fix(google): disable pinned dns for image generation (#59873)

* fix(google): restore proxy-safe image generation (#59873)

* fix(ssrf): preserve transport policy without pinned dns

* fix(ssrf): use undici fetch for dispatcher requests

* fix(ssrf): type dispatcher fetch path

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

extensions/google/image-generation-provider.test.ts

@@ -1,4 +1,5 @@
 import * as providerAuthRuntime from "openclaw/plugin-sdk/provider-auth-runtime";
+import * as providerHttp from "openclaw/plugin-sdk/provider-http";
 import { afterEach, describe, expect, it, vi } from "vitest";
 import { buildGoogleImageGenerationProvider } from "./image-generation-provider.js";
 import { __testing as geminiWebSearchTesting } from "./src/gemini-web-search-provider.js";
@@ -257,6 +258,26 @@ describe("Google image-generation provider", () => {
     );
   });
 
+  it("disables DNS pinning for Google image generation requests", async () => {
+    mockGoogleApiKeyAuth();
+    installGoogleFetchMock();
+    const postJsonRequestSpy = vi.spyOn(providerHttp, "postJsonRequest");
+
+    const provider = buildGoogleImageGenerationProvider();
+    await provider.generateImage({
+      provider: "google",
+      model: "gemini-3.1-flash-image-preview",
+      prompt: "draw a fox",
+      cfg: {},
+    });
+
+    expect(postJsonRequestSpy).toHaveBeenCalledWith(
+      expect.objectContaining({
+        pinDns: false,
+      }),
+    );
+  });
+
   it("normalizes a configured bare Google host to the v1beta API root", async () => {
     mockGoogleApiKeyAuth();
     const fetchMock = installGoogleFetchMock();

extensions/google/image-generation-provider.ts

@@ -160,6 +160,7 @@ export function buildGoogleImageGenerationProvider(): ImageGenerationProvider {
         },
         timeoutMs: 60_000,
         fetchFn: fetch,
+        pinDns: false,
         allowPrivateNetwork,
         dispatcherPolicy,
       });