
Conversation

@akshaydeo
Contributor

@akshaydeo akshaydeo commented Dec 19, 2025

Summary

Enhanced proxy support by adding custom CA certificate capabilities and HTTP proxy authentication, allowing Bifrost to work with SSL-intercepting proxies and authenticated proxies.

Changes

  • Added support for custom CA certificates in proxy configurations
  • Implemented HTTP proxy authentication using username and password
  • Added UI fields for CA certificate input in both global and provider-specific proxy settings
  • Updated JSON schema to include the new ca_cert_pem field
  • Updated documentation site with enterprise banner and navigation links

Type of change

  • Bug fix
  • Feature
  • Refactor
  • Documentation
  • Chore/CI

Affected areas

  • Core (Go)
  • Transports (HTTP)
  • Providers/Integrations
  • Plugins
  • UI (Next.js)
  • Docs

How to test

  1. Configure a proxy with authentication:

     {
       "type": "http",
       "url": "http://proxy.example.com:8080",
       "username": "user",
       "password": "pass"
     }

  2. Configure a proxy with a custom CA certificate:

     {
       "type": "http",
       "url": "http://proxy.example.com:8080",
       "ca_cert_pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
     }

  3. Test connections through an SSL-intercepting proxy that requires a custom CA certificate

Breaking changes

  • No

Security considerations

  • The implementation properly handles TLS certificate validation by appending custom CA certificates to the system root CA pool
  • Proxy authentication credentials are properly encoded in the proxy URL
  • PEM certificate validation is performed to ensure only valid certificates are accepted

Checklist

  • I added/updated tests where appropriate
  • I updated documentation where needed
  • I verified builds succeed (Go and UI)

@coderabbitai
Contributor

coderabbitai bot commented Dec 19, 2025

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added custom CA certificate support for proxy configurations to enable TLS through SSL-intercepting proxies
    • Added CA Certificate (PEM) input field to proxy configuration settings
  • Improvements

    • Improved handling of proxy credentials for HTTP and SOCKS5 proxies to ensure authenticated connections
  • Documentation

    • Updated navigation with Discord and Enterprise links; added dismissible banner functionality


Walkthrough

Adds PEM CA certificate support for proxy TLS: new proxy config fields and transport schema, frontend form and types, and backend TLS utilities that append provided CA to system roots and apply the TLS config to proxy clients; also embeds proxy credentials into HTTP/SOCKS5 proxy URLs.

Changes

Backend provider & utils (core/schemas/provider.go, core/providers/utils/utils.go)
  Adds CACertPEM/ca_cert_pem to ProxyConfig; implements createTLSConfigWithCA to append a PEM CA to system roots and return a TLS config (MinVersion TLS1.2); applies TLS config to fasthttp client when provided; injects credentials into HTTP and SOCKS5 proxy URLs before dialer creation; logging on TLS/CA errors.

Transport schema (transports/config.schema.json)
  Adds optional ca_cert_pem string property to proxy_config schema (PEM-encoded CA certificate for SSL-intercepting proxies).

Frontend types & schemas (ui/lib/types/config.ts, ui/lib/types/schemas.ts)
  Adds optional ca_cert_pem?: string to ProxyConfig and GlobalProxyConfig types and to Zod schemas (proxyConfigSchema, proxyFormConfigSchema, globalProxyConfigSchema).

Frontend UI / forms (ui/app/workspace/config/views/proxyView.tsx, ui/app/workspace/providers/fragments/proxyFormFragment.tsx)
  Adds CA Certificate (PEM) textarea under Advanced Settings, binds to ca_cert_pem, includes in form default/reset/submit flows; renames "Skip TLS Verify" to "Skip TLS Verification" and preserves disabled-state behavior.

Docs / config (docs/docs.json)
  Adds a top-level banner object and restructures navigation anchors under navigation.global, replacing previous Community/Blog entries with Discord and Try Enterprise links.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Potential focus areas:

  • TLS/CA parsing and error handling in core/providers/utils/utils.go
  • Correct appending to system root CAs and TLS config application to fasthttp client
  • URL encoding/decoding edge cases when embedding credentials into proxy URLs (special characters)
  • Form binding/serialization to ensure ca_cert_pem propagates through API calls and schemas

Poem

🐰 I tuck a PEM beneath my paw tonight,
So proxies nod and TLS feels right.
Roots grow longer, trust hops through each leaf,
Credentials slip in—soft, no grief.
I nibble bugs and bounce away—rejoice, brief delight!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: Warning. Docstring coverage is 50.00%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)
  • Title check: Passed. The title 'adds support for CA in proxy settings' clearly summarizes the main feature addition of custom CA certificate support for proxies.
  • Description check: Passed. The description covers all key sections: clear summary of changes, feature type selection, affected areas, testing steps with examples, security considerations, and completion checklist.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 46b92ea and b149ea2.

📒 Files selected for processing (8)
  • core/providers/utils/utils.go (3 hunks)
  • core/schemas/provider.go (1 hunks)
  • docs/docs.json (3 hunks)
  • transports/config.schema.json (1 hunks)
  • ui/app/workspace/config/views/proxyView.tsx (1 hunks)
  • ui/app/workspace/providers/fragments/proxyFormFragment.tsx (5 hunks)
  • ui/lib/types/config.ts (2 hunks)
  • ui/lib/types/schemas.ts (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • ui/lib/types/config.ts
  • ui/lib/types/schemas.ts
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

always check the stack if there is one for the current PR. do not give localized reviews for the PR, always see all changes in the light of the whole stack of PRs (if there is a stack, if there is no stack you can continue to make localized suggestions/reviews)

Files:

  • core/providers/utils/utils.go
  • ui/app/workspace/providers/fragments/proxyFormFragment.tsx
  • docs/docs.json
  • ui/app/workspace/config/views/proxyView.tsx
  • core/schemas/provider.go
  • transports/config.schema.json
🧠 Learnings (2)
📚 Learning: 2025-12-09T17:07:42.007Z
Learnt from: qwerty-dvorak
Repo: maximhq/bifrost PR: 1006
File: core/schemas/account.go:9-18
Timestamp: 2025-12-09T17:07:42.007Z
Learning: In core/schemas/account.go, the HuggingFaceKeyConfig field within the Key struct is currently unused and reserved for future Hugging Face inference endpoint deployments. Do not flag this field as missing from OpenAPI documentation or require its presence in the API spec until the feature is actively implemented and used. When the feature is added, update the OpenAPI docs accordingly; otherwise, treat this field as non-breaking and not part of the current API surface.

Applied to files:

  • core/providers/utils/utils.go
  • core/schemas/provider.go
📚 Learning: 2025-12-19T09:26:54.961Z
Learnt from: qwerty-dvorak
Repo: maximhq/bifrost PR: 1006
File: core/providers/utils/utils.go:1050-1051
Timestamp: 2025-12-19T09:26:54.961Z
Learning: Update streaming end-marker handling so HuggingFace is treated as a non-[DONE] provider for backends that do not emit a DONE marker (e.g., meta llama on novita). In core/providers/utils/utils.go, adjust ProviderSendsDoneMarker() (or related logic) to detect providers that may not emit DONE and avoid relying on DONE as the sole end signal. Add tests to cover both DONE-emitting and non-DONE backends, with clear documentation in code comments explaining the rationale and any fallback behavior.

Applied to files:

  • core/providers/utils/utils.go
🧬 Code graph analysis (1)
core/schemas/provider.go (2)
core/providers/gemini/types.go (1)
  • Type (782-782)
ui/lib/types/config.ts (1)
  • ProxyType (126-126)
🔇 Additional comments (9)
transports/config.schema.json (1)

1846-1849: LGTM: Clean schema addition for CA certificate support.

The ca_cert_pem field is properly defined as an optional string with a clear description explaining its purpose for SSL-intercepting proxies.

core/schemas/provider.go (1)

158-163: LGTM: ProxyConfig struct properly extended with CA certificate field.

The CACertPEM field addition is clean and the JSON tag ca_cert_pem correctly aligns with the schema definition.

ui/app/workspace/providers/fragments/proxyFormFragment.tsx (1)

4-4: LGTM: Complete form integration for CA certificate field.

The CA certificate field is properly wired throughout the form lifecycle:

  • Imported necessary UI components (FormDescription, Textarea)
  • Initialized in defaultValues and reset logic
  • Included in onSubmit payload
  • UI field properly configured with monospace font, PEM placeholder, and descriptive help text

Also applies to: 7-7, 37-37, 53-53, 68-68, 159-180

ui/app/workspace/config/views/proxyView.tsx (1)

259-282: LGTM: CA certificate field properly integrated into global proxy settings.

The implementation is consistent with the provider-specific proxy form and correctly:

  • Places the field in the Advanced Settings section
  • Disables input when proxy is not enabled
  • Uses appropriate monospace styling for PEM content
  • Provides clear description of the field's purpose
core/providers/utils/utils.go (4)

7-8: LGTM: Necessary imports for TLS configuration.

Imports crypto/tls and crypto/x509 are required for custom CA certificate handling and TLS configuration.


117-128: LGTM: HTTP proxy authentication properly implemented.

The credential embedding uses the standard url.UserPassword approach to inject authentication into the proxy URL. Error handling correctly logs a warning and returns the unconfigured client, preventing silent failures.


159-167: LGTM: CA certificate configuration with appropriate error handling.

The implementation:

  • Only configures CA when CACertPEM is provided (optional feature)
  • Applies TLS config to the client for SSL-intercepting proxy support
  • Logs warnings on failure rather than blocking proxy setup entirely

This allows graceful degradation if the CA cert is malformed.


172-191: LGTM: Secure TLS configuration with custom CA.

The createTLSConfigWithCA function correctly:

  • Preserves system root CAs and appends the custom CA (lines 176-183)
  • Falls back to an empty pool if system certs unavailable (line 179)
  • Validates PEM format via AppendCertsFromPEM (lines 183-185)
  • Sets MinVersion: tls.VersionTLS12 to prevent downgrade attacks (line 189)

This implementation properly supports SSL-intercepting proxies that present certificates signed by the provided CA. Note that AppendCertsFromPEM handles multiple concatenated certificates in a single PEM string if needed.

docs/docs.json (1)

8-11: Documentation updates look good.

The changes add an enterprise promotion banner and restructure the navigation anchors. While tangential to the proxy CA certificate feature, the JSON structure is valid and the updates appear intentional for documentation site improvements.

Also applies to: 29-42


Comment @coderabbitai help to get the list of available commands and usage tips.

@akshaydeo akshaydeo marked this pull request as ready for review December 19, 2025 11:20
@github-actions
Contributor

🧪 Test Suite Available

This PR can be tested by a repository admin.

Run tests for PR #1137

Contributor Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
docs/docs.json (1)

8-42: Documentation changes appear unrelated to CA certificate support.

These changes (enterprise banner, navigation restructuring) don't seem related to the PR's stated objective of adding CA support in proxy settings. Consider splitting unrelated documentation/marketing changes into a separate PR for cleaner history and easier review.

ui/lib/types/schemas.ts (1)

258-258: Consider adding PEM format validation.

The ca_cert_pem field accepts any string without format validation. Adding a basic check for valid PEM certificate structure would catch user errors early and improve the user experience.

🔎 Proposed validation refinement

You can add a .refine() to validate basic PEM structure. For example, for proxyConfigSchema:

 export const proxyConfigSchema = z
 	.object({
 		type: proxyTypeSchema,
 		url: z.url("Must be a valid URL"),
 		username: z.string().optional(),
 		password: z.string().optional(),
-		ca_cert_pem: z.string().optional(),
+		ca_cert_pem: z.string().optional()
+			.refine((val) => {
+				if (!val || val.trim() === "") return true;
+				return val.includes("-----BEGIN CERTIFICATE-----") && val.includes("-----END CERTIFICATE-----");
+			}, { message: "Must be a valid PEM-encoded certificate" }),
 	})
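Review bot: the two `includes` calls in the proposed `ca_cert_pem` refine only check that both markers occur somewhere, so a value whose END marker precedes its BEGIN marker, or whose markers wrap a body that is not a certificate, still passes; if the aim is catching user errors early, also require `val.indexOf("-----BEGIN CERTIFICATE-----") < val.indexOf("-----END CERTIFICATE-----")`, and keep the backend's AppendCertsFromPEM result as the authoritative check, since only it parses the certificate itself.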

Apply similar refinements to proxyFormConfigSchema (line 286) and globalProxyConfigSchema (line 634).

Also applies to: 286-286, 634-634

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ed34784 and 46b92ea.

📒 Files selected for processing (8)
  • core/providers/utils/utils.go (3 hunks)
  • core/schemas/provider.go (1 hunks)
  • docs/docs.json (3 hunks)
  • transports/config.schema.json (1 hunks)
  • ui/app/workspace/config/views/proxyView.tsx (1 hunks)
  • ui/app/workspace/providers/fragments/proxyFormFragment.tsx (5 hunks)
  • ui/lib/types/config.ts (2 hunks)
  • ui/lib/types/schemas.ts (3 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

always check the stack if there is one for the current PR. do not give localized reviews for the PR, always see all changes in the light of the whole stack of PRs (if there is a stack, if there is no stack you can continue to make localized suggestions/reviews)

Files:

  • ui/lib/types/config.ts
  • ui/app/workspace/providers/fragments/proxyFormFragment.tsx
  • transports/config.schema.json
  • core/schemas/provider.go
  • core/providers/utils/utils.go
  • ui/lib/types/schemas.ts
  • ui/app/workspace/config/views/proxyView.tsx
  • docs/docs.json
🧠 Learnings (2)
📚 Learning: 2025-12-09T17:07:42.007Z
Learnt from: qwerty-dvorak
Repo: maximhq/bifrost PR: 1006
File: core/schemas/account.go:9-18
Timestamp: 2025-12-09T17:07:42.007Z
Learning: In core/schemas/account.go, the HuggingFaceKeyConfig field within the Key struct is currently unused and reserved for future Hugging Face inference endpoint deployments. Do not flag this field as missing from OpenAPI documentation or require its presence in the API spec until the feature is actively implemented and used. When the feature is added, update the OpenAPI docs accordingly; otherwise, treat this field as non-breaking and not part of the current API surface.

Applied to files:

  • core/schemas/provider.go
  • core/providers/utils/utils.go
📚 Learning: 2025-12-19T09:26:54.961Z
Learnt from: qwerty-dvorak
Repo: maximhq/bifrost PR: 1006
File: core/providers/utils/utils.go:1050-1051
Timestamp: 2025-12-19T09:26:54.961Z
Learning: Update streaming end-marker handling so HuggingFace is treated as a non-[DONE] provider for backends that do not emit a DONE marker (e.g., meta llama on novita). In core/providers/utils/utils.go, adjust ProviderSendsDoneMarker() (or related logic) to detect providers that may not emit DONE and avoid relying on DONE as the sole end signal. Add tests to cover both DONE-emitting and non-DONE backends, with clear documentation in code comments explaining the rationale and any fallback behavior.

Applied to files:

  • core/providers/utils/utils.go
🧬 Code graph analysis (2)
ui/app/workspace/providers/fragments/proxyFormFragment.tsx (2)
ui/components/ui/form.tsx (5)
  • FormItem (161-161)
  • FormLabel (162-162)
  • FormControl (163-163)
  • FormDescription (164-164)
  • FormMessage (165-165)
ui/components/ui/textarea.tsx (1)
  • Textarea (18-18)
core/schemas/provider.go (2)
core/providers/gemini/types.go (1)
  • Type (782-782)
ui/lib/types/config.ts (1)
  • ProxyType (126-126)
🪛 ast-grep (0.40.0)
core/providers/utils/utils.go

[warning] 186-188: MinVersion is missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported and insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13` to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{
RootCAs: rootCAs,
}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

🔇 Additional comments (9)
core/schemas/provider.go (1)

157-163: LGTM!

The CACertPEM field addition is consistent with other proxy config fields and aligns with the JSON schema changes in transports/config.schema.json. The field correctly uses json:"ca_cert_pem" to match the snake_case convention used throughout.

transports/config.schema.json (1)

1845-1849: LGTM!

The ca_cert_pem property is correctly added as an optional string field. The description clearly explains its purpose for SSL-intercepting proxies, and it aligns with the Go struct definition in core/schemas/provider.go.

core/providers/utils/utils.go (1)

159-167: CA certificate integration looks correct.

The logic properly:

  1. Only configures TLS when CACertPEM is provided
  2. Logs a warning if CA setup fails rather than failing silently
  3. Continues to return the configured client regardless of CA setup success

One consideration: if CA setup fails, the client proceeds without the custom CA, which may cause unexpected TLS errors when connecting through the proxy. Depending on use case, you may want to return early or make this behavior configurable.

ui/lib/types/config.ts (2)

128-135: LGTM!

The ca_cert_pem optional field correctly mirrors the Go ProxyConfig.CACertPEM field and maintains type consistency across the frontend-backend boundary.


269-283: LGTM!

The ca_cert_pem field is correctly added as optional to GlobalProxyConfig. Note that DefaultGlobalProxyConfig doesn't include this field, which is appropriate since it's optional and should default to undefined.

ui/app/workspace/config/views/proxyView.tsx (1)

259-282: LGTM! Clean implementation of the CA certificate field.

The CA certificate input is properly integrated into the Advanced Settings section with appropriate styling (monospace font for PEM format), clear placeholder text, and consistent behavior with other form fields (disabled when proxy is not enabled).

ui/app/workspace/providers/fragments/proxyFormFragment.tsx (3)

4-4: LGTM! Proper imports for the new form field.

The necessary UI components (FormDescription and Textarea) are correctly imported to support the CA certificate input field.

Also applies to: 7-7


37-37: LGTM! Consistent form state management for ca_cert_pem.

The ca_cert_pem field is properly wired through the form lifecycle:

  • Initialized in defaultValues with fallback to empty string
  • Included in reset to handle provider changes
  • Correctly submitted with empty string converted to undefined

Also applies to: 53-53, 68-68


159-180: LGTM! CA certificate field implementation matches the global proxy view.

The form field implementation is consistent with the global proxy configuration view, using the same styling (monospace font, 6 rows), placeholder format, and description text.
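The CA handling the walkthrough and the utils.go review notes describe for createTLSConfigWithCA (system roots plus the supplied PEM, MinVersion TLS 1.2, failure when the PEM does not parse) as a stand-alone Go example, added here and not Bifrost's own code. It also covers the failure mode raised above: a PEM block with the right markers but a non-certificate body is still rejected by AppendCertsFromPEM, which is the check a marker-only validation cannot replace. The function names and the throwaway self-signed CA are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// tlsConfigWithCA follows the shape the review gives for createTLSConfigWithCA: system
// roots (or an empty pool if unavailable) plus the operator's CA, error when nothing parses.
func tlsConfigWithCA(caPEM string) (*tls.Config, error) {
	roots, err := x509.SystemCertPool()
	if err != nil || roots == nil {
		roots = x509.NewCertPool()
	}
	if !roots.AppendCertsFromPEM([]byte(caPEM)) {
		return nil, errors.New("ca_cert_pem: no valid PEM certificate found")
	}
	return &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}, nil
}

// trustedBy reports whether certPEM chains to cfg.RootCAs (what an intercepting proxy's cert must do).
func trustedBy(cfg *tls.Config, certPEM string) bool {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	return err == nil
}

// selfSignedCAPEM makes a throwaway CA (constructed input, not a real proxy CA) so the example runs offline.
func selfSignedCAPEM() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	ca, _ := selfSignedCAPEM()
	cfg, err := tlsConfigWithCA(ca)
	fmt.Println("throwaway CA accepted and trusted:", err == nil && trustedBy(cfg, ca))
	_, err = tlsConfigWithCA("-----BEGIN CERTIFICATE-----\nbm90IGEgY2VydA==\n-----END CERTIFICATE-----\n")
	fmt.Println("markers around a non-certificate body rejected:", err != nil)
}
```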

@Pratham-Mishra04 Pratham-Mishra04 force-pushed the 12-19-adds_support_for_ca_in_proxy_settings branch from 46b92ea to b149ea2 Compare December 19, 2025 12:05
Collaborator

Pratham-Mishra04 commented Dec 19, 2025

Merge activity

  • Dec 19, 12:25 PM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Dec 19, 12:25 PM UTC: @Pratham-Mishra04 merged this pull request with Graphite.

@Pratham-Mishra04 Pratham-Mishra04 merged commit 38df059 into main Dec 19, 2025
9 checks passed
@Pratham-Mishra04 Pratham-Mishra04 deleted the 12-19-adds_support_for_ca_in_proxy_settings branch December 19, 2025 12:25