Support HTTPS managed proxy CA trust (#79171)

* fix: support HTTPS managed proxy CA trust * fix: strip IP SNI for HTTPS proxy dispatchers * fix: harden managed proxy undici dispatchers * docs: refresh proxy baselines * fix: drop stale whatsapp undici dependency * fix: satisfy proxy dispatcher lint and tests --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-05-25 01:43:04 +00:00 · 2026-05-17 15:23:30 +10:00
parent 421b9e2819
commit 7c2425a518
53 changed files with 2003 additions and 148 deletions
--- a/src/cli/proxy-cli.runtime.test.ts
+++ b/src/cli/proxy-cli.runtime.test.ts
@@ -111,6 +111,7 @@ describe("proxy cli runtime", () => {

    await runProxyValidateCommand({
      proxyUrl: "http://override.example:3128",
+      proxyCaFile: "./ca.pem",
      allowedUrls: ["https://allowed.example/"],
      deniedUrls: ["http://127.0.0.1/"],
      apnsReachability: true,
@@ -126,6 +127,7 @@ describe("proxy cli runtime", () => {
      },
      env: process.env,
      proxyUrlOverride: "http://override.example:3128",
+      proxyCaFileOverride: "./ca.pem",
      allowedUrls: ["https://allowed.example/"],
      deniedUrls: ["http://127.0.0.1/"],
      apnsReachability: true,
@@ -278,7 +280,34 @@ describe("proxy cli runtime", () => {
        "Problems\n" +
        "  - proxyUrl must use http://\n\n" +
        "Next steps\n" +
-        "  Fix proxy.proxyUrl, OPENCLAW_PROXY_URL, or --proxy-url so it uses a reachable http:// proxy.\n",
+        "  Fix proxy.proxyUrl, OPENCLAW_PROXY_URL, or --proxy-url so it uses a reachable http:// or https:// proxy.\n",
+    );
+  });
+
+  it("prints CA-file guidance when proxy CA files cannot be read", async () => {
+    runProxyValidationMock.mockResolvedValueOnce({
+      ok: false,
+      config: {
+        enabled: true,
+        proxyUrl: "https://proxy.example:8443",
+        source: "config",
+        errors: ["proxy CA file could not be read (/missing/ca.pem): ENOENT"],
+      },
+      checks: [],
+    });
+    const { runProxyValidateCommand } = await import("./proxy-cli.runtime.js");
+
+    await runProxyValidateCommand({});
+
+    expect(process.stdout.write).toHaveBeenCalledWith(
+      "Proxy validation failed\n\n" +
+        "Proxy\n" +
+        "  Source: config\n" +
+        "  URL:    https://proxy.example:8443/\n\n" +
+        "Problems\n" +
+        "  - proxy CA file could not be read (/missing/ca.pem): ENOENT\n\n" +
+        "Next steps\n" +
+        "  Confirm proxy.tls.caFile or --proxy-ca-file points to a readable PEM CA file for the HTTPS proxy endpoint.\n",
    );
  });