feat(tools): add web_fetch builtin tool (HTTP fetch + readable extraction)

[yaozheng-fang]

Summary

Adds a web_fetch builtin tool at veadk/tools/builtin_tools/web_fetch.py — a plain-HTTP page reader the agent can call to read public URLs. Modeled on OpenClaw's web_fetch.

from veadk.tools.builtin_tools.web_fetch import web_fetch
agent = Agent(..., tools=[web_fetch])

What it does

• HTTP GET, no JavaScript — Chrome-like User-Agent + Accept-Language; http(s) only.
• SSRF guard — resolves the host and rejects private / loopback / link-local / reserved / multicast / unspecified addresses, and re-validates every redirect hop (HTTP 3xx and <meta refresh>), bounded to 3 hops.
• Extraction — HTML → markdown or plain text via a dependency-free coarse converter (keeps headings/links/lists); PDF → text via pypdf (detected by content-type or %PDF magic bytes).
• Limits / cache — 2 MB download cap (10 MB for PDFs), 30 s timeout, max_chars truncation (hard cap 200k), 15-minute in-process TTL cache.
• Returns {"url", "title", "content", "truncated"}, or {"error": ...} on failure.

Signature

def web_fetch(url: str, extract_mode: str = "markdown",
              max_chars: int = 50000, tool_context=None) -> dict

Tested (live)

• HTML: example.com, en.wikipedia.org/wiki/Volcano, www.sina.com.cn (Chinese decodes correctly).
• <meta refresh>: sina.com → follows to www.sina.com.cn.
• PDF: arxiv.org/pdf/1706.03762 → extracts the paper text.
• SSRF: localhost / 169.254.169.254 (cloud metadata) / 192.168.x / non-http schemes → blocked.
• Registers cleanly as a tool on a veadk Agent.

Limitations (by design)

• No JavaScript rendering — JS-only pages stay sparse.
• No socket-level DNS pinning (resolve + re-validate only) — small TOCTOU window; noted in a code comment as a hardening follow-up.