Add codeforge proxy command for mitmproxy traffic inspection

New CLI command that launches Claude Code through mitmweb, enabling
raw API request/response inspection via a browser UI. Auto-installs
mitmproxy via pipx, manages CA certificate trust, and cleans up on exit.

Usage: codeforge proxy [--setup] [--no-web] [-- <claude-args>]

Author: AnExiledDev

cli/src/commands/proxy.ts

@@ -0,0 +1,132 @@
+import chalk from "chalk";
+import type { Command } from "commander";
+import { isInsideContainer } from "../utils/context.js";
+import {
+	ensureCaCert,
+	findMitmproxy,
+	installCaToSystem,
+	installMitmproxy,
+	isCaInstalled,
+	isPortInUse,
+	launchClaude,
+	startMitmdump,
+	startMitmweb,
+} from "../utils/mitmproxy.js";
+
+export function registerProxyCommand(parent: Command): void {
+	parent
+		.command("proxy")
+		.description("Launch Claude Code through mitmproxy for traffic inspection")
+		.option("--proxy-port <port>", "mitmproxy listen port", "8080")
+		.option("--web-port <port>", "mitmweb UI port", "8081")
+		.option("--web-host <host>", "mitmweb bind address", "0.0.0.0")
+		.option("--setup", "Install mitmproxy and CA certificate only")
+		.option("--no-web", "Use mitmdump instead of mitmweb (headless)")
+		.allowUnknownOption(true)
+		.allowExcessArguments(true)
+		.action(async (options) => {
+			try {
+				if (!isInsideContainer()) {
+					console.error(
+						`${chalk.red("✗")} codeforge proxy must be run inside a devcontainer.`,
+					);
+					console.error(
+						"  Use `codeforge container shell` to enter a container first.",
+					);
+					process.exit(1);
+				}
+
+				if (!findMitmproxy()) {
+					console.error(
+						`${chalk.yellow("⚡")} mitmproxy not found. Installing via pipx...`,
+					);
+					await installMitmproxy();
+					if (!findMitmproxy()) {
+						console.error(`${chalk.red("✗")} Failed to install mitmproxy.`);
+						process.exit(1);
+					}
+				}
+
+				const caCertPath = await ensureCaCert();
+				if (!isCaInstalled()) {
+					console.error(
+						`${chalk.yellow("⚡")} Installing CA certificate to system trust store...`,
+					);
+					await installCaToSystem(caCertPath);
+				}
+
+				if (options.setup) {
+					console.error(
+						`${chalk.green("✓")} mitmproxy and CA certificate are ready.`,
+					);
+					process.exit(0);
+				}
+
+				const proxyPort = parseInt(options.proxyPort, 10);
+				const webPort = parseInt(options.webPort, 10);
+				const webHost: string = options.webHost;
+
+				if (isNaN(proxyPort) || isNaN(webPort)) {
+					console.error(`${chalk.red("✗")} Invalid port number.`);
+					process.exit(1);
+				}
+
+				if (await isPortInUse(proxyPort)) {
+					console.error(
+						`${chalk.red("✗")} Port ${proxyPort} is already in use.`,
+					);
+					process.exit(1);
+				}
+				if (options.web && (await isPortInUse(webPort))) {
+					console.error(`${chalk.red("✗")} Port ${webPort} is already in use.`);
+					process.exit(1);
+				}
+
+				const dashDashIndex = process.argv.indexOf("--");
+				const claudeArgs =
+					dashDashIndex !== -1 ? process.argv.slice(dashDashIndex + 1) : [];
+
+				let proxyProc;
+				if (options.web) {
+					proxyProc = startMitmweb({ proxyPort, webPort, webHost });
+					console.error(
+						`${chalk.green("✓")} mitmweb UI: http://localhost:${webPort}`,
+					);
+				} else {
+					proxyProc = startMitmdump({ proxyPort });
+					console.error(
+						`${chalk.green("✓")} mitmdump running (traffic logged to terminal)`,
+					);
+				}
+				console.error(
+					`${chalk.green("✓")} Proxy listening on port ${proxyPort}`,
+				);
+
+				const cleanup = () => {
+					try {
+						proxyProc.kill();
+					} catch {}
+				};
+				process.on("SIGINT", () => {
+					cleanup();
+					process.exit(130);
+				});
+				process.on("SIGTERM", () => {
+					cleanup();
+					process.exit(143);
+				});
+
+				console.error(
+					`${chalk.blue("→")} Launching Claude Code through proxy...\n`,
+				);
+				const exitCode = await launchClaude(claudeArgs, proxyPort, caCertPath);
+
+				cleanup();
+				process.exit(exitCode);
+			} catch (err) {
+				const message = err instanceof Error ? err.message : String(err);
+				console.error(`${chalk.red("✗")} ${message}`);
+				process.exit(1);
+			}
+		});
+}

cli/src/index.ts

@@ -23,6 +23,7 @@ import { registerPluginHooksCommand } from "./commands/plugin/hooks.js";
 import { registerPluginListCommand } from "./commands/plugin/list.js";
 import { registerPluginShowCommand } from "./commands/plugin/show.js";
 import { registerPluginSkillsCommand } from "./commands/plugin/skills.js";
+import { registerProxyCommand } from "./commands/proxy.js";
 import { registerListCommand } from "./commands/session/list.js";
 import { registerSearchCommand } from "./commands/session/search.js";
 import { registerShowCommand } from "./commands/session/show.js";
@@ -100,6 +101,8 @@ registerContainerExecCommand(container);
 registerContainerLsCommand(container);
 registerContainerShellCommand(container);
 
+registerProxyCommand(program);
+
 // Proxy middleware: when outside container and not --local, proxy existing commands into container
 program.hook("preAction", async (_thisCommand, actionCommand) => {
 	const opts = program.opts();
@@ -112,7 +115,7 @@ program.hook("preAction", async (_thisCommand, actionCommand) => {
 	while (cmd.parent && cmd.parent !== program) {
 		cmd = cmd.parent;
 	}
-	if (cmd.name() === "container") return;
+	if (cmd.name() === "container" || cmd.name() === "proxy") return;
 
 	// Proxy into running container
 	try {

cli/src/utils/mitmproxy.ts

@@ -0,0 +1,181 @@
+import type { Subprocess } from "bun";
+import { existsSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+
+/**
+ * Check if mitmweb is available on PATH.
+ * Returns the path if found, null otherwise.
+ */
+export function findMitmproxy(): string | null {
+	const result = Bun.spawnSync(["which", "mitmweb"], {
+		stdout: "pipe",
+		stderr: "pipe",
+	});
+	if (result.exitCode === 0) {
+		return new TextDecoder().decode(result.stdout).trim();
+	}
+	return null;
+}
+
+/**
+ * Install mitmproxy via pipx.
+ */
+export async function installMitmproxy(): Promise<void> {
+	const proc = Bun.spawn(["pipx", "install", "mitmproxy"], {
+		stdout: "inherit",
+		stderr: "inherit",
+	});
+	const exitCode = await proc.exited;
+	if (exitCode !== 0) {
+		throw new Error("Failed to install mitmproxy via pipx.");
+	}
+}
+
+/**
+ * Ensure the mitmproxy CA certificate exists.
+ * If it doesn't, briefly run mitmdump to trigger generation.
+ * Returns the absolute path to the CA cert PEM.
+ */
+export async function ensureCaCert(): Promise<string> {
+	const certPath = join(homedir(), ".mitmproxy", "mitmproxy-ca-cert.pem");
+	if (existsSync(certPath)) {
+		return certPath;
+	}
+
+	const proc = Bun.spawn(["mitmdump", "-q"], {
+		stdout: "pipe",
+		stderr: "pipe",
+	});
+	await new Promise((resolve) => setTimeout(resolve, 2000));
+	proc.kill();
+
+	if (!existsSync(certPath)) {
+		throw new Error(
+			`CA certificate was not generated at ${certPath}. Is mitmproxy installed correctly?`,
+		);
+	}
+	return certPath;
+}
+
+/**
+ * Check if the mitmproxy CA is installed in the system trust store.
+ */
+export function isCaInstalled(): boolean {
+	return existsSync("/usr/local/share/ca-certificates/mitmproxy.crt");
+}
+
+/**
+ * Install the mitmproxy CA cert to the system trust store.
+ * Prints a warning instead of throwing if update-ca-certificates fails.
+ */
+export async function installCaToSystem(certPath: string): Promise<void> {
+	const cp = Bun.spawn(
+		["sudo", "cp", certPath, "/usr/local/share/ca-certificates/mitmproxy.crt"],
+		{ stdout: "pipe", stderr: "pipe" },
+	);
+	if ((await cp.exited) !== 0) {
+		console.error(
+			"Warning: failed to copy CA cert. Run manually:\n  sudo cp " +
+				certPath +
+				" /usr/local/share/ca-certificates/mitmproxy.crt && sudo update-ca-certificates",
+		);
+		return;
+	}
+
+	const update = Bun.spawn(["sudo", "update-ca-certificates"], {
+		stdout: "pipe",
+		stderr: "pipe",
+	});
+	if ((await update.exited) !== 0) {
+		console.error(
+			"Warning: update-ca-certificates failed. Run manually:\n  sudo update-ca-certificates",
+		);
+	}
+}
+
+/**
+ * Start mitmweb as a background process.
+ */
+export function startMitmweb(opts: {
+	proxyPort: number;
+	webPort: number;
+	webHost: string;
+}): Subprocess {
+	return Bun.spawn(
+		[
+			"mitmweb",
+			"--mode",
+			"regular",
+			"--listen-port",
+			String(opts.proxyPort),
+			"--web-host",
+			opts.webHost,
+			"--web-port",
+			String(opts.webPort),
+			"--set",
+			"connection_strategy=lazy",
+			"--set",
+			"web_password=123",
+		],
+		{ stdout: "pipe", stderr: "pipe" },
+	);
+}
+
+/**
+ * Start mitmdump with output to the terminal.
+ */
+export function startMitmdump(opts: { proxyPort: number }): Subprocess {
+	return Bun.spawn(
+		[
+			"mitmdump",
+			"--mode",
+			"regular",
+			"--listen-port",
+			String(opts.proxyPort),
+			"--set",
+			"connection_strategy=lazy",
+		],
+		{ stdout: "inherit", stderr: "inherit" },
+	);
+}
+
+/**
+ * Launch claude with proxy env vars. Returns the exit code.
+ */
+export async function launchClaude(
+	args: string[],
+	proxyPort: number,
+	caCertPath: string,
+): Promise<number> {
+	const existingNodeOptions = process.env.NODE_OPTIONS ?? "";
+	const nodeOptions = existingNodeOptions
+		? `${existingNodeOptions} --use-system-ca`
+		: "--use-system-ca";
+
+	const cmd = args.length > 0 ? ["claude", ...args] : ["claude"];
+	const proc = Bun.spawn(cmd, {
+		stdout: "inherit",
+		stderr: "inherit",
+		stdin: "inherit",
+		env: {
+			...process.env,
+			HTTPS_PROXY: `http://127.0.0.1:${proxyPort}`,
+			NODE_EXTRA_CA_CERTS: caCertPath,
+			NODE_OPTIONS: nodeOptions,
+		},
+	});
+	return proc.exited;
+}
+
+/**
+ * Check if a port is currently in use.
+ */
+export async function isPortInUse(port: number): Promise<boolean> {
+	const proc = Bun.spawn(["lsof", "-i", `:${port}`], {
+		stdout: "pipe",
+		stderr: "pipe",
+	});
+	const exitCode = await proc.exited;
+	return exitCode === 0;
+}