@ghl-ai/aw 0.1.44-beta.7 → 0.1.44-beta.9

package/c4/diagnostics.mjs

@@ -116,6 +116,12 @@ export function summarizeAsOneLine(state) {
     parts.push(`slashShim ${slashShimSummaryToken(state.slashShim.action)}`);
   }
 
+  // Proxy state — only surfaced when actually applied. Skipping the
+  // token on no-proxy harnesses keeps the summary line short.
+  if (state.proxy && state.proxy.applied && state.proxy.source) {
+    parts.push(`proxy ${state.proxy.source}`);
+  }
+
   const seconds = Number(state.durationMs ?? 0) / 1000;
   parts.push(`init ${seconds.toFixed(1)}s`);
   parts.push(state.didInit ? 'ready' : 'skipped');
@@ -484,6 +490,18 @@ export function dumpPostInitState(opts = {}) {
     lines.push('');
   }
 
+  // Proxy block (always emitted when opts.proxy is provided, so operators
+  // can confirm whether HTTPS_PROXY was honored. Codex Cloud diagnostics
+  // depends on this being present.)
+  if (opts.proxy && typeof opts.proxy === 'object') {
+    const proxy = opts.proxy;
+    lines.push('proxy:');
+    lines.push(`  applied=${proxy.applied ? 'true' : 'false'}`);
+    if (proxy.source) lines.push(`  source=${proxy.source}`);
+    if (proxy.proxyUrl) lines.push(`  url=${proxy.proxyUrl}`);
+    lines.push('');
+  }
+
   lines.push('─── end ───');
   lines.push('');
 

package/c4/gitAuth.mjs

@@ -349,12 +349,21 @@ export async function verifyAuth(mode, token, { shell = defaultShell, fetchImpl
  *   c FAIL      → 'rewrite-conflict' (the Cursor scenario)
  *   else        → 'ok'
  *
+ * Note: 'pat-invalid' is misnamed when `authStatus` is undefined (i.e. the
+ * REST `fetch()` errored out before getting an HTTP status). The Codex
+ * Cloud failure mode is exactly that: HTTPS_PROXY is set but Node fetch
+ * doesn't honor it, so the REST probe returns `{ ok:false, error:'fetch failed' }`
+ * with no status. Callers must distinguish the two by looking at
+ * `authStatus` and `lsRemoteWithAuthOk`.
+ *
  * @param {string} token
  * @param {object} [opts]
  * @returns {Promise<{
  *   apiOk: boolean,
  *   lsRemoteWithAuthOk: boolean,
  *   lsRemoteViaRewriteOk: boolean,
+ *   authStatus: number | undefined,
+ *   authError: string | undefined,
  *   diagnosis: 'ok' | 'pat-invalid' | 'rewrite-conflict' | 'helper-mismatch' | 'network'
  * }>}
  */
@@ -380,5 +389,12 @@ export async function preflightPlatformDocs(token, opts = {}) {
     diagnosis = 'ok';
   }
 
-  return { apiOk, lsRemoteWithAuthOk, lsRemoteViaRewriteOk, diagnosis };
+  return {
+    apiOk,
+    lsRemoteWithAuthOk,
+    lsRemoteViaRewriteOk,
+    authStatus: a.status,
+    authError: a.error,
+    diagnosis,
+  };
 }

package/c4/index.mjs

@@ -56,6 +56,7 @@ export { copyRepoRootInstructions } from './repoRootInstructions.mjs';
 export { ensureRepoLocalIgnore } from './repoLocalIgnore.mjs';
 export { jsonMergeWithDedup, claudeHooksMerge } from './jsonMerge.mjs';
 export { runPreflight } from './preflight.mjs';
+export { configureUndiciProxy } from './proxyConfig.mjs';
 export {
   summarizeAsOneLine,
   diagnoseAwRouterView,

package/c4/proxyConfig.mjs

@@ -0,0 +1,127 @@
+/**
+ * c4/proxyConfig.mjs — install undici proxy dispatcher from env.
+ *
+ * Why this exists:
+ *   Codex Cloud (and other corporate-MITM cloud agents) force outbound
+ *   HTTPS through a proxy via HTTPS_PROXY. Standard tools (curl, git, npm)
+ *   honor that variable transparently. Node's native fetch (undici) does
+ *   NOT honor proxy env vars before Node 24, so REST preflight in
+ *   `aw c4` fails with `fetch failed: ENETUNREACH` even though the same
+ *   PAT works fine via `git ls-remote` and `curl`.
+ *
+ *   This module reads the proxy URL from env in the documented priority
+ *   order and installs an undici ProxyAgent as the global dispatcher
+ *   exactly once at orchestrator entry. After this runs, every fetch()
+ *   call inside aw-c4 routes through the proxy.
+ *
+ * Why dynamic import:
+ *   Keeps the no-proxy fast path zero-cost (no undici namespace resolution)
+ *   and lets unit tests inject a synthetic { setGlobalDispatcher, ProxyAgent }
+ *   pair via opts.undiciImpl without going through vi.mock module-graph
+ *   plumbing.
+ *
+ * Failure isolation:
+ *   If ProxyAgent construction or setGlobalDispatcher throws, we swallow
+ *   it and report `applied: false`. A misconfigured proxy URL must NEVER
+ *   crash `aw c4` — the orchestrator continues and surfaces the failure
+ *   in diagnostics so the user can see what happened.
+ *
+ * Contract:
+ *   .aw_docs/features/aw-c4-codex-proxy-fix/spec.md::§"libs/aw/c4/proxyConfig.mjs"
+ */
+
+const PROXY_ENV_PRIORITY = Object.freeze([
+  'HTTPS_PROXY',
+  'https_proxy',
+  'HTTP_PROXY',
+  'http_proxy',
+]);
+
+/**
+ * @typedef {object} ProxyConfigResult
+ * @property {boolean} applied         True iff a global dispatcher was
+ *                                     installed successfully.
+ * @property {string|null} proxyUrl    The URL the agent was constructed
+ *                                     with, or null when no proxy env
+ *                                     var was set.
+ * @property {string|null} source      Exact env-var name the URL was
+ *                                     resolved from, or null. Useful
+ *                                     for diagnostics (so the user can
+ *                                     see "we used HTTPS_PROXY, not
+ *                                     http_proxy").
+ */
+
+/**
+ * Resolve the first non-empty proxy URL from env in priority order.
+ *
+ * @param {NodeJS.ProcessEnv} env
+ * @returns {{ url: string, source: string } | null}
+ */
+function resolveProxyFromEnv(env) {
+  for (const name of PROXY_ENV_PRIORITY) {
+    const value = env?.[name];
+    if (typeof value === 'string' && value.length > 0) {
+      return { url: value, source: name };
+    }
+  }
+  return null;
+}
+
+/**
+ * Install an undici ProxyAgent as the global fetch dispatcher when
+ * an HTTP/HTTPS proxy env var is set.
+ *
+ * Calling this with no proxy in env is safe — it returns
+ * `{ applied: false, ... }` without touching undici. Calling it twice
+ * is also safe; the second call replaces the first dispatcher.
+ *
+ * @param {NodeJS.ProcessEnv} [env]
+ * @param {object} [opts]
+ * @param {{ setGlobalDispatcher: Function, ProxyAgent: Function }} [opts.undiciImpl]
+ *   Override for tests. When omitted, undici is dynamically imported.
+ * @returns {ProxyConfigResult}
+ */
+export function configureUndiciProxy(env = process.env, opts = {}) {
+  const resolved = resolveProxyFromEnv(env);
+  if (!resolved) {
+    return { applied: false, proxyUrl: null, source: null };
+  }
+
+  const undici = opts.undiciImpl ?? loadUndiciSync();
+  if (!undici) {
+    return { applied: false, proxyUrl: resolved.url, source: resolved.source };
+  }
+
+  try {
+    const agent = new undici.ProxyAgent(resolved.url);
+    undici.setGlobalDispatcher(agent);
+    return { applied: true, proxyUrl: resolved.url, source: resolved.source };
+  } catch {
+    // ProxyAgent ctor or setGlobalDispatcher rejected the URL. The most
+    // common cause is a malformed URL ("proxy:8080" without scheme).
+    // Caller treats apply-failure same as no-proxy and continues.
+    return { applied: false, proxyUrl: resolved.url, source: resolved.source };
+  }
+}
+
+import { createRequire } from 'node:module';
+
+/**
+ * Load the bundled `undici` synchronously via createRequire so we can
+ * keep `configureUndiciProxy` synchronous (orchestrator entry must not
+ * become async just to install a dispatcher).
+ *
+ * Falls back to `null` if the import is unavailable for any reason —
+ * in which case the caller treats it as a no-op.
+ */
+let cachedUndici;
+function loadUndiciSync() {
+  if (cachedUndici !== undefined) return cachedUndici;
+  try {
+    const localRequire = createRequire(import.meta.url);
+    cachedUndici = localRequire('undici');
+  } catch {
+    cachedUndici = null;
+  }
+  return cachedUndici;
+}

package/commands/c4.mjs

@@ -210,6 +210,21 @@ export async function c4Command(rawArgs, overrides = {}) {
 
   const startTs = now();
 
+  // Step 0 — undici proxy installation.
+  // Codex Cloud (and other corporate-MITM cloud agents) force outbound
+  // HTTPS through HTTPS_PROXY. Standard tools (curl, git, npm) honor it
+  // transparently; Node's native fetch (undici) does not before Node 24.
+  // Install a global ProxyAgent dispatcher BEFORE any other step so every
+  // subsequent fetch() (preflight REST, MCP smoke probe, etc.) routes
+  // through the proxy. Defensive try/catch — proxy install failure must
+  // never crash aw-c4.
+  let proxy = { applied: false, proxyUrl: null, source: null };
+  try {
+    proxy = c4.configureUndiciProxy(env);
+  } catch (err) {
+    writer.stderr(`[aw-c4] configureUndiciProxy failed (non-fatal): ${err?.message ?? err}\n`);
+  }
+
   // Step 1 — harness detection (override wins).
   const cliHarness = args['--harness'];
   const harness = SUPPORTED_HARNESSES.includes(cliHarness) ? cliHarness : c4.detectHarness({ env }).harness;
@@ -228,6 +243,7 @@ export async function c4Command(rawArgs, overrides = {}) {
       authOk: false,
       didInit: false,
       durationMs: now() - startTs,
+      proxy,
     }) + '\n');
     return exit(0);
   }
@@ -263,6 +279,7 @@ export async function c4Command(rawArgs, overrides = {}) {
         bridge: self.view ? { ok: self.view.ok } : undefined,
         injector: self.injector ? { ok: self.injector.ok } : undefined,
         diagnose: true,
+        proxy,
       }) + '\n');
     } catch (err) {
       writer.stderr(`[aw-c4] diagnose: summary line failed: ${err?.message ?? err}\n`);
@@ -282,18 +299,39 @@ export async function c4Command(rawArgs, overrides = {}) {
   // Step 5 — preflight.
   const preflight = await c4.preflightPlatformDocs(token);
   if (preflight.diagnosis === 'pat-invalid') {
-    writer.stderr('[aw-c4] PAT invalid (REST 4xx). Refresh GITHUB_PAT and retry.\n');
-    writer.stdout(c4.summarizeAsOneLine({
-      harness,
-      hasToken: true,
-      tokenSource,
-      authOk: false,
-      didInit: false,
-      durationMs: now() - startTs,
-    }) + '\n');
-    return exit(0);
+    // Disambiguate two failure modes that both end up tagged 'pat-invalid':
+    //   (a) Real bad PAT — REST returned a 4xx HTTP status (`authStatus`
+    //       is a number). Git ls-remote also fails. Exit 0 with the
+    //       actionable "refresh PAT" message.
+    //   (b) Codex Cloud proxy gap — REST `fetch()` failed BEFORE getting
+    //       any HTTP status (`authStatus == null`, `authError` like
+    //       "fetch failed: ENETUNREACH") because Node fetch can't see
+    //       HTTPS_PROXY. Git ls-remote works (libcurl honors the proxy).
+    //       The PAT is fine; proceed with install and surface the real
+    //       cause on stderr.
+    const restStatusKnown = typeof preflight.authStatus === 'number';
+    if (!restStatusKnown && preflight.lsRemoteWithAuthOk) {
+      const cause = preflight.authError ?? 'unknown';
+      writer.stderr(
+        `[aw-c4] api.github.com unreachable from Node fetch (${cause}); ` +
+        `git auth OK, continuing.\n`,
+      );
+      // fall through into normal install flow
+    } else {
+      writer.stderr('[aw-c4] PAT invalid (REST 4xx). Refresh GITHUB_PAT and retry.\n');
+      writer.stdout(c4.summarizeAsOneLine({
+        harness,
+        hasToken: true,
+        tokenSource,
+        authOk: false,
+        didInit: false,
+        durationMs: now() - startTs,
+        proxy,
+      }) + '\n');
+      return exit(0);
+    }
   }
-  if (preflight.diagnosis !== 'ok') {
+  if (preflight.diagnosis !== 'ok' && preflight.diagnosis !== 'pat-invalid') {
     writer.stderr(`[aw-c4] preflight diagnosis: ${preflight.diagnosis} (continuing)\n`);
   }
 
@@ -306,6 +344,7 @@ export async function c4Command(rawArgs, overrides = {}) {
       authOk: preflight.diagnosis === 'ok',
       didInit: false,
       durationMs: now() - startTs,
+      proxy,
     }) + '\n');
     return exit(0);
   }
@@ -385,6 +424,7 @@ export async function c4Command(rawArgs, overrides = {}) {
     awHome,
     configPaths: [],
     slashShim: slashShim?.ok ? slashShim.value : null,
+    proxy,
   });
 
   // Step 18 — one-line summary.
@@ -399,6 +439,7 @@ export async function c4Command(rawArgs, overrides = {}) {
     injector: branch?.injector,
     mcpProbe: mcpProbe?.value?.authStatus,
     slashShim: slashShim?.ok ? slashShim.value : null,
+    proxy,
   }) + '\n');
 
   return exit(0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ghl-ai/aw",
-  "version": "0.1.44-beta.7",
+  "version": "0.1.44-beta.9",
   "description": "Agentic Workspace CLI — pull, push & manage agents, skills and commands from the registry",
   "type": "module",
   "bin": {