fix: WebFetch fails ~30% of the time due to TLS fingerprint mismatch with spoofed browser UA #302
Description
Problem
The WebFetch tool uses a fake Chrome User-Agent string, but Bun's TLS fingerprint doesn't match a real Chrome browser. Anti-bot systems (Cloudflare, Anubis, etc.) detect the mismatch and return 403/404 as a soft block, causing ~30% of fetches to fail.
Root Cause
- Upstream OpenCode issue: WebFetch UserAgent identifies as user, not as agent / bot anomalyco/opencode#14453, [FEATURE]: Allow overriding WebFetch tool’s User-Agent header anomalyco/opencode#9013
- The old retry logic only handled one specific Cloudflare pattern (
cf-mitigated: challengeheader on 403) - Many sites use different bot detection that wasn't caught
Proposed Fix
Invert the UA strategy: honest bot UA first (altimate-code/1.0), browser UA as fallback on 403/406. This matches industry practice (ChatGPT, Perplexity use honest bot UAs).
Benchmark Results
- Honest UA solo: 20/20 (100%) vs Browser UA solo: 14/20 (70%)
- New retry strategy: 19/20 (95%) vs Old retry strategy: 17/20 (85%)
- 0 regressions