docs: add Phase 10 (Web search) design
Covers two LLM tools (web_search, fetch_url) with SearXNG as the recommended self-hosted default and Brave Search as an external alternative. Provider abstraction lives in backend/src/lib/websearch/. Compliance posture: - allow_web_search master switch defaults off, with per-workspace override (narrow-only on blocklist). - Domain allowlist and blocklist at both org and workspace levels. - Audit event for every search and every fetch, including the query text; URL only for fetches (body lives in the fetch cache for its TTL). - Banner in chat when web search is active, alongside the existing external-AI banner. SSRF defence: - Scheme/port allowlist (http/https on 80/443 only). - DNS resolution check that blocks RFC1918, loopback, link-local, ULA, cloud metadata addresses, re-checked on each redirect. - Content-type allowlist (text/html, text/plain, application/pdf, application/json). - Hard caps on bytes, chars, time, and redirect count. Two new Postgres cache tables, ten new org_settings columns, three new workspaces columns, one chats column for the per-chat toggle. Single migration 0023_web_search.sql. Includes rollout plan in five steps, risk matrix, four open questions parked for review, and full acceptance criteria.
| Repository | cpatpa/PIP |
|---|---|
| Author | Claude <noreply@anthropic.com> |
| Authored | |
| Parents | 1a998776 |
| Stats | 1 file changed , +623 |
| Part of | Phases 10-14 - design docs for web search, groups, multi-model, vector RAG, knowledge collections |
Capture this commit into my fork
Download a Markdown prompt that tells Claude how to port this
exact commit into your working tree. Run it via
claude -p < capture-commit-fb928a96.md
from inside the repo you want the change in.