feat: add proxy validation command

Adds `openclaw proxy validate` for operator-managed proxy preflight checks, including allowed/denied destination validation, CLI output, tests, docs, and changelog coverage. Maintainer follow-ups before landing: - validate custom allowed URLs before probing; - use a temporary loopback canary for default denied checks and fail custom denied transport errors as unverifiable; - redact proxy URL userinfo, query strings, and fragments from text/JSON validation output. Validation: - `pnpm test src/infra/net/proxy/proxy-validation.test.ts src/cli/proxy-cli.runtime.test.ts src/cli/proxy-cli.test.ts -- --reporter=verbose` - `pnpm exec oxfmt --check --threads=1 CHANGELOG.md src/cli/proxy-cli.ts src/cli/proxy-cli.runtime.ts src/cli/proxy-cli.test.ts src/cli/proxy-cli.runtime.test.ts src/infra/net/proxy/proxy-validation.ts src/infra/net/proxy/proxy-validation.test.ts docs/cli/proxy.md docs/security/network-proxy.md` - `pnpm exec oxlint src/cli/proxy-cli.runtime.ts src/cli/proxy-cli.runtime.test.ts` - `git diff --check` - Testbox `pnpm install && OPENCLAW_TESTBOX=1 pnpm check:changed` on `tbx_01kqgz68ff20n3dtrgq0j1mykt` - GitHub CI success on `321b3aaf2b8be27dec6ce2ac5e4007ed064218b5`
2026-05-09 18:30:43 +00:00 · 2026-05-01 15:19:55 +10:00
parent 214b3d3336
commit 4ea0556f64
9 changed files with 1428 additions and 11 deletions
--- a/src/cli/proxy-cli.ts
+++ b/src/cli/proxy-cli.ts
@@ -18,6 +18,10 @@ function parseOptionalNumber(value: string | undefined): number | undefined {
  return Number.isFinite(parsed) ? parsed : undefined;
 }

+function collectOption(value: string, previous: string[] | undefined): string[] {
+  return [...(previous ?? []), value];
+}
+
 export function registerProxyCli(program: Command) {
  const proxy = program
    .command("proxy")
@@ -50,6 +54,37 @@ export function registerProxyCli(program: Command) {
      });
    });

+  proxy
+    .command("validate")
+    .description("Validate the operator-managed network proxy")
+    .option("--json", "Print machine-readable JSON")
+    .option("--proxy-url <url>", "Proxy URL to validate instead of config/env")
+    .option(
+      "--allowed-url <url>",
+      "Destination expected to succeed through the proxy",
+      collectOption,
+    )
+    .option("--denied-url <url>", "Destination expected to be blocked by the proxy", collectOption)
+    .option("--timeout-ms <ms>", "Per-request timeout in milliseconds", parseOptionalNumber)
+    .action(
+      async (opts: {
+        json?: boolean;
+        proxyUrl?: string;
+        allowedUrl?: string[];
+        deniedUrl?: string[];
+        timeoutMs?: number;
+      }) => {
+        const runtime = await loadProxyCliRuntime();
+        await runtime.runProxyValidateCommand({
+          json: opts.json,
+          proxyUrl: opts.proxyUrl,
+          allowedUrls: opts.allowedUrl,
+          deniedUrls: opts.deniedUrl,
+          timeoutMs: opts.timeoutMs,
+        });
+      },
+    );
+
  proxy
    .command("coverage")
    .description("Report current debug proxy transport coverage and remaining gaps")