Proxy not effective during startup: policy limits fetch runs before configureGlobalAgents
Bug Description
When using an HTTPS proxy configured via settings.json env.HTTPS_PROXY, startup network requests (policy limits fetch, OAuth token refresh) bypass the proxy because $kt() (configureGlobalAgents) runs after these requests in the init sequence.
This causes authentication failures (prompts to re-login, region restriction errors) for users who rely on a proxy to reach Anthropic's API — especially in environments with DNS poisoning on Claude domains.
Environment
- Claude Code version: 2.1.191 (regression from 2.1.181 where everything works)
- OS: macOS (darwin arm64)
- Installation: npm
- Proxy: HTTPS proxy with custom CA cert, configured in
~/.claude/settings.json:
``json``
{
"env": {
"HTTPS_PROXY": "https://user:pass@proxy-host:8443",
"NODE_EXTRA_CA_CERTS": "/path/to/ca.crt",
"NO_PROXY": "127.0.0.1,localhost,::1"
}
}
Root Cause (from binary analysis)
The startup init sequence is:
1. applySafeConfigEnvironmentVariables() → HTTPS_PROXY injected into process.env ✓
2. Nnr() / policy limits check triggered
3. v3m() → axios.get(api.anthropic.com/api/claude_code/policy_limits)
axios has NO proxy configured yet → direct connection → DNS poisoned → fails
4. OAuth token refresh (Nh/P9r) also runs here
5. configureGlobalAgents() / $kt() → axios proxy finally configured (TOO LATE)
v3m() uses axios.get() which requires explicit proxy configuration via $kt(). Since $kt() hasn't run yet at step 3, axios makes direct connections that bypass the proxy entirely.
In v2.1.181, this was not a problem — either the policy limits fetch didn't exist yet or it ran after proxy configuration.
Steps to Reproduce
- Configure an HTTPS proxy in
~/.claude/settings.jsonenvblock - Ensure the machine has DNS poisoning / no direct access to
api.anthropic.comandclaude.aidomains (proxy is the only viable path) - Start
claudewith v2.1.191 - Observe: prompted to re-login, or "region not supported" error after the direct (non-proxied) request hits the poisoned DNS
Expected Behavior
All network requests during startup should respect the configured proxy. configureGlobalAgents() should run before any network requests (policy limits, OAuth refresh, remote settings fetch).
Workaround
Downgrade to v2.1.181 where the startup sequence doesn't have this timing issue.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗