[Feature]: Feishu channel needs per-channel proxy bypass for mixed Windows proxy setups

[kunpeng-ai-lab]

Summary

Allow Feishu/Lark channel traffic to use a channel-specific proxy policy so model-provider traffic can keep using env proxy while Feishu token/WebSocket traffic can go direct when needed.

Problem to solve

In a Windows setup where model-provider traffic needs HTTP_PROXY / HTTPS_PROXY, the Feishu channel can fail if Feishu/Lark API traffic inherits the same ambient proxy.

The practical mixed-proxy need is:

• LLM/provider requests: use env proxy
• Feishu/Lark token and WebSocket traffic: go direct, or follow an explicit channel policy

Today the workaround is awkward. Clearing proxy env globally can restore Feishu connectivity, but then provider requests may lose network access. A global proxy toggle is too coarse for this setup.

Proposed solution

A few possible solutions would work:

1. Document NO_PROXY guidance for Feishu/Lark endpoints in docs/channels/feishu.md.
2. Add a channel-level option, for example:

{
  "channels": {
    "feishu": {
      "proxyMode": "ambient" // or "direct"
    }
  }
}

3. Ensure Feishu HTTP and WebSocket paths use the same proxy policy and are covered by tests.

The main goal is to let provider traffic keep using env proxy while Feishu/Lark official endpoints can bypass that proxy when required.

Alternatives considered

Alternatives I tried/considered:

• Clearing all proxy env for the gateway process: helps Feishu, but can break model-provider traffic.
• Forcing Feishu SDK HTTP calls and WebSocket to direct locally: works for my machine, but a hard-coded proxy: false may break enterprise users who need Feishu/Lark through a corporate proxy.
• Asking users to manually tune env vars: possible, but this is easy to misconfigure and hard to diagnose from channel logs.

Impact

Affected users/systems/channels:

• Windows users running OpenClaw with Feishu/Lark channel in WebSocket mode
• Users whose model provider needs HTTP_PROXY / HTTPS_PROXY
• Mixed network environments where provider traffic and Feishu/Lark traffic need different routing

Severity: blocks workflow when it happens, because the Feishu bot receives no usable replies even though the gateway and channel config appear to be running.

Frequency: environment-dependent, but likely repeatable for users with incompatible local/corporate proxy routing.

Consequence: users spend time debugging Feishu credentials/events when the root cause is actually transport routing.

Evidence/examples

Observed in a local Windows setup:

• Feishu channel configured in WebSocket mode
• Gateway running
• Proxy env present: HTTP_PROXY, HTTPS_PROXY, ALL_PROXY
• Feishu token request failed against:

https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal

with:

400 The plain HTTP request was sent to HTTPS port

After forcing Feishu SDK HTTP calls and Feishu WebSocket connection to bypass the ambient proxy, Feishu started receiving and replying again. Keeping proxy env for the gateway process was still necessary for model-provider traffic.

I also checked current source: Feishu WebSocket already intentionally uses ambient env proxy, and shared NO_PROXY helpers already exist. So this seems better handled as an explicit/documented Feishu channel proxy policy rather than a blanket direct-connect patch.

Additional information

No credentials, tokens, app IDs, or app secrets are included here.

If maintainers agree on the preferred direction, I can help with either a docs-only PR for NO_PROXY guidance or a small implementation PR for a channel-level proxy policy.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open. Current main still has no Feishu/Lark mixed-proxy docs or Feishu-owned direct/ambient proxy policy, and same-author docs PR #75050 remains open as the active mitigation path while runtime egress policy needs maintainer review.

Reproducibility: yes. source inspection provides a high-confidence path for the missing behavior: Feishu has no proxy config key, SDK HTTP has no channel override, and WebSocket always follows ambient proxy env when configured. The specific Windows proxy error was not live-reproduced in this read-only review.

Next step
Needs maintainer product/security choice, and same-author docs PR #75050 is already the active low-risk mitigation path.

Security
Needs attention: The requested runtime bypass is security-sensitive because it can route Feishu traffic outside ambient managed proxy controls.

Review details

Best possible solution:

Land #75050 if docs-only NO_PROXY guidance is accepted; otherwise implement a Feishu-owned proxy policy covering SDK HTTP, guarded fetch, and WebSocket paths with tests and docs.

Do we have a high-confidence way to reproduce the issue?

Yes, source inspection provides a high-confidence path for the missing behavior: Feishu has no proxy config key, SDK HTTP has no channel override, and WebSocket always follows ambient proxy env when configured. The specific Windows proxy error was not live-reproduced in this read-only review.

Is this the best way to solve the issue?

Unclear. Docs-only NO_PROXY guidance is the lowest-risk mitigation and already has an open PR, while a proxyMode-style runtime option is more complete but changes channel egress policy and needs maintainer approval.

Security concerns:

• [medium] Review direct egress policy before adding runtime bypass — extensions/feishu/src/client.ts:214
  A direct/ambient Feishu proxy option would intentionally bypass process proxy settings for channel traffic. That may be correct for mixed Windows setups, but it should be explicit, documented, and covered by tests so enterprise proxy and audit controls are not bypassed accidentally.
  Confidence: 0.82

Acceptance criteria:

• Docs-only path: pnpm docs:check-mdx -- docs/channels/feishu.md
• Runtime path: pnpm test extensions/feishu/src/client.test.ts extensions/feishu/src/config-schema.test.ts extensions/feishu/src/streaming-card.test.ts
• Targeted formatting: pnpm exec oxfmt --check --threads=1 extensions/feishu/src/client.ts extensions/feishu/src/client.test.ts extensions/feishu/src/config-schema.ts extensions/feishu/src/config-schema.test.ts extensions/feishu/src/streaming-card.ts docs/channels/feishu.md

What I checked:

• Current main checked: Read-only inspection was against current main 39bc94e; final git status remained clean. (39bc94e4ddf5)
• Feishu docs still lack mixed-proxy guidance: The Feishu troubleshooting and configuration reference sections mention common bot setup issues and config keys, but not NO_PROXY, HTTP_PROXY, HTTPS_PROXY, mixed-proxy routing, or tenant_access_token proxy failures. Public docs: docs/channels/feishu.md. (docs/channels/feishu.md:198, 39bc94e4ddf5)
• No Feishu proxy config exists: The shared and per-account Feishu config schema includes httpTimeoutMs and channel behavior flags, but no proxyMode/direct/ambient key that could express the requested channel policy. (extensions/feishu/src/config-schema.ts:173, 39bc94e4ddf5)
• SDK HTTP path has no channel policy: createFeishuClient wraps the Lark SDK defaultHttpInstance only for timeout/User-Agent behavior and passes that instance to Lark.Client without a Feishu-specific proxy override. (extensions/feishu/src/client.ts:121, 39bc94e4ddf5)
• WebSocket path is ambient-only: createFeishuWSClient always asks the shared ambient proxy helper for an agent when proxy env is configured; tests cover env-proxy use and absence, but there is no account/channel override to force direct. (extensions/feishu/src/client.ts:214, 39bc94e4ddf5)
• Shared proxy helper honors ambient env: resolveAmbientNodeProxyAgent returns undefined only when no HTTPS proxy env is configured; otherwise it constructs a proxy-agent instance, so the Feishu WS path currently follows process proxy env rather than channel policy. (src/plugin-sdk/extension-shared.ts:237, 39bc94e4ddf5)

Likely related people:

• steipete: Recent merged history includes the shared ambient proxy helper used by Feishu WebSocket handling and the proxy-env/guarded-fetch refactor that shapes the available policy surface. (role: recent maintainer and shared proxy helper owner; confidence: high; commits: 380a39626687, c973b053a5e2; files: src/plugin-sdk/extension-shared.ts, src/infra/net/proxy-env.ts, src/infra/net/fetch-guard.ts)
• colin719: Merged PR fix(feishu): pass proxy agent to WSClient for proxy environments #26397 added Feishu WSClient proxy-agent support directly adjacent to the requested per-channel direct/ambient policy. (role: introduced adjacent WebSocket proxy handling; confidence: high; commits: 0a23739c3795; files: extensions/feishu/src/client.ts, extensions/feishu/src/client.test.ts)
• m1heng: The Feishu plugin package metadata lists community maintenance by @m1heng, and the issue timeline shows @m1heng was mentioned/subscribed during this discussion. (role: Feishu channel routing candidate; confidence: medium; files: extensions/feishu/package.json)

Remaining risk / open question:

• No live Windows Feishu/Lark connectivity test was run in this read-only review, so the exact proxy failure remains reporter-supplied even though the missing policy is source-visible.
• A runtime direct mode could conflict with managed proxy or audit expectations unless it is explicit, opt-in, documented, and tested.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 39bc94e4ddf5.