#20578: feat(browser): add proxy configuration option
docs
size: L
Cluster: SSRF Protection Enhancements
## `feat(browser): add proxy configuration option`
### Summary
Adds native proxy support to the browser tool. Users can route all browser traffic through HTTP, HTTPS, or SOCKS5 proxy servers via config.
### What changed
**Config** (`browser.proxy`):
```json5
{
  browser: {
    proxy: "http://127.0.0.1:7890",
    profiles: {
      work: { proxy: "socks5://work-proxy:1080" }
    }
  }
}
```
**Authenticated proxies** — credentials in the URL are stripped before `--proxy-server` and injected via CDP `Fetch.authRequired`:
```json5
{ browser: { proxy: "http://user:pass@proxy.example.com:8080" } }
```
**Per-profile overrides** — profile proxy falls back to global when not set.
### Files changed (7)
| File | Change |
|---|---|
| `src/config/types.browser.ts` | `proxy?: string` on `BrowserConfig` + `BrowserProfileConfig` |
| `src/config/zod-schema.ts` | `proxy` + `extraArgs` added to Zod schema (extraArgs was in TS type but missing from schema — `.strict()` rejected it; required for proxy to pass validation) |
| `src/browser/config.ts` | `parseProxyUrl()` with scheme validation, credential extraction, port check. Per-profile fallback to global. |
| `src/browser/chrome.ts` | `--proxy-server` arg injection + `setupCdpProxyAuth()` for authenticated proxies via browser-level CDP |
| `src/browser/config.test.ts` | Proxy config resolution tests: scheme validation, credential extraction, profile inheritance, edge cases |
| `src/browser/chrome.proxy-launch.test.ts` | Launch-layer tests: `--proxy-server` arg injection, credential stripping, profile override |
| `docs/tools/browser.md` | Proxy configuration docs with auth and per-profile examples |
### Why CDP for auth?
Chrome's `--proxy-server` silently ignores inline credentials (`user:pass@host`). When a proxy returns 407, we intercept it via CDP `Fetch.authRequired` and respond with the configured credentials. This is the same underlying mechanism Puppeteer uses for `page.authenticate()`, extended to the browser level via `Target.setAutoAttach` so it covers all tabs automatically.
### Testing
- `pnpm build && pnpm check && pnpm test` — all pass
- Unit tests for proxy config resolution (scheme validation, credential extraction, profile inheritance, edge cases)
- Launch-layer tests for `--proxy-server` arg injection and credential stripping
- Manually verified with HTTP (no-auth), HTTP (auth), and SOCKS5 (auth) proxies
### AI disclosure
- **AI-assisted:** Claude + Codex
- **Testing degree:** fully tested (`pnpm build && pnpm check && pnpm test` + targeted proxy unit/launch tests + manual proxy verification)
- **Prompts/session logs:** available on request
- **Human review:** I reviewed all changes and understand the implementation
Closes #8079
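Added example (not code from this PR): one way to do the scheme validation, port check and credential stripping that the description attributes to `parseProxyUrl()`. The names `splitProxyUrl`, `ProxySettings` and `chromeProxyArg` are hypothetical, and rejecting port 0 is an assumption about what the port check covers.

```typescript
// Added example with hypothetical names; this is not the PR's parseProxyUrl().
const ALLOWED_SCHEMES = new Set(["http:", "https:", "socks5:"]);

interface ProxySettings {
  server: string; // credential-free; the only form that may reach argv or logs
  credentials?: { username: string; password: string };
}

function splitProxyUrl(raw: string): ProxySettings {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    // Never echo `raw` in errors: it may contain the proxy password.
    throw new Error("browser.proxy: not a valid URL");
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    throw new Error(`browser.proxy: unsupported scheme "${url.protocol}"`);
  }
  if (!url.hostname) throw new Error("browser.proxy: missing host");
  if (url.port === "0") throw new Error("browser.proxy: port 0 is not usable");

  // url.host is hostname[:port] without userinfo; URL() already rejected ports > 65535.
  const settings: ProxySettings = { server: `${url.protocol}//${url.host}` };
  if (url.username || url.password) {
    try {
      // userinfo is percent-encoded in the URL; the proxy expects the decoded form.
      settings.credentials = {
        username: decodeURIComponent(url.username),
        password: decodeURIComponent(url.password),
      };
    } catch {
      throw new Error("browser.proxy: malformed percent-encoding in credentials");
    }
  }
  return settings;
}

// Chrome receives only the stripped value; credentials travel over CDP instead.
function chromeProxyArg(settings: ProxySettings): string {
  return `--proxy-server=${settings.server}`;
}
```

Because the process argument list is readable by other local users on many systems, the stripped `server` string is the only form that should appear in `argv`, logs or error messages.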
### Greptile Summary
Adds native proxy support to the browser tool with HTTP, HTTPS, and SOCKS5 protocol support. Proxy credentials are extracted from URLs and injected via CDP's Fetch domain to handle 407 authentication challenges, since Chrome's `--proxy-server` doesn't support inline credentials. The implementation includes per-profile proxy overrides with proper fallback to global config, comprehensive test coverage for config resolution and launch behavior, and clear documentation with security notes.
**Key changes:**
- Config validation via `parseProxyUrl()` with scheme validation, credential extraction, and port checking
- CDP-based proxy authentication via `setupCdpProxyAuth()` that attaches to all page targets
- Per-profile proxy inheritance with credential override support
- Full test coverage: 17 config tests + 2 launch tests covering schemes, credentials, inheritance, and edge cases
**Issue found:**
- CDP WebSocket in `setupCdpProxyAuth` lacks error handling and is never cleaned up (see inline comment)
### Confidence Score: 4/5
- Safe to merge with one WebSocket cleanup issue that should be addressed
- Implementation is well-designed with proper credential handling, comprehensive tests (19 total), and good documentation. The CDP-based auth approach correctly handles Chrome's limitation with inline proxy credentials. However, the WebSocket connection in setupCdpProxyAuth lacks error handling and cleanup, which could cause resource leaks during long browser sessions. This is a minor issue that doesn't affect core functionality but should be fixed.
- Pay attention to src/browser/chrome.ts (WebSocket lifecycle management)
<sub>Last reviewed commit: 78eccb7</sub>
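Added example (not the PR's `setupCdpProxyAuth()`): a handler for the CDP events involved that hands credentials only to proxy-originated challenges and releases its socket on error, the lifecycle gap the review flags. `CdpSocket`, `replyFor` and `attachProxyAuth` are hypothetical names; it assumes a dedicated CDP connection in flat session mode on which `Fetch.enable` with `handleAuthRequests: true` has already been sent.

```typescript
// Added example with hypothetical names; not the PR's setupCdpProxyAuth().
type Creds = { username: string; password: string };

interface CdpSocket {
  send(data: string): void;
  close(): void;
  on(event: "message" | "error" | "close", cb: (data?: unknown) => void): void;
}

// Build the CDP command answering one event, or null if no answer is needed.
function replyFor(msg: any, creds: Creds, id: number): object | null {
  const base = { id, sessionId: msg.sessionId };
  const requestId = msg.params?.requestId;
  if (msg.method === "Fetch.requestPaused") {
    // Fetch.enable without patterns pauses every request; let it proceed.
    return { ...base, method: "Fetch.continueRequest", params: { requestId } };
  }
  if (msg.method !== "Fetch.authRequired") return null;
  // Only a proxy challenge (407) gets the proxy credentials. A 401 from an
  // origin server falls back to default handling so nothing leaks to it.
  const fromProxy = msg.params.authChallenge?.source === "Proxy";
  const authChallengeResponse = fromProxy
    ? { response: "ProvideCredentials", ...creds }
    : { response: "Default" };
  return { ...base, method: "Fetch.continueWithAuth",
           params: { requestId, authChallengeResponse } };
}

// Wire the handler to a socket; returns an idempotent cleanup function.
function attachProxyAuth(sock: CdpSocket, creds: Creds): () => void {
  let open = true;
  let nextId = 0;
  const detach = () => {
    if (!open) return;
    open = false;
    sock.close();
  };
  sock.on("message", (data) => {
    if (!open) return;
    try {
      const reply = replyFor(JSON.parse(String(data)), creds, ++nextId);
      if (reply) sock.send(JSON.stringify(reply));
    } catch {
      detach(); // unparsable frame or failed send: release the connection
    }
  });
  sock.on("error", detach);
  sock.on("close", () => { open = false; });
  return detach;
}
```

The caller keeps the returned function and invokes it when the browser process exits, so the socket does not outlive the session.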
Most Similar PRs
#16144: fix: respect HTTP_PROXY/HTTPS_PROXY in SSRF-protected fetch (#2102)
by battman21 · 2026-02-14
74.8%
#15923: feat: add proxy support for web_search tool
by Shuai-DaiDai · 2026-02-14
74.4%
#16897: fix(tools): route web_search requests through HTTP proxy env vars
by battman21 · 2026-02-15
74.2%
#15304: feat(browser): add browser-use no-relay profile driver
by rajanrengasamy · 2026-02-13
74.0%
#14944: fix(browser): prefer openclaw profile in headless/noSandbox environ...
by BenediktSchackenberg · 2026-02-12
72.1%
#22952: fix(browser): suggest remote profile when local Chrome is not insta...
by dashed · 2026-02-21
72.1%
#16060: fix(browser): require relay auth token for /extension WebSocket and...
by coygeek · 2026-02-14
70.8%
#9020: fix(browser): skip port ownership and WS reachability checks for re...
by yepack · 2026-02-04
70.5%
#8571: fix: support system proxy in web_fetch SSRF dispatcher
by Asura-2010 · 2026-02-04
70.4%
#21159: fix(security): harden data exposure controls
by novalis133 · 2026-02-19
70.3%