fix(memory): apply env proxy guard to withRemoteHttpResponse

[XIYBHK]

Summary

• Problem: withRemoteHttpResponse() calls fetchWithSsrFGuard() without setting a mode, defaulting to STRICT. In strict mode, local DNS pre-resolution via dns.lookup() runs before the HTTP request, which fails with getaddrinfo ENOTFOUND in proxy environments where DNS must go through the proxy.
• Why it matters: Memory embeddings are completely unusable for users behind HTTP proxies (Clash TUN fake-IP, corporate proxies with DNS-over-proxy), even though all other proxy-aware code paths work correctly on the same machine.
• What changed: withRemoteHttpResponse() now checks hasProxyEnvConfigured() and, when true, wraps fetch options with withTrustedEnvProxyGuardedFetchMode() so fetchWithSsrFGuard() uses EnvHttpProxyAgent instead of pinned DNS.
• What did NOT change: Non-proxy environments still get the default strict SSRF guard behavior. No changes to fetchWithSsrFGuard() itself, SSRF policy, or any other code path.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: memory_search remote embeddings fail with ENOTFOUND when env proxy is configured — withRemoteHttpResponse skips TRUSTED_ENV_PROXY mode #52162

User-visible / Behavior Changes

openclaw memory status --deep and openclaw memory search now work correctly when environment proxy variables (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are configured and local DNS cannot resolve the embedding provider hostname.

Security Impact (required)

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No — same fetchWithSsrFGuard is used, only the mode changes from STRICT to TRUSTED_ENV_PROXY when env proxy is detected, which is the same pattern already used by fetchWithWebToolsNetworkGuard in src/agents/tools/web-guarded-fetch.ts.
• Command/tool execution surface changed? No
• Data access scope changed? No

Repro + Verification

Environment

• OS: Windows 11 Pro 10.0.22631
• Runtime: Node.js via npm global install
• Model/provider: openai/text-embedding-3-small (remote OpenAI-compatible endpoint)
• Relevant config: HTTPS_PROXY=http://127.0.0.1:7890 (Clash TUN with fake-IP mode)

Steps

1. Configure HTTPS_PROXY env var pointing to an HTTP proxy
2. Use a proxy setup where local DNS cannot resolve the embedding provider hostname (e.g. Clash TUN fake-IP)
3. Run openclaw memory status --deep --agent main

Expected

Embeddings status shows as available

Actual (before fix)

getaddrinfo ENOTFOUND <hostname> — Embeddings: unavailable

Evidence

• Trace/log snippets — see issue [Bug]: memory_search remote embeddings fail with ENOTFOUND when env proxy is configured — withRemoteHttpResponse skips TRUSTED_ENV_PROXY mode #52162 for full reproduction logs
• Failing test/log before + passing after — existing unit tests pass (post-json.test.ts, embeddings-remote-fetch.test.ts); TypeScript type check passes

Human Verification (required)

• Verified scenarios: Code review confirmed the fix follows the exact same pattern as fetchWithWebToolsNetworkGuard in src/agents/tools/web-guarded-fetch.ts (line 46-48). Unit tests and type check pass.
• Edge cases checked: When no proxy env is configured, hasProxyEnvConfigured() returns false and behavior is unchanged (default strict mode).
• What you did not verify: End-to-end test in a Clash TUN environment (do not have the setup in CI). Manual verification by the reporter would be appreciated.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? No
• Migration needed? No

Failure Recovery (if this breaks)

• How to revert: Revert the single commit; withRemoteHttpResponse() goes back to calling fetchWithSsrFGuard() without a mode.
• Known bad symptoms: If TRUSTED_ENV_PROXY mode somehow causes issues, embedding requests may fail differently (proxy errors instead of DNS errors). Reverting restores previous behavior.

Risks and Mitigations

• Risk: In TRUSTED_ENV_PROXY mode, SSRF DNS pinning is bypassed for the embedding endpoint when a proxy is configured, relying on the proxy for network-level access control.
  • Mitigation: This is the same trade-off already accepted for web tool fetches (web-guarded-fetch.ts). The SSRF policy (allowed hostnames from buildRemoteBaseUrlPolicy) is still validated by resolvePinnedHostnameWithPolicy before the mode branch. The proxy itself provides the network boundary.

---

This PR was prepared with AI assistance (Claude Code). The change was code-reviewed and the pattern was verified against the existing proxy-aware code path in web-guarded-fetch.ts.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 42db2bf351

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Skip the pre-DNS lookup before enabling trusted proxy mode

withTrustedEnvProxyGuardedFetchMode() only changes mode, but fetchWithSsrFGuard() still unconditionally calls resolvePinnedHostnameWithPolicy() before the mode check (src/infra/net/fetch-guard.ts:192-199). That resolver always performs dns.lookup() (src/infra/net/ssrf.ts:310-335), so the fake-IP / DNS-over-proxy setups described in this commit will still fail with ENOTFOUND before EnvHttpProxyAgent is even created. In other words, this branch changes the dispatcher after the failing local-resolution step, so memory status --deep and memory search remain broken for the reported proxy environments.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Require a real HTTP(S) proxy before switching modes

hasProxyEnvConfigured() is broader than the transport selected here: it returns true for ALL_PROXY and any non-empty proxy var, while EnvHttpProxyAgent only honors HTTP(S) proxy vars with per-protocol semantics (src/infra/net/proxy-env.ts:28-55, and src/infra/net/proxy-env.test.ts:69-80). With only ALL_PROXY set—or with an http:// memory endpoint plus only HTTPS_PROXY—this code still enters trusted_env_proxy mode, drops the pinned dispatcher, and then makes a direct request. That means a sizable set of proxy configurations still will not work, and in the ALL_PROXY case the request can bypass the user's proxy entirely when local DNS happens to resolve.

Useful? React with 👍 / 👎.

[greptile-apps]

Greptile Summary

This PR fixes memory embedding failures for users behind HTTP proxies by applying the same proxy-env guard already used in the web-tools fetch path. withRemoteHttpResponse() now calls fetchWithSsrFGuard with TRUSTED_ENV_PROXY mode (via withTrustedEnvProxyGuardedFetchMode) when hasProxyEnvConfigured() is true, causing undici's EnvHttpProxyAgent to be used instead of the default DNS-pinned strict dispatcher.

• The one-line logic change mirrors fetchWithWebToolsNetworkGuard in src/agents/tools/web-guarded-fetch.ts exactly — it's the established pattern for proxy-aware fetches in this codebase.
• SSRF hostname policy (from buildRemoteBaseUrlPolicy) is still validated through resolvePinnedHostnameWithPolicy; only the downstream dispatcher changes.
• Non-proxy environments are unaffected: hasProxyEnvConfigured() returns false and the original strict-mode path is taken.
• Worth noting: resolvePinnedHostnameWithPolicy performs a dns.lookup() unconditionally in fetchWithSsrFGuard before the mode branch is evaluated. The fix therefore resolves the case where Clash TUN fake-IP DNS returns private-range IPs that are then SSRF-blocked, but will not help in environments where local DNS completely fails to resolve the hostname (ENOTFOUND). That is a pre-existing limitation shared with all TRUSTED_ENV_PROXY callers and is out of scope for this PR.

Confidence Score: 4/5

• Safe to merge; change is minimal, pattern-consistent, and doesn't weaken SSRF enforcement.
• The fix is a well-scoped two-import / one-conditional change that directly mirrors the existing proxy-aware code path in web-guarded-fetch.ts. SSRF policy validation is preserved, non-proxy environments are unaffected, and existing unit tests cover the changed surface. The one P2 observation (that resolvePinnedHostnameWithPolicy still performs a DNS lookup before the mode branch, so true ENOTFOUND scenarios may not be fully resolved) is a pre-existing infrastructure limitation rather than a regression introduced here.
• No files require special attention.

Prompt To Fix All With AI

This is a comment left during a code review.
Path: src/memory/remote-http.ts
Line: 39-41

Comment:
**Fix covers SSRF-blocked fake-IPs but may not resolve true DNS failures**

The PR description states the root cause is `getaddrinfo ENOTFOUND` — DNS truly failing to resolve the embedding-provider hostname. However, looking at `fetchWithSsrFGuard` in `fetch-guard.ts` (lines 192–201), `resolvePinnedHostnameWithPolicy` is called **unconditionally before** the mode branch is evaluated:

```typescript
// fetch-guard.ts — runs in both STRICT and TRUSTED_ENV_PROXY modes
const pinned = await resolvePinnedHostnameWithPolicy(parsedUrl.hostname, {
  lookupFn: params.lookupFn,
  policy: params.policy,
});
const canUseTrustedEnvProxy =
  mode === GUARDED_FETCH_MODE.TRUSTED_ENV_PROXY && hasProxyEnvConfigured();
```

`resolvePinnedHostnameWithPolicy` always calls `dnsLookup` (see `ssrf.ts` line 332), so if the OS cannot resolve the hostname at all (`ENOTFOUND`), the error is thrown before `EnvHttpProxyAgent` is ever used — in both modes.

The fix **does** correctly handle the more common Clash TUN fake-IP scenario where DNS resolves to a private range IP (e.g. `198.18.x.x`) that would be blocked by the SSRF Phase-2 check in strict mode. With `allowedHostnames` matching the configured hostname, `skipPrivateNetworkChecks` becomes `true`, the Phase-2 check is skipped, and `EnvHttpProxyAgent` routes the request through the proxy.

If there are environments where local DNS cannot resolve the hostname at all (e.g. certain corporate split-DNS setups), users would still hit `ENOTFOUND`. Skipping `resolvePinnedHostnameWithPolicy` (or making its DNS step conditional on `canUseTrustedEnvProxy`) in `fetch-guard.ts` would be required to address that scenario — but that's out of scope for this PR and the same limitation already exists in the web-tools proxy path.

How can I resolve this? If you propose a fix, please make it concise.

_{Reviews (1): Last reviewed commit: "fix(memory): apply proxy guard to withRe..." | Re-trigger Greptile}

[greptile-apps]

Fix covers SSRF-blocked fake-IPs but may not resolve true DNS failures

The PR description states the root cause is getaddrinfo ENOTFOUND — DNS truly failing to resolve the embedding-provider hostname. However, looking at fetchWithSsrFGuard in fetch-guard.ts (lines 192–201), resolvePinnedHostnameWithPolicy is called unconditionally before the mode branch is evaluated:

// fetch-guard.ts — runs in both STRICT and TRUSTED_ENV_PROXY modes
const pinned = await resolvePinnedHostnameWithPolicy(parsedUrl.hostname, {
  lookupFn: params.lookupFn,
  policy: params.policy,
});
const canUseTrustedEnvProxy =
  mode === GUARDED_FETCH_MODE.TRUSTED_ENV_PROXY && hasProxyEnvConfigured();

resolvePinnedHostnameWithPolicy always calls dnsLookup (see ssrf.ts line 332), so if the OS cannot resolve the hostname at all (ENOTFOUND), the error is thrown before EnvHttpProxyAgent is ever used — in both modes.

The fix does correctly handle the more common Clash TUN fake-IP scenario where DNS resolves to a private range IP (e.g. 198.18.x.x) that would be blocked by the SSRF Phase-2 check in strict mode. With allowedHostnames matching the configured hostname, skipPrivateNetworkChecks becomes true, the Phase-2 check is skipped, and EnvHttpProxyAgent routes the request through the proxy.

If there are environments where local DNS cannot resolve the hostname at all (e.g. certain corporate split-DNS setups), users would still hit ENOTFOUND. Skipping resolvePinnedHostnameWithPolicy (or making its DNS step conditional on canUseTrustedEnvProxy) in fetch-guard.ts would be required to address that scenario — but that's out of scope for this PR and the same limitation already exists in the web-tools proxy path.

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/memory/remote-http.ts
Line: 39-41

Comment:
**Fix covers SSRF-blocked fake-IPs but may not resolve true DNS failures**

The PR description states the root cause is `getaddrinfo ENOTFOUND` — DNS truly failing to resolve the embedding-provider hostname. However, looking at `fetchWithSsrFGuard` in `fetch-guard.ts` (lines 192–201), `resolvePinnedHostnameWithPolicy` is called **unconditionally before** the mode branch is evaluated:

```typescript
// fetch-guard.ts — runs in both STRICT and TRUSTED_ENV_PROXY modes
const pinned = await resolvePinnedHostnameWithPolicy(parsedUrl.hostname, {
  lookupFn: params.lookupFn,
  policy: params.policy,
});
const canUseTrustedEnvProxy =
  mode === GUARDED_FETCH_MODE.TRUSTED_ENV_PROXY && hasProxyEnvConfigured();
```

`resolvePinnedHostnameWithPolicy` always calls `dnsLookup` (see `ssrf.ts` line 332), so if the OS cannot resolve the hostname at all (`ENOTFOUND`), the error is thrown before `EnvHttpProxyAgent` is ever used — in both modes.

The fix **does** correctly handle the more common Clash TUN fake-IP scenario where DNS resolves to a private range IP (e.g. `198.18.x.x`) that would be blocked by the SSRF Phase-2 check in strict mode. With `allowedHostnames` matching the configured hostname, `skipPrivateNetworkChecks` becomes `true`, the Phase-2 check is skipped, and `EnvHttpProxyAgent` routes the request through the proxy.

If there are environments where local DNS cannot resolve the hostname at all (e.g. certain corporate split-DNS setups), users would still hit `ENOTFOUND`. Skipping `resolvePinnedHostnameWithPolicy` (or making its DNS step conditional on `canUseTrustedEnvProxy`) in `fetch-guard.ts` would be required to address that scenario — but that's out of scope for this PR and the same limitation already exists in the web-tools proxy path.

How can I resolve this? If you propose a fix, please make it concise.

[XIYBHK]

Thanks for the thorough analysis, @greptile-apps.

Re: the P2 observation on unconditional dns.lookup() — Agreed. resolvePinnedHostnameWithPolicy runs before the mode branch in fetchWithSsrFGuard, so true ENOTFOUND (where local DNS cannot resolve the hostname at all) would still fail. This PR targets the more common Clash TUN fake-IP scenario where DNS resolves to a private-range IP that gets SSRF-blocked in strict mode. Making the DNS step conditional on canUseTrustedEnvProxy would be a separate change to fetchWithSsrFGuard itself and is out of scope here — consistent with the existing behavior of fetchWithWebToolsNetworkGuard.

Re: CI failures — The 2 failing jobs (checks (node, test, 2, 2) and checks-windows (node, test, 6, 6)) are both src/plugin-sdk/subpaths.test.ts > keeps runtime entry subpaths importable failing with Cannot find module dist/plugin-sdk/core.js. This is a pre-existing issue on main (recent CI runs on main also show failure) and is unrelated to this PR's change.

[greptile-apps]

Good clarification on both points.

On the P2 DNS observation: Makes sense to keep this scoped. The Clash TUN fake-IP → private IP → SSRF block is the real-world failure mode you're fixing, and making DNS conditional on proxy mode would indeed be a broader change to fetchWithSsrFGuard. Your fix addresses the immediate blocker without expanding the blast radius.

On CI failures: Acknowledged. If those subpath tests are failing on main, that's a separate issue. The changes here (withRemoteHttpResponse + guard logic) don't touch plugin SDK subpaths, so no reason to block this on unrelated CI noise.

The approach is sound — you're applying the same pattern already validated in web-guarded-fetch.ts, keeping the SSRF policy checks intact, and only swapping the mode when env proxy is detected. Merging this will unblock proxy users for embeddings without changing behavior for non-proxy setups.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5919180e75

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Move trusted-proxy branch before pinned DNS resolution

Fresh evidence from this commit is that withRemoteHttpResponse() now sets trusted proxy mode at src/memory/remote-http.ts:40, but fetchWithSsrFGuard() still performs resolvePinnedHostnameWithPolicy() before it checks mode (src/infra/net/fetch-guard.ts:210-216). In the exact proxy setups this patch targets (where local DNS cannot resolve the remote embedding host), that unconditional pre-resolution still fails with ENOTFOUND, so memory calls remain unavailable even when proxy env vars are present.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Require protocol-matching HTTP proxy before trusted mode

Fresh evidence from this commit is that the mode switch now keys off hasProxyEnvConfigured() at src/memory/remote-http.ts:40, which treats ALL_PROXY as sufficient, while the EnvHttpProxyAgent path only supports HTTP(S)-style proxy vars (src/infra/net/proxy-env.ts:29-55, with coverage in src/infra/net/proxy-env.test.ts:69-78). With only ALL_PROXY (or protocol-mismatched vars), this branch drops pinned DNS dispatch but may not actually proxy the request, creating direct unpinned traffic and bypassing expected proxy routing.

Useful? React with 👍 / 👎.

[XIYBHK]

Rebased onto current main to resolve the merge conflict introduced by dbf78de (refactor: move memory engine behind plugin adapters).

The fix has been ported to the new file location — packages/memory-host-sdk/src/host/remote-http.ts — with import paths updated from ../infra/net/ to ../../../../src/infra/net/ to match the new directory depth. The logic change is identical to the original commit; no other files were touched.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 725261b6a0

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Move trusted-proxy mode before DNS pre-resolution

Fresh evidence from this commit is the new withTrustedEnvProxyGuardedFetchMode(...) path at withRemoteHttpResponse, but fetchWithSsrFGuard still calls resolvePinnedHostnameWithPolicy before checking mode (src/infra/net/fetch-guard.ts:176-183). In the exact proxy environments this patch targets (where local DNS cannot resolve the remote host), the request still fails with ENOTFOUND before EnvHttpProxyAgent is selected, so memory remote calls remain broken despite the mode switch.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Require a protocol-matching env HTTP proxy before mode switch

This new condition uses hasProxyEnvConfigured(), which treats any non-empty proxy var (including ALL_PROXY) as sufficient, but EnvHttpProxyAgent follows HTTP(S)-specific vars and ignores ALL_PROXY (src/infra/net/proxy-env.ts:29-47, plus src/infra/net/proxy-env.test.ts). With only ALL_PROXY set, or with protocol-mismatched vars (for example HTTPS_PROXY for an http:// endpoint), this code still enters trusted mode and can send the request directly without pinned DNS, bypassing the intended proxy path.

Useful? React with 👍 / 👎.

[steipete]

Closing this as implemented after Codex review.

Current main already contains a stronger implementation of this proxy fix via commit f408bba9de720d79ffdab6a420f3199f8610035e (#71506), so PR #52191 is superseded.

What I checked:

• Current memory helper enables trusted env-proxy mode on main: withRemoteHttpResponse() now sets mode: GUARDED_FETCH_MODE.TRUSTED_ENV_PROXY when shouldUseEnvHttpProxyForUrl(params.url) is true, covering the requested memory-host proxy path. (packages/memory-host-sdk/src/host/remote-http.ts:30, bc73141e8284)
• Main fixes the review-thread footgun around ALL_PROXY/NO_PROXY: shouldUseEnvHttpProxyForUrl() only returns true when Undici would actually proxy that HTTP(S) target and excludes NO_PROXY matches, avoiding the protocol-mismatch and ALL_PROXY bypass concerns raised on this PR. (src/infra/net/proxy-env.ts:57, bc73141e8284)
• Trusted env-proxy branch is taken before DNS pinning: In current fetchWithSsrFGuard(), the trusted env-proxy branch is evaluated before any resolvePinnedHostnameWithPolicy() call, so proxied requests no longer go through the pinned-DNS path that reviewers flagged here. (src/infra/net/fetch-guard.ts:357, bc73141e8284)
• Regression coverage landed with the mainline fix: Main now includes targeted tests for the memory helper's trusted env-proxy mode and for preserving strict DNS pinning when only ALL_PROXY is configured or NO_PROXY matches. (packages/memory-host-sdk/src/host/remote-http.test.ts:42, f408bba9de72)
• Superseding commit and changelog entry already exist on main: Commit f408bba9de720d79ffdab6a420f3199f8610035e (fix(memory-host-sdk): use TRUSTED_ENV_PROXY mode for remote embeddings in proxy environments (#71506)) is on main, and CHANGELOG.md records it as fixing #52162 in Unreleased. (CHANGELOG.md:31, f408bba9de72)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against bc73141e8284; fix evidence: commit f408bba9de72.