npm - cclawd - Versions diffs - 1.0.2 → 1.0.4 - Mend

cclawd 1.0.2 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

package/dist/build-info.json +3 -3
package/dist/plugin-sdk/active-listener-CN-tMEvN.js +35 -0
package/dist/plugin-sdk/api-key-rotation-CimGYMBc.js +176 -0
package/dist/plugin-sdk/audio-preflight-C-xXBoE2.js +51 -0
package/dist/plugin-sdk/audio-transcription-runner-CTIHpebA.js +2173 -0
package/dist/plugin-sdk/audit-membership-runtime-BFatB2LJ.js +58 -0
package/dist/plugin-sdk/channel-activity-DO0FEzyj.js +95 -0
package/dist/plugin-sdk/channel-web-Da-__nUF.js +2238 -0
package/dist/plugin-sdk/commands-registry-6no2NNrY.js +1118 -0
package/dist/plugin-sdk/compact.runtime-CCoclu5e.js +35 -0
package/dist/plugin-sdk/config-B9ODwgpz.js +37426 -0
package/dist/plugin-sdk/deliver-B1fFpKjV.js +1757 -0
package/dist/plugin-sdk/deliver-runtime-DB-VRMe1.js +15 -0
package/dist/plugin-sdk/deps-send-discord.runtime-DklqycYG.js +15 -0
package/dist/plugin-sdk/deps-send-imessage.runtime-Chs8zeon.js +14 -0
package/dist/plugin-sdk/deps-send-signal.runtime-clW9aSJP.js +13 -0
package/dist/plugin-sdk/deps-send-slack.runtime-BUx0LYY1.js +13 -0
package/dist/plugin-sdk/deps-send-telegram.runtime-LECSHgMG.js +16 -0
package/dist/plugin-sdk/deps-send-whatsapp.runtime-D2d65fw0.js +40 -0
package/dist/plugin-sdk/diagnostic-CxIvS-C2.js +315 -0
package/dist/plugin-sdk/dispatch-BqlR4dPx.js +105863 -0
package/dist/plugin-sdk/env-b9k1PHMI.js +34 -0
package/dist/plugin-sdk/fetch-PoxzAANT.js +326 -0
package/dist/plugin-sdk/fetch-guard-4UVSZ0uS.js +164 -0
package/dist/plugin-sdk/image-Ch6M4tnJ.js +2420 -0
package/dist/plugin-sdk/image-runtime-CSh2o5wY.js +8 -0
package/dist/plugin-sdk/index.js +35 -35
package/dist/plugin-sdk/ir-CugsqGH8.js +1312 -0
package/dist/plugin-sdk/local-roots-adnEg9zb.js +217 -0
package/dist/plugin-sdk/logger-D6zRubj0.js +1164 -0
package/dist/plugin-sdk/login-CYvkQ0At.js +54 -0
package/dist/plugin-sdk/login-qr-ll4NtaT5.js +316 -0
package/dist/plugin-sdk/manager-CHy8IclH.js +3959 -0
package/dist/plugin-sdk/manager-runtime-C70EkEr7.js +11 -0
package/dist/plugin-sdk/outbound-Wzs2iN7X.js +216 -0
package/dist/plugin-sdk/outbound-attachment-khXJwucX.js +17 -0
package/dist/plugin-sdk/paths-BtVqCdw4.js +3063 -0
package/dist/plugin-sdk/pi-model-discovery-Dh4ziodY.js +131 -0
package/dist/plugin-sdk/pi-model-discovery-runtime-b83Xe-HT.js +8 -0
package/dist/plugin-sdk/pi-tools.before-tool-call.runtime-C1z5CDBF.js +349 -0
package/dist/plugin-sdk/proxy-fetch-CJEmoBxi.js +54 -0
package/dist/plugin-sdk/pw-ai-Dj3Cvlzl.js +1990 -0
package/dist/plugin-sdk/qmd-manager-egHUAseQ.js +1581 -0
package/dist/plugin-sdk/resolve-outbound-target-BiICvIKs.js +38 -0
package/dist/plugin-sdk/runtime-whatsapp-login.runtime-DNApufzW.js +9 -0
package/dist/plugin-sdk/runtime-whatsapp-outbound.runtime-CBmtfIQ8.js +13 -0
package/dist/plugin-sdk/send-CScblaI4.js +532 -0
package/dist/plugin-sdk/send-CeHhnld6.js +407 -0
package/dist/plugin-sdk/send-DP_c8JfR.js +3277 -0
package/dist/plugin-sdk/send-Dc5fI6e8.js +495 -0
package/dist/plugin-sdk/send-l-77_s1_.js +2507 -0
package/dist/plugin-sdk/session-CkOKZaqa.js +166 -0
package/dist/plugin-sdk/signal.js +2 -2
package/dist/plugin-sdk/skill-commands-BohYCgkq.js +336 -0
package/dist/plugin-sdk/slash-commands.runtime-DpLfVTM6.js +8 -0
package/dist/plugin-sdk/slash-dispatch.runtime-CASMHwpm.js +35 -0
package/dist/plugin-sdk/slash-skill-commands.runtime-D7rrJEci.js +9 -0
package/dist/plugin-sdk/sqlite-CJE3X7Mv.js +1005 -0
package/dist/plugin-sdk/subagent-registry-runtime-B1oo5bih.js +35 -0
package/dist/plugin-sdk/tables-D5VgpTmm.js +53 -0
package/dist/plugin-sdk/target-errors-C6zZ_OpA.js +191 -0
package/dist/plugin-sdk/tokens-DUnJnpMS.js +50 -0
package/dist/plugin-sdk/web-TfUM1nSi.js +39 -0
package/dist/plugin-sdk/whatsapp-actions-DuWJ0j1r.js +71 -0
package/extensions/mfa-auth/index.ts +36 -17
package/extensions/mfa-auth/src/auth-manager.ts +4 -0
package/extensions/mfa-auth/src/notification-service.ts +5 -1
package/package.json +1 -1

package/dist/plugin-sdk/env-b9k1PHMI.js ADDED Viewed

@@ -0,0 +1,34 @@
+import { a as createSubsystemLogger } from "./logger-D6zRubj0.js";
+//#region src/utils/boolean.ts
+const DEFAULT_TRUTHY = [
+	"true",
+	"1",
+	"yes",
+	"on"
+];
+const DEFAULT_FALSY = [
+	"false",
+	"0",
+	"no",
+	"off"
+];
+const DEFAULT_TRUTHY_SET = new Set(DEFAULT_TRUTHY);
+const DEFAULT_FALSY_SET = new Set(DEFAULT_FALSY);
+function parseBooleanValue(value, options = {}) {
+	if (typeof value === "boolean") return value;
+	if (typeof value !== "string") return;
+	const normalized = value.trim().toLowerCase();
+	if (!normalized) return;
+	const truthy = options.truthy ?? DEFAULT_TRUTHY;
+	const falsy = options.falsy ?? DEFAULT_FALSY;
+	const truthySet = truthy === DEFAULT_TRUTHY ? DEFAULT_TRUTHY_SET : new Set(truthy);
+	const falsySet = falsy === DEFAULT_FALSY ? DEFAULT_FALSY_SET : new Set(falsy);
+	if (truthySet.has(normalized)) return true;
+	if (falsySet.has(normalized)) return false;
+}
+createSubsystemLogger("env");
+function isTruthyEnvValue(value) {
+	return parseBooleanValue(value) === true;
+}
+//#endregion
+export { parseBooleanValue as n, isTruthyEnvValue as t };

package/dist/plugin-sdk/fetch-PoxzAANT.js ADDED Viewed

@@ -0,0 +1,326 @@
+import { a as createSubsystemLogger } from "./logger-D6zRubj0.js";
+import { t as isTruthyEnvValue } from "./env-b9k1PHMI.js";
+import { t as resolveFetch } from "./fetch-BSKpf2dM.js";
+import { t as getProxyUrlFromFetch } from "./proxy-fetch-CJEmoBxi.js";
+import { readFileSync } from "node:fs";
+import "node:fs/promises";
+import process$1 from "node:process";
+import * as dns from "node:dns";
+import { Agent, EnvHttpProxyAgent, ProxyAgent, fetch } from "undici";
+//#region src/infra/wsl.ts
+function isWSLEnv() {
+	if (process.env.WSL_INTEROP || process.env.WSL_DISTRO_NAME || process.env.WSLENV) return true;
+	return false;
+}
+/**
+* Synchronously check if running in WSL.
+* Checks env vars first, then /proc/version.
+*/
+function isWSLSync() {
+	if (process.platform !== "linux") return false;
+	if (isWSLEnv()) return true;
+	try {
+		const release = readFileSync("/proc/version", "utf8").toLowerCase();
+		return release.includes("microsoft") || release.includes("wsl");
+	} catch {
+		return false;
+	}
+}
+/**
+* Synchronously check if running in WSL2.
+*/
+function isWSL2Sync() {
+	if (!isWSLSync()) return false;
+	try {
+		const version = readFileSync("/proc/version", "utf8").toLowerCase();
+		return version.includes("wsl2") || version.includes("microsoft-standard");
+	} catch {
+		return false;
+	}
+}
+//#endregion
+//#region src/telegram/network-config.ts
+const TELEGRAM_DISABLE_AUTO_SELECT_FAMILY_ENV = "OPENCLAW_TELEGRAM_DISABLE_AUTO_SELECT_FAMILY";
+const TELEGRAM_ENABLE_AUTO_SELECT_FAMILY_ENV = "OPENCLAW_TELEGRAM_ENABLE_AUTO_SELECT_FAMILY";
+const TELEGRAM_DNS_RESULT_ORDER_ENV = "OPENCLAW_TELEGRAM_DNS_RESULT_ORDER";
+let wsl2SyncCache;
+function isWSL2SyncCached() {
+	if (typeof wsl2SyncCache === "boolean") return wsl2SyncCache;
+	wsl2SyncCache = isWSL2Sync();
+	return wsl2SyncCache;
+}
+function resolveTelegramAutoSelectFamilyDecision(params) {
+	const env = params?.env ?? process$1.env;
+	const nodeMajor = typeof params?.nodeMajor === "number" ? params.nodeMajor : Number(process$1.versions.node.split(".")[0]);
+	if (isTruthyEnvValue(env["OPENCLAW_TELEGRAM_ENABLE_AUTO_SELECT_FAMILY"])) return {
+		value: true,
+		source: `env:${TELEGRAM_ENABLE_AUTO_SELECT_FAMILY_ENV}`
+	};
+	if (isTruthyEnvValue(env["OPENCLAW_TELEGRAM_DISABLE_AUTO_SELECT_FAMILY"])) return {
+		value: false,
+		source: `env:${TELEGRAM_DISABLE_AUTO_SELECT_FAMILY_ENV}`
+	};
+	if (typeof params?.network?.autoSelectFamily === "boolean") return {
+		value: params.network.autoSelectFamily,
+		source: "config"
+	};
+	if (isWSL2SyncCached()) return {
+		value: false,
+		source: "default-wsl2"
+	};
+	if (Number.isFinite(nodeMajor) && nodeMajor >= 22) return {
+		value: true,
+		source: "default-node22"
+	};
+	return { value: null };
+}
+/**
+* Resolve DNS result order setting for Telegram network requests.
+* Some networks/ISPs have issues with IPv6 causing fetch failures.
+* Setting "ipv4first" prioritizes IPv4 addresses in DNS resolution.
+*
+* Priority:
+* 1. Environment variable OPENCLAW_TELEGRAM_DNS_RESULT_ORDER
+* 2. Config: channels.telegram.network.dnsResultOrder
+* 3. Default: "ipv4first" on Node 22+ (to work around common IPv6 issues)
+*/
+function resolveTelegramDnsResultOrderDecision(params) {
+	const env = params?.env ?? process$1.env;
+	const nodeMajor = typeof params?.nodeMajor === "number" ? params.nodeMajor : Number(process$1.versions.node.split(".")[0]);
+	const envValue = env[TELEGRAM_DNS_RESULT_ORDER_ENV]?.trim().toLowerCase();
+	if (envValue === "ipv4first" || envValue === "verbatim") return {
+		value: envValue,
+		source: `env:${TELEGRAM_DNS_RESULT_ORDER_ENV}`
+	};
+	const configValue = (params?.network)?.dnsResultOrder?.trim().toLowerCase();
+	if (configValue === "ipv4first" || configValue === "verbatim") return {
+		value: configValue,
+		source: "config"
+	};
+	if (Number.isFinite(nodeMajor) && nodeMajor >= 22) return {
+		value: "ipv4first",
+		source: "default-node22"
+	};
+	return { value: null };
+}
+//#endregion
+//#region src/telegram/fetch.ts
+const log = createSubsystemLogger("telegram/network");
+const TELEGRAM_AUTO_SELECT_FAMILY_ATTEMPT_TIMEOUT_MS = 300;
+const TELEGRAM_API_HOSTNAME = "api.telegram.org";
+const FALLBACK_RETRY_ERROR_CODES = [
+	"ETIMEDOUT",
+	"ENETUNREACH",
+	"EHOSTUNREACH",
+	"UND_ERR_CONNECT_TIMEOUT",
+	"UND_ERR_SOCKET"
+];
+const IPV4_FALLBACK_RULES = [{
+	name: "fetch-failed-envelope",
+	matches: ({ message }) => message.includes("fetch failed")
+}, {
+	name: "known-network-code",
+	matches: ({ codes }) => FALLBACK_RETRY_ERROR_CODES.some((code) => codes.has(code))
+}];
+function normalizeDnsResultOrder(value) {
+	if (value === "ipv4first" || value === "verbatim") return value;
+	return null;
+}
+function createDnsResultOrderLookup(order) {
+	if (!order) return;
+	const lookup = dns.lookup;
+	return (hostname, options, callback) => {
+		lookup(hostname, {
+			...typeof options === "number" ? { family: options } : options ? { ...options } : {},
+			order,
+			verbatim: order === "verbatim"
+		}, callback);
+	};
+}
+function buildTelegramConnectOptions(params) {
+	const connect = {};
+	if (params.forceIpv4) {
+		connect.family = 4;
+		connect.autoSelectFamily = false;
+	} else if (typeof params.autoSelectFamily === "boolean") {
+		connect.autoSelectFamily = params.autoSelectFamily;
+		connect.autoSelectFamilyAttemptTimeout = TELEGRAM_AUTO_SELECT_FAMILY_ATTEMPT_TIMEOUT_MS;
+	}
+	const lookup = createDnsResultOrderLookup(params.dnsResultOrder);
+	if (lookup) connect.lookup = lookup;
+	return Object.keys(connect).length > 0 ? connect : null;
+}
+function shouldBypassEnvProxyForTelegramApi(env = process.env) {
+	const noProxyValue = env.no_proxy ?? env.NO_PROXY ?? "";
+	if (!noProxyValue) return false;
+	if (noProxyValue === "*") return true;
+	const targetHostname = TELEGRAM_API_HOSTNAME.toLowerCase();
+	const targetPort = 443;
+	const noProxyEntries = noProxyValue.split(/[,\s]/);
+	for (let i = 0; i < noProxyEntries.length; i++) {
+		const entry = noProxyEntries[i];
+		if (!entry) continue;
+		const parsed = entry.match(/^(.+):(\d+)$/);
+		const entryHostname = (parsed ? parsed[1] : entry).replace(/^\*?\./, "").toLowerCase();
+		const entryPort = parsed ? Number.parseInt(parsed[2], 10) : 0;
+		if (entryPort && entryPort !== targetPort) continue;
+		if (targetHostname === entryHostname || targetHostname.slice(-(entryHostname.length + 1)) === `.${entryHostname}`) return true;
+	}
+	return false;
+}
+function hasEnvHttpProxyForTelegramApi(env = process.env) {
+	const httpProxy = env.http_proxy ?? env.HTTP_PROXY;
+	const httpsProxy = env.https_proxy ?? env.HTTPS_PROXY;
+	return Boolean(httpProxy) || Boolean(httpsProxy);
+}
+function createTelegramDispatcher(params) {
+	const connect = buildTelegramConnectOptions({
+		autoSelectFamily: params.autoSelectFamily,
+		dnsResultOrder: params.dnsResultOrder,
+		forceIpv4: params.forceIpv4
+	});
+	const explicitProxyUrl = params.proxyUrl?.trim();
+	if (explicitProxyUrl) {
+		const proxyOptions = connect ? {
+			uri: explicitProxyUrl,
+			proxyTls: connect
+		} : explicitProxyUrl;
+		try {
+			return {
+				dispatcher: new ProxyAgent(proxyOptions),
+				mode: "explicit-proxy"
+			};
+		} catch (err) {
+			const reason = err instanceof Error ? err.message : String(err);
+			throw new Error(`explicit proxy dispatcher init failed: ${reason}`, { cause: err });
+		}
+	}
+	if (params.useEnvProxy) {
+		const proxyOptions = connect ? {
+			connect,
+			proxyTls: connect
+		} : void 0;
+		try {
+			return {
+				dispatcher: new EnvHttpProxyAgent(proxyOptions),
+				mode: "env-proxy"
+			};
+		} catch (err) {
+			log.warn(`env proxy dispatcher init failed; falling back to direct dispatcher: ${err instanceof Error ? err.message : String(err)}`);
+		}
+	}
+	return {
+		dispatcher: new Agent(connect ? { connect } : void 0),
+		mode: "direct"
+	};
+}
+function withDispatcherIfMissing(init, dispatcher) {
+	if (init?.dispatcher) return init ?? {};
+	return init ? {
+		...init,
+		dispatcher
+	} : { dispatcher };
+}
+function resolveWrappedFetch(fetchImpl) {
+	return resolveFetch(fetchImpl) ?? fetchImpl;
+}
+function logResolverNetworkDecisions(params) {
+	if (params.autoSelectDecision.value !== null) {
+		const sourceLabel = params.autoSelectDecision.source ? ` (${params.autoSelectDecision.source})` : "";
+		log.info(`autoSelectFamily=${params.autoSelectDecision.value}${sourceLabel}`);
+	}
+	if (params.dnsDecision.value !== null) {
+		const sourceLabel = params.dnsDecision.source ? ` (${params.dnsDecision.source})` : "";
+		log.info(`dnsResultOrder=${params.dnsDecision.value}${sourceLabel}`);
+	}
+}
+function collectErrorCodes(err) {
+	const codes = /* @__PURE__ */ new Set();
+	const queue = [err];
+	const seen = /* @__PURE__ */ new Set();
+	while (queue.length > 0) {
+		const current = queue.shift();
+		if (!current || seen.has(current)) continue;
+		seen.add(current);
+		if (typeof current === "object") {
+			const code = current.code;
+			if (typeof code === "string" && code.trim()) codes.add(code.trim().toUpperCase());
+			const cause = current.cause;
+			if (cause && !seen.has(cause)) queue.push(cause);
+			const errors = current.errors;
+			if (Array.isArray(errors)) {
+				for (const nested of errors) if (nested && !seen.has(nested)) queue.push(nested);
+			}
+		}
+	}
+	return codes;
+}
+function formatErrorCodes(err) {
+	const codes = [...collectErrorCodes(err)];
+	return codes.length > 0 ? codes.join(",") : "none";
+}
+function shouldRetryWithIpv4Fallback(err) {
+	const ctx = {
+		message: err && typeof err === "object" && "message" in err ? String(err.message).toLowerCase() : "",
+		codes: collectErrorCodes(err)
+	};
+	for (const rule of IPV4_FALLBACK_RULES) if (!rule.matches(ctx)) return false;
+	return true;
+}
+function resolveTelegramFetch(proxyFetch, options) {
+	const autoSelectDecision = resolveTelegramAutoSelectFamilyDecision({ network: options?.network });
+	const dnsDecision = resolveTelegramDnsResultOrderDecision({ network: options?.network });
+	logResolverNetworkDecisions({
+		autoSelectDecision,
+		dnsDecision
+	});
+	const explicitProxyUrl = proxyFetch ? getProxyUrlFromFetch(proxyFetch) : void 0;
+	const undiciSourceFetch = resolveWrappedFetch(fetch);
+	const sourceFetch = explicitProxyUrl ? undiciSourceFetch : proxyFetch ? resolveWrappedFetch(proxyFetch) : undiciSourceFetch;
+	if (proxyFetch && !explicitProxyUrl) return sourceFetch;
+	const dnsResultOrder = normalizeDnsResultOrder(dnsDecision.value);
+	const useEnvProxy = !explicitProxyUrl && hasEnvHttpProxyForTelegramApi();
+	const defaultDispatcherResolution = createTelegramDispatcher({
+		autoSelectFamily: autoSelectDecision.value,
+		dnsResultOrder,
+		useEnvProxy,
+		forceIpv4: false,
+		proxyUrl: explicitProxyUrl
+	});
+	const defaultDispatcher = defaultDispatcherResolution.dispatcher;
+	const shouldBypassEnvProxy = shouldBypassEnvProxyForTelegramApi();
+	const allowStickyIpv4Fallback = defaultDispatcherResolution.mode === "direct" || defaultDispatcherResolution.mode === "env-proxy" && shouldBypassEnvProxy;
+	const stickyShouldUseEnvProxy = defaultDispatcherResolution.mode === "env-proxy";
+	let stickyIpv4FallbackEnabled = false;
+	let stickyIpv4Dispatcher = null;
+	const resolveStickyIpv4Dispatcher = () => {
+		if (!stickyIpv4Dispatcher) stickyIpv4Dispatcher = createTelegramDispatcher({
+			autoSelectFamily: false,
+			dnsResultOrder: "ipv4first",
+			useEnvProxy: stickyShouldUseEnvProxy,
+			forceIpv4: true,
+			proxyUrl: explicitProxyUrl
+		}).dispatcher;
+		return stickyIpv4Dispatcher;
+	};
+	return (async (input, init) => {
+		const callerProvidedDispatcher = Boolean(init?.dispatcher);
+		const initialInit = withDispatcherIfMissing(init, stickyIpv4FallbackEnabled ? resolveStickyIpv4Dispatcher() : defaultDispatcher);
+		try {
+			return await sourceFetch(input, initialInit);
+		} catch (err) {
+			if (shouldRetryWithIpv4Fallback(err)) {
+				if (callerProvidedDispatcher) return sourceFetch(input, init ?? {});
+				if (!allowStickyIpv4Fallback) throw err;
+				if (!stickyIpv4FallbackEnabled) {
+					stickyIpv4FallbackEnabled = true;
+					log.warn(`fetch fallback: enabling sticky IPv4-only dispatcher (codes=${formatErrorCodes(err)})`);
+				}
+				return sourceFetch(input, withDispatcherIfMissing(init, resolveStickyIpv4Dispatcher()));
+			}
+			throw err;
+		}
+	});
+}
+//#endregion
+export { isWSLSync as i, isWSL2Sync as n, isWSLEnv as r, resolveTelegramFetch as t };

package/dist/plugin-sdk/fetch-guard-4UVSZ0uS.js ADDED Viewed

@@ -0,0 +1,164 @@
+import { $s as createPinnedDispatcher, Qs as closeDispatcher, Xs as hasProxyEnvConfigured, Zs as SsrFBlockedError, rc as resolvePinnedHostnameWithPolicy } from "./config-B9ODwgpz.js";
+import { i as logWarn } from "./logger-D6zRubj0.js";
+import { t as bindAbortRelay } from "./fetch-timeout-D2j7yeE1.js";
+import { EnvHttpProxyAgent } from "undici";
+//#region src/infra/net/fetch-guard.ts
+const GUARDED_FETCH_MODE = {
+	STRICT: "strict",
+	TRUSTED_ENV_PROXY: "trusted_env_proxy"
+};
+const DEFAULT_MAX_REDIRECTS = 3;
+const CROSS_ORIGIN_REDIRECT_SAFE_HEADERS = new Set([
+	"accept",
+	"accept-encoding",
+	"accept-language",
+	"cache-control",
+	"content-language",
+	"content-type",
+	"if-match",
+	"if-modified-since",
+	"if-none-match",
+	"if-unmodified-since",
+	"pragma",
+	"range",
+	"user-agent"
+]);
+function withStrictGuardedFetchMode(params) {
+	return {
+		...params,
+		mode: GUARDED_FETCH_MODE.STRICT
+	};
+}
+function withTrustedEnvProxyGuardedFetchMode(params) {
+	return {
+		...params,
+		mode: GUARDED_FETCH_MODE.TRUSTED_ENV_PROXY
+	};
+}
+function resolveGuardedFetchMode(params) {
+	if (params.mode) return params.mode;
+	if (params.proxy === "env" && params.dangerouslyAllowEnvProxyWithoutPinnedDns === true) return GUARDED_FETCH_MODE.TRUSTED_ENV_PROXY;
+	return GUARDED_FETCH_MODE.STRICT;
+}
+function isRedirectStatus(status) {
+	return status === 301 || status === 302 || status === 303 || status === 307 || status === 308;
+}
+function retainSafeHeadersForCrossOriginRedirect(init) {
+	if (!init?.headers) return init;
+	const incoming = new Headers(init.headers);
+	const headers = new Headers();
+	for (const [key, value] of incoming.entries()) if (CROSS_ORIGIN_REDIRECT_SAFE_HEADERS.has(key.toLowerCase())) headers.set(key, value);
+	return {
+		...init,
+		headers
+	};
+}
+function buildAbortSignal(params) {
+	const { timeoutMs, signal } = params;
+	if (!timeoutMs && !signal) return {
+		signal: void 0,
+		cleanup: () => {}
+	};
+	if (!timeoutMs) return {
+		signal,
+		cleanup: () => {}
+	};
+	const controller = new AbortController();
+	const timeoutId = setTimeout(controller.abort.bind(controller), timeoutMs);
+	const onAbort = bindAbortRelay(controller);
+	if (signal) if (signal.aborted) controller.abort();
+	else signal.addEventListener("abort", onAbort, { once: true });
+	const cleanup = () => {
+		clearTimeout(timeoutId);
+		if (signal) signal.removeEventListener("abort", onAbort);
+	};
+	return {
+		signal: controller.signal,
+		cleanup
+	};
+}
+async function fetchWithSsrFGuard(params) {
+	const fetcher = params.fetchImpl ?? globalThis.fetch;
+	if (!fetcher) throw new Error("fetch is not available");
+	const maxRedirects = typeof params.maxRedirects === "number" && Number.isFinite(params.maxRedirects) ? Math.max(0, Math.floor(params.maxRedirects)) : DEFAULT_MAX_REDIRECTS;
+	const mode = resolveGuardedFetchMode(params);
+	const { signal, cleanup } = buildAbortSignal({
+		timeoutMs: params.timeoutMs,
+		signal: params.signal
+	});
+	let released = false;
+	const release = async (dispatcher) => {
+		if (released) return;
+		released = true;
+		cleanup();
+		await closeDispatcher(dispatcher ?? void 0);
+	};
+	const visited = /* @__PURE__ */ new Set();
+	let currentUrl = params.url;
+	let currentInit = params.init ? { ...params.init } : void 0;
+	let redirectCount = 0;
+	while (true) {
+		let parsedUrl;
+		try {
+			parsedUrl = new URL(currentUrl);
+		} catch {
+			await release();
+			throw new Error("Invalid URL: must be http or https");
+		}
+		if (!["http:", "https:"].includes(parsedUrl.protocol)) {
+			await release();
+			throw new Error("Invalid URL: must be http or https");
+		}
+		let dispatcher = null;
+		try {
+			const pinned = await resolvePinnedHostnameWithPolicy(parsedUrl.hostname, {
+				lookupFn: params.lookupFn,
+				policy: params.policy
+			});
+			if (mode === GUARDED_FETCH_MODE.TRUSTED_ENV_PROXY && hasProxyEnvConfigured()) dispatcher = new EnvHttpProxyAgent();
+			else if (params.pinDns !== false) dispatcher = createPinnedDispatcher(pinned);
+			const init = {
+				...currentInit ? { ...currentInit } : {},
+				redirect: "manual",
+				...dispatcher ? { dispatcher } : {},
+				...signal ? { signal } : {}
+			};
+			const response = await fetcher(parsedUrl.toString(), init);
+			if (isRedirectStatus(response.status)) {
+				const location = response.headers.get("location");
+				if (!location) {
+					await release(dispatcher);
+					throw new Error(`Redirect missing location header (${response.status})`);
+				}
+				redirectCount += 1;
+				if (redirectCount > maxRedirects) {
+					await release(dispatcher);
+					throw new Error(`Too many redirects (limit: ${maxRedirects})`);
+				}
+				const nextParsedUrl = new URL(location, parsedUrl);
+				const nextUrl = nextParsedUrl.toString();
+				if (visited.has(nextUrl)) {
+					await release(dispatcher);
+					throw new Error("Redirect loop detected");
+				}
+				if (nextParsedUrl.origin !== parsedUrl.origin) currentInit = retainSafeHeadersForCrossOriginRedirect(currentInit);
+				visited.add(nextUrl);
+				response.body?.cancel();
+				await closeDispatcher(dispatcher);
+				currentUrl = nextUrl;
+				continue;
+			}
+			return {
+				response,
+				finalUrl: currentUrl,
+				release: async () => release(dispatcher)
+			};
+		} catch (err) {
+			if (err instanceof SsrFBlockedError) logWarn(`security: blocked URL fetch (${params.auditContext ?? "url-fetch"}) target=${parsedUrl.origin}${parsedUrl.pathname} reason=${err.message}`);
+			await release(dispatcher);
+			throw err;
+		}
+	}
+}
+//#endregion
+export { withStrictGuardedFetchMode as n, withTrustedEnvProxyGuardedFetchMode as r, fetchWithSsrFGuard as t };