From ec540d2a0dfe28619db80f4d5d83bae37f029393 Mon Sep 17 00:00:00 2001
From: Rolando Santamaria Maso <kyberneees@gmail.com>
Date: Wed, 10 Jun 2026 09:13:03 +0200
Subject: [PATCH 1/4] feat(web_search): add SearXNG-backed web_search tool +
 compose sidecar

Gives the agent local-first web search with no cloud API or keys, matching the
transcribe/vision zero-setup pattern.

Tool (cmd/odek/web_search_tool.go):
- Native Go tool querying a self-hosted SearXNG JSON API; returns ranked
  results (title/url/snippet/engine) + direct answers, capped by max_results.
- Output wrapped as untrusted content (SERP snippets can carry injection).
- Gated as network_egress (prompt in restricted, allow in godmode), consistent
  with browser/http_batch. The backend URL is fixed config, not agent-supplied,
  so the tool has no SSRF surface (only a query string is accepted).
- Registered only when web_search.base_url is set, so plain installs without a
  SearXNG instance don't see a dead tool.

Config (internal/config):
- WebSearchConfig{BaseURL, Categories, Language, MaxResults, Timeout} threaded
  end-to-end (FileConfig, ResolvedConfig, resolveWebSearch, overlayFile).

Wiring (cmd/odek):
- builtinTools' growing positional config params (Transcription, Vision) are
  bundled into a toolConfig struct to stop per-tool signature churn; all ~10
  call sites updated. web_search is threaded into run/serve/repl/telegram/
  schedule/subagent/mcp.

Docker:
- New `searxng` compose sidecar (pinned image), co-starting with every profile,
  internal-only (no host port), with depends_on wired on each odek service.
- docker/searxng/settings.yml enables the JSON API and disables the anti-bot
  limiter, so no Redis/Valkey is needed. SEARXNG_SECRET added to .env.example.
- Both bundled configs set web_search.base_url=http://searxng:8080.

Tests: hermetic httptest SearXNG mock covering happy path, max_results override
vs config cap, untrusted wrapping, JSON-disabled 403, unreachable backend,
policy denial, empty query, schema; resolveWebSearch defaults/merge. Full suite
green under -race.

Docs: README, SECURITY, CHEATSHEET, CONFIG, TELEGRAM, docker/README,
DOCKER_COMPOSE_USER_GUIDE.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 README.md                            |   2 +-
 cmd/odek/injection_hardening_test.go |   3 +-
 cmd/odek/main.go                     |  27 +++-
 cmd/odek/main_test.go                |   2 +-
 cmd/odek/mcp.go                      |   2 +-
 cmd/odek/repl.go                     |   2 +-
 cmd/odek/schedule.go                 |   2 +-
 cmd/odek/serve.go                    |   2 +-
 cmd/odek/subagent.go                 |   2 +-
 cmd/odek/subagent_contract_test.go   |   7 +-
 cmd/odek/telegram.go                 |   2 +-
 cmd/odek/web_search_tool.go          | 227 +++++++++++++++++++++++++++
 cmd/odek/web_search_tool_test.go     | 187 ++++++++++++++++++++++
 docker/.env.example                  |   6 +
 docker/README.md                     |  18 +++
 docker/config.godmode.json           |   4 +
 docker/config.restricted.json        |   4 +
 docker/docker-compose.yml            |  24 +++
 docker/searxng/settings.yml          |  43 +++++
 docs/CHEATSHEET.md                   |  22 +++
 docs/CONFIG.md                       |   2 +-
 docs/DOCKER_COMPOSE_USER_GUIDE.md    |  12 ++
 docs/SECURITY.md                     |   1 +
 docs/TELEGRAM.md                     |   2 +-
 internal/config/loader.go            |  51 ++++++
 internal/config/websearch_test.go    |  54 +++++++
 26 files changed, 689 insertions(+), 21 deletions(-)
 create mode 100644 cmd/odek/web_search_tool.go
 create mode 100644 cmd/odek/web_search_tool_test.go
 create mode 100644 docker/searxng/settings.yml
 create mode 100644 internal/config/websearch_test.go

diff --git a/README.md b/README.md
index b93a577..15b5af5 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ odek is not a framework. It's a **runtime** — the smallest possible surface ar
 Every session can run in an isolated Docker container: no network, no host mounts beyond the working directory, zero capabilities, destroyed on exit. `odek serve` enables the sandbox **by default**; `odek run` keeps it opt-in but warns when running unsandboxed. `--ctx` files are auto-injected into the container at `/workspace/`. Full security model in [docs/SANDBOXING.md](docs/SANDBOXING.md).
 
 ### 🛡️ Prompt-Injection-Aware
-External content the agent ingests (`browser`, `read_file`, `shell`, `search_files`, `multi_grep`, `transcribe`, `vision`, `session_search`, MCP tools) is wrapped in per-call nonce'd `<untrusted_content>` boundaries so the model can distinguish data from instructions. Redirect hops are re-classified (`browser`/`http_batch`), MCP tool descriptions are scanned for injection at registration, and the MCP error channel is wrapped too. The danger classifier resists 8 known shell-evasion tricks (`$()`, backticks, `$IFS`, `command`/`exec`, `\rm`, basenamed absolute paths). Approvers engage friction mode after 3 same-class approvals in 60 s. Memory episodes from tainted sessions are stored but never auto-replayed. Skill auto-save tracks provenance and pins untrusted suggestions for explicit `odek skill promote`. `odek audit <session-id>` surfaces every ingest + per-turn divergence heuristic. Full threat model in [docs/SECURITY.md](docs/SECURITY.md).
+External content the agent ingests (`browser`, `read_file`, `shell`, `search_files`, `multi_grep`, `transcribe`, `vision`, `web_search`, `session_search`, MCP tools) is wrapped in per-call nonce'd `<untrusted_content>` boundaries so the model can distinguish data from instructions. Redirect hops are re-classified (`browser`/`http_batch`), MCP tool descriptions are scanned for injection at registration, and the MCP error channel is wrapped too. The danger classifier resists 8 known shell-evasion tricks (`$()`, backticks, `$IFS`, `command`/`exec`, `\rm`, basenamed absolute paths). Approvers engage friction mode after 3 same-class approvals in 60 s. Memory episodes from tainted sessions are stored but never auto-replayed. Skill auto-save tracks provenance and pins untrusted suggestions for explicit `odek skill promote`. `odek audit <session-id>` surfaces every ingest + per-turn divergence heuristic. Full threat model in [docs/SECURITY.md](docs/SECURITY.md).
 
 ### 🧩 Sub-Agent Delegation
 Parallel OS-process sub-agents via `delegate_tasks`. True isolation — each sub-agent is a fresh `odek subagent` process with its own config, tools, and termination timeout. Up to 8 concurrent workers. [docs/SUBAGENTS.md](docs/SUBAGENTS.md)
diff --git a/cmd/odek/injection_hardening_test.go b/cmd/odek/injection_hardening_test.go
index d19a220..d890fea 100644
--- a/cmd/odek/injection_hardening_test.go
+++ b/cmd/odek/injection_hardening_test.go
@@ -9,7 +9,6 @@ import (
 	"testing"
 
 	"github.com/BackendStack21/odek"
-	"github.com/BackendStack21/odek/internal/config"
 	"github.com/BackendStack21/odek/internal/danger"
 )
 
@@ -244,7 +243,7 @@ func TestBuiltinTools_SessionSearchWrappedAsUntrusted(t *testing.T) {
 	store, cleanup := seedSessionStore(t)
 	defer cleanup()
 
-	tools := builtinTools(danger.DangerousConfig{}, nil, nil, 4, "", config.TranscriptionConfig{}, config.VisionConfig{}, store)
+	tools := builtinTools(danger.DangerousConfig{}, nil, nil, 4, "", toolConfig{}, store)
 
 	var ss odek.Tool
 	for _, tool := range tools {
diff --git a/cmd/odek/main.go b/cmd/odek/main.go
index 4830d09..a18e799 100644
--- a/cmd/odek/main.go
+++ b/cmd/odek/main.go
@@ -779,7 +779,7 @@ func run(args []string) error {
 
 	// Sandbox setup
 	var sandboxCleanup func() error
-	tools := builtinTools(resolved.Dangerous, sm, nil, resolved.MaxConcurrency, resolved.APIKey, resolved.Transcription, resolved.Vision, nil)
+	tools := builtinTools(resolved.Dangerous, sm, nil, resolved.MaxConcurrency, resolved.APIKey, toolConfig{Transcription: resolved.Transcription, Vision: resolved.Vision, WebSearch: resolved.WebSearch}, nil)
 
 	// MCP server tools
 	var mcpCleanup func()
@@ -1054,7 +1054,17 @@ func setupSandbox(tools []odek.Tool, cfg sandboxConfig) (containerName string, c
 	return containerName, cleanup, nil
 }
 
-func builtinTools(dc danger.DangerousConfig, sm *skills.SkillManager, approver danger.Approver, maxConcurrency int, apiKey string, tc config.TranscriptionConfig, vc config.VisionConfig, store *session.Store) []odek.Tool {
+// toolConfig bundles the per-tool configuration sections threaded into
+// builtinTools. Grouping them keeps the builtinTools signature stable as new
+// configurable tools are added (rather than growing a positional parameter
+// per tool).
+type toolConfig struct {
+	Transcription config.TranscriptionConfig
+	Vision        config.VisionConfig
+	WebSearch     config.WebSearchConfig
+}
+
+func builtinTools(dc danger.DangerousConfig, sm *skills.SkillManager, approver danger.Approver, maxConcurrency int, apiKey string, tcfg toolConfig, store *session.Store) []odek.Tool {
 	tools := []odek.Tool{
 		&shellTool{
 			dangerousConfig: dc,
@@ -1088,8 +1098,8 @@ func builtinTools(dc danger.DangerousConfig, sm *skills.SkillManager, approver d
 		&base64Tool{dangerousConfig: dc},
 		&trTool{dangerousConfig: dc},
 		&wordCountTool{dangerousConfig: dc},
-		newTranscribeTool(dc, tc),
-		newVisionTool(dc, vc),
+		newTranscribeTool(dc, tcfg.Transcription),
+		newVisionTool(dc, tcfg.Vision),
 		// session_search returns content from arbitrary past sessions —
 		// including sessions that ingested untrusted content. That path
 		// otherwise bypasses the memory taint gate and the audit log, so
@@ -1098,6 +1108,13 @@ func builtinTools(dc danger.DangerousConfig, sm *skills.SkillManager, approver d
 		newBrowserTool(dc),
 	}
 
+	// web_search is registered only when a SearXNG backend is configured —
+	// without a base_url there is no instance to query, so the tool would just
+	// confuse the agent. The Docker compose setup sets this automatically.
+	if tcfg.WebSearch.BaseURL != "" {
+		tools = append(tools, newWebSearchTool(dc, tcfg.WebSearch))
+	}
+
 	if sm != nil {
 		tools = append(tools,
 			&skills.SkillLoadTool{Manager: sm},
@@ -1599,7 +1616,7 @@ func continueCmd(args []string) error {
 			"./.odek/skills",
 		)
 	}
-	tools := builtinTools(resolved.Dangerous, sm, nil, resolved.MaxConcurrency, resolved.APIKey, resolved.Transcription, resolved.Vision, store)
+	tools := builtinTools(resolved.Dangerous, sm, nil, resolved.MaxConcurrency, resolved.APIKey, toolConfig{Transcription: resolved.Transcription, Vision: resolved.Vision, WebSearch: resolved.WebSearch}, store)
 	var sandboxCleanup func() error
 
 	// MCP server tools
diff --git a/cmd/odek/main_test.go b/cmd/odek/main_test.go
index 619d412..2d253e7 100644
--- a/cmd/odek/main_test.go
+++ b/cmd/odek/main_test.go
@@ -203,7 +203,7 @@ func TestRun_NoAPIKey(t *testing.T) {
 }
 
 func TestBuiltinTools(t *testing.T) {
-	tools := builtinTools(danger.DangerousConfig{}, nil, nil, 3, "", config.TranscriptionConfig{}, config.VisionConfig{}, nil)
+	tools := builtinTools(danger.DangerousConfig{}, nil, nil, 3, "", toolConfig{}, nil)
 	if len(tools) == 0 {
 		t.Fatal("builtinTools() returned empty slice")
 	}
diff --git a/cmd/odek/mcp.go b/cmd/odek/mcp.go
index 55f604f..36c9e1d 100644
--- a/cmd/odek/mcp.go
+++ b/cmd/odek/mcp.go
@@ -73,7 +73,7 @@ Flags:
 	}
 
 	// Build tools
-	toolSet := builtinTools(resolved.Dangerous, sm, nil, resolved.MaxConcurrency, resolved.APIKey, config.TranscriptionConfig{}, config.VisionConfig{}, nil)
+	toolSet := builtinTools(resolved.Dangerous, sm, nil, resolved.MaxConcurrency, resolved.APIKey, toolConfig{WebSearch: resolved.WebSearch}, nil)
 
 	// MCP server tools — connect and discover before sandbox
 	var mcpCleanup func()
diff --git a/cmd/odek/repl.go b/cmd/odek/repl.go
index bd2fcae..142b348 100644
--- a/cmd/odek/repl.go
+++ b/cmd/odek/repl.go
@@ -77,7 +77,7 @@ func replCmd(args []string) error {
 			"./.odek/skills",
 		)
 	}
-	tools := builtinTools(resolved.Dangerous, sm, nil, resolved.MaxConcurrency, resolved.APIKey, config.TranscriptionConfig{}, config.VisionConfig{}, nil)
+	tools := builtinTools(resolved.Dangerous, sm, nil, resolved.MaxConcurrency, resolved.APIKey, toolConfig{WebSearch: resolved.WebSearch}, nil)
 	var sandboxCleanup func() error
 
 	// MCP server tools
diff --git a/cmd/odek/schedule.go b/cmd/odek/schedule.go
index 2858370..1ebdf4d 100644
--- a/cmd/odek/schedule.go
+++ b/cmd/odek/schedule.go
@@ -570,7 +570,7 @@ func runTaskHeadless(ctx context.Context, resolved config.ResolvedConfig, system
 		resolved.Dangerous.NonInteractive = &deny
 	}
 
-	tools := builtinTools(resolved.Dangerous, nil, nil, resolved.MaxConcurrency, resolved.APIKey, resolved.Transcription, resolved.Vision, nil)
+	tools := builtinTools(resolved.Dangerous, nil, nil, resolved.MaxConcurrency, resolved.APIKey, toolConfig{Transcription: resolved.Transcription, Vision: resolved.Vision, WebSearch: resolved.WebSearch}, nil)
 	tools = append(tools, mcpTools...)
 
 	// Capture cumulative token usage from the final iteration so the Runner
diff --git a/cmd/odek/serve.go b/cmd/odek/serve.go
index b37a06d..bca8138 100644
--- a/cmd/odek/serve.go
+++ b/cmd/odek/serve.go
@@ -267,7 +267,7 @@ func newServeAgent(resolved config.ResolvedConfig, system string, sendFn func(v
 	approver := newWSApprover(sendFn)
 	resolved.Dangerous.Approver = approver
 
-	tools := builtinTools(resolved.Dangerous, sm, approver, resolved.MaxConcurrency, resolved.APIKey, config.TranscriptionConfig{}, config.VisionConfig{}, nil)
+	tools := builtinTools(resolved.Dangerous, sm, approver, resolved.MaxConcurrency, resolved.APIKey, toolConfig{WebSearch: resolved.WebSearch}, nil)
 
 	// Find the delegateTasksTool to wire up sub-agent log streaming
 	var subagentTool *delegateTasksTool
diff --git a/cmd/odek/subagent.go b/cmd/odek/subagent.go
index b4f8275..6c52013 100644
--- a/cmd/odek/subagent.go
+++ b/cmd/odek/subagent.go
@@ -291,7 +291,7 @@ func subagentCmd(args []string) error {
 			"./.odek/skills",
 		)
 	}
-	tools := builtinTools(resolved.Dangerous, sm, nil, resolved.MaxConcurrency, resolved.APIKey, config.TranscriptionConfig{}, config.VisionConfig{}, nil)
+	tools := builtinTools(resolved.Dangerous, sm, nil, resolved.MaxConcurrency, resolved.APIKey, toolConfig{WebSearch: resolved.WebSearch}, nil)
 	var sandboxCleanup func() error
 
 	// MCP server tools
diff --git a/cmd/odek/subagent_contract_test.go b/cmd/odek/subagent_contract_test.go
index ffb9221..340205f 100644
--- a/cmd/odek/subagent_contract_test.go
+++ b/cmd/odek/subagent_contract_test.go
@@ -12,7 +12,6 @@ import (
 	"time"
 
 	"github.com/BackendStack21/odek"
-	"github.com/BackendStack21/odek/internal/config"
 	"github.com/BackendStack21/odek/internal/danger"
 	"github.com/BackendStack21/odek/internal/llm"
 )
@@ -320,7 +319,7 @@ func TestSubagent_ExitCodeThree(t *testing.T) {
 // ── 4. delegate_tasks Tool Schema ───────────────────────────────────
 
 func TestDelegateTasksTool_Exists(t *testing.T) {
-	tools := builtinTools(danger.DangerousConfig{}, nil, nil, 3, "", config.TranscriptionConfig{}, config.VisionConfig{}, nil)
+	tools := builtinTools(danger.DangerousConfig{}, nil, nil, 3, "", toolConfig{}, nil)
 	if len(tools) == 0 {
 		t.Fatal("builtinTools() returned empty slice")
 	}
@@ -338,7 +337,7 @@ func TestDelegateTasksTool_Exists(t *testing.T) {
 }
 
 func TestDelegateTasksTool_HasSchema(t *testing.T) {
-	tools := builtinTools(danger.DangerousConfig{}, nil, nil, 3, "", config.TranscriptionConfig{}, config.VisionConfig{}, nil)
+	tools := builtinTools(danger.DangerousConfig{}, nil, nil, 3, "", toolConfig{}, nil)
 
 	var tool odek.Tool
 	for _, t2 := range tools {
@@ -432,7 +431,7 @@ func TestDelegateTasksTool_HasSchema(t *testing.T) {
 }
 
 func TestDelegateTasksTool_Description(t *testing.T) {
-	tools := builtinTools(danger.DangerousConfig{}, nil, nil, 3, "", config.TranscriptionConfig{}, config.VisionConfig{}, nil)
+	tools := builtinTools(danger.DangerousConfig{}, nil, nil, 3, "", toolConfig{}, nil)
 
 	var tool odek.Tool
 	for _, t2 := range tools {
diff --git a/cmd/odek/telegram.go b/cmd/odek/telegram.go
index ab48e4c..4dbbb70 100644
--- a/cmd/odek/telegram.go
+++ b/cmd/odek/telegram.go
@@ -1113,7 +1113,7 @@ func handleChatMessage(
 	}
 
 	// Build the agent with Telegram approver.
-	tools := builtinTools(resolved.Dangerous, nil, approver, resolved.MaxConcurrency, resolved.APIKey, resolved.Transcription, resolved.Vision, sessionManager.Store)
+	tools := builtinTools(resolved.Dangerous, nil, approver, resolved.MaxConcurrency, resolved.APIKey, toolConfig{Transcription: resolved.Transcription, Vision: resolved.Vision, WebSearch: resolved.WebSearch}, sessionManager.Store)
 
 	modelLabel := odek.ProfileLabel(resolved.Model)
 	if modelLabel == "" {
diff --git a/cmd/odek/web_search_tool.go b/cmd/odek/web_search_tool.go
new file mode 100644
index 0000000..d4b6669
--- /dev/null
+++ b/cmd/odek/web_search_tool.go
@@ -0,0 +1,227 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/BackendStack21/odek"
+	"github.com/BackendStack21/odek/internal/config"
+	"github.com/BackendStack21/odek/internal/danger"
+)
+
+// maxSearXNGBody caps the response body read from SearXNG (defensive — a
+// metasearch JSON payload is small; this guards against a misbehaving backend).
+const maxSearXNGBody = 4 << 20 // 4 MiB
+
+// ═════════════════════════════════════════════════════════════════════════
+// web_search Tool (SearXNG JSON API backend)
+// ═════════════════════════════════════════════════════════════════════════
+
+type webSearchTool struct {
+	dangerousConfig danger.DangerousConfig
+	cfg             config.WebSearchConfig
+	client          *http.Client
+}
+
+func newWebSearchTool(dc danger.DangerousConfig, cfg config.WebSearchConfig) *webSearchTool {
+	timeout := cfg.Timeout
+	if timeout <= 0 {
+		timeout = 15
+	}
+	return &webSearchTool{
+		dangerousConfig: dc,
+		cfg:             cfg,
+		client:          &http.Client{Timeout: time.Duration(timeout) * time.Second},
+	}
+}
+
+func (t *webSearchTool) Name() string { return "web_search" }
+
+func (t *webSearchTool) Description() string {
+	return `Search the web via a self-hosted SearXNG metasearch instance. Returns ranked results (title, url, snippet, engine) plus any direct answers. Use this to find pages, then fetch the most relevant URLs with the browser or http_batch tools. Results come from external search engines and are treated as untrusted content.`
+}
+
+type webSearchArgs struct {
+	Query      string `json:"query"`
+	Category   string `json:"category,omitempty"`
+	MaxResults int    `json:"max_results,omitempty"`
+}
+
+func (t *webSearchTool) Schema() any {
+	return map[string]any{
+		"type": "object",
+		"properties": map[string]any{
+			"query": map[string]any{
+				"type":        "string",
+				"description": "The search query.",
+			},
+			"category": map[string]any{
+				"type":        "string",
+				"description": "Optional SearXNG category to restrict the search (e.g. \"general\", \"news\", \"science\", \"it\"). Defaults to the instance configuration.",
+			},
+			"max_results": map[string]any{
+				"type":        "integer",
+				"description": "Optional cap on the number of results returned. Defaults to the configured maximum.",
+			},
+		},
+		"required": []string{"query"},
+	}
+}
+
+// searxngResponse models the subset of the SearXNG JSON API we surface.
+type searxngResponse struct {
+	Query   string `json:"query"`
+	Results []struct {
+		Title   string `json:"title"`
+		URL     string `json:"url"`
+		Content string `json:"content"`
+		Engine  string `json:"engine"`
+	} `json:"results"`
+	Answers     []json.RawMessage `json:"answers"`
+	Infoboxes   []json.RawMessage `json:"infoboxes"`
+	Suggestions []string          `json:"suggestions"`
+}
+
+type webSearchResult struct {
+	Title   string `json:"title"`
+	URL     string `json:"url"`
+	Snippet string `json:"snippet,omitempty"`
+	Engine  string `json:"engine,omitempty"`
+}
+
+type webSearchOutput struct {
+	Query   string            `json:"query"`
+	Results []webSearchResult `json:"results"`
+	Answers []string          `json:"answers,omitempty"`
+	Count   int               `json:"count"`
+	Error   string            `json:"error,omitempty"`
+}
+
+func (t *webSearchTool) Call(argsJSON string) (result string, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("web_search: panic: %v", r)
+			result = `{"error":"internal error"}`
+		}
+	}()
+
+	var args webSearchArgs
+	if err := json.Unmarshal([]byte(argsJSON), &args); err != nil {
+		return jsonError("invalid arguments: " + err.Error())
+	}
+	query := strings.TrimSpace(args.Query)
+	if query == "" {
+		return jsonError("query is required")
+	}
+	if t.cfg.BaseURL == "" {
+		return jsonError("web_search is not configured: set web_search.base_url to a SearXNG instance")
+	}
+
+	// Security: a web search ultimately fans out to external search engines and
+	// leaks the query terms beyond the trust boundary, so gate it as network
+	// egress — consistent with the browser/http_batch tools. The backend URL is
+	// fixed config (not agent-controlled), so there is no SSRF surface here.
+	if err := t.dangerousConfig.CheckOperation(danger.ToolOperation{
+		Name: "web_search", Resource: query, Risk: danger.NetworkEgress,
+	}, nil); err != nil {
+		return jsonError(err.Error())
+	}
+
+	maxResults := args.MaxResults
+	if maxResults <= 0 {
+		maxResults = t.cfg.MaxResults
+	}
+	if maxResults <= 0 {
+		maxResults = 10
+	}
+
+	resp, err := t.query(query, args.Category)
+	if err != nil {
+		return jsonResult(webSearchOutput{Query: query, Error: err.Error()})
+	}
+
+	out := webSearchOutput{Query: query}
+	for _, r := range resp.Results {
+		if len(out.Results) >= maxResults {
+			break
+		}
+		out.Results = append(out.Results, webSearchResult{
+			Title:   r.Title,
+			URL:     r.URL,
+			Snippet: r.Content,
+			Engine:  r.Engine,
+		})
+	}
+	out.Count = len(out.Results)
+	for _, a := range resp.Answers {
+		if s := strings.TrimSpace(string(a)); s != "" && s != "null" {
+			out.Answers = append(out.Answers, strings.Trim(s, `"`))
+		}
+	}
+
+	raw, mErr := json.Marshal(out)
+	if mErr != nil {
+		return jsonError("marshal error: " + mErr.Error())
+	}
+	// Results are external web content — wrap so the model distinguishes data
+	// from instructions (a SERP snippet could carry an injection payload).
+	return wrapUntrusted("web_search:"+query, string(raw)), nil
+}
+
+// query performs the SearXNG JSON request and decodes the response.
+func (t *webSearchTool) query(query, category string) (*searxngResponse, error) {
+	endpoint, err := url.Parse(strings.TrimRight(t.cfg.BaseURL, "/") + "/search")
+	if err != nil {
+		return nil, fmt.Errorf("invalid web_search base_url %q: %v", t.cfg.BaseURL, err)
+	}
+	q := endpoint.Query()
+	q.Set("q", query)
+	q.Set("format", "json")
+	if cat := strings.TrimSpace(category); cat != "" {
+		q.Set("categories", cat)
+	} else if t.cfg.Categories != "" {
+		q.Set("categories", t.cfg.Categories)
+	}
+	if t.cfg.Language != "" {
+		q.Set("language", t.cfg.Language)
+	}
+	endpoint.RawQuery = q.Encode()
+
+	req, err := http.NewRequest(http.MethodGet, endpoint.String(), nil)
+	if err != nil {
+		return nil, fmt.Errorf("build request: %v", err)
+	}
+	req.Header.Set("Accept", "application/json")
+
+	httpResp, err := t.client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("cannot reach SearXNG at %s — is the service running? (%v)", t.cfg.BaseURL, err)
+	}
+	defer httpResp.Body.Close()
+
+	if httpResp.StatusCode == http.StatusForbidden {
+		return nil, fmt.Errorf("SearXNG returned 403 for format=json — enable the JSON API in settings.yml (search.formats must include \"json\")")
+	}
+	if httpResp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("SearXNG returned HTTP %d", httpResp.StatusCode)
+	}
+
+	body, err := io.ReadAll(io.LimitReader(httpResp.Body, maxSearXNGBody))
+	if err != nil {
+		return nil, fmt.Errorf("read response: %v", err)
+	}
+
+	var resp searxngResponse
+	if err := json.Unmarshal(body, &resp); err != nil {
+		return nil, fmt.Errorf("decode SearXNG JSON (got %d bytes): %v", len(body), err)
+	}
+	return &resp, nil
+}
+
+// Ensure webSearchTool implements odek.Tool
+var _ odek.Tool = (*webSearchTool)(nil)
diff --git a/cmd/odek/web_search_tool_test.go b/cmd/odek/web_search_tool_test.go
new file mode 100644
index 0000000..de330b6
--- /dev/null
+++ b/cmd/odek/web_search_tool_test.go
@@ -0,0 +1,187 @@
+package main
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/BackendStack21/odek/internal/config"
+	"github.com/BackendStack21/odek/internal/danger"
+)
+
+// allowAll is a danger config that permits network egress without prompting,
+// so the tool's gating doesn't block the hermetic test.
+func allowAllDanger() danger.DangerousConfig {
+	return danger.DangerousConfig{Classes: map[danger.RiskClass]danger.Action{
+		danger.NetworkEgress: danger.Allow,
+	}}
+}
+
+// mockSearXNG returns a test server that serves a canned JSON SERP and records
+// the last query it received.
+func mockSearXNG(t *testing.T, results int) (*httptest.Server, *string) {
+	t.Helper()
+	var lastQuery string
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Query().Get("format") != "json" {
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
+		lastQuery = r.URL.Query().Get("q")
+		resp := map[string]any{"query": lastQuery}
+		var rs []map[string]string
+		for i := 0; i < results; i++ {
+			rs = append(rs, map[string]string{
+				"title":   "Result " + string(rune('A'+i)),
+				"url":     "https://example.com/" + string(rune('a'+i)),
+				"content": "snippet text",
+				"engine":  "duckduckgo",
+			})
+		}
+		resp["results"] = rs
+		resp["answers"] = []string{"42"}
+		_ = json.NewEncoder(w).Encode(resp)
+	}))
+	t.Cleanup(srv.Close)
+	return srv, &lastQuery
+}
+
+func decodeWebSearch(t *testing.T, raw string) webSearchOutput {
+	t.Helper()
+	// Strip the untrusted_content wrapper to get at the JSON payload.
+	start := strings.IndexByte(raw, '{')
+	end := strings.LastIndexByte(raw, '}')
+	if start < 0 || end < start {
+		t.Fatalf("no JSON object found in output: %q", raw)
+	}
+	var out webSearchOutput
+	if err := json.Unmarshal([]byte(raw[start:end+1]), &out); err != nil {
+		t.Fatalf("decode webSearchOutput: %v (raw=%q)", err, raw)
+	}
+	return out
+}
+
+func TestWebSearch_HappyPath(t *testing.T) {
+	srv, lastQuery := mockSearXNG(t, 3)
+	tool := newWebSearchTool(allowAllDanger(), config.WebSearchConfig{BaseURL: srv.URL, MaxResults: 10})
+
+	raw, err := tool.Call(`{"query":"golang generics"}`)
+	if err != nil {
+		t.Fatalf("Call error: %v", err)
+	}
+	if !strings.Contains(raw, "<untrusted_content_") {
+		t.Errorf("output not wrapped as untrusted: %q", raw)
+	}
+	out := decodeWebSearch(t, raw)
+	if out.Count != 3 || len(out.Results) != 3 {
+		t.Fatalf("Count = %d, len = %d, want 3", out.Count, len(out.Results))
+	}
+	if out.Results[0].URL == "" || out.Results[0].Title == "" {
+		t.Errorf("result missing fields: %+v", out.Results[0])
+	}
+	if len(out.Answers) != 1 || out.Answers[0] != "42" {
+		t.Errorf("answers = %v, want [42]", out.Answers)
+	}
+	if *lastQuery != "golang generics" {
+		t.Errorf("SearXNG received query %q, want %q", *lastQuery, "golang generics")
+	}
+}
+
+func TestWebSearch_MaxResultsTruncation(t *testing.T) {
+	srv, _ := mockSearXNG(t, 10)
+	// config cap of 2; the request overrides to 4 — request wins.
+	tool := newWebSearchTool(allowAllDanger(), config.WebSearchConfig{BaseURL: srv.URL, MaxResults: 2})
+
+	raw, err := tool.Call(`{"query":"x","max_results":4}`)
+	if err != nil {
+		t.Fatalf("Call error: %v", err)
+	}
+	out := decodeWebSearch(t, raw)
+	if out.Count != 4 {
+		t.Errorf("Count = %d, want 4 (request override)", out.Count)
+	}
+
+	// No request override → config cap applies.
+	raw2, _ := tool.Call(`{"query":"x"}`)
+	out2 := decodeWebSearch(t, raw2)
+	if out2.Count != 2 {
+		t.Errorf("Count = %d, want 2 (config cap)", out2.Count)
+	}
+}
+
+func TestWebSearch_EmptyQuery(t *testing.T) {
+	tool := newWebSearchTool(allowAllDanger(), config.WebSearchConfig{BaseURL: "http://unused"})
+	raw, err := tool.Call(`{"query":"   "}`)
+	if err != nil {
+		t.Fatalf("Call error: %v", err)
+	}
+	if !strings.Contains(raw, "query is required") {
+		t.Errorf("expected 'query is required', got %q", raw)
+	}
+}
+
+func TestWebSearch_NotConfigured(t *testing.T) {
+	tool := newWebSearchTool(allowAllDanger(), config.WebSearchConfig{})
+	raw, _ := tool.Call(`{"query":"x"}`)
+	if !strings.Contains(raw, "not configured") {
+		t.Errorf("expected 'not configured' error, got %q", raw)
+	}
+}
+
+func TestWebSearch_JSONDisabled403(t *testing.T) {
+	// Server that always 403s (simulates JSON format not enabled).
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusForbidden)
+	}))
+	t.Cleanup(srv.Close)
+	tool := newWebSearchTool(allowAllDanger(), config.WebSearchConfig{BaseURL: srv.URL})
+
+	raw, _ := tool.Call(`{"query":"x"}`)
+	out := decodeWebSearch(t, raw)
+	if !strings.Contains(out.Error, "search.formats") {
+		t.Errorf("expected JSON-format hint in error, got %q", out.Error)
+	}
+}
+
+func TestWebSearch_BackendUnreachable(t *testing.T) {
+	// Point at a closed port on localhost.
+	tool := newWebSearchTool(allowAllDanger(), config.WebSearchConfig{BaseURL: "http://127.0.0.1:1"})
+	raw, _ := tool.Call(`{"query":"x"}`)
+	out := decodeWebSearch(t, raw)
+	if !strings.Contains(out.Error, "cannot reach SearXNG") {
+		t.Errorf("expected unreachable error, got %q", out.Error)
+	}
+}
+
+func TestWebSearch_DeniedByPolicy(t *testing.T) {
+	// NetworkEgress denied → the tool returns the denial as an error result.
+	dc := danger.DangerousConfig{Classes: map[danger.RiskClass]danger.Action{
+		danger.NetworkEgress: danger.Deny,
+	}}
+	tool := newWebSearchTool(dc, config.WebSearchConfig{BaseURL: "http://unused"})
+	raw, _ := tool.Call(`{"query":"secret terms"}`)
+	if !strings.Contains(raw, "denied") {
+		t.Errorf("expected denial, got %q", raw)
+	}
+}
+
+func TestWebSearch_SchemaShape(t *testing.T) {
+	tool := newWebSearchTool(allowAllDanger(), config.WebSearchConfig{})
+	schema, ok := tool.Schema().(map[string]any)
+	if !ok {
+		t.Fatal("schema is not a map")
+	}
+	props, ok := schema["properties"].(map[string]any)
+	if !ok {
+		t.Fatal("schema has no properties")
+	}
+	if _, ok := props["query"]; !ok {
+		t.Error("schema missing 'query' property")
+	}
+	req, _ := schema["required"].([]string)
+	if len(req) != 1 || req[0] != "query" {
+		t.Errorf("required = %v, want [query]", req)
+	}
+}
diff --git a/docker/.env.example b/docker/.env.example
index dc561e4..c59654b 100644
--- a/docker/.env.example
+++ b/docker/.env.example
@@ -60,3 +60,9 @@ GIT_COMMITTER_EMAIL=you@example.com
 # ODEK_SCHEDULES_TIMEZONE=UTC                 # default tz for jobs without their own
 # ODEK_SCHEDULES_CATCHUP=false                # run a missed fire once on startup
 # ODEK_SCHEDULES_ALLOW_TELEGRAM_MANAGEMENT=true  # set false to make /schedule read-only (CLI-manages)
+
+# ── Web search (SearXNG sidecar; see docs/DOCKER_COMPOSE_USER_GUIDE.md) ──
+# The compose file runs a private SearXNG instance backing the `web_search`
+# tool. Set a strong random secret (e.g. `openssl rand -hex 32`). Required by
+# SearXNG; the instance is internal-only (no host port) but set it anyway.
+SEARXNG_SECRET=change-me-run-openssl-rand-hex-32
diff --git a/docker/README.md b/docker/README.md
index 2b3f9ed..8d34039 100644
--- a/docker/README.md
+++ b/docker/README.md
@@ -169,6 +169,24 @@ API, no host install, no first-run download.
 - To point at models installed on the host instead, set `vision.models_dir` in
   config to the directory containing `model.gguf` and `mmproj.gguf`.
 
+## Web search (out of the box)
+
+The compose setup runs a **private [SearXNG](https://docs.searxng.org/) metasearch
+sidecar** backing the `web_search` tool — no cloud search API, no keys.
+
+- The `searxng` service co-starts with every profile and is reachable only by the
+  odek containers at `http://searxng:8080` (**no host port is published** — the
+  agent is the only consumer). Both bundled configs set `web_search.base_url` to it.
+- `docker/searxng/settings.yml` enables the JSON API (`search.formats: [html, json]`)
+  and disables the anti-bot limiter, so **no Redis/Valkey is required**.
+- Set **`SEARXNG_SECRET`** in `.env` (e.g. `openssl rand -hex 32`).
+- The agent searches, gets ranked results, then fetches the URLs it wants with the
+  `browser` / `http_batch` tools. Results are wrapped as untrusted content.
+- SearXNG needs outbound internet to reach upstream engines (Google, Bing,
+  DuckDuckGo, …). If you front the stack with an allowlisting egress proxy, permit those.
+- To run **without** web search: comment out the `searxng` service (and the
+  `depends_on: [searxng]` lines), and remove the `web_search` block from the configs.
+
 ## Verify the profiles differ
 
 - **Restricted**: ask it to `rm -rf` everything in `/workspace` → denied, never runs.
diff --git a/docker/config.godmode.json b/docker/config.godmode.json
index 4f3b2da..5418a3b 100644
--- a/docker/config.godmode.json
+++ b/docker/config.godmode.json
@@ -16,6 +16,10 @@
     "auto_describe": true,
     "models_dir": "/usr/local/share/minicpm-v/models"
   },
+  "web_search": {
+    "base_url": "http://searxng:8080",
+    "max_results": 10
+  },
   "memory": {
     "enabled": true,
     "facts_limit_user": 1500,
diff --git a/docker/config.restricted.json b/docker/config.restricted.json
index f8f0b77..26e406b 100644
--- a/docker/config.restricted.json
+++ b/docker/config.restricted.json
@@ -16,6 +16,10 @@
     "auto_describe": true,
     "models_dir": "/usr/local/share/minicpm-v/models"
   },
+  "web_search": {
+    "base_url": "http://searxng:8080",
+    "max_results": 10
+  },
   "memory": {
     "enabled": true,
     "facts_limit_user": 1500,
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index dc4d5cc..9a38d7f 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -30,6 +30,7 @@ services:
       - ./workspace:/workspace
       - ./config.restricted.json:/home/odek/.odek/config.json:ro
     restart: "no"
+    depends_on: [searxng]
 
   # ── Godmode (all permissions) — non-interactive, disposable container ──
   odek-godmode:
@@ -49,6 +50,7 @@ services:
       - ./workspace:/workspace
       - ./config.godmode.json:/home/odek/.odek/config.json:ro
     restart: "no"
+    depends_on: [searxng]
 
   # ── Telegram bot — Restricted (approvals via inline keyboards) ──
   # State (sessions, skills, telegram.pid) lives in the local ./.odek folder —
@@ -72,6 +74,7 @@ services:
       - ./.odek:/home/odek/.odek
       - ./config.restricted.json:/home/odek/.odek/config.json:ro
     restart: unless-stopped
+    depends_on: [searxng]
 
   # ── Telegram bot — Godmode (no prompts; unrestricted) ──
   # Same ./.odek state folder; config.godmode.json is layered on top of
@@ -90,3 +93,24 @@ services:
       - ./.odek:/home/odek/.odek
       - ./config.godmode.json:/home/odek/.odek/config.json:ro
     restart: unless-stopped
+    depends_on: [searxng]
+
+  # ── SearXNG — self-hosted metasearch backing the `web_search` tool ──
+  # Co-starts with every odek profile so web search works out of the box.
+  # Reachable only by the odek containers over the compose network at
+  # http://searxng:8080 — NO host port is published (the agent is the only
+  # consumer). The bundled config enables the JSON API and disables the
+  # anti-bot limiter, so no Redis/Valkey is needed (single trusted consumer).
+  # Set SEARXNG_SECRET in .env. To run without web search, comment this service
+  # and the depends_on lines above, and drop "web_search" from the configs.
+  searxng:
+    profiles: ["restricted", "godmode", "telegram-restricted", "telegram-godmode"]
+    image: searxng/searxng:2026.6.8-f3fab143b   # pinned; bump deliberately
+    environment:
+      - SEARXNG_BASE_URL=http://searxng:8080/
+      - SEARXNG_SECRET=${SEARXNG_SECRET:-change-me-in-dot-env}
+    volumes:
+      - ./searxng/settings.yml:/etc/searxng/settings.yml:ro
+    # SearXNG needs outbound internet to query upstream engines (Google, Bing,
+    # DuckDuckGo, …). Behind the advanced allowlisting egress proxy, permit those.
+    restart: unless-stopped
diff --git a/docker/searxng/settings.yml b/docker/searxng/settings.yml
new file mode 100644
index 0000000..6afe475
--- /dev/null
+++ b/docker/searxng/settings.yml
@@ -0,0 +1,43 @@
+# SearXNG configuration for the odek `web_search` tool.
+#
+# This is a minimal PRIVATE instance: the only consumer is the odek agent on
+# the internal compose network. Two settings make that work:
+#   1. search.formats includes `json`  → enables the JSON API the tool calls.
+#      (Upstream defaults to HTML-only; without this you get HTTP 403 on
+#       ?format=json.)
+#   2. server.limiter: false + public_instance: false → no anti-bot rate
+#      limiter, so no Redis/Valkey dependency is required.
+#
+# If you ever expose this instance beyond the compose network, re-enable the
+# limiter and add a Valkey service (see SearXNG docs), and set a strong secret.
+
+use_default_settings: true
+
+general:
+  instance_name: "odek-search"
+  # Don't leak instance metadata to the agent's results.
+  enable_metrics: false
+
+server:
+  # Must be overridden from the default; injected via $SEARXNG_SECRET in compose.
+  secret_key: "change-me-in-dot-env"
+  bind_address: "0.0.0.0"
+  port: 8080
+  # Single trusted consumer on a private network — disable the bot limiter
+  # (this is what removes the Redis/Valkey requirement).
+  limiter: false
+  public_instance: false
+  image_proxy: false
+
+search:
+  # ENABLES THE JSON API used by the web_search tool. Do not remove `json`.
+  formats:
+    - html
+    - json
+  # Reasonable defaults; the tool can override per request.
+  autocomplete: ""
+  default_lang: "auto"
+  safe_search: 0
+
+# Keep the default engine set (general web search). Tune here if you want to
+# disable specific engines or add categories.
diff --git a/docs/CHEATSHEET.md b/docs/CHEATSHEET.md
index 0b98d9e..0ec64ca 100644
--- a/docs/CHEATSHEET.md
+++ b/docs/CHEATSHEET.md
@@ -106,6 +106,28 @@ Settings: `model` (tiny/base/small/medium), `language` (ISO code, empty=auto), `
 
 Settings: `auto_describe` (Telegram photo → description before the agent answers, default true), `models_dir` (dir with `model.gguf` + `mmproj.gguf`), `binary_path` (llama-mtmd-cli path), `video_frames` (frames to sample from video, default 8).
 
+### Web Search
+- **`web_search`** tool queries a self-hosted **SearXNG** metasearch instance — no cloud search API, no keys
+- Returns ranked results (title, url, snippet, engine) + direct answers; results are wrapped as untrusted content
+- The agent then fetches the URLs it wants with `browser` / `http_batch`
+- **Registered only when `web_search.base_url` is set.** The Docker compose setup runs a SearXNG sidecar and sets it automatically; outside Docker, run SearXNG yourself and point `base_url` at it
+- Gated as `network_egress` (prompts in restricted, allowed in godmode) — the backend URL is fixed config, so there is no SSRF surface
+- Configure via `web_search` section:
+
+```json
+{
+  "web_search": {
+    "base_url": "http://searxng:8080",
+    "categories": "general",
+    "language": "en",
+    "max_results": 10,
+    "timeout_seconds": 15
+  }
+}
+```
+
+Settings: `base_url` (SearXNG instance; empty = tool disabled), `categories` (optional SearXNG categories), `language` (optional language code), `max_results` (default 10), `timeout_seconds` (default 15).
+
 ## Memory System Architecture
 
 ### Three Tiers
diff --git a/docs/CONFIG.md b/docs/CONFIG.md
index 03f973e..b693e73 100644
--- a/docs/CONFIG.md
+++ b/docs/CONFIG.md
@@ -434,7 +434,7 @@ The progress system is an evolving single message that gets edited in-place (sim
 ```
 
 Key behaviors:
-- **Smart previews** — instead of showing raw JSON args, the system extracts meaningful context: filename for file tools, the command text for shell, URL for browser, query text for memory/search tools, audio filename for transcribe, file path for vision
+- **Smart previews** — instead of showing raw JSON args, the system extracts meaningful context: filename for file tools, the command text for shell, URL for browser, query text for memory/search tools, audio filename for transcribe, file path for vision, query for web_search
 - **Edit throttling** — edits are rate-limited to one every 1.5 seconds to avoid hitting Telegram's flood control limits. Rapid tool chains don't produce 429 errors
 - **Tool dedup** — when the same tool runs consecutively (common with parallel batch tools like `batch_read`), identical lines are collapsed into a `(×N)` counter instead of repeating N times
 - **Flood control fallback** — if an edit message fails with "flood" or "retry after", the system automatically switches to sending new messages instead of editing. This prevents the bot from becoming unresponsive under heavy load
diff --git a/docs/DOCKER_COMPOSE_USER_GUIDE.md b/docs/DOCKER_COMPOSE_USER_GUIDE.md
index d9ab1ef..6546234 100644
--- a/docs/DOCKER_COMPOSE_USER_GUIDE.md
+++ b/docs/DOCKER_COMPOSE_USER_GUIDE.md
@@ -127,8 +127,20 @@ ODEK_SUPPRESS_SANDBOX_WARNING=1
 # Anthropic (OpenAI-compatible endpoint; matches the claude-sonnet-4 profile):
 # ODEK_MODEL=claude-sonnet-4-5
 # ODEK_BASE_URL=https://api.anthropic.com/v1
+
+# Web search: secret for the bundled SearXNG sidecar (web_search tool).
+# Generate with `openssl rand -hex 32`. The instance is internal-only.
+SEARXNG_SECRET=change-me-run-openssl-rand-hex-32
 ```
 
+The compose file also runs a private **SearXNG** metasearch sidecar that backs the
+`web_search` tool (see [docker/README.md](../docker/README.md#web-search-out-of-the-box)).
+It co-starts with every profile, is reachable only by the odek containers at
+`http://searxng:8080` (no host port), and needs only `SEARXNG_SECRET` set above —
+no Redis/Valkey. To disable web search, comment the `searxng` service and the
+`depends_on: [searxng]` lines in the compose file and drop the `web_search` block
+from the config files.
+
 ---
 
 ## 5. Permission policy files
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index 9c66f83..bc2407d 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -59,6 +59,7 @@ Tools that wrap:
 | `shell` | `$ <command>` |
 | `transcribe` | `transcribe:<audio path>` (full transcript + each segment) |
 | `vision` | `vision:<file path>` (full description) |
+| `web_search` | `web_search:<query>` (results + answers from SearXNG) |
 | `session_search` | `session_search` (whole result — past sessions may be tainted) |
 | any MCP tool | `mcp:<server>:<tool>` |
 
diff --git a/docs/TELEGRAM.md b/docs/TELEGRAM.md
index 7d0accf..b944c4a 100644
--- a/docs/TELEGRAM.md
+++ b/docs/TELEGRAM.md
@@ -345,7 +345,7 @@ Tool progress shows what the agent is doing in real time. Controlled by the `too
 **Key features:**
 - **Reasoning-first progress** — the first sentence of the LLM's internal reasoning (under 20 words) appears at the top of the progress bubble, followed by individual tool previews. The LLM is prompted to make this sentence user-facing, specific, and engaging
 - **Language matching** — the bot always replies in the same language the user writes in, including the thinking message and progress indicator
-- **Smart previews** — extracts meaningful context: filename for file tools, command for shell, URL for browser, query for memory, filename for transcribe, file path for vision
+- **Smart previews** — extracts meaningful context: filename for file tools, command for shell, URL for browser, query for memory, filename for transcribe, file path for vision, query for web_search
 - **Edit throttling** — 1.5s minimum between edits prevents Telegram flood control (429 errors)
 - **Tool dedup** — if the same tool runs N times in a row (common with parallel batches), shows `📝 read_file: "main.go" (×5)` instead of 5 identical lines
 - **Flood fallback** — if an edit fails with "flood" or "retry after", automatically switches to sending new messages
diff --git a/internal/config/loader.go b/internal/config/loader.go
index fc70927..e4a4169 100644
--- a/internal/config/loader.go
+++ b/internal/config/loader.go
@@ -116,6 +116,27 @@ type VisionConfig struct {
 	AutoDescribe bool `json:"auto_describe,omitempty"`
 }
 
+// WebSearchConfig controls the web_search tool (self-hosted SearXNG backend).
+// Populated from the "web_search" section of odek.json or ~/.odek/config.json.
+// The tool is registered only when BaseURL is non-empty — without a reachable
+// SearXNG instance there is no backend, so the tool stays hidden by default
+// (a plain `go install` has no sidecar; the Docker compose setup sets BaseURL).
+type WebSearchConfig struct {
+	// BaseURL is the SearXNG instance the tool queries, e.g.
+	// "http://searxng:8080" (Docker compose) or "http://127.0.0.1:8888"
+	// (host). Empty disables the tool.
+	BaseURL string `json:"base_url,omitempty"`
+	// Categories optionally restricts the SearXNG categories queried
+	// (comma-separated, e.g. "general" or "general,news"). Empty = SearXNG default.
+	Categories string `json:"categories,omitempty"`
+	// Language optionally sets the SearXNG language code (e.g. "en"). Empty = SearXNG default.
+	Language string `json:"language,omitempty"`
+	// MaxResults caps how many results are returned to the agent. Default: 10.
+	MaxResults int `json:"max_results,omitempty"`
+	// Timeout is the per-request timeout in seconds. Default: 15.
+	Timeout int `json:"timeout_seconds,omitempty"`
+}
+
 // FileConfig is the JSON schema used by ~/.odek/config.json and ./odek.json.
 // Pointer booleans distinguish "explicitly set to false" from "not set".
 type FileConfig struct {
@@ -186,6 +207,9 @@ type FileConfig struct {
 	// Vision configures local image/video understanding (MiniCPM-V 4.6 via llama-mtmd-cli).
 	Vision *VisionConfig `json:"vision,omitempty"`
 
+	// WebSearch configures the web_search tool (self-hosted SearXNG backend).
+	WebSearch *WebSearchConfig `json:"web_search,omitempty"`
+
 	// Schedules configures the native in-process task scheduler.
 	Schedules *SchedulesConfig `json:"schedules,omitempty"`
 
@@ -298,6 +322,10 @@ type ResolvedConfig struct {
 	// Default: VideoFrames=8, ModelsDir="" (auto-detect), BinaryPath="" (PATH lookup).
 	Vision VisionConfig
 
+	// WebSearch is the resolved web_search config.
+	// Default: MaxResults=10, Timeout=15, BaseURL="" (tool disabled until set).
+	WebSearch WebSearchConfig
+
 	// Schedules is the resolved scheduler config.
 	// Default: enabled=true, max_concurrent=2, timezone="UTC", catchup=false.
 	Schedules ScheduleConfig
@@ -689,6 +717,7 @@ func LoadConfig(cli CLIFlags) ResolvedConfig {
 		Telegram:        resolveTelegram(cfg.Telegram),
 		Transcription:   resolveTranscription(cfg.Transcription),
 		Vision:          resolveVision(cfg.Vision),
+		WebSearch:       resolveWebSearch(cfg.WebSearch),
 		Schedules:       resolveSchedules(cfg.Schedules),
 		InteractionMode: ifZero(cfg.InteractionMode, "engaging"),
 		ToolProgress:    ifZero(cfg.ToolProgress, "all"),
@@ -977,6 +1006,25 @@ func resolveVision(cfg *VisionConfig) VisionConfig {
 	}
 }
 
+// resolveWebSearch returns the resolved web_search config, filling zero-valued
+// numeric fields with defaults. BaseURL has no default — it stays empty (and
+// the tool stays unregistered) until the operator points it at a SearXNG instance.
+func resolveWebSearch(cfg *WebSearchConfig) WebSearchConfig {
+	if cfg != nil {
+		if cfg.MaxResults == 0 {
+			cfg.MaxResults = 10
+		}
+		if cfg.Timeout == 0 {
+			cfg.Timeout = 15
+		}
+		return *cfg
+	}
+	return WebSearchConfig{
+		MaxResults: 10,
+		Timeout:    15,
+	}
+}
+
 // SchedulesConfig is the file-level scheduler configuration. Tri-state fields
 // use pointers so "unset" is distinguishable from an explicit false.
 type SchedulesConfig struct {
@@ -1133,6 +1181,9 @@ func overlayFile(base, override FileConfig) FileConfig {
 	if override.Vision != nil {
 		base.Vision = override.Vision
 	}
+	if override.WebSearch != nil {
+		base.WebSearch = override.WebSearch
+	}
 	if override.Schedules != nil {
 		base.Schedules = override.Schedules
 	}
diff --git a/internal/config/websearch_test.go b/internal/config/websearch_test.go
new file mode 100644
index 0000000..6e8674b
--- /dev/null
+++ b/internal/config/websearch_test.go
@@ -0,0 +1,54 @@
+package config
+
+import "testing"
+
+func TestResolveWebSearch_Defaults(t *testing.T) {
+	w := resolveWebSearch(nil)
+	if w.MaxResults != 10 {
+		t.Errorf("MaxResults = %d, want 10", w.MaxResults)
+	}
+	if w.Timeout != 15 {
+		t.Errorf("Timeout = %d, want 15", w.Timeout)
+	}
+	if w.BaseURL != "" {
+		t.Errorf("BaseURL = %q, want empty (tool disabled until set)", w.BaseURL)
+	}
+}
+
+func TestResolveWebSearch_ZeroNumericsFilled(t *testing.T) {
+	w := resolveWebSearch(&WebSearchConfig{BaseURL: "http://searxng:8080"})
+	if w.MaxResults != 10 {
+		t.Errorf("MaxResults = %d, want 10 (zero filled)", w.MaxResults)
+	}
+	if w.Timeout != 15 {
+		t.Errorf("Timeout = %d, want 15 (zero filled)", w.Timeout)
+	}
+	if w.BaseURL != "http://searxng:8080" {
+		t.Errorf("BaseURL = %q, want preserved", w.BaseURL)
+	}
+}
+
+func TestResolveWebSearch_CustomValues(t *testing.T) {
+	w := resolveWebSearch(&WebSearchConfig{
+		BaseURL:    "http://127.0.0.1:8888",
+		Categories: "general,news",
+		Language:   "en",
+		MaxResults: 5,
+		Timeout:    30,
+	})
+	if w.BaseURL != "http://127.0.0.1:8888" {
+		t.Errorf("BaseURL = %q", w.BaseURL)
+	}
+	if w.Categories != "general,news" {
+		t.Errorf("Categories = %q", w.Categories)
+	}
+	if w.Language != "en" {
+		t.Errorf("Language = %q", w.Language)
+	}
+	if w.MaxResults != 5 {
+		t.Errorf("MaxResults = %d, want 5", w.MaxResults)
+	}
+	if w.Timeout != 30 {
+		t.Errorf("Timeout = %d, want 30", w.Timeout)
+	}
+}

From 4ba8c3eb2d0179ab8fe72ddf6736bbc82f2f4e8a Mon Sep 17 00:00:00 2001
From: Rolando Santamaria Maso <kyberneees@gmail.com>
Date: Wed, 10 Jun 2026 10:03:11 +0200
Subject: [PATCH 2/4] fix(web_search): address code-review findings (answers,
 SSRF, secret, cold-start)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Code review of the SearXNG integration surfaced four actionable issues; fixes:

#2 (confirmed) — answers parsing emitted raw answer-object JSON. SearXNG
`answers` are objects ({"answer":"...","url":...,"template":...}), not bare
strings, so strings.Trim(rawJSON,'"') left the {...} blob intact. Decode the
`answer` field out of each object instead (also drops the fragile Trim). The
test mock used a string array, masking this — corrected to objects.

#3 (defense-in-depth) — the http.Client had no CheckRedirect. A compromised
or misconfigured SearXNG could 3xx the client toward an internal/metadata
endpoint (SSRF). Install the same per-hop re-classification guard browser and
http_batch use, capped at 10 hops. New TestWebSearch_RedirectToInternalBlocked.

#1 (hardening) — the mounted settings.yml hardcoded secret_key
"change-me-in-dot-env". Deeper tracing showed SEARXNG_SECRET *does* override
the file at app load (searx/settings_defaults.py environ_name), so the env
wiring worked — but the placeholder defeated SearXNG's built-in "secret_key
is not changed" warning, which only fires for the canonical "ultrasecretkey".
Switch the placeholder + the compose env fallback to "ultrasecretkey" so an
unset secret is loudly flagged rather than silently weak. Comments/.env.example
corrected to describe the real (app-load) override mechanism.

#4 (reliability) — `depends_on: [searxng]` only waits for container start, so
the first web_search after `compose up` could race SearXNG readiness. Rather
than a Docker healthcheck (whose probe tooling I can't verify in the upstream
image — a broken probe would deadlock odek startup), make the tool resilient:
retry only on ECONNREFUSED (the precise "up but not yet listening" signal),
2 extra attempts with a 1s backoff. Timeouts / genuine-down fail fast.

#5 (overlay whole-pointer replace) intentionally deferred — it is consistent
with the existing Skills/Memory/Transcription/Vision merge behavior; fixing
only web_search would be inconsistent.

Full suite green under -race; vet/gofmt clean; compose config validates.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 cmd/odek/web_search_tool.go      | 61 +++++++++++++++++++++++++++-----
 cmd/odek/web_search_tool_test.go | 37 ++++++++++++++++++-
 docker/.env.example              |  6 ++--
 docker/docker-compose.yml        |  6 +++-
 docker/searxng/settings.yml      |  9 +++--
 5 files changed, 105 insertions(+), 14 deletions(-)

diff --git a/cmd/odek/web_search_tool.go b/cmd/odek/web_search_tool.go
index d4b6669..0003da2 100644
--- a/cmd/odek/web_search_tool.go
+++ b/cmd/odek/web_search_tool.go
@@ -2,11 +2,13 @@ package main
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
+	"syscall"
 	"time"
 
 	"github.com/BackendStack21/odek"
@@ -18,6 +20,15 @@ import (
 // metasearch JSON payload is small; this guards against a misbehaving backend).
 const maxSearXNGBody = 4 << 20 // 4 MiB
 
+// Cold-start retry: how many extra attempts (and the delay between them) to
+// make when SearXNG refuses the connection — covers the compose startup race
+// where the container is up but the app isn't yet listening. Vars (not consts)
+// so tests can shrink the delay.
+var (
+	searxngConnectRetries = 2
+	searxngRetryDelay     = time.Second
+)
+
 // ═════════════════════════════════════════════════════════════════════════
 // web_search Tool (SearXNG JSON API backend)
 // ═════════════════════════════════════════════════════════════════════════
@@ -33,11 +44,30 @@ func newWebSearchTool(dc danger.DangerousConfig, cfg config.WebSearchConfig) *we
 	if timeout <= 0 {
 		timeout = 15
 	}
-	return &webSearchTool{
-		dangerousConfig: dc,
-		cfg:             cfg,
-		client:          &http.Client{Timeout: time.Duration(timeout) * time.Second},
+	t := &webSearchTool{dangerousConfig: dc, cfg: cfg}
+	t.client = &http.Client{
+		Timeout:       time.Duration(timeout) * time.Second,
+		CheckRedirect: t.checkRedirect,
 	}
+	return t
+}
+
+// checkRedirect re-classifies every redirect hop. The configured base_url is
+// trusted, but a compromised, buggy, or misconfigured SearXNG could 3xx the
+// client toward an internal/metadata endpoint (SSRF). Re-classifying each hop —
+// the same guard browser/http_batch install — closes that. Installing
+// CheckRedirect disables Go's implicit 10-hop cap, so we re-impose it.
+func (t *webSearchTool) checkRedirect(req *http.Request, via []*http.Request) error {
+	if len(via) >= 10 {
+		return fmt.Errorf("stopped after 10 redirects")
+	}
+	target := req.URL.String()
+	if err := t.dangerousConfig.CheckOperation(danger.ToolOperation{
+		Name: "web_search", Resource: target, Risk: danger.ClassifyURL(target),
+	}, nil); err != nil {
+		return fmt.Errorf("redirect to %s blocked: %w", target, err)
+	}
+	return nil
 }
 
 func (t *webSearchTool) Name() string { return "web_search" }
@@ -82,7 +112,11 @@ type searxngResponse struct {
 		Content string `json:"content"`
 		Engine  string `json:"engine"`
 	} `json:"results"`
-	Answers     []json.RawMessage `json:"answers"`
+	// SearXNG answers are objects ({"answer": "...", "url": ..., "template": ...}),
+	// not bare strings — decode the answer text out of each.
+	Answers []struct {
+		Answer string `json:"answer"`
+	} `json:"answers"`
 	Infoboxes   []json.RawMessage `json:"infoboxes"`
 	Suggestions []string          `json:"suggestions"`
 }
@@ -159,8 +193,8 @@ func (t *webSearchTool) Call(argsJSON string) (result string, err error) {
 	}
 	out.Count = len(out.Results)
 	for _, a := range resp.Answers {
-		if s := strings.TrimSpace(string(a)); s != "" && s != "null" {
-			out.Answers = append(out.Answers, strings.Trim(s, `"`))
+		if s := strings.TrimSpace(a.Answer); s != "" {
+			out.Answers = append(out.Answers, s)
 		}
 	}
 
@@ -198,7 +232,18 @@ func (t *webSearchTool) query(query, category string) (*searxngResponse, error)
 	}
 	req.Header.Set("Accept", "application/json")
 
-	httpResp, err := t.client.Do(req)
+	// Retry only on connection-refused — the precise signal that the SearXNG
+	// sidecar is up as a container but not yet accepting connections (the
+	// startup race when both come up together under compose). Other errors
+	// (timeouts, DNS, genuine "down") fail fast on the first attempt.
+	var httpResp *http.Response
+	for attempt := 0; ; attempt++ {
+		httpResp, err = t.client.Do(req)
+		if err == nil || attempt >= searxngConnectRetries || !errors.Is(err, syscall.ECONNREFUSED) {
+			break
+		}
+		time.Sleep(searxngRetryDelay)
+	}
 	if err != nil {
 		return nil, fmt.Errorf("cannot reach SearXNG at %s — is the service running? (%v)", t.cfg.BaseURL, err)
 	}
diff --git a/cmd/odek/web_search_tool_test.go b/cmd/odek/web_search_tool_test.go
index de330b6..37d8b38 100644
--- a/cmd/odek/web_search_tool_test.go
+++ b/cmd/odek/web_search_tool_test.go
@@ -6,6 +6,7 @@ import (
 	"net/http/httptest"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/BackendStack21/odek/internal/config"
 	"github.com/BackendStack21/odek/internal/danger"
@@ -41,7 +42,10 @@ func mockSearXNG(t *testing.T, results int) (*httptest.Server, *string) {
 			})
 		}
 		resp["results"] = rs
-		resp["answers"] = []string{"42"}
+		// SearXNG answers are objects with an "answer" field, not bare strings.
+		resp["answers"] = []map[string]any{
+			{"answer": "42", "url": nil, "template": "answer/legacy.html"},
+		}
 		_ = json.NewEncoder(w).Encode(resp)
 	}))
 	t.Cleanup(srv.Close)
@@ -146,6 +150,12 @@ func TestWebSearch_JSONDisabled403(t *testing.T) {
 }
 
 func TestWebSearch_BackendUnreachable(t *testing.T) {
+	// Connection-refused triggers the cold-start retry; shrink the delay so the
+	// test exercises the retry path without the 1s production backoff.
+	orig := searxngRetryDelay
+	searxngRetryDelay = time.Millisecond
+	t.Cleanup(func() { searxngRetryDelay = orig })
+
 	// Point at a closed port on localhost.
 	tool := newWebSearchTool(allowAllDanger(), config.WebSearchConfig{BaseURL: "http://127.0.0.1:1"})
 	raw, _ := tool.Call(`{"query":"x"}`)
@@ -155,6 +165,31 @@ func TestWebSearch_BackendUnreachable(t *testing.T) {
 	}
 }
 
+func TestWebSearch_RedirectToInternalBlocked(t *testing.T) {
+	// A compromised/misconfigured SearXNG that 302s toward an internal host must
+	// be stopped by the CheckRedirect guard, not followed (SSRF defense).
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Redirect(w, r, "http://169.254.169.254/latest/meta-data/", http.StatusFound)
+	}))
+	t.Cleanup(srv.Close)
+
+	// Deny network egress so the redirect-hop re-classification blocks the hop.
+	dc := danger.DangerousConfig{Classes: map[danger.RiskClass]danger.Action{
+		danger.NetworkEgress: danger.Allow, // initial query allowed
+		danger.SystemWrite:   danger.Deny,  // internal/metadata target denied
+	}}
+	tool := newWebSearchTool(dc, config.WebSearchConfig{BaseURL: srv.URL})
+
+	raw, _ := tool.Call(`{"query":"x"}`)
+	out := decodeWebSearch(t, raw)
+	if out.Error == "" {
+		t.Fatalf("expected redirect to internal host to be blocked, got results: %+v", out)
+	}
+	if !strings.Contains(out.Error, "blocked") && !strings.Contains(out.Error, "cannot reach") {
+		t.Errorf("expected a redirect-blocked error, got %q", out.Error)
+	}
+}
+
 func TestWebSearch_DeniedByPolicy(t *testing.T) {
 	// NetworkEgress denied → the tool returns the denial as an error result.
 	dc := danger.DangerousConfig{Classes: map[danger.RiskClass]danger.Action{
diff --git a/docker/.env.example b/docker/.env.example
index c59654b..8665ea0 100644
--- a/docker/.env.example
+++ b/docker/.env.example
@@ -63,6 +63,8 @@ GIT_COMMITTER_EMAIL=you@example.com
 
 # ── Web search (SearXNG sidecar; see docs/DOCKER_COMPOSE_USER_GUIDE.md) ──
 # The compose file runs a private SearXNG instance backing the `web_search`
-# tool. Set a strong random secret (e.g. `openssl rand -hex 32`). Required by
-# SearXNG; the instance is internal-only (no host port) but set it anyway.
+# tool. SearXNG reads this as server.secret_key at app load and it overrides
+# settings.yml. Set a strong random secret (e.g. `openssl rand -hex 32`). The
+# instance is internal-only (no host port) but set it anyway — left unset,
+# SearXNG runs with the "ultrasecretkey" sentinel and logs a warning.
 SEARXNG_SECRET=change-me-run-openssl-rand-hex-32
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 9a38d7f..9542df4 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -108,7 +108,11 @@ services:
     image: searxng/searxng:2026.6.8-f3fab143b   # pinned; bump deliberately
     environment:
       - SEARXNG_BASE_URL=http://searxng:8080/
-      - SEARXNG_SECRET=${SEARXNG_SECRET:-change-me-in-dot-env}
+      # SearXNG reads server.secret_key from this env var at app load, overriding
+      # settings.yml. Set SEARXNG_SECRET in .env. The fallback is the canonical
+      # "ultrasecretkey" sentinel so an unset secret triggers SearXNG's own
+      # "secret_key is not changed" warning rather than a silent weak literal.
+      - SEARXNG_SECRET=${SEARXNG_SECRET:-ultrasecretkey}
     volumes:
       - ./searxng/settings.yml:/etc/searxng/settings.yml:ro
     # SearXNG needs outbound internet to query upstream engines (Google, Bing,
diff --git a/docker/searxng/settings.yml b/docker/searxng/settings.yml
index 6afe475..88b74dc 100644
--- a/docker/searxng/settings.yml
+++ b/docker/searxng/settings.yml
@@ -19,8 +19,13 @@ general:
   enable_metrics: false
 
 server:
-  # Must be overridden from the default; injected via $SEARXNG_SECRET in compose.
-  secret_key: "change-me-in-dot-env"
+  # SearXNG reads server.secret_key from the SEARXNG_SECRET env var at app load
+  # (searx/settings_defaults.py: environ_name='SEARXNG_SECRET'), which overrides
+  # this value — set SEARXNG_SECRET in .env. Keep this as the canonical
+  # "ultrasecretkey" placeholder so that, if SEARXNG_SECRET is ever left unset,
+  # SearXNG logs its built-in "secret_key is not changed" warning instead of
+  # silently running with a custom-but-weak literal.
+  secret_key: "ultrasecretkey"
   bind_address: "0.0.0.0"
   port: 8080
   # Single trusted consumer on a private network — disable the bot limiter

From 3ee8a7418655e105c3a69494a1e01eda2f272d4b Mon Sep 17 00:00:00 2001
From: Rolando Santamaria Maso <kyberneees@gmail.com>
Date: Wed, 10 Jun 2026 10:10:47 +0200
Subject: [PATCH 3/4] docs(web_search): surface in README + add standalone
 SearXNG recipe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Close two documentation gaps from the feature review:

- README discoverability: web_search was only mentioned in the prompt-injection
  paragraph and absent from the feature list. Add a "🌐 Local Web Search"
  strategic-feature blurb linking to the CHEATSHEET config reference.
- Non-Docker path: the CHEATSHEET only said "run SearXNG yourself" with no
  recipe. Add a concrete `docker run` snippet (reusing the repo's ready-made
  docker/searxng/settings.yml), the matching odek config, and the two settings
  that matter (search.formats json + limiter off) for bring-your-own configs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 README.md          |  3 +++
 docs/CHEATSHEET.md | 23 +++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/README.md b/README.md
index 15b5af5..287ae71 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,9 @@ Attach files to any prompt with `--ctx` / `-c` (CLI), `@filename` inline referen
 ### 🔍 Native Tools
 Built-in `read_file`, `write_file`, `search_files`, `patch`, `shell`, and `browser` tools. All gated by a unified security layer (`dangerous` config) — classify operations as `allow` / `deny` / `prompt` per risk class. No third-party dependencies. [docs/SECURITY.md](docs/SECURITY.md)
 
+### 🌐 Local Web Search
+`web_search` queries a **self-hosted [SearXNG](https://docs.searxng.org/) metasearch instance** — no cloud search API, no keys. Returns ranked results (title, url, snippet) the agent then fetches with `browser` / `http_batch`; results are wrapped as untrusted content and gated as `network_egress`. The Docker Compose setup runs a SearXNG sidecar and enables it out of the box; standalone installs point `web_search.base_url` at any SearXNG instance. [docs/CHEATSHEET.md](docs/CHEATSHEET.md#web-search)
+
 ---
 
 ## Quick Start
diff --git a/docs/CHEATSHEET.md b/docs/CHEATSHEET.md
index 0ec64ca..8c63da4 100644
--- a/docs/CHEATSHEET.md
+++ b/docs/CHEATSHEET.md
@@ -128,6 +128,29 @@ Settings: `auto_describe` (Telegram photo → description before the agent answe
 
 Settings: `base_url` (SearXNG instance; empty = tool disabled), `categories` (optional SearXNG categories), `language` (optional language code), `max_results` (default 10), `timeout_seconds` (default 15).
 
+**Run SearXNG standalone (outside the bundled Compose):** the only non-default
+requirement is enabling the JSON API — SearXNG ships HTML-only, so a stock
+instance returns HTTP 403 for `format=json`. Reuse the repo's ready-made minimal
+config (`docker/searxng/settings.yml` — JSON API on, anti-bot limiter off so no
+Redis/Valkey is needed):
+
+```bash
+docker run -d --name searxng -p 8888:8080 \
+  -e SEARXNG_SECRET="$(openssl rand -hex 32)" \
+  -v "$PWD/docker/searxng/settings.yml:/etc/searxng/settings.yml:ro" \
+  searxng/searxng:latest
+```
+
+Then point odek at it (global `~/.odek/config.json` or project `./odek.json`):
+
+```json
+{ "web_search": { "base_url": "http://127.0.0.1:8888" } }
+```
+
+If you bring your own `settings.yml`, the two settings that matter are
+`search.formats: [html, json]` (enables the API) and, for a private single-user
+instance, `server.limiter: false` (drops the Redis/Valkey dependency).
+
 ## Memory System Architecture
 
 ### Three Tiers

From a1a1ad1106cc67047169178caac6f416eab0c072 Mon Sep 17 00:00:00 2001
From: Rolando Santamaria Maso <kyberneees@gmail.com>
Date: Wed, 10 Jun 2026 11:34:31 +0200
Subject: [PATCH 4/4] =?UTF-8?q?fix(web=5Fsearch):=20vprotocol=20auto-repai?=
 =?UTF-8?q?r=20=E2=80=94=20tolerant=20answer=20decode=20+=20doc=20consiste?=
 =?UTF-8?q?ncy?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

vprotocol v5.2.7 verification of the feat/searxng-web-search branch. Three
confirmed findings repaired; others refuted (redirect hop-count matches the
httpBatch pattern; :ro mount is non-fatal per the SearXNG entrypoint; all
settings.yml keys verified valid).

F1 (robustness) — the typed `answers []struct{Answer string}` decode coupled
the critical `results` parse to the answers shape: a non-string "answer" value
(or any foreign answer type) would fail the whole json.Unmarshal and drop ALL
results. Restore the original immunity by keeping answers as []json.RawMessage
and decoding each element tolerantly — a non-conforming answer is skipped, never
fatal. New TestWebSearch_HeterogeneousAnswersDoNotLoseResults locks it in.

F2 (consistency) — the CHEATSHEET standalone recipe used searxng/searxng:latest
while compose pins 2026.6.8-f3fab143b. Pin the recipe to the same tag.

F3 (docs) — the standalone recipe's `$PWD/docker/searxng/...` volume path
assumed the repo root without saying so. State "run from the repo root".

Full suite green under -race; vet/gofmt clean; compose validates.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 cmd/odek/web_search_tool.go      | 21 +++++++++++++------
 cmd/odek/web_search_tool_test.go | 36 ++++++++++++++++++++++++++++++++
 docs/CHEATSHEET.md               |  5 +++--
 3 files changed, 54 insertions(+), 8 deletions(-)

diff --git a/cmd/odek/web_search_tool.go b/cmd/odek/web_search_tool.go
index 0003da2..908c033 100644
--- a/cmd/odek/web_search_tool.go
+++ b/cmd/odek/web_search_tool.go
@@ -112,11 +112,11 @@ type searxngResponse struct {
 		Content string `json:"content"`
 		Engine  string `json:"engine"`
 	} `json:"results"`
-	// SearXNG answers are objects ({"answer": "...", "url": ..., "template": ...}),
-	// not bare strings — decode the answer text out of each.
-	Answers []struct {
-		Answer string `json:"answer"`
-	} `json:"answers"`
+	// SearXNG answers are heterogeneous objects (simple {"answer": "..."} plus
+	// other shapes like weather/translations). Keep them raw and decode each
+	// element tolerantly (see Call) so an unexpected answer shape can never fail
+	// the whole response and lose the results.
+	Answers     []json.RawMessage `json:"answers"`
 	Infoboxes   []json.RawMessage `json:"infoboxes"`
 	Suggestions []string          `json:"suggestions"`
 }
@@ -192,7 +192,16 @@ func (t *webSearchTool) Call(argsJSON string) (result string, err error) {
 		})
 	}
 	out.Count = len(out.Results)
-	for _, a := range resp.Answers {
+	for _, raw := range resp.Answers {
+		// Decode each answer element on its own: a non-conforming shape (e.g. a
+		// weather/translation answer with no string "answer" field) is skipped,
+		// never failing the whole response.
+		var a struct {
+			Answer string `json:"answer"`
+		}
+		if json.Unmarshal(raw, &a) != nil {
+			continue
+		}
 		if s := strings.TrimSpace(a.Answer); s != "" {
 			out.Answers = append(out.Answers, s)
 		}
diff --git a/cmd/odek/web_search_tool_test.go b/cmd/odek/web_search_tool_test.go
index 37d8b38..08db8a2 100644
--- a/cmd/odek/web_search_tool_test.go
+++ b/cmd/odek/web_search_tool_test.go
@@ -93,6 +93,42 @@ func TestWebSearch_HappyPath(t *testing.T) {
 	}
 }
 
+func TestWebSearch_HeterogeneousAnswersDoNotLoseResults(t *testing.T) {
+	// SearXNG answers are polymorphic. A non-string "answer" and a foreign shape
+	// must be skipped tolerantly — never failing the whole decode and dropping
+	// the results.
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"query": "x",
+			"results": []map[string]string{
+				{"title": "R1", "url": "https://example.com/1", "content": "c", "engine": "e"},
+			},
+			"answers": []any{
+				map[string]any{"answer": "good"},                          // valid → kept
+				map[string]any{"answer": 42},                              // non-string → skipped, not fatal
+				map[string]any{"translations": []string{"x"}, "url": "u"}, // foreign shape → skipped
+			},
+		})
+	}))
+	t.Cleanup(srv.Close)
+	tool := newWebSearchTool(allowAllDanger(), config.WebSearchConfig{BaseURL: srv.URL})
+
+	raw, err := tool.Call(`{"query":"x"}`)
+	if err != nil {
+		t.Fatalf("Call error: %v", err)
+	}
+	out := decodeWebSearch(t, raw)
+	if out.Error != "" {
+		t.Fatalf("a malformed answer must not fail the response, got error: %q", out.Error)
+	}
+	if out.Count != 1 || len(out.Results) != 1 {
+		t.Fatalf("results lost: Count=%d len=%d, want 1", out.Count, len(out.Results))
+	}
+	if len(out.Answers) != 1 || out.Answers[0] != "good" {
+		t.Errorf("answers = %v, want only [good]", out.Answers)
+	}
+}
+
 func TestWebSearch_MaxResultsTruncation(t *testing.T) {
 	srv, _ := mockSearXNG(t, 10)
 	// config cap of 2; the request overrides to 4 — request wins.
diff --git a/docs/CHEATSHEET.md b/docs/CHEATSHEET.md
index 8c63da4..f17d796 100644
--- a/docs/CHEATSHEET.md
+++ b/docs/CHEATSHEET.md
@@ -132,13 +132,14 @@ Settings: `base_url` (SearXNG instance; empty = tool disabled), `categories` (op
 requirement is enabling the JSON API — SearXNG ships HTML-only, so a stock
 instance returns HTTP 403 for `format=json`. Reuse the repo's ready-made minimal
 config (`docker/searxng/settings.yml` — JSON API on, anti-bot limiter off so no
-Redis/Valkey is needed):
+Redis/Valkey is needed). Run from the **repo root** so the relative volume path
+resolves (the image tag matches the one pinned in `docker/docker-compose.yml`):
 
 ```bash
 docker run -d --name searxng -p 8888:8080 \
   -e SEARXNG_SECRET="$(openssl rand -hex 32)" \
   -v "$PWD/docker/searxng/settings.yml:/etc/searxng/settings.yml:ro" \
-  searxng/searxng:latest
+  searxng/searxng:2026.6.8-f3fab143b
 ```
 
 Then point odek at it (global `~/.odek/config.json` or project `./odek.json`):