feat: protocol-aware proxy validation with HTTPS support#72
Closed
Cainiaooo wants to merge 60 commits intonmhjklnm:masterfrom
Closed
feat: protocol-aware proxy validation with HTTPS support#72Cainiaooo wants to merge 60 commits intonmhjklnm:masterfrom
Cainiaooo wants to merge 60 commits intonmhjklnm:masterfrom
Conversation
Comprehensive evaluation of current Windows support status including: - Completed capabilities checklist (14 items) - 6 known issues with severity ratings and recommendations - Priority action plan with effort/impact matrix - Suggested testing checklist for Windows validation
- Dynamic npm prefix detection in install-local-win.ps1 (supports nvm-windows/fnm/volta) - Add disown fallback (2>/dev/null || true) for Git Bash edge cases in relay - Block Docker mode on Windows with clear error message - Update windows-support-assessment.md to reflect resolved status Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix: resolve 3 Windows support issues and update assessment
Three Windows support fixes discovered during a review of the 2026-04-10
assessment report.
1. IPv6 detection locale safety (src/cmd_check.sh)
Previously matched grep -ci "IPv6 Address" against ipconfig.exe output,
which silently returned 0 on Chinese ("IPv6 地址"), Japanese ("IPv6
アドレス"), and other localized Windows installs — causing cac env
check to display "no global address" even when a real public IPv6 was
present. A silent privacy regression in a privacy tool.
Fix: match the IPv6 global unicast address pattern (2000::/3) directly
instead of the localized label. The 4-hex-char anchor in the first
group prevents false positives on DHCP time strings like "23:30:00".
2. install-local-win.ps1 npm prefix detection
Hardcoded %APPDATA%\npm, which broke for users on nvm-windows, fnm,
volta, or Scoop (their npm global bin lives elsewhere and is not in
PATH). Now resolves dynamically via "npm config get prefix", with a
fallback to %APPDATA%\npm if npm itself is unavailable.
3. src/mtls.sh _openssl() helper
Removed /c/Development/Git/mingw64/bin/openssl.exe — a contributor's
personal install path that was dead code for every other user. The
candidate list now only contains standard Git for Windows and MSYS2
locations. tests/test-windows.sh T18 updated accordingly.
Rebuilt cac via build.sh. tests/test-windows.sh shows 28 pass / 2 fail,
where the 2 failures (T06, T19) are pre-existing and unrelated to this
change — see docs/windows/known-issues.md for details.
- CLAUDE.md: note that shim-bin/ is Unix-only on Windows; add coding style section and test commands - README.md: rewrite Windows sections (CN + EN) for clarity; add update-sync instructions for both npm-install and local-checkout users; add Windows known limitations section; restructure install/uninstall flow - docs/windows/windows-support-assessment.md: bump completion to 92-95%, mark 5 items as RESOLVED, add 2 new resolved entries (IPv6 localization, mtls personal path) - docs/windows/known-issues.md: new doc covering T06/T19 pre-existing test failures and relay disown lifecycle on Git Bash (with full reproduction steps and suggested fixes) - docs/windows/ipv6-test-guide.md: new doc with 6 test scenarios (unit + end-to-end), Git Bash / PowerShell / CMD equivalents, and regression checklist Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fix(windows): IPv6 locale fix, installer cleanup, docs refresh
# Conflicts: # README.md
feat(claude): add env auto-update management
…ogic - Fix $? being clobbered by `local` in _claude_env_auto_update_on_activate, ensuring non-interactive (rc=2) fallback paths work correctly - Strip pre-release suffix in _claude_version_is_newer before numeric sort - Move _timer_start after auto-update check to avoid download time pollution - Filter non-semver dirs in _claude_unused_versions to prevent accidental prune Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ogic - Fix $? being clobbered by `local` in _claude_env_auto_update_on_activate, ensuring non-interactive (rc=2) fallback paths work correctly - Strip pre-release suffix in _claude_version_is_newer before numeric sort - Move _timer_start after auto-update check to avoid download time pollution - Filter non-semver dirs in _claude_unused_versions to prevent accidental prune Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pre-1.5.5 installs left ~/.cac/bin/claude (bash) without claude.cmd, never added cac/bin to User PATH, and never created ~/.bashrc on Windows — so typing `claude` hit the real binary directly, leaving CLAUDE_CONFIG_DIR unset and skipping the proxy preflight. The wrapper template also called _tcp_check / _native_path / _count_claude_processes without defining them, which would crash any wrapper that did get invoked under set -euo pipefail. - inline _native_path / _tcp_check / _count_claude_processes into the wrapper template (standalone script, can't source utils.sh) - _ensure_initialized: regenerate wrapper + re-add PATH when claude.cmd is missing on Windows, even if CAC_WRAPPER_VER matches - _add_to_user_path: prepend (and dedupe) so cac wins over ~/.local/bin - _write_path_to_rc: touch ~/.bashrc on Windows when no rc file exists - bump CAC_VERSION 1.5.4 → 1.5.5 so existing installs auto-upgrade - tests/test-windows.sh T04/T05: allow /dev/tcp and pgrep inside the inlined wrapper helpers in templates.sh Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…NODE_OPTIONS Two regressions in the Windows wrapper: 1. _version_binary was called in the wrapper heredoc but only defined in src/utils.sh. The wrapper is a standalone script — helpers must be inlined. Inline it next to the other helpers. 2. NODE_OPTIONS / BUN_OPTIONS paths were built with cygpath -w, producing C:\Users\... Node's options parser treats '\' as an escape character and silently strips the backslashes, leaving "C:UsersAdmin.cacfingerprint-hook.js" and failing with "preload not found". Add _node_require_path using cygpath -m (mixed mode, forward slashes) for the two require/preload injections only; other env vars keep _native_path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…l .cmd shim issue The previous approach called npm via Get-Command .Source which returns a .cmd path; PowerShell mishandles arguments to .cmd files in some setups, returning "Unknown command" instead of the prefix path. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…aller-docs Brings in auto-update logic fixes: pre-release version comparison, non-interactive prompt fallback, and unused version cleanup filter. Resolved README.md conflicts by keeping bilingual structure and incorporating autoupdate command documentation. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Explain the steps and common pitfalls (stale build, JS sync) for users who already have cac installed and are updating to a new version. Covers both Chinese and English sections. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
MSYS2/Git Bash converts -subj "/CN=..." path-like strings into Windows paths, causing certificate generation to fail silently. Set MSYS_NO_PATHCONV=1 before invoking OpenSSL on Windows. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…l .cmd shim issue The previous approach called npm via Get-Command .Source which returns a .cmd path; PowerShell mishandles arguments to .cmd files in some setups, returning "Unknown command" instead of the prefix path. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Explain the steps and common pitfalls (stale build, JS sync) for users who already have cac installed and are updating to a new version. Covers both Chinese and English sections. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
MSYS2/Git Bash converts -subj "/CN=..." path-like strings into Windows paths, causing certificate generation to fail silently. Set MSYS_NO_PATHCONV=1 before invoking OpenSSL on Windows. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…tions - Replace rm commands with reactivation-based auto-repair flow - Add Git Bash troubleshooting for WSL confusion - Add mTLS cert backfill explanation - Sync both Chinese and English sections Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
MSYS_NO_PATHCONV=1 fixes -subj path mangling but breaks file path resolution for MinGW OpenSSL (/c/Users/... becomes unrecognizable). Add _openssl_path helper using cygpath -w to convert all file paths passed to OpenSSL, including cert generation and verification. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replace simple TCP port check with protocol-level validation that verifies the proxy actually processes CONNECT/SOCKS5 requests instead of just listening on a port. Also adds HTTPS upstream proxy support to relay.js. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
添加了协议感知的代理验证 (_proxy_check),支持 HTTP/SOCKS5/HTTPS,同时 relay.js 也支持了 HTTPS