veryfront 0.1.63 → 0.1.65

package/src/src/channels/control-plane.ts

@@ -0,0 +1,332 @@
+import * as dntShim from "../../_dnt.shims.js";
+import type { Agent } from "../agent/index.js";
+import type { HandlerContext } from "../types/index.js";
+import { skillRegistry } from "../skill/registry.js";
+import { base64urlEncodeBytes } from "../utils/base64url.js";
+import { z } from "zod";
+
+const SIGNATURE_SKEW_SECONDS = 5;
+
+const compactJwsHeaderSchema = z.object({
+  alg: z.literal("EdDSA"),
+  typ: z.string().optional(),
+  kid: z.string().optional(),
+});
+
+export const ControlPlaneSurfaceSchema = z.enum(["studio", "channels", "a2a", "mcp"]);
+
+export const ControlPlaneAgentsListRequestSchema = z.object({
+  requestId: z.string().min(1),
+  projectId: z.string().min(1),
+  surface: ControlPlaneSurfaceSchema,
+});
+
+export const RuntimeAgentSkillSchema = z.object({
+  id: z.string().min(1),
+  name: z.string().min(1),
+  description: z.string().optional(),
+  tags: z.array(z.string()).optional(),
+  examples: z.array(z.string()).optional(),
+});
+
+export const RuntimeAgentSchema = z.object({
+  id: z.string().min(1),
+  name: z.string().min(1),
+  description: z.string().nullable().optional(),
+  model: z.string().nullable().optional(),
+  version: z.string().nullable().optional(),
+  skills: z.array(RuntimeAgentSkillSchema).optional(),
+});
+
+export const RuntimeAgentListResponseSchema = z.object({
+  agents: z.array(RuntimeAgentSchema),
+});
+
+const dispatchClaimsSchema = z.object({
+  iss: z.string(),
+  aud: z.string(),
+  sub: z.string(),
+  project_id: z.string(),
+  platform: z.string(),
+  body_sha256: z.string(),
+  iat: z.number().int(),
+  exp: z.number().int(),
+});
+
+const controlPlaneClaimsSchema = z.object({
+  iss: z.string(),
+  aud: z.string(),
+  sub: z.string(),
+  surface: ControlPlaneSurfaceSchema,
+  project_id: z.string(),
+  request_hash: z.string(),
+  iat: z.number().int(),
+  exp: z.number().int(),
+});
+
+export type ControlPlaneSurface = z.infer<typeof ControlPlaneSurfaceSchema>;
+export type ControlPlaneAgentsListRequest = z.infer<typeof ControlPlaneAgentsListRequestSchema>;
+export type RuntimeAgentSkill = z.infer<typeof RuntimeAgentSkillSchema>;
+export type RuntimeAgent = z.infer<typeof RuntimeAgentSchema>;
+export type RuntimeAgentListResponse = z.infer<typeof RuntimeAgentListResponseSchema>;
+export type DispatchClaims = z.infer<typeof dispatchClaimsSchema>;
+export type ControlPlaneClaims = z.infer<typeof controlPlaneClaimsSchema>;
+
+export interface RuntimeAgentDiscoveryDeps {
+  ensureProjectDiscovery: (ctx: HandlerContext) => Promise<void>;
+  getAgent: (id: string) => Agent | undefined;
+  getAllAgentIds: () => string[];
+}
+
+type SignedRequestClaims = {
+  aud: string;
+  exp: number;
+  iat: number;
+  project_id: string;
+  sub: string;
+} & Record<string, unknown>;
+
+function base64urlDecodeToBytes(input: string): ArrayBuffer {
+  const normalized = input
+    .replaceAll("-", "+")
+    .replaceAll("_", "/")
+    .padEnd(Math.ceil(input.length / 4) * 4, "=");
+
+  return toArrayBuffer(Uint8Array.from(atob(normalized), (char) => char.charCodeAt(0)));
+}
+
+function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+  const buffer = new ArrayBuffer(bytes.byteLength);
+  new Uint8Array(buffer).set(bytes);
+  return buffer;
+}
+
+function pemToDer(pem: string, label: string): ArrayBuffer {
+  const body = pem
+    .replace(`-----BEGIN ${label}-----`, "")
+    .replace(`-----END ${label}-----`, "")
+    .replace(/\s/g, "");
+
+  return toArrayBuffer(Uint8Array.from(atob(body), (char) => char.charCodeAt(0)));
+}
+
+async function importEd25519PublicKey(pem: string): Promise<dntShim.CryptoKey> {
+  return dntShim.crypto.subtle.importKey(
+    "spki",
+    pemToDer(pem, "PUBLIC KEY"),
+    "Ed25519",
+    false,
+    ["verify"],
+  );
+}
+
+async function sha256Base64url(body: string): Promise<string> {
+  const hash = await dntShim.crypto.subtle.digest("SHA-256", new TextEncoder().encode(body));
+  return base64urlEncodeBytes(new Uint8Array(hash));
+}
+
+async function verifySignedRequestJws<TClaims extends SignedRequestClaims>(
+  jws: string,
+  body: string,
+  options: {
+    audience: string;
+    claimsSchema: z.ZodType<TClaims>;
+    expectedProjectId?: string;
+    expectedSubject?: string;
+    hashClaimKey: keyof TClaims & string;
+    maxAgeSeconds: number;
+    publicKeyPem: string;
+    scopedClaim?: {
+      key: keyof TClaims & string;
+      label: string;
+      value: string;
+    };
+  },
+): Promise<TClaims> {
+  const parts = jws.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Control-plane signature must be a compact JWS");
+  }
+
+  const encodedHeader = parts[0];
+  const encodedPayload = parts[1];
+  const encodedSignature = parts[2];
+  if (!encodedHeader || !encodedPayload || !encodedSignature) {
+    throw new Error("Control-plane signature must include header, payload, and signature");
+  }
+
+  const header = compactJwsHeaderSchema.parse(
+    JSON.parse(new TextDecoder().decode(base64urlDecodeToBytes(encodedHeader))),
+  );
+  const claims = options.claimsSchema.parse(
+    JSON.parse(new TextDecoder().decode(base64urlDecodeToBytes(encodedPayload))),
+  );
+
+  if (header.alg !== "EdDSA") {
+    throw new Error("Unsupported control-plane JWS algorithm");
+  }
+
+  const signingInput = new TextEncoder().encode(`${encodedHeader}.${encodedPayload}`);
+  const signature = base64urlDecodeToBytes(encodedSignature);
+  const publicKey = await importEd25519PublicKey(options.publicKeyPem);
+  const verified = await dntShim.crypto.subtle.verify("Ed25519", publicKey, signature, signingInput);
+
+  if (!verified) {
+    throw new Error("Control-plane signature verification failed");
+  }
+
+  if (claims.iss !== "veryfront-api") {
+    throw new Error("Control-plane issuer mismatch");
+  }
+
+  if (claims.aud !== options.audience) {
+    throw new Error("Control-plane audience mismatch");
+  }
+
+  if (options.expectedProjectId && claims.project_id !== options.expectedProjectId) {
+    throw new Error("Control-plane project mismatch");
+  }
+
+  if (options.expectedSubject && claims.sub !== options.expectedSubject) {
+    throw new Error("Control-plane subject mismatch");
+  }
+
+  if (options.scopedClaim && claims[options.scopedClaim.key] !== options.scopedClaim.value) {
+    throw new Error(`Control-plane ${options.scopedClaim.label} mismatch`);
+  }
+
+  const now = Math.floor(Date.now() / 1000);
+  if (claims.exp <= now) {
+    throw new Error("Control-plane signature expired");
+  }
+
+  if (claims.iat > now + SIGNATURE_SKEW_SECONDS) {
+    throw new Error("Control-plane signature issued in the future");
+  }
+
+  if (now - claims.iat > options.maxAgeSeconds) {
+    throw new Error("Control-plane signature is too old");
+  }
+
+  const requestHash = claims[options.hashClaimKey];
+  if (typeof requestHash !== "string") {
+    throw new Error("Control-plane request hash is missing");
+  }
+
+  const bodyHash = await sha256Base64url(body);
+  if (requestHash !== bodyHash) {
+    throw new Error("Control-plane body hash mismatch");
+  }
+
+  return claims;
+}
+
+function resolveAgentSkills(agent: Agent): RuntimeAgentSkill[] {
+  if (!agent.config.skills) {
+    return [];
+  }
+
+  return Array.from(skillRegistry.resolveForAgent(agent.config.skills).values())
+    .map((skill) =>
+      RuntimeAgentSkillSchema.parse({
+        id: skill.id,
+        name: skill.metadata.name || skill.id,
+        ...(skill.metadata.description ? { description: skill.metadata.description } : {}),
+      })
+    )
+    .sort((left, right) => left.name.localeCompare(right.name));
+}
+
+function getRuntimeAgentMetadata(agent: Agent): RuntimeAgent {
+  const rawConfig = agent.config as unknown as Record<string, unknown>;
+
+  return RuntimeAgentSchema.parse({
+    id: agent.id,
+    name: typeof rawConfig.name === "string" && rawConfig.name.trim().length > 0
+      ? rawConfig.name
+      : agent.id,
+    description: typeof rawConfig.description === "string" ? rawConfig.description : null,
+    model: agent.config.model ?? null,
+    version: typeof rawConfig.version === "string" ? rawConfig.version : null,
+    skills: resolveAgentSkills(agent),
+  });
+}
+
+export async function listRuntimeAgents(
+  ctx: HandlerContext,
+  deps: RuntimeAgentDiscoveryDeps,
+): Promise<RuntimeAgentListResponse> {
+  await deps.ensureProjectDiscovery(ctx);
+
+  const agents = deps.getAllAgentIds()
+    .map((id) => deps.getAgent(id))
+    .filter((agent): agent is Agent => Boolean(agent))
+    .map(getRuntimeAgentMetadata)
+    .sort((left, right) => left.name.localeCompare(right.name));
+
+  return RuntimeAgentListResponseSchema.parse({ agents });
+}
+
+export async function verifyDispatchJws(
+  jws: string,
+  body: string,
+  options: {
+    audience: string;
+    expectedPlatform?: string;
+    expectedProjectId?: string;
+    expectedSubject?: string;
+    maxAgeSeconds: number;
+    publicKeyPem: string;
+  },
+): Promise<DispatchClaims> {
+  return verifySignedRequestJws(jws, body, {
+    audience: options.audience,
+    claimsSchema: dispatchClaimsSchema,
+    expectedProjectId: options.expectedProjectId,
+    ...(options.expectedSubject ? { expectedSubject: options.expectedSubject } : {}),
+    hashClaimKey: "body_sha256",
+    maxAgeSeconds: options.maxAgeSeconds,
+    publicKeyPem: options.publicKeyPem,
+    ...(options.expectedPlatform
+      ? {
+        scopedClaim: {
+          key: "platform" as const,
+          label: "platform",
+          value: options.expectedPlatform,
+        },
+      }
+      : {}),
+  });
+}
+
+export async function verifyControlPlaneJws(
+  jws: string,
+  body: string,
+  options: {
+    audience: string;
+    expectedProjectId?: string;
+    expectedSubject?: string;
+    expectedSurface?: ControlPlaneSurface;
+    maxAgeSeconds: number;
+    publicKeyPem: string;
+  },
+): Promise<ControlPlaneClaims> {
+  return verifySignedRequestJws(jws, body, {
+    audience: options.audience,
+    claimsSchema: controlPlaneClaimsSchema,
+    expectedProjectId: options.expectedProjectId,
+    ...(options.expectedSubject ? { expectedSubject: options.expectedSubject } : {}),
+    hashClaimKey: "request_hash",
+    maxAgeSeconds: options.maxAgeSeconds,
+    publicKeyPem: options.publicKeyPem,
+    ...(options.expectedSurface
+      ? {
+        scopedClaim: {
+          key: "surface" as const,
+          label: "surface",
+          value: options.expectedSurface,
+        },
+      }
+      : {}),
+  });
+}

package/src/src/channels/invoke.ts

@@ -1,18 +1,16 @@
-import * as dntShim from "../../_dnt.shims.js";
 import type { Agent, AgentMessage as Message, AgentResponse } from "../agent/index.js";
 import { fromError } from "../errors/veryfront-error.js";
 import type { HandlerContext } from "../types/index.js";
 import { serverLogger } from "../utils/index.js";
-import { base64urlEncodeBytes } from "../utils/base64url.js";
 import { z } from "zod";
 import {
   getAgent as getRegisteredAgent,
   getAllAgentIds as getRegisteredAgentIds,
 } from "../agent/composition/composition.js";
+import { listRuntimeAgents, type RuntimeAgentDiscoveryDeps } from "./control-plane.js";
 import { ensureProjectDiscovery as ensureProjectDiscoveryForProject } from "../server/handlers/request/api/project-discovery.js";
 
 const logger = serverLogger.component("channels-invoke");
-const SIGNATURE_SKEW_SECONDS = 5;
 
 const rawHistoryPartSchema = z.object({
   type: z.string(),
@@ -34,11 +32,11 @@ const channelInvokeHistoryMessageSchema = z.object({
   createdAt: z.string().optional(),
 });
 
-export const ChannelInvokeRequestSchema = z.object({
+const channelInvokeRequestWireSchema = z.object({
   dispatchId: z.string().min(1),
   conversationId: z.string().min(1),
   projectId: z.string().min(1),
-  agentConfigId: z.string().min(1),
+  assistantId: z.string().min(1),
   platform: z.literal("slack"),
   inboundMessage: z.object({
     text: z.string(),
@@ -53,6 +51,25 @@ export const ChannelInvokeRequestSchema = z.object({
   }).optional(),
 });
 
+export const ChannelInvokeRequestSchema = channelInvokeRequestWireSchema;
+
+export const ChannelAssistantsRequestSchema = z.object({
+  requestId: z.string().min(1),
+  projectId: z.string().min(1),
+  platform: z.literal("slack"),
+});
+
+export const ChannelAssistantSchema = z.object({
+  id: z.string().min(1),
+  name: z.string().min(1),
+  description: z.string().nullable().optional(),
+  model: z.string().nullable().optional(),
+});
+
+export const ChannelAssistantsResponseSchema = z.object({
+  assistants: z.array(ChannelAssistantSchema),
+});
+
 const channelTextPartSchema = z.object({
   type: z.literal("text"),
   text: z.string(),
@@ -106,34 +123,13 @@ export const ChannelInvokeResponseSchema = z.object({
   }).optional(),
 });
 
-const dispatchHeaderSchema = z.object({
-  alg: z.literal("EdDSA"),
-  typ: z.string().optional(),
-  kid: z.string().optional(),
-});
-
-const dispatchClaimsSchema = z.object({
-  iss: z.string(),
-  aud: z.string(),
-  sub: z.string(),
-  project_id: z.string(),
-  platform: z.string(),
-  body_sha256: z.string(),
-  iat: z.number().int(),
-  exp: z.number().int(),
-});
-
 export type ChannelInvokeRequest = z.infer<typeof ChannelInvokeRequestSchema>;
 export type ChannelInvokeResponse = z.infer<typeof ChannelInvokeResponseSchema>;
+export type ChannelAssistantsRequest = z.infer<typeof ChannelAssistantsRequestSchema>;
+export type ChannelAssistantsResponse = z.infer<typeof ChannelAssistantsResponseSchema>;
 
 type ChannelResponsePart = z.infer<typeof ChannelResponsePartSchema>;
-type DispatchClaims = z.infer<typeof dispatchClaimsSchema>;
-
-export interface ChannelInvokeDeps {
-  ensureProjectDiscovery: (ctx: HandlerContext) => Promise<void>;
-  getAgent: (id: string) => Agent | undefined;
-  getAllAgentIds: () => string[];
-}
+export interface ChannelInvokeDeps extends RuntimeAgentDiscoveryDeps {}
 
 export const defaultChannelInvokeDeps: ChannelInvokeDeps = {
   ensureProjectDiscovery: ensureProjectDiscoveryForProject,
@@ -141,114 +137,23 @@ export const defaultChannelInvokeDeps: ChannelInvokeDeps = {
   getAllAgentIds: getRegisteredAgentIds,
 };
 
-function base64urlDecodeToBytes(input: string): ArrayBuffer {
-  const normalized = input
-    .replaceAll("-", "+")
-    .replaceAll("_", "/")
-    .padEnd(Math.ceil(input.length / 4) * 4, "=");
-
-  return toArrayBuffer(Uint8Array.from(atob(normalized), (char) => char.charCodeAt(0)));
-}
-
-function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
-  const buffer = new ArrayBuffer(bytes.byteLength);
-  new Uint8Array(buffer).set(bytes);
-  return buffer;
-}
-
-function pemToDer(pem: string, label: string): ArrayBuffer {
-  const body = pem
-    .replace(`-----BEGIN ${label}-----`, "")
-    .replace(`-----END ${label}-----`, "")
-    .replace(/\s/g, "");
-
-  return toArrayBuffer(Uint8Array.from(atob(body), (char) => char.charCodeAt(0)));
-}
-
-async function importEd25519PublicKey(pem: string): Promise<dntShim.CryptoKey> {
-  return dntShim.crypto.subtle.importKey(
-    "spki",
-    pemToDer(pem, "PUBLIC KEY"),
-    "Ed25519",
-    false,
-    ["verify"],
-  );
-}
-
-async function sha256Base64url(body: string): Promise<string> {
-  const hash = await dntShim.crypto.subtle.digest("SHA-256", new TextEncoder().encode(body));
-  return base64urlEncodeBytes(new Uint8Array(hash));
-}
-
-export async function verifyDispatchJws(
-  jws: string,
-  body: string,
-  options: {
-    audience: string;
-    publicKeyPem: string;
-    maxAgeSeconds: number;
-    expectedProjectId?: string;
-  },
-): Promise<DispatchClaims> {
-  const parts = jws.split(".");
-  if (parts.length !== 3) {
-    throw new Error("Channel dispatch signature must be a compact JWS");
-  }
-
-  const encodedHeader = parts[0];
-  const encodedPayload = parts[1];
-  const encodedSignature = parts[2];
-  if (!encodedHeader || !encodedPayload || !encodedSignature) {
-    throw new Error("Channel dispatch signature must include header, payload, and signature");
-  }
-  const header = dispatchHeaderSchema.parse(
-    JSON.parse(new TextDecoder().decode(base64urlDecodeToBytes(encodedHeader))),
-  );
-  const claims = dispatchClaimsSchema.parse(
-    JSON.parse(new TextDecoder().decode(base64urlDecodeToBytes(encodedPayload))),
+export async function listChannelAssistants(
+  ctx: HandlerContext,
+  deps: ChannelInvokeDeps,
+): Promise<ChannelAssistantsResponse> {
+  const response = await listRuntimeAgents(ctx, deps);
+  const assistants = response.agents.map((agent) =>
+    ChannelAssistantSchema.parse({
+      id: agent.id,
+      name: agent.name,
+      description: agent.description ?? null,
+      model: agent.model ?? null,
+    })
   );
 
-  if (header.alg !== "EdDSA") {
-    throw new Error("Unsupported channel dispatch JWS algorithm");
-  }
-
-  const signingInput = new TextEncoder().encode(`${encodedHeader}.${encodedPayload}`);
-  const signature = base64urlDecodeToBytes(encodedSignature);
-  const publicKey = await importEd25519PublicKey(options.publicKeyPem);
-  const verified = await dntShim.crypto.subtle.verify("Ed25519", publicKey, signature, signingInput);
-
-  if (!verified) {
-    throw new Error("Channel dispatch signature verification failed");
-  }
-
-  if (claims.aud !== options.audience) {
-    throw new Error("Channel dispatch audience mismatch");
-  }
-
-  if (options.expectedProjectId && claims.project_id !== options.expectedProjectId) {
-    throw new Error("Channel dispatch project mismatch");
-  }
-
-  const now = Math.floor(Date.now() / 1000);
-  if (claims.exp <= now) {
-    throw new Error("Channel dispatch signature expired");
-  }
-
-  if (claims.iat > now + SIGNATURE_SKEW_SECONDS) {
-    throw new Error("Channel dispatch signature issued in the future");
-  }
-
-  if (now - claims.iat > options.maxAgeSeconds) {
-    throw new Error("Channel dispatch signature is too old");
-  }
-
-  const bodySha256 = await sha256Base64url(body);
-  if (claims.body_sha256 !== bodySha256) {
-    throw new Error("Channel dispatch body hash mismatch");
-  }
-
-  return claims;
+  return ChannelAssistantsResponseSchema.parse({ assistants });
 }
+export { verifyDispatchJws } from "./control-plane.js";
 
 function normalizeConversationPart(
   part: z.infer<typeof rawHistoryPartSchema>,
@@ -300,35 +205,10 @@ export function normalizeConversationHistoryForRuntime(
 }
 
 export function resolveChannelInvokeAgent(
-  agentConfigId: string,
+  assistantId: string,
   deps: Pick<ChannelInvokeDeps, "getAgent" | "getAllAgentIds">,
 ): Agent | undefined {
-  const exactAgent = deps.getAgent(agentConfigId);
-  if (exactAgent) {
-    return exactAgent;
-  }
-
-  const agentIds = deps.getAllAgentIds();
-  if (agentIds.length !== 1) {
-    return undefined;
-  }
-
-  const onlyAgentId = agentIds[0];
-  if (!onlyAgentId) {
-    return undefined;
-  }
-  const onlyAgent = deps.getAgent(onlyAgentId);
-  if (onlyAgent) {
-    logger.warn(
-      "Channel invoke fell back to the only discovered runtime agent because agentConfigId did not match a registry id",
-      {
-        requestedAgentConfigId: agentConfigId,
-        resolvedAgentId: onlyAgentId,
-      },
-    );
-  }
-
-  return onlyAgent;
+  return deps.getAgent(assistantId);
 }
 
 function normalizeToolCallState(status: string): "pending" | "completed" | "error" {
@@ -455,10 +335,10 @@ export async function executeChannelInvoke(
 ): Promise<ChannelInvokeResponse> {
   await deps.ensureProjectDiscovery(ctx);
 
-  const agent = resolveChannelInvokeAgent(payload.agentConfigId, deps);
+  const agent = resolveChannelInvokeAgent(payload.assistantId, deps);
   if (!agent) {
     logger.error("Channel invoke could not resolve a runtime agent for the request", {
-      requestedAgentConfigId: payload.agentConfigId,
+      requestedAssistantId: payload.assistantId,
       discoveredAgentIds: deps.getAllAgentIds(),
       projectSlug: ctx.projectSlug,
       projectId: ctx.projectId,
@@ -483,7 +363,7 @@ export async function executeChannelInvoke(
         dispatchId: payload.dispatchId,
         conversationId: payload.conversationId,
         projectId: payload.projectId,
-        agentConfigId: payload.agentConfigId,
+        assistantId: payload.assistantId,
         channel: payload.inboundMessage,
       },
       ...(payload.generation?.maxResponseTokens

package/src/src/integrations/endpoint-executor.ts

@@ -12,6 +12,53 @@ import { logger } from "../utils/index.js";
 import type { IntegrationEndpoint } from "./types.js";
 import { INVALID_ARGUMENT } from "../errors/index.js";
 
+const PRIVATE_IP_RANGES = [
+  /^127\./, // 127.0.0.0/8
+  /^10\./, // 10.0.0.0/8
+  /^172\.(1[6-9]|2\d|3[01])\./, // 172.16.0.0/12
+  /^192\.168\./, // 192.168.0.0/16
+  /^169\.254\./, // 169.254.0.0/16
+  /^0\./, // 0.0.0.0/8
+  /^::1$/, // IPv6 loopback
+  /^f[cd][0-9a-f]{2}:/i, // IPv6 unique local (fc00::/7)
+  /^fe80:/i, // IPv6 link-local (fe80::/10)
+];
+
+export function validateEndpointUrl(url: string): void {
+  let parsed: URL;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw INVALID_ARGUMENT.create({ detail: `Invalid endpoint URL: ${url}` });
+  }
+
+  if (parsed.protocol !== "https:") {
+    throw INVALID_ARGUMENT.create({
+      detail: `Endpoint URL must use HTTPS: ${parsed.protocol}`,
+    });
+  }
+
+  const hostname = parsed.hostname.toLowerCase();
+  if (hostname === "localhost") {
+    throw INVALID_ARGUMENT.create({
+      detail: "Endpoint URL must not target localhost",
+    });
+  }
+
+  // Strip IPv6 brackets for regex matching
+  const bare = hostname.startsWith("[") && hostname.endsWith("]")
+    ? hostname.slice(1, -1)
+    : hostname;
+
+  for (const range of PRIVATE_IP_RANGES) {
+    if (range.test(bare)) {
+      throw INVALID_ARGUMENT.create({
+        detail: "Endpoint URL must not target private/internal networks",
+      });
+    }
+  }
+}
+
 interface ExecutionContext {
   integration: string;
   toolId: string;
@@ -63,6 +110,8 @@ async function executeGraphQL(
     }
   }
 
+  validateEndpointUrl(endpoint.url);
+
   logger.debug("Executing GraphQL endpoint", {
     integration: ctx.integration,
     tool: ctx.toolId,
@@ -149,6 +198,8 @@ async function executeRest(
     headers["Content-Type"] = endpoint.contentType ?? "application/json";
   }
 
+  validateEndpointUrl(urlObj.toString());
+
   logger.debug("Executing REST endpoint", {
     integration: ctx.integration,
     tool: ctx.toolId,