taken from /root/.ccr/README.md on a claude web vm
Outbound HTTPS from this session goes through a local proxy at http://127.0.0.1:38925 (set via HTTPS_PROXY) which tunnels to a policy-enforcing egress proxy. TLS is re-terminated there, so every tool must trust the CA bundle at /root/.ccr/ca-bundle.crt. The standard CA environment variables, the system trust store (where possible), a JVM truststore, the Bazel system bazelrc, the browser NSS store, and gsutil's boto config are already set up.