feat(ai): add proxy and custom CA support for enterprise environments

[himanshu2394i]

What

Add enterprise-grade HTTP client support for AI providers, including:

• Explicit proxy configuration support
• Custom CA certificate loading
• Shared reusable HTTP client for Anthropic, OpenAI, and Ollama providers
• Improved TLS verification error messages
• Configurable AI request timeout support

Why

Fixes #47

AI features are a core differentiator for Kerno, but enterprise deployments often route outbound HTTPS traffic through TLS-inspecting corporate proxies using custom root CAs. Without configurable proxy and CA support, AI integrations fail in regulated and Fortune 500 environments.

How

• Added internal/ai/http_client.go to centralize HTTP client creation
• Added support for:
  • ai.proxy
  • ai.ca_cert_file
  • ai.insecure_skip_verify
  • ai.timeout
• Preserved support for standard proxy environment variables:
  • HTTPS_PROXY
  • HTTP_PROXY
  • NO_PROXY
• Appended custom CA certificates to the system trust store instead of replacing it
• Updated Anthropic, OpenAI, and Ollama providers to use the shared HTTP client
• Added actionable TLS verification error formatting for enterprise debugging
• Added tests covering:
  • TLS verification failures
  • custom CA trust
  • proxy configuration
  • insecure skip verify behavior

Testing

• go build ./... passes

• go test ./... passes

• go vet ./... passes

• golangci-lint run ./... passes

• Tested locally with: go test ./internal/ai/... -v

• N/A — pure docs/refactor

Checklist

• PR title follows Conventional Commits (feat(scope): subject)
• All commits are DCO-signed (git commit -s)
• Documentation updated where user-visible behavior changed
• Added/updated tests for new code paths

[github-actions]

🚀 First PR — welcome aboard!

A few things to expect:

1. CI: every PR runs build + race tests + lint + (eventually) the kernel matrix. If something fails, the log will tell you exactly which gate.
2. DCO: every commit needs Signed-off-by: — git commit -s adds it automatically.
3. Conventional Commits: PR titles like feat(doctor): add new rule or fix(bpf): handle X. We squash-merge by default.
4. Review: a maintainer will review within 72 hours. Suggestions are conversations, not orders — push back if something doesn't fit your context.

If you get stuck, reply here or jump to Discussions. We want this PR to land.

[himanshu2394i]

@btwshivam Can you review it?

[btwshivam]

the http client and config are solid, but the new fields are never wired into the real providers, so custom CA, proxy, and timeout do nothing in production. thread them through buildAnalyzer and explain, details inline.

[btwshivam]

these new fields are never populated by the real callers. buildAnalyzer (doctor.go:413) and explain.go:88 both build ProviderConfig{Name, Model, APIKey, Endpoint, MaxTokens, Temperature} and don't copy aiCfg.Timeout / Proxy / CACertFile / InsecureSkipVerify, and this PR doesn't touch either file. so every provider gets the zero values: Timeout: 0 (no timeout), CACertFile: "" (custom CA does nothing), Proxy: "". the headline #47 features are dead through the only paths that build providers. your tests pass because they call NewHTTPClient directly with explicit args. add the four fields to both ProviderConfig literals.

[btwshivam]

CA load failures are swallowed here. if os.ReadFile errors or AppendCertsFromPEM returns false (bad path, wrong perms, malformed PEM), the function silently keeps the system pool and returns a client as if nothing happened. the operator then gets a confusing TLS failure with no hint the CA was never loaded. Validate os.Stats the file but doesn't parse it. since NewHTTPClient can't return an error today, either change the signature to return one, or validate the PEM in config so a bad cert fails fast.

[btwshivam]

#47 asked for proxy and custom CA, not a TLS-verification bypass. insecure_skip_verify is a footgun in a tool that runs as root, and it's not in the issue's scope. the nolint and the "local/dev" comment don't change that someone sets it in prod and forgets. drop it, or raise it on #47 first.

[btwshivam]

any updates?