Upstream Codebuff free tier blocks non-freebuff CLI requests and VPN/proxy traffic

[Bulat-Gumerov]

Description:

Test Results — freebuff2api proxy latest commit from the main branch

All tests run against localhost:8082 with a single auth token and no API key auth.

1. VPN/Proxy Traffic Blocked

When HTTP_PROXY is configured (e.g., routing through a WireGuard VPN), Codebuff's upstream returns:

403 {"status":"country_blocked","message":"Freebuff cannot be used from VPN or proxy traffic. Please disable it and try again.","countryCode":"AU","countryBlockReason":"anonymous_network","ipPrivacySignals":["vpn","res_proxy","hosting","anonymous"]}

All models return 502: no healthy upstream auth token available because session creation fails at the upstream.

2. "Free Mode Requires CLI" Block

With the proxy disabled (direct connection), 4 of 6 models successfully create upstream sessions but the chat completion request is rejected:

403 {"error":"free_mode_cli_required","message":"Free mode is only available through the freebuff CLI. Install it with `npm i -g freebuff`, then run `freebuff`. Calling the API directly is not supported and may get your account banned."}

3. Session Establishment Failures

Two models never establish a session and return 502: no healthy upstream auth token available:

• mimo/mimo-v2.5
• minimax/minimax-m2.7

Endpoint Summary

Endpoint	Status	Notes
GET /healthz	✅ Working	Full run/session state exposed
GET /v1/models	✅ Working	Returns 6 models
POST /v1/messages/count_tokens	✅ Working	Token estimation via tiktoken
POST /v1/chat/completions	❌ Blocked	Upstream 403 / 502 on all models
POST /v1/messages	❌ Blocked	Same upstream rejection
Container healthcheck	❌ Fails	Uses wget which is not in the container image

Models Tested

Model	Session	Chat Completion
deepseek/deepseek-v4-flash	✅ Created	❌ 403 — CLI required
deepseek/deepseek-v4-pro	✅ Created	❌ 403 — CLI required
mimo/mimo-v2.5	❌ Failed	❌ 502
mimo/mimo-v2.5-pro	✅ Created	❌ 403 — CLI required
minimax/minimax-m2.7	❌ Failed	❌ 502
moonshotai/kimi-k2.6	✅ Created	❌ 403 — CLI required

Environment

• Container: freebuff2api on :8080 (mapped :8082)
• Auth: 1 token configured
• Config: Configured config.json with a single working AUTH_TOKENS, which was copied from the freebuff CLI config file in the .env (no LLM proxy API key, no HTTP proxy in config)
• .env: AUTH_TOKENS, HTTP_PROXY (when enabled)
• Upstream: https://www.codebuff.com

Root Cause

Codebuff's free tier API endpoint now validates that requests originate from their official CLI tool (freebuff npm package). Requests sent directly to the HTTP API with standard headers are rejected with free_mode_cli_required. This makes the proxy non-functional for free-tier models regardless of session or auth token validity.