Module api 

API block — HTTP request via reqwest. Honors {{...}} interpolation in url, headers, and body.

Config (node.data):

• method — “GET” / “POST” / “PUT” / “DELETE” / “PATCH” (default GET)
• url — required; supports {{...}}
• headers — optional { name: value } map; values support {{...}}
• body — optional string body (POST/PUT/PATCH); supports {{...}}

Output:

{ "status": 200, "body": <parsed-json-or-text>, "headers": { ... } }

Constants

DEFAULT_TIMEOUT_MS 🔒

Statics

HTTP_CLIENT 🔒

Shared reqwest::Client so drones with multiple API blocks reuse one connection pool instead of building a new pool per request. Per-request timeouts move to the RequestBuilder. (reagent P2 on PR #755.)

Functions

http_client 🔒

is_reserved_v4 🔒

is_reserved_v6 🔒

run

validate_url_for_safety 🔒

Same checks as validate_url_safety but takes a pre-parsed reqwest::Url. The redirect-policy closure receives Url values directly, so this avoids a parse round-trip on every hop.

validate_url_safety 🔒

Validate a resolved URL before dispatching it. Phase 1 SSRF protection: rejects non-http(s) schemes and literal-IP hosts that fall into reserved / link-local / private / loopback ranges (the AWS metadata endpoint 169.254.169.254, RFC1918 space, 127.0.0.1, fc00::/7, ::1, etc.). DNS-resolved hostnames are not re-checked post-resolution — that requires a custom reqwest resolver and lands as a follow-up issue. See kimi P1 on PR #755.