From 6a69b47b8a56d1edff48364f88901ba2601980d7 Mon Sep 17 00:00:00 2001
From: harald <harald@fedora.fritz.box>
Date: Sat, 21 Feb 2026 10:15:28 +0100
Subject: [PATCH] feat(http_request): support wildcard "*" in allowed_domains

Allow ["*"] in http_request.allowed_domains to permit all public
domains without listing each one individually. Private/localhost
hosts remain blocked regardless.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 src/tools/http_request.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/tools/http_request.rs b/src/tools/http_request.rs
index fe1a48e..3e1c590 100644
--- a/src/tools/http_request.rs
+++ b/src/tools/http_request.rs
@@ -46,17 +46,19 @@ impl HttpRequestTool {
 
         if self.allowed_domains.is_empty() {
             anyhow::bail!(
-                "HTTP request tool is enabled but no allowed_domains are configured. Add [http_request].allowed_domains in config.toml"
+                "HTTP request tool is enabled but no allowed_domains are configured. Add [http_request].allowed_domains in config.toml or use [\"*\"] to allow all domains"
             );
         }
 
+        let allow_all = self.allowed_domains.iter().any(|d| d == "*");
+
         let host = extract_host(url)?;
 
         if is_private_or_local_host(&host) {
             anyhow::bail!("Blocked local/private host: {host}");
         }
 
-        if !host_matches_allowlist(&host, &self.allowed_domains) {
+        if !allow_all && !host_matches_allowlist(&host, &self.allowed_domains) {
             anyhow::bail!("Host '{host}' is not in http_request.allowed_domains");
         }