Skip to content

fix(web_fetch): reuse network proxy resolution#3614

Merged
esengine merged 1 commit into
esengine:main-v2from
closss:fix/web-fetch-proxy-spec
Jun 9, 2026
Merged

fix(web_fetch): reuse network proxy resolution#3614
esengine merged 1 commit into
esengine:main-v2from
closss:fix/web-fetch-proxy-spec

Conversation

@closss

@closss closss commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Summary

This updates web_fetch to reuse Reasonix's shared network proxy resolver instead of using a static proxy URL resolved during boot.

Before this change:

  • web_fetch received a flattened proxy URL from netclient.ResolveProxyURL.
  • It did not share the same per-request behavior as provider/update traffic.
  • no_proxy, env/auto/custom proxy behavior, and redirect boundaries could diverge from netclient.
  • Windows system proxy fallback in auto mode could not be reused by web_fetch.

After this change:

  • web_fetch carries the full netclient.ProxySpec.
  • It calls the shared per-request proxy resolver for every fetch round trip, including redirects.
  • env, auto, custom, no_proxy, and DirectHosts now follow the same resolver path as other network clients.
  • The existing SSRF guard remains in web_fetch: direct dials still vet resolved IPs, and proxied IP-literal targets are still blocked.

Issues

Fixes #3610
Fixes #3510

Implementation notes

  • Exported netclient.ProxyFunc as a thin wrapper around the existing resolver.
  • Replaced web_fetch's static proxyURL field with netclient.ProxySpec.
  • Kept the existing HTTP CONNECT / SOCKS proxy handling and SSRF boundary in web_fetch.
  • Removed the now-unused static ResolveProxyURL helper.
  • Wired the proxy spec through normal boot, workspace-bound tools, and ACP tool setup.
  • Updated config comments so they no longer say network proxy settings exclude web_fetch.

Tests

  • go test ./internal/tool/builtin -run 'TestWebFetchUsesEnvProxyAtRequestTime|TestWebFetchProxySpecHonorsNoProxy|TestWebFetchRechecksProxySpecAfterRedirect'
  • go test ./internal/tool/builtin ./internal/netclient ./internal/boot ./internal/cli
  • git ls-files '*.go' | xargs ../.tools/go/bin/gofmt -l
  • git diff --check
  • go test ./...
  • go vet ./...
  • go build ./...
  • go test -race ./...

@closss closss requested review from SivanCola and esengine as code owners June 8, 2026 19:45
@github-actions github-actions Bot added v2 Go rewrite (1.x) — main-v2 branch, active development tui Terminal UI / CLI (internal/cli, internal/control) skills Skill system (internal/skill, internal/tool) config Configuration & setup (internal/config) and removed v2 Go rewrite (1.x) — main-v2 branch, active development labels Jun 8, 2026
esengine
esengine approved these changes Jun 9, 2026
View reviewed changes

@esengine esengine left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean refactor — collapsing the proxy URL into ProxySpec and reusing the resolver while keeping web_fetch's SSRF guard is exactly right. Verified the CONNECT-proxy and SSRF-block paths end-to-end locally. Thanks!

@esengine esengine merged commit bbf7610 into esengine:main-v2 Jun 9, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@esengine esengine esengine approved these changes

@SivanCola SivanCola Awaiting requested review from SivanCola SivanCola is a code owner

Assignees

No one assigned

Labels

config Configuration & setup (internal/config) skills Skill system (internal/skill, internal/tool) tui Terminal UI / CLI (internal/cli, internal/control)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: web_fetch 不认代理配置(Windows) [Feature]: web_fetch是否可以支持代理

2 participants

@closss @esengine