`session.create` fails with "fetch failed" in SDK headless mode behind corporate proxy (v1.0.36)

[mohan3006]

Describe the bug

When using @github/copilot-sdk v0.3.0 (CLI v1.0.36) in headless mode behind a corporate HTTP proxy, session.create fails with "fetch failed". The CLI subprocess receives all proxy env vars correctly, and standalone undici 7.22 can reach api.github.com through the same proxy from the same container — but the CLI's internal fetch ignores the proxy.

This is a regression from CLI v0.0.394 where the same setup worked.

Key evidence

1. Standalone undici works — from inside the Docker container:

   undici version: 7.22.0
   Status: 200
   Body: {"login":"...", "copilot_plan":"copilot_for_business"...}
   

2. curl works — through the same proxy:

   curl -x http://proxy:443 https://api.github.com/copilot_internal/user → 200
   

3. CLI subprocess gets proxy env — confirmed by intercepting child_process.spawn:

   SPAWN command: node /app/node_modules/@github/copilot/index.js --headless --no-auto-update
   SPAWN HTTPS_PROXY: http://proxy:443
   SPAWN HTTP_PROXY: http://proxy:443
   SPAWN NODE_TLS_REJECT_UNAUTHORIZED: 0
   SPAWN env: COPILOT_SDK_AUTH_TOKEN = gho_xxx...
   

4. CLI fails anyway:

   FAILED: Request session.create failed with message: fetch failed
   

5. No TLS MITM — the proxy does transparent CONNECT (real *.github.com cert from Sectigo, not a proxy-injected cert):

   subject=CN = *.github.com
   issuer=C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV E36
   

6. NODE_EXTRA_CA_CERTS doesn't help — tested with the full cert chain, same result

Version comparison

Component	Working	Broken
@github/copilot-sdk	0.1.19	0.3.0
@github/copilot CLI	0.0.394	1.0.36
Node.js	v22.22.0	v22.22.0
Result	Sessions work	"fetch failed"

Affected version

GitHub Copilot CLI 1.0.36

Steps to reproduce the behavior

1. Run in a Docker container with HTTPS_PROXY set to a corporate HTTP CONNECT proxy
2. Install @github/copilot-sdk@0.3.0 + @github/copilot@1.0.36
3. Create a CopilotClient with gitHubToken and start it:

   const { CopilotClient } = require("@github/copilot-sdk");
   const client = new CopilotClient({ gitHubToken: token, useLoggedInUser: false });
   await client.start();

4. Call createSession with gitHubToken:

   const session = await client.createSession({
     model: "gpt-4o",
     gitHubToken: token,
     streaming: false,
     systemMessage: { content: "Be brief." },
     onPermissionRequest: () => ({ result: "allow" }),
   });

5. Observe: Request session.create failed with message: fetch failed

Expected behavior

session.create should respect HTTPS_PROXY / HTTP_PROXY environment variables for its internal auth fetch to api.github.com, the same way standalone undici 7.22 does from the same container.

Additional context

• Environment: Docker (node:22-alpine), Linux x86_64
• Proxy: Corporate HTTP CONNECT proxy on port 443, no TLS interception
• Use case: Server-side SDK integration for automated coding agent (not interactive CLI)
• The specific failing path in CLI: resolveSessionAuth() → internal token validation fetch to api.github.com/copilot_internal/user — this fetch does not go through the proxy
• Startup auth also fails silently: client.start() → trySdkTokenLogin() → same fetch failure, but caught silently. CLI boots with no auth. The session-level auth then fails loudly.
• BYOK provider works: Using provider: { type: "openai", baseUrl: "https://api.business.githubcopilot.com", bearerToken: token } in createSession bypasses the failing fetch and works — but only for GPT models (Claude/Gemini not available via this endpoint)
• Related issues: GitHub Copilot CLI fails with "fetch failed" error in corporate environments with SSL inspection #333, web_fetch and auto-update fail with TypeError: fetch failed behind corporate proxy #2395, Failed to list available models due to duplicate CA certificates from combined system and bundled certs #869
• Workaround: Downgrade to @github/copilot-sdk@0.1.19 / @github/copilot@0.0.394