refactor: provider adapter system + 7 new search providers (bug-fixed) (#512)

* refactor: provider adapter system + 7 new search providers

Architecture:
- Each search backend is a small adapter implementing SearchProvider
- 12 providers: custom, tavily, exa, you, jina, bing, mojeek, linkup, firecrawl, duckduckgo + native
- WEB_SEARCH_PROVIDER controls selection: auto (fallback chain) or specific provider
- Auth always in headers, never in query strings

Bug fixes from review feedback:
- Fix applyDomainFilters catch block: keep hits with malformed URLs on blocked_domains
  (can't confirm blocked), drop on allowed_domains (can't confirm allowed)
- Add safeHostname() helper: safely extract hostname from URLs without throwing
- Replace unsafe new URL(r.url).hostname in 7 providers with safeHostname()
- Remove dead code: buildAllHeaders, buildAuthHeaders, parseExtraHeaders from types.ts
- Fix WEB_PARMS typo: consistently use WEB_QUERY_PARAM everywhere
- AbortSignal forwarded to fetch() in all 12 providers
- DuckDuckGo: wrap dynamic import in try/catch for graceful error
- Exa: remove double domain filtering (server-side already)
- runSearch(): aggregate all provider errors instead of throwing only the last one
- Retry logic: check numeric status code directly, retry 5xx/network, skip 4xx

Test coverage (44 tests, all passing):
- types.test.ts: safeHostname, normalizeHit, applyDomainFilters (20 tests)
- index.test.ts: getProviderMode, getProviderChain, getAvailableProviders (13 tests)
- custom.test.ts: extractHits flexible response parsing (11 tests)

Co-authored-by: FluxLuFFy <195792511+FluxLuFFy@users.noreply.github.com>

* security: add guardrails to custom search provider (Option B)

- HTTPS-only by default (opt-out: WEB_CUSTOM_ALLOW_HTTP=true)
- Private/localhost IPs blocked by default (opt-out: WEB_CUSTOM_ALLOW_PRIVATE=true)
- Header allowlist: only known-safe headers allowed unless WEB_CUSTOM_ALLOW_ARBITRARY_HEADERS=true
- Configurable timeout in seconds (WEB_CUSTOM_TIMEOUT_SEC, default 15)
- Configurable POST body limit (WEB_CUSTOM_MAX_BODY_KB, default 300)
- Removed max URL size restriction
- Audit log warning on first custom search call
- Updated .env.example and README_SEARCH_PROVIDERS.md with all new options

* fix: remove custom provider from auto chain (Option 1)

Remove customProvider from the auto fallback chain so it is only
available when WEB_SEARCH_PROVIDER=custom is explicitly selected.

Changes:
- Remove customProvider from ALL_PROVIDERS array in providers/index.ts
- Add 3 new tests verifying custom is excluded from auto chain
- Update README_SEARCH_PROVIDERS.md: auto priority, mode table, note
- Update .env.example: auto priority comment, custom mode annotation

All 47 tests pass (44 existing + 3 new).

Co-Authored-By: @Vasanthdev2004

* fix: address review blockers (routing, abort, config check, domain matching)

1. Native/Codex routing precedence in auto mode
   shouldUseAdapterProvider() now checks if native/first-party/vertex/foundry
   or Codex paths are available before falling back to adapter providers.
   Auto mode: native paths take precedence; adapter is fallback only.

2. AbortError stops provider chain immediately
   runSearch() now checks for AbortError/aborted signal before continuing
   the fallback chain. Cancelled searches don't create extra outbound requests.

3. Explicit provider mode fails fast on missing credentials
   runSearch() validates isConfigured() for explicit modes before attempting
   requests. Throws clear error: 'Search provider "X" is not configured.'

4. Domain filter exact-or-subdomain matching (fixes suffix collision)
   New hostMatchesDomain() helper: exact match or .subdomain match.
   badexample.com no longer matches example.com.

5. Tests: 56 pass (9 new) covering all 4 fixes

Co-Authored-By: @Vasanthdev2004

---------

Co-authored-by: Claude Fix <fix@openclaude.local>
Co-authored-by: FluxLuFFy <195792511+FluxLuFFy@users.noreply.github.com>
Co-authored-by: bot <bot@openclaw.ai>

.env.example

@@ -248,3 +248,93 @@ ANTHROPIC_API_KEY=sk-ant-your-key-here
 
 # Enable debug logging
 # CLAUDE_DEBUG=1
+
+
+# =============================================================================
+# WEB SEARCH (OPTIONAL)
+# =============================================================================
+# OpenClaude includes a web search tool. By default it uses DuckDuckGo (free)
+# or the provider's native search (Anthropic firstParty / vertex).
+#
+# Set one API key below to enable a provider. That's it.
+
+# ── Provider API keys — set ONE of these ────────────────────────────
+
+# Tavily (AI-optimized search, recommended)
+# TAVILY_API_KEY=tvly-your-key-here
+
+# Exa (neural/semantic search)
+# EXA_API_KEY=your-exa-key-here
+
+# You.com (RAG-ready snippets)
+# YOU_API_KEY=your-you-key-here
+
+# Jina (s.jina.ai endpoint)
+# JINA_API_KEY=your-jina-key-here
+
+# Bing Web Search
+# BING_API_KEY=your-bing-key-here
+
+# Mojeek (privacy-focused)
+# MOJEEK_API_KEY=your-mojeek-key-here
+
+# Linkup
+# LINKUP_API_KEY=your-linkup-key-here
+
+# Firecrawl (premium, uses @mendable/firecrawl-js)
+# FIRECRAWL_API_KEY=fc-your-key-here
+
+# ── Provider selection mode ─────────────────────────────────────────
+#
+# WEB_SEARCH_PROVIDER controls fallback behavior:
+#
+#   "auto"      (default) — try all configured providers, fall through on failure
+#   "custom"    — custom API only, throw on failure (NOT in auto chain)
+#   "firecrawl" — firecrawl only
+#   "tavily"    — tavily only
+#   "exa"       — exa only
+#   "you"       — you.com only
+#   "jina"      — jina only
+#   "bing"      — bing only
+#   "mojeek"    — mojeek only
+#   "linkup"    — linkup only
+#   "ddg"       — duckduckgo only
+#   "native"    — anthropic native / codex only
+#
+# Auto mode priority: firecrawl → tavily → exa → you → jina → bing → mojeek →
+#                     linkup → ddg
+# Note: "custom" is NOT in the auto chain. To use the custom API provider,
+# you must explicitly set WEB_SEARCH_PROVIDER=custom.
+#
+# WEB_SEARCH_PROVIDER=auto
+
+# ── Built-in custom API presets ─────────────────────────────────────
+#
+# Use with WEB_KEY for the API key:
+# WEB_PROVIDER=searxng|google|brave|serpapi
+# WEB_KEY=your-api-key-here
+
+# ── Custom API endpoint (advanced) ──────────────────────────────────
+#
+# WEB_SEARCH_API    — base URL of your search endpoint
+# WEB_QUERY_PARAM         — query parameter name (default: "q")
+# WEB_METHOD        — GET or POST (default: GET)
+# WEB_PARAMS        — extra static query params as JSON: {"lang":"en","count":"10"}
+# WEB_URL_TEMPLATE  — URL template with {query} for path embedding
+# WEB_BODY_TEMPLATE — custom POST body with {query} placeholder
+# WEB_AUTH_HEADER   — header name for API key (default: "Authorization")
+# WEB_AUTH_SCHEME   — prefix before key (default: "Bearer")
+# WEB_HEADERS       — extra headers as "Name: value; Name2: value2"
+# WEB_JSON_PATH     — dot-path to results array in response
+
+# ── Custom API security guardrails ──────────────────────────────────
+#
+# The custom provider enforces security guardrails by default.
+# Override these only if you understand the risks.
+#
+# WEB_CUSTOM_TIMEOUT_SEC=15                  — request timeout in seconds (default 15)
+# WEB_CUSTOM_MAX_BODY_KB=300                 — max POST body size in KB (default 300)
+# WEB_CUSTOM_ALLOW_ARBITRARY_HEADERS=false   — set "true" to use non-standard headers
+# WEB_CUSTOM_ALLOW_HTTP=false                — set "true" to allow http:// URLs
+# WEB_CUSTOM_ALLOW_PRIVATE=false             — set "true" to target localhost/private IPs
+#                                               (needed for self-hosted SearXNG)