@j0hanz/superfetch 2.5.3 → 2.6.0

package/dist/fetch.js

@@ -1,106 +1,81 @@
+import { Buffer } from 'node:buffer';
 import { randomUUID } from 'node:crypto';
 import diagnosticsChannel from 'node:diagnostics_channel';
 import dns from 'node:dns';
-import { BlockList, isIP } from 'node:net';
+import { isIP } from 'node:net';
 import { performance } from 'node:perf_hooks';
+import { Readable } from 'node:stream';
+import { setTimeout as delay } from 'node:timers/promises';
+import { createBrotliDecompress, createGunzip, createInflate } from 'node:zlib';
 import { config } from './config.js';
 import { createErrorWithCode, FetchError, isSystemError } from './errors.js';
+import { createDefaultBlockList, normalizeIpForBlockList, } from './ip-blocklist.js';
 import { getOperationId, getRequestId, logDebug, logError, logWarn, redactUrl, } from './observability.js';
-import { isObject } from './type-guards.js';
-function buildIpv4(parts) {
-    return parts.join('.');
-}
-function buildIpv6(parts) {
-    return parts.map(String).join(':');
-}
-const IPV6_ZERO = buildIpv6([0, 0, 0, 0, 0, 0, 0, 0]);
-const IPV6_LOOPBACK = buildIpv6([0, 0, 0, 0, 0, 0, 0, 1]);
-const IPV6_64_FF9B = buildIpv6(['64', 'ff9b', 0, 0, 0, 0, 0, 0]);
-const IPV6_64_FF9B_1 = buildIpv6(['64', 'ff9b', 1, 0, 0, 0, 0, 0]);
-const IPV6_2001 = buildIpv6(['2001', 0, 0, 0, 0, 0, 0, 0]);
-const IPV6_2002 = buildIpv6(['2002', 0, 0, 0, 0, 0, 0, 0]);
-const IPV6_FC00 = buildIpv6(['fc00', 0, 0, 0, 0, 0, 0, 0]);
-const IPV6_FE80 = buildIpv6(['fe80', 0, 0, 0, 0, 0, 0, 0]);
-const IPV6_FF00 = buildIpv6(['ff00', 0, 0, 0, 0, 0, 0, 0]);
-const BLOCKED_IPV4_SUBNETS = [
-    { subnet: buildIpv4([0, 0, 0, 0]), prefix: 8 },
-    { subnet: buildIpv4([10, 0, 0, 0]), prefix: 8 },
-    { subnet: buildIpv4([100, 64, 0, 0]), prefix: 10 },
-    { subnet: buildIpv4([127, 0, 0, 0]), prefix: 8 },
-    { subnet: buildIpv4([169, 254, 0, 0]), prefix: 16 },
-    { subnet: buildIpv4([172, 16, 0, 0]), prefix: 12 },
-    { subnet: buildIpv4([192, 168, 0, 0]), prefix: 16 },
-    { subnet: buildIpv4([224, 0, 0, 0]), prefix: 4 },
-    { subnet: buildIpv4([240, 0, 0, 0]), prefix: 4 },
-];
-const BLOCKED_IPV6_SUBNETS = [
-    { subnet: IPV6_ZERO, prefix: 128 },
-    { subnet: IPV6_LOOPBACK, prefix: 128 },
-    { subnet: IPV6_64_FF9B, prefix: 96 },
-    { subnet: IPV6_64_FF9B_1, prefix: 48 },
-    { subnet: IPV6_2001, prefix: 32 },
-    { subnet: IPV6_2002, prefix: 16 },
-    { subnet: IPV6_FC00, prefix: 7 },
-    { subnet: IPV6_FE80, prefix: 10 },
-    { subnet: IPV6_FF00, prefix: 8 },
-];
+import { isError, isObject } from './type-guards.js';
+const defaultLogger = {
+    debug: logDebug,
+    warn: logWarn,
+    error: logError,
+};
+const defaultContext = {
+    getRequestId,
+    getOperationId,
+};
+const defaultRedactor = {
+    redact: redactUrl,
+};
+const defaultFetch = (input, init) => globalThis.fetch(input, init);
 class IpBlocker {
-    cachedBlockList;
+    security;
+    blockList = createDefaultBlockList();
+    constructor(security) {
+        this.security = security;
+    }
     isBlockedIp(candidate) {
-        if (config.security.blockedHosts.has(candidate))
-            return true;
-        const ipType = this.resolveIpType(candidate);
-        if (!ipType)
+        const normalized = candidate.trim().toLowerCase();
+        if (!normalized)
             return false;
-        const normalized = candidate.toLowerCase();
-        if (this.isBlockedBySubnetList(normalized, ipType))
+        if (this.security.blockedHosts.has(normalized))
             return true;
-        return (config.security.blockedIpPattern.test(normalized) ||
-            config.security.blockedIpv4MappedPattern.test(normalized));
-    }
-    resolveIpType(ip) {
-        const ipType = isIP(ip);
-        return ipType === 4 || ipType === 6 ? ipType : null;
-    }
-    isBlockedBySubnetList(ip, ipType) {
-        const list = this.getBlockList();
-        return ipType === 4 ? list.check(ip, 'ipv4') : list.check(ip, 'ipv6');
-    }
-    getBlockList() {
-        if (!this.cachedBlockList) {
-            const list = new BlockList();
-            for (const entry of BLOCKED_IPV4_SUBNETS)
-                list.addSubnet(entry.subnet, entry.prefix, 'ipv4');
-            for (const entry of BLOCKED_IPV6_SUBNETS)
-                list.addSubnet(entry.subnet, entry.prefix, 'ipv6');
-            this.cachedBlockList = list;
-        }
-        return this.cachedBlockList;
+        const normalizedIp = normalizeIpForBlockList(normalized);
+        if (!normalizedIp)
+            return false;
+        return this.blockList.check(normalizedIp.ip, normalizedIp.family);
     }
 }
-const ipBlocker = new IpBlocker();
-/** Backwards-compatible export */
-export function isBlockedIp(ip) {
-    return ipBlocker.isBlockedIp(ip);
-}
-/* -------------------------------------------------------------------------------------------------
- * URL normalization & hostname policy
- * ------------------------------------------------------------------------------------------------- */
 const VALIDATION_ERROR_CODE = 'VALIDATION_ERROR';
 function createValidationError(message) {
     return createErrorWithCode(message, VALIDATION_ERROR_CODE);
 }
 const BLOCKED_HOST_SUFFIXES = ['.local', '.internal'];
 class UrlNormalizer {
+    constants;
+    security;
+    ipBlocker;
+    blockedHostSuffixes;
+    constructor(constants, security, ipBlocker, blockedHostSuffixes) {
+        this.constants = constants;
+        this.security = security;
+        this.ipBlocker = ipBlocker;
+        this.blockedHostSuffixes = blockedHostSuffixes;
+    }
     normalize(urlString) {
         const trimmedUrl = this.requireTrimmedUrl(urlString);
-        this.assertUrlLength(trimmedUrl);
-        const url = this.parseUrl(trimmedUrl);
-        this.assertHttpProtocol(url);
-        this.assertNoCredentials(url);
+        if (trimmedUrl.length > this.constants.maxUrlLength) {
+            throw createValidationError(`URL exceeds maximum length of ${this.constants.maxUrlLength} characters`);
+        }
+        if (!URL.canParse(trimmedUrl)) {
+            throw createValidationError('Invalid URL format');
+        }
+        const url = new URL(trimmedUrl);
+        if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+            throw createValidationError(`Invalid protocol: ${url.protocol}. Only http: and https: are allowed`);
+        }
+        if (url.username || url.password) {
+            throw createValidationError('URLs with embedded credentials are not allowed');
+        }
         const hostname = this.normalizeHostname(url);
         this.assertHostnameAllowed(hostname);
-        // Canonicalize hostname to avoid trailing-dot variants and keep url.href consistent.
         url.hostname = hostname;
         return { normalizedUrl: url.href, hostname };
     }
@@ -116,32 +91,13 @@ class UrlNormalizer {
             throw createValidationError('URL cannot be empty');
         return trimmed;
     }
-    assertUrlLength(url) {
-        if (url.length <= config.constants.maxUrlLength)
-            return;
-        throw createValidationError(`URL exceeds maximum length of ${config.constants.maxUrlLength} characters`);
-    }
-    parseUrl(urlString) {
-        if (!URL.canParse(urlString))
-            throw createValidationError('Invalid URL format');
-        return new URL(urlString);
-    }
-    assertHttpProtocol(url) {
-        if (url.protocol === 'http:' || url.protocol === 'https:')
-            return;
-        throw createValidationError(`Invalid protocol: ${url.protocol}. Only http: and https: are allowed`);
-    }
-    assertNoCredentials(url) {
-        if (!url.username && !url.password)
-            return;
-        throw createValidationError('URLs with embedded credentials are not allowed');
-    }
     normalizeHostname(url) {
         let hostname = url.hostname.toLowerCase();
         while (hostname.endsWith('.'))
             hostname = hostname.slice(0, -1);
-        if (!hostname)
+        if (!hostname) {
             throw createValidationError('URL must have a valid hostname');
+        }
         return hostname;
     }
     assertHostnameAllowed(hostname) {
@@ -150,80 +106,62 @@ class UrlNormalizer {
         this.assertNotBlockedHostnameSuffix(hostname);
     }
     assertNotBlockedHost(hostname) {
-        if (!config.security.blockedHosts.has(hostname))
+        if (!this.security.blockedHosts.has(hostname))
             return;
         throw createValidationError(`Blocked host: ${hostname}. Internal hosts are not allowed`);
     }
     assertNotBlockedIp(hostname) {
-        if (!ipBlocker.isBlockedIp(hostname))
+        if (!this.ipBlocker.isBlockedIp(hostname))
             return;
         throw createValidationError(`Blocked IP range: ${hostname}. Private IPs are not allowed`);
     }
     assertNotBlockedHostnameSuffix(hostname) {
-        const blocked = BLOCKED_HOST_SUFFIXES.some((suffix) => hostname.endsWith(suffix));
+        const blocked = this.blockedHostSuffixes.some((suffix) => hostname.endsWith(suffix));
         if (!blocked)
             return;
         throw createValidationError(`Blocked hostname pattern: ${hostname}. Internal domain suffixes are not allowed`);
     }
 }
-const urlNormalizer = new UrlNormalizer();
-/** Backwards-compatible exports */
-export function normalizeUrl(urlString) {
-    return urlNormalizer.normalize(urlString);
-}
-export function validateAndNormalizeUrl(urlString) {
-    return urlNormalizer.validateAndNormalize(urlString);
+function getPatternGroup(groups, key) {
+    const value = groups[key];
+    if (value === undefined)
+        return null;
+    if (value === '')
+        return null;
+    return value;
 }
-const GITHUB_BLOB_RULE = {
-    name: 'github',
-    pattern: /^https?:\/\/(?:www\.)?github\.com\/([^/]+)\/([^/]+)\/blob\/([^/]+)\/(.+)$/i,
-    transform: (match) => {
-        const owner = match[1] ?? '';
-        const repo = match[2] ?? '';
-        const branch = match[3] ?? '';
-        const path = match[4] ?? '';
-        return `https://raw.githubusercontent.com/${owner}/${repo}/${branch}/${path}`;
-    },
-};
-const GITHUB_GIST_RULE = {
-    name: 'github-gist',
-    pattern: /^https?:\/\/gist\.github\.com\/([^/]+)\/([a-f0-9]+)(?:#file-(.+)|\/raw\/([^/]+))?$/i,
-    transform: (match) => {
-        const user = match[1] ?? '';
-        const gistId = match[2] ?? '';
-        const hashFile = match[3];
-        const rawFile = match[4];
-        const filename = rawFile ?? hashFile?.replace(/-/g, '.');
-        const filePath = filename ? `/${filename}` : '';
-        return `https://gist.githubusercontent.com/${user}/${gistId}/raw${filePath}`;
-    },
-};
-const GITLAB_BLOB_RULE = {
-    name: 'gitlab',
-    pattern: /^(https?:\/\/(?:[^/]+\.)?gitlab\.com\/[^/]+\/[^/]+)\/-\/blob\/([^/]+)\/(.+)$/i,
-    transform: (match) => {
-        const baseUrl = match[1] ?? '';
-        const branch = match[2] ?? '';
-        const path = match[3] ?? '';
-        return `${baseUrl}/-/raw/${branch}/${path}`;
-    },
-};
-const BITBUCKET_SRC_RULE = {
-    name: 'bitbucket',
-    pattern: /^(https?:\/\/(?:www\.)?bitbucket\.org\/[^/]+\/[^/]+)\/src\/([^/]+)\/(.+)$/i,
-    transform: (match) => {
-        const baseUrl = match[1] ?? '';
-        const branch = match[2] ?? '';
-        const path = match[3] ?? '';
-        return `${baseUrl}/raw/${branch}/${path}`;
-    },
-};
-const TRANSFORM_RULES = [
-    GITHUB_BLOB_RULE,
-    GITHUB_GIST_RULE,
-    GITLAB_BLOB_RULE,
-    BITBUCKET_SRC_RULE,
+const GITHUB_BLOB_PATTERN = new URLPattern({
+    protocol: 'http{s}?',
+    hostname: '{:sub.}?github.com',
+    pathname: '/:owner/:repo/blob/:branch/:path+',
+});
+const GITHUB_GIST_PATTERN = new URLPattern({
+    protocol: 'http{s}?',
+    hostname: 'gist.github.com',
+    pathname: '/:user/:gistId',
+});
+const GITHUB_GIST_RAW_PATTERN = new URLPattern({
+    protocol: 'http{s}?',
+    hostname: 'gist.github.com',
+    pathname: '/:user/:gistId/raw/:filePath+',
+});
+const GITLAB_BLOB_PATTERNS = [
+    new URLPattern({
+        protocol: 'http{s}?',
+        hostname: 'gitlab.com',
+        pathname: '/:base+/-/blob/:branch/:path+',
+    }),
+    new URLPattern({
+        protocol: 'http{s}?',
+        hostname: '*:sub.gitlab.com',
+        pathname: '/:base+/-/blob/:branch/:path+',
+    }),
 ];
+const BITBUCKET_SRC_PATTERN = new URLPattern({
+    protocol: 'http{s}?',
+    hostname: '{:sub.}?bitbucket.org',
+    pathname: '/:owner/:repo/src/:branch/:path+',
+});
 const BITBUCKET_RAW_RE = /bitbucket\.org\/[^/]+\/[^/]+\/raw\//;
 const RAW_TEXT_EXTENSIONS = new Set([
     '.md',
@@ -240,33 +178,57 @@ const RAW_TEXT_EXTENSIONS = new Set([
     '.org',
 ]);
 class RawUrlTransformer {
+    logger;
+    constructor(logger) {
+        this.logger = logger;
+    }
     transformToRawUrl(url) {
         if (!url)
             return { url, transformed: false };
         if (this.isRawUrl(url))
             return { url, transformed: false };
-        const { base, hash } = this.splitParams(url);
-        const result = this.applyRules(base, hash);
-        if (!result)
+        let base;
+        let hash;
+        let parsed;
+        try {
+            parsed = new URL(url);
+            base = parsed.origin + parsed.pathname;
+            ({ hash } = parsed);
+        }
+        catch {
+            ({ base, hash } = this.splitParams(url));
+        }
+        const match = this.tryTransformWithUrl(base, hash, parsed);
+        if (!match)
             return { url, transformed: false };
-        logDebug('URL transformed to raw content URL', {
-            platform: result.platform,
+        this.logger.debug('URL transformed to raw content URL', {
+            platform: match.platform,
             original: url.substring(0, 100),
-            transformed: result.url.substring(0, 100),
+            transformed: match.url.substring(0, 100),
         });
-        return { url: result.url, transformed: true, platform: result.platform };
+        return { url: match.url, transformed: true, platform: match.platform };
     }
-    isRawTextContentUrl(url) {
-        if (!url)
+    isRawTextContentUrl(urlString) {
+        if (!urlString)
             return false;
-        if (this.isRawUrl(url))
+        if (this.isRawUrl(urlString))
             return true;
-        const { base } = this.splitParams(url);
-        const lowerBase = base.toLowerCase();
-        const lastDot = lowerBase.lastIndexOf('.');
-        if (lastDot === -1)
-            return false;
-        return RAW_TEXT_EXTENSIONS.has(lowerBase.slice(lastDot));
+        try {
+            const url = new URL(urlString);
+            const pathname = url.pathname.toLowerCase();
+            const lastDot = pathname.lastIndexOf('.');
+            if (lastDot === -1)
+                return false;
+            return RAW_TEXT_EXTENSIONS.has(pathname.slice(lastDot));
+        }
+        catch {
+            const { base } = this.splitParams(urlString);
+            const lowerBase = base.toLowerCase();
+            const lastDot = lowerBase.lastIndexOf('.');
+            if (lastDot === -1)
+                return false;
+            return RAW_TEXT_EXTENSIONS.has(lowerBase.slice(lastDot));
+        }
     }
     isRawUrl(url) {
         const lower = url.toLowerCase();
@@ -275,226 +237,340 @@ class RawUrlTransformer {
             lower.includes('/-/raw/') ||
             BITBUCKET_RAW_RE.test(lower));
     }
-    splitParams(url) {
-        const hashIndex = url.indexOf('#');
-        const queryIndex = url.indexOf('?');
-        const endIndex = Math.min(queryIndex === -1 ? url.length : queryIndex, hashIndex === -1 ? url.length : hashIndex);
-        const hash = hashIndex !== -1 ? url.slice(hashIndex) : '';
-        return { base: url.slice(0, endIndex), hash };
-    }
-    applyRules(base, hash) {
-        for (const rule of TRANSFORM_RULES) {
-            const urlToMatch = rule.name === 'github-gist' && hash.startsWith('#file-')
-                ? base + hash
-                : base;
-            const match = rule.pattern.exec(urlToMatch);
-            if (match)
-                return { url: rule.transform(match), platform: rule.name };
-        }
-        return null;
-    }
-}
-const rawUrlTransformer = new RawUrlTransformer();
-/** Backwards-compatible exports */
-export function transformToRawUrl(url) {
-    return rawUrlTransformer.transformToRawUrl(url);
-}
-export function isRawTextContentUrl(url) {
-    return rawUrlTransformer.isRawTextContentUrl(url);
-}
-const DNS_LOOKUP_TIMEOUT_MS = 5000;
-class SafeDnsLookup {
-    lookup(hostname, options, callback) {
-        const normalizedOptions = this.normalizeOptions(options);
-        const useAll = Boolean(normalizedOptions.all);
-        const resolvedFamily = this.resolveFamily(normalizedOptions.family);
-        const lookupOptions = {
-            family: normalizedOptions.family,
-            hints: normalizedOptions.hints,
-            all: true, // Always request all results; we select based on caller preference.
-            order: this.resolveOrder(normalizedOptions),
-        };
-        const timeout = this.createTimeout(hostname, callback);
-        const safeCallback = (err, address, family) => {
-            if (timeout.isDone())
-                return;
-            timeout.markDone();
-            callback(err, address, family);
-        };
-        (async () => {
-            try {
-                const result = await dns.promises.lookup(hostname, lookupOptions);
-                const addresses = Array.isArray(result) ? result : [result];
-                this.handleLookupResult(null, addresses, hostname, resolvedFamily, useAll, safeCallback);
-            }
-            catch (error) {
-                this.handleLookupResult(error, [], hostname, resolvedFamily, useAll, safeCallback);
-            }
-        })().catch((error) => {
-            if (!timeout.isDone()) {
-                safeCallback(error, []);
-            }
-        });
-    }
-    normalizeOptions(options) {
-        return typeof options === 'number' ? { family: options } : options;
-    }
-    resolveFamily(family) {
-        if (family === 'IPv4')
-            return 4;
-        if (family === 'IPv6')
-            return 6;
-        return family;
-    }
-    resolveOrder(options) {
-        if (options.order)
-            return options.order;
-        // legacy `verbatim` option support
-        if (isObject(options)) {
-            const legacy = options.verbatim;
-            if (typeof legacy === 'boolean')
-                return legacy ? 'verbatim' : 'ipv4first';
-        }
-        return 'verbatim';
-    }
-    handleLookupResult(error, addresses, hostname, resolvedFamily, useAll, callback) {
-        if (error) {
-            callback(error, addresses);
-            return;
-        }
-        const list = this.normalizeResults(addresses, resolvedFamily);
-        const validationError = this.validateResults(list, hostname);
-        if (validationError) {
-            callback(validationError, list);
-            return;
+    splitParams(urlString) {
+        try {
+            const url = new URL(urlString);
+            const base = url.origin + url.pathname;
+            return { base, hash: url.hash };
         }
-        const selection = this.selectResult(list, useAll, hostname);
-        if (selection.error) {
-            callback(selection.error, selection.fallback);
-            return;
+        catch {
+            const hashIndex = urlString.indexOf('#');
+            const queryIndex = urlString.indexOf('?');
+            const endIndex = Math.min(queryIndex === -1 ? urlString.length : queryIndex, hashIndex === -1 ? urlString.length : hashIndex);
+            const hash = hashIndex !== -1 ? urlString.slice(hashIndex) : '';
+            return { base: urlString.slice(0, endIndex), hash };
         }
-        callback(null, selection.address, selection.family);
     }
-    normalizeResults(addresses, family) {
-        if (Array.isArray(addresses))
-            return addresses;
-        return [{ address: addresses, family: family ?? 4 }];
-    }
-    validateResults(list, hostname) {
-        if (list.length === 0) {
-            return createErrorWithCode(`No DNS results returned for ${hostname}`, 'ENODATA');
+    tryTransformWithUrl(base, hash, preParsed) {
+        let parsed = null;
+        if (preParsed?.href.startsWith(base)) {
+            parsed = preParsed;
         }
-        for (const addr of list) {
-            if (addr.family !== 4 && addr.family !== 6) {
-                return createErrorWithCode(`Invalid address family returned for ${hostname}`, 'EINVAL');
-            }
-            if (ipBlocker.isBlockedIp(addr.address)) {
-                return createErrorWithCode(`Blocked IP detected for ${hostname}`, 'EBLOCKED');
-            }
+        else if (URL.canParse(base)) {
+            parsed = new URL(base);
         }
+        if (!parsed)
+            return null;
+        if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')
+            return null;
+        const gist = this.transformGithubGist(base, hash);
+        if (gist)
+            return gist;
+        const github = this.transformGithubBlob(base);
+        if (github)
+            return github;
+        const gitlab = this.transformGitLab(base, parsed.origin);
+        if (gitlab)
+            return gitlab;
+        const bitbucket = this.transformBitbucket(base, parsed.origin);
+        if (bitbucket)
+            return bitbucket;
         return null;
     }
-    selectResult(list, useAll, hostname) {
-        if (list.length === 0) {
+    transformGithubBlob(url) {
+        const match = GITHUB_BLOB_PATTERN.exec(url);
+        if (!match)
+            return null;
+        const groups = match.pathname.groups;
+        const owner = getPatternGroup(groups, 'owner');
+        const repo = getPatternGroup(groups, 'repo');
+        const branch = getPatternGroup(groups, 'branch');
+        const path = getPatternGroup(groups, 'path');
+        if (!owner || !repo || !branch || !path)
+            return null;
+        return {
+            url: `https://raw.githubusercontent.com/${owner}/${repo}/${branch}/${path}`,
+            platform: 'github',
+        };
+    }
+    transformGithubGist(url, hash) {
+        const rawMatch = GITHUB_GIST_RAW_PATTERN.exec(url);
+        if (rawMatch) {
+            const groups = rawMatch.pathname.groups;
+            const user = getPatternGroup(groups, 'user');
+            const gistId = getPatternGroup(groups, 'gistId');
+            const filePath = getPatternGroup(groups, 'filePath');
+            if (!user || !gistId)
+                return null;
+            const resolvedFilePath = filePath ? `/${filePath}` : '';
             return {
-                error: createErrorWithCode(`No DNS results returned for ${hostname}`, 'ENODATA'),
-                fallback: [],
-                address: [],
+                url: `https://gist.githubusercontent.com/${user}/${gistId}/raw${resolvedFilePath}`,
+                platform: 'github-gist',
             };
         }
-        if (useAll)
-            return { address: list, fallback: list };
-        const first = list.at(0);
-        if (!first) {
+        const match = GITHUB_GIST_PATTERN.exec(url);
+        if (!match)
+            return null;
+        const groups = match.pathname.groups;
+        const user = getPatternGroup(groups, 'user');
+        const gistId = getPatternGroup(groups, 'gistId');
+        if (!user || !gistId)
+            return null;
+        let filePath = '';
+        if (hash.startsWith('#file-')) {
+            const filename = hash.slice('#file-'.length).replace(/-/g, '.');
+            if (filename)
+                filePath = `/${filename}`;
+        }
+        return {
+            url: `https://gist.githubusercontent.com/${user}/${gistId}/raw${filePath}`,
+            platform: 'github-gist',
+        };
+    }
+    transformGitLab(url, origin) {
+        for (const pattern of GITLAB_BLOB_PATTERNS) {
+            const match = pattern.exec(url);
+            if (!match)
+                continue;
+            const groups = match.pathname.groups;
+            const base = getPatternGroup(groups, 'base');
+            const branch = getPatternGroup(groups, 'branch');
+            const path = getPatternGroup(groups, 'path');
+            if (!base || !branch || !path)
+                return null;
             return {
-                error: createErrorWithCode(`No DNS results returned for ${hostname}`, 'ENODATA'),
-                fallback: [],
-                address: [],
+                url: `${origin}/${base}/-/raw/${branch}/${path}`,
+                platform: 'gitlab',
             };
         }
-        return { address: first.address, family: first.family, fallback: list };
+        return null;
     }
-    createTimeout(hostname, callback) {
-        let done = false;
-        const timer = setTimeout(() => {
-            if (done)
-                return;
-            done = true;
-            callback(createErrorWithCode(`DNS lookup timed out for ${hostname}`, 'ETIMEOUT'), []);
-        }, DNS_LOOKUP_TIMEOUT_MS);
-        timer.unref();
+    transformBitbucket(url, origin) {
+        const match = BITBUCKET_SRC_PATTERN.exec(url);
+        if (!match)
+            return null;
+        const groups = match.pathname.groups;
+        const owner = getPatternGroup(groups, 'owner');
+        const repo = getPatternGroup(groups, 'repo');
+        const branch = getPatternGroup(groups, 'branch');
+        const path = getPatternGroup(groups, 'path');
+        if (!owner || !repo || !branch || !path)
+            return null;
         return {
-            isDone: () => done,
-            markDone: () => {
-                done = true;
-                clearTimeout(timer);
-            },
+            url: `${origin}/${owner}/${repo}/raw/${branch}/${path}`,
+            platform: 'bitbucket',
         };
     }
 }
-const safeDns = new SafeDnsLookup();
-async function assertSafeDnsLookup(hostname) {
-    await new Promise((resolve, reject) => {
-        safeDns.lookup(hostname, { all: true }, (err) => {
-            if (err) {
-                reject(err);
-                return;
-            }
-            resolve();
-        });
-    });
-}
-/* -------------------------------------------------------------------------------------------------
- * Fetch error mapping (request-level)
- * ------------------------------------------------------------------------------------------------- */
-function parseRetryAfter(header) {
-    if (!header)
-        return 60;
-    const parsed = Number.parseInt(header, 10);
-    return Number.isNaN(parsed) ? 60 : parsed;
+const DNS_LOOKUP_TIMEOUT_MS = 5000;
+const CNAME_LOOKUP_MAX_DEPTH = 5;
+function normalizeDnsName(value) {
+    let normalized = value.trim().toLowerCase();
+    while (normalized.endsWith('.'))
+        normalized = normalized.slice(0, -1);
+    return normalized;
 }
-class FetchErrorFactory {
-    canceled(url) {
-        return new FetchError('Request was canceled', url, 499, {
-            reason: 'aborted',
-        });
+function createAbortRace(signal, onAbort) {
+    if (!signal) {
+        return { abortPromise: null, cleanup: () => { } };
     }
-    timeout(url, timeoutMs) {
-        return new FetchError(`Request timeout after ${timeoutMs}ms`, url, 504, {
-            timeout: timeoutMs,
-        });
+    if (signal.aborted) {
+        return {
+            abortPromise: Promise.reject(onAbort()),
+            cleanup: () => { },
+        };
     }
-    rateLimited(url, retryAfterHeader) {
-        return new FetchError('Too many requests', url, 429, {
-            retryAfter: parseRetryAfter(retryAfterHeader),
-        });
+    let abortListener = null;
+    const abortPromise = new Promise((_, reject) => {
+        abortListener = () => {
+            reject(onAbort());
+        };
+        signal.addEventListener('abort', abortListener, { once: true });
+    });
+    const cleanup = () => {
+        if (!abortListener)
+            return;
+        try {
+            signal.removeEventListener('abort', abortListener);
+        }
+        catch {
+            // Ignore listener cleanup failures; they are non-fatal by design.
+        }
+        abortListener = null;
+    };
+    return { abortPromise, cleanup };
+}
+async function withTimeout(promise, timeoutMs, onTimeout, signal, onAbort) {
+    const controller = new AbortController();
+    const timeoutPromise = delay(timeoutMs, null, {
+        ref: false,
+        signal: controller.signal,
+    })
+        .then(() => Promise.reject(onTimeout()))
+        .catch((err) => {
+        if (isError(err) && err.name === 'AbortError')
+            return new Promise(() => { });
+        throw err;
+    });
+    const abortRace = createAbortRace(signal, onAbort ?? (() => new Error('Request was canceled')));
+    try {
+        return await Promise.race(abortRace.abortPromise
+            ? [promise, timeoutPromise, abortRace.abortPromise]
+            : [promise, timeoutPromise]);
     }
-    http(url, status, statusText) {
-        return new FetchError(`HTTP ${status}: ${statusText}`, url, status);
+    finally {
+        controller.abort();
+        abortRace.cleanup();
     }
-    tooManyRedirects(url) {
-        return new FetchError('Too many redirects', url);
+}
+function createAbortSignalError() {
+    const err = new Error('Request was canceled');
+    err.name = 'AbortError';
+    return err;
+}
+class SafeDnsResolver {
+    ipBlocker;
+    security;
+    blockedHostSuffixes;
+    constructor(ipBlocker, security, blockedHostSuffixes) {
+        this.ipBlocker = ipBlocker;
+        this.security = security;
+        this.blockedHostSuffixes = blockedHostSuffixes;
     }
-    missingRedirectLocation(url) {
-        return new FetchError('Redirect response missing Location header', url);
+    async assertSafeHostname(hostname, signal) {
+        const normalizedHostname = normalizeDnsName(hostname);
+        if (!normalizedHostname) {
+            throw createErrorWithCode('Invalid hostname provided', 'EINVAL');
+        }
+        if (signal?.aborted) {
+            throw createAbortSignalError();
+        }
+        if (isIP(normalizedHostname)) {
+            if (this.ipBlocker.isBlockedIp(normalizedHostname)) {
+                throw createErrorWithCode(`Blocked IP range: ${normalizedHostname}. Private IPs are not allowed`, 'EBLOCKED');
+            }
+            return;
+        }
+        await this.assertNoBlockedCname(normalizedHostname, signal);
+        const resultPromise = dns.promises.lookup(normalizedHostname, {
+            all: true,
+            order: 'verbatim',
+        });
+        const addresses = await withTimeout(resultPromise, DNS_LOOKUP_TIMEOUT_MS, () => createErrorWithCode(`DNS lookup timed out for ${normalizedHostname}`, 'ETIMEOUT'), signal, createAbortSignalError);
+        if (addresses.length === 0) {
+            throw createErrorWithCode(`No DNS results returned for ${normalizedHostname}`, 'ENODATA');
+        }
+        for (const addr of addresses) {
+            if (addr.family !== 4 && addr.family !== 6) {
+                throw createErrorWithCode(`Invalid address family returned for ${normalizedHostname}`, 'EINVAL');
+            }
+            if (this.ipBlocker.isBlockedIp(addr.address)) {
+                throw createErrorWithCode(`Blocked IP detected for ${normalizedHostname}`, 'EBLOCKED');
+            }
+        }
     }
-    sizeLimit(url, maxBytes) {
-        return new FetchError(`Response exceeds maximum size of ${maxBytes} bytes`, url);
+    isBlockedHostname(hostname) {
+        if (this.security.blockedHosts.has(hostname))
+            return true;
+        return this.blockedHostSuffixes.some((suffix) => hostname.endsWith(suffix));
     }
-    network(url, message) {
-        return new FetchError(`Network error: Could not reach ${url}`, url, undefined, message ? { message } : {});
+    async assertNoBlockedCname(hostname, signal) {
+        let current = hostname;
+        const seen = new Set();
+        for (let depth = 0; depth < CNAME_LOOKUP_MAX_DEPTH; depth += 1) {
+            if (!current || seen.has(current))
+                return;
+            seen.add(current);
+            const cnames = await this.resolveCname(current, signal);
+            if (cnames.length === 0)
+                return;
+            for (const cname of cnames) {
+                if (this.isBlockedHostname(cname)) {
+                    throw createErrorWithCode(`Blocked DNS CNAME detected for ${hostname}: ${cname}`, 'EBLOCKED');
+                }
+            }
+            current = cnames[0] ?? '';
+        }
     }
-    unknown(url, message) {
-        return new FetchError(message, url);
+    async resolveCname(hostname, signal) {
+        try {
+            const resultPromise = dns.promises.resolveCname(hostname);
+            const cnames = await withTimeout(resultPromise, DNS_LOOKUP_TIMEOUT_MS, () => createErrorWithCode(`DNS CNAME lookup timed out for ${hostname}`, 'ETIMEOUT'), signal, createAbortSignalError);
+            return cnames
+                .map((value) => normalizeDnsName(value))
+                .filter((value) => value.length > 0);
+        }
+        catch (error) {
+            if (isError(error) && error.name === 'AbortError') {
+                throw error;
+            }
+            if (isSystemError(error) &&
+                (error.code === 'ENODATA' ||
+                    error.code === 'ENOTFOUND' ||
+                    error.code === 'ENODOMAIN')) {
+                return [];
+            }
+            return [];
+        }
     }
 }
-const fetchErrors = new FetchErrorFactory();
+function parseRetryAfter(header) {
+    if (!header)
+        return 60;
+    const trimmed = header.trim();
+    // Retry-After can be seconds or an HTTP-date.
+    const seconds = Number.parseInt(trimmed, 10);
+    if (!Number.isNaN(seconds) && seconds >= 0)
+        return seconds;
+    const dateMs = Date.parse(trimmed);
+    if (Number.isNaN(dateMs))
+        return 60;
+    const deltaMs = dateMs - Date.now();
+    if (deltaMs <= 0)
+        return 0;
+    return Math.ceil(deltaMs / 1000);
+}
+function createCanceledFetchError(url) {
+    return new FetchError('Request was canceled', url, 499, {
+        reason: 'aborted',
+    });
+}
+function createTimeoutFetchError(url, timeoutMs) {
+    return new FetchError(`Request timeout after ${timeoutMs}ms`, url, 504, {
+        timeout: timeoutMs,
+    });
+}
+function createRateLimitedFetchError(url, retryAfterHeader) {
+    return new FetchError('Too many requests', url, 429, {
+        retryAfter: parseRetryAfter(retryAfterHeader),
+    });
+}
+function createHttpFetchError(url, status, statusText) {
+    return new FetchError(`HTTP ${status}: ${statusText}`, url, status);
+}
+function createTooManyRedirectsFetchError(url) {
+    return new FetchError('Too many redirects', url);
+}
+function createMissingRedirectLocationFetchError(url) {
+    return new FetchError('Redirect response missing Location header', url);
+}
+function createNetworkFetchError(url, message) {
+    return new FetchError(`Network error: Could not reach ${url}`, url, undefined, message ? { message } : {});
+}
+function createUnknownFetchError(url, message) {
+    return new FetchError(message, url);
+}
+function createAbortedFetchError(url) {
+    return new FetchError('Request was aborted during response read', url, 499, {
+        reason: 'aborted',
+    });
+}
 function isAbortError(error) {
-    return (error instanceof Error &&
+    return (isError(error) &&
         (error.name === 'AbortError' || error.name === 'TimeoutError'));
 }
 function isTimeoutError(error) {
-    return error instanceof Error && error.name === 'TimeoutError';
+    return isError(error) && error.name === 'TimeoutError';
 }
 function resolveErrorUrl(error, fallback) {
     if (error instanceof FetchError)
@@ -510,122 +586,165 @@ function mapFetchError(error, fallbackUrl, timeoutMs) {
     const url = resolveErrorUrl(error, fallbackUrl);
     if (isAbortError(error)) {
         return isTimeoutError(error)
-            ? fetchErrors.timeout(url, timeoutMs)
-            : fetchErrors.canceled(url);
+            ? createTimeoutFetchError(url, timeoutMs)
+            : createCanceledFetchError(url);
+    }
+    if (!isError(error))
+        return createUnknownFetchError(url, 'Unexpected error');
+    if (!isSystemError(error))
+        return createNetworkFetchError(url, error.message);
+    const { code } = error;
+    if (code === 'ETIMEOUT') {
+        return new FetchError(error.message, url, 504, { code });
     }
-    if (error instanceof Error)
-        return fetchErrors.network(url, error.message);
-    return fetchErrors.unknown(url, 'Unexpected error');
+    if (code === VALIDATION_ERROR_CODE ||
+        code === 'EBADREDIRECT' ||
+        code === 'EBLOCKED' ||
+        code === 'ENODATA' ||
+        code === 'EINVAL') {
+        return new FetchError(error.message, url, 400, { code });
+    }
+    return new FetchError(`Network error: Could not reach ${url}`, url, undefined, {
+        code,
+        message: error.message,
+    });
 }
 const fetchChannel = diagnosticsChannel.channel('superfetch.fetch');
 const SLOW_REQUEST_THRESHOLD_MS = 5000;
 class FetchTelemetry {
+    logger;
+    context;
+    redactor;
+    constructor(logger, context, redactor) {
+        this.logger = logger;
+        this.context = context;
+        this.redactor = redactor;
+    }
+    redact(url) {
+        return this.redactor.redact(url);
+    }
     start(url, method) {
-        const safeUrl = redactUrl(url);
-        const contextRequestId = getRequestId();
-        const operationId = getOperationId();
+        const safeUrl = this.redactor.redact(url);
+        const contextRequestId = this.context.getRequestId();
+        const operationId = this.context.getOperationId();
         const ctx = {
             requestId: randomUUID(),
             startTime: performance.now(),
             url: safeUrl,
             method: method.toUpperCase(),
-            ...(contextRequestId ? { contextRequestId } : {}),
-            ...(operationId ? { operationId } : {}),
         };
-        this.publish({
+        if (contextRequestId)
+            ctx.contextRequestId = contextRequestId;
+        if (operationId)
+            ctx.operationId = operationId;
+        const event = {
             v: 1,
             type: 'start',
             requestId: ctx.requestId,
             method: ctx.method,
             url: ctx.url,
-            ...(ctx.contextRequestId
-                ? { contextRequestId: ctx.contextRequestId }
-                : {}),
-            ...(ctx.operationId ? { operationId: ctx.operationId } : {}),
-        });
-        logDebug('HTTP Request', {
+        };
+        if (ctx.contextRequestId)
+            event.contextRequestId = ctx.contextRequestId;
+        if (ctx.operationId)
+            event.operationId = ctx.operationId;
+        this.publish(event);
+        const logData = {
             requestId: ctx.requestId,
             method: ctx.method,
             url: ctx.url,
-            ...(ctx.contextRequestId
-                ? { contextRequestId: ctx.contextRequestId }
-                : {}),
-            ...(ctx.operationId ? { operationId: ctx.operationId } : {}),
-        });
+        };
+        if (ctx.contextRequestId)
+            logData.contextRequestId = ctx.contextRequestId;
+        if (ctx.operationId)
+            logData.operationId = ctx.operationId;
+        this.logger.debug('HTTP Request', logData);
         return ctx;
     }
     recordResponse(context, response, contentSize) {
         const duration = performance.now() - context.startTime;
         const durationLabel = `${Math.round(duration)}ms`;
-        this.publish({
+        const event = {
             v: 1,
             type: 'end',
             requestId: context.requestId,
             status: response.status,
             duration,
-            ...(context.contextRequestId
-                ? { contextRequestId: context.contextRequestId }
-                : {}),
-            ...(context.operationId ? { operationId: context.operationId } : {}),
-        });
+        };
+        if (context.contextRequestId)
+            event.contextRequestId = context.contextRequestId;
+        if (context.operationId)
+            event.operationId = context.operationId;
+        this.publish(event);
         const contentType = response.headers.get('content-type') ?? undefined;
         const contentLengthHeader = response.headers.get('content-length');
         const size = contentLengthHeader ??
             (contentSize === undefined ? undefined : String(contentSize));
-        logDebug('HTTP Response', {
+        const logData = {
             requestId: context.requestId,
             status: response.status,
             url: context.url,
             duration: durationLabel,
-            ...(context.contextRequestId
-                ? { contextRequestId: context.contextRequestId }
-                : {}),
-            ...(context.operationId ? { operationId: context.operationId } : {}),
-            ...(contentType ? { contentType } : {}),
-            ...(size ? { size } : {}),
-        });
+        };
+        if (context.contextRequestId)
+            logData.contextRequestId = context.contextRequestId;
+        if (context.operationId)
+            logData.operationId = context.operationId;
+        if (contentType)
+            logData.contentType = contentType;
+        if (size)
+            logData.size = size;
+        this.logger.debug('HTTP Response', logData);
         if (duration > SLOW_REQUEST_THRESHOLD_MS) {
-            logWarn('Slow HTTP request detected', {
+            const warnData = {
                 requestId: context.requestId,
                 url: context.url,
                 duration: durationLabel,
-                ...(context.contextRequestId
-                    ? { contextRequestId: context.contextRequestId }
-                    : {}),
-                ...(context.operationId ? { operationId: context.operationId } : {}),
-            });
+            };
+            if (context.contextRequestId)
+                warnData.contextRequestId = context.contextRequestId;
+            if (context.operationId)
+                warnData.operationId = context.operationId;
+            this.logger.warn('Slow HTTP request detected', warnData);
         }
     }
     recordError(context, error, status) {
         const duration = performance.now() - context.startTime;
-        const err = error instanceof Error ? error : new Error(String(error));
+        const err = isError(error) ? error : new Error(String(error));
         const code = isSystemError(err) ? err.code : undefined;
-        this.publish({
+        const event = {
             v: 1,
             type: 'error',
             requestId: context.requestId,
             url: context.url,
             error: err.message,
             duration,
-            ...(code !== undefined ? { code } : {}),
-            ...(status !== undefined ? { status } : {}),
-            ...(context.contextRequestId
-                ? { contextRequestId: context.contextRequestId }
-                : {}),
-            ...(context.operationId ? { operationId: context.operationId } : {}),
-        });
-        const log = status === 429 ? logWarn : logError;
-        log('HTTP Request Error', {
+        };
+        if (code !== undefined)
+            event.code = code;
+        if (status !== undefined)
+            event.status = status;
+        if (context.contextRequestId)
+            event.contextRequestId = context.contextRequestId;
+        if (context.operationId)
+            event.operationId = context.operationId;
+        this.publish(event);
+        const logData = {
             requestId: context.requestId,
             url: context.url,
             status,
             code,
             error: err.message,
-            ...(context.contextRequestId
-                ? { contextRequestId: context.contextRequestId }
-                : {}),
-            ...(context.operationId ? { operationId: context.operationId } : {}),
-        });
+        };
+        if (context.contextRequestId)
+            logData.contextRequestId = context.contextRequestId;
+        if (context.operationId)
+            logData.operationId = context.operationId;
+        if (status === 429) {
+            this.logger.warn('HTTP Request Error', logData);
+            return;
+        }
+        this.logger.error('HTTP Request Error', logData);
     }
     publish(event) {
         if (!fetchChannel.hasSubscribers)
@@ -634,49 +753,50 @@ class FetchTelemetry {
             fetchChannel.publish(event);
         }
         catch {
-            // Best-effort; subscriber failures must not crash request path.
+            // Best-effort telemetry; never crash request path.
         }
     }
 }
-const telemetry = new FetchTelemetry();
-/** Backwards-compatible exports */
-export function startFetchTelemetry(url, method) {
-    return telemetry.start(url, method);
-}
-export function recordFetchResponse(context, response, contentSize) {
-    telemetry.recordResponse(context, response, contentSize);
-}
-export function recordFetchError(context, error, status) {
-    telemetry.recordError(context, error, status);
-}
-/* -------------------------------------------------------------------------------------------------
- * Redirect handling
- * ------------------------------------------------------------------------------------------------- */
 const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
 function isRedirectStatus(status) {
     return REDIRECT_STATUSES.has(status);
 }
 function cancelResponseBody(response) {
     const cancelPromise = response.body?.cancel();
-    if (cancelPromise)
-        cancelPromise.catch(() => {
-            /* ignore */
-        });
+    if (!cancelPromise)
+        return;
+    void cancelPromise.catch(() => undefined);
 }
 class RedirectFollower {
+    fetchFn;
+    normalizeUrl;
+    preflight;
+    constructor(fetchFn, normalizeUrl, preflight) {
+        this.fetchFn = fetchFn;
+        this.normalizeUrl = normalizeUrl;
+        this.preflight = preflight;
+    }
     async fetchWithRedirects(url, init, maxRedirects) {
         let currentUrl = url;
         const redirectLimit = Math.max(0, maxRedirects);
         for (let redirectCount = 0; redirectCount <= redirectLimit; redirectCount += 1) {
-            const { response, nextUrl } = await this.withRedirectErrorContext(currentUrl, async () => this.performFetchCycle(currentUrl, init, redirectLimit, redirectCount));
+            const { response, nextUrl } = await this.withRedirectErrorContext(currentUrl, async () => {
+                if (this.preflight) {
+                    await this.preflight(currentUrl, init.signal ?? undefined);
+                }
+                return this.performFetchCycle(currentUrl, init, redirectLimit, redirectCount);
+            });
             if (!nextUrl)
                 return { response, url: currentUrl };
             currentUrl = nextUrl;
         }
-        throw fetchErrors.tooManyRedirects(currentUrl);
+        throw createTooManyRedirectsFetchError(currentUrl);
     }
     async performFetchCycle(currentUrl, init, redirectLimit, redirectCount) {
-        const response = await fetch(currentUrl, { ...init, redirect: 'manual' });
+        const response = await this.fetchFn(currentUrl, {
+            ...init,
+            redirect: 'manual',
+        });
         if (!isRedirectStatus(response.status))
             return { response };
         this.assertRedirectWithinLimit(response, currentUrl, redirectLimit, redirectCount);
@@ -691,23 +811,24 @@ class RedirectFollower {
         if (redirectCount < redirectLimit)
             return;
         cancelResponseBody(response);
-        throw fetchErrors.tooManyRedirects(currentUrl);
+        throw createTooManyRedirectsFetchError(currentUrl);
     }
     getRedirectLocation(response, currentUrl) {
         const location = response.headers.get('location');
         if (location)
             return location;
         cancelResponseBody(response);
-        throw fetchErrors.missingRedirectLocation(currentUrl);
+        throw createMissingRedirectLocationFetchError(currentUrl);
     }
     resolveRedirectTarget(baseUrl, location) {
-        if (!URL.canParse(location, baseUrl))
+        if (!URL.canParse(location, baseUrl)) {
             throw createErrorWithCode('Invalid redirect target', 'EBADREDIRECT');
+        }
         const resolved = new URL(location, baseUrl);
         if (resolved.username || resolved.password) {
             throw createErrorWithCode('Redirect target includes credentials', 'EBADREDIRECT');
         }
-        return validateAndNormalizeUrl(resolved.href);
+        return this.normalizeUrl(resolved.href);
     }
     annotateRedirectError(error, url) {
         if (!isObject(error))
@@ -724,94 +845,266 @@ class RedirectFollower {
         }
     }
 }
-const redirectFollower = new RedirectFollower();
-/** Backwards-compatible export */
-export async function fetchWithRedirects(url, init, maxRedirects) {
-    return redirectFollower.fetchWithRedirects(url, init, maxRedirects);
+function getCharsetFromContentType(contentType) {
+    if (!contentType)
+        return undefined;
+    const match = /charset=([^;]+)/i.exec(contentType);
+    const charsetGroup = match?.[1];
+    if (!charsetGroup)
+        return undefined;
+    let charset = charsetGroup.trim();
+    if (charset.startsWith('"') && charset.endsWith('"')) {
+        charset = charset.slice(1, -1);
+    }
+    return charset.trim();
 }
-/* -------------------------------------------------------------------------------------------------
- * Response reading (max size + abort-aware streaming)
- * ------------------------------------------------------------------------------------------------- */
-function assertContentLengthWithinLimit(response, url, maxBytes) {
-    const header = response.headers.get('content-length');
-    if (!header)
-        return;
-    const contentLength = Number.parseInt(header, 10);
-    if (Number.isNaN(contentLength) || contentLength <= maxBytes)
-        return;
-    cancelResponseBody(response);
-    throw fetchErrors.sizeLimit(url, maxBytes);
+function createDecoder(encoding) {
+    if (!encoding)
+        return new TextDecoder('utf-8');
+    try {
+        return new TextDecoder(encoding);
+    }
+    catch {
+        return new TextDecoder('utf-8');
+    }
+}
+function normalizeEncodingLabel(encoding) {
+    return encoding?.trim().toLowerCase() ?? '';
+}
+function isUnicodeWideEncoding(encoding) {
+    const normalized = normalizeEncodingLabel(encoding);
+    return (normalized.startsWith('utf-16') ||
+        normalized.startsWith('utf-32') ||
+        normalized === 'ucs-2' ||
+        normalized === 'unicodefffe' ||
+        normalized === 'unicodefeff');
+}
+const BOM_SIGNATURES = [
+    // 4-byte BOMs must come first to avoid false matches with 2-byte prefixes
+    { bytes: [0xff, 0xfe, 0x00, 0x00], encoding: 'utf-32le' },
+    { bytes: [0x00, 0x00, 0xfe, 0xff], encoding: 'utf-32be' },
+    { bytes: [0xef, 0xbb, 0xbf], encoding: 'utf-8' },
+    { bytes: [0xff, 0xfe], encoding: 'utf-16le' },
+    { bytes: [0xfe, 0xff], encoding: 'utf-16be' },
+];
+function detectBomEncoding(buffer) {
+    for (const { bytes, encoding } of BOM_SIGNATURES) {
+        if (startsWithBytes(buffer, bytes))
+            return encoding;
+    }
+    return undefined;
+}
+function readQuotedValue(input, startIndex) {
+    const first = input[startIndex];
+    if (!first)
+        return '';
+    const quoted = first === '"' || first === "'";
+    if (quoted) {
+        const end = input.indexOf(first, startIndex + 1);
+        return end === -1 ? '' : input.slice(startIndex + 1, end).trim();
+    }
+    const tail = input.slice(startIndex);
+    const stop = tail.search(/[\s/>]/);
+    return (stop === -1 ? tail : tail.slice(0, stop)).trim();
+}
+function extractHtmlCharset(headSnippet) {
+    const lower = headSnippet.toLowerCase();
+    const charsetToken = 'charset=';
+    const charsetIdx = lower.indexOf(charsetToken);
+    if (charsetIdx === -1)
+        return undefined;
+    const valueStart = charsetIdx + charsetToken.length;
+    const charset = readQuotedValue(headSnippet, valueStart);
+    return charset ? charset.toLowerCase() : undefined;
+}
+function extractXmlEncoding(headSnippet) {
+    const lower = headSnippet.toLowerCase();
+    const xmlStart = lower.indexOf('<?xml');
+    if (xmlStart === -1)
+        return undefined;
+    const xmlEnd = lower.indexOf('?>', xmlStart);
+    const declaration = xmlEnd === -1
+        ? headSnippet.slice(xmlStart)
+        : headSnippet.slice(xmlStart, xmlEnd + 2);
+    const declarationLower = declaration.toLowerCase();
+    const encodingToken = 'encoding=';
+    const encodingIdx = declarationLower.indexOf(encodingToken);
+    if (encodingIdx === -1)
+        return undefined;
+    const valueStart = encodingIdx + encodingToken.length;
+    const encoding = readQuotedValue(declaration, valueStart);
+    return encoding ? encoding.toLowerCase() : undefined;
+}
+function detectHtmlDeclaredEncoding(buffer) {
+    const scanSize = Math.min(buffer.length, 8_192);
+    if (scanSize === 0)
+        return undefined;
+    const headSnippet = Buffer.from(buffer.buffer, buffer.byteOffset, scanSize).toString('latin1');
+    return extractHtmlCharset(headSnippet) ?? extractXmlEncoding(headSnippet);
+}
+function resolveEncoding(declaredEncoding, sample) {
+    const bomEncoding = detectBomEncoding(sample);
+    if (bomEncoding)
+        return bomEncoding;
+    if (declaredEncoding)
+        return declaredEncoding;
+    return detectHtmlDeclaredEncoding(sample);
+}
+const BINARY_SIGNATURES = [
+    [0x25, 0x50, 0x44, 0x46],
+    [0x89, 0x50, 0x4e, 0x47],
+    [0x47, 0x49, 0x46, 0x38],
+    [0xff, 0xd8, 0xff],
+    [0x52, 0x49, 0x46, 0x46],
+    [0x42, 0x4d],
+    [0x49, 0x49, 0x2a, 0x00],
+    [0x4d, 0x4d, 0x00, 0x2a],
+    [0x00, 0x00, 0x01, 0x00],
+    [0x50, 0x4b, 0x03, 0x04],
+    [0x1f, 0x8b],
+    [0x42, 0x5a, 0x68],
+    [0x52, 0x61, 0x72, 0x21],
+    [0x37, 0x7a, 0xbc, 0xaf],
+    [0x7f, 0x45, 0x4c, 0x46],
+    [0x4d, 0x5a],
+    [0xcf, 0xfa, 0xed, 0xfe],
+    [0x00, 0x61, 0x73, 0x6d],
+    [0x1a, 0x45, 0xdf, 0xa3],
+    [0x66, 0x74, 0x79, 0x70],
+    [0x46, 0x4c, 0x56],
+    [0x49, 0x44, 0x33],
+    [0xff, 0xfb],
+    [0xff, 0xfa],
+    [0x4f, 0x67, 0x67, 0x53],
+    [0x66, 0x4c, 0x61, 0x43],
+    [0x4d, 0x54, 0x68, 0x64],
+    [0x77, 0x4f, 0x46, 0x46],
+    [0x00, 0x01, 0x00, 0x00],
+    [0x4f, 0x54, 0x54, 0x4f],
+    [0x53, 0x51, 0x4c, 0x69],
+];
+function startsWithBytes(buffer, signature) {
+    const sigLen = signature.length;
+    if (buffer.length < sigLen)
+        return false;
+    for (let i = 0; i < sigLen; i += 1) {
+        if (buffer[i] !== signature[i])
+            return false;
+    }
+    return true;
+}
+function hasNullByte(buffer, limit) {
+    const checkLen = Math.min(buffer.length, limit);
+    return buffer.subarray(0, checkLen).includes(0x00);
+}
+function isBinaryContent(buffer, encoding) {
+    for (const signature of BINARY_SIGNATURES) {
+        if (startsWithBytes(buffer, signature))
+            return true;
+    }
+    return !isUnicodeWideEncoding(encoding) && hasNullByte(buffer, 1000);
 }
 class ResponseTextReader {
-    async read(response, url, maxBytes, signal) {
-        assertContentLengthWithinLimit(response, url, maxBytes);
+    async read(response, url, maxBytes, signal, encoding) {
+        const { buffer, encoding: effectiveEncoding } = await this.readBuffer(response, url, maxBytes, signal, encoding);
+        const decoder = createDecoder(effectiveEncoding);
+        const text = decoder.decode(buffer);
+        return { text, size: buffer.byteLength };
+    }
+    async readBuffer(response, url, maxBytes, signal, encoding) {
+        if (signal?.aborted) {
+            cancelResponseBody(response);
+            throw createAbortedFetchError(url);
+        }
+        const limit = maxBytes <= 0 ? Number.POSITIVE_INFINITY : maxBytes;
         if (!response.body) {
-            const text = await response.text();
-            const size = Buffer.byteLength(text);
-            if (size > maxBytes)
-                throw fetchErrors.sizeLimit(url, maxBytes);
-            return { text, size };
+            if (signal?.aborted)
+                throw createCanceledFetchError(url);
+            const arrayBuffer = await response.arrayBuffer();
+            const length = Math.min(arrayBuffer.byteLength, limit);
+            const buffer = new Uint8Array(arrayBuffer, 0, length);
+            const effectiveEncoding = resolveEncoding(encoding, buffer) ?? encoding ?? 'utf-8';
+            if (isBinaryContent(buffer, effectiveEncoding)) {
+                throw new FetchError('Detailed content type check failed: binary content detected', url, 500, { reason: 'binary_content_detected' });
+            }
+            return { buffer, encoding: effectiveEncoding, size: buffer.byteLength };
         }
-        return this.readStreamWithLimit(response.body, url, maxBytes, signal);
+        return this.readStreamToBuffer(response.body, url, limit, signal, encoding);
     }
-    async readStreamWithLimit(stream, url, maxBytes, signal) {
-        const decoder = new TextDecoder();
-        const parts = [];
+    async readNext(reader, abortPromise) {
+        return abortPromise
+            ? await Promise.race([reader.read(), abortPromise])
+            : await reader.read();
+    }
+    async readStreamToBuffer(stream, url, maxBytes, signal, encoding) {
+        let effectiveEncoding = encoding;
+        let decoder = null;
+        const chunks = [];
         let total = 0;
         const reader = stream.getReader();
+        const abortRace = createAbortRace(signal, () => createAbortedFetchError(url));
         try {
-            await this.throwIfAborted(signal, url, reader);
-            let result = await reader.read();
+            let result = await this.readNext(reader, abortRace.abortPromise);
+            if (!result.done) {
+                effectiveEncoding =
+                    resolveEncoding(encoding, result.value) ?? encoding ?? 'utf-8';
+                decoder = createDecoder(effectiveEncoding);
+            }
+            let checkedBinary = false;
             while (!result.done) {
-                total += result.value.byteLength;
-                if (total > maxBytes)
-                    throw fetchErrors.sizeLimit(url, maxBytes);
-                const decoded = decoder.decode(result.value, { stream: true });
-                if (decoded)
-                    parts.push(decoded);
-                await this.throwIfAborted(signal, url, reader);
-                result = await reader.read();
+                const chunk = result.value;
+                if (!checkedBinary) {
+                    checkedBinary = true;
+                    if (isBinaryContent(chunk, decoder?.encoding)) {
+                        await this.cancelReaderQuietly(reader);
+                        throw new FetchError('Detailed content type check failed: binary content detected', url, 500, { reason: 'binary_content_detected' });
+                    }
+                }
+                const newTotal = total + chunk.length;
+                if (newTotal > maxBytes) {
+                    const remaining = maxBytes - total;
+                    if (remaining > 0) {
+                        chunks.push(chunk.subarray(0, remaining));
+                        total += remaining;
+                    }
+                    await this.cancelReaderQuietly(reader);
+                    break;
+                }
+                chunks.push(chunk);
+                total = newTotal;
+                result = await this.readNext(reader, abortRace.abortPromise);
             }
         }
         catch (error) {
             await this.cancelReaderQuietly(reader);
-            if (signal?.aborted)
-                throw new FetchError('Request was aborted during response read', url, 499, { reason: 'aborted' });
-            throw error;
+            this.handleReadingError(error, url, signal);
         }
         finally {
+            abortRace.cleanup();
             reader.releaseLock();
         }
-        const final = decoder.decode();
-        if (final)
-            parts.push(final);
-        return { text: parts.join(''), size: total };
+        return {
+            buffer: Buffer.concat(chunks, total),
+            encoding: effectiveEncoding ?? 'utf-8',
+            size: total,
+        };
     }
-    async throwIfAborted(signal, url, reader) {
-        if (!signal?.aborted)
-            return;
-        await this.cancelReaderQuietly(reader);
-        throw new FetchError('Request was aborted during response read', url, 499, {
-            reason: 'aborted',
-        });
+    handleReadingError(error, url, signal) {
+        if (error instanceof FetchError)
+            throw error;
+        if (signal?.aborted)
+            throw createAbortedFetchError(url);
+        throw error;
     }
     async cancelReaderQuietly(reader) {
         try {
             await reader.cancel();
         }
         catch {
-            // ignore
+            // Ignore cancellation failures; stream teardown must proceed.
         }
     }
 }
-const responseReader = new ResponseTextReader();
-/** Backwards-compatible export */
-export async function readResponseText(response, url, maxBytes, signal) {
-    return responseReader.read(response, url, maxBytes, signal);
-}
-/* -------------------------------------------------------------------------------------------------
- * HTTP fetcher (headers, signals, response handling)
- * ------------------------------------------------------------------------------------------------- */
 const DEFAULT_HEADERS = {
     'User-Agent': config.fetcher.userAgent,
     Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
@@ -820,57 +1113,370 @@ const DEFAULT_HEADERS = {
     Connection: 'keep-alive',
 };
 function buildHeaders() {
-    return { ...DEFAULT_HEADERS };
+    return DEFAULT_HEADERS;
 }
 function buildRequestSignal(timeoutMs, external) {
+    if (timeoutMs <= 0)
+        return external;
     const timeoutSignal = AbortSignal.timeout(timeoutMs);
     return external ? AbortSignal.any([external, timeoutSignal]) : timeoutSignal;
 }
 function buildRequestInit(headers, signal) {
-    return { method: 'GET', headers, signal };
+    return {
+        method: 'GET',
+        headers,
+        ...(signal ? { signal } : {}),
+    };
 }
 function resolveResponseError(response, finalUrl) {
     if (response.status === 429) {
-        return fetchErrors.rateLimited(finalUrl, response.headers.get('retry-after'));
+        return createRateLimitedFetchError(finalUrl, response.headers.get('retry-after'));
     }
     return response.ok
         ? null
-        : fetchErrors.http(finalUrl, response.status, response.statusText);
+        : createHttpFetchError(finalUrl, response.status, response.statusText);
+}
+function resolveMediaType(contentType) {
+    if (!contentType)
+        return null;
+    const semiIndex = contentType.indexOf(';');
+    const mediaType = semiIndex === -1 ? contentType : contentType.slice(0, semiIndex);
+    const trimmed = mediaType.trim();
+    return trimmed ? trimmed.toLowerCase() : null;
+}
+const TEXTUAL_MEDIA_TYPES = new Set([
+    'application/json',
+    'application/ld+json',
+    'application/xml',
+    'application/xhtml+xml',
+    'application/javascript',
+    'application/ecmascript',
+    'application/x-javascript',
+    'application/x-yaml',
+    'application/yaml',
+    'application/markdown',
+]);
+function isTextLikeMediaType(mediaType) {
+    if (mediaType.startsWith('text/'))
+        return true;
+    if (TEXTUAL_MEDIA_TYPES.has(mediaType))
+        return true;
+    return (mediaType.endsWith('+json') ||
+        mediaType.endsWith('+xml') ||
+        mediaType.endsWith('+yaml') ||
+        mediaType.endsWith('+text') ||
+        mediaType.endsWith('+markdown'));
+}
+function assertSupportedContentType(contentType, url) {
+    const mediaType = resolveMediaType(contentType);
+    if (!mediaType)
+        return;
+    if (!isTextLikeMediaType(mediaType)) {
+        throw new FetchError(`Unsupported content type: ${mediaType}`, url);
+    }
+}
+function extractEncodingTokens(value) {
+    const tokens = [];
+    let i = 0;
+    const len = value.length;
+    while (i < len) {
+        while (i < len &&
+            (value.charCodeAt(i) === 44 || value.charCodeAt(i) <= 32)) {
+            i += 1;
+        }
+        if (i >= len)
+            break;
+        const start = i;
+        while (i < len && value.charCodeAt(i) !== 44)
+            i += 1;
+        const token = value.slice(start, i).trim().toLowerCase();
+        if (token)
+            tokens.push(token);
+        if (i < len && value.charCodeAt(i) === 44)
+            i += 1;
+    }
+    return tokens;
+}
+function parseSingleContentEncoding(value) {
+    if (!value)
+        return null;
+    const tokens = extractEncodingTokens(value);
+    if (tokens.length === 0)
+        return null;
+    if (tokens.length > 1)
+        return undefined;
+    return tokens[0] ?? null;
+}
+function createUnsupportedContentEncodingError(url, encodingHeader) {
+    return new FetchError(`Unsupported Content-Encoding: ${encodingHeader}`, url, 415, {
+        reason: 'unsupported_content_encoding',
+        encoding: encodingHeader,
+    });
+}
+function createPumpedStream(initialChunk, reader) {
+    return new ReadableStream({
+        start(controller) {
+            if (initialChunk.byteLength > 0) {
+                controller.enqueue(initialChunk);
+            }
+        },
+        async pull(controller) {
+            try {
+                const { done, value } = await reader.read();
+                if (done) {
+                    controller.close();
+                }
+                else {
+                    controller.enqueue(value);
+                }
+            }
+            catch (error) {
+                controller.error(error);
+            }
+        },
+        cancel(reason) {
+            void reader.cancel(reason).catch(() => undefined);
+        },
+    });
+}
+function isLikelyCompressed(chunk, encoding) {
+    if (chunk.byteLength === 0)
+        return false;
+    if (encoding === 'gzip') {
+        return chunk.byteLength >= 2 && chunk[0] === 0x1f && chunk[1] === 0x8b;
+    }
+    if (encoding === 'deflate') {
+        if (chunk.byteLength < 2)
+            return false;
+        const byte0 = chunk[0] ?? 0;
+        const byte1 = chunk[1] ?? 0;
+        const cm = byte0 & 0x0f;
+        if (cm !== 8)
+            return false;
+        return (byte0 * 256 + byte1) % 31 === 0;
+    }
+    let nonPrintable = 0;
+    const limit = Math.min(chunk.length, 50);
+    for (let i = 0; i < limit; i += 1) {
+        const b = chunk[i] ?? 0;
+        if (b < 0x09 || (b > 0x0d && b < 0x20) || b === 0x7f)
+            nonPrintable += 1;
+    }
+    return nonPrintable / limit > 0.1;
 }
-async function handleFetchResponse(response, finalUrl, ctx, signal) {
+async function decodeResponseIfNeeded(response, url, signal) {
+    const encodingHeader = response.headers.get('content-encoding');
+    const encoding = parseSingleContentEncoding(encodingHeader);
+    if (encoding === null || encoding === 'identity')
+        return response;
+    if (encoding === undefined) {
+        throw createUnsupportedContentEncodingError(url, encodingHeader ?? '');
+    }
+    if (encoding !== 'gzip' && encoding !== 'deflate' && encoding !== 'br') {
+        throw createUnsupportedContentEncodingError(url, encodingHeader ?? encoding);
+    }
+    if (!response.body)
+        return response;
+    // Peek at first chunk to check if actually compressed
+    const reader = response.body.getReader();
+    let initialChunk;
+    try {
+        const { done, value } = await reader.read();
+        if (done) {
+            return new Response(null, {
+                status: response.status,
+                statusText: response.statusText,
+                headers: response.headers,
+            });
+        }
+        initialChunk = value;
+    }
+    catch (error) {
+        // If read fails, throw properly
+        throw new FetchError(`Failed to read response body: ${isError(error) ? error.message : String(error)}`, url, 502);
+    }
+    if (!isLikelyCompressed(initialChunk, encoding)) {
+        const body = createPumpedStream(initialChunk, reader);
+        const headers = new Headers(response.headers);
+        headers.delete('content-encoding');
+        headers.delete('content-length');
+        return new Response(body, {
+            status: response.status,
+            statusText: response.statusText,
+            headers,
+        });
+    }
+    // Set up decompression
+    let decompressor = null;
+    switch (encoding) {
+        case 'gzip':
+            decompressor = createGunzip();
+            break;
+        case 'deflate':
+            decompressor = createInflate();
+            break;
+        case 'br':
+            decompressor = createBrotliDecompress();
+            break;
+        default:
+            // Should have been caught by parseSingleContentEncoding check, but safe fallback
+            decompressor = null;
+    }
+    if (!decompressor) {
+        // Should be unreachable if encoding valid
+        throw createUnsupportedContentEncodingError(url, encodingHeader ?? encoding);
+    }
+    const sourceStream = Readable.fromWeb(createPumpedStream(initialChunk, reader));
+    const decodedNodeStream = sourceStream.pipe(decompressor);
+    const abortHandler = () => {
+        sourceStream.destroy();
+        decompressor.destroy();
+        decodedNodeStream.destroy();
+    };
+    if (signal) {
+        signal.addEventListener('abort', abortHandler, { once: true });
+    }
+    const decodedBody = Readable.toWeb(decodedNodeStream);
+    const headers = new Headers(response.headers);
+    headers.delete('content-encoding');
+    headers.delete('content-length');
+    if (signal) {
+        decodedNodeStream.once('close', () => {
+            signal.removeEventListener('abort', abortHandler);
+        });
+        decodedNodeStream.once('error', () => {
+            signal.removeEventListener('abort', abortHandler);
+        });
+    }
+    return new Response(decodedBody, {
+        status: response.status,
+        statusText: response.statusText,
+        headers,
+    });
+}
+async function readAndRecordDecodedResponse(response, finalUrl, ctx, telemetry, reader, maxBytes, mode, signal) {
     const responseError = resolveResponseError(response, finalUrl);
     if (responseError) {
         cancelResponseBody(response);
         throw responseError;
     }
-    const { text, size } = await responseReader.read(response, finalUrl, config.fetcher.maxContentLength, signal);
-    telemetry.recordResponse(ctx, response, size);
-    return text;
+    const decodedResponse = await decodeResponseIfNeeded(response, finalUrl, signal);
+    const contentType = decodedResponse.headers.get('content-type');
+    assertSupportedContentType(contentType, finalUrl);
+    const declaredEncoding = getCharsetFromContentType(contentType ?? null);
+    if (mode === 'text') {
+        const { text, size } = await reader.read(decodedResponse, finalUrl, maxBytes, signal, declaredEncoding);
+        telemetry.recordResponse(ctx, decodedResponse, size);
+        return { kind: 'text', text, size };
+    }
+    const { buffer, encoding, size } = await reader.readBuffer(decodedResponse, finalUrl, maxBytes, signal, declaredEncoding);
+    telemetry.recordResponse(ctx, decodedResponse, size);
+    return { kind: 'buffer', buffer, encoding, size };
+}
+function extractHostname(url) {
+    if (!URL.canParse(url)) {
+        throw createErrorWithCode('Invalid URL', 'EINVAL');
+    }
+    return new URL(url).hostname;
+}
+function createDnsPreflight(dnsResolver) {
+    return async (url, signal) => {
+        const hostname = extractHostname(url);
+        await dnsResolver.assertSafeHostname(hostname, signal);
+    };
 }
 class HttpFetcher {
+    fetcherConfig;
+    dnsResolver;
+    redirectFollower;
+    reader;
+    telemetry;
+    constructor(fetcherConfig, dnsResolver, redirectFollower, reader, telemetry) {
+        this.fetcherConfig = fetcherConfig;
+        this.dnsResolver = dnsResolver;
+        this.redirectFollower = redirectFollower;
+        this.reader = reader;
+        this.telemetry = telemetry;
+    }
     async fetchNormalizedUrl(normalizedUrl, options) {
-        const { hostname } = new URL(normalizedUrl);
-        await assertSafeDnsLookup(hostname);
-        const timeoutMs = config.fetcher.timeout;
+        return this.fetchNormalized(normalizedUrl, 'text', options);
+    }
+    async fetchNormalizedUrlBuffer(normalizedUrl, options) {
+        return this.fetchNormalized(normalizedUrl, 'buffer', options);
+    }
+    async fetchNormalized(normalizedUrl, mode, options) {
+        const hostname = extractHostname(normalizedUrl);
+        const timeoutMs = this.fetcherConfig.timeout;
         const headers = buildHeaders();
         const signal = buildRequestSignal(timeoutMs, options?.signal);
         const init = buildRequestInit(headers, signal);
-        const ctx = telemetry.start(normalizedUrl, 'GET');
+        const ctx = this.telemetry.start(normalizedUrl, 'GET');
         try {
-            const { response, url: finalUrl } = await redirectFollower.fetchWithRedirects(normalizedUrl, init, config.fetcher.maxRedirects);
-            ctx.url = finalUrl;
-            return await handleFetchResponse(response, finalUrl, ctx, init.signal ?? undefined);
+            await this.dnsResolver.assertSafeHostname(hostname, signal ?? undefined);
+            const { response, url: finalUrl } = await this.redirectFollower.fetchWithRedirects(normalizedUrl, init, this.fetcherConfig.maxRedirects);
+            ctx.url = this.telemetry.redact(finalUrl);
+            const payload = await readAndRecordDecodedResponse(response, finalUrl, ctx, this.telemetry, this.reader, this.fetcherConfig.maxContentLength, mode, init.signal ?? undefined);
+            if (payload.kind === 'text')
+                return payload.text;
+            return { buffer: payload.buffer, encoding: payload.encoding };
         }
         catch (error) {
             const mapped = mapFetchError(error, normalizedUrl, timeoutMs);
-            ctx.url = mapped.url;
-            telemetry.recordError(ctx, mapped, mapped.statusCode);
+            ctx.url = this.telemetry.redact(mapped.url);
+            this.telemetry.recordError(ctx, mapped, mapped.statusCode);
             throw mapped;
         }
     }
 }
-const httpFetcher = new HttpFetcher();
-/** Backwards-compatible export */
+const ipBlocker = new IpBlocker(config.security);
+const urlNormalizer = new UrlNormalizer(config.constants, config.security, ipBlocker, BLOCKED_HOST_SUFFIXES);
+const rawUrlTransformer = new RawUrlTransformer(defaultLogger);
+const dnsResolver = new SafeDnsResolver(ipBlocker, config.security, BLOCKED_HOST_SUFFIXES);
+const telemetry = new FetchTelemetry(defaultLogger, defaultContext, defaultRedactor);
+const normalizeRedirectUrl = (url) => urlNormalizer.validateAndNormalize(url);
+const dnsPreflight = createDnsPreflight(dnsResolver);
+// Redirect follower with per-hop DNS preflight.
+const secureRedirectFollower = new RedirectFollower(defaultFetch, normalizeRedirectUrl, dnsPreflight);
+const responseReader = new ResponseTextReader();
+const httpFetcher = new HttpFetcher(config.fetcher, dnsResolver, secureRedirectFollower, responseReader, telemetry);
+export function isBlockedIp(ip) {
+    return ipBlocker.isBlockedIp(ip);
+}
+export function normalizeUrl(urlString) {
+    return urlNormalizer.normalize(urlString);
+}
+export function validateAndNormalizeUrl(urlString) {
+    return urlNormalizer.validateAndNormalize(urlString);
+}
+export function transformToRawUrl(url) {
+    return rawUrlTransformer.transformToRawUrl(url);
+}
+export function isRawTextContentUrl(url) {
+    return rawUrlTransformer.isRawTextContentUrl(url);
+}
+export function startFetchTelemetry(url, method) {
+    return telemetry.start(url, method);
+}
+export function recordFetchResponse(context, response, contentSize) {
+    telemetry.recordResponse(context, response, contentSize);
+}
+export function recordFetchError(context, error, status) {
+    telemetry.recordError(context, error, status);
+}
+export async function fetchWithRedirects(url, init, maxRedirects) {
+    return secureRedirectFollower.fetchWithRedirects(url, init, maxRedirects);
+}
+export async function readResponseText(response, url, maxBytes, signal, encoding) {
+    const decodedResponse = await decodeResponseIfNeeded(response, url, signal);
+    return responseReader.read(decodedResponse, url, maxBytes, signal, encoding);
+}
+export async function readResponseBuffer(response, url, maxBytes, signal, encoding) {
+    const decodedResponse = await decodeResponseIfNeeded(response, url, signal);
+    return responseReader.readBuffer(decodedResponse, url, maxBytes, signal, encoding);
+}
 export async function fetchNormalizedUrl(normalizedUrl, options) {
     return httpFetcher.fetchNormalizedUrl(normalizedUrl, options);
 }
+export async function fetchNormalizedUrlBuffer(normalizedUrl, options) {
+    return httpFetcher.fetchNormalizedUrlBuffer(normalizedUrl, options);
+}