feat: Add HTTP proxy support for corporate/enterprise users

Add HTTPS_PROXY/HTTP_PROXY environment variable support to the CLI
bootstrap scripts so users behind corporate proxies can download the
codebuff binary.

Code changes (applied to release, staging, and freebuff variants):
- Add HTTP CONNECT tunnel proxy support (zero new dependencies)
- Support both http:// and https:// proxy URLs
- Support proxy authentication via URL credentials
- Respect NO_PROXY/no_proxy with port-suffix stripping
- Drain redirect responses before following to prevent socket leaks
- Use agent:false + createConnection for clean per-request tunneling
- Show proxy configuration hint on timeout/connection errors

Documentation:
- Add Corporate Proxy / Firewall section to CLI README
- Update WINDOWS.md troubleshooting with HTTPS_PROXY as primary fix

Fixes: Users behind corporate proxies getting "Request timeout" errors

Author: jahooma

WINDOWS.md

@@ -54,21 +54,40 @@ Codebuff checks GitHub for the latest release on first run. This fails when:
 
 **Solutions**:
 
-1. **Verify GitHub access**:
+1. **Set the `HTTPS_PROXY` environment variable** (if behind corporate proxy):
+
+   Codebuff natively supports proxy environment variables. This is the recommended fix:
+
+   **PowerShell:**
+   ```powershell
+   $env:HTTPS_PROXY = "http://your-proxy-server:port"
+   codebuff
+   ```
+
+   **CMD:**
+   ```cmd
+   set HTTPS_PROXY=http://your-proxy-server:port
+   codebuff
+   ```
+
+   To make it permanent, add `HTTPS_PROXY` to your Windows System Environment Variables (Settings → System → Advanced → Environment Variables).
+
+2. **Verify network access**:
    ```powershell
-   curl https://github.com/CodebuffAI/codebuff/releases.atom
+   curl https://registry.npmjs.org/codebuff/latest
    ```
    If this fails, you have a network/firewall issue.
 
-2. **Configure npm proxy** (if behind corporate proxy):
+3. **Configure npm proxy** (for the `npm install` step only):
    ```powershell
    npm config set proxy http://your-proxy-server:port
    npm config set https-proxy http://your-proxy-server:port
    ```
+   Note: This only helps with `npm install`. Codebuff's own downloads use `HTTPS_PROXY` instead.
 
-3. **Disable VPN temporarily** or whitelist GitHub in your firewall
+4. **Disable VPN temporarily** or whitelist `registry.npmjs.org` and `codebuff.com` in your firewall
 
-4. **Clear npm cache and reinstall**:
+5. **Clear npm cache and reinstall**:
    ```powershell
    npm cache clean --force
    npm uninstall -g codebuff

cli/release-staging/index.js

@@ -6,6 +6,7 @@ const http = require('http')
 const https = require('https')
 const os = require('os')
 const path = require('path')
+const tls = require('tls')
 const zlib = require('zlib')
 
 const tar = require('tar')
@@ -96,6 +97,76 @@ function trackUpdateFailed(errorMessage, version, context = {}) {
   }
 }
 
+function getProxyUrl() {
+  return (
+    process.env.HTTPS_PROXY ||
+    process.env.https_proxy ||
+    process.env.HTTP_PROXY ||
+    process.env.http_proxy ||
+    null
+  )
+}
+
+function shouldBypassProxy(hostname) {
+  const noProxy = process.env.NO_PROXY || process.env.no_proxy || ''
+  if (!noProxy) return false
+  const domains = noProxy.split(',').map((d) => d.trim().toLowerCase().replace(/:\d+$/, ''))
+  const host = hostname.toLowerCase()
+  return domains.some((d) => {
+    if (d === '*') return true
+    if (d.startsWith('.')) return host.endsWith(d) || host === d.slice(1)
+    return host === d || host.endsWith('.' + d)
+  })
+}
+
+function connectThroughProxy(proxyUrl, targetHost, targetPort) {
+  return new Promise((resolve, reject) => {
+    const proxy = new URL(proxyUrl)
+    const isHttpsProxy = proxy.protocol === 'https:'
+    const connectOptions = {
+      hostname: proxy.hostname,
+      port: proxy.port || (isHttpsProxy ? 443 : 80),
+      method: 'CONNECT',
+      path: `${targetHost}:${targetPort}`,
+      headers: {
+        Host: `${targetHost}:${targetPort}`,
+      },
+    }
+
+    if (proxy.username || proxy.password) {
+      const auth = Buffer.from(
+        `${decodeURIComponent(proxy.username || '')}:${decodeURIComponent(proxy.password || '')}`,
+      ).toString('base64')
+      connectOptions.headers['Proxy-Authorization'] = `Basic ${auth}`
+    }
+
+    const transport = isHttpsProxy ? https : http
+    const req = transport.request(connectOptions)
+
+    req.on('connect', (res, socket) => {
+      if (res.statusCode === 200) {
+        resolve(socket)
+      } else {
+        socket.destroy()
+        reject(
+          new Error(`Proxy CONNECT failed with status ${res.statusCode}`),
+        )
+      }
+    })
+
+    req.on('error', (err) => {
+      reject(new Error(`Proxy connection failed: ${err.message}`))
+    })
+
+    req.setTimeout(CONFIG.requestTimeout, () => {
+      req.destroy()
+      reject(new Error('Proxy connection timeout.'))
+    })
+
+    req.end()
+  })
+}
+
 const PLATFORM_TARGETS = {
   'linux-x64': `${packageName}-linux-x64.tar.gz`,
   'linux-arm64': `${packageName}-linux-arm64.tar.gz`,
@@ -120,20 +191,37 @@ const term = {
   },
 }
 
-function httpGet(url, options = {}) {
-  return new Promise((resolve, reject) => {
-    const parsedUrl = new URL(url)
-    const reqOptions = {
-      hostname: parsedUrl.hostname,
-      path: parsedUrl.pathname + parsedUrl.search,
-      headers: {
-        'User-Agent': CONFIG.userAgent,
-        ...options.headers,
-      },
-    }
+async function httpGet(url, options = {}) {
+  const parsedUrl = new URL(url)
+  const proxyUrl = getProxyUrl()
+
+  const reqOptions = {
+    hostname: parsedUrl.hostname,
+    path: parsedUrl.pathname + parsedUrl.search,
+    headers: {
+      'User-Agent': CONFIG.userAgent,
+      ...options.headers,
+    },
+  }
+
+  if (proxyUrl && !shouldBypassProxy(parsedUrl.hostname)) {
+    const tunnelSocket = await connectThroughProxy(
+      proxyUrl,
+      parsedUrl.hostname,
+      parsedUrl.port || 443,
+    )
+    reqOptions.agent = false
+    reqOptions.createConnection = () =>
+      tls.connect({
+        socket: tunnelSocket,
+        servername: parsedUrl.hostname,
+      })
+  }
 
+  return new Promise((resolve, reject) => {
     const req = https.get(reqOptions, (res) => {
       if (res.statusCode === 302 || res.statusCode === 301) {
+        res.resume()
         return httpGet(new URL(res.headers.location, url).href, options)
           .then(resolve)
           .catch(reject)
@@ -401,6 +489,11 @@ async function ensureBinaryExists() {
   if (!version) {
     console.error('❌ Failed to determine latest version')
     console.error('Please check your internet connection and try again')
+    if (!getProxyUrl()) {
+      console.error(
+        'If you are behind a proxy, set the HTTPS_PROXY environment variable',
+      )
+    }
     process.exit(1)
   }
 
@@ -410,6 +503,11 @@ async function ensureBinaryExists() {
     term.clearLine()
     console.error('❌ Failed to download codecane:', error.message)
     console.error('Please check your internet connection and try again')
+    if (!getProxyUrl()) {
+      console.error(
+        'If you are behind a proxy, set the HTTPS_PROXY environment variable',
+      )
+    }
     process.exit(1)
   }
 }

cli/release/README.md

@@ -56,6 +56,8 @@ Some have said every change should be paired with a unit test. In 2024, every ch
 
 ## Troubleshooting
 
+### Permission Errors
+
 If you are getting permission errors during installation, try using sudo:
 
 ```
@@ -64,6 +66,42 @@ sudo npm install -g codebuff
 
 If you still have errors, it's a good idea to [reinstall Node](https://nodejs.org/en/download).
 
+### Corporate Proxy / Firewall
+
+If you see `Failed to download codebuff: Request timeout` or `Failed to determine latest version`, you may be behind a corporate proxy or firewall.
+
+Codebuff respects standard proxy environment variables. Set `HTTPS_PROXY` to route traffic through your proxy:
+
+**Linux / macOS (bash/zsh):**
+```bash
+export HTTPS_PROXY=http://your-proxy-server:port
+codebuff
+```
+
+**Windows (PowerShell):**
+```powershell
+$env:HTTPS_PROXY = "http://your-proxy-server:port"
+codebuff
+```
+
+**Windows (CMD):**
+```cmd
+set HTTPS_PROXY=http://your-proxy-server:port
+codebuff
+```
+
+To make it permanent, add the `export` or `set` line to your shell profile (e.g. `~/.bashrc`, `~/.zshrc`, or Windows System Environment Variables).
+
+**Supported environment variables:**
+
+| Variable | Purpose |
+|---|---|
+| `HTTPS_PROXY` / `https_proxy` | Proxy for HTTPS requests (recommended) |
+| `HTTP_PROXY` / `http_proxy` | Fallback proxy for HTTP requests |
+| `NO_PROXY` / `no_proxy` | Comma-separated list of hostnames to bypass the proxy (port suffixes are ignored) |
+
+Both `http://` and `https://` proxy URLs are supported. Proxy authentication is supported via URL credentials (e.g. `http://user:password@proxy:port`).
+
 ## Feedback
 
 We value your input! Please email your feedback to `founders@codebuff.com`. Thank you for using Codebuff!