Proxy & Network
Configure how the local agent and the portal reach the outside world. Set under Portal → Settings → Proxy & Network.
Two layers, two configs
The portal and the agent are separate processes with separate network paths:
| Process | Outbound to | How to configure proxy |
|---|---|---|
| Browser (portal UI) | xyva.ai, your AI provider (when you use the AI Status panel) | OS / browser proxy settings |
| Local agent | AI provider, GitHub/GitLab APIs, your test target, the portal WSS bridge | HTTPS_PROXY env var on the agent process |
For most corporate networks, setting HTTPS_PROXY on the agent's terminal session is sufficient:
```bash
export HTTPS_PROXY=http://proxy.corp.example:3128
export NO_PROXY=localhost,127.0.0.1
npx @xyva/agent start --project .
```
Allowed origins
The portal maintains an allow-list for outbound calls (AI providers, MCP endpoints). Edit under Settings → Proxy & Network → Allowed Origins:
- Defaults include all officially supported AI providers
- Add custom origins for AI Proxy or in-house LLM endpoints
- Removing an origin blocks all calls to it on the next agent reconnect
TLS interception (corporate CA)
If your network injects a corporate root CA, point the agent at the bundle:
```bash
export NODE_EXTRA_CA_CERTS=/path/to/corp-ca.pem
npx @xyva/agent start --project .
```
The portal browser tab will already trust the CA via the OS trust store.
Bridge port
The agent listens on 127.0.0.1:7900 by default. Change with --port:
```bash
npx @xyva/agent start --project . --port 7902
```
The portal probes /health on that port before opening the WebSocket.
Troubleshooting
| Symptom | Fix |
|---|---|
| Agent can't reach AI provider | Set HTTPS_PROXY and NO_PROXY, verify with curl |
| unable to verify the first certificate | Set NODE_EXTRA_CA_CERTS to your corp CA bundle |
| Bridge connection refused | Wrong port; check --port and update in the portal agent badge |
| Proxy works for portal but not agent | Browser proxy is separate from the agent — set the env var explicitly |
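
A preflight for the terminal session that starts the agent, covering the proxy, CA bundle and bridge-port settings above; this is an added example, not xyva code. The function names are hypothetical, plain HTTP on the /health probe is assumed, and the NODE_TLS_REJECT_UNAUTHORIZED check goes beyond what this page mentions.

```shell
# Added example, not xyva code. Function names are hypothetical.

# Succeeds if comma-separated list $1 contains host $2 as an exact entry.
no_proxy_has() {
  case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Prints how many PEM certificates file $1 holds (0 if missing or unreadable).
pem_cert_count() {
  [ -f "$1" ] && [ -r "$1" ] || { echo 0; return; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Prints one finding per line; succeeds only when there are no FAIL lines.
agent_preflight() {
  findings=0
  case "${HTTPS_PROXY:-}" in
    '') echo "INFO HTTPS_PROXY unset: agent connects directly" ;;
    http://?*|https://?*)
      # Loopback must bypass the proxy, as in the NO_PROXY example above.
      for h in localhost 127.0.0.1; do
        no_proxy_has "${NO_PROXY:-}" "$h" ||
          { echo "FAIL NO_PROXY is missing $h"; findings=$((findings + 1)); }
      done ;;
    *) echo "FAIL HTTPS_PROXY needs an http:// or https:// scheme"
       findings=$((findings + 1)) ;;
  esac
  if [ -n "${NODE_EXTRA_CA_CERTS:-}" ] &&
     [ "$(pem_cert_count "$NODE_EXTRA_CA_CERTS")" -eq 0 ]; then
    echo "FAIL NODE_EXTRA_CA_CERTS has no readable PEM certificate"
    findings=$((findings + 1))
  fi
  # Turning verification off hides interception instead of trusting the CA.
  if [ "${NODE_TLS_REJECT_UNAUTHORIZED:-1}" = 0 ]; then
    echo "FAIL NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate checks"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Probes the bridge on loopback, bypassing any proxy. Plain HTTP is assumed.
bridge_health() {
  curl -fsS --noproxy '*' --max-time 3 "http://127.0.0.1:${1:-7900}/health"
}
```

Run `agent_preflight` in the same session before `npx @xyva/agent start`, and `bridge_health 7902` once the agent is up on a non-default port.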
