Skip to content

docs(corp-network): document shell no_proxy overriding .env (the #1 trap)#543

Merged
SoundMindsAI merged 2 commits into
mainfrom
claude/error-resolution-nx62qu
Jun 17, 2026
Merged

docs(corp-network): document shell no_proxy overriding .env (the #1 trap)#543
SoundMindsAI merged 2 commits into
mainfrom
claude/error-resolution-nx62qu

Conversation

@SoundMindsAI

@SoundMindsAI SoundMindsAI commented Jun 17, 2026

Copy link
Copy Markdown
Owner

Why

A real corp-firewall install (Fidelity) lost hours to a subtle trap: the operator correctly added the Compose service names to no_proxy in .env, recreated the containers — and the engines were still unreachable (seed skipped every scenario, docker compose exec api env | grep no_proxy showed the corporate value without the service names).

Root cause: Docker Compose resolves ${no_proxy:-} from the shell environment first, and only falls back to .env when the shell doesn't define it. Corporate-managed machines export no_proxy/http_proxy globally (~/.zshrc, /etc/profile, MDM), so the shell value wins and the .env edit is silently ignored. Verified empirically (docker compose config: shell no_proxy overrides .env).

This is the #1 "I set it but it didn't take" cause for corp installs, and nothing documented it.

Changes

  • corporate-network-install.md (the symptom-first FAQ):
    • New §7 — shell no_proxy overrides .env (symptom / cause / fix / verify), establishing docker compose exec api env | grep no_proxy as the authoritative check (not the .env file).
    • Decision-tree entry under "make up succeeds, but…".
    • Callouts from §3 (where we tell people to set no_proxy in .env) and §4 (worker-unhealthy fix).
  • .env.example: ⚠️ note in the proxy section that a shell-exported no_proxy overrides the file, with the verify command + §7 pointer.
  • scripts/seed_meaningful_demos.py: the corp-proxy hint (from feat(seed): point engine-unreachable at no_proxy fix behind a corp proxy #542) now adds an "if you already added these to .env, a shell-exported no_proxy is overriding it" note with the export no_proxy=… recipe and §7 reference — it fires precisely when the operator has likely already edited .env.
  • Test asserts the hint calls out the shell-override trap + §7.

Verification

mypy --strict clean (622 files); full seed unit suite green (288 passed); ruff clean. The runbook is not a generated-guide artifact, so no freshness gate applies.

🤖 Generated with Claude Code

https://claude.ai/code/session_01MtJPQEjFqk3eipSiq8R6iS

Generated by Claude Code

@claude
docs(corp-network): document shell no_proxy overriding .env (the #1 t…
ed90ec9 
…rap)

A real corp-firewall install lost hours to this: the operator correctly added
the Compose service names to no_proxy in .env, but Docker Compose resolves
`${no_proxy:-}` from the SHELL environment first and only falls back to .env
when the shell doesn't define it. Corporate machines export no_proxy globally
(~/.zshrc, /etc/profile, MDM), so that value wins and the .env edit is silently
ignored — engines read as unreachable, worker stays unhealthy, seed skips every
scenario, all despite a correct .env.

- corporate-network-install.md: new §7 (symptom/cause/fix/verify), decision-tree
  entry, and callouts from §3 (where we tell people to set no_proxy in .env) and
  §4. Authoritative check is `docker compose exec api env | grep no_proxy`, not
  the .env file.
- .env.example: ⚠️ note in the proxy section that the shell overrides this file.
- seed_meaningful_demos.py: the corp-proxy hint now adds a 'if you already added
  these to .env, a shell-exported no_proxy is overriding it' note with the
  `export no_proxy=...` recipe and §7 reference — it fires precisely when the
  operator has likely already edited .env.
- Test asserts the hint calls out the shell-override trap + §7.

Verified the precedence empirically (docker compose config: shell no_proxy wins
over .env). Docs-only + hint text; mypy clean, full seed suite green.

Signed-off-by: Claude <noreply@anthropic.com>
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 17, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces documentation, warning messages, and test coverage addressing a common issue where host shell environment variables (specifically no_proxy) override settings defined in the .env file, causing Docker Compose to silently ignore them. The feedback suggests correcting a technical inaccuracy regarding uppercase NO_PROXY resolution in the runbook, and wrapping an export command in backticks within the python script's console hint for better formatting and consistency.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread docs/03_runbooks/corporate-network-install.md Outdated
Comment thread scripts/seed_meaningful_demos.py Outdated
@claude
docs(corp-network): clarify lowercase no_proxy override + backtick th…
2a54d4c 
…e export hint

Adopt two Gemini review findings on PR #543:
- Runbook §7: docker-compose.yml interpolates ${no_proxy} (lowercase) for both
  no_proxy/NO_PROXY container vars, and .env defines lowercase no_proxy — so only
  a non-empty LOWERCASE no_proxy in the shell triggers the override; an
  uppercase-only NO_PROXY still lets .env win. Corrected the 'if either is
  non-empty' overstatement and annotated the echo checks accordingly.
- Seed hint: wrap the `export no_proxy=...` command in backticks (matching the
  other commands) and drop the trailing em-dash to avoid copy-paste errors.

Signed-off-by: Claude <noreply@anthropic.com>
@SoundMindsAI Claude

SoundMindsAI commented Jun 17, 2026

Copy link
Copy Markdown
Owner Author

Pre-merge review adjudication

CI: green on 2a54d4c (coverage gate is the final ~20s follow-on; all 18 substantive jobs pass — both docker buildx, backend unit + contract + integration, frontend, CodeQL, gitleaks, DCO, license, freshness gates). smoke skipped as expected. No merge-skew (base is current main @ bb52cda).

Cross-model review: Opus self-review (GPT-5.5 unreachable in the remote sandbox). Gemini Code Assist reviewed; both findings adjudicated below, both threads resolved.

# Reviewer Severity Finding Verdict Resolution
1 gemini-code-assist medium §7 overstated the trap — only a non-empty lowercase no_proxy in the shell triggers it (Compose interpolates ${no_proxy} lowercase; uppercase-only NO_PROXY still lets .env win). Accept Added the lowercase clarification + annotated the echo checks. 2a54d4c
2 gemini-code-assist medium The export command in the seed hint wasn't backtick-wrapped (copy-paste risk w/ trailing em-dash). Accept Backtick-wrapped the command, dropped the em-dash. 2a54d4c

Merging via squash once the coverage gate finishes.

Generated by Claude Code

@SoundMindsAI SoundMindsAI merged commit 20f190a into main Jun 17, 2026
20 checks passed
@SoundMindsAI SoundMindsAI deleted the claude/error-resolution-nx62qu branch June 17, 2026 11:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SoundMindsAI @claude