fix: guard debug proxy CONNECT under managed proxy (#77010)

Summary: - The PR adds a managed-proxy-aware debug proxy direct-upstream guard, a diagnostics override env var, regression tests, docs, and a changelog entry. - Reproducibility: yes. Source inspection on current main shows direct HTTP forwarding and CONNECT net.connect() can run while managed proxy mode is active, against the documented managed-proxy egress guardrail. Automerge notes: - Ran the ClawSweeper repair loop before final review. - Included post-review commit in the final squash: fix(clawsweeper): address review for automerge-openclaw-openclaw-7701… Validation: - ClawSweeper review passed for head aaa52a7f5f. - Required merge gates passed before the squash merge. Prepared head SHA: aaa52a7f5f Review: https://github.com/openclaw/openclaw/pull/77010#issuecomment-4367600656 Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com> Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>
2026-05-06 07:20:43 +00:00 · 2026-05-04 13:54:18 +10:00
parent 973e240bb3
commit f42a2c738c
5 changed files with 266 additions and 0 deletions
--- a/docs/cli/proxy.md
+++ b/docs/cli/proxy.md
@@ -68,6 +68,7 @@ semantics.

 - `start` defaults to `127.0.0.1` unless `--host` is set.
 - `run` starts a local debug proxy and then runs the command after `--`.
+- The debug proxy's direct upstream forwarding opens upstream sockets for diagnostics. When OpenClaw managed proxy mode is active, direct forwarding for proxy requests and CONNECT tunnels is disabled by default; set `OPENCLAW_DEBUG_PROXY_ALLOW_DIRECT_CONNECT_WITH_MANAGED_PROXY=1` only for approved local diagnostics.
 - `validate` exits with code 1 when proxy config or destination checks fail.
 - Captures are local debugging data; use `openclaw proxy purge` when finished.