pub fn safe_client_builder() -> ClientBuilder
reqwest::ClientBuilder with redirect(Policy::none()), .no_proxy(),
connect_timeout(5s), and a SafeDnsResolver baked in.
Use for clients that send to user-controllable URLs (webfetch, a2a,
rss). The caller is responsible for validating the URL via
SafeUrl::parse before issuing the request.
SECURITY (F-NET-3): .no_proxy() refuses env-driven HTTP_PROXY /
HTTPS_PROXY / ALL_PROXY by default. A misconfigured or attacker-set
proxy would otherwise route every outbound call (LLM, search, fetch)
through an attacker MITM.
SECURITY (F-NET-4): connect_timeout(5s) aborts a stalled TCP handshake
before the longer total timeout fires — slow-loris dialing only ties up
an agent slot for ~5s instead of 30–120s.
SECURITY (F-NET-2): SafeDnsResolver filters resolved IPs at connect
time, defeating DNS-rebinding bypasses of the parse-time blocklist.
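Why the F-NET-2 check has to run at connect time, as an added example that is not this crate's SafeDnsResolver: a hostname can return a public address when the URL is validated and an internal one when the socket is opened. The helper names (is_internal_v4, is_internal, filter_resolved), the blocked ranges and the sample addresses are assumptions of the example.

```rust
use std::net::{IpAddr, Ipv4Addr, SocketAddr};

// Hypothetical helper: the range list is this example's assumption.
fn is_internal_v4(ip: Ipv4Addr) -> bool {
    ip.is_loopback()
        || ip.is_private()
        || ip.is_link_local() // 169.254.0.0/16, where cloud metadata services live
        || ip.is_unspecified()
        || ip.is_broadcast()
}

// Hypothetical helper: true for addresses an outbound fetcher must not dial.
fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_internal_v4(v4),
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            // ::ffff:a.b.c.d reaches the same host as a.b.c.d
            Some(v4) => is_internal_v4(v4),
            None => {
                let s0 = v6.segments()[0];
                v6.is_loopback()
                    || v6.is_unspecified()
                    || (s0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
                    || (s0 & 0xffc0) == 0xfe80 // fe80::/10 link-local
            }
        },
    }
}

// Connect-time filter over the addresses the resolver just returned.
// Fails closed: if nothing survives there is nothing to connect to.
fn filter_resolved(addrs: &[SocketAddr]) -> Result<Vec<SocketAddr>, String> {
    let ok: Vec<SocketAddr> = addrs.iter().copied().filter(|a| !is_internal(a.ip())).collect();
    if ok.is_empty() {
        return Err("every resolved address is internal".to_string());
    }
    Ok(ok)
}

fn main() {
    // Constructed DNS answers for one hostname, before and after a rebind.
    let at_parse: Vec<SocketAddr> = vec!["203.0.113.10:443".parse().unwrap()];
    let at_connect: Vec<SocketAddr> = vec![
        "169.254.169.254:443".parse().unwrap(),
        "[::ffff:127.0.0.1]:443".parse().unwrap(),
    ];
    println!("validation-time answer: {:?}", filter_resolved(&at_parse));
    println!("connect-time answer:    {:?}", filter_resolved(&at_connect));
}
```

A mixed answer (one public and one internal address) is reduced to the public address, so the connector is never handed the internal one.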