From 7f87265ce66389d9bb2ebcf04fa0f0569dff90c8 Mon Sep 17 00:00:00 2001
From: sunkinux <sunkinux@users.noreply.github.com>
Date: Mon, 9 Mar 2026 23:04:19 +0800
Subject: [PATCH] refactor: remove redundant allowRfc2544BenchmarkRange from
 trusted policy

As pointed out by Greptile, dangerouslyAllowPrivateNetwork: true already
permits all private network addresses including RFC 2544 range. The
allowRfc2544BenchmarkRange flag has no effect when skipPrivateNetworkChecks
is true, so it's dead code that could mislead readers.
---
 src/agents/tools/web-guarded-fetch.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/agents/tools/web-guarded-fetch.ts b/src/agents/tools/web-guarded-fetch.ts
index f427eabcab3..2f905a215c0 100644
--- a/src/agents/tools/web-guarded-fetch.ts
+++ b/src/agents/tools/web-guarded-fetch.ts
@@ -7,7 +7,6 @@ import type { SsrFPolicy } from "../../infra/net/ssrf.js";
 
 const WEB_TOOLS_TRUSTED_NETWORK_SSRF_POLICY: SsrFPolicy = {
   dangerouslyAllowPrivateNetwork: true,
-  allowRfc2544BenchmarkRange: true,
 };
 
 type WebToolGuardedFetchOptions = Omit<GuardedFetchOptions, "proxy"> & {