implemented suggestions

Patrick · Patrick · commit eee9659171f4 · 2025-09-07T00:25:08.000-04:00
diff --git a/src/api/providers/bedrock.ts b/src/api/providers/bedrock.ts
@@ -14,6 +14,8 @@ import * as vscode from "vscode"
 import * as fs from "fs"
 import { ProxyAgent } from "proxy-agent"
 import * as https from "https"
+import type { Agent } from "http"
+import type { Agent as HttpsAgent } from "https"
 
 import {
 	type ModelInfo,
@@ -174,6 +176,9 @@ export class AwsBedrockHandler extends BaseProvider implements SingleCompletionH
 	private client: BedrockRuntimeClient
 	private arnInfo: any
 
+	// Static cache for CA certificates to avoid repeated file I/O
+	private static cachedCertificates: Map<string, Buffer> = new Map()
+
 	constructor(options: ProviderSettings) {
 		super()
 		this.options = options
@@ -261,65 +266,35 @@ export class AwsBedrockHandler extends BaseProvider implements SingleCompletionH
 
 	/**
 	 * Create a NodeHttpHandler configured to work behind corporate proxies and with custom CAs.
-	 * - Honors VS Code settings: `http.proxy` and `http.proxyStrictSSL`
-	 * - Honors env vars: HTTPS_PROXY/HTTP_PROXY/ALL_PROXY, NODE_EXTRA_CA_CERTS, AWS_CA_BUNDLE
+	 *
+	 * The proxy-agent library automatically detects proxy settings from environment variables.
+	 * We only check VS Code settings to determine if a proxy is configured, then let proxy-agent
+	 * handle the actual proxy URL detection and protocol negotiation.
+	 *
+	 * Configuration Sources (in order of precedence):
+	 *
+	 * VS Code Settings:
+	 * - `http.proxy`: Proxy server URL (used to determine if proxy is configured)
+	 * - `http.proxyStrictSSL`: Whether to validate SSL certificates (default: true)
+	 *
+	 * Environment Variables (automatically detected by proxy-agent):
+	 * - `HTTPS_PROXY` / `https_proxy`: HTTPS proxy server URL
+	 * - `HTTP_PROXY` / `http_proxy`: HTTP proxy server URL
+	 * - `ALL_PROXY` / `all_proxy`: Fallback proxy for all protocols
+	 * - `NO_PROXY` / `no_proxy`: Comma-separated list of hosts to bypass proxy
+	 * - `NODE_EXTRA_CA_CERTS`: Path to additional CA certificates file
+	 * - `AWS_CA_BUNDLE`: Path to AWS-specific CA bundle (takes precedence over NODE_EXTRA_CA_CERTS)
+	 *
+	 * @returns {NodeHttpHandler | undefined} Configured handler for proxy/CA support, or undefined if initialization fails
+	 * @private
 	 */
 	private createNodeHttpHandler(): NodeHttpHandler | undefined {
 		try {
-			const httpConfig = vscode.workspace.getConfiguration("http")
-			const proxyUrl = (
-				httpConfig.get<string>("proxy") ||
-				process.env.HTTPS_PROXY ||
-				process.env.HTTP_PROXY ||
-				process.env.ALL_PROXY ||
-				""
-			).trim()
-			const strictSSL = httpConfig.get<boolean>("proxyStrictSSL", true)
-
-			let ca: Buffer | undefined
-			const caPath = (process.env.NODE_EXTRA_CA_CERTS || process.env.AWS_CA_BUNDLE || "").trim()
-			if (caPath) {
-				try {
-					ca = fs.readFileSync(caPath)
-				} catch (e) {
-					logger.warn("Failed to read custom CA bundle; continuing without it", {
-						ctx: "bedrock",
-						error: e instanceof Error ? e.message : String(e),
-						caPath,
-					})
-				}
-			}
+			const proxyConfig = this.getProxyConfiguration()
+			const tlsConfig = this.getTLSConfiguration()
+			const agents = this.createHTTPAgents(proxyConfig, tlsConfig)
 
-			const agentOptions: https.AgentOptions = {
-				rejectUnauthorized: strictSSL,
-				...(ca ? { ca } : {}),
-			}
-
-			let httpAgent: any | undefined
-			let httpsAgent: any | undefined
-
-			if (proxyUrl) {
-				// Use proxy-agent to support http/https/socks/PAC proxies seamlessly
-				// ProxyAgent constructor expects options object with proper TLS configuration
-				const proxyAgent = new ProxyAgent({
-					// The ProxyAgent will use the proxy URL from environment or options
-					httpsAgent: new https.Agent(agentOptions),
-					// Pass TLS options for proper certificate handling
-					rejectUnauthorized: strictSSL,
-					...(ca ? { ca } : {}),
-				})
-				// proxy-agent returns a single agent for both protocols
-				httpAgent = proxyAgent
-				httpsAgent = proxyAgent
-			} else {
-				// Direct connection agents with proper TLS options
-				httpsAgent = new https.Agent(agentOptions)
-			}
-
-			return new NodeHttpHandler({
-				httpAgent,
-				httpsAgent,
-			})
+			return new NodeHttpHandler(agents)
 		} catch (err) {
 			logger.warn("Failed to initialize custom NodeHttpHandler; falling back to default", {
 				ctx: "bedrock",
@@ -329,6 +304,100 @@ export class AwsBedrockHandler extends BaseProvider implements SingleCompletionH
 		}
 	}
 
+	/**
+	 * Get proxy configuration from VS Code settings and environment variables.
+	 * Note: We only check if a proxy is configured; proxy-agent handles URL detection.
+	 */
+	private getProxyConfiguration(): { isProxyConfigured: boolean } {
+		const httpConfig = vscode.workspace.getConfiguration("http")
+		const vscodeProxy = (httpConfig.get<string>("proxy") || "").trim()
+
+		// Check if any proxy configuration exists (VS Code or environment variables)
+		const hasProxyConfig = !!(
+			vscodeProxy ||
+			process.env.HTTPS_PROXY ||
+			process.env.https_proxy ||
+			process.env.HTTP_PROXY ||
+			process.env.http_proxy ||
+			process.env.ALL_PROXY ||
+			process.env.all_proxy
+		)
+
+		return { isProxyConfigured: hasProxyConfig }
+	}
+
+	/**
+	 * Get TLS configuration including SSL validation and CA certificates.
+	 */
+	private getTLSConfiguration(): { strictSSL: boolean; ca?: Buffer } {
+		const httpConfig = vscode.workspace.getConfiguration("http")
+		const strictSSL = httpConfig.get<boolean>("proxyStrictSSL", true)
+
+		const caPath = (process.env.NODE_EXTRA_CA_CERTS || process.env.AWS_CA_BUNDLE || "").trim()
+		const ca = caPath ? this.loadCACertificate(caPath) : undefined
+
+		return { strictSSL, ca }
+	}
+
+	/**
+	 * Load CA certificate from file system with caching to avoid repeated I/O operations.
+	 */
+	private loadCACertificate(caPath: string): Buffer | undefined {
+		if (!caPath) return undefined
+
+		// Check cache first
+		if (AwsBedrockHandler.cachedCertificates.has(caPath)) {
+			return AwsBedrockHandler.cachedCertificates.get(caPath)
+		}
+
+		try {
+			const ca = fs.readFileSync(caPath)
+			AwsBedrockHandler.cachedCertificates.set(caPath, ca)
+			return ca
+		} catch (e) {
+			logger.warn("Failed to read custom CA bundle; continuing without it", {
+				ctx: "bedrock",
+				error: e instanceof Error ? e.message : String(e),
+				caPath,
+			})
+			return undefined
+		}
+	}
+
+	/**
+	 * Create HTTP/HTTPS agents with proxy and TLS configuration.
+	 * ProxyAgent automatically detects proxy URLs from environment variables.
+	 */
+	private createHTTPAgents(
+		proxyConfig: { isProxyConfigured: boolean },
+		tlsConfig: { strictSSL: boolean; ca?: Buffer },
+	): { httpAgent?: Agent; httpsAgent?: HttpsAgent } {
+		const agentOptions: https.AgentOptions = {
+			rejectUnauthorized: tlsConfig.strictSSL,
+			...(tlsConfig.ca ? { ca: tlsConfig.ca } : {}),
+		}
+
+		if (proxyConfig.isProxyConfigured) {
+			// ProxyAgent automatically detects proxy URLs from environment variables
+			// We pass TLS configuration through the httpsAgent option
+			const proxyAgent = new ProxyAgent({
+				httpsAgent: new https.Agent(agentOptions),
+				rejectUnauthorized: tlsConfig.strictSSL,
+				...(tlsConfig.ca ? { ca: tlsConfig.ca } : {}),
+			})
+
+			return {
+				httpAgent: proxyAgent,
+				httpsAgent: proxyAgent,
+			}
+		}
+
+		// Direct connection without proxy
+		return {
+			httpsAgent: new https.Agent(agentOptions),
+		}
+	}
+
 	// Helper to guess model info from custom modelId string if not in bedrockModels
 	private guessModelInfoFromId(modelId: string): Partial<ModelInfo> {
 		// Define a mapping for model ID patterns and their configurations
