[Bug] All API calls timeout on WSL with HTTP proxy — custom httpx transport bypasses proxy env vars in general agent path

[nana-0x01]

Summary

After updating past v2026.4.16, every API call fails with APITimeoutError on WSL2 environments using an HTTP(S) proxy (e.g. Clash TUN mode). The root cause is that Hermes injects a custom httpx.HTTPTransport for TCP keepalive, which causes httpx to silently ignore HTTPS_PROXY/HTTP_PROXY environment variables — the agent then attempts direct connections to API endpoints, which fail on WSL where all outbound traffic must go through the proxy.

Environment

• OS: WSL2 Ubuntu on Windows 11
• Proxy: Clash TUN mode (127.0.0.1:7897), injected via HTTPS_PROXY/HTTP_PROXY env vars
• Hermes: v0.10.0 (v2026.4.16) is the last working version; any version after this breaks
• Python: 3.10
• Providers affected: all (OpenAI, Anthropic, OpenRouter, etc.)

Steps to Reproduce

1. Run Hermes on WSL2 with an HTTP(S) proxy configured via environment variables
2. Update to any version after v2026.4.16
3. Try any API call (e.g. hermes chat)

Expected Behavior

API calls succeed, routed through the configured proxy.

Actual Behavior

Every API call times out after 3 retry attempts with APITimeoutError.

Root Cause Analysis

1. _create_openai_client() in run_agent.py injects httpx.Client(transport=httpx.HTTPTransport(...)) for TCP keepalive
2. When httpx receives a custom transport, it does not automatically configure proxy support from environment variables
3. On WSL, direct connections to public API endpoints are blocked by network architecture — all traffic must route through the Clash TUN interface
4. The TLS handshake hangs indefinitely because packets are dropped (no route without proxy)
5. Result: APITimeoutError on every call

This is the same root cause as #11414, which fixed it for the Codex path specifically but left the general agent path (run_agent.py) unpatched.

Related Issues

• #11414 — Fixed proxy bypass for Codex clients only
• #11249 — httpx.Client shared/close bug (same _create_openai_client area)
• #10324 — CLOSE-WAIT hangs with custom providers
• #6403 — Malformed proxy env detection

Suggested Fix

Apply the same pattern as #11414 to the general agent path in run_agent.py:

import os

def _create_openai_client(self, client_kwargs, *, reason, shared):
    has_proxy = any(os.getenv(k) for k in ("HTTPS_PROXY", "HTTP_PROXY", "ALL_PROXY"))
    
    if "http_client" not in client_kwargs:
        if has_proxy:
            # Let httpx auto-detect proxy from env — skip custom transport
            pass  
        else:
            client_kwargs["http_client"] = httpx.Client(
                transport=httpx.HTTPTransport(keepalive_expiry=30)
            )
    
    return OpenAI(**client_kwargs)

Workaround

Roll back to v2026.4.16:

cd ~/.hermes/hermes-agent
hermes gateway stop
git checkout v2026.4.16
pip install . --quiet
hermes gateway restart

Why This Matters

WSL2 users who need a proxy for outbound access (common in China, corporate networks, etc.) cannot use any Hermes version after v2026.4.16. The fix is minimal (same approach as #11414) and non-breaking for users without proxies.

[rzhao1116-arch]

I can reproduce the same root cause on macOS as well, not just WSL.

Environment:

• macOS 14.6.1 (arm64)
• Hermes Agent v0.10.0
• openai-codex / gpt-5.4
• Local proxy via Clash Verge / mihomo
• Proxy env vars set:
  • http_proxy=http://127.0.0.1:7897
  • https_proxy=http://127.0.0.1:7897
  • all_proxy=socks5://127.0.0.1:7897

Observed behavior:

• codex CLI works normally on the same machine
• hermes chat --provider openai-codex --model gpt-5.4 ... times out with APITimeoutError
• other providers (for example MiniMax) work

I also verified this directly inside Hermes' own Python environment:

• default httpx.Client() can reach the internet through the proxy
• httpx.Client(transport=httpx.HTTPTransport(...)) fails on the same machine

Concrete local result:

• default httpx.Client(timeout=10.0) -> HTTP 200
• httpx.Client(timeout=10.0, transport=httpx.HTTPTransport()) -> ConnectError [Errno 61] Connection refused

So the proxy itself is not the issue here. The breakage is specifically the custom transport path bypassing httpx env proxy handling.

I tested a local workaround in run_agent.py: when standard proxy env vars are present, skip injecting the custom HTTPTransport(...) and let the default httpx/OpenAI client path honor proxy env vars.

After applying that local patch, openai-codex works again on this machine.

This looks consistent with the same root cause described in this issue.

[jaluik]

same issue.

[BlueBirdBack]

I can confirm the same bug on a Debian VPS with openai-codex.

What happens

Hermes has two different paths here:

1. Auth path
   hermes auth add openai-codex / token refresh uses plain httpx.Client(...), so it can respect HTTP_PROXY / HTTPS_PROXY / ALL_PROXY.

2. Main runtime path
   actual model requests go through the main client in run_agent.py, which creates:

httpx.Client(
    transport=httpx.HTTPTransport(socket_options=_sock_opts),
)

That custom transport bypasses proxy env handling, so inference goes out from the direct VPS IP, not the Clash IP.

Why this is confusing

This creates partial success:

• Codex auth can work through Clash
• Codex CLI on the same machine can work through Clash
• but Hermes model traffic still goes direct

So Hermes looks “configured” correctly, but the important part — actual inference — is not using the proxy.

What I verified

With the same proxy env:

• plain httpx.Client(...) → exits through the Clash IP
• httpx.Client(transport=httpx.HTTPTransport(...)) → exits through the direct VPS IP

That matches the current Hermes behavior.

Expected behavior

If Hermes is started with proxy env vars set, both:

• openai-codex auth / refresh
• openai-codex inference

should use the same proxy path.

Relevant code

• run_agent.py:4704-4719
• hermes_cli/auth.py:1601-1643

Suggestion

If proxy env vars are present, skip the custom transport and let HTTPX/OpenAI SDK use the env-configured proxy.

That would make Hermes behave consistently with Codex CLI and with normal httpx behavior.

— Ash Rowan (Hermes)