@aion0/forge 0.10.87 → 0.10.88

package/RELEASE_NOTES.md

@@ -1,14 +1,8 @@
-# Forge v0.10.87
+# Forge v0.10.88
 
 Released: 2026-06-17
 
-## Changes since v0.10.86
+## Changes since v0.10.87
 
-### Other
-- feat(pipeline): log attached skills in task init line
-- feat(skills): per-skill source badge in marketplace (#354)
-- feat(skills): multi-source sync + install (enterprise + public) — #354
-- feat(pipeline): workflow-level skills: field + template _skills auto-install
 
-
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.86...v0.10.87
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.87...v0.10.88

package/bin/forge-server.mjs

@@ -28,6 +28,17 @@ import { homedir } from 'node:os';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const ROOT = join(__dirname, '..');
 
+// Pre-install EnvHttpProxyAgent before any dynamic import('undici') can
+// clobber Node's NODE_USE_ENV_PROXY agent (see lib/proxy-setup.ts).
+// No-op off-corp (no proxy env), so non-docker deployments are unchanged.
+if (process.env.HTTPS_PROXY || process.env.HTTP_PROXY ||
+    process.env.https_proxy || process.env.http_proxy) {
+  try {
+    const { setGlobalDispatcher, EnvHttpProxyAgent } = await import('undici');
+    setGlobalDispatcher(new EnvHttpProxyAgent());
+  } catch { /* undici unavailable — leave Node's default dispatcher */ }
+}
+
 /** Build Next.js — install devDependencies first if missing */
 function buildNext() {
   // Check if devDependencies are installed (e.g. @tailwindcss/postcss)

package/instrumentation.ts

@@ -2,6 +2,8 @@
  * Next.js instrumentation — runs once when the server starts.
  * Loads .env.local and prints login password.
  */
+import './lib/proxy-setup';   // MUST be first — see proxy-setup.ts header.
+
 export async function register() {
   // Only run on server, not Edge
   if (process.env.NEXT_RUNTIME === 'nodejs') {

package/lib/browser-bridge-standalone.ts

@@ -39,6 +39,7 @@
  * Usage: npx tsx lib/browser-bridge-standalone.ts [--forge-port=8403]
  */
 
+import './proxy-setup';   // MUST be first — see proxy-setup.ts header.
 import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';
 import { WebSocket, WebSocketServer } from 'ws';
 import { randomUUID, createHash } from 'node:crypto';

package/lib/chat/protocols/http.ts

@@ -241,8 +241,14 @@ async function exchangeBearerToken(
   const exchangeFetchInit = { method: auth.exchange_method || 'POST', headers, body };
   let res: Response;
   if (verifyTls === false) {
-    const { fetch: undiciFetch, Agent } = await import('undici');
-    const dispatcher = new Agent({ connect: { rejectUnauthorized: false } });
+    // Per-call dispatcher bypasses the global proxy agent — route via
+    // ProxyAgent when a proxy is set (corp), else plain Agent (direct).
+    const { fetch: undiciFetch, Agent, ProxyAgent } = await import('undici');
+    const proxyUrl = process.env.HTTPS_PROXY || process.env.https_proxy ||
+                     process.env.HTTP_PROXY || process.env.http_proxy;
+    const dispatcher = proxyUrl
+      ? new ProxyAgent({ uri: proxyUrl, requestTls: { rejectUnauthorized: false } })
+      : new Agent({ connect: { rejectUnauthorized: false } });
     res = await undiciFetch(exchangeUrl, { ...exchangeFetchInit, dispatcher }) as unknown as Response;
   } else {
     res = await fetch(exchangeUrl, exchangeFetchInit);
@@ -488,8 +494,14 @@ export async function runHttp({ tool, settings, args, connectorAuth, noTruncatio
       // fetch are version-matched; passing an external undici Agent
       // into Node's bundled global fetch fails with UND_ERR_INVALID_ARG
       // because Node 22 ships an older undici than the installed one.
-      const { fetch: undiciFetch, Agent } = await import('undici');
-      const dispatcher = new Agent({ connect: { rejectUnauthorized: false } });
+      // Per-call dispatcher bypasses the global proxy agent — route via
+      // ProxyAgent when a proxy is set (corp), else plain Agent (direct).
+      const { fetch: undiciFetch, Agent, ProxyAgent } = await import('undici');
+      const proxyUrl = process.env.HTTPS_PROXY || process.env.https_proxy ||
+                       process.env.HTTP_PROXY || process.env.http_proxy;
+      const dispatcher = proxyUrl
+        ? new ProxyAgent({ uri: proxyUrl, requestTls: { rejectUnauthorized: false } })
+        : new Agent({ connect: { rejectUnauthorized: false } });
       res = await undiciFetch(url, { method, headers, body, signal: controller.signal, dispatcher }) as unknown as Response;
     } else {
       res = await fetch(url, { method, headers, body, signal: controller.signal });

package/lib/chat-standalone.ts

@@ -30,6 +30,7 @@
  *   keep their existing WS path; HTTP-only surfaces use SSE.
  */
 
+import './proxy-setup';   // MUST be first — see proxy-setup.ts header.
 import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';
 import {
   createSession, getSession, listSessions, updateSession, deleteSession, listMessages,

package/lib/connectors/test-runner.ts

@@ -134,8 +134,14 @@ async function runHttpProbe(
     // NAC, ESXi …) need undici with rejectUnauthorized:false, same as http.ts.
     const fetchInit = { method, headers, body, signal: ctrl.signal };
     if (def.http?.verify_tls === false) {
-      const { fetch: undiciFetch, Agent } = await import('undici');
-      const dispatcher = new Agent({ connect: { rejectUnauthorized: false } });
+      // A per-call dispatcher bypasses the global proxy agent, so when a proxy
+      // is set (corp) route through ProxyAgent; else plain Agent (direct).
+      const { fetch: undiciFetch, Agent, ProxyAgent } = await import('undici');
+      const proxyUrl = process.env.HTTPS_PROXY || process.env.https_proxy ||
+                       process.env.HTTP_PROXY || process.env.http_proxy;
+      const dispatcher = proxyUrl
+        ? new ProxyAgent({ uri: proxyUrl, requestTls: { rejectUnauthorized: false } })
+        : new Agent({ connect: { rejectUnauthorized: false } });
       res = await undiciFetch(url, { ...fetchInit, dispatcher } as any) as unknown as Response;
     } else {
       res = await fetch(url, fetchInit);

package/lib/help-docs/10-troubleshooting.md

@@ -76,6 +76,19 @@ The WebSocket dropped (system suspend, network blip). Forge auto-reconnects afte
 gh auth login
 ```
 
+### Connector Test fails with `ENETUNREACH` behind a corp proxy
+Symptom: a brand-new deployment behind a corporate proxy/ZTNA, configure a
+connector (e.g. GitLab) → **Test** → `request failed: fetch failed: connect
+ENETUNREACH <backend-ip>:443`.
+
+Forge honours `HTTPS_PROXY` / `HTTP_PROXY` / `NO_PROXY` automatically — every
+entry point pre-installs an `EnvHttpProxyAgent` before any code makes a request,
+so a proxy set in the environment is used for all connector calls (including
+`verify_tls: false` self-signed appliances like FortiNAC). Just make sure the
+proxy env vars are exported for the Forge process (in Docker, via the
+container's environment). Off-corp deployments with no proxy env are unaffected
+— requests go direct as before.
+
 ### Skills not syncing
 Click "Sync" in Skills tab. Check `skillsRepoUrl` in Settings points to valid registry.
 

package/lib/memory-standalone.ts

@@ -18,6 +18,8 @@
  * next sub-task still runs in the same cycle.
  */
 
+import './proxy-setup';   // MUST be first — see proxy-setup.ts header.
+
 const MEMORY_TICK_SEC = 120;
 
 export interface MemorySubTask {

package/lib/proxy-setup.ts

@@ -0,0 +1,21 @@
+/**
+ * Pre-install an EnvHttpProxyAgent on undici's global dispatcher BEFORE
+ * anything dynamic-imports the npm undici (8.x).
+ *
+ * Why: Node honours NODE_USE_ENV_PROXY by putting EnvHttpProxyAgent on
+ * undici v1's dispatcher symbol. The npm undici uses v2; on load its
+ * `if (getGlobalDispatcher() === undefined) setGlobalDispatcher(new Agent())`
+ * reads v2 (undefined) and writes a plain Agent into BOTH v1 and v2,
+ * silently clobbering Node's proxy agent — after which every fetch ignores
+ * HTTPS_PROXY and direct-connects (ENETUNREACH behind corp ZTNA).
+ * Setting v2 here makes that check non-undefined, so npm undici skips it.
+ *
+ * MUST be the FIRST import in every entry point. Off-corp (no proxy env)
+ * this is a no-op, so non-docker / standalone deployments are unchanged.
+ */
+import { setGlobalDispatcher, EnvHttpProxyAgent } from 'undici';
+
+if (process.env.HTTPS_PROXY || process.env.HTTP_PROXY ||
+    process.env.https_proxy || process.env.http_proxy) {
+  setGlobalDispatcher(new EnvHttpProxyAgent());
+}

package/lib/telegram-standalone.ts

@@ -4,6 +4,7 @@
  * Runs as a single process — no duplication from Next.js workers.
  */
 
+import './proxy-setup';   // MUST be first — see proxy-setup.ts header.
 import { loadSettings } from './settings';
 
 const settings = loadSettings();

package/lib/terminal-standalone.ts

@@ -24,6 +24,7 @@
  * Usage: npx tsx lib/terminal-standalone.ts
  */
 
+import './proxy-setup';   // MUST be first — see proxy-setup.ts header.
 import { WebSocketServer, WebSocket } from 'ws';
 import * as pty from 'node-pty';
 import { execSync } from 'node:child_process';

package/lib/workspace-standalone.ts

@@ -12,6 +12,7 @@
  *   FORGE_DATA_DIR  — data directory
  */
 
+import './proxy-setup';   // MUST be first — see proxy-setup.ts header.
 import { createServer, type IncomingMessage, type ServerResponse } from 'node:http';
 import { readdirSync, statSync } from 'node:fs';
 import { join, resolve } from 'node:path';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aion0/forge",
-  "version": "0.10.87",
+  "version": "0.10.88",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
   "scripts": {