[bug] WebFetch tool URL validation is a no-op: invalid URLs pass through silently #33073

@LifetimeVip

Description

The WebFetch tool (packages/core/src/tool/webfetch.ts, line ~164-166) validates the URL protocol using assertHttpUrl wrapped in Effect.try({ try: () => assertHttpUrl(new URL(input.url)), catch: (error) => error }). The catch branch returns the error object as a SUCCESS value instead of failing the Effect. This means URL validation is effectively a no-op: invalid URLs pass through silently.

The execution continues to permission.assert and then tries to fetch the invalid URL. The network request eventually fails, but the error message is the generic "Unable to fetch " regardless of whether the URL was malformed or the network was unreachable.

Code location

https://github.com/anomalyco/opencode/blob/dev/packages/core/src/tool/webfetch.ts#L164-L166

Steps to reproduce

  1. Call webfetch with an invalid URL such as "not-a-url" or "ftp://example.com"
  2. The URL validation passes silently
  3. The permission assertion still runs
  4. The fetch eventually fails with a generic error message

Expected behavior

Invalid URLs should fail with a clear error message distinguishing format errors from network errors.

Environment

OpenCode Desktop 1.17.8, Windows 11
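
The expected behavior above, sketched as an added example in plain TypeScript (not the OpenCode source and not using Effect): the URL is rejected before any permission check or network I/O, and each failure class gets its own message. The names `validateHttpUrl`, `guardedFetch`, `explain` and the injected `fetcher` are hypothetical.

```typescript
// Added example: plain TypeScript, no Effect dependency; all names are hypothetical.
type FetchFailure =
  | { kind: "invalid-url"; input: string; reason: string }
  | { kind: "unsupported-protocol"; input: string; protocol: string }
  | { kind: "network"; url: string; reason: string };

type Validated = { ok: true; url: URL } | { ok: false; error: FetchFailure };
type FetchResult = { ok: true; body: string } | { ok: false; error: FetchFailure };

const reasonOf = (e: unknown): string => (e instanceof Error ? e.message : String(e));

// Parse and protocol-check the input; a failure is returned as a tagged
// value that the caller must branch on, so it cannot be dropped silently.
function validateHttpUrl(input: string): Validated {
  let url: URL;
  try {
    url = new URL(input);
  } catch (e) {
    return { ok: false, error: { kind: "invalid-url", input, reason: reasonOf(e) } };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, error: { kind: "unsupported-protocol", input, protocol: url.protocol } };
  }
  return { ok: true, url };
}

// The fetcher is injected (an assumption of this example) so it runs offline.
async function guardedFetch(
  input: string,
  fetcher: (url: URL) => Promise<string>,
): Promise<FetchResult> {
  const checked = validateHttpUrl(input);
  if (!checked.ok) return checked; // stop before any permission check or network I/O
  try {
    return { ok: true, body: await fetcher(checked.url) };
  } catch (e) {
    return { ok: false, error: { kind: "network", url: checked.url.href, reason: reasonOf(e) } };
  }
}

// One message per failure class instead of a single generic fetch error.
function explain(f: FetchFailure): string {
  switch (f.kind) {
    case "invalid-url": return `Invalid URL "${f.input}": ${f.reason}`;
    case "unsupported-protocol": return `Unsupported protocol ${f.protocol} in "${f.input}"; use http or https`;
    case "network": return `Network error fetching ${f.url}: ${f.reason}`;
  }
}
```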
