@j0hanz/fetch-url-mcp 1.3.1 → 1.5.0

package/dist/{fetch.js → lib/http.js}

@@ -1,551 +1,277 @@
 import { Buffer } from 'node:buffer';
 import { randomUUID } from 'node:crypto';
 import diagnosticsChannel from 'node:diagnostics_channel';
-import dns from 'node:dns';
+import {} from 'node:http';
 import { isIP } from 'node:net';
+import { posix as pathPosix } from 'node:path';
 import { performance } from 'node:perf_hooks';
 import { PassThrough, Readable, Transform } from 'node:stream';
 import { buffer as consumeBuffer } from 'node:stream/consumers';
 import { finished, pipeline } from 'node:stream/promises';
+import {} from 'node:stream/web';
+import tls from 'node:tls';
 import { createBrotliDecompress, createGunzip, createInflate } from 'node:zlib';
 import { Agent } from 'undici';
-import { config } from './config.js';
-import { createErrorWithCode, FetchError, isSystemError } from './errors.js';
-import { decodeBuffer, getCharsetFromContentType, isBinaryContent, resolveEncoding, } from './fetch-content.js';
-import { toNodeReadableStream, toWebReadableStream } from './fetch-stream.js';
-import { createDefaultBlockList, normalizeIpForBlockList, } from './ip-blocklist.js';
-import { getOperationId, getRequestId, logDebug, logError, logWarn, redactUrl, } from './observability.js';
-import { isError, isObject } from './type-guards.js';
-const defaultLogger = {
-    debug: logDebug,
-    warn: logWarn,
-    error: logError,
+import { z } from 'zod';
+import { get as cacheGet, config, getOperationId, getRequestId, logDebug, logError, logWarn, parseCachedPayload, redactUrl, resolveCachedPayloadContent, } from './core.js';
+import { BLOCKED_HOST_SUFFIXES, createDnsPreflight, IpBlocker, RawUrlTransformer, SafeDnsResolver, UrlNormalizer, VALIDATION_ERROR_CODE, } from './url.js';
+import { createErrorWithCode, FetchError, isError, isObject, isSystemError, toError, } from './utils.js';
+const FILENAME_RULES = {
+    MAX_LEN: 200,
+    UNSAFE_CHARS: /[<>:"/\\|?*\p{C}]/gu,
+    WHITESPACE: /\s+/g,
+    EXTENSIONS: /\.(html?|php|aspx?|jsp)$/i,
 };
-const defaultContext = {
-    getRequestId,
-    getOperationId,
-};
-const defaultRedactor = {
-    redact: redactUrl,
-};
-const defaultFetch = (input, init) => globalThis.fetch(input, init);
-function isLocalFetchAllowed() {
-    return process.env['ALLOW_LOCAL_FETCH'] === 'true';
-}
-class IpBlocker {
-    security;
-    blockList = createDefaultBlockList();
-    constructor(security) {
-        this.security = security;
-    }
-    isBlockedIp(candidate) {
-        const normalized = candidate.trim().toLowerCase();
-        if (isCloudMetadataHost(normalized))
-            return true;
-        if (isLocalFetchAllowed())
-            return false;
-        if (!normalized)
-            return false;
-        if (this.security.blockedHosts.has(normalized))
-            return true;
-        const normalizedIp = normalizeIpForBlockList(normalized);
-        return normalizedIp
-            ? this.blockList.check(normalizedIp.ip, normalizedIp.family)
-            : false;
-    }
-}
-const VALIDATION_ERROR_CODE = 'VALIDATION_ERROR';
-function createValidationError(message) {
-    return createErrorWithCode(message, VALIDATION_ERROR_CODE);
-}
-const BLOCKED_HOST_SUFFIXES = ['.local', '.internal'];
-// This list is not exhaustive but covers the most common cloud metadata endpoints.
-const CLOUD_METADATA_HOSTS = new Set([
-    '169.254.169.254', // AWS / GCP / Azure
-    'metadata.google.internal', // GCP
-    '100.100.100.200', // Alibaba Cloud
-    'fd00:ec2::254', // AWS IPv6
-]);
-function isCloudMetadataHost(hostname) {
-    const lowered = hostname.toLowerCase();
-    if (CLOUD_METADATA_HOSTS.has(lowered))
-        return true;
-    const normalized = normalizeIpForBlockList(lowered);
-    return normalized !== null && CLOUD_METADATA_HOSTS.has(normalized.ip);
-}
-class UrlNormalizer {
-    constants;
-    security;
-    ipBlocker;
-    blockedHostSuffixes;
-    constructor(constants, security, ipBlocker, blockedHostSuffixes) {
-        this.constants = constants;
-        this.security = security;
-        this.ipBlocker = ipBlocker;
-        this.blockedHostSuffixes = blockedHostSuffixes;
-    }
-    normalize(urlString) {
-        const trimmedUrl = this.requireTrimmedUrl(urlString);
-        if (trimmedUrl.length > this.constants.maxUrlLength) {
-            throw createValidationError(`URL exceeds maximum length of ${this.constants.maxUrlLength} characters`);
-        }
-        let url;
-        try {
-            url = new URL(trimmedUrl);
-        }
-        catch {
-            throw createValidationError('Invalid URL format');
-        }
-        if (url.protocol !== 'http:' && url.protocol !== 'https:') {
-            throw createValidationError(`Invalid protocol: ${url.protocol}. Only http: and https: are allowed`);
-        }
-        if (url.username || url.password) {
-            throw createValidationError('URLs with embedded credentials are not allowed');
-        }
-        const hostname = this.normalizeHostname(url);
-        this.assertHostnameAllowed(hostname);
-        url.hostname = hostname;
-        return { normalizedUrl: url.href, hostname };
-    }
-    validateAndNormalize(urlString) {
-        return this.normalize(urlString).normalizedUrl;
-    }
-    requireTrimmedUrl(urlString) {
-        if (!urlString || typeof urlString !== 'string') {
-            throw createValidationError('URL is required');
-        }
-        const trimmed = urlString.trim();
-        if (!trimmed)
-            throw createValidationError('URL cannot be empty');
-        return trimmed;
-    }
-    normalizeHostname(url) {
-        const hostname = url.hostname.toLowerCase().replace(/\.+$/, '');
-        if (!hostname) {
-            throw createValidationError('URL must have a valid hostname');
-        }
-        return hostname;
-    }
-    assertHostnameAllowed(hostname) {
-        this.assertNotBlockedHost(hostname);
-        this.assertNotBlockedIp(hostname);
-        this.assertNotBlockedHostnameSuffix(hostname);
-    }
-    assertNotBlockedHost(hostname) {
-        if (isCloudMetadataHost(hostname)) {
-            throw createValidationError(`Blocked host: ${hostname}. Cloud metadata endpoints are not allowed`);
-        }
-        if (isLocalFetchAllowed())
-            return;
-        if (!this.security.blockedHosts.has(hostname))
-            return;
-        throw createValidationError(`Blocked host: ${hostname}. Internal hosts are not allowed`);
-    }
-    assertNotBlockedIp(hostname) {
-        if (isCloudMetadataHost(hostname)) {
-            throw createValidationError(`Blocked IP range: ${hostname}. Cloud metadata endpoints are not allowed`);
-        }
-        if (isLocalFetchAllowed())
-            return;
-        if (!this.ipBlocker.isBlockedIp(hostname))
-            return;
-        throw createValidationError(`Blocked IP range: ${hostname}. Private IPs are not allowed`);
-    }
-    assertNotBlockedHostnameSuffix(hostname) {
-        const blocked = this.blockedHostSuffixes.some((suffix) => hostname.endsWith(suffix));
-        if (!blocked)
-            return;
-        throw createValidationError(`Blocked hostname pattern: ${hostname}. Internal domain suffixes are not allowed`);
-    }
+function sanitizeString(input) {
+    return input
+        .toLowerCase()
+        .replace(FILENAME_RULES.UNSAFE_CHARS, '')
+        .replace(FILENAME_RULES.WHITESPACE, '-')
+        .replace(/-+/g, '-')
+        .replace(/(?:^-|-$)/g, '');
 }
-function getPatternGroup(groups, key) {
-    const value = groups[key];
-    if (value === undefined)
+function resolveUrlFilenameCandidate(url) {
+    const parsed = new URL(url);
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')
         return null;
-    if (value === '')
+    const basename = pathPosix.basename(parsed.pathname);
+    if (!basename || basename === 'index')
         return null;
-    return value;
+    const cleaned = basename.replace(FILENAME_RULES.EXTENSIONS, '');
+    const sanitized = sanitizeString(cleaned);
+    if (sanitized === 'index')
+        return null;
+    return sanitized || null;
 }
-const GITHUB_BLOB_PATTERN = new URLPattern({
-    protocol: 'http{s}?',
-    hostname: '{:sub.}?github.com',
-    pathname: '/:owner/:repo/blob/:branch/:path+',
-});
-const GITHUB_GIST_PATTERN = new URLPattern({
-    protocol: 'http{s}?',
-    hostname: 'gist.github.com',
-    pathname: '/:user/:gistId',
-});
-const GITHUB_GIST_RAW_PATTERN = new URLPattern({
-    protocol: 'http{s}?',
-    hostname: 'gist.github.com',
-    pathname: '/:user/:gistId/raw/:filePath+',
-});
-const GITLAB_BLOB_PATTERNS = [
-    new URLPattern({
-        protocol: 'http{s}?',
-        hostname: 'gitlab.com',
-        pathname: '/:base+/-/blob/:branch/:path+',
-    }),
-    new URLPattern({
-        protocol: 'http{s}?',
-        hostname: '*:sub.gitlab.com',
-        pathname: '/:base+/-/blob/:branch/:path+',
-    }),
-];
-const BITBUCKET_SRC_PATTERN = new URLPattern({
-    protocol: 'http{s}?',
-    hostname: '{:sub.}?bitbucket.org',
-    pathname: '/:owner/:repo/src/:branch/:path+',
-});
-const BITBUCKET_RAW_RE = /bitbucket\.org\/[^/]+\/[^/]+\/raw\//;
-const RAW_TEXT_EXTENSIONS = new Set([
-    '.md',
-    '.markdown',
-    '.txt',
-    '.json',
-    '.yaml',
-    '.yml',
-    '.toml',
-    '.xml',
-    '.csv',
-    '.rst',
-    '.adoc',
-    '.org',
-]);
-class RawUrlTransformer {
-    logger;
-    constructor(logger) {
-        this.logger = logger;
-    }
-    transformToRawUrl(url) {
-        if (!url)
-            return { url, transformed: false };
-        if (this.isRawUrl(url))
-            return { url, transformed: false };
-        let base;
-        let hash;
-        let parsed;
-        try {
-            parsed = new URL(url);
-            base = parsed.origin + parsed.pathname;
-            ({ hash } = parsed);
-        }
-        catch {
-            ({ base, hash } = this.splitParams(url));
-        }
-        const match = this.tryTransformWithUrl(base, hash, parsed);
-        if (!match)
-            return { url, transformed: false };
-        this.logger.debug('URL transformed to raw content URL', {
-            platform: match.platform,
-            original: url.substring(0, 100),
-            transformed: match.url.substring(0, 100),
-        });
-        return { url: match.url, transformed: true, platform: match.platform };
-    }
-    isRawTextContentUrl(urlString) {
-        if (!urlString)
-            return false;
-        if (this.isRawUrl(urlString))
-            return true;
-        try {
-            const url = new URL(urlString);
-            const pathname = url.pathname.toLowerCase();
-            const lastDot = pathname.lastIndexOf('.');
-            if (lastDot === -1)
-                return false;
-            return RAW_TEXT_EXTENSIONS.has(pathname.slice(lastDot));
-        }
-        catch {
-            const { base } = this.splitParams(urlString);
-            const lowerBase = base.toLowerCase();
-            const lastDot = lowerBase.lastIndexOf('.');
-            if (lastDot === -1)
-                return false;
-            return RAW_TEXT_EXTENSIONS.has(lowerBase.slice(lastDot));
-        }
-    }
-    isRawUrl(url) {
-        const lower = url.toLowerCase();
-        return (lower.includes('raw.githubusercontent.com') ||
-            lower.includes('gist.githubusercontent.com') ||
-            lower.includes('/-/raw/') ||
-            BITBUCKET_RAW_RE.test(lower));
-    }
-    splitParams(urlString) {
-        const hashIndex = urlString.indexOf('#');
-        const queryIndex = urlString.indexOf('?');
-        const endIndex = Math.min(queryIndex === -1 ? urlString.length : queryIndex, hashIndex === -1 ? urlString.length : hashIndex);
-        const hash = hashIndex !== -1 ? urlString.slice(hashIndex) : '';
-        return { base: urlString.slice(0, endIndex), hash };
-    }
-    tryTransformWithUrl(base, hash, preParsed) {
-        let parsed = preParsed ?? null;
-        if (!parsed) {
-            try {
-                parsed = new URL(base);
-            }
-            catch {
-                // Ignore invalid URLs
-            }
-        }
-        if (!parsed)
-            return null;
-        if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')
-            return null;
-        const gist = this.transformGithubGist(base, hash);
-        if (gist)
-            return gist;
-        const github = this.transformGithubBlob(base);
-        if (github)
-            return github;
-        const gitlab = this.transformGitLab(base, parsed.origin);
-        if (gitlab)
-            return gitlab;
-        const bitbucket = this.transformBitbucket(base, parsed.origin);
-        if (bitbucket)
-            return bitbucket;
+function truncateFilenameBase(name, extension) {
+    const maxBase = FILENAME_RULES.MAX_LEN - extension.length;
+    return name.length > maxBase ? name.substring(0, maxBase) : name;
+}
+function resolveTitleFilenameCandidate(title) {
+    if (!title)
         return null;
+    return sanitizeString(title) || null;
+}
+function resolveFilenameBase(url, title, hashFallback) {
+    try {
+        const fromUrl = resolveUrlFilenameCandidate(url);
+        if (fromUrl)
+            return fromUrl;
     }
-    transformGithubBlob(url) {
-        const match = GITHUB_BLOB_PATTERN.exec(url);
-        if (!match)
-            return null;
-        const groups = match.pathname.groups;
-        const owner = getPatternGroup(groups, 'owner');
-        const repo = getPatternGroup(groups, 'repo');
-        const branch = getPatternGroup(groups, 'branch');
-        const path = getPatternGroup(groups, 'path');
-        if (!owner || !repo || !branch || !path)
-            return null;
-        return {
-            url: `https://raw.githubusercontent.com/${owner}/${repo}/${branch}/${path}`,
-            platform: 'github',
-        };
-    }
-    transformGithubGist(url, hash) {
-        const rawMatch = GITHUB_GIST_RAW_PATTERN.exec(url);
-        if (rawMatch) {
-            const groups = rawMatch.pathname.groups;
-            const user = getPatternGroup(groups, 'user');
-            const gistId = getPatternGroup(groups, 'gistId');
-            const filePath = getPatternGroup(groups, 'filePath');
-            if (!user || !gistId)
-                return null;
-            const resolvedFilePath = filePath ? `/${filePath}` : '';
-            return {
-                url: `https://gist.githubusercontent.com/${user}/${gistId}/raw${resolvedFilePath}`,
-                platform: 'github-gist',
-            };
-        }
-        const match = GITHUB_GIST_PATTERN.exec(url);
-        if (!match)
-            return null;
-        const groups = match.pathname.groups;
-        const user = getPatternGroup(groups, 'user');
-        const gistId = getPatternGroup(groups, 'gistId');
-        if (!user || !gistId)
-            return null;
-        let filePath = '';
-        if (hash.startsWith('#file-')) {
-            const filename = hash.slice('#file-'.length).replace(/-/g, '.');
-            if (filename)
-                filePath = `/${filename}`;
-        }
-        return {
-            url: `https://gist.githubusercontent.com/${user}/${gistId}/raw${filePath}`,
-            platform: 'github-gist',
-        };
+    catch {
+        // Ignore URL parsing errors and continue fallbacks.
+    }
+    const fromTitle = resolveTitleFilenameCandidate(title);
+    if (fromTitle)
+        return fromTitle;
+    if (hashFallback)
+        return hashFallback.substring(0, 16);
+    return `download-${Date.now()}`;
+}
+export function generateSafeFilename(url, title, hashFallback, extension = '.md') {
+    const name = resolveFilenameBase(url, title, hashFallback);
+    return `${truncateFilenameBase(name, extension)}${extension}`;
+}
+const DownloadParamsSchema = z.strictObject({
+    namespace: z.literal('markdown'),
+    hash: z
+        .string()
+        .regex(/^[a-f0-9.]+$/i)
+        .min(8)
+        .max(64),
+});
+function writeJsonError(res, status, message, code) {
+    res.writeHead(status, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: message, code }));
+}
+export function handleDownload(res, namespace, hash) {
+    const parsed = DownloadParamsSchema.safeParse({ namespace, hash });
+    if (!parsed.success) {
+        writeJsonError(res, 400, 'Invalid namespace or hash', 'BAD_REQUEST');
+        return;
     }
-    transformGitLab(url, origin) {
-        for (const pattern of GITLAB_BLOB_PATTERNS) {
-            const match = pattern.exec(url);
-            if (!match)
-                continue;
-            const groups = match.pathname.groups;
-            const base = getPatternGroup(groups, 'base');
-            const branch = getPatternGroup(groups, 'branch');
-            const path = getPatternGroup(groups, 'path');
-            if (!base || !branch || !path)
-                return null;
-            return {
-                url: `${origin}/${base}/-/raw/${branch}/${path}`,
-                platform: 'gitlab',
-            };
-        }
-        return null;
+    const cacheKey = `${parsed.data.namespace}:${parsed.data.hash}`;
+    const entry = cacheGet(cacheKey, { force: true });
+    if (!entry) {
+        writeJsonError(res, 404, 'Not found or expired', 'NOT_FOUND');
+        return;
     }
-    transformBitbucket(url, origin) {
-        const match = BITBUCKET_SRC_PATTERN.exec(url);
-        if (!match)
-            return null;
-        const groups = match.pathname.groups;
-        const owner = getPatternGroup(groups, 'owner');
-        const repo = getPatternGroup(groups, 'repo');
-        const branch = getPatternGroup(groups, 'branch');
-        const path = getPatternGroup(groups, 'path');
-        if (!owner || !repo || !branch || !path)
-            return null;
-        return {
-            url: `${origin}/${owner}/${repo}/raw/${branch}/${path}`,
-            platform: 'bitbucket',
-        };
+    const payload = parseCachedPayload(entry.content);
+    const content = payload ? resolveCachedPayloadContent(payload) : null;
+    if (!content) {
+        writeJsonError(res, 404, 'Content missing', 'NOT_FOUND');
+        return;
     }
+    const fileName = generateSafeFilename(entry.url, payload?.title, parsed.data.hash);
+    // Safe header generation — RFC 5987 encoding for non-ASCII filenames
+    const encoded = encodeURIComponent(fileName).replace(/'/g, '%27');
+    res.setHeader('Content-Type', 'text/markdown; charset=utf-8');
+    res.setHeader('Content-Disposition', `attachment; filename="${fileName}"; filename*=UTF-8''${encoded}`);
+    res.setHeader('Cache-Control', `private, max-age=${config.cache.ttl}`);
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    res.end(content);
 }
-const DNS_LOOKUP_TIMEOUT_MS = 5000;
-const CNAME_LOOKUP_MAX_DEPTH = 5;
-function normalizeDnsName(value) {
-    const normalized = value.trim().toLowerCase().replace(/\.+$/, '');
-    return normalized;
-}
-function createSignalAbortRace(signal, isAbort, onTimeout, onAbort) {
-    let abortListener = null;
-    const abortPromise = new Promise((_, reject) => {
-        abortListener = () => {
-            reject(isAbort() ? onAbort() : onTimeout());
-        };
-        signal.addEventListener('abort', abortListener, { once: true });
-        if (signal.aborted)
-            abortListener();
-    });
-    const cleanup = () => {
-        if (!abortListener)
-            return;
-        try {
-            signal.removeEventListener('abort', abortListener);
-        }
-        catch {
-            // Ignore listener cleanup failures; they are non-fatal by design.
-        }
-        abortListener = null;
-    };
-    return { abortPromise, cleanup };
-}
-async function withTimeout(promise, timeoutMs, onTimeout, signal, onAbort) {
-    const timeoutSignal = timeoutMs > 0 ? AbortSignal.timeout(timeoutMs) : undefined;
-    const raceSignal = signal && timeoutSignal
-        ? AbortSignal.any([signal, timeoutSignal])
-        : (signal ?? timeoutSignal);
-    if (!raceSignal)
-        return promise;
-    const abortRace = createSignalAbortRace(raceSignal, () => signal?.aborted === true, onTimeout, onAbort ?? (() => new Error('Request was canceled')));
+const UTF8_ENCODING = 'utf-8';
+function getCharsetFromContentType(contentType) {
+    if (!contentType)
+        return undefined;
+    const match = /charset=([^;]+)/i.exec(contentType);
+    const charsetGroup = match?.[1];
+    if (!charsetGroup)
+        return undefined;
+    let charset = charsetGroup.trim();
+    if (charset.startsWith('"') && charset.endsWith('"')) {
+        charset = charset.slice(1, -1);
+    }
+    return charset.trim();
+}
+function createDecoder(encoding) {
+    const fallback = () => new TextDecoder(UTF8_ENCODING);
+    if (!encoding)
+        return fallback();
     try {
-        return await Promise.race([promise, abortRace.abortPromise]);
+        return new TextDecoder(encoding);
     }
-    finally {
-        abortRace.cleanup();
+    catch {
+        return fallback();
     }
 }
-function createAbortSignalError() {
-    const err = new Error('Request was canceled');
-    err.name = 'AbortError';
-    return err;
-}
-class SafeDnsResolver {
-    ipBlocker;
-    security;
-    blockedHostSuffixes;
-    constructor(ipBlocker, security, blockedHostSuffixes) {
-        this.ipBlocker = ipBlocker;
-        this.security = security;
-        this.blockedHostSuffixes = blockedHostSuffixes;
-    }
-    async resolveAndValidate(hostname, signal) {
-        const normalizedHostname = normalizeDnsName(hostname.replace(/^\[|\]$/g, ''));
-        if (!normalizedHostname) {
-            throw createErrorWithCode('Invalid hostname provided', 'EINVAL');
-        }
-        if (signal?.aborted) {
-            throw createAbortSignalError();
-        }
-        if (this.isBlockedHostname(normalizedHostname)) {
-            throw createErrorWithCode(`Blocked host: ${normalizedHostname}. Internal hosts are not allowed`, 'EBLOCKED');
-        }
-        if (isIP(normalizedHostname)) {
-            if (isCloudMetadataHost(normalizedHostname)) {
-                throw createErrorWithCode(`Blocked IP range: ${normalizedHostname}. Cloud metadata endpoints are not allowed`, 'EBLOCKED');
-            }
-            if (process.env['ALLOW_LOCAL_FETCH'] !== 'true' &&
-                this.ipBlocker.isBlockedIp(normalizedHostname)) {
-                throw createErrorWithCode(`Blocked IP range: ${normalizedHostname}. Private IPs are not allowed`, 'EBLOCKED');
-            }
-            return normalizedHostname;
-        }
-        await this.assertNoBlockedCname(normalizedHostname, signal);
-        const resultPromise = dns.promises.lookup(normalizedHostname, {
-            all: true,
-            order: 'verbatim',
-        });
-        const addresses = await withTimeout(resultPromise, DNS_LOOKUP_TIMEOUT_MS, () => createErrorWithCode(`DNS lookup timed out for ${normalizedHostname}`, 'ETIMEOUT'), signal, createAbortSignalError);
-        if (addresses.length === 0 || !addresses[0]) {
-            throw createErrorWithCode(`No DNS results returned for ${normalizedHostname}`, 'ENODATA');
-        }
-        for (const addr of addresses) {
-            if (addr.family !== 4 && addr.family !== 6) {
-                throw createErrorWithCode(`Invalid address family returned for ${normalizedHostname}`, 'EINVAL');
-            }
-            if (isCloudMetadataHost(addr.address)) {
-                throw createErrorWithCode(`Blocked IP detected for ${normalizedHostname}`, 'EBLOCKED');
-            }
-            if (!isLocalFetchAllowed() && this.ipBlocker.isBlockedIp(addr.address)) {
-                throw createErrorWithCode(`Blocked IP detected for ${normalizedHostname}`, 'EBLOCKED');
-            }
-        }
-        return addresses[0].address;
-    }
-    isBlockedHostname(hostname) {
-        if (isCloudMetadataHost(hostname))
-            return true;
-        if (isLocalFetchAllowed())
+function decodeBuffer(buffer, encoding) {
+    return createDecoder(encoding).decode(buffer);
+}
+function normalizeEncodingLabel(encoding) {
+    return encoding?.trim().toLowerCase() ?? '';
+}
+function isUnicodeWideEncoding(encoding) {
+    const normalized = normalizeEncodingLabel(encoding);
+    return (normalized.startsWith('utf-16') ||
+        normalized.startsWith('utf-32') ||
+        normalized === 'ucs-2' ||
+        normalized === 'unicodefffe' ||
+        normalized === 'unicodefeff');
+}
+const BOM_SIGNATURES = [
+    // 4-byte BOMs must come first to avoid false matches with 2-byte prefixes
+    { bytes: [0xff, 0xfe, 0x00, 0x00], encoding: 'utf-32le' },
+    { bytes: [0x00, 0x00, 0xfe, 0xff], encoding: 'utf-32be' },
+    { bytes: [0xef, 0xbb, 0xbf], encoding: 'utf-8' },
+    { bytes: [0xff, 0xfe], encoding: 'utf-16le' },
+    { bytes: [0xfe, 0xff], encoding: 'utf-16be' },
+];
+function startsWithBytes(buffer, signature) {
+    const sigLen = signature.length;
+    if (buffer.length < sigLen)
+        return false;
+    for (let i = 0; i < sigLen; i += 1) {
+        if (buffer[i] !== signature[i])
             return false;
-        if (this.security.blockedHosts.has(hostname))
-            return true;
-        return this.blockedHostSuffixes.some((suffix) => hostname.endsWith(suffix));
     }
-    async assertNoBlockedCname(hostname, signal) {
-        let current = hostname;
-        const seen = new Set();
-        for (let depth = 0; depth < CNAME_LOOKUP_MAX_DEPTH; depth += 1) {
-            if (!current || seen.has(current))
-                return;
-            seen.add(current);
-            const cnames = await this.resolveCname(current, signal);
-            if (cnames.length === 0)
-                return;
-            for (const cname of cnames) {
-                if (this.isBlockedHostname(cname)) {
-                    throw createErrorWithCode(`Blocked DNS CNAME detected for ${hostname}: ${cname}`, 'EBLOCKED');
-                }
-            }
-            current = cnames[0] ?? '';
-        }
+    return true;
+}
+function detectBomEncoding(buffer) {
+    for (const { bytes, encoding } of BOM_SIGNATURES) {
+        if (startsWithBytes(buffer, bytes))
+            return encoding;
     }
-    async resolveCname(hostname, signal) {
-        try {
-            const resultPromise = dns.promises.resolveCname(hostname);
-            const cnames = await withTimeout(resultPromise, DNS_LOOKUP_TIMEOUT_MS, () => createErrorWithCode(`DNS CNAME lookup timed out for ${hostname}`, 'ETIMEOUT'), signal, createAbortSignalError);
-            return cnames
-                .map((value) => normalizeDnsName(value))
-                .filter((value) => value.length > 0);
-        }
-        catch (error) {
-            if (isError(error) && error.name === 'AbortError') {
-                throw error;
-            }
-            if (isSystemError(error) &&
-                (error.code === 'ENODATA' ||
-                    error.code === 'ENOTFOUND' ||
-                    error.code === 'ENODOMAIN')) {
-                return [];
-            }
-            logDebug('DNS CNAME lookup failed; continuing with address lookup', {
-                hostname,
-                ...(isSystemError(error) ? { code: error.code } : {}),
-            });
-            return [];
-        }
+    return undefined;
+}
+function readQuotedValue(input, startIndex) {
+    const first = input[startIndex];
+    if (!first)
+        return '';
+    const quoted = first === '"' || first === "'";
+    if (quoted) {
+        const end = input.indexOf(first, startIndex + 1);
+        return end === -1 ? '' : input.slice(startIndex + 1, end).trim();
+    }
+    const tail = input.slice(startIndex);
+    const stop = tail.search(/[\s/>]/);
+    return (stop === -1 ? tail : tail.slice(0, stop)).trim();
+}
+function findTokenValue(original, lower, token, fromIndex = 0) {
+    const tokenIndex = lower.indexOf(token, fromIndex);
+    if (tokenIndex === -1)
+        return undefined;
+    const valueStart = tokenIndex + token.length;
+    const value = readQuotedValue(original, valueStart);
+    return value || undefined;
+}
+function extractHtmlCharset(headSnippet) {
+    const lower = headSnippet.toLowerCase();
+    const charset = findTokenValue(headSnippet, lower, 'charset=');
+    return charset ? charset.toLowerCase() : undefined;
+}
+function extractXmlEncoding(headSnippet) {
+    const lower = headSnippet.toLowerCase();
+    const xmlStart = lower.indexOf('<?xml');
+    if (xmlStart === -1)
+        return undefined;
+    const xmlEnd = lower.indexOf('?>', xmlStart);
+    const declaration = xmlEnd === -1
+        ? headSnippet.slice(xmlStart)
+        : headSnippet.slice(xmlStart, xmlEnd + 2);
+    const declarationLower = declaration.toLowerCase();
+    const encoding = findTokenValue(declaration, declarationLower, 'encoding=');
+    return encoding ? encoding.toLowerCase() : undefined;
+}
+function detectHtmlDeclaredEncoding(buffer) {
+    const scanSize = Math.min(buffer.length, 8_192);
+    if (scanSize === 0)
+        return undefined;
+    const headSnippet = Buffer.from(buffer.buffer, buffer.byteOffset, scanSize).toString('latin1');
+    return extractHtmlCharset(headSnippet) ?? extractXmlEncoding(headSnippet);
+}
+function resolveEncoding(declaredEncoding, sample) {
+    const bomEncoding = detectBomEncoding(sample);
+    if (bomEncoding)
+        return bomEncoding;
+    if (declaredEncoding)
+        return declaredEncoding;
+    return detectHtmlDeclaredEncoding(sample);
+}
+const BINARY_SIGNATURES = [
+    [0x25, 0x50, 0x44, 0x46],
+    [0x89, 0x50, 0x4e, 0x47],
+    [0x47, 0x49, 0x46, 0x38],
+    [0xff, 0xd8, 0xff],
+    [0x52, 0x49, 0x46, 0x46],
+    [0x42, 0x4d],
+    [0x49, 0x49, 0x2a, 0x00],
+    [0x4d, 0x4d, 0x00, 0x2a],
+    [0x00, 0x00, 0x01, 0x00],
+    [0x50, 0x4b, 0x03, 0x04],
+    [0x1f, 0x8b],
+    [0x42, 0x5a, 0x68],
+    [0x52, 0x61, 0x72, 0x21],
+    [0x37, 0x7a, 0xbc, 0xaf],
+    [0x7f, 0x45, 0x4c, 0x46],
+    [0x4d, 0x5a],
+    [0xcf, 0xfa, 0xed, 0xfe],
+    [0x00, 0x61, 0x73, 0x6d],
+    [0x1a, 0x45, 0xdf, 0xa3],
+    [0x66, 0x74, 0x79, 0x70],
+    [0x46, 0x4c, 0x56],
+    [0x49, 0x44, 0x33],
+    [0xff, 0xfb],
+    [0xff, 0xfa],
+    [0x4f, 0x67, 0x67, 0x53],
+    [0x66, 0x4c, 0x61, 0x43],
+    [0x4d, 0x54, 0x68, 0x64],
+    [0x77, 0x4f, 0x46, 0x46],
+    [0x00, 0x01, 0x00, 0x00],
+    [0x4f, 0x54, 0x54, 0x4f],
+    [0x53, 0x51, 0x4c, 0x69],
+];
+function hasNullByte(buffer, limit) {
+    const checkLen = Math.min(buffer.length, limit);
+    return buffer.subarray(0, checkLen).includes(0x00);
+}
+function isBinaryContent(buffer, encoding) {
+    for (const signature of BINARY_SIGNATURES) {
+        if (startsWithBytes(buffer, signature))
+            return true;
     }
+    return !isUnicodeWideEncoding(encoding) && hasNullByte(buffer, 1000);
 }
 function parseRetryAfter(header) {
     if (!header)
@@ -563,43 +289,31 @@ function parseRetryAfter(header) {
         return 0;
     return Math.ceil(deltaMs / 1000);
 }
-function createCanceledFetchError(url) {
-    return new FetchError('Request was canceled', url, 499, {
-        reason: 'aborted',
-    });
-}
-function createTimeoutFetchError(url, timeoutMs) {
-    return new FetchError(`Request timeout after ${timeoutMs}ms`, url, 504, {
-        timeout: timeoutMs,
-    });
-}
-function createRateLimitedFetchError(url, retryAfterHeader) {
-    return new FetchError('Too many requests', url, 429, {
-        retryAfter: parseRetryAfter(retryAfterHeader),
-    });
-}
-function createHttpFetchError(url, status, statusText) {
-    return new FetchError(`HTTP ${status}: ${statusText}`, url, status);
-}
-function createTooManyRedirectsFetchError(url) {
-    return new FetchError('Too many redirects', url);
-}
-function createMissingRedirectLocationFetchError(url) {
-    return new FetchError('Redirect response missing Location header', url);
-}
-function buildNetworkErrorMessage(url) {
-    return `Network error: Could not reach ${url}`;
-}
-function createNetworkFetchError(url, message) {
-    return new FetchError(buildNetworkErrorMessage(url), url, undefined, message ? { message } : {});
-}
-function createUnknownFetchError(url, message) {
-    return new FetchError(message, url);
-}
-function createAbortedFetchError(url) {
-    return new FetchError('Request was aborted during response read', url, 499, {
-        reason: 'aborted',
-    });
+function createFetchError(input, url) {
+    switch (input.kind) {
+        case 'canceled':
+            return new FetchError('Request was canceled', url, 499, {
+                reason: 'aborted',
+            });
+        case 'aborted':
+            return new FetchError('Request was aborted during response read', url, 499, { reason: 'aborted' });
+        case 'timeout':
+            return new FetchError(`Request timeout after ${input.timeout}ms`, url, 504, { timeout: input.timeout });
+        case 'rate-limited':
+            return new FetchError('Too many requests', url, 429, {
+                retryAfter: parseRetryAfter(input.retryAfter),
+            });
+        case 'http':
+            return new FetchError(`HTTP ${input.status}: ${input.statusText}`, url, input.status);
+        case 'too-many-redirects':
+            return new FetchError('Too many redirects', url);
+        case 'missing-redirect-location':
+            return new FetchError('Redirect response missing Location header', url);
+        case 'network':
+            return new FetchError(`Network error: Could not reach ${url}`, url, undefined, { message: input.message });
+        case 'unknown':
+            return new FetchError(input.message ?? 'Unexpected error', url);
+    }
 }
 function isAbortError(error) {
     return (isError(error) &&
@@ -622,15 +336,15 @@ function mapFetchError(error, fallbackUrl, timeoutMs) {
     const url = resolveErrorUrl(error, fallbackUrl);
     if (isAbortError(error)) {
         return isTimeoutError(error)
-            ? createTimeoutFetchError(url, timeoutMs)
-            : createCanceledFetchError(url);
+            ? createFetchError({ kind: 'timeout', timeout: timeoutMs }, url)
+            : createFetchError({ kind: 'canceled' }, url);
     }
     if (!isError(error))
-        return createUnknownFetchError(url, 'Unexpected error');
+        return createFetchError({ kind: 'unknown', message: 'Unexpected error' }, url);
     if (!isSystemError(error)) {
         const err = error;
         const causeStr = err.cause instanceof Error ? err.cause.message : String(err.cause);
-        return createNetworkFetchError(url, `${err.message}. Cause: ${causeStr}`);
+        return createFetchError({ kind: 'network', message: `${err.message}. Cause: ${causeStr}` }, url);
     }
     const { code } = error;
     if (code === 'ETIMEOUT') {
@@ -643,158 +357,7 @@ function mapFetchError(error, fallbackUrl, timeoutMs) {
         code === 'EINVAL') {
         return new FetchError(error.message, url, 400, { code });
     }
-    return new FetchError(buildNetworkErrorMessage(url), url, undefined, {
-        code,
-        message: error.message,
-    });
-}
-const fetchChannel = diagnosticsChannel.channel('fetch-url-mcp.fetch');
-const SLOW_REQUEST_THRESHOLD_MS = 5000;
-class FetchTelemetry {
-    logger;
-    context;
-    redactor;
-    constructor(logger, context, redactor) {
-        this.logger = logger;
-        this.context = context;
-        this.redactor = redactor;
-    }
-    redact(url) {
-        return this.redactor.redact(url);
-    }
-    start(url, method) {
-        const safeUrl = this.redactor.redact(url);
-        const contextRequestId = this.context.getRequestId();
-        const operationId = this.context.getOperationId();
-        const ctx = {
-            requestId: randomUUID(),
-            startTime: performance.now(),
-            url: safeUrl,
-            method: method.toUpperCase(),
-        };
-        if (contextRequestId)
-            ctx.contextRequestId = contextRequestId;
-        if (operationId)
-            ctx.operationId = operationId;
-        const event = {
-            v: 1,
-            type: 'start',
-            requestId: ctx.requestId,
-            method: ctx.method,
-            url: ctx.url,
-        };
-        if (ctx.contextRequestId)
-            event.contextRequestId = ctx.contextRequestId;
-        if (ctx.operationId)
-            event.operationId = ctx.operationId;
-        this.publish(event);
-        const logData = {
-            requestId: ctx.requestId,
-            method: ctx.method,
-            url: ctx.url,
-        };
-        if (ctx.contextRequestId)
-            logData['contextRequestId'] = ctx.contextRequestId;
-        if (ctx.operationId)
-            logData['operationId'] = ctx.operationId;
-        this.logger.debug('HTTP Request', logData);
-        return ctx;
-    }
-    recordResponse(context, response, contentSize) {
-        const duration = performance.now() - context.startTime;
-        const durationLabel = `${Math.round(duration)}ms`;
-        const event = {
-            v: 1,
-            type: 'end',
-            requestId: context.requestId,
-            status: response.status,
-            duration,
-        };
-        if (context.contextRequestId)
-            event.contextRequestId = context.contextRequestId;
-        if (context.operationId)
-            event.operationId = context.operationId;
-        this.publish(event);
-        const contentType = response.headers.get('content-type') ?? undefined;
-        const contentLengthHeader = response.headers.get('content-length');
-        const size = contentLengthHeader ??
-            (contentSize === undefined ? undefined : String(contentSize));
-        const logData = {
-            requestId: context.requestId,
-            status: response.status,
-            url: context.url,
-            duration: durationLabel,
-        };
-        if (context.contextRequestId)
-            logData['contextRequestId'] = context.contextRequestId;
-        if (context.operationId)
-            logData['operationId'] = context.operationId;
-        if (contentType)
-            logData['contentType'] = contentType;
-        if (size)
-            logData['size'] = size;
-        this.logger.debug('HTTP Response', logData);
-        if (duration > SLOW_REQUEST_THRESHOLD_MS) {
-            const warnData = {
-                requestId: context.requestId,
-                url: context.url,
-                duration: durationLabel,
-            };
-            if (context.contextRequestId)
-                warnData['contextRequestId'] = context.contextRequestId;
-            if (context.operationId)
-                warnData['operationId'] = context.operationId;
-            this.logger.warn('Slow HTTP request detected', warnData);
-        }
-    }
-    recordError(context, error, status) {
-        const duration = performance.now() - context.startTime;
-        const err = isError(error) ? error : new Error(String(error));
-        const code = isSystemError(err) ? err.code : undefined;
-        const event = {
-            v: 1,
-            type: 'error',
-            requestId: context.requestId,
-            url: context.url,
-            error: err.message,
-            duration,
-        };
-        if (code !== undefined)
-            event.code = code;
-        if (status !== undefined)
-            event.status = status;
-        if (context.contextRequestId)
-            event.contextRequestId = context.contextRequestId;
-        if (context.operationId)
-            event.operationId = context.operationId;
-        this.publish(event);
-        const logData = {
-            requestId: context.requestId,
-            url: context.url,
-            status,
-            code,
-            error: err.message,
-        };
-        if (context.contextRequestId)
-            logData['contextRequestId'] = context.contextRequestId;
-        if (context.operationId)
-            logData['operationId'] = context.operationId;
-        if (status === 429) {
-            this.logger.warn('HTTP Request Error', logData);
-            return;
-        }
-        this.logger.error('HTTP Request Error', logData);
-    }
-    publish(event) {
-        if (!fetchChannel.hasSubscribers)
-            return;
-        try {
-            fetchChannel.publish(event);
-        }
-        catch {
-            // Best-effort telemetry; never crash request path.
-        }
-    }
+    return createFetchError({ kind: 'network', message: error.message }, url);
 }
 const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
 function isRedirectStatus(status) {
@@ -835,7 +398,7 @@ class RedirectFollower {
                 return { response, url: currentUrl };
             currentUrl = nextUrl;
         }
-        throw createTooManyRedirectsFetchError(currentUrl);
+        throw createFetchError({ kind: 'too-many-redirects' }, currentUrl);
     }
     async performFetchCycle(currentUrl, init, redirectLimit, redirectCount, ipAddress) {
         const fetchInit = {
@@ -843,6 +406,7 @@ class RedirectFollower {
             redirect: 'manual',
         };
         if (ipAddress) {
+            const ca = tls.rootCertificates.length > 0 ? tls.rootCertificates : undefined;
             const agent = new Agent({
                 connect: {
                     lookup: (hostname, options, callback) => {
@@ -854,6 +418,8 @@ class RedirectFollower {
                             callback(null, ipAddress, family);
                         }
                     },
+                    timeout: config.fetcher.timeout,
+                    ...(ca ? { ca } : {}),
                 },
                 pipelining: 1,
                 connections: 1,
@@ -865,7 +431,10 @@ class RedirectFollower {
         const response = await this.fetchFn(currentUrl, fetchInit);
         if (!isRedirectStatus(response.status))
             return { response };
-        this.assertRedirectWithinLimit(response, currentUrl, redirectLimit, redirectCount);
+        if (redirectCount >= redirectLimit) {
+            cancelResponseBody(response);
+            throw createFetchError({ kind: 'too-many-redirects' }, currentUrl);
+        }
         const location = this.getRedirectLocation(response, currentUrl);
         cancelResponseBody(response);
         const nextUrl = this.resolveRedirectTarget(currentUrl, location);
@@ -874,221 +443,57 @@ class RedirectFollower {
             parsedNextUrl.protocol !== 'https:') {
             throw createErrorWithCode(`Unsupported redirect protocol: ${parsedNextUrl.protocol}`, 'EUNSUPPORTEDPROTOCOL');
         }
-        return {
-            response,
-            nextUrl,
-        };
-    }
-    assertRedirectWithinLimit(response, currentUrl, redirectLimit, redirectCount) {
-        if (redirectCount < redirectLimit)
-            return;
-        cancelResponseBody(response);
-        throw createTooManyRedirectsFetchError(currentUrl);
-    }
-    getRedirectLocation(response, currentUrl) {
-        const location = response.headers.get('location');
-        if (location)
-            return location;
-        cancelResponseBody(response);
-        throw createMissingRedirectLocationFetchError(currentUrl);
-    }
-    resolveRedirectTarget(baseUrl, location) {
-        let resolved;
-        try {
-            resolved = new URL(location, baseUrl);
-        }
-        catch {
-            throw createErrorWithCode('Invalid redirect target', 'EBADREDIRECT');
-        }
-        if (resolved.username || resolved.password) {
-            throw createErrorWithCode('Redirect target includes credentials', 'EBADREDIRECT');
-        }
-        return this.normalizeUrl(resolved.href);
-    }
-    annotateRedirectError(error, url) {
-        if (!isObject(error))
-            return;
-        error['requestUrl'] = url;
-    }
-    async withRedirectErrorContext(url, fn) {
-        try {
-            return await fn();
-        }
-        catch (error) {
-            this.annotateRedirectError(error, url);
-            throw error;
-        }
-    }
-}
-class ResponseTextReader {
-    async read(response, url, maxBytes, signal, encoding) {
-        const { buffer, encoding: effectiveEncoding, truncated, } = await this.readBuffer(response, url, maxBytes, signal, encoding);
-        const text = decodeBuffer(buffer, effectiveEncoding);
-        return { text, size: buffer.byteLength, truncated };
-    }
-    async readBuffer(response, url, maxBytes, signal, encoding) {
-        if (signal?.aborted) {
-            cancelResponseBody(response);
-            throw createAbortedFetchError(url);
-        }
-        if (!response.body) {
-            return this.readNonStreamBuffer(response, url, maxBytes, signal, encoding);
-        }
-        return this.readStreamToBuffer(response.body, url, maxBytes, signal, encoding);
-    }
-    async readNonStreamBuffer(response, url, maxBytes, signal, encoding) {
-        if (signal?.aborted)
-            throw createCanceledFetchError(url);
-        const limit = maxBytes <= 0 ? Number.POSITIVE_INFINITY : maxBytes;
-        let buffer;
-        let truncated = false;
-        try {
-            // Try safe blob slicing if available (Node 18+) to avoid OOM
-            const blob = await response.blob();
-            if (Number.isFinite(limit) && blob.size > limit) {
-                const sliced = blob.slice(0, limit);
-                buffer = new Uint8Array(await sliced.arrayBuffer());
-                truncated = true;
-            }
-            else {
-                buffer = new Uint8Array(await blob.arrayBuffer());
-            }
-        }
-        catch {
-            // Fallback if blob() fails
-            const arrayBuffer = await response.arrayBuffer();
-            const length = Math.min(arrayBuffer.byteLength, limit);
-            buffer = new Uint8Array(arrayBuffer, 0, length);
-            truncated = Number.isFinite(limit) && arrayBuffer.byteLength > limit;
-        }
-        const effectiveEncoding = resolveEncoding(encoding, buffer) ?? encoding ?? 'utf-8';
-        if (isBinaryContent(buffer, effectiveEncoding)) {
-            throw new FetchError('Detailed content type check failed: binary content detected', url, 500, { reason: 'binary_content_detected' });
-        }
-        return {
-            buffer,
-            encoding: effectiveEncoding,
-            size: buffer.byteLength,
-            truncated,
-        };
-    }
-    async readStreamToBuffer(stream, url, maxBytes, signal, encoding) {
-        const byteLimit = maxBytes <= 0 ? Number.POSITIVE_INFINITY : maxBytes;
-        const captureChunks = byteLimit !== Number.POSITIVE_INFINITY;
-        let effectiveEncoding = encoding ?? 'utf-8';
-        let encodingResolved = false;
-        let total = 0;
-        const chunks = [];
-        const source = Readable.fromWeb(toNodeReadableStream(stream, url, 'response:read-stream-buffer'));
-        const guard = new Transform({
-            transform(chunk, _encoding, callback) {
-                try {
-                    const buf = Buffer.isBuffer(chunk)
-                        ? chunk
-                        : Buffer.from(chunk.buffer, chunk.byteOffset, chunk.byteLength);
-                    if (!encodingResolved) {
-                        encodingResolved = true;
-                        effectiveEncoding =
-                            resolveEncoding(encoding, buf) ?? encoding ?? 'utf-8';
-                    }
-                    if (isBinaryContent(buf, effectiveEncoding)) {
-                        callback(new FetchError('Detailed content type check failed: binary content detected', url, 500, { reason: 'binary_content_detected' }));
-                        return;
-                    }
-                    const newTotal = total + buf.length;
-                    if (newTotal > byteLimit) {
-                        const remaining = byteLimit - total;
-                        if (remaining > 0) {
-                            const slice = buf.subarray(0, remaining);
-                            total += remaining;
-                            if (captureChunks)
-                                chunks.push(slice);
-                            this.push(slice);
-                        }
-                        callback(new MaxBytesError());
-                        return;
-                    }
-                    total = newTotal;
-                    if (captureChunks)
-                        chunks.push(buf);
-                    callback(null, buf);
-                }
-                catch (error) {
-                    callback(error instanceof Error ? error : new Error(String(error)));
-                }
-            },
-        });
-        const guarded = source.pipe(guard);
-        const abortHandler = () => {
-            source.destroy();
-            guard.destroy();
+        return {
+            response,
+            nextUrl,
         };
-        if (signal) {
-            signal.addEventListener('abort', abortHandler, { once: true });
+    }
+    getRedirectLocation(response, currentUrl) {
+        const location = response.headers.get('location');
+        if (location)
+            return location;
+        cancelResponseBody(response);
+        throw createFetchError({ kind: 'missing-redirect-location' }, currentUrl);
+    }
+    resolveRedirectTarget(baseUrl, location) {
+        let resolved;
+        try {
+            resolved = new URL(location, baseUrl);
         }
+        catch {
+            throw createErrorWithCode('Invalid redirect target', 'EBADREDIRECT');
+        }
+        if (resolved.username || resolved.password) {
+            throw createErrorWithCode('Redirect target includes credentials', 'EBADREDIRECT');
+        }
+        return this.normalizeUrl(resolved.href);
+    }
+    annotateRedirectError(error, url) {
+        if (!isObject(error))
+            return;
+        error['requestUrl'] = url;
+    }
+    async withRedirectErrorContext(url, fn) {
         try {
-            const buffer = await consumeBuffer(guarded);
-            return {
-                buffer,
-                encoding: effectiveEncoding,
-                size: total,
-                truncated: false,
-            };
+            return await fn();
         }
         catch (error) {
-            if (signal?.aborted)
-                throw createAbortedFetchError(url);
-            if (error instanceof FetchError)
-                throw error;
-            if (error instanceof MaxBytesError) {
-                source.destroy();
-                guard.destroy();
-                return {
-                    buffer: Buffer.concat(chunks, total),
-                    encoding: effectiveEncoding,
-                    size: total,
-                    truncated: true,
-                };
-            }
+            this.annotateRedirectError(error, url);
             throw error;
         }
-        finally {
-            if (signal) {
-                signal.removeEventListener('abort', abortHandler);
-            }
-        }
     }
 }
-const DEFAULT_HEADERS = {
-    'User-Agent': config.fetcher.userAgent,
-    Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
-    'Accept-Language': 'en-US,en;q=0.5',
-    'Accept-Encoding': 'gzip, deflate, br',
-    Connection: 'keep-alive',
-};
-function buildHeaders() {
-    return DEFAULT_HEADERS;
-}
-function buildRequestSignal(timeoutMs, external) {
-    if (timeoutMs <= 0)
-        return external;
-    const timeoutSignal = AbortSignal.timeout(timeoutMs);
-    return external ? AbortSignal.any([external, timeoutSignal]) : timeoutSignal;
-}
-function buildRequestInit(headers, signal) {
-    return {
-        method: 'GET',
-        headers,
-        ...(signal ? { signal } : {}),
-    };
-}
 function resolveResponseError(response, finalUrl) {
     if (response.status === 429) {
-        return createRateLimitedFetchError(finalUrl, response.headers.get('retry-after'));
+        return createFetchError({ kind: 'rate-limited', retryAfter: response.headers.get('retry-after') }, finalUrl);
     }
     return response.ok
         ? null
-        : createHttpFetchError(finalUrl, response.status, response.statusText);
+        : createFetchError({
+            kind: 'http',
+            status: response.status,
+            statusText: response.statusText,
+        }, finalUrl);
 }
 function resolveMediaType(contentType) {
     if (!contentType)
@@ -1220,85 +625,224 @@ async function decodeResponseIfNeeded(response, url, signal) {
         if (!isSupportedContentEncoding(encoding)) {
             throw createUnsupportedContentEncodingError(url, encodingHeader ?? encoding);
         }
-    }
-    if (!response.body)
-        return response;
-    const [decodeBranch, passthroughBranch] = response.body.tee();
-    const decodeOrder = encodings
-        .slice()
-        .reverse()
-        .filter(isSupportedContentEncoding);
-    const decompressors = decodeOrder.map((encoding) => createDecompressor(encoding));
-    const decodeSource = Readable.fromWeb(toNodeReadableStream(decodeBranch, url, 'response:decode-content-encoding'));
-    const decodedNodeStream = new PassThrough();
-    const decodedPipeline = pipeline([
-        decodeSource,
-        ...decompressors,
-        decodedNodeStream,
-    ]);
-    const headers = new Headers(response.headers);
-    headers.delete('content-encoding');
-    headers.delete('content-length');
-    const abortDecodePipeline = () => {
-        decodeSource.destroy();
-        for (const decompressor of decompressors) {
-            decompressor.destroy();
+    }
+    if (!response.body)
+        return response;
+    const [decodeBranch, passthroughBranch] = response.body.tee();
+    const decodeOrder = encodings
+        .slice()
+        .reverse()
+        .filter(isSupportedContentEncoding);
+    const decompressors = decodeOrder.map((encoding) => createDecompressor(encoding));
+    const decodeSource = Readable.fromWeb(toNodeReadableStream(decodeBranch, url, 'response:decode-content-encoding'));
+    const decodedNodeStream = new PassThrough();
+    const decodedPipeline = pipeline([
+        decodeSource,
+        ...decompressors,
+        decodedNodeStream,
+    ]);
+    const headers = new Headers(response.headers);
+    headers.delete('content-encoding');
+    headers.delete('content-length');
+    const abortDecodePipeline = () => {
+        decodeSource.destroy();
+        for (const decompressor of decompressors) {
+            decompressor.destroy();
+        }
+        decodedNodeStream.destroy();
+    };
+    if (signal) {
+        signal.addEventListener('abort', abortDecodePipeline, { once: true });
+    }
+    void decodedPipeline.catch((error) => {
+        decodedNodeStream.destroy(toError(error));
+    });
+    const decodedBodyStream = toWebReadableStream(decodedNodeStream, url, 'response:decode-content-encoding');
+    const decodedReader = decodedBodyStream.getReader();
+    const clearAbortListener = () => {
+        if (!signal)
+            return;
+        signal.removeEventListener('abort', abortDecodePipeline);
+    };
+    try {
+        const first = await decodedReader.read();
+        if (first.done) {
+            clearAbortListener();
+            void passthroughBranch.cancel().catch(() => undefined);
+            return new Response(null, {
+                status: response.status,
+                statusText: response.statusText,
+                headers,
+            });
+        }
+        void passthroughBranch.cancel().catch(() => undefined);
+        const body = createPumpedStream(first.value, decodedReader);
+        if (signal) {
+            void finished(decodedNodeStream, { cleanup: true })
+                .catch(() => { })
+                .finally(() => {
+                clearAbortListener();
+            });
+        }
+        return new Response(body, {
+            status: response.status,
+            statusText: response.statusText,
+            headers,
+        });
+    }
+    catch (error) {
+        clearAbortListener();
+        abortDecodePipeline();
+        void decodedReader.cancel(error).catch(() => undefined);
+        logDebug('Content-Encoding decode failed; using passthrough body', {
+            url: redactUrl(url),
+            encoding: encodingHeader ?? encodings.join(','),
+            error: isError(error) ? error.message : String(error),
+        });
+        return new Response(passthroughBranch, {
+            status: response.status,
+            statusText: response.statusText,
+            headers,
+        });
+    }
+}
+class ResponseTextReader {
+    async read(response, url, maxBytes, signal, encoding) {
+        const { buffer, encoding: effectiveEncoding, truncated, } = await this.readBuffer(response, url, maxBytes, signal, encoding);
+        const text = decodeBuffer(buffer, effectiveEncoding);
+        return { text, size: buffer.byteLength, truncated };
+    }
+    async readBuffer(response, url, maxBytes, signal, encoding) {
+        if (signal?.aborted) {
+            cancelResponseBody(response);
+            throw createFetchError({ kind: 'aborted' }, url);
+        }
+        if (!response.body) {
+            return this.readNonStreamBuffer(response, url, maxBytes, signal, encoding);
+        }
+        return this.readStreamToBuffer(response.body, url, maxBytes, signal, encoding);
+    }
+    async readNonStreamBuffer(response, url, maxBytes, signal, encoding) {
+        if (signal?.aborted)
+            throw createFetchError({ kind: 'canceled' }, url);
+        const limit = maxBytes <= 0 ? Number.POSITIVE_INFINITY : maxBytes;
+        let buffer;
+        let truncated = false;
+        try {
+            // Try safe blob slicing if available (Node 18+) to avoid OOM
+            const blob = await response.blob();
+            if (Number.isFinite(limit) && blob.size > limit) {
+                const sliced = blob.slice(0, limit);
+                buffer = new Uint8Array(await sliced.arrayBuffer());
+                truncated = true;
+            }
+            else {
+                buffer = new Uint8Array(await blob.arrayBuffer());
+            }
+        }
+        catch {
+            // Fallback if blob() fails
+            const arrayBuffer = await response.arrayBuffer();
+            const length = Math.min(arrayBuffer.byteLength, limit);
+            buffer = new Uint8Array(arrayBuffer, 0, length);
+            truncated = Number.isFinite(limit) && arrayBuffer.byteLength > limit;
+        }
+        const effectiveEncoding = resolveEncoding(encoding, buffer) ?? encoding ?? 'utf-8';
+        if (isBinaryContent(buffer, effectiveEncoding)) {
+            throw new FetchError('Detailed content type check failed: binary content detected', url, 500, { reason: 'binary_content_detected' });
+        }
+        return {
+            buffer,
+            encoding: effectiveEncoding,
+            size: buffer.byteLength,
+            truncated,
+        };
+    }
+    async readStreamToBuffer(stream, url, maxBytes, signal, encoding) {
+        const byteLimit = maxBytes <= 0 ? Number.POSITIVE_INFINITY : maxBytes;
+        const captureChunks = byteLimit !== Number.POSITIVE_INFINITY;
+        let effectiveEncoding = encoding ?? 'utf-8';
+        let encodingResolved = false;
+        let total = 0;
+        const chunks = [];
+        const source = Readable.fromWeb(toNodeReadableStream(stream, url, 'response:read-stream-buffer'));
+        const guard = new Transform({
+            transform(chunk, _encoding, callback) {
+                try {
+                    const buf = Buffer.isBuffer(chunk)
+                        ? chunk
+                        : Buffer.from(chunk.buffer, chunk.byteOffset, chunk.byteLength);
+                    if (!encodingResolved) {
+                        encodingResolved = true;
+                        effectiveEncoding =
+                            resolveEncoding(encoding, buf) ?? encoding ?? 'utf-8';
+                    }
+                    if (isBinaryContent(buf, effectiveEncoding)) {
+                        callback(new FetchError('Detailed content type check failed: binary content detected', url, 500, { reason: 'binary_content_detected' }));
+                        return;
+                    }
+                    const newTotal = total + buf.length;
+                    if (newTotal > byteLimit) {
+                        const remaining = byteLimit - total;
+                        if (remaining > 0) {
+                            const slice = buf.subarray(0, remaining);
+                            total += remaining;
+                            if (captureChunks)
+                                chunks.push(slice);
+                            this.push(slice);
+                        }
+                        callback(new MaxBytesError());
+                        return;
+                    }
+                    total = newTotal;
+                    if (captureChunks)
+                        chunks.push(buf);
+                    callback(null, buf);
+                }
+                catch (error) {
+                    callback(toError(error));
+                }
+            },
+        });
+        const guarded = source.pipe(guard);
+        const abortHandler = () => {
+            source.destroy();
+            guard.destroy();
+        };
+        if (signal) {
+            signal.addEventListener('abort', abortHandler, { once: true });
+        }
+        try {
+            const buffer = await consumeBuffer(guarded);
+            return {
+                buffer,
+                encoding: effectiveEncoding,
+                size: total,
+                truncated: false,
+            };
         }
-        decodedNodeStream.destroy();
-    };
-    if (signal) {
-        signal.addEventListener('abort', abortDecodePipeline, { once: true });
-    }
-    void decodedPipeline.catch((error) => {
-        decodedNodeStream.destroy(error instanceof Error ? error : new Error(String(error)));
-    });
-    const decodedBodyStream = toWebReadableStream(decodedNodeStream, url, 'response:decode-content-encoding');
-    const decodedReader = decodedBodyStream.getReader();
-    const clearAbortListener = () => {
-        if (!signal)
-            return;
-        signal.removeEventListener('abort', abortDecodePipeline);
-    };
-    try {
-        const first = await decodedReader.read();
-        if (first.done) {
-            clearAbortListener();
-            void passthroughBranch.cancel().catch(() => undefined);
-            return new Response(null, {
-                status: response.status,
-                statusText: response.statusText,
-                headers,
-            });
+        catch (error) {
+            if (signal?.aborted)
+                throw createFetchError({ kind: 'aborted' }, url);
+            if (error instanceof FetchError)
+                throw error;
+            if (error instanceof MaxBytesError) {
+                source.destroy();
+                guard.destroy();
+                return {
+                    buffer: Buffer.concat(chunks, total),
+                    encoding: effectiveEncoding,
+                    size: total,
+                    truncated: true,
+                };
+            }
+            throw error;
         }
-        void passthroughBranch.cancel().catch(() => undefined);
-        const body = createPumpedStream(first.value, decodedReader);
-        if (signal) {
-            void finished(decodedNodeStream, { cleanup: true })
-                .catch(() => { })
-                .finally(() => {
-                clearAbortListener();
-            });
+        finally {
+            if (signal) {
+                signal.removeEventListener('abort', abortHandler);
+            }
         }
-        return new Response(body, {
-            status: response.status,
-            statusText: response.statusText,
-            headers,
-        });
-    }
-    catch (error) {
-        clearAbortListener();
-        abortDecodePipeline();
-        void decodedReader.cancel(error).catch(() => undefined);
-        logDebug('Content-Encoding decode failed; using passthrough body', {
-            url: redactUrl(url),
-            encoding: encodingHeader ?? encodings.join(','),
-            error: isError(error) ? error.message : String(error),
-        });
-        return new Response(passthroughBranch, {
-            status: response.status,
-            statusText: response.statusText,
-            headers,
-        });
     }
 }
 async function readAndRecordDecodedResponse(response, finalUrl, ctx, telemetry, reader, maxBytes, mode, signal) {
@@ -1320,20 +864,172 @@ async function readAndRecordDecodedResponse(response, finalUrl, ctx, telemetry,
     telemetry.recordResponse(ctx, decodedResponse, size);
     return { kind: 'buffer', buffer, encoding, size, truncated };
 }
-function extractHostname(url) {
-    try {
-        return new URL(url).hostname;
+function isReadableStreamLike(value) {
+    if (!isObject(value))
+        return false;
+    return (typeof value['getReader'] === 'function' &&
+        typeof value['cancel'] === 'function' &&
+        typeof value['tee'] === 'function' &&
+        typeof value['locked'] === 'boolean');
+}
+function assertReadableStreamLike(stream, url, stage) {
+    if (isReadableStreamLike(stream))
+        return;
+    throw new FetchError('Invalid response stream', url, 500, {
+        reason: 'invalid_stream',
+        stage,
+    });
+}
+function toNodeReadableStream(stream, url, stage) {
+    assertReadableStreamLike(stream, url, stage);
+    return stream;
+}
+function toWebReadableStream(stream, url, stage) {
+    const converted = Readable.toWeb(stream);
+    assertReadableStreamLike(converted, url, stage);
+    return converted;
+}
+const fetchChannel = diagnosticsChannel.channel('fetch-url-mcp.fetch');
+const SLOW_REQUEST_THRESHOLD_MS = 5000;
+class FetchTelemetry {
+    logger;
+    context;
+    redactor;
+    constructor(logger, context, redactor) {
+        this.logger = logger;
+        this.context = context;
+        this.redactor = redactor;
     }
-    catch {
-        throw createErrorWithCode('Invalid URL', 'EINVAL');
+    redact(url) {
+        return this.redactor.redact(url);
+    }
+    contextFields(ctx) {
+        return {
+            ...(ctx.contextRequestId
+                ? { contextRequestId: ctx.contextRequestId }
+                : {}),
+            ...(ctx.operationId ? { operationId: ctx.operationId } : {}),
+        };
+    }
+    start(url, method) {
+        const safeUrl = this.redactor.redact(url);
+        const contextRequestId = this.context.getRequestId();
+        const operationId = this.context.getOperationId();
+        const ctx = {
+            requestId: randomUUID(),
+            startTime: performance.now(),
+            url: safeUrl,
+            method: method.toUpperCase(),
+        };
+        if (contextRequestId)
+            ctx.contextRequestId = contextRequestId;
+        if (operationId)
+            ctx.operationId = operationId;
+        const ctxFields = this.contextFields(ctx);
+        this.publish({
+            v: 1,
+            type: 'start',
+            requestId: ctx.requestId,
+            method: ctx.method,
+            url: ctx.url,
+            ...ctxFields,
+        });
+        this.logger.debug('HTTP Request', {
+            requestId: ctx.requestId,
+            method: ctx.method,
+            url: ctx.url,
+            ...ctxFields,
+        });
+        return ctx;
+    }
+    recordResponse(context, response, contentSize) {
+        const duration = performance.now() - context.startTime;
+        const durationLabel = `${Math.round(duration)}ms`;
+        const ctxFields = this.contextFields(context);
+        this.publish({
+            v: 1,
+            type: 'end',
+            requestId: context.requestId,
+            status: response.status,
+            duration,
+            ...ctxFields,
+        });
+        const contentType = response.headers.get('content-type') ?? undefined;
+        const contentLengthHeader = response.headers.get('content-length');
+        const size = contentLengthHeader ??
+            (contentSize === undefined ? undefined : String(contentSize));
+        this.logger.debug('HTTP Response', {
+            requestId: context.requestId,
+            status: response.status,
+            url: context.url,
+            duration: durationLabel,
+            ...ctxFields,
+            ...(contentType ? { contentType } : {}),
+            ...(size ? { size } : {}),
+        });
+        if (duration > SLOW_REQUEST_THRESHOLD_MS) {
+            this.logger.warn('Slow HTTP request detected', {
+                requestId: context.requestId,
+                url: context.url,
+                duration: durationLabel,
+                ...ctxFields,
+            });
+        }
+    }
+    recordError(context, error, status) {
+        const duration = performance.now() - context.startTime;
+        const err = toError(error);
+        const code = isSystemError(err) ? err.code : undefined;
+        const ctxFields = this.contextFields(context);
+        this.publish({
+            v: 1,
+            type: 'error',
+            requestId: context.requestId,
+            url: context.url,
+            error: err.message,
+            duration,
+            ...(code !== undefined ? { code } : {}),
+            ...(status !== undefined ? { status } : {}),
+            ...ctxFields,
+        });
+        const logData = {
+            requestId: context.requestId,
+            url: context.url,
+            status,
+            code,
+            error: err.message,
+            ...ctxFields,
+        };
+        if (status === 429) {
+            this.logger.warn('HTTP Request Error', logData);
+            return;
+        }
+        this.logger.error('HTTP Request Error', logData);
+    }
+    publish(event) {
+        if (!fetchChannel.hasSubscribers)
+            return;
+        try {
+            fetchChannel.publish(event);
+        }
+        catch {
+            // Best-effort telemetry; never crash request path.
+        }
     }
 }
-function createDnsPreflight(dnsResolver) {
-    return async (url, signal) => {
-        const hostname = extractHostname(url);
-        return await dnsResolver.resolveAndValidate(hostname, signal);
-    };
-}
+const defaultLogger = {
+    debug: logDebug,
+    warn: logWarn,
+    error: logError,
+};
+const defaultContext = {
+    getRequestId,
+    getOperationId,
+};
+const defaultRedactor = {
+    redact: redactUrl,
+};
+const defaultFetch = (input, init) => globalThis.fetch(input, init);
 class HttpFetcher {
     fetcherConfig;
     redirectFollower;
@@ -1387,6 +1083,29 @@ class HttpFetcher {
         }
     }
 }
+const DEFAULT_HEADERS = {
+    'User-Agent': config.fetcher.userAgent,
+    Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+    'Accept-Language': 'en-US,en;q=0.5',
+    'Accept-Encoding': 'gzip, deflate, br',
+    Connection: 'keep-alive',
+};
+function buildHeaders() {
+    return DEFAULT_HEADERS;
+}
+function buildRequestSignal(timeoutMs, external) {
+    if (timeoutMs <= 0)
+        return external;
+    const timeoutSignal = AbortSignal.timeout(timeoutMs);
+    return external ? AbortSignal.any([external, timeoutSignal]) : timeoutSignal;
+}
+function buildRequestInit(headers, signal) {
+    return {
+        method: 'GET',
+        headers,
+        ...(signal ? { signal } : {}),
+    };
+}
 const ipBlocker = new IpBlocker(config.security);
 const urlNormalizer = new UrlNormalizer(config.constants, config.security, ipBlocker, BLOCKED_HOST_SUFFIXES);
 const rawUrlTransformer = new RawUrlTransformer(defaultLogger);
@@ -1394,7 +1113,6 @@ const dnsResolver = new SafeDnsResolver(ipBlocker, config.security, BLOCKED_HOST
 const telemetry = new FetchTelemetry(defaultLogger, defaultContext, defaultRedactor);
 const normalizeRedirectUrl = (url) => urlNormalizer.validateAndNormalize(url);
 const dnsPreflight = createDnsPreflight(dnsResolver);
-// Redirect follower with per-hop DNS preflight.
 const secureRedirectFollower = new RedirectFollower(defaultFetch, normalizeRedirectUrl, dnsPreflight);
 const responseReader = new ResponseTextReader();
 const httpFetcher = new HttpFetcher(config.fetcher, secureRedirectFollower, responseReader, telemetry);
@@ -1436,4 +1154,3 @@ export async function fetchNormalizedUrl(normalizedUrl, options) {
 export async function fetchNormalizedUrlBuffer(normalizedUrl, options) {
     return httpFetcher.fetchNormalizedUrlBuffer(normalizedUrl, options);
 }
-//# sourceMappingURL=fetch.js.map