From c8f8907f15bd3f1d01acf5216e6f3b3e54892137 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Sun, 31 May 2026 23:18:01 +0100
Subject: [PATCH] fix(feishu): guard webhook readiness fetch

---
 .../src/monitor.webhook.test-helpers.ts       | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/extensions/feishu/src/monitor.webhook.test-helpers.ts b/extensions/feishu/src/monitor.webhook.test-helpers.ts
index c98d751012a..6edfd76304b 100644
--- a/extensions/feishu/src/monitor.webhook.test-helpers.ts
+++ b/extensions/feishu/src/monitor.webhook.test-helpers.ts
@@ -1,5 +1,9 @@
 import { createServer } from "node:http";
 import type { AddressInfo } from "node:net";
+import {
+  fetchWithSsrFGuard,
+  ssrfPolicyFromDangerouslyAllowPrivateNetwork,
+} from "openclaw/plugin-sdk/ssrf-runtime";
 import { vi } from "vitest";
 import type { ClawdbotConfig } from "../runtime-api.js";
 import type { monitorFeishuProvider } from "./monitor.js";
@@ -26,9 +30,18 @@ export async function getFreePort(): Promise<number> {
 async function waitUntilServerReady(url: string): Promise<void> {
   for (let i = 0; i < WEBHOOK_READY_MAX_ATTEMPTS; i += 1) {
     try {
-      const response = await fetch(url, { method: "GET" });
-      if (response.status >= 200 && response.status < 500) {
-        return;
+      const { response, release } = await fetchWithSsrFGuard({
+        url,
+        init: { method: "GET" },
+        policy: ssrfPolicyFromDangerouslyAllowPrivateNetwork(true),
+        auditContext: "feishu-webhook-test-ready",
+      });
+      try {
+        if (response.status >= 200 && response.status < 500) {
+          return;
+        }
+      } finally {
+        await release();
       }
     } catch {
       // retry