michaelklishin
diff --git a/‎AGENTS.md‎
Lines changed: 14 additions & 2 deletions b/‎AGENTS.md‎
Lines changed: 14 additions & 2 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 9 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 54 additions & 7 deletions b/‎CONTRIBUTING.md‎
Lines changed: 54 additions & 7 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/api/client.rs‎
Lines changed: 49 additions & 8 deletions b/‎src/api/client.rs‎
Lines changed: 49 additions & 8 deletions
diff --git a/‎src/api/mod.rs‎
Lines changed: 2 additions & 0 deletions b/‎src/api/mod.rs‎
Lines changed: 2 additions & 0 deletions
@@ -3,6 +3,7 @@
 ## What is This Codebase?
 
 This is a Rust client for the [RabbitMQ HTTP API](https://www.rabbitmq.com/docs/http-api-reference).
+See [CONTRIBUTING.md](./CONTRIBUTING.md) for test running instructions and development setup.
 
 ## Build System
 
@@ -45,15 +46,26 @@ They have very similar APIs except that all functions of the async client are, w
  * `tests/*proptests.rs` are property-based tests
  * `tests/test_helpers.rs` contains helper functions shared by multiple test modules
 
-Use `cargo nextest run --profile default --all-features '--' --exact [test module name]` to run
+### `nextest` Test Filters
+
+Key [`nextest` filterset predicates](https://nexte.st/docs/filtersets/reference/):
+
+ * `test(pattern)`: matches test names using a substring (e.g. `test(list_nodes)`)
+ * `binary(pattern)`: matches the test binary name (e.g. `binary(async_tls_tests)`)
+ * `package(name)`: matches by package (e.g. `package(rabbitmq_http_client)`)
+ * `test(=exact_name)`: an exact test name match
+ * `test(/regex/)`: like `test(pattern)` but uses regular expression matching
+ * Set operations: `expr1 + expr2` (union), `expr1 - expr2` (difference), `not expr` (negation)
+
+For example, use `cargo nextest run --all-features -E 'binary(=test_module_name)'` to run
 all tests in a specific module.
 
 ### Property-based Tests
 
 Property-based tests are written using [proptest](https://docs.rs/proptest/latest/proptest/) and
 use a naming convention: they begin with `prop_`.
 
-To run the property-based tests specifically, use `cargo nextest run --all-features 'prop_'`.
+To run the property-based tests specifically, use `cargo nextest run --all-features -E 'test(~prop_)'`.
 
 ## Source of Domain Knowledge
 
 
@@ -2,7 +2,15 @@
 
 ## v0.82.0 (in development)
 
-(no changes yet)
+### Breaking Changes
+
+ * SSRF hardening: `ClientBuilder#build` now returns `Result<Client, EndpointValidationError>`
+   and rejects endpoints that do not use an `http` or `https` scheme
+### Enhancements
+
+ * `ClientBuilder#with_redirect_policy` controls the HTTP redirect policy.
+   `with_recommended_defaults` now also disables redirects
+ * `EndpointValidationError` and `RedirectPolicy` are re-exported from both `api` and `blocking_api`
 
 
 ## v0.81.0 (Feb 17, 2026)
 
@@ -1,10 +1,26 @@
 # Contributing
 
+See also [AGENTS.md](./AGENTS.md) for a high-level codebase overview and conventions.
+
 ## Running Tests
 
 While tests support the standard `cargo test` option, another option
 for running tests is [cargo-nextest](https://nexte.st/).
 
+### `nextest` Test Filters
+
+Key [`nextest` filterset predicates](https://nexte.st/docs/filtersets/reference/):
+
+* `test(pattern)`: matches test names using a substring (e.g. `test(list_nodes)`)
+* `binary(pattern)`: matches the test binary name (e.g. `binary(async_tls_tests)`)
+* `package(name)`: matches by package (e.g. `package(rabbitmq_http_client)`)
+* `test(=exact_name)`: an exact test name match
+* `test(/regex/)`: like `test(pattern)` but uses regular expression matching
+* Set operations: `expr1 + expr2` (union), `expr1 - expr2` (difference), `not expr` (negation)
+
+For example, use `cargo nextest run --all-features -E 'binary(=test_module_name)'` to run
+all tests in a specific module.
+
 ### Run All Tests
 
 ``` bash
@@ -14,21 +30,52 @@ NEXTEST_RETRIES=3 cargo nextest run --all-features
 ### Run All Async Client Tests
 
 ```bash
-cargo test async --all-features
+cargo nextest run --all-features -E 'binary(~async)'
+```
+
+### Run All Blocking Client Tests
+
+```bash
+cargo nextest run --all-features -E 'binary(~blocking)'
+```
+
+### Run All Unit Tests
+
+```bash
+cargo nextest run --all-features -E 'binary(~unit)'
 ```
 
-### Run All Sync Client Tests
+### Run All Tests in a Specific Module
+
+Use the `binary(=name)` predicate with the test module name:
 
 ```bash
-cargo test blocking --all-features
+cargo nextest run --all-features -E 'binary(=unit_endpoint_validation_tests)'
 ```
 
-### Run a Specific Test
+### Run a Specific Test by Name
+
+Use the `test(=name)` predicate for an exact match:
 
 ``` bash
-NEXTEST_RETRIES=3 cargo nextest run -E "test(test_list_all_vhost_limits)"
+cargo nextest run --all-features -E 'test(=test_list_all_vhost_limits)'
+```
+
+Or use `test(~substring)` for a substring match:
+
+```bash
+cargo nextest run --all-features -E 'test(~list_vhost)'
+```
+
+### Run Property-based Tests
+
+```bash
+cargo nextest run --all-features -E 'test(~prop_)'
 ```
 
+See the [nextest filtersets documentation](https://nexte.st/docs/selecting/) for more
+filter expression predicates and operators.
+
 ## Running TLS Integration Tests
 
 TLS-enabled tests require a set of certificate and private key pairs, plus
@@ -51,7 +98,7 @@ export TLS_CERTS_DIR=/path/to/tls-gen/basic/result
 Finally, run the tests in question only:
 
 ```shell
-cargo nextest run -E 'binary(async_tls_tests)' --run-ignored=only --all-features
+cargo nextest run --all-features --run-ignored=only -E 'binary(=async_tls_tests)'
 
-cargo nextest run -E 'binary(blocking_tls_tests)' --run-ignored=only --all-features
+cargo nextest run --all-features --run-ignored=only -E 'binary(=blocking_tls_tests)'
 ```
@@ -63,7 +63,7 @@ blocking = [
 tabled = ["dep:tabled"]
 default-tls = ["reqwest?/default-tls"]
 native-tls = ["reqwest?/native-tls"]
-rustls-tls = ["reqwest?/rustls"]
+rustls = ["reqwest?/rustls"]
 hickory-dns = ["reqwest?/hickory-dns"]
 
 [profile.ci]
 
@@ -15,13 +15,14 @@
 
 use crate::commons::RetrySettings;
 use crate::error::{
+    EndpointValidationError,
     Error::{ClientErrorResponse, NotFound, ServerErrorResponse},
     ErrorDetails,
 };
 use crate::responses;
 use backtrace::Backtrace;
 use log::trace;
-use reqwest::{Client as HttpClient, StatusCode, header::HeaderMap};
+use reqwest::{Client as HttpClient, StatusCode, header::HeaderMap, redirect};
 use serde::Serialize;
 use serde::de::DeserializeOwned;
 use std::fmt::Display;
@@ -44,7 +45,11 @@ pub type Result<T> = result::Result<T, HttpClientError>;
 /// let endpoint = "http://localhost:15672/api";
 /// let username = "username";
 /// let password = "password";
-/// let rc = ClientBuilder::new().with_endpoint(&endpoint).with_basic_auth_credentials(&username, &password).build();
+/// let rc = ClientBuilder::new()
+///     .with_endpoint(&endpoint)
+///     .with_basic_auth_credentials(&username, &password)
+///     .build()
+///     .unwrap();
 /// // list cluster nodes
 /// rc.list_nodes().await;
 /// // list user connections
@@ -60,6 +65,7 @@ pub struct ClientBuilder<E = &'static str, U = &'static str, P = &'static str> {
     retry_settings: RetrySettings,
     connect_timeout: Option<Duration>,
     request_timeout: Option<Duration>,
+    redirect_policy: Option<redirect::Policy>,
 }
 
 impl Default for ClientBuilder {
@@ -85,6 +91,7 @@ impl ClientBuilder {
             retry_settings: RetrySettings::default(),
             connect_timeout: None,
             request_timeout: None,
+            redirect_policy: None,
         }
     }
 }
@@ -96,14 +103,16 @@ where
     P: Display,
 {
     /// Applies recommended default settings: 60 second request timeout,
-    /// 3 retry attempts with 1 second delay between retries.
+    /// 3 retry attempts with 1 second delay between retries,
+    /// and no redirects (the RabbitMQ HTTP API does not use redirects).
     pub fn with_recommended_defaults(self) -> Self {
         Self {
             request_timeout: Some(Duration::from_secs(60)),
             retry_settings: RetrySettings {
                 max_attempts: 3,
                 delay_ms: 1000,
             },
+            redirect_policy: Some(redirect::Policy::none()),
             ..self
         }
     }
@@ -126,6 +135,7 @@ where
             retry_settings: self.retry_settings,
             connect_timeout: self.connect_timeout,
             request_timeout: self.request_timeout,
+            redirect_policy: self.redirect_policy,
         }
     }
 
@@ -145,6 +155,7 @@ where
             retry_settings: self.retry_settings,
             connect_timeout: self.connect_timeout,
             request_timeout: self.request_timeout,
+            redirect_policy: self.redirect_policy,
         }
     }
 
@@ -194,7 +205,8 @@ where
     ///     .with_endpoint("http://localhost:15672/api")
     ///     .with_basic_auth_credentials("user", "password")
     ///     .with_request_timeout(Duration::from_secs(30))
-    ///     .build();
+    ///     .build()
+    ///     .unwrap();
     /// ```
     pub fn with_request_timeout(self, timeout: Duration) -> Self {
         ClientBuilder {
@@ -213,10 +225,34 @@ where
         }
     }
 
+    /// Sets the redirect policy for HTTP requests.
+    ///
+    /// By default, `reqwest` follows up to 10 redirects. Use
+    /// `reqwest::redirect::Policy::none()` to disable redirects entirely,
+    /// which is recommended when the endpoint comes from a potentially untrusted source.
+    ///
+    /// This setting is ignored if a custom HTTP client is used
+    /// via [`Self::with_client`].
+    pub fn with_redirect_policy(self, policy: redirect::Policy) -> Self {
+        ClientBuilder {
+            redirect_policy: Some(policy),
+            ..self
+        }
+    }
+
     /// Builds and returns a configured `Client`.
     ///
+    /// Returns an error if the endpoint scheme is not `http` or `https`.
+    ///
     /// This consumes the `ClientBuilder`.
-    pub fn build(self) -> Client<E, U, P> {
+    pub fn build(self) -> result::Result<Client<E, U, P>, EndpointValidationError> {
+        let endpoint_str = self.endpoint.to_string();
+        if !endpoint_str.starts_with("http://") && !endpoint_str.starts_with("https://") {
+            return Err(EndpointValidationError::UnsupportedScheme {
+                endpoint: endpoint_str,
+            });
+        }
+
         let client = match self.client {
             Some(c) => c,
             None => {
@@ -227,17 +263,22 @@ where
                 if let Some(timeout) = self.request_timeout {
                     builder = builder.timeout(timeout);
                 }
-                builder.build().unwrap()
+                if let Some(policy) = self.redirect_policy {
+                    builder = builder.redirect(policy);
+                }
+                builder
+                    .build()
+                    .map_err(|e| EndpointValidationError::ClientBuildError { source: e })?
             }
         };
 
-        Client::from_http_client_with_retry(
+        Ok(Client::from_http_client_with_retry(
             client,
             self.endpoint,
             self.username,
             self.password,
             self.retry_settings,
-        )
+        ))
     }
 }
 
 
@@ -44,4 +44,6 @@ mod vhosts;
 
 // Re-export for backwards compatibility.
 pub use crate::commons::RetrySettings;
+pub use crate::error::EndpointValidationError;
 pub use client::{Client, ClientBuilder, HttpClientError, HttpClientResponse, Result};
+pub use reqwest::redirect::Policy as RedirectPolicy;