rawUrl: string,
+	options: { resolver?: AddressResolver } = {},
+): Promise<PublicUrlResult> {
+	return validatePublicHttpUrl(rawUrl, options);
+}

package/src/web/scrapers/types.ts

@@ -6,6 +6,8 @@ import type TurndownService from "turndown";
 
 import type { AgentStorage } from "../../session/agent-storage";
 import { ToolAbortError } from "../../tools/tool-errors";
+import type { AddressResolver } from "../insane/url-guard";
+import { validatePublicHttpUrl } from "../insane/url-guard";
 
 export { formatNumber } from "@gajae-code/utils";
 
@@ -35,6 +37,7 @@ const USER_AGENTS = [
 	"Mozilla/5.0 (compatible; TextBot/1.0)",
 	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
 ];
+const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
 
 function isBotBlocked(status: number, content: string): boolean {
 	if (status === 403 || status === 503) {
@@ -70,6 +73,9 @@ export interface LoadPageOptions {
 	body?: string;
 	maxBytes?: number;
 	signal?: AbortSignal;
+	publicUrlGuard?: boolean;
+	resolver?: AddressResolver;
+	maxRedirects?: number;
 }
 
 export interface LoadPageResult {
@@ -78,87 +84,179 @@ export interface LoadPageResult {
 	finalUrl: string;
 	ok: boolean;
 	status?: number;
+	error?: string;
+}
+
+async function guardPublicFetchUrl(
+	rawUrl: string,
+	resolver: AddressResolver | undefined,
+	context: string,
+): Promise<{ ok: true; url: string } | { ok: false; error: string; finalUrl: string }> {
+	const guard = await validatePublicHttpUrl(rawUrl, { resolver });
+	if (guard.ok) return { ok: true, url: guard.url.toString() };
+	return {
+		ok: false,
+		error: `${context}: target URL is not public HTTP(S): ${guard.reason}`,
+		finalUrl: rawUrl,
+	};
+}
+
+function shouldRewriteRedirectMethod(status: number, method: string): boolean {
+	const normalized = method.toUpperCase();
+	return status === 303 || ((status === 301 || status === 302) && normalized === "POST");
 }
 
 /**
  * Fetch a page with timeout and size limit
  */
 export async function loadPage(url: string, options: LoadPageOptions = {}): Promise<LoadPageResult> {
-	const { timeout = 20, headers = {}, maxBytes = MAX_BYTES, signal, method = "GET", body } = options;
+	const {
+		timeout = 20,
+		headers = {},
+		maxBytes = MAX_BYTES,
+		signal,
+		method = "GET",
+		body,
+		publicUrlGuard = true,
+		resolver,
+		maxRedirects = 10,
+	} = options;
+
+	let initialUrl = url;
+	if (publicUrlGuard) {
+		const guarded = await guardPublicFetchUrl(url, resolver, "Blocked URL fetch");
+		if (!guarded.ok) {
+			return {
+				content: "",
+				contentType: "",
+				finalUrl: guarded.finalUrl,
+				ok: false,
+				error: guarded.error,
+			};
+		}
+		initialUrl = guarded.url;
+	}
 
-	for (let attempt = 0; attempt < USER_AGENTS.length; attempt++) {
+	attempts: for (let attempt = 0; attempt < USER_AGENTS.length; attempt++) {
 		if (signal?.aborted) {
 			throw new ToolAbortError();
 		}
 
 		const userAgent = USER_AGENTS[attempt];
 		const requestSignal = ptree.combineSignals(signal, timeout * 1000);
+		let currentUrl = initialUrl;
+		let currentMethod = method;
+		let currentBody = body;
 
 		try {
-			const requestInit: RequestInit = {
-				signal: requestSignal,
-				method,
-				headers: {
-					"User-Agent": userAgent,
-					Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
-					"Accept-Language": "en-US,en;q=0.5",
-					"Accept-Encoding": "identity", // Cloudflare Markdown-for-Agents returns corrupted bytes when compression is negotiated
-					...headers,
-				},
-				redirect: "follow",
-			};
+			for (let redirectCount = 0; redirectCount <= maxRedirects; redirectCount++) {
+				const requestInit: RequestInit = {
+					signal: requestSignal,
+					method: currentMethod,
+					headers: {
+						"User-Agent": userAgent,
+						Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+						"Accept-Language": "en-US,en;q=0.5",
+						"Accept-Encoding": "identity", // Cloudflare Markdown-for-Agents returns corrupted bytes when compression is negotiated
+						...headers,
+					},
+					redirect: "manual",
+				};
+
+				if (currentBody !== undefined) {
+					requestInit.body = currentBody;
+				}
 
-			if (body !== undefined) {
-				requestInit.body = body;
-			}
+				const response = await fetch(currentUrl, requestInit);
+				if (REDIRECT_STATUSES.has(response.status)) {
+					const location = response.headers.get("location");
+					if (!location) {
+						return {
+							content: "",
+							contentType: "",
+							finalUrl: currentUrl,
+							ok: false,
+							status: response.status,
+							error: "Redirect response missing Location header",
+						};
+					}
+					const redirectUrl = new URL(location, currentUrl).toString();
+					if (publicUrlGuard) {
+						const guarded = await guardPublicFetchUrl(redirectUrl, resolver, "Blocked URL redirect");
+						if (!guarded.ok) {
+							return {
+								content: "",
+								contentType: "",
+								finalUrl: guarded.finalUrl,
+								ok: false,
+								status: response.status,
+								error: guarded.error,
+							};
+						}
+						currentUrl = guarded.url;
+					} else {
+						currentUrl = redirectUrl;
+					}
+					if (shouldRewriteRedirectMethod(response.status, currentMethod)) {
+						currentMethod = "GET";
+						currentBody = undefined;
+					}
+					continue;
+				}
 
-			const response = await fetch(url, requestInit);
+				const contentType = response.headers.get("content-type")?.split(";")[0]?.trim().toLowerCase() ?? "";
+				const finalUrl = response.url || currentUrl;
 
-			const contentType = response.headers.get("content-type")?.split(";")[0]?.trim().toLowerCase() ?? "";
-			const finalUrl = response.url;
+				const reader = response.body?.getReader();
+				if (!reader) {
+					return { content: "", contentType, finalUrl, ok: false, status: response.status };
+				}
 
-			const reader = response.body?.getReader();
-			if (!reader) {
-				return { content: "", contentType, finalUrl, ok: false, status: response.status };
-			}
+				const chunks: Uint8Array[] = [];
+				let totalSize = 0;
 
-			const chunks: Uint8Array[] = [];
-			let totalSize = 0;
+				while (true) {
+					const { done, value } = await reader.read();
+					if (done) break;
 
-			while (true) {
-				const { done, value } = await reader.read();
-				if (done) break;
+					chunks.push(value);
+					totalSize += value.length;
 
-				chunks.push(value);
-				totalSize += value.length;
+					if (totalSize > maxBytes) {
+						reader.cancel();
+						break;
+					}
+				}
 
-				if (totalSize > maxBytes) {
-					reader.cancel();
-					break;
+				const content = Buffer.concat(chunks).toString("utf-8");
+				if (isBotBlocked(response.status, content) && attempt < USER_AGENTS.length - 1) {
+					continue attempts;
 				}
-			}
 
-			const content = Buffer.concat(chunks).toString("utf-8");
-			if (isBotBlocked(response.status, content) && attempt < USER_AGENTS.length - 1) {
-				continue;
-			}
+				if (!response.ok) {
+					return { content, contentType, finalUrl, ok: false, status: response.status };
+				}
 
-			if (!response.ok) {
-				return { content, contentType, finalUrl, ok: false, status: response.status };
+				return { content, contentType, finalUrl, ok: true, status: response.status };
 			}
-
-			return { content, contentType, finalUrl, ok: true, status: response.status };
+			return {
+				content: "",
+				contentType: "",
+				finalUrl: currentUrl,
+				ok: false,
+				error: `Too many redirects (${maxRedirects})`,
+			};
 		} catch {
 			if (signal?.aborted) {
 				throw new ToolAbortError();
 			}
 			if (attempt === USER_AGENTS.length - 1) {
-				return { content: "", contentType: "", finalUrl: url, ok: false };
+				return { content: "", contentType: "", finalUrl: currentUrl, ok: false };
 			}
 		}
 	}
 
-	return { content: "", contentType: "", finalUrl: url, ok: false };
+	return { content: "", contentType: "", finalUrl: initialUrl, ok: false };
 }
 
 /** Module-level Turndown instance — built lazily on first use. */

package/src/web/scrapers/utils.ts

@@ -4,6 +4,8 @@ export { isRecord };
 
 import { ToolAbortError } from "../../tools/tool-errors";
 import { convertBufferWithMarkit } from "../../utils/markit";
+import type { AddressResolver } from "../insane/url-guard";
+import { validatePublicHttpUrl } from "../insane/url-guard";
 import { MAX_BYTES } from "./types";
 
 export function asRecord(value: unknown): Record<string, unknown> | null {
@@ -28,6 +30,14 @@ export interface BinaryFetchSuccess {
 
 export type BinaryFetchResult = BinaryFetchSuccess | { ok: false; error?: string };
 
+export interface FetchBinaryOptions {
+	publicUrlGuard?: boolean;
+	resolver?: AddressResolver;
+	maxRedirects?: number;
+}
+
+const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
+
 async function readResponseWithLimit(response: Response, maxBytes: number, signal?: AbortSignal): Promise<Uint8Array> {
 	const reader = response.body?.getReader();
 	if (!reader) return new Uint8Array(0);
@@ -60,34 +70,75 @@ async function readResponseWithLimit(response: Response, maxBytes: number, signa
 	return new Uint8Array(Buffer.concat(chunks, totalBytes));
 }
 
+async function guardPublicBinaryUrl(
+	rawUrl: string,
+	resolver: AddressResolver | undefined,
+	context: string,
+): Promise<{ ok: true; url: string } | { ok: false; error: string }> {
+	const guard = await validatePublicHttpUrl(rawUrl, { resolver });
+	if (guard.ok) return { ok: true, url: guard.url.toString() };
+	return { ok: false, error: `${context}: target URL is not public HTTP(S): ${guard.reason}` };
+}
+
 /**
  * Fetch binary content from a URL
  */
-export async function fetchBinary(url: string, timeout: number = 20, signal?: AbortSignal): Promise<BinaryFetchResult> {
+export async function fetchBinary(
+	url: string,
+	timeout: number = 20,
+	signal?: AbortSignal,
+	options: FetchBinaryOptions = {},
+): Promise<BinaryFetchResult> {
 	const requestSignal = ptree.combineSignals(signal, timeout * 1000);
+	const { publicUrlGuard = true, resolver, maxRedirects = 10 } = options;
 	try {
-		const response = await fetch(url, {
-			signal: requestSignal,
-			headers: {
-				"User-Agent": "Mozilla/5.0 (compatible; TextBot/1.0)",
-			},
-			redirect: "follow",
-		});
-
-		if (!response.ok) {
-			return { ok: false, error: `HTTP ${response.status}` };
+		let currentUrl = url;
+		if (publicUrlGuard) {
+			const guarded = await guardPublicBinaryUrl(url, resolver, "Blocked binary fetch");
+			if (!guarded.ok) return { ok: false, error: guarded.error };
+			currentUrl = guarded.url;
 		}
 
-		const contentDisposition = response.headers.get("content-disposition") || undefined;
-		const contentLength = response.headers.get("content-length");
-		if (contentLength) {
-			const size = Number.parseInt(contentLength, 10);
-			if (Number.isFinite(size) && size > MAX_BYTES) {
-				return { ok: false, error: `content-length ${size} exceeds ${MAX_BYTES}` };
+		for (let redirectCount = 0; redirectCount <= maxRedirects; redirectCount++) {
+			const response = await fetch(currentUrl, {
+				signal: requestSignal,
+				headers: {
+					"User-Agent": "Mozilla/5.0 (compatible; TextBot/1.0)",
+				},
+				redirect: "manual",
+			});
+
+			if (REDIRECT_STATUSES.has(response.status)) {
+				const location = response.headers.get("location");
+				if (!location) return { ok: false, error: "Redirect response missing Location header" };
+				const redirectUrl = new URL(location, currentUrl).toString();
+				if (publicUrlGuard) {
+					const guarded = await guardPublicBinaryUrl(redirectUrl, resolver, "Blocked binary redirect");
+					if (!guarded.ok) return { ok: false, error: guarded.error };
+					currentUrl = guarded.url;
+				} else {
+					currentUrl = redirectUrl;
+				}
+				continue;
+			}
+
+			if (!response.ok) {
+				return { ok: false, error: `HTTP ${response.status}` };
 			}
+
+			const contentDisposition = response.headers.get("content-disposition") || undefined;
+			const contentLength = response.headers.get("content-length");
+			if (contentLength) {
+				const size = Number.parseInt(contentLength, 10);
+				if (Number.isFinite(size) && size > MAX_BYTES) {
+					return { ok: false, error: `content-length ${size} exceeds ${MAX_BYTES}` };
+				}
+			}
+			const buffer = await readResponseWithLimit(response, MAX_BYTES, requestSignal);
+			return { ok: true, buffer, contentDisposition };
 		}
-		const buffer = await readResponseWithLimit(response, MAX_BYTES, requestSignal);
-		return { ok: true, buffer, contentDisposition };
+
+		return { ok: false, error: `Too many redirects (${maxRedirects})` };
 	} catch (err) {
 		if (signal?.aborted) throw new ToolAbortError();
 		if (requestSignal?.aborted) return { ok: false, error: "aborted" };