Normalize proxy env for Remote-SSH backend spawns

[QR-0W]

Summary

Normalize proxy-related environment variables before spawning the bundled kilo serve backend from the VS Code extension.

Remote-SSH extension hosts can expose only one proxy casing/value (for example lowercase http_proxy) to process.env. If the backend child only receives http_proxy, HTTPS streaming clients may miss https_proxy / HTTPS_PROXY and fail behind local/corporate proxies.

This patch mirrors non-empty proxy values across common lowercase/uppercase variants after merging process.env and VS Code http.proxy settings:

• http_proxy <-> HTTP_PROXY
• https_proxy <-> HTTPS_PROXY, deriving from HTTP proxy when HTTPS proxy is missing
• all_proxy <-> ALL_PROXY
• no_proxy <-> NO_PROXY

It also strips a trailing slash from proxy URLs to avoid http://127.0.0.1:58119/ vs http://127.0.0.1:58119 inconsistencies.

Why

Fixes/addresses #10086.

Testing

• Added unit coverage in tests/unit/server-manager-proxy-env.test.ts for:
  • Remote-SSH-style lowercase-only http_proxy
  • uppercase HTTPS/ALL proxy mirroring
  • no_proxy casing mirroring
  • preserving explicit empty proxy clears
• Locally ran an equivalent JS behavior check for the normalization cases.

Not run: bun test tests/unit/server-manager-proxy-env.test.ts because the current container does not have bun installed (/bin/bash: bun: command not found).

[kilo-code-bot]

WARNING: httpsProxy silently inherits httpProxy as its fallback — this means if a user has only set http_proxy (no HTTPS proxy at all), normalizeProxyEnv will write HTTPS_PROXY=<http_proxy_value> and https_proxy=<http_proxy_value> into the child env.

This is intentional per the PR description, but it can break setups where HTTP and HTTPS traffic must route differently (e.g. HTTPS goes direct while HTTP is proxied). It also silently overrides an explicit HTTPS_PROXY='' clear written by buildProxyEnv() — if proxySupport=off sets HTTPS_PROXY='' but http_proxy is non-empty in process.env, the fallback will reinstate a non-empty value.

Consider guarding the fallback: only derive httpsProxy from httpProxy when there is no existing HTTPS proxy key in the input at all (including empty-string ones):

const httpsProxy =
  normalizeProxyUrl(next.https_proxy) ??
  normalizeProxyUrl(next.HTTPS_PROXY) ??
  (!("https_proxy" in env) && !("HTTPS_PROXY" in env) ? httpProxy : undefined)

[QR-0W]

Fixed in 20e613a90e58a7ac49b4f19a575f28aba965c5d4: HTTPS now derives from HTTP only when neither HTTPS_PROXY nor https_proxy exists in the final env. Empty HTTPS keys are treated as explicit clears.

[kilo-code-bot]

SUGGESTION: normalizeProxyUrl only strips a single trailing slash. A URL like http://proxy:8080// (double slash) would pass through as http://proxy:8080/, still carrying a trailing slash. Replace replace(/\/$/, "") with replace(/\/+$/, "") to handle the degenerate case:

Suggested change

	return trimmed.replace(/\/$/, "")
	return trimmed.replace(/\/+$/, "")

[QR-0W]

Fixed in 20e613a90e58a7ac49b4f19a575f28aba965c5d4: normalizeProxyUrl now uses /\/+$/ to strip multiple trailing slashes.

[kilo-code-bot]

WARNING: The "preserves explicit empty proxy clears" test passes today but does not actually exercise the intended guard against the proxySupport=off + ambient http_proxy interaction described above (line 290 in server-manager.ts). The input has no non-empty http_proxy / HTTP_PROXY, so the fallback path is never reached. A dedicated test with { HTTP_PROXY: '', http_proxy: '', http_proxy_lower: 'http://ambient:3128' } (or similar) would expose the bug and verify the fix.

[QR-0W]

Fixed in 20e613a90e58a7ac49b4f19a575f28aba965c5d4: added a regression case for ambient http_proxy plus explicitly cleared HTTPS_PROXY/https_proxy, which verifies the guard does not reintroduce HTTPS proxying.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Resolved Issues (from previous review)

All 3 previously flagged issues were addressed in commit 20e613a9:

Severity	File	Issue	Status
WARNING	server-manager.ts:290	httpsProxy fallback could override explicit HTTPS_PROXY='' clear	✅ Fixed — hasHttpsProxyKey guard added
WARNING	server-manager-proxy-env.test.ts:171	No test for proxySupport=off + ambient http_proxy interaction	✅ Fixed — new test case added
SUGGESTION	server-manager.ts:275	Single trailing slash strip (/\/$/ )	✅ Fixed — changed to /\/+$/

Files Reviewed (2 files)

• packages/kilo-vscode/src/services/cli-backend/server-manager.ts
• packages/kilo-vscode/tests/unit/server-manager-proxy-env.test.ts

Fix these issues in Kilo Cloud

---

_{Reviewed by claude-4.6-sonnet-20260217 · 445,909 tokens}

[QR-0W]

Addressed the review feedback in 20e613a90e58a7ac49b4f19a575f28aba965c5d4:

• normalizeProxyUrl now strips multiple trailing slashes with /\/+$/.
• HTTPS derivation now respects explicit clears: if HTTPS_PROXY or https_proxy exists but is empty, normalization does not derive HTTPS from ambient http_proxy.
• Added a targeted regression test for ambient http_proxy with explicitly cleared HTTPS proxy variables.

Validation in my environment:

proxy normalization behavior OK

bun test is still not available in this environment (bun: command not found), so I validated the normalization cases with an equivalent Node behavior check.

[QR-0W]

Current status after the review-fix commit:

• The bot review now reports No Issues Found and recommends merge.
• The branch allows maintainer edits (maintainer_can_modify: true).
• GitHub is still blocking merge because the forked-PR workflows are awaiting maintainer approval and the protected checks have not reported yet:
  • test (linux)
  • typecheck
  • unit (linux)
  • Visual Regression (kilo-ui)
  • Visual Regression (kilo-vscode webview)

Could a maintainer with write access please approve the workflows and review when available?