fix(bedrock): honor VS Code proxy and custom CA to enable TLS behind corporate proxies

[pballou]

Related GitHub Issue

Closes: #4446

Description

Fix Bedrock SSL errors behind corporate proxies by:

• Using a NodeHttpHandler that:
  • Reads proxies (HTTPS_PROXY, HTTP_PROXY, ALL_PROXY) and custom CA bundles (NODE_EXTRA_CA_CERTS, AWS_CA_BUNDLE)
  • Honors VS Code settings (http.proxy and http.proxyStrictSSL)
  • Uses proxy-agent when a proxy is present and falls back to secure https.Agent otherwise
• Adding dependencies: @smithy/node-http-handler and proxy-agent
• Fixing type issues by adjusting tsconfig.json

Test Procedure

1. pnpm install && cd src && pnpm vsix, then install the generated .vsix.

2. In your shell:

   export NODE_EXTRA_CA_CERTS=/path/to/corp-root-ca.pem
   export AWS_CA_BUNDLE=/path/to/corp-root-ca.pem
   export HTTPS_PROXY=http://your.proxy:port
   export HTTP_PROXY=http://your.proxy:port
   export ALL_PROXY=http://your.proxy:port
   

3. Configure VS Code:

   • http.proxy → your corporate proxy
   • http.proxyStrictSSL → true if providing the CA

4. In Roo Code:

   • Use Amazon Bedrock provider via SSO or API key
   • Initiate a chat—expect no SSL errors.

Tested on macOS Sequoia 15.5 behind corporate proxy.

Documentation Updates

Does this PR necessitate updates to user-facing documentation?

• No documentation updates are required.

Additional Notes

Secure defaults preserved. TLS not globally disabled.

Get in Touch

Discord: pattywaggon

---

Important

Fixes Bedrock SSL errors behind corporate proxies by adding a custom NodeHttpHandler in bedrock.ts to handle proxies and custom CAs.

• Behavior:
  • Adds createNodeHttpHandler() in AwsBedrockHandler in bedrock.ts to handle proxies and custom CAs using NodeHttpHandler.
  • Honors VS Code settings (http.proxy, http.proxyStrictSSL) and environment variables (HTTPS_PROXY, HTTP_PROXY, ALL_PROXY, NODE_EXTRA_CA_CERTS, AWS_CA_BUNDLE).
  • Uses proxy-agent for proxy handling and https.Agent for direct connections.
• Dependencies:
  • Adds @smithy/node-http-handler and proxy-agent to package.json.
• Configuration:
  • Updates tsconfig.json to fix type issues.

^{This description was created by for b10e029. You can customize this summary. It will automatically update as commits are pushed.}

[roomote]

Thank you for your contribution! I've reviewed the changes and found some issues that need attention. The implementation correctly addresses the SSL validation issue with corporate proxies, but there are some critical type safety and error handling concerns that should be addressed.

[daniel-lxs]

Hey @pballou Thank you for your contribution! I think the best solution to this is to create a centralized HTTP client and define all the proxy settings there, adding it only on bedrock means we are adding technical debt that needs to be dealt with later.

I'm closing this PR but feel free to continue the discussion!