fix: honor HTTP_PROXY / HTTPS_PROXY / NO_PROXY env vars (#35)

Node's built-in fetch (undici) ignores proxy environment variables, so
bl always connected directly and failed with ECONNRESET behind a VPN or
corporate proxy. Install an EnvHttpProxyAgent as the global dispatcher at
startup, but only when a proxy variable is actually set — behavior is
unchanged otherwise. Lowercase variables take precedence over uppercase
(curl convention) and NO_PROXY is honored.

Values are trimmed and passed explicitly to work around undici reading
env vars with ??, where an empty lowercase variable (https_proxy="")
masks a configured uppercase one. Invalid proxy URLs fail with a clear
usage error instead of a stack trace, and the ECONNRESET hint now
suggests exporting HTTPS_PROXY.

Tests are fully offline and need no credentials: unit tests cover env
parsing, and the e2e test runs a minimal probe (setupProxyFromEnv + a
bare fetch) against a .invalid host through a local CONNECT proxy to
verify traffic routes through the proxy, NO_PROXY is honored, no
dispatcher is installed when unset, and invalid values error clearly.

Author: XXPermanentXX

packages/cli/package.json

@@ -46,7 +46,8 @@
   "dependencies": {
     "bailian-cli-core": "workspace:*",
     "boxen": "catalog:",
-    "chalk": "catalog:"
+    "chalk": "catalog:",
+    "undici": "catalog:"
   },
   "devDependencies": {
     "@clack/prompts": "^0.7.0",

packages/cli/src/error-handler.ts

@@ -80,7 +80,11 @@ function pickNetworkHint(code: string | undefined): string {
     case "ECONNREFUSED":
       return "Connection refused. Check the target host/port and proxy settings.";
     case "ECONNRESET":
-      return "Connection reset by peer. Retry, or check proxy / firewall.";
+      return (
+        "Connection reset by peer. Retry, or check proxy / firewall.\n" +
+        "If you are behind a VPN or corporate proxy, route bl through it:\n" +
+        "export HTTPS_PROXY=http://127.0.0.1:<proxy-port>"
+      );
     case "ETIMEDOUT":
       return "Connection timed out. Check your network or try a different region.";
     case "CERT_HAS_EXPIRED":

packages/cli/src/main.ts

@@ -10,6 +10,7 @@ import {
   type Region,
 } from "bailian-cli-core";
 import { ensureApiKey } from "./utils/ensure-key.ts";
+import { setupProxyFromEnv } from "./proxy.ts";
 import { handleError } from "./error-handler.ts";
 import { checkForUpdate, getPendingUpdateNotification } from "./utils/update-checker.ts";
 import { maybeShowStatusBar } from "./output/status-bar.ts";
@@ -21,6 +22,13 @@ import {
   setExecutingCommandPath,
 } from "./utils/command-help.ts";
 
+// 必须在任何 fetch 发起前安装（含 update-checker / telemetry）
+try {
+  setupProxyFromEnv();
+} catch (err) {
+  handleError(err);
+}
+
 registerCommandHelpPrinter((commandPath, out) => {
   const a = process.argv.slice(2);
   const ri = a.indexOf("--region");

packages/cli/src/proxy.ts

@@ -0,0 +1,48 @@
+import { setGlobalDispatcher, EnvHttpProxyAgent } from "undici";
+import { BailianError, ExitCode } from "bailian-cli-core";
+
+export interface ProxyEnv {
+  httpProxy?: string;
+  httpsProxy?: string;
+  noProxy?: string;
+}
+
+function pick(env: NodeJS.ProcessEnv, ...keys: string[]): string | undefined {
+  for (const key of keys) {
+    const value = env[key]?.trim();
+    if (value) return value;
+  }
+  return undefined;
+}
+
+/**
+ * 读取代理环境变量（小写优先，与 curl 约定一致）。
+ * 空白值视为未设置——undici 自身用 `??` 取值，空字符串的小写变量会屏蔽
+ * 已设置的大写变量，这里统一清洗后显式传入，绕开该坑。
+ */
+export function readProxyEnv(env: NodeJS.ProcessEnv = process.env): ProxyEnv {
+  return {
+    httpProxy: pick(env, "http_proxy", "HTTP_PROXY"),
+    httpsProxy: pick(env, "https_proxy", "HTTPS_PROXY"),
+    noProxy: pick(env, "no_proxy", "NO_PROXY"),
+  };
+}
+
+// Node 内置 fetch（undici）默认不读取代理环境变量，VPN / 公司代理环境下会
+// 绕过代理直连而被拦截（见 issue #35）。仅当用户显式设置了 HTTP_PROXY /
+// HTTPS_PROXY 时才安装代理 dispatcher（同时支持 NO_PROXY），未设置时不触碰
+// 全局 dispatcher，行为与之前完全一致。
+export function setupProxyFromEnv(): void {
+  const { httpProxy, httpsProxy, noProxy } = readProxyEnv();
+  if (!httpProxy && !httpsProxy) return;
+  try {
+    setGlobalDispatcher(new EnvHttpProxyAgent({ httpProxy, httpsProxy, noProxy }));
+  } catch (err) {
+    throw new BailianError(
+      `Invalid proxy configuration: ${err instanceof Error ? err.message : String(err)}`,
+      ExitCode.USAGE,
+      "Check HTTP_PROXY / HTTPS_PROXY values, e.g. export HTTPS_PROXY=http://127.0.0.1:7890",
+      { cause: err },
+    );
+  }
+}

packages/cli/tests/e2e/proxy.e2e.test.ts

@@ -0,0 +1,124 @@
+import { execFile } from "child_process";
+import { createServer, type Server } from "http";
+import { mkdtempSync, rmSync, writeFileSync } from "fs";
+import type { AddressInfo } from "net";
+import { tmpdir } from "os";
+import { join } from "path";
+import { promisify } from "util";
+import { afterAll, beforeAll, describe, expect, test } from "vite-plus/test";
+import { cliPackageRoot } from "./helpers.ts";
+
+const execFileAsync = promisify(execFile);
+
+/**
+ * 代理支持 E2E（issue #35）：只验证 `setupProxyFromEnv()` 是否把代理 dispatcher
+ * 正确装到全局 fetch 上——设了 HTTPS_PROXY 后裸 `fetch()` 走代理，未设置时直连，
+ * NO_PROXY 命中时跳过，非法代理值给出明确报错。
+ *
+ * 不经过任何 CLI 命令（不解析凭证、不打 gateway），因此 CI 上无需 api key /
+ * access token，与既有 e2e 设计一致。全程离线：目标域名用 `.invalid`（保留顶级域，
+ * 必然无法解析），代理收到 CONNECT 后规范返回 502，不产生真实外网请求。
+ */
+
+const FAKE_HOST = "bl-proxy-e2e.invalid";
+const FAKE_URL = `https://${FAKE_HOST}/probe`;
+
+/**
+ * 最小探针脚本：调用真实的 `setupProxyFromEnv()`，再对目标发一个普通 fetch。
+ * 代理行为由进程环境变量决定，正是被测对象；fetch 成败不重要，我们只看代理是否收到 CONNECT。
+ */
+const PROBE_SCRIPT = `
+import { setupProxyFromEnv } from ${JSON.stringify(join(cliPackageRoot, "src", "proxy.ts"))};
+setupProxyFromEnv();
+try {
+  await fetch(${JSON.stringify(FAKE_URL)}, { signal: AbortSignal.timeout(5000) });
+} catch {
+  // 目标不可达/隧道被拒都正常——本测试只关心代理是否收到 CONNECT
+}
+`;
+
+let proxy: Server;
+let proxyUrl: string;
+let scriptDir: string;
+let scriptPath: string;
+const connectTargets: string[] = [];
+
+beforeAll(async () => {
+  proxy = createServer();
+  // 记录收到的 CONNECT 目标（host:port），并以 502 拒绝隧道
+  proxy.on("connect", (req, clientSocket) => {
+    connectTargets.push(req.url ?? "");
+    clientSocket.end("HTTP/1.1 502 Bad Gateway\r\n\r\n");
+  });
+  await new Promise<void>((resolve) => proxy.listen(0, "127.0.0.1", resolve));
+  proxyUrl = `http://127.0.0.1:${(proxy.address() as AddressInfo).port}`;
+
+  scriptDir = mkdtempSync(join(tmpdir(), "bl-proxy-e2e-"));
+  scriptPath = join(scriptDir, "probe.ts");
+  writeFileSync(scriptPath, PROBE_SCRIPT);
+});
+
+afterAll(async () => {
+  await new Promise<void>((resolve) => proxy.close(() => resolve()));
+  rmSync(scriptDir, { recursive: true, force: true });
+});
+
+/** 清空所有代理相关环境变量，确保每个用例只受自身设置影响 */
+const PROXY_ENV_CLEARED = {
+  HTTPS_PROXY: "",
+  https_proxy: "",
+  HTTP_PROXY: "",
+  http_proxy: "",
+  NO_PROXY: "",
+  no_proxy: "",
+};
+
+/** 以给定代理环境变量运行探针脚本，返回 { exitCode, stderr } */
+async function runProbe(
+  envOverrides: NodeJS.ProcessEnv,
+): Promise<{ exitCode: number; stderr: string }> {
+  try {
+    await execFileAsync("node", [scriptPath], {
+      cwd: cliPackageRoot,
+      encoding: "utf8",
+      env: { ...process.env, NODE_NO_WARNINGS: "1", ...PROXY_ENV_CLEARED, ...envOverrides },
+    });
+    return { exitCode: 0, stderr: "" };
+  } catch (err: unknown) {
+    const e = err as { stderr?: string; code?: number };
+    return { exitCode: typeof e.code === "number" ? e.code : 1, stderr: e.stderr ?? "" };
+  }
+}
+
+describe("e2e: proxy", () => {
+  test("设置 HTTPS_PROXY 后 fetch 经过代理（CONNECT 到目标主机）", async () => {
+    connectTargets.length = 0;
+    await runProbe({ HTTPS_PROXY: proxyUrl });
+    expect(connectTargets).toContain(`${FAKE_HOST}:443`);
+  });
+
+  test("空字符串小写变量不屏蔽大写 HTTPS_PROXY（undici ?? 取值回归）", async () => {
+    connectTargets.length = 0;
+    await runProbe({ https_proxy: "", HTTPS_PROXY: proxyUrl });
+    expect(connectTargets).toContain(`${FAKE_HOST}:443`);
+  });
+
+  test("NO_PROXY 命中目标主机时不走代理", async () => {
+    connectTargets.length = 0;
+    await runProbe({ HTTPS_PROXY: proxyUrl, NO_PROXY: FAKE_HOST });
+    expect(connectTargets.filter((t) => t.startsWith(FAKE_HOST))).toEqual([]);
+  });
+
+  test("未设置代理变量时保持直连（代理收不到任何流量）", async () => {
+    connectTargets.length = 0;
+    await runProbe({});
+    expect(connectTargets).toEqual([]);
+  });
+
+  test("代理 URL 非法时给出明确报错而非堆栈", async () => {
+    const { exitCode, stderr } = await runProbe({ HTTPS_PROXY: "::::not-a-url" });
+    expect(exitCode).not.toBe(0);
+    expect(stderr).toMatch(/Invalid proxy configuration/);
+    expect(stderr).toMatch(/HTTPS_PROXY/);
+  });
+});

packages/cli/tests/proxy.test.ts

@@ -0,0 +1,42 @@
+import { expect, test } from "vite-plus/test";
+import { readProxyEnv } from "../src/proxy.ts";
+
+test("readProxyEnv: 未设置任何代理变量时全部为 undefined", () => {
+  expect(readProxyEnv({})).toEqual({
+    httpProxy: undefined,
+    httpsProxy: undefined,
+    noProxy: undefined,
+  });
+});
+
+test("readProxyEnv: 空白值视为未设置", () => {
+  expect(readProxyEnv({ HTTPS_PROXY: "", HTTP_PROXY: "   ", NO_PROXY: "" })).toEqual({
+    httpProxy: undefined,
+    httpsProxy: undefined,
+    noProxy: undefined,
+  });
+});
+
+test("readProxyEnv: 大小写变量均可识别，小写优先", () => {
+  expect(readProxyEnv({ HTTPS_PROXY: "http://upper:1" }).httpsProxy).toBe("http://upper:1");
+  expect(readProxyEnv({ https_proxy: "http://lower:1" }).httpsProxy).toBe("http://lower:1");
+  expect(
+    readProxyEnv({ https_proxy: "http://lower:1", HTTPS_PROXY: "http://upper:1" }).httpsProxy,
+  ).toBe("http://lower:1");
+});
+
+test("readProxyEnv: 空字符串小写变量不屏蔽已设置的大写变量", () => {
+  expect(readProxyEnv({ https_proxy: "", HTTPS_PROXY: "http://upper:1" }).httpsProxy).toBe(
+    "http://upper:1",
+  );
+  expect(readProxyEnv({ http_proxy: "", HTTP_PROXY: "http://upper:2" }).httpProxy).toBe(
+    "http://upper:2",
+  );
+});
+
+test("readProxyEnv: NO_PROXY 独立读取", () => {
+  const r = readProxyEnv({ NO_PROXY: "*.aliyuncs.com" });
+  expect(r.noProxy).toBe("*.aliyuncs.com");
+  expect(r.httpProxy).toBeUndefined();
+  expect(r.httpsProxy).toBeUndefined();
+});

pnpm-lock.yaml

@@ -8,6 +8,7 @@ catalog:
   boxen: ^8.0.1
   chalk: ^5.6.2
   typescript: ^5
+  undici: ^8.4.1
   vite: npm:@voidzero-dev/vite-plus-core@latest
   vite-plus: latest
   vitest: npm:@voidzero-dev/vite-plus-test@latest