Add URL validation and redirect limits to web_fetch tool to prevent potential security issues:
- Add _validate_url() function to validate URLs before fetching
- Only allow http:// and https:// schemes (prevent file://, ftp://, etc.)
- Verify URL has valid scheme and domain
- Return descriptive error messages for invalid URLs
- Limit HTTP redirects to 5 (down from default 20) to prevent DoS attacks
- Add MAX_REDIRECTS constant for easy configuration
- Explicitly configure httpx.AsyncClient with max_redirects parameter
- Improve error handling with JSON error responses for validation failures

This addresses security concerns identified in code review where web_fetch
had no URL validation or redirect limits, potentially allowing:
- Unsafe URL schemes (file://, etc.)
- Redirect-based DoS attacks
- Invalid URL formats causing unclear errors

- Add vllm provider configuration in config schema
- Auto-detect vLLM endpoints and use hosted_vllm/ prefix for LiteLLM
- Pass api_base directly to acompletion for custom endpoints
- Add vLLM status display in CLI status command
- Add vLLM setup documentation in README
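
The URL validation and redirect cap described in the first commit message above, sketched as an added example (not the project's own code): `validate_url`, `resolve` and the `SAMPLE` redirect table are hypothetical names, and the table stands in for real HTTP responses so the check runs offline. It re-validates every redirect hop, not only the initial URL.

```python
import json
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5  # the cap named in the commit message
ALLOWED_SCHEMES = {"http", "https"}

# Constructed redirect table: {requested URL: Location header value}.
SAMPLE = {
    "https://a.example/start": "/next",
    "https://a.example/next": "file:///etc/hostname",
    "https://loop.example/": "https://loop.example/",
}


def validate_url(url):
    """Return (ok, error). Hypothetical stand-in for _validate_url()."""
    try:
        parsed = urlparse(url)
    except ValueError as exc:  # e.g. an unterminated IPv6 literal
        return False, f"Invalid URL: {exc}"
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"Only http/https allowed, got '{parsed.scheme or 'none'}'"
    if not parsed.hostname:
        return False, "Missing domain"
    return True, ""


def resolve(url, redirects):
    """Walk a redirect chain, validating each hop and enforcing MAX_REDIRECTS.

    Returns a JSON string: the final URL on success, an error object otherwise.
    """
    hops = 0
    while True:
        ok, err = validate_url(url)
        if not ok:
            return json.dumps({"error": f"URL validation failed: {err}", "url": url})
        if url not in redirects:  # no Location header: final response
            return json.dumps({"url": url, "redirects": hops})
        if hops >= MAX_REDIRECTS:
            return json.dumps({"error": f"Exceeded {MAX_REDIRECTS} redirects", "url": url})
        url = urljoin(url, redirects[url])  # Location may be relative
        hops += 1


if __name__ == "__main__":
    for start in ("https://a.example/start", "https://loop.example/", "ftp://a.example/"):
        print(resolve(start, SAMPLE))
```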