devcopilot 0.2.0__py3-none-any.whl

api/routes.py

@@ -0,0 +1,156 @@
+"""FastAPI route handlers."""
+
+from fastapi import APIRouter, Depends, HTTPException, Request, Response
+from loguru import logger
+
+from config.settings import Settings
+from core.anthropic import get_token_count
+from core.trace import trace_event
+from providers.registry import ProviderRegistry
+
+from . import dependencies
+from .dependencies import get_settings, require_api_key
+from .model_catalog import build_models_list_response
+from .models.anthropic import MessagesRequest, TokenCountRequest
+from .models.openai_responses import OpenAIResponsesRequest
+from .models.responses import ModelsListResponse
+from .request_pipeline import ApiRequestPipeline
+
+router = APIRouter()
+
+
+def get_request_pipeline(
+    request: Request,
+    settings: Settings = Depends(get_settings),
+) -> ApiRequestPipeline:
+    """Build the API request pipeline for route handlers."""
+    return ApiRequestPipeline(
+        settings,
+        provider_getter=lambda provider_type: dependencies.resolve_provider(
+            provider_type, app=request.app, settings=settings
+        ),
+        token_counter=get_token_count,
+    )
+
+
+def _probe_response(allow: str) -> Response:
+    """Return an empty success response for compatibility probes."""
+    return Response(status_code=204, headers={"Allow": allow})
+
+
+# =============================================================================
+# Routes
+# =============================================================================
+@router.post("/v1/messages")
+async def create_message(
+    request_data: MessagesRequest,
+    pipeline: ApiRequestPipeline = Depends(get_request_pipeline),
+    _auth=Depends(require_api_key),
+):
+    """Create a message (always streaming)."""
+    return pipeline.create_message(request_data)
+
+
+@router.api_route("/v1/messages", methods=["HEAD", "OPTIONS"])
+async def probe_messages(_auth=Depends(require_api_key)):
+    """Respond to Claude compatibility probes for the messages endpoint."""
+    return _probe_response("POST, HEAD, OPTIONS")
+
+
+@router.post("/v1/responses")
+async def create_response(
+    request_data: OpenAIResponsesRequest,
+    pipeline: ApiRequestPipeline = Depends(get_request_pipeline),
+    _auth=Depends(require_api_key),
+):
+    """Create an OpenAI Responses-compatible response through this proxy."""
+    return await pipeline.create_response(request_data)
+
+
+@router.api_route("/v1/responses", methods=["HEAD", "OPTIONS"])
+async def probe_responses(_auth=Depends(require_api_key)):
+    """Respond to OpenAI Responses compatibility probes."""
+    return _probe_response("POST, HEAD, OPTIONS")
+
+
+@router.post("/v1/messages/count_tokens")
+async def count_tokens(
+    request_data: TokenCountRequest,
+    pipeline: ApiRequestPipeline = Depends(get_request_pipeline),
+    _auth=Depends(require_api_key),
+):
+    """Count tokens for a request."""
+    return pipeline.count_tokens(request_data)
+
+
+@router.api_route("/v1/messages/count_tokens", methods=["HEAD", "OPTIONS"])
+async def probe_count_tokens(_auth=Depends(require_api_key)):
+    """Respond to Claude compatibility probes for the token count endpoint."""
+    return _probe_response("POST, HEAD, OPTIONS")
+
+
+@router.get("/")
+async def root(
+    settings: Settings = Depends(get_settings), _auth=Depends(require_api_key)
+):
+    """Root endpoint."""
+    return {
+        "status": "ok",
+        "provider": settings.provider_type,
+        "model": settings.model,
+    }
+
+
+@router.api_route("/", methods=["HEAD", "OPTIONS"])
+async def probe_root():
+    """Respond to unauthenticated local compatibility probes for the root endpoint."""
+    return _probe_response("GET, HEAD, OPTIONS")
+
+
+@router.get("/health")
+async def health():
+    """Health check endpoint."""
+    return {"status": "healthy"}
+
+
+@router.api_route("/health", methods=["HEAD", "OPTIONS"])
+async def probe_health():
+    """Respond to compatibility probes for the health endpoint."""
+    return _probe_response("GET, HEAD, OPTIONS")
+
+
+@router.get("/v1/models", response_model=ModelsListResponse)
+async def list_models(
+    request: Request,
+    settings: Settings = Depends(get_settings),
+    _auth=Depends(require_api_key),
+):
+    """List the model ids this proxy advertises to Claude-compatible clients."""
+    trace_event(stage="ingress", event="api.models.list", source="api")
+    registry = getattr(request.app.state, "provider_registry", None)
+    provider_registry = registry if isinstance(registry, ProviderRegistry) else None
+    return build_models_list_response(settings, provider_registry)
+
+
+@router.post("/stop")
+async def stop_cli(request: Request, _auth=Depends(require_api_key)):
+    """Stop all CLI sessions and pending tasks."""
+    workflow = getattr(request.app.state, "messaging_workflow", None)
+    if not workflow:
+        # Fallback if messaging not initialized
+        cli_manager = getattr(request.app.state, "cli_manager", None)
+        if cli_manager:
+            await cli_manager.stop_all()
+            logger.info("STOP_CLI: source=cli_manager cancelled_count=N/A")
+            return {"status": "stopped", "source": "cli_manager"}
+        raise HTTPException(status_code=503, detail="Messaging system not initialized")
+
+    count = await workflow.stop_all_tasks()
+    trace_event(
+        stage="ingress",
+        event="api.cli.stop_via_messaging_workflow",
+        source="api",
+        cancelled_nodes=count,
+    )
+    logger.info("STOP_CLI: source=messaging_workflow cancelled_count={}", count)
+    return {"status": "stopped", "cancelled_count": count}

api/runtime.py

@@ -0,0 +1,334 @@
+"""Application runtime composition and lifecycle ownership."""
+
+from __future__ import annotations
+
+import asyncio
+import logging
+import os
+from dataclasses import dataclass, field
+from typing import TYPE_CHECKING, Any
+
+from fastapi import FastAPI
+from loguru import logger
+
+from api.admin_urls import local_admin_url
+from config.settings import Settings, get_settings
+from providers.exceptions import ServiceUnavailableError
+from providers.registry import ProviderRegistry
+
+if TYPE_CHECKING:
+    from cli.managed import ManagedClaudeSessionManager
+    from messaging.platforms.base import MessagingPlatform
+    from messaging.session import SessionStore
+    from messaging.workflow import MessagingWorkflow
+
+_SHUTDOWN_TIMEOUT_S = 5.0
+
+
+async def best_effort(
+    name: str,
+    awaitable: Any,
+    timeout_s: float = _SHUTDOWN_TIMEOUT_S,
+    *,
+    log_verbose_errors: bool = False,
+) -> None:
+    """Run a shutdown step with timeout; never raise to callers."""
+    try:
+        await asyncio.wait_for(awaitable, timeout=timeout_s)
+    except TimeoutError:
+        logger.warning("Shutdown step timed out: {} ({}s)", name, timeout_s)
+    except Exception as e:
+        if log_verbose_errors:
+            logger.warning(
+                "Shutdown step failed: {}: {}: {}",
+                name,
+                type(e).__name__,
+                e,
+            )
+        else:
+            logger.warning(
+                "Shutdown step failed: {}: exc_type={}",
+                name,
+                type(e).__name__,
+            )
+
+
+def warn_if_process_auth_token(settings: Settings) -> None:
+    """Warn when server auth was implicitly inherited from the shell."""
+    if settings.uses_process_anthropic_auth_token():
+        logger.warning(
+            "ANTHROPIC_AUTH_TOKEN is set in the process environment but not in "
+            "a configured .env file. The proxy will require that token. Add "
+            "ANTHROPIC_AUTH_TOKEN= to .env to disable proxy auth, or set the "
+            "same token in .env to make server auth explicit."
+        )
+
+
+def log_startup_failure(settings: Settings, exc: Exception) -> None:
+    """Log startup failures without traceback noise unless verbose diagnostics are enabled."""
+    message = startup_failure_message(settings, exc)
+    logger.error("Startup failed:\n{}", message)
+
+
+def startup_failure_message(settings: Settings, exc: Exception) -> str:
+    """Return a concise startup failure message for logs and ASGI lifespan failure."""
+    if isinstance(exc, ServiceUnavailableError):
+        return exc.message.strip() or "Server startup failed."
+
+    if settings.log_api_error_tracebacks:
+        return f"{type(exc).__name__}: {exc}"
+
+    return f"Server startup failed: exc_type={type(exc).__name__}"
+
+
+@dataclass(slots=True)
+class AppRuntime:
+    """Own optional messaging, CLI, session, and provider runtime resources."""
+
+    app: FastAPI
+    settings: Settings
+    _provider_registry: ProviderRegistry | None = field(default=None, init=False)
+    messaging_platform: MessagingPlatform | None = None
+    messaging_workflow: MessagingWorkflow | None = None
+    cli_manager: ManagedClaudeSessionManager | None = None
+
+    @classmethod
+    def for_app(
+        cls,
+        app: FastAPI,
+        settings: Settings | None = None,
+    ) -> AppRuntime:
+        return cls(app=app, settings=settings or get_settings())
+
+    async def startup(self) -> None:
+        logger.info("Starting Claude Code Proxy...")
+        admin_url = local_admin_url(self.settings)
+        self._provider_registry = ProviderRegistry()
+        self.app.state.provider_registry = self._provider_registry
+        try:
+            warn_if_process_auth_token(self.settings)
+            await self._validate_configured_models_best_effort()
+            self._provider_registry.start_model_list_refresh(self.settings)
+            await self._start_messaging_if_configured()
+            self._publish_state()
+            logging.getLogger("uvicorn.error").info(
+                "Admin UI: %s (local-only)", admin_url
+            )
+        except Exception as exc:
+            log_startup_failure(self.settings, exc)
+            await best_effort(
+                "provider_registry.cleanup",
+                self._provider_registry.cleanup(),
+                log_verbose_errors=self.settings.log_api_error_tracebacks,
+            )
+            raise
+
+    async def _validate_configured_models_best_effort(self) -> None:
+        """Warm validation status without blocking first-run/admin access."""
+        if self._provider_registry is None:
+            return
+        try:
+            await self._provider_registry.validate_configured_models(self.settings)
+        except ServiceUnavailableError as exc:
+            self.app.state.startup_validation_error = exc.message
+            logger.warning(
+                "Configured provider model validation failed during startup; "
+                "server will continue and requests will fail at provider resolution "
+                "when config is incomplete. {}",
+                exc.message,
+            )
+
+    async def shutdown(self) -> None:
+        verbose = self.settings.log_api_error_tracebacks
+        if self.messaging_workflow is not None:
+            try:
+                self.messaging_workflow.session_store.flush_pending_save()
+            except Exception as e:
+                if verbose:
+                    logger.warning("Session store flush on shutdown: {}", e)
+                else:
+                    logger.warning(
+                        "Session store flush on shutdown: exc_type={}",
+                        type(e).__name__,
+                    )
+
+        logger.info("Shutdown requested, cleaning up...")
+        if self.messaging_platform:
+            await best_effort(
+                "messaging_platform.stop",
+                self.messaging_platform.stop(),
+                log_verbose_errors=verbose,
+            )
+        if self.cli_manager:
+            await best_effort(
+                "cli_manager.stop_all",
+                self.cli_manager.stop_all(),
+                log_verbose_errors=verbose,
+            )
+        if self._provider_registry is not None:
+            await best_effort(
+                "provider_registry.cleanup",
+                self._provider_registry.cleanup(),
+                log_verbose_errors=verbose,
+            )
+        await self._shutdown_limiter()
+        logger.info("Server shut down cleanly")
+
+    async def _start_messaging_if_configured(self) -> None:
+        try:
+            from messaging.platforms.factory import (
+                MessagingPlatformOptions,
+                create_messaging_platform,
+            )
+
+            self.messaging_platform = create_messaging_platform(
+                self.settings.messaging_platform,
+                MessagingPlatformOptions(
+                    telegram_bot_token=self.settings.telegram_bot_token,
+                    allowed_telegram_user_id=self.settings.allowed_telegram_user_id,
+                    discord_bot_token=self.settings.discord_bot_token,
+                    allowed_discord_channels=self.settings.allowed_discord_channels,
+                    voice_note_enabled=self.settings.voice_note_enabled,
+                    whisper_model=self.settings.whisper_model,
+                    whisper_device=self.settings.whisper_device,
+                    hf_token=self.settings.hf_token,
+                    nvidia_nim_api_key=self.settings.nvidia_nim_api_key,
+                    messaging_rate_limit=self.settings.messaging_rate_limit,
+                    messaging_rate_window=self.settings.messaging_rate_window,
+                    log_raw_messaging_content=self.settings.log_raw_messaging_content,
+                    log_api_error_tracebacks=self.settings.log_api_error_tracebacks,
+                ),
+            )
+
+            if self.messaging_platform:
+                await self._start_messaging_workflow()
+
+        except ImportError as e:
+            if self.settings.log_api_error_tracebacks:
+                logger.warning("Messaging module import error: {}", e)
+            else:
+                logger.warning(
+                    "Messaging module import error: exc_type={}",
+                    type(e).__name__,
+                )
+        except Exception as e:
+            if self.settings.log_api_error_tracebacks:
+                logger.error("Failed to start messaging platform: {}", e)
+                import traceback
+
+                logger.error(traceback.format_exc())
+            else:
+                logger.error(
+                    "Failed to start messaging platform: exc_type={}",
+                    type(e).__name__,
+                )
+
+    async def _start_messaging_workflow(self) -> None:
+        from cli.managed import ManagedClaudeSessionManager
+        from messaging.session import SessionStore
+        from messaging.workflow import MessagingWorkflow
+
+        workspace = (
+            os.path.abspath(self.settings.allowed_dir)
+            if self.settings.allowed_dir
+            else os.getcwd()
+        )
+        os.makedirs(workspace, exist_ok=True)
+
+        data_path = os.path.abspath(self.settings.claude_workspace)
+        os.makedirs(data_path, exist_ok=True)
+
+        api_url = f"http://{self.settings.host}:{self.settings.port}/v1"
+        allowed_dirs = [workspace] if self.settings.allowed_dir else []
+        plans_dir_abs = os.path.abspath(
+            os.path.join(self.settings.claude_workspace, "plans")
+        )
+        plans_directory = os.path.relpath(plans_dir_abs, workspace)
+        self.cli_manager = ManagedClaudeSessionManager(
+            workspace_path=workspace,
+            api_url=api_url,
+            allowed_dirs=allowed_dirs,
+            plans_directory=plans_directory,
+            claude_bin=self.settings.claude_cli_bin,
+            auth_token=getattr(self.settings, "anthropic_auth_token", ""),
+            log_raw_cli_diagnostics=self.settings.log_raw_cli_diagnostics,
+            log_messaging_error_details=self.settings.log_messaging_error_details,
+        )
+
+        session_store = SessionStore(
+            storage_path=os.path.join(data_path, "sessions.json"),
+            message_log_cap=self.settings.max_message_log_entries_per_chat,
+        )
+        platform = self.messaging_platform
+        assert platform is not None
+        self.messaging_workflow = MessagingWorkflow(
+            platform=platform,
+            cli_manager=self.cli_manager,
+            session_store=session_store,
+            debug_platform_edits=self.settings.debug_platform_edits,
+            debug_subagent_stack=self.settings.debug_subagent_stack,
+            log_raw_messaging_content=self.settings.log_raw_messaging_content,
+            log_raw_cli_diagnostics=self.settings.log_raw_cli_diagnostics,
+            log_messaging_error_details=self.settings.log_messaging_error_details,
+        )
+        self._restore_tree_state(session_store)
+
+        platform.on_message(self.messaging_workflow.handle_message)
+        await platform.start()
+        logger.info(f"{platform.name} platform started with messaging workflow")
+
+    def _restore_tree_state(self, session_store: SessionStore) -> None:
+        saved_trees = session_store.get_all_trees()
+        if not saved_trees:
+            return
+        if self.messaging_workflow is None:
+            return
+
+        logger.info(f"Restoring {len(saved_trees)} conversation trees...")
+        from messaging.trees import TreeQueueManager
+
+        self.messaging_workflow.replace_tree_queue(
+            TreeQueueManager.from_dict(
+                {
+                    "trees": saved_trees,
+                    "node_to_tree": session_store.get_node_mapping(),
+                },
+                queue_update_callback=self.messaging_workflow.update_queue_positions,
+                node_started_callback=self.messaging_workflow.mark_node_processing,
+            )
+        )
+        if self.messaging_workflow.tree_queue.cleanup_stale_nodes() > 0:
+            tree_data = self.messaging_workflow.tree_queue.to_dict()
+            session_store.sync_from_tree_data(
+                tree_data["trees"], tree_data["node_to_tree"]
+            )
+
+    def _publish_state(self) -> None:
+        self.app.state.messaging_platform = self.messaging_platform
+        self.app.state.messaging_workflow = self.messaging_workflow
+        self.app.state.cli_manager = self.cli_manager
+
+    async def _shutdown_limiter(self) -> None:
+        verbose = self.settings.log_api_error_tracebacks
+        try:
+            from messaging.limiter import MessagingRateLimiter
+        except Exception as e:
+            if verbose:
+                logger.debug(
+                    "Rate limiter shutdown skipped (import failed): {}: {}",
+                    type(e).__name__,
+                    e,
+                )
+            else:
+                logger.debug(
+                    "Rate limiter shutdown skipped (import failed): exc_type={}",
+                    type(e).__name__,
+                )
+            return
+
+        await best_effort(
+            "MessagingRateLimiter.shutdown_instance",
+            MessagingRateLimiter.shutdown_instance(),
+            timeout_s=2.0,
+            log_verbose_errors=verbose,
+        )

api/validation_log.py

@@ -0,0 +1,48 @@
+"""Safe metadata summaries for HTTP 422 validation logging (no raw text content)."""
+
+from __future__ import annotations
+
+from typing import Any
+
+
+def summarize_request_validation_body(
+    body: Any,
+) -> tuple[list[dict[str, Any]], list[str]]:
+    """Return message shape summary and tool name list for debug logs."""
+    messages = body.get("messages") if isinstance(body, dict) else None
+    message_summary: list[dict[str, Any]] = []
+    if isinstance(messages, list):
+        for msg in messages:
+            if not isinstance(msg, dict):
+                message_summary.append({"message_kind": type(msg).__name__})
+                continue
+            content = msg.get("content")
+            item: dict[str, Any] = {
+                "role": msg.get("role"),
+                "content_kind": type(content).__name__,
+            }
+            if isinstance(content, list):
+                item["block_types"] = [
+                    block.get("type", "dict")
+                    if isinstance(block, dict)
+                    else type(block).__name__
+                    for block in content[:12]
+                ]
+                item["block_keys"] = [
+                    sorted(str(key) for key in block)[:12]
+                    for block in content[:5]
+                    if isinstance(block, dict)
+                ]
+            elif isinstance(content, str):
+                item["content_length"] = len(content)
+            message_summary.append(item)
+
+    tool_names: list[str] = []
+    if isinstance(body, dict) and isinstance(body.get("tools"), list):
+        tool_names = [
+            str(tool.get("name", ""))
+            for tool in body["tools"]
+            if isinstance(tool, dict)
+        ]
+
+    return message_summary, tool_names

api/web_server_tools.py

@@ -0,0 +1,22 @@
+"""Compatibility re-exports for :mod:`api.web_tools` (web_search / web_fetch)."""
+
+from __future__ import annotations
+
+import httpx
+
+from api.web_tools.egress import (
+    WebFetchEgressPolicy,
+    WebFetchEgressViolation,
+    enforce_web_fetch_egress,
+)
+from api.web_tools.request import is_web_server_tool_request
+from api.web_tools.streaming import stream_web_server_tool_response
+
+__all__ = [
+    "WebFetchEgressPolicy",
+    "WebFetchEgressViolation",
+    "enforce_web_fetch_egress",
+    "httpx",
+    "is_web_server_tool_request",
+    "stream_web_server_tool_response",
+]

api/web_tools/__init__.py

@@ -0,0 +1,17 @@
+"""Submodules for Anthropic web server tool handling (search/fetch, egress, streaming)."""
+
+from .egress import (
+    WebFetchEgressPolicy,
+    WebFetchEgressViolation,
+    enforce_web_fetch_egress,
+)
+from .request import is_web_server_tool_request
+from .streaming import stream_web_server_tool_response
+
+__all__ = [
+    "WebFetchEgressPolicy",
+    "WebFetchEgressViolation",
+    "enforce_web_fetch_egress",
+    "is_web_server_tool_request",
+    "stream_web_server_tool_response",
+]

api/web_tools/constants.py

@@ -0,0 +1,15 @@
+"""Limits and defaults for outbound web server tool HTTP."""
+
+_REQUEST_TIMEOUT_S = 20.0
+_MAX_SEARCH_RESULTS = 10
+_MAX_FETCH_CHARS = 24_000
+# Hard cap on raw bytes read from HTTP responses before decode / HTML parse (memory bound).
+_MAX_WEB_FETCH_RESPONSE_BYTES = 2 * 1024 * 1024
+# Drain at most this many bytes from redirect responses before following Location.
+_REDIRECT_RESPONSE_BODY_CAP_BYTES = 65_536
+_MAX_WEB_FETCH_REDIRECTS = 10
+_WEB_FETCH_REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})
+
+_WEB_TOOL_HTTP_HEADERS = {
+    "User-Agent": "Mozilla/5.0 compatible; devcopilot/2.0",
+}

api/web_tools/egress.py

@@ -0,0 +1,99 @@
+"""Egress policy for user-controlled web_fetch URLs (SSRF guard)."""
+
+from __future__ import annotations
+
+import ipaddress
+import socket
+from dataclasses import dataclass
+from urllib.parse import urlparse
+
+
+@dataclass(frozen=True, slots=True)
+class WebFetchEgressPolicy:
+    """Egress rules for user-influenced web_fetch URLs."""
+
+    allow_private_network_targets: bool
+    allowed_schemes: frozenset[str]
+
+
+class WebFetchEgressViolation(ValueError):
+    """Raised when a web_fetch URL is rejected by egress policy (SSRF guard)."""
+
+
+def _port_for_url(parsed) -> int:
+    if parsed.port is not None:
+        return parsed.port
+    return 443 if (parsed.scheme or "").lower() == "https" else 80
+
+
+def _stream_getaddrinfo_or_raise(host: str, port: int) -> list[tuple]:
+    try:
+        return socket.getaddrinfo(
+            host, port, type=socket.SOCK_STREAM, proto=socket.IPPROTO_TCP
+        )
+    except OSError as exc:
+        raise WebFetchEgressViolation(
+            f"Could not resolve host {host!r}: {exc}"
+        ) from exc
+
+
+def get_validated_stream_addrinfos_for_egress(
+    url: str, policy: WebFetchEgressPolicy
+) -> list[tuple]:
+    """Resolve and validate a URL for web_fetch, returning getaddrinfo rows for pinning.
+
+    Each HTTP connect pins to only these `getaddrinfo` results so a malicious DNS
+    server cannot rebind to a disallowed address between resolution and the TCP
+    connect (used by :func:`api.web_tools.outbound._run_web_fetch`).
+    """
+    parsed = urlparse(url)
+    scheme = (parsed.scheme or "").lower()
+    if scheme not in policy.allowed_schemes:
+        raise WebFetchEgressViolation(
+            f"URL scheme {scheme!r} is not allowed for web_fetch"
+        )
+
+    host = parsed.hostname
+    if host is None or host == "":
+        raise WebFetchEgressViolation("web_fetch URL must include a host")
+
+    port = _port_for_url(parsed)
+
+    if policy.allow_private_network_targets:
+        return _stream_getaddrinfo_or_raise(host, port)
+
+    host_lower = host.lower()
+    if host_lower == "localhost" or host_lower.endswith(".localhost"):
+        raise WebFetchEgressViolation("localhost targets are not allowed for web_fetch")
+    if host_lower.endswith(".local"):
+        raise WebFetchEgressViolation(".local hostnames are not allowed for web_fetch")
+
+    try:
+        parsed_ip = ipaddress.ip_address(host)
+    except ValueError:
+        parsed_ip = None
+
+    if parsed_ip is not None:
+        if not parsed_ip.is_global:
+            raise WebFetchEgressViolation(
+                f"Non-public IP host {host!r} is not allowed for web_fetch"
+            )
+        return _stream_getaddrinfo_or_raise(host, port)
+
+    infos = _stream_getaddrinfo_or_raise(host, port)
+    for *_, sockaddr in infos:
+        addr = sockaddr[0]
+        try:
+            resolved = ipaddress.ip_address(addr)
+        except ValueError:
+            continue
+        if not resolved.is_global:
+            raise WebFetchEgressViolation(
+                f"Host {host!r} resolves to a non-public address ({resolved})"
+            )
+    return infos
+
+
+def enforce_web_fetch_egress(url: str, policy: WebFetchEgressPolicy) -> None:
+    """Validate ``url`` (scheme, host, and resolved addresses) for web_fetch."""
+    get_validated_stream_addrinfos_for_egress(url, policy)