Ignore unsupported proxy schemes for env dispatcher

[bryce-d-greybeard]

Fixes #78007.

Summary

• restrict EnvHttpProxyAgent options to HTTP(S) proxy URLs
• ignore unsupported schemes such as socks5: for the gateway/global Undici HTTP proxy dispatcher
• preserve HTTP ALL_PROXY fallback behavior

Verification

• PATH="/tmp/openclaw-pnpm-shim:$PATH" node scripts/test-projects.mjs src/infra/net/proxy-env.test.ts src/infra/net/undici-global-dispatcher.test.ts --maxWorkers=1
• git diff --check
• PATH="/tmp/openclaw-pnpm-shim:$PATH" node scripts/check-changed.mjs

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
The PR filters EnvHttpProxyAgent env-derived proxy options to only HTTP(S) URLs and updates proxy-env/global-dispatcher tests to treat SOCKS ALL_PROXY as ignored.

Reproducibility: yes. for the PR-introduced regression: source inspection shows ALL_PROXY=socks5://... changes from configured EnvHttpProxyAgent options on current main to undefined in the PR. The exact external Weixin failure is not yet live-reproduced because the reporter's gateway proxy environment is missing.

Real behavior proof
Needs real behavior proof before merge: The PR body provides tests and checks only; it does not show after-fix gateway/plugin fetch behavior in a real setup.

Next step before merge
External PR needs contributor real behavior proof and maintainer rework because the current diff appears to introduce a SOCKS proxy bypass rather than narrowly proving/fixing #78007.

Security
Needs attention: The diff can silently bypass configured SOCKS env proxy routing for global gateway/plugin fetches.

Review findings

• [P1] Do not drop supported SOCKS proxy env URLs — src/infra/net/proxy-env.ts:95-97

Review details

Best possible solution:

Rework the fix to preserve Undici-supported SOCKS env proxy routing, then reproduce #78007 with the gateway proxy environment and fix only malformed or genuinely unsupported proxy handling with diagnostics and regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes for the PR-introduced regression: source inspection shows ALL_PROXY=socks5://... changes from configured EnvHttpProxyAgent options on current main to undefined in the PR. The exact external Weixin failure is not yet live-reproduced because the reporter's gateway proxy environment is missing.

Is this the best way to solve the issue?

No. Filtering to HTTP(S) is not the narrowest maintainable fix because the pinned Undici path supports SOCKS proxy URLs; the safer path is to preserve supported proxies and diagnose the specific invalid or unreachable proxy case from #78007.

Full review comments:

• [P1] Do not drop supported SOCKS proxy env URLs — src/infra/net/proxy-env.ts:95-97
  The new normalization turns SOCKS env proxy values into undefined, so hasEnvHttpProxyAgentConfigured() returns false and gateway/global fetches skip EnvHttpProxyAgent. Current main already tests the SOCKS ALL_PROXY fallback, and Undici 8.2.0 routes socks5:/socks: through Socks5ProxyAgent, so this would break existing proxy routing and can send traffic direct instead of through the configured proxy.
  Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.88

Security concerns:

• [medium] SOCKS env proxies can be bypassed — src/infra/net/proxy-env.ts:95
  By discarding SOCKS proxy env values before EnvHttpProxyAgent is installed, the gateway can fall back to direct egress even when the operator configured a supported SOCKS proxy. That is a proxy-routing/security regression, not only a functional compatibility issue.
  Confidence: 0.88

Acceptance criteria:

• After rework, run targeted proxy env tests covering HTTP, HTTPS, ALL_PROXY, and SOCKS cases.
• Provide redacted real gateway/plugin fetch output or logs showing the Regression: external channel plugin fetch() fails with TypeError: fetch failed in 2026.5.4 #78007 path succeeds after the fix.
• Run the changed gate appropriate for src/infra/net proxy runtime changes.

What I checked:

• PR filters proxy URLs before EnvHttpProxyAgent: The changed helper would normalize non-HTTP(S) env proxy values to undefined before building EnvHttpProxyAgent options, so SOCKS-only env proxy settings stop counting as configured. (src/infra/net/proxy-env.ts:95, 23cf56a8448c)
• Current main has a SOCKS ALL_PROXY contract test: Current main explicitly expects ALL_PROXY=socks5://... to populate both httpProxy and httpsProxy for EnvHttpProxyAgent options. (src/infra/net/proxy-env.test.ts:117, e28ad6a8697b)
• Global dispatcher depends on this helper: ensureGlobalUndiciEnvProxyDispatcher returns early when hasEnvHttpProxyAgentConfigured is false, so filtering SOCKS-only env values would skip global EnvHttpProxyAgent installation and use direct dispatch instead. (src/infra/net/undici-global-dispatcher.ts:61, e28ad6a8697b)
• Pinned dependency supports SOCKS proxy URLs: OpenClaw pins undici 8.2.0; upstream v8.2.0 EnvHttpProxyAgent passes httpProxy/httpsProxy into ProxyAgent, and ProxyAgent routes socks5:/socks: through Socks5ProxyAgent. (package.json:1720, e28ad6a8697b)
• Related issue still lacks live proxy inputs: The linked regression report says gateway/plugin fetch fails while standalone fetch works, but the existing ClawSweeper review noted that the exact gateway proxy env/config is still missing.
• Real behavior proof is absent: The PR body lists targeted tests, git diff --check, and changed checks, but no after-fix gateway/plugin run, terminal output, logs, screenshot, or artifact showing the reported fetch path now succeeds. (23cf56a8448c)

Likely related people:

• steipete: Authored the current proxy-env ALL_PROXY fallback change and several recent trusted/env proxy maintenance commits on the affected helper path. (role: recent maintainer and ALL_PROXY fallback author; confidence: high; commits: dc859584a352, 66336bf7c846, ecec68d06d19; files: src/infra/net/proxy-env.ts, src/infra/net/proxy-env.test.ts, src/infra/net/undici-global-dispatcher.ts)
• jesse-merhi: Authored the operator-managed network proxy feature and multiple recent docs/fix commits around proxy routing behavior adjacent to this PR. (role: managed proxy feature contributor; confidence: medium; commits: 2633b1491413, d5b0083300a6, f42a2c738c37; files: docs/security/network-proxy.md, src/infra/net/proxy/proxy-lifecycle.ts, src/infra/net/undici-global-dispatcher.ts)
• Takhoffman: Introduced the earlier env proxy bootstrap for model traffic, including proxy env precedence follow-ups that shaped the affected runtime path. (role: env proxy bootstrap contributor; confidence: medium; commits: 87876a3e36db; files: src/infra/net/proxy-env.ts, src/infra/net/undici-global-dispatcher.ts)
• joshavant: Co-authored the managed proxy feature commit that added the broader operator proxy routing surface this dispatcher participates in. (role: adjacent co-author; confidence: low; commits: 2633b1491413; files: docs/security/network-proxy.md, src/infra/net/proxy/proxy-lifecycle.ts)

Remaining risk / open question:

• The exact Weixin/gateway failure from Regression: external channel plugin fetch() fails with TypeError: fetch failed in 2026.5.4 #78007 still lacks the reporter's redacted proxy env/config and a live reproduction.
• No tests or live commands were run because this review was explicitly read-only; the verdict is based on source, dependency, and PR-body inspection.
• If maintainers intentionally want to disallow SOCKS env proxies in this path, current tests/docs need an explicit policy update because current code and Undici 8.2.0 point the other way.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e28ad6a8697b.

[shakkernerd]

Thanks for taking a look at this.

I reproduced #78007 against OpenClaw 2026.5.4 with @tencent-weixin/openclaw-weixin 2.4.1 installed. The real failing path is:

openclaw channels login --channel openclaw-weixin

Standalone curl and Node fetch to the same Tencent QR endpoint both succeed in the same environment, while the OpenClaw command fails with TypeError: fetch failed.

A trace of the failing OpenClaw path shows the underlying Undici cause is:

UND_ERR_INVALID_ARG: invalid content-length header

The repro environment had no HTTP_PROXY, HTTPS_PROXY, ALL_PROXY, NODE_OPTIONS, or OpenClaw proxy config, so this does not appear to be caused by unsupported proxy schemes. This PR changes env proxy filtering and drops SOCKS proxy values, which is not the failing mechanism here and would risk bypassing a configured SOCKS proxy.

Closing this PR as not the right fix for #78007. The issue should stay open for a fix in the OpenClaw runtime/Undici fetch path around plugin requests with Content-Length.