feat(python): add enterprise HTTP configuration support

Implement HttpConfig dataclass for enterprise SSL/proxy configuration:

- Add HttpConfig with verify, proxy, timeout, no_proxy attributes
- Implement from_env() for auto-detection from environment variables
- Support HTTPS_PROXY, SSL_CERT_FILE, REQUESTS_CA_BUNDLE, NO_PROXY
- Add get_httpx_kwargs() for seamless httpx integration
- Update all 8 Python providers to accept http_config parameter
- Include security warnings when SSL verification is disabled

Enables zero-config enterprise deployments via environment variables.

Author: saschabuehrle

cascadeflow/providers/anthropic.py

@@ -9,7 +9,7 @@
 import httpx
 
 from ..exceptions import ModelError, ProviderError
-from .base import BaseProvider, ModelResponse, RetryConfig
+from .base import BaseProvider, HttpConfig, ModelResponse, RetryConfig
 
 # ==============================================================================
 # REASONING MODEL SUPPORT
@@ -170,19 +170,43 @@ class AnthropicProvider(BaseProvider):
         ...         print(f"Args: {tool_call['arguments']}")
     """
 
-    def __init__(self, api_key: Optional[str] = None, retry_config: Optional[RetryConfig] = None):
+    def __init__(
+        self,
+        api_key: Optional[str] = None,
+        retry_config: Optional[RetryConfig] = None,
+        http_config: Optional[HttpConfig] = None,
+    ):
         """
-        Initialize Anthropic provider with automatic retry logic.
+        Initialize Anthropic provider with automatic retry logic and enterprise HTTP support.
 
         Args:
             api_key: Anthropic API key. If None, reads from ANTHROPIC_API_KEY env var.
             retry_config: Custom retry configuration (optional). If None, uses defaults:
                 - max_attempts: 3
                 - initial_delay: 1.0s
                 - rate_limit_backoff: 30.0s
+            http_config: HTTP configuration for SSL/proxy (default: auto-detect from env).
+                Supports:
+                - Custom CA bundles (SSL_CERT_FILE, REQUESTS_CA_BUNDLE)
+                - Proxy servers (HTTPS_PROXY, HTTP_PROXY)
+                - SSL verification control
+
+        Example:
+            # Auto-detect from environment (default)
+            provider = AnthropicProvider()
+
+            # Corporate environment with custom CA bundle
+            provider = AnthropicProvider(
+                http_config=HttpConfig(verify="/path/to/corporate-ca.pem")
+            )
+
+            # With proxy
+            provider = AnthropicProvider(
+                http_config=HttpConfig(proxy="http://proxy.corp.com:8080")
+            )
         """
-        # Call parent init to load API key, check logprobs support, and setup retry
-        super().__init__(api_key=api_key, retry_config=retry_config)
+        # Call parent init to load API key, check logprobs support, setup retry, and http_config
+        super().__init__(api_key=api_key, retry_config=retry_config, http_config=http_config)
 
         # Verify API key is set
         if not self.api_key:
@@ -191,16 +215,20 @@ def __init__(self, api_key: Optional[str] = None, retry_config: Optional[RetryCo
                 "variable or pass api_key parameter."
             )
 
-        # Initialize HTTP client with the loaded API key
+        # Initialize HTTP client with the loaded API key and HTTP config
         self.base_url = "https://api.anthropic.com/v1"
         self.api_version = "2023-06-01"
+
+        # Get httpx kwargs from http_config (includes verify, proxy, timeout)
+        httpx_kwargs = self.http_config.get_httpx_kwargs()
+
         self.client = httpx.AsyncClient(
             headers={
                 "x-api-key": self.api_key,
                 "anthropic-version": self.api_version,
                 "Content-Type": "application/json",
             },
-            timeout=60.0,
+            **httpx_kwargs,
         )
 
     def _load_api_key(self) -> Optional[str]:

cascadeflow/providers/base.py

@@ -11,17 +11,24 @@
     - Circuit Breaker integration for provider resilience
     - Per-provider health tracking
     - Automatic failure detection and recovery
+
+NEW in v2.7 (Dec 5, 2025):
+    - HttpConfig for enterprise SSL/proxy support
+    - Auto-detect HTTPS_PROXY, HTTP_PROXY, SSL_CERT_FILE from environment
+    - Custom CA bundle support for corporate environments
 """
 
 import asyncio
 import logging
 import math
+import os
 import random
+import warnings
 from abc import ABC, abstractmethod
 from collections.abc import AsyncIterator
 from dataclasses import dataclass, field
 from enum import Enum
-from typing import TYPE_CHECKING, Any, Optional
+from typing import TYPE_CHECKING, Any, Optional, Union
 
 if TYPE_CHECKING:
     from cascadeflow.resilience import CircuitBreaker
@@ -110,6 +117,155 @@ def get_summary(self) -> dict[str, Any]:
         }
 
 
+# ============================================================================
+# HTTP CONFIGURATION FOR ENTERPRISE (SSL, PROXY)
+# ============================================================================
+
+
+@dataclass
+class HttpConfig:
+    """
+    HTTP configuration for enterprise environments.
+
+    Supports SSL certificate verification, custom CA bundles, and proxy settings.
+    Auto-detects from standard environment variables when using from_env().
+
+    Environment Variables (auto-detected):
+        - HTTPS_PROXY, HTTP_PROXY: Proxy URL
+        - NO_PROXY: Comma-separated list of hosts to bypass proxy
+        - SSL_CERT_FILE, REQUESTS_CA_BUNDLE: Path to CA bundle file
+        - CURL_CA_BUNDLE: Alternative CA bundle path
+
+    Attributes:
+        verify: SSL verification setting:
+            - True (default): Use system CA bundle
+            - False: Disable SSL verification (WARNING: insecure!)
+            - str: Path to custom CA bundle file
+        proxy: Proxy URL (e.g., "http://proxy.corp.com:8080")
+        timeout: Request timeout in seconds
+        no_proxy: Comma-separated list of hosts to bypass proxy
+
+    Examples:
+        # Default: Auto-detect from environment
+        config = HttpConfig.from_env()
+
+        # Custom CA bundle (enterprise)
+        config = HttpConfig(verify="/path/to/corporate-ca.pem")
+
+        # Explicit proxy
+        config = HttpConfig(
+            verify=True,
+            proxy="http://proxy.corp.com:8080"
+        )
+
+        # Disable SSL verification (development only!)
+        config = HttpConfig(verify=False)  # Emits warning
+    """
+
+    verify: Union[bool, str] = True
+    proxy: Optional[str] = None
+    timeout: float = 60.0
+    no_proxy: Optional[str] = None
+
+    def __post_init__(self):
+        """Emit warning if SSL verification is disabled."""
+        if self.verify is False:
+            warnings.warn(
+                "SSL verification is DISABLED. This is insecure and should only be used "
+                "for development/testing. Set verify=True or provide a CA bundle path "
+                "for production use.",
+                UserWarning,
+                stacklevel=3,
+            )
+            logger.warning(
+                "HttpConfig: SSL verification disabled. This is insecure! "
+                "Only use for development/testing."
+            )
+
+    @classmethod
+    def from_env(cls) -> "HttpConfig":
+        """
+        Create HttpConfig from environment variables.
+
+        Auto-detects:
+            - HTTPS_PROXY or HTTP_PROXY for proxy settings
+            - NO_PROXY for proxy bypass
+            - SSL_CERT_FILE, REQUESTS_CA_BUNDLE, or CURL_CA_BUNDLE for CA bundle
+
+        Returns:
+            HttpConfig with settings from environment
+
+        Example:
+            # In shell:
+            export HTTPS_PROXY=http://proxy.corp.com:8080
+            export SSL_CERT_FILE=/path/to/ca-bundle.crt
+
+            # In Python:
+            config = HttpConfig.from_env()
+            # config.proxy = "http://proxy.corp.com:8080"
+            # config.verify = "/path/to/ca-bundle.crt"
+        """
+        # Detect proxy from environment (HTTPS_PROXY takes priority)
+        proxy = os.environ.get("HTTPS_PROXY") or os.environ.get("HTTP_PROXY")
+        if not proxy:
+            # Also check lowercase variants
+            proxy = os.environ.get("https_proxy") or os.environ.get("http_proxy")
+
+        # Detect no_proxy
+        no_proxy = os.environ.get("NO_PROXY") or os.environ.get("no_proxy")
+
+        # Detect CA bundle from environment
+        # Check multiple environment variables in priority order
+        ca_bundle = (
+            os.environ.get("SSL_CERT_FILE")
+            or os.environ.get("REQUESTS_CA_BUNDLE")
+            or os.environ.get("CURL_CA_BUNDLE")
+        )
+
+        # If CA bundle specified and file exists, use it; otherwise use system default
+        verify: Union[bool, str] = True
+        if ca_bundle:
+            if os.path.isfile(ca_bundle):
+                verify = ca_bundle
+                logger.info(f"HttpConfig: Using CA bundle from environment: {ca_bundle}")
+            else:
+                logger.warning(
+                    f"HttpConfig: CA bundle path from environment does not exist: {ca_bundle}. "
+                    f"Using system default."
+                )
+
+        if proxy:
+            logger.info(f"HttpConfig: Using proxy from environment: {proxy}")
+
+        return cls(
+            verify=verify,
+            proxy=proxy,
+            no_proxy=no_proxy,
+        )
+
+    def get_httpx_kwargs(self) -> dict[str, Any]:
+        """
+        Get kwargs for httpx.AsyncClient initialization.
+
+        Returns:
+            Dictionary of kwargs for httpx.AsyncClient
+
+        Example:
+            config = HttpConfig.from_env()
+            client = httpx.AsyncClient(**config.get_httpx_kwargs())
+        """
+        kwargs: dict[str, Any] = {
+            "verify": self.verify,
+            "timeout": self.timeout,
+        }
+
+        if self.proxy:
+            # httpx uses 'proxy' for single proxy URL
+            kwargs["proxy"] = self.proxy
+
+        return kwargs
+
+
 # ============================================================================
 # MODEL RESPONSE
 # ============================================================================
@@ -208,21 +364,44 @@ def __init__(
         api_key: Optional[str] = None,
         retry_config: Optional[RetryConfig] = None,
         enable_circuit_breaker: bool = True,
+        http_config: Optional[HttpConfig] = None,
     ):
         """
-        Initialize provider with retry logic and circuit breaker.
+        Initialize provider with retry logic, circuit breaker, and HTTP config.
 
         Args:
             api_key: API key for the provider (if needed)
             retry_config: Custom retry configuration (optional)
             enable_circuit_breaker: Enable circuit breaker for resilience (default: True)
+            http_config: HTTP configuration for SSL/proxy (default: auto-detect from env)
+
+        Example:
+            # Auto-detect proxy and SSL from environment
+            provider = OpenAIProvider()  # Uses HttpConfig.from_env()
+
+            # Custom CA bundle for corporate environment
+            provider = OpenAIProvider(
+                http_config=HttpConfig(verify="/path/to/corp-ca.pem")
+            )
+
+            # Explicit proxy configuration
+            provider = OpenAIProvider(
+                http_config=HttpConfig(
+                    proxy="http://proxy.corp.com:8080",
+                    verify=True
+                )
+            )
         """
         # Load API key from parameter or environment
         if api_key:
             self.api_key = api_key
         else:
             self.api_key = self._load_api_key()
 
+        # HTTP configuration for enterprise (SSL/proxy)
+        # Auto-detect from environment if not provided
+        self.http_config = http_config or HttpConfig.from_env()
+
         # Circuit breaker integration
         self._enable_circuit_breaker = enable_circuit_breaker
         self._circuit_breaker: Optional[CircuitBreaker] = None

cascadeflow/providers/groq.py

@@ -9,7 +9,7 @@
 import httpx
 
 from ..exceptions import ModelError, ProviderError
-from .base import BaseProvider, ModelResponse, RetryConfig
+from .base import BaseProvider, HttpConfig, ModelResponse, RetryConfig
 
 
 class GroqProvider(BaseProvider):
@@ -90,19 +90,38 @@ class GroqProvider(BaseProvider):
         ... )
     """
 
-    def __init__(self, api_key: Optional[str] = None, retry_config: Optional[RetryConfig] = None):
+    def __init__(
+        self,
+        api_key: Optional[str] = None,
+        retry_config: Optional[RetryConfig] = None,
+        http_config: Optional[HttpConfig] = None,
+    ):
         """
-        Initialize Groq provider with automatic retry logic.
+        Initialize Groq provider with automatic retry logic and enterprise HTTP support.
 
         Args:
             api_key: Groq API key. If None, reads from GROQ_API_KEY env var.
             retry_config: Custom retry configuration (optional). If None, uses defaults:
                 - max_attempts: 3
                 - initial_delay: 1.0s
                 - rate_limit_backoff: 30.0s
+            http_config: HTTP configuration for SSL/proxy (default: auto-detect from env).
+                Supports:
+                - Custom CA bundles (SSL_CERT_FILE, REQUESTS_CA_BUNDLE)
+                - Proxy servers (HTTPS_PROXY, HTTP_PROXY)
+                - SSL verification control
+
+        Example:
+            # Auto-detect from environment (default)
+            provider = GroqProvider()
+
+            # Corporate environment with custom CA bundle
+            provider = GroqProvider(
+                http_config=HttpConfig(verify="/path/to/corporate-ca.pem")
+            )
         """
-        # Call parent init to load API key, check logprobs support, and setup retry
-        super().__init__(api_key=api_key, retry_config=retry_config)
+        # Call parent init to load API key, check logprobs support, setup retry, and http_config
+        super().__init__(api_key=api_key, retry_config=retry_config, http_config=http_config)
 
         # Verify API key is set
         if not self.api_key:
@@ -112,11 +131,16 @@ def __init__(self, api_key: Optional[str] = None, retry_config: Optional[RetryCo
                 "https://console.groq.com"
             )
 
-        # Initialize HTTP client
+        # Initialize HTTP client with enterprise HTTP config
         self.base_url = "https://api.groq.com/openai/v1"
+
+        # Get httpx kwargs from http_config (includes verify, proxy, timeout)
+        httpx_kwargs = self.http_config.get_httpx_kwargs()
+        httpx_kwargs["timeout"] = 60.0  # Groq-specific timeout
+
         self.client = httpx.AsyncClient(
             headers={"Authorization": f"Bearer {self.api_key}", "Content-Type": "application/json"},
-            timeout=60.0,
+            **httpx_kwargs,
         )
 
     def _load_api_key(self) -> Optional[str]: