feat(security): support operator-managed network proxy routing (#70044)

* feat: support operator-managed proxy routing * docs: add network proxy changelog entry * fix(proxy): restrict gateway bypass to loopback IPs * fix(cli): harden container proxy URL checks * docs(proxy): clarify gateway bypass scope * docs: remove proxy changelog entry * fix(proxy): clear startup CI guard failures * fix(proxy): harden gateway proxy policy parsing * fix(proxy): honor update shorthand proxy policy * fix(cli): redact proxy URL suffixes * test(proxy): keep gateway help off proxy startup * fix(proxy): keep overlapping lifecycle active * docs: add proxy changelog entry --------- Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-05-10 05:40:42 +00:00 · 2026-04-28 15:20:47 +10:00
parent 025081dbc5
commit 2633b14914
36 changed files with 2737 additions and 96 deletions
--- a/src/cli/command-path-policy.ts
+++ b/src/cli/command-path-policy.ts
@@ -1,6 +1,12 @@
 import { isGatewayConfigBypassCommandPath } from "../gateway/explicit-connection-policy.js";
-import { cliCommandCatalog, type CliCommandPathPolicy } from "./command-catalog.js";
+import { getCommandPathWithRootOptions } from "./argv.js";
+import {
+  cliCommandCatalog,
+  type CliCommandPathPolicy,
+  type CliNetworkProxyPolicy,
+} from "./command-catalog.js";
 import { matchesCommandPath } from "./command-path-matches.js";
+import { resolveGatewayCatalogCommandPath } from "./gateway-run-argv.js";

 const DEFAULT_CLI_COMMAND_PATH_POLICY: CliCommandPathPolicy = {
  bypassConfigGuard: false,
@@ -8,6 +14,7 @@ const DEFAULT_CLI_COMMAND_PATH_POLICY: CliCommandPathPolicy = {
  loadPlugins: "never",
  hideBanner: false,
  ensureCliPath: true,
+  networkProxy: "default",
 };

 export function resolveCliCommandPathPolicy(commandPath: string[]): CliCommandPathPolicy {
@@ -26,3 +33,31 @@ export function resolveCliCommandPathPolicy(commandPath: string[]): CliCommandPa
  }
  return resolvedPolicy;
 }
+
+function isCommandPathPrefix(commandPath: string[], pattern: readonly string[]): boolean {
+  return pattern.every((segment, index) => commandPath[index] === segment);
+}
+
+export function resolveCliCatalogCommandPath(argv: string[]): string[] {
+  const tokens =
+    resolveGatewayCatalogCommandPath(argv) ?? getCommandPathWithRootOptions(argv, argv.length);
+  if (tokens.length === 0) {
+    return [];
+  }
+  let bestMatch: readonly string[] | null = null;
+  for (const entry of cliCommandCatalog) {
+    if (!isCommandPathPrefix(tokens, entry.commandPath)) {
+      continue;
+    }
+    if (!bestMatch || entry.commandPath.length > bestMatch.length) {
+      bestMatch = entry.commandPath;
+    }
+  }
+  return bestMatch ? [...bestMatch] : [tokens[0]];
+}
+
+export function resolveCliNetworkProxyPolicy(argv: string[]): CliNetworkProxyPolicy {
+  const commandPath = resolveCliCatalogCommandPath(argv);
+  const networkProxy = resolveCliCommandPathPolicy(commandPath).networkProxy;
+  return typeof networkProxy === "function" ? networkProxy({ argv, commandPath }) : networkProxy;
+}