The Upstream Proxy: How Claude Code Intercepts Subprocess HTTP Traffic

When Claude Code runs in a cloud container, every subprocess it spawns — curl, gh, python, kubectl — needs to reach external services. But the container sits behind an organization's security perimeter. The org needs to inject credentials (API keys, auth headers) into outbound HTTPS requests, log traffic for compliance, and block unauthorized endpoints. The subprocess doesn't know any of this. It just wants to curl https://api.datadog.com. The naive solution: configure a corporate proxy and tru