feat(security): support operator-managed network proxy routing (#70044)

* feat: support operator-managed proxy routing * docs: add network proxy changelog entry * fix(proxy): restrict gateway bypass to loopback IPs * fix(cli): harden container proxy URL checks * docs(proxy): clarify gateway bypass scope * docs: remove proxy changelog entry * fix(proxy): clear startup CI guard failures * fix(proxy): harden gateway proxy policy parsing * fix(proxy): honor update shorthand proxy policy * fix(cli): redact proxy URL suffixes * test(proxy): keep gateway help off proxy startup * fix(proxy): keep overlapping lifecycle active * docs: add proxy changelog entry --------- Co-authored-by: joshavant <830519+joshavant@users.noreply.github.com>
2026-04-29 23:21:28 +00:00 · 2026-04-28 15:20:47 +10:00 · 2026-04-28 15:20:47 +10:00 · 2633b14914
commit 2633b14914
parent 025081dbc5
36 changed files with 2737 additions and 96 deletions
--- a/src/config/zod-schema.proxy.test.ts
+++ b/src/config/zod-schema.proxy.test.ts
@ -0,0 +1,56 @@
+import { describe, it, expect } from "vitest";
+import { ProxyConfigSchema } from "./zod-schema.proxy.js";
+
+describe("ProxyConfigSchema", () => {
+  it("accepts undefined (optional)", () => {
+    expect(ProxyConfigSchema.parse(undefined)).toBeUndefined();
+  });
+
+  it("accepts an empty object", () => {
+    expect(ProxyConfigSchema.parse({})).toEqual({});
+  });
+
+  it("accepts a full valid config", () => {
+    const result = ProxyConfigSchema.parse({
+      enabled: true,
+      proxyUrl: "http://127.0.0.1:3128",
+    });
+    expect(result).toMatchObject({
+      enabled: true,
+      proxyUrl: "http://127.0.0.1:3128",
+    });
+  });
+
+  it("rejects HTTPS proxy URLs because the node:http routing layer requires HTTP proxies", () => {
+    expect(() =>
+      ProxyConfigSchema.parse({
+        enabled: true,
+        proxyUrl: "https://proxy.example.com:8443",
+      }),
+    ).toThrow(/http:\/\//i);
+  });
+
+  it("does not expose bundled-proxy or unsupported upstream proxy keys", () => {
+    const keys = ProxyConfigSchema.unwrap().keyof().options;
+    expect(keys).not.toContain("binaryPath");
+    expect(keys).not.toContain("extraBlockedCidrs");
+    expect(keys).not.toContain("extraAllowedHosts");
+    expect(keys).not.toContain("userProxy");
+  });
+
+  it("rejects proxyUrl values that are not HTTP forward proxies", () => {
+    expect(() =>
+      ProxyConfigSchema.parse({ enabled: true, proxyUrl: "socks5://127.0.0.1" }),
+    ).toThrow();
+    expect(() => ProxyConfigSchema.parse({ enabled: true, proxyUrl: "not-a-url" })).toThrow();
+  });
+
+  it("rejects unknown keys (strict)", () => {
+    expect(() => ProxyConfigSchema.parse({ unknownKey: true })).toThrow();
+  });
+
+  it("accepts enabled: false to disable the proxy", () => {
+    const result = ProxyConfigSchema.parse({ enabled: false });
+    expect(result?.enabled).toBe(false);
+  });
+});