fix: guard debug proxy CONNECT under managed proxy #77010

Merged: clawsweeper[bot] merged 2 commits into main from debug-proxy-managed-proxy on May 4, 2026

Conversation

@jesse-merhi

Member

Summary

  • disable debug proxy CONNECT upstream forwarding while OpenClaw managed proxy mode is active
  • add an explicit local-diagnostics override via OPENCLAW_DEBUG_PROXY_ALLOW_DIRECT_CONNECT_WITH_MANAGED_PROXY=1
  • document the behavior in proxy CLI and managed network proxy docs
  • add regression coverage for policy helper behavior and CONNECT rejection before direct upstream forwarding

Test Plan

  • OPENCLAW_LOCAL_CHECK=0 pnpm test src/proxy-capture/proxy-server.managed-proxy.test.ts src/proxy-capture/proxy-server.test.ts src/proxy-capture/runtime.test.ts src/proxy-capture/env.test.ts
  • pnpm format:check src/proxy-capture/proxy-server.ts src/proxy-capture/proxy-server.managed-proxy.test.ts docs/cli/proxy.md docs/security/network-proxy.md CHANGELOG.md
  • OPENCLAW_LOCAL_CHECK=0 pnpm check:changed

@openclaw-barnacle openclaw-barnacle Bot added docs Improvements or additions to documentation size: S maintainer Maintainer-authored PR labels May 4, 2026
@clawsweeper

clawsweeper Bot commented May 4, 2026

Contributor

Codex review: passed.

Summary
The PR adds a managed-proxy-aware debug proxy direct-upstream guard, a diagnostics override env var, regression tests, docs, and a changelog entry.

Reproducibility: yes. Source inspection on current main shows direct HTTP forwarding and CONNECT net.connect() can run while managed proxy mode is active, against the documented managed-proxy egress guardrail.

Next step before merge
No repair lane is needed; the repaired head has no blocking findings and should continue through normal automerge/check gates.

Security
Cleared: No concrete security or supply-chain regression found; the patch narrows direct egress and keeps generated CA test material under an OS temp root.

Review details

Best possible solution:

Land the repaired head after exact-head automerge gates remain green, preserving the guard, docs, tests, and changelog.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection on current main shows direct HTTP forwarding and CONNECT net.connect() can run while managed proxy mode is active, against the documented managed-proxy egress guardrail.

Is this the best way to solve the issue?

Yes. The repaired PR guards the narrow direct-upstream call sites before socket creation, documents the diagnostics override, and adds regression coverage for helper behavior plus CONNECT and HTTP denial paths.

What I checked:

  • Current main direct forwarding path: Current main records the debug proxy HTTP request and then creates an upstream http/https request, and its CONNECT handler calls net.connect() without checking managed proxy state first. (src/proxy-capture/proxy-server.ts:92, e3cba91ef059)
  • Managed proxy contract: The docs define managed proxy routing for normal HTTP/WebSocket egress and call out raw net/tls/http2 sockets as bypass risks; lifecycle code marks active managed proxy mode with OPENCLAW_PROXY_ACTIVE=1. Public docs: docs/security/network-proxy.md. (docs/security/network-proxy.md:30, e3cba91ef059)
  • PR production guard: The repaired head adds shared truthy parsing, assertDebugProxyDirectUpstreamAllowed(), and 403 policy responses before both absolute-form proxy forwarding and CONNECT net.connect(). (src/proxy-capture/proxy-server.ts:27, aaa52a7f5fcb)
  • Regression coverage and fixture repair: The added test uses mkdtemp under os.tmpdir(), verifies truthy managed-proxy parsing and override behavior, rejects CONNECT with 403 before direct sockets, and proves absolute-form HTTP requests do not reach a local canary origin. (src/proxy-capture/proxy-server.managed-proxy.test.ts:20, aaa52a7f5fcb)
  • Docs updated: The repaired head documents that debug proxy direct upstream forwarding is disabled during managed proxy mode unless the explicit diagnostics override is set. Public docs: docs/cli/proxy.md. (docs/cli/proxy.md:71, aaa52a7f5fcb)
  • Exact-head checks: GitHub check runs for aaa52a7 show the main check, docs, lint, type, security, build, and node lanes completed successfully; only expected skipped/neutral/cancelled non-blocking rows appeared in the summary. (aaa52a7f5fcb)

Likely related people:

  • jesse-merhi: Introduced operator-managed network proxy routing and recently fixed adjacent managed-proxy TLS validation and docs, so this policy boundary is in their recent ownership area. (role: recent managed proxy maintainer; confidence: high; commits: 2633b1491413, 84a30e213e31, 9c3b7b7b151b; files: src/infra/net/proxy/proxy-lifecycle.ts, docs/security/network-proxy.md)
  • Takhoffman: Introduced the proxy capture stack, including the debug proxy server surface that this PR guards. (role: debug proxy capture introducer; confidence: high; commits: 958c34e82cdb; files: src/proxy-capture/proxy-server.ts, src/proxy-capture/ca.ts, src/proxy-capture/runtime.ts)
  • steipete: Recently maintained proxy lifecycle/docs behavior around local control-plane bypass and managed proxy routing hooks. (role: adjacent proxy maintainer; confidence: medium; commits: bdcd543ed78a, b113d92c6fda; files: src/infra/net/proxy/proxy-lifecycle.ts, docs/security/network-proxy.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against e3cba91ef059.
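
The ordering this review describes (policy check first, a 403 response, and only then an upstream socket) as an added sketch that is not OpenClaw's code. The function names, the injected `connect` callback and the set of truthy spellings are assumptions; only the two environment variable names come from this PR.

```typescript
// Added illustration; every name here is hypothetical except the two env var names.
type EnvMap = { [key: string]: string | undefined };
type ConnectOutcome = "denied" | "bad-request" | "forwarded";

interface ClientSocketLike {
  write(data: string): void;
  end(): void;
}

// Stands in for net.connect(port, host); injected so a test can prove that
// a denied request never reaches socket creation.
type UpstreamConnect = (host: string, port: number) => void;

const ACTIVE_VAR = "OPENCLAW_PROXY_ACTIVE";
const OVERRIDE_VAR = "OPENCLAW_DEBUG_PROXY_ALLOW_DIRECT_CONNECT_WITH_MANAGED_PROXY";

// Assumed truthy spellings; the page only shows "1" being used.
const TRUTHY_VALUES = ["1", "true", "yes", "on"];

function isTruthyFlag(value: string | undefined): boolean {
  if (value === undefined) return false;
  return TRUTHY_VALUES.indexOf(value.trim().toLowerCase()) !== -1;
}

// Direct upstream sockets are refused only while managed proxy mode is
// active and the diagnostics override is absent.
function directUpstreamAllowed(env: EnvMap): boolean {
  return !isTruthyFlag(env[ACTIVE_VAR]) || isTruthyFlag(env[OVERRIDE_VAR]);
}

// Split a CONNECT target ("host:port"); null when the port is missing or invalid.
function parseAuthority(target: string): { host: string; port: number } | null {
  const idx = target.lastIndexOf(":");
  if (idx <= 0) return null;
  const port = Number(target.slice(idx + 1));
  if (!(port >= 1 && port <= 65535) || Math.floor(port) !== port) return null;
  return { host: target.slice(0, idx), port: port };
}

function respond(client: ClientSocketLike, statusLine: string): void {
  client.write("HTTP/1.1 " + statusLine + "\r\nConnection: close\r\n\r\n");
  client.end();
}

function handleConnect(target: string, client: ClientSocketLike,
                       env: EnvMap, connect: UpstreamConnect): ConnectOutcome {
  // Policy check comes first, before any step that could open a socket.
  if (!directUpstreamAllowed(env)) {
    respond(client, "403 Forbidden");
    return "denied";
  }
  const authority = parseAuthority(target);
  if (authority === null) {
    respond(client, "400 Bad Request");
    return "bad-request";
  }
  connect(authority.host, authority.port);
  return "forwarded";
}
```

Passing a spy as `connect` is what lets a regression test assert that no upstream socket was attempted on the denied path, rather than only checking the status code.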

@mjamiv

mjamiv commented May 4, 2026

Contributor

Opened a tiny stacked PR for the test-fixture finding here: #77061

It moves the managed-proxy debug proxy test fixture from repo-relative .tmp-* paths to a per-test root under os.tmpdir(), so generated root-ca-key.pem/root-ca.pem are not created under the checkout if the test is interrupted.

Validation:

  • pnpm exec oxfmt --check --threads=1 src/proxy-capture/proxy-server.managed-proxy.test.ts
  • OPENCLAW_LOCAL_CHECK=0 pnpm test src/proxy-capture/proxy-server.managed-proxy.test.ts src/proxy-capture/proxy-server.test.ts src/proxy-capture/runtime.test.ts src/proxy-capture/env.test.ts
  • OPENCLAW_LOCAL_CHECK=0 pnpm check:changed -- --base upstream/main --head HEAD

@jesse-merhi jesse-merhi marked this pull request as ready for review May 4, 2026 03:25
@jesse-merhi jesse-merhi requested a review from a team as a code owner May 4, 2026 03:25
Copilot AI review requested due to automatic review settings May 4, 2026 03:25
@jesse-merhi

Member Author

/clawsweeper automerge

@clawsweeper clawsweeper Bot added the clawsweeper:automerge Maintainer opted this PR into bounded ClawSweeper-reviewed automerge label May 4, 2026
@clawsweeper

clawsweeper Bot commented May 4, 2026

Contributor

🦞✅
ClawSweeper merged this PR after the passing review.

Source: clawsweeper[bot]
Feedback: structured ClawSweeper verdict: pass (sha=aaa52a7f5fcb933a51b1995231d225a1cce1aed6)
Merge status: merged by ClawSweeper automerge
Merged at: 2026-05-04T03:54:19Z
Merge commit: f42a2c738c37

What merged:

  • The PR adds a managed-proxy-aware debug proxy direct-upstream guard, a diagnostics override env var, regression tests, docs, and a changelog entry.
  • Reproducibility: yes. Source inspection on current main shows direct HTTP forwarding and CONNECT net.connect() can run while managed proxy mode is active, against the documented managed-proxy egress guardrail.

Automerge notes:

  • Ran the ClawSweeper repair loop before final review.
  • Included post-review commit in the final squash: fix(clawsweeper): address review for automerge-openclaw-openclaw-7701…

The automerge loop is complete.

Automerge progress:

  • 2026-05-04 03:26:48 UTC review queued f1f7ffce2c7a (queued)
  • 2026-05-04 03:32:16 UTC review requested repair f1f7ffce2c7a (structured ClawSweeper marker: fix-required (finding=security-review sha=f1f7ff...)
  • 2026-05-04 03:48:08 UTC review queued aaa52a7f5fcb (after repair)
  • 2026-05-04 03:54:09 UTC review passed aaa52a7f5fcb (structured ClawSweeper verdict: pass (sha=aaa52a7f5fcb933a51b1995231d225a1cce1a...)
  • 2026-05-04 03:54:21 UTC merged aaa52a7f5fcb (merged by ClawSweeper automerge)

Copilot AI left a comment

Contributor

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Disables debug proxy CONNECT upstream forwarding while OpenClaw managed proxy mode is active, with an explicit env override for approved diagnostics, and updates docs/tests accordingly.

Changes:

  • Add a managed-proxy guard (assertDebugProxyDirectConnectAllowed) that blocks CONNECT upstream forwarding unless an override env var is set.
  • Record and return a 502 response when CONNECT is blocked by policy.
  • Add managed-proxy regression tests and document the behavior in CLI/security docs and changelog.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/proxy-capture/proxy-server.ts | Introduces managed-proxy CONNECT policy guard + enforcement in the CONNECT handler. |
| src/proxy-capture/proxy-server.managed-proxy.test.ts | Adds regression coverage for allow/deny behavior and server-level CONNECT rejection. |
| docs/security/network-proxy.md | Documents CONNECT forwarding being disabled by default under managed proxy mode. |
| docs/cli/proxy.md | Documents the new default behavior and the diagnostic override env var. |
| CHANGELOG.md | Notes the fix and the override knob for approved diagnostics. |

Comment thread src/proxy-capture/proxy-server.ts Outdated
Comment thread src/proxy-capture/proxy-server.ts Outdated
@clawsweeper clawsweeper Bot force-pushed the debug-proxy-managed-proxy branch from f1f7ffc to aaa52a7 Compare May 4, 2026 03:48
@clawsweeper clawsweeper Bot merged commit f42a2c7 into main May 4, 2026
95 of 96 checks passed
@clawsweeper clawsweeper Bot deleted the debug-proxy-managed-proxy branch May 4, 2026 03:54
vincentkoc added a commit that referenced this pull request May 4, 2026
* 'main' of https://github.com/openclaw/openclaw:
  fix: guard debug proxy CONNECT under managed proxy (#77010)
lxe pushed a commit to lxe/openclaw that referenced this pull request May 6, 2026
Summary:
- The PR adds a managed-proxy-aware debug proxy direct-upstream guard, a diagnostics override env var, regression tests, docs, and a changelog entry.
- Reproducibility: yes. Source inspection on current main shows direct HTTP forwarding and CONNECT net.connect() can run while managed proxy mode is active, against the documented managed-proxy egress guardrail.

Automerge notes:
- Ran the ClawSweeper repair loop before final review.
- Included post-review commit in the final squash: fix(clawsweeper): address review for automerge-openclaw-openclaw-7701…

Validation:
- ClawSweeper review passed for head aaa52a7.
- Required merge gates passed before the squash merge.

Prepared head SHA: aaa52a7
Review: openclaw#77010 (comment)

Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Co-authored-by: clawsweeper <274271284+clawsweeper[bot]@users.noreply.github.com>