Proxy not effective during startup: policy limits fetch runs before configureGlobalAgents

Open 💬 2 comments Opened Jun 25, 2026 by Florious95

Bug Description

When using an HTTPS proxy configured via settings.json env.HTTPS_PROXY, startup network requests (policy limits fetch, OAuth token refresh) bypass the proxy because $kt() (configureGlobalAgents) runs after these requests in the init sequence.

This causes authentication failures (prompts to re-login, region restriction errors) for users who rely on a proxy to reach Anthropic's API — especially in environments with DNS poisoning on Claude domains.

Environment

  • Claude Code version: 2.1.191 (regression from 2.1.181 where everything works)
  • OS: macOS (darwin arm64)
  • Installation: npm
  • Proxy: HTTPS proxy with custom CA cert, configured in ~/.claude/settings.json:

``json
{
"env": {
"HTTPS_PROXY": "https://user:pass@proxy-host:8443",
"NODE_EXTRA_CA_CERTS": "/path/to/ca.crt",
"NO_PROXY": "127.0.0.1,localhost,::1"
}
}
``

Root Cause (from binary analysis)

The startup init sequence is:

1. applySafeConfigEnvironmentVariables()  → HTTPS_PROXY injected into process.env ✓
2. Nnr() / policy limits check triggered
3. v3m() → axios.get(api.anthropic.com/api/claude_code/policy_limits)
           axios has NO proxy configured yet → direct connection → DNS poisoned → fails
4. OAuth token refresh (Nh/P9r) also runs here
5. configureGlobalAgents() / $kt()  → axios proxy finally configured (TOO LATE)

v3m() uses axios.get() which requires explicit proxy configuration via $kt(). Since $kt() hasn't run yet at step 3, axios makes direct connections that bypass the proxy entirely.

In v2.1.181, this was not a problem — either the policy limits fetch didn't exist yet or it ran after proxy configuration.

Steps to Reproduce

  1. Configure an HTTPS proxy in ~/.claude/settings.json env block
  2. Ensure the machine has DNS poisoning / no direct access to api.anthropic.com and claude.ai domains (proxy is the only viable path)
  3. Start claude with v2.1.191
  4. Observe: prompted to re-login, or "region not supported" error after the direct (non-proxied) request hits the poisoned DNS

Expected Behavior

All network requests during startup should respect the configured proxy. configureGlobalAgents() should run before any network requests (policy limits, OAuth refresh, remote settings fetch).

Workaround

Downgrade to v2.1.181 where the startup sequence doesn't have this timing issue.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗