v1.11.8: web_search + web_fetch tools via SearXNG

Adds two new tools registered through the existing ALL_TOOLS registry:
  - web_search hits SearXNG's JSON API (Fathom, internal Tailscale URL,
    no auth) and returns top results
  - web_fetch retrieves a URL's text content, gated by isPublicUrl
    (url_guard.ts) which blocks loopback / RFC1918 / Tailscale CGNAT /
    link-local / .local / .internal / non-http schemes

Both tools are opt-in via the existing session.web_search_enabled flag
(plumbed in v1.9, activated here). Default off. UI labels updated to
"Enable web search and fetch" / "Web search and fetch" since fetch joins
the same store. Counts against the v1.8.2 per-turn budget; covered by
the v1.11.6 doom-loop guard.

Native Node 20 fetch — no new prod dep. HTML stripping via regex (script
and style content elided wholesale). 5MB body cap, 15s fetch timeout,
8000-char default output, 32000-char cap.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/server/src/services/inference.ts

@@ -673,7 +673,10 @@ async function executeStreamPhase(
   session: Session,
   messages: OpenAiMessage[],
   state: StreamPhaseState,
-  agent: Agent | null
+  agent: Agent | null,
+  // v1.11.8: when false, web_search and web_fetch are stripped from the
+  // tool list sent to the LLM, so the model can't even attempt them.
+  webToolsEnabled: boolean,
 ): Promise<StreamResult> {
   const { sessionId, chatId, assistantMessageId, signal } = args;
 
@@ -717,9 +720,14 @@ async function executeStreamPhase(
   // Tool whitelist: if an agent is set, filter the global tool list to only the
   // tool names it allows. Unknown names in agent.tools are dropped silently
   // (handled here by intersection). When no agent: send all tools.
-  const effectiveTools: ToolJsonSchema[] = agent
+  // v1.11.8: a second filter strips web_search + web_fetch unless the chat
+  // has them explicitly enabled. Counts as an opt-in security boundary: the
+  // model can't summon a tool that wasn't offered to it.
+  const WEB_TOOL_NAMES: ReadonlySet<string> = new Set(['web_search', 'web_fetch']);
+  const effectiveTools: ToolJsonSchema[] = (agent
     ? toolJsonSchemas().filter((t) => agent.tools.includes(t.function.name))
-    : toolJsonSchemas();
+    : toolJsonSchemas()
+  ).filter((t) => webToolsEnabled || !WEB_TOOL_NAMES.has(t.function.name));
   const effectiveTemperature = agent?.temperature;
 
   try {
@@ -1098,10 +1106,20 @@ async function runAssistantTurn(
 
   const messages = buildMessagesPayload(session, project, history, agent);
 
+  // v1.11.8: resolve per-chat web-tools opt-in. Tri-state on the wire:
+  //   - session.web_search_enabled = null → inherit project default
+  //   - session.web_search_enabled = true/false → explicit
+  // Both web_search and web_fetch are gated by this single flag (the UI
+  // label is "Enable web search and fetch" — same store, both tools).
+  // Default is false unless explicitly opted in, matching the v1.9
+  // plumbing intent ("inert until Batch 8 ships the actual tools").
+  const webToolsEnabled =
+    session.web_search_enabled ?? project.default_web_search_enabled ?? false;
+
   const state: StreamPhaseState = { accumulated: '', startedAt: null };
   let result: StreamResult;
   try {
-    result = await executeStreamPhase(ctx, args, session, messages, state, agent);
+    result = await executeStreamPhase(ctx, args, session, messages, state, agent, webToolsEnabled);
   } catch (err) {
     await handleAbortOrError(ctx, args, state.accumulated, err);
     return;