From 9126225317cc3bf9942aa0e3826d222854d19d24 Mon Sep 17 00:00:00 2001
From: hailin <hailin.zhao@gdzx.xyz>
Date: Mon, 23 Feb 2026 05:52:02 -0800
Subject: [PATCH] fix: disable TLS verification for Anthropic proxy
 (self-signed cert)

Follow iConsulting pattern: set NODE_TLS_REJECT_UNAUTHORIZED=0 when
ANTHROPIC_BASE_URL is configured, enabling connection through the
self-signed proxy at 67.223.119.33.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../claude-agent-sdk/claude-agent-sdk-engine.ts       | 11 +++++++++++
 .../engines/claude-api/claude-api-engine.ts           |  8 +++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/packages/services/agent-service/src/infrastructure/engines/claude-agent-sdk/claude-agent-sdk-engine.ts b/packages/services/agent-service/src/infrastructure/engines/claude-agent-sdk/claude-agent-sdk-engine.ts
index 5205cc3..7acc0d1 100644
--- a/packages/services/agent-service/src/infrastructure/engines/claude-agent-sdk/claude-agent-sdk-engine.ts
+++ b/packages/services/agent-service/src/infrastructure/engines/claude-agent-sdk/claude-agent-sdk-engine.ts
@@ -52,6 +52,12 @@ export class ClaudeAgentSdkEngine implements AgentEnginePort {
 
     // Build environment — subscription mode uses inherited CLI auth, api_key mode overrides
     const env: Record<string, string> = { ...process.env } as Record<string, string>;
+    // Disable TLS verification for proxy endpoints (self-signed certs)
+    const baseURL = this.configService.get<string>('ANTHROPIC_BASE_URL');
+    if (baseURL) {
+      env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+      env.ANTHROPIC_BASE_URL = baseURL;
+    }
     if (tenantConfig?.billingMode === 'api_key') {
       try {
         env.ANTHROPIC_API_KEY = this.tenantConfigService.decryptApiKey(tenantConfig);
@@ -226,6 +232,11 @@ export class ClaudeAgentSdkEngine implements AgentEnginePort {
     const tenantConfig = await this.tenantConfigService.findByTenantId(tenantId);
 
     const env: Record<string, string> = { ...process.env } as Record<string, string>;
+    const baseURL = this.configService.get<string>('ANTHROPIC_BASE_URL');
+    if (baseURL) {
+      env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+      env.ANTHROPIC_BASE_URL = baseURL;
+    }
     if (tenantConfig?.billingMode === 'api_key') {
       try {
         env.ANTHROPIC_API_KEY = this.tenantConfigService.decryptApiKey(tenantConfig);
diff --git a/packages/services/agent-service/src/infrastructure/engines/claude-api/claude-api-engine.ts b/packages/services/agent-service/src/infrastructure/engines/claude-api/claude-api-engine.ts
index 956eb3f..7ad284f 100644
--- a/packages/services/agent-service/src/infrastructure/engines/claude-api/claude-api-engine.ts
+++ b/packages/services/agent-service/src/infrastructure/engines/claude-api/claude-api-engine.ts
@@ -47,6 +47,9 @@ export class ClaudeApiEngine implements AgentEnginePort {
     }
 
     const baseURL = this.configService.get<string>('ANTHROPIC_BASE_URL');
+    if (baseURL) {
+      process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+    }
     const client = new Anthropic({ apiKey, ...(baseURL ? { baseURL } : {}) });
 
     const abortController = new AbortController();
@@ -230,7 +233,10 @@ export class ClaudeApiEngine implements AgentEnginePort {
       if (!apiKey) return false;
 
       const baseURL = this.configService.get<string>('ANTHROPIC_BASE_URL');
-    const client = new Anthropic({ apiKey, ...(baseURL ? { baseURL } : {}) });
+      if (baseURL) {
+        process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+      }
+      const client = new Anthropic({ apiKey, ...(baseURL ? { baseURL } : {}) });
 
       // Make a minimal API call to verify connectivity
       const response = await client.messages.create({