@workglow/tasks 0.2.2 → 0.2.3

package/dist/bun.js

@@ -3,16 +3,70 @@ var __require = import.meta.require;
 
 // src/task/image/imageRasterCodecNode.ts
 import { parseDataUri } from "@workglow/util/media";
-function normalizeMimeType(mimeType) {
-  const m = mimeType.toLowerCase();
-  if (m.includes("jpeg") || m.includes("jpg")) {
+
+// src/task/image/imageCodecLimits.ts
+var MAX_DECODED_PIXELS = 1e8;
+var MAX_INPUT_BYTES_NODE = 64 * 1024 * 1024;
+var MAX_INPUT_BYTES_BROWSER = 8 * 1024 * 1024;
+var REJECTED_DECODE_MIME_TYPES = new Set([
+  "image/svg+xml",
+  "image/svg",
+  "image/gif",
+  "image/apng"
+]);
+var SUPPORTED_OUTPUT_MIME_TYPES = ["image/jpeg", "image/png", "image/webp"];
+function assertWithinPixelBudget(width, height) {
+  if (!Number.isFinite(width) || !Number.isFinite(height) || width <= 0 || height <= 0) {
+    throw new Error(`Image raster codec: invalid dimensions ${width}x${height}`);
+  }
+  const pixels = width * height;
+  if (pixels > MAX_DECODED_PIXELS) {
+    throw new Error(`Image raster codec: decoded image exceeds pixel budget ` + `(${width}x${height} = ${pixels} > ${MAX_DECODED_PIXELS})`);
+  }
+}
+function assertWithinByteBudget(byteLength, limit) {
+  if (byteLength > limit) {
+    throw new Error(`Image raster codec: input exceeds byte budget (${byteLength} > ${limit})`);
+  }
+}
+function formatDataUriErrorPreview(value) {
+  if (typeof value !== "string") {
+    return String(value);
+  }
+  if (value.startsWith("data:")) {
+    const commaIndex = value.indexOf(",");
+    if (commaIndex >= 0) {
+      return `${value.slice(0, commaIndex)},[REDACTED]`;
+    }
+    return `${value.slice(0, 80)}${value.length > 80 ? "\u2026" : ""}`;
+  }
+  return `${value.slice(0, 80)}${value.length > 80 ? "\u2026" : ""}`;
+}
+function assertIsDataUri(value) {
+  if (typeof value !== "string" || !value.startsWith("data:")) {
+    const preview = formatDataUriErrorPreview(value);
+    throw new Error(`Image raster codec: expected a data: URI but received "${preview}"`);
+  }
+}
+function extractDataUriMimeType(dataUri) {
+  const match = dataUri.match(/^data:([^;,]+)/);
+  return match?.[1]?.trim().toLowerCase();
+}
+function normalizeOutputMimeType(mimeType) {
+  const m = mimeType.toLowerCase().trim();
+  if (m === "image/jpeg" || m === "image/jpg") {
     return "image/jpeg";
   }
-  if (m.includes("webp")) {
+  if (m === "image/png") {
+    return "image/png";
+  }
+  if (m === "image/webp") {
     return "image/webp";
   }
-  return "image/png";
+  throw new Error(`Image raster codec: unsupported output mime type "${mimeType}". ` + `Supported: ${SUPPORTED_OUTPUT_MIME_TYPES.join(", ")}.`);
 }
+
+// src/task/image/imageRasterCodecNode.ts
 function expandGrayAlphaToRgba(src, width, height) {
   const n = width * height;
   const dst = new Uint8ClampedArray(n * 4);
@@ -38,13 +92,24 @@ async function getSharp() {
   return _sharp;
 }
 async function decodeDataUri(dataUri) {
+  assertIsDataUri(dataUri);
+  const declaredMime = extractDataUriMimeType(dataUri);
+  if (declaredMime && REJECTED_DECODE_MIME_TYPES.has(declaredMime)) {
+    throw new Error(`Image raster codec: refusing to rasterize "${declaredMime}". Vector and animated formats lose information when converted to pixels. Convert to PNG, JPEG, or WebP before passing to the codec.`);
+  }
   const sharp = await getSharp();
   const { base64 } = parseDataUri(dataUri);
+  const estimatedBytes = Math.ceil(base64.length * 3 / 4);
+  assertWithinByteBudget(estimatedBytes, MAX_INPUT_BYTES_NODE);
   const buffer = Buffer.from(base64, "base64");
-  const { data, info } = await sharp(buffer).raw().toBuffer({ resolveWithObject: true });
+  const { data, info } = await sharp(buffer, {
+    limitInputPixels: MAX_DECODED_PIXELS,
+    sequentialRead: true
+  }).raw().toBuffer({ resolveWithObject: true });
   const width = info.width;
   const height = info.height;
   const ch = info.channels;
+  assertWithinPixelBudget(width, height);
   if (ch === 2) {
     return {
       data: expandGrayAlphaToRgba(data, width, height),
@@ -55,7 +120,7 @@ async function decodeDataUri(dataUri) {
   }
   if (ch === 1 || ch === 3 || ch === 4) {
     return {
-      data: new Uint8ClampedArray(data.buffer, data.byteOffset, data.byteLength),
+      data: new Uint8ClampedArray(data),
       width,
       height,
       channels: ch
@@ -66,7 +131,7 @@ async function decodeDataUri(dataUri) {
 async function encodeDataUri(image, mimeType) {
   const sharp = await getSharp();
   const { data, width, height, channels } = image;
-  const fmt = normalizeMimeType(mimeType);
+  const fmt = normalizeOutputMimeType(mimeType);
   const base = sharp(Buffer.from(data), { raw: { width, height, channels } });
   const out = fmt === "image/jpeg" ? await base.jpeg({ quality: 92, mozjpeg: true }).toBuffer() : fmt === "image/webp" ? await base.webp({ quality: 92 }).toBuffer() : await base.png({ compressionLevel: 6 }).toBuffer();
   return `data:${fmt};base64,${out.toString("base64")}`;
@@ -90,6 +155,405 @@ function getImageRasterCodec() {
 // src/task/image/registerImageRasterCodec.node.ts
 registerImageRasterCodec(createNodeImageRasterCodec());
 
+// src/util/SafeFetch.server.ts
+import { PermanentJobError as PermanentJobError2 } from "@workglow/job-queue";
+import { lookup as dnsLookup } from "dns/promises";
+import { Agent, fetch as undiciFetch } from "undici";
+
+// src/util/UrlClassifier.ts
+import ipaddr from "ipaddr.js";
+var PRIVATE_EXACT_HOSTS = new Set([
+  "localhost",
+  "localhost.localdomain",
+  "ip6-localhost",
+  "ip6-loopback",
+  "metadata.google.internal",
+  "metadata.internal",
+  "metadata.azure.com",
+  "instance-data"
+]);
+var PRIVATE_DOMAIN_SUFFIXES = [
+  "local",
+  "localhost",
+  "internal",
+  "lan",
+  "home.arpa",
+  "corp",
+  "intranet",
+  "private",
+  "localdomain"
+];
+var PRIVATE_IPV4_RANGES = new Set([
+  "unspecified",
+  "broadcast",
+  "multicast",
+  "linkLocal",
+  "loopback",
+  "carrierGradeNat",
+  "private",
+  "reserved",
+  "benchmarking"
+]);
+var PRIVATE_IPV6_RANGES = new Set([
+  "unspecified",
+  "linkLocal",
+  "multicast",
+  "loopback",
+  "uniqueLocal",
+  "ipv4Mapped",
+  "ipv4Compat",
+  "rfc6145",
+  "rfc6052",
+  "6to4",
+  "teredo",
+  "reserved",
+  "benchmarking",
+  "amt",
+  "as112v6",
+  "deprecated",
+  "orchid2",
+  "droneRemoteIdProtocolEntityTags"
+]);
+function tryNormalizeIPv4(host) {
+  if (host.length === 0)
+    return;
+  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
+    const octets = host.split(".").map((s) => parseInt(s, 10));
+    if (octets.every((n) => n >= 0 && n <= 255)) {
+      return octets.join(".");
+    }
+    return;
+  }
+  const parts = host.split(".");
+  if (parts.length < 1 || parts.length > 4)
+    return;
+  const nums = [];
+  for (const p of parts) {
+    if (p.length === 0)
+      return;
+    let n;
+    if (/^0[xX][0-9a-fA-F]+$/.test(p)) {
+      n = parseInt(p.slice(2), 16);
+    } else if (/^0[0-7]+$/.test(p)) {
+      n = parseInt(p, 8);
+    } else if (/^\d+$/.test(p)) {
+      n = parseInt(p, 10);
+    } else {
+      return;
+    }
+    if (!Number.isFinite(n) || n < 0)
+      return;
+    nums.push(n);
+  }
+  let addr;
+  if (nums.length === 1) {
+    if (nums[0] > 4294967295)
+      return;
+    addr = nums[0];
+  } else if (nums.length === 2) {
+    if (nums[0] > 255 || nums[1] > 16777215)
+      return;
+    addr = nums[0] * 16777216 + nums[1];
+  } else if (nums.length === 3) {
+    if (nums[0] > 255 || nums[1] > 255 || nums[2] > 65535)
+      return;
+    addr = nums[0] * 16777216 + nums[1] * 65536 + nums[2];
+  } else {
+    if (nums.some((n) => n > 255))
+      return;
+    addr = nums[0] * 16777216 + nums[1] * 65536 + nums[2] * 256 + nums[3];
+  }
+  const o1 = Math.floor(addr / 16777216) & 255;
+  const o2 = Math.floor(addr / 65536) & 255;
+  const o3 = Math.floor(addr / 256) & 255;
+  const o4 = addr & 255;
+  return `${o1}.${o2}.${o3}.${o4}`;
+}
+function classifyIpLiteral(host) {
+  if (host.includes(":")) {
+    let ipv6;
+    try {
+      ipv6 = ipaddr.IPv6.parse(host);
+    } catch {
+      return;
+    }
+    if (ipv6.isIPv4MappedAddress()) {
+      const v4 = ipv6.toIPv4Address();
+      const range3 = v4.range();
+      const canonical3 = v4.toNormalizedString();
+      if (PRIVATE_IPV4_RANGES.has(range3)) {
+        return { kind: "private", reason: `IPv4-mapped IPv6 in ${range3} range`, canonical: canonical3 };
+      }
+      return { kind: "public", canonical: canonical3 };
+    }
+    const range2 = ipv6.range();
+    const canonical2 = ipv6.toNormalizedString();
+    if (PRIVATE_IPV6_RANGES.has(range2)) {
+      return { kind: "private", reason: `IPv6 in ${range2} range`, canonical: canonical2 };
+    }
+    return { kind: "public", canonical: canonical2 };
+  }
+  const canonical = tryNormalizeIPv4(host);
+  if (canonical === undefined)
+    return;
+  let ipv4;
+  try {
+    ipv4 = ipaddr.IPv4.parse(canonical);
+  } catch {
+    return;
+  }
+  const range = ipv4.range();
+  if (PRIVATE_IPV4_RANGES.has(range)) {
+    return { kind: "private", reason: `IPv4 in ${range} range`, canonical };
+  }
+  return { kind: "public", canonical };
+}
+function normalizeHost(host) {
+  let h = host;
+  if (h.startsWith("[") && h.endsWith("]")) {
+    h = h.slice(1, -1);
+  }
+  while (h.endsWith(".")) {
+    h = h.slice(0, -1);
+  }
+  return h.toLowerCase();
+}
+function matchesPrivateHostnamePattern(host) {
+  if (PRIVATE_EXACT_HOSTS.has(host)) {
+    return `host '${host}' is a reserved private name`;
+  }
+  for (const suffix of PRIVATE_DOMAIN_SUFFIXES) {
+    if (host === suffix || host.endsWith("." + suffix)) {
+      return `host matches private suffix '.${suffix}'`;
+    }
+  }
+  return;
+}
+function classifyUrl(urlStr) {
+  if (typeof urlStr !== "string" || urlStr.length === 0) {
+    return { kind: "invalid", reason: "empty or non-string URL" };
+  }
+  let parsed;
+  try {
+    parsed = new URL(urlStr);
+  } catch {
+    return { kind: "invalid", reason: "malformed URL" };
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    return { kind: "invalid", reason: `unsupported protocol '${parsed.protocol}'` };
+  }
+  if (parsed.username.length > 0 || parsed.password.length > 0) {
+    return { kind: "invalid", reason: "URL credentials are not allowed" };
+  }
+  const host = normalizeHost(parsed.hostname);
+  if (host.length === 0) {
+    return { kind: "invalid", reason: "empty host" };
+  }
+  const ipClassification = classifyIpLiteral(host);
+  if (ipClassification !== undefined) {
+    return {
+      kind: ipClassification.kind,
+      reason: ipClassification.reason,
+      host,
+      literalIp: ipClassification.canonical
+    };
+  }
+  const hostnameReason = matchesPrivateHostnamePattern(host);
+  if (hostnameReason !== undefined) {
+    return { kind: "private", reason: hostnameReason, host };
+  }
+  return { kind: "public", host };
+}
+function urlResourcePattern(urlStr) {
+  let parsed;
+  try {
+    parsed = new URL(urlStr);
+  } catch {
+    return urlStr;
+  }
+  const origin = parsed.port.length > 0 ? `${parsed.protocol}//${parsed.host}` : `${parsed.protocol}//${parsed.hostname}`;
+  return `${origin}/*`;
+}
+
+// src/util/SafeFetch.ts
+import { PermanentJobError } from "@workglow/job-queue";
+var MAX_REDIRECT_HOPS = 20;
+function assertAllowedUrl(url, allowPrivate) {
+  const classification = classifyUrl(url);
+  if (classification.kind === "invalid") {
+    throw new PermanentJobError(`Refusing to fetch invalid URL: ${classification.reason}`);
+  }
+  if (classification.kind === "private" && !allowPrivate) {
+    throw new PermanentJobError(`Refusing to fetch private/internal URL ${url}: ${classification.reason}. ` + `Grant the 'network:private' entitlement to allow this request.`);
+  }
+}
+function isRedirectStatus(status) {
+  return status === 301 || status === 302 || status === 303 || status === 307 || status === 308;
+}
+async function defaultSafeFetch(url, options) {
+  const requestedRedirectMode = options.redirect ?? "follow";
+  const { allowPrivate, redirect: _redirect, ...fetchOptions } = options;
+  let currentUrl = url;
+  for (let hops = 0;hops <= MAX_REDIRECT_HOPS; hops += 1) {
+    assertAllowedUrl(currentUrl, allowPrivate);
+    const response = await globalThis.fetch(currentUrl, {
+      ...fetchOptions,
+      redirect: "manual"
+    });
+    if (!isRedirectStatus(response.status)) {
+      return response;
+    }
+    if (requestedRedirectMode === "manual") {
+      return response;
+    }
+    if (requestedRedirectMode === "error") {
+      throw new TypeError(`Fetch for ${currentUrl} failed because redirect mode was set to 'error'.`);
+    }
+    const location = response.headers.get("location");
+    if (!location) {
+      throw new PermanentJobError(`Refusing to follow redirect from ${currentUrl}: missing Location header.`);
+    }
+    currentUrl = new URL(location, currentUrl).toString();
+  }
+  throw new PermanentJobError(`Refusing to fetch ${url}: too many redirects.`);
+}
+var currentImpl = defaultSafeFetch;
+function registerSafeFetch(fn) {
+  const previousImpl = currentImpl;
+  currentImpl = fn;
+  return previousImpl;
+}
+function getSafeFetchImpl() {
+  return currentImpl;
+}
+function resetSafeFetch() {
+  currentImpl = defaultSafeFetch;
+}
+function safeFetch(url, options = {}) {
+  return currentImpl(url, options);
+}
+
+// src/util/SafeFetch.server.ts
+var MAX_REDIRECT_HOPS2 = 20;
+async function resolveAll(hostname) {
+  try {
+    const addrs = await dnsLookup(hostname, { all: true, verbatim: true });
+    if (!Array.isArray(addrs) || addrs.length === 0) {
+      throw new PermanentJobError2(`DNS lookup returned no addresses for '${hostname}'`);
+    }
+    return addrs.map((a) => ({ address: a.address, family: a.family }));
+  } catch (err) {
+    if (err instanceof PermanentJobError2)
+      throw err;
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new PermanentJobError2(`DNS lookup failed for '${hostname}': ${msg}`);
+  }
+}
+function isLiteralHost(host) {
+  if (host.includes(":"))
+    return true;
+  return /^[0-9a-fA-FxX.]+$/.test(host);
+}
+function isRedirectStatus2(status) {
+  return status === 301 || status === 302 || status === 303 || status === 307 || status === 308;
+}
+async function fetchOneHop(url, opts, fetchInit) {
+  const classification = classifyUrl(url);
+  if (classification.kind === "invalid") {
+    throw new PermanentJobError2(`Refusing to fetch invalid URL: ${classification.reason}`);
+  }
+  if (classification.kind === "private" && !opts.allowPrivate) {
+    throw new PermanentJobError2(`Refusing to fetch private/internal URL ${url}: ${classification.reason}. ` + `Grant the 'network:private' entitlement to allow this request.`);
+  }
+  const parsed = new URL(url);
+  const host = classification.host ?? parsed.hostname.toLowerCase();
+  let pinned;
+  if (isLiteralHost(host) && classification.literalIp !== undefined) {
+    pinned = {
+      address: classification.literalIp,
+      family: classification.literalIp.includes(":") ? 6 : 4
+    };
+  } else {
+    const addrs = await resolveAll(host);
+    for (const addr of addrs) {
+      const ipClass = classifyIpLiteral(addr.address);
+      if (ipClass === undefined) {
+        throw new PermanentJobError2(`DNS resolved '${host}' to an unparseable address '${addr.address}'`);
+      }
+      if (ipClass.kind === "private" && !opts.allowPrivate) {
+        throw new PermanentJobError2(`Refusing to fetch ${url}: hostname '${host}' resolved to private address ` + `${addr.address} (${ipClass.reason}). This may indicate DNS rebinding. ` + `Grant the 'network:private' entitlement to allow this request.`);
+      }
+    }
+    pinned = addrs[0];
+  }
+  const pinnedAddress = pinned.address;
+  const pinnedFamily = pinned.family;
+  const dispatcher = new Agent({
+    connect: {
+      lookup: (_hostname, _lookupOptions, cb) => {
+        cb(null, pinnedAddress, pinnedFamily);
+      }
+    }
+  });
+  try {
+    const response = await undiciFetch(url, {
+      ...fetchInit,
+      dispatcher,
+      redirect: "manual"
+    });
+    return { response, dispatcher };
+  } catch (err) {
+    await dispatcher.close().catch(() => {});
+    throw err;
+  }
+}
+var serverSafeFetch = async (url, options) => {
+  const opts = options ?? {};
+  const requestedRedirectMode = opts.redirect ?? "follow";
+  const { allowPrivate: _allowPrivate, redirect: _redirect, ...fetchInit } = opts;
+  let currentUrl = url;
+  let prevDispatcher;
+  for (let hops = 0;hops <= MAX_REDIRECT_HOPS2; hops += 1) {
+    const { response, dispatcher } = await fetchOneHop(currentUrl, opts, fetchInit);
+    if (prevDispatcher !== undefined) {
+      prevDispatcher.close().catch(() => {});
+    }
+    if (!isRedirectStatus2(response.status)) {
+      const body = response.body;
+      if (body !== null) {
+        const { readable, writable } = new TransformStream;
+        body.pipeTo(writable).finally(() => {
+          dispatcher.close().catch(() => {});
+        });
+        return new Response(readable, {
+          status: response.status,
+          statusText: response.statusText,
+          headers: response.headers
+        });
+      }
+      dispatcher.close().catch(() => {});
+      return response;
+    }
+    if (requestedRedirectMode === "manual") {
+      dispatcher.close().catch(() => {});
+      return response;
+    }
+    if (requestedRedirectMode === "error") {
+      dispatcher.close().catch(() => {});
+      throw new TypeError(`Fetch for ${currentUrl} failed because redirect mode was set to 'error'.`);
+    }
+    const location = response.headers.get("location");
+    if (!location) {
+      dispatcher.close().catch(() => {});
+      throw new PermanentJobError2(`Refusing to follow redirect from ${currentUrl}: missing Location header.`);
+    }
+    prevDispatcher = dispatcher;
+    currentUrl = new URL(location, currentUrl).toString();
+  }
+  throw new PermanentJobError2(`Refusing to fetch ${url}: too many redirects.`);
+};
+registerSafeFetch(serverSafeFetch);
+
 // src/task/adaptive.ts
 import { CreateAdaptiveWorkflow, Workflow as Workflow10 } from "@workglow/task-graph";
 
@@ -625,7 +1089,6 @@ Workflow10.prototype.subtract = CreateAdaptiveWorkflow(ScalarSubtractTask, Vecto
 Workflow10.prototype.multiply = CreateAdaptiveWorkflow(ScalarMultiplyTask, VectorMultiplyTask);
 Workflow10.prototype.divide = CreateAdaptiveWorkflow(ScalarDivideTask, VectorDivideTask);
 Workflow10.prototype.sum = CreateAdaptiveWorkflow(ScalarSumTask, VectorSumTask);
-
 // src/mcp-server/getMcpServerConfig.ts
 function getMcpServerConfig(configOrInput) {
   const server = configOrInput.server;
@@ -1813,7 +2276,7 @@ Workflow13.prototype.delay = CreateWorkflow12(DelayTask);
 import {
   AbortSignalJobError,
   Job,
-  PermanentJobError,
+  PermanentJobError as PermanentJobError3,
   RetryableJobError
 } from "@workglow/job-queue";
 import {
@@ -1822,52 +2285,13 @@ import {
   getJobQueueFactory,
   getTaskQueueRegistry,
   JobTaskFailedError,
+  mergeEntitlements,
   Task as Task13,
   TaskConfigSchema as TaskConfigSchema3,
   TaskConfigurationError,
   TaskInvalidInputError as TaskInvalidInputError2,
   Workflow as Workflow14
 } from "@workglow/task-graph";
-var PRIVATE_IP_RANGES = [
-  /^127\./,
-  /^10\./,
-  /^172\.(1[6-9]|2\d|3[01])\./,
-  /^192\.168\./,
-  /^169\.254\./,
-  /^0\./,
-  /^fc00:/i,
-  /^fe80:/i,
-  /^::1$/,
-  /^::$/
-];
-var PRIVATE_HOSTNAMES = new Set(["localhost", "metadata.google.internal", "metadata.internal"]);
-function isAllowPrivateUrlsEnvSet() {
-  if (globalThis?.process?.env?.WORKGLOW_ALLOW_PRIVATE_URLS === "true") {
-    return true;
-  }
-  const viteEnv = import.meta.env;
-  return viteEnv?.VITE_WORKGLOW_ALLOW_PRIVATE_URLS === "true";
-}
-function isPrivateUrl(urlStr) {
-  if (isAllowPrivateUrlsEnvSet()) {
-    return false;
-  }
-  try {
-    const parsed = new URL(urlStr);
-    const hostname = parsed.hostname.toLowerCase().replace(/^\[|\]$/g, "");
-    if (PRIVATE_HOSTNAMES.has(hostname) || hostname.endsWith(".local")) {
-      return true;
-    }
-    for (const range of PRIVATE_IP_RANGES) {
-      if (range.test(hostname)) {
-        return true;
-      }
-    }
-    return false;
-  } catch {
-    return false;
-  }
-}
 var inputSchema13 = {
   type: "object",
   properties: {
@@ -1955,7 +2379,7 @@ async function fetchWithProgress(url, options = {}, onProgress) {
   if (!options.signal) {
     throw new TaskConfigurationError("An AbortSignal must be provided.");
   }
-  const response = await globalThis.fetch(url, options);
+  const response = await safeFetch(url, options);
   if (!response.body) {
     throw new Error("ReadableStream not supported in this environment.");
   }
@@ -2004,14 +2428,16 @@ async function fetchWithProgress(url, options = {}, onProgress) {
 class FetchUrlJob extends Job {
   static type = "FetchUrlJob";
   async execute(input, context) {
-    if (isPrivateUrl(input.url)) {
-      throw new PermanentJobError(`Requests to private/internal networks are not allowed: ${input.url}. ` + `Set WORKGLOW_ALLOW_PRIVATE_URLS=true to override.`);
+    const classification = classifyUrl(input.url);
+    if (classification.kind === "invalid") {
+      throw new PermanentJobError3(`Refusing to fetch invalid URL ${input.url}: ${classification.reason ?? "malformed"}`);
     }
     const response = await fetchWithProgress(input.url, {
       method: input.method,
       headers: input.headers,
       body: input.body,
-      signal: context.signal
+      signal: context.signal,
+      allowPrivate: classification.kind === "private"
     }, async (progress) => await context.updateProgress(progress));
     if (response.ok) {
       const contentType = response.headers.get("content-type") ?? "";
@@ -2064,7 +2490,7 @@ class FetchUrlJob extends Job {
         }
         throw new RetryableJobError(`Failed to fetch ${input.url}: ${response.status} ${response.statusText}`, retryDate);
       } else {
-        throw new PermanentJobError(`Failed to fetch ${input.url}: ${response.status} ${response.statusText}`);
+        throw new PermanentJobError3(`Failed to fetch ${input.url}: ${response.status} ${response.statusText}`);
       }
     }
   }
@@ -2088,6 +2514,7 @@ class FetchUrlTask extends Task13 {
   static title = "Fetch";
   static description = "Fetches data from a URL with progress tracking and automatic retry handling";
   static hasDynamicSchemas = true;
+  static hasDynamicEntitlements = true;
   static entitlements() {
     return {
       entitlements: [
@@ -2100,6 +2527,33 @@ class FetchUrlTask extends Task13 {
       ]
     };
   }
+  entitlements() {
+    const base = FetchUrlTask.entitlements();
+    const url = this.runInputData?.url;
+    if (typeof url !== "string" || url.length === 0) {
+      return mergeEntitlements(base, {
+        entitlements: [
+          {
+            id: Entitlements.NETWORK_PRIVATE,
+            reason: "Runtime URL is not yet available during entitlement evaluation; private/internal destinations must be explicitly allowed"
+          }
+        ]
+      });
+    }
+    const classification = classifyUrl(url);
+    if (classification.kind !== "private") {
+      return base;
+    }
+    return mergeEntitlements(base, {
+      entitlements: [
+        {
+          id: Entitlements.NETWORK_PRIVATE,
+          reason: `URL targets private/internal host: ${classification.reason ?? classification.host ?? "unknown"}`,
+          resources: [urlResourcePattern(url)]
+        }
+      ]
+    });
+  }
   static configSchema() {
     return fetchUrlTaskConfigSchema;
   }
@@ -8799,7 +9253,7 @@ Workflow38.prototype.lambda = CreateWorkflow37(LambdaTask);
 import {
   CreateWorkflow as CreateWorkflow38,
   Entitlements as Entitlements3,
-  mergeEntitlements,
+  mergeEntitlements as mergeEntitlements2,
   Task as Task37,
   Workflow as Workflow39
 } from "@workglow/task-graph";
@@ -8994,13 +9448,13 @@ class McpListTask extends Task37 {
     const base = McpListTask.entitlements();
     const transport = getMcpServerTransport(this);
     if (transport === "stdio") {
-      return mergeEntitlements(base, {
+      return mergeEntitlements2(base, {
         entitlements: [
           { id: Entitlements3.MCP_STDIO, reason: "Uses stdio transport to spawn local process" }
         ]
       });
     }
-    return mergeEntitlements(base, {
+    return mergeEntitlements2(base, {
       entitlements: [{ id: Entitlements3.NETWORK_HTTP, reason: "Connects to MCP server over HTTP" }]
     });
   }
@@ -9087,7 +9541,7 @@ Workflow39.prototype.mcpList = CreateWorkflow38(McpListTask);
 import {
   CreateWorkflow as CreateWorkflow39,
   Entitlements as Entitlements4,
-  mergeEntitlements as mergeEntitlements2,
+  mergeEntitlements as mergeEntitlements3,
   Task as Task38,
   TaskConfigSchema as TaskConfigSchema8,
   Workflow as Workflow40
@@ -9243,13 +9697,13 @@ class McpPromptGetTask extends Task38 {
     const base = McpPromptGetTask.entitlements();
     const transport = getMcpServerTransport(this);
     if (transport === "stdio") {
-      return mergeEntitlements2(base, {
+      return mergeEntitlements3(base, {
         entitlements: [
           { id: Entitlements4.MCP_STDIO, reason: "Uses stdio transport to spawn local process" }
         ]
       });
     }
-    return mergeEntitlements2(base, {
+    return mergeEntitlements3(base, {
       entitlements: [
         { id: Entitlements4.NETWORK_HTTP, reason: "Connects to MCP server over HTTP" },
         { id: Entitlements4.CREDENTIAL, reason: "May require authentication", optional: true }
@@ -9353,7 +9807,7 @@ Workflow40.prototype.mcpPromptGet = CreateWorkflow39(McpPromptGetTask);
 import {
   CreateWorkflow as CreateWorkflow40,
   Entitlements as Entitlements5,
-  mergeEntitlements as mergeEntitlements3,
+  mergeEntitlements as mergeEntitlements4,
   Task as Task39,
   TaskConfigSchema as TaskConfigSchema9,
   Workflow as Workflow41
@@ -9422,13 +9876,13 @@ class McpResourceReadTask extends Task39 {
     const base = McpResourceReadTask.entitlements();
     const transport = getMcpServerTransport(this);
     if (transport === "stdio") {
-      return mergeEntitlements3(base, {
+      return mergeEntitlements4(base, {
         entitlements: [
           { id: Entitlements5.MCP_STDIO, reason: "Uses stdio transport to spawn local process" }
         ]
       });
     }
-    return mergeEntitlements3(base, {
+    return mergeEntitlements4(base, {
       entitlements: [
         { id: Entitlements5.NETWORK_HTTP, reason: "Connects to MCP server over HTTP" },
         { id: Entitlements5.CREDENTIAL, reason: "May require authentication", optional: true }
@@ -9654,7 +10108,7 @@ Workflow42.prototype.mcpSearch = CreateWorkflow41(McpSearchTask);
 import {
   CreateWorkflow as CreateWorkflow42,
   Entitlements as Entitlements7,
-  mergeEntitlements as mergeEntitlements4,
+  mergeEntitlements as mergeEntitlements5,
   Task as Task41,
   TaskConfigSchema as TaskConfigSchema10,
   Workflow as Workflow43
@@ -9802,13 +10256,13 @@ class McpToolCallTask extends Task41 {
     const base = McpToolCallTask.entitlements();
     const transport = getMcpServerTransport(this);
     if (transport === "stdio") {
-      return mergeEntitlements4(base, {
+      return mergeEntitlements5(base, {
         entitlements: [
           { id: Entitlements7.MCP_STDIO, reason: "Uses stdio transport to spawn local process" }
         ]
       });
     }
-    return mergeEntitlements4(base, {
+    return mergeEntitlements5(base, {
       entitlements: [
         { id: Entitlements7.NETWORK_HTTP, reason: "Connects to MCP server over HTTP" },
         { id: Entitlements7.CREDENTIAL, reason: "May require authentication", optional: true }
@@ -12099,18 +12553,24 @@ var registerCommonTasks2 = () => {
   return [...tasks, FileLoaderTask2];
 };
 export {
+  urlResourcePattern,
+  tryNormalizeIPv4,
   split,
   setGlobalMcpServerRepository,
   searchMcpRegistryPage,
   searchMcpRegistry,
+  safeFetch,
   resolveImageInput,
   resolveHumanConnector,
   resolveAuthSecrets,
+  resetSafeFetch,
+  registerSafeFetch,
   registerMcpTaskDeps,
   registerMcpServer,
   registerImageRasterCodec,
   registerCommonTasks2 as registerCommonTasks,
   produceImageOutput,
+  normalizeOutputMimeType,
   merge,
   mcpTransportTypes,
   mcpToolCall,
@@ -12128,6 +12588,7 @@ export {
   json,
   javaScript,
   isDataUriImage,
+  getSafeFetchImpl,
   getMcpTaskDeps,
   getMcpServerConfig,
   getMcpServer,
@@ -12137,11 +12598,17 @@ export {
   formatImageOutput,
   fileLoader,
   fetchUrl,
+  extractDataUriMimeType,
   delay,
   debugLog,
   createMcpClient,
   createAuthProvider,
+  classifyUrl,
+  classifyIpLiteral,
   buildAuthConfig,
+  assertWithinPixelBudget,
+  assertWithinByteBudget,
+  assertIsDataUri,
   VectorSumTask,
   VectorSubtractTask,
   VectorScaleTask,
@@ -12176,7 +12643,9 @@ export {
   ScalarCeilTask,
   ScalarAddTask,
   ScalarAbsTask,
+  SUPPORTED_OUTPUT_MIME_TYPES,
   RegexTask,
+  REJECTED_DECODE_MIME_TYPES,
   OutputTask,
   MergeTask,
   McpToolCallTask,
@@ -12191,6 +12660,9 @@ export {
   MCP_TASK_DEPS,
   MCP_SERVER_REPOSITORY,
   MCP_SERVERS,
+  MAX_INPUT_BYTES_NODE,
+  MAX_INPUT_BYTES_BROWSER,
+  MAX_DECODED_PIXELS,
   LambdaTask,
   JsonTask,
   JsonPathTask,
@@ -12231,4 +12703,4 @@ export {
   ArrayTask
 };
 
-//# debugId=D5802074607EFED764756E2164756E21
+//# debugId=141DEE75E36B39CB64756E2164756E21