fix(auth): add undici instrumentation for Squid proxy

Without it, NextAuth's Keycloak issuer-discovery fetch goes direct
and Calico default-deny drops it → /access-denied?error=Configuration.
EnvHttpProxyAgent reads HTTP(S)_PROXY at startup.

Mirrors gscAdmin/src/instrumentation.ts. + undici ^6.25.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

k8s/deployment.yaml

@@ -31,7 +31,7 @@ spec:
     spec:
       containers:
         - name: my-ui
-          image: registry.gosec.internal/gsc-my/ui:v0.1.0
+          image: registry.gosec.internal/gsc-my/ui:v0.1.1
           imagePullPolicy: Always
           ports:
             - containerPort: 3000

package.json

@@ -25,6 +25,7 @@
     "pg": "^8.20.0",
     "react": "^19.2.3",
     "react-dom": "^19.2.3",
+    "undici": "^6.25.0",
     "zod": "^3.23.0"
   },
   "devDependencies": {

src/instrumentation.ts

@@ -0,0 +1,24 @@
+/**
+ * Server startup hook. Next.js calls register() once per Node process
+ * when the server boots (App Router convention).
+ *
+ * We use this to install undici's ProxyAgent as the global dispatcher
+ * so the in-cluster web-proxy (Squid at web-proxy.web-proxy.svc:3128)
+ * is honored by Node's built-in `fetch()`. Without this, fetch() goes
+ * direct → Calico default-deny-external drops outbound TCP → NextAuth
+ * issuer discovery times out → /api/auth/error?error=Configuration.
+ *
+ * HTTP_PROXY / HTTPS_PROXY / NO_PROXY env vars are read by EnvHttpProxyAgent.
+ * If neither is set (e.g., local `next dev`), no proxy is configured.
+ */
+export async function register() {
+  if (process.env.NEXT_RUNTIME !== "nodejs") return;
+  if (!process.env.HTTPS_PROXY && !process.env.HTTP_PROXY) return;
+
+  const { setGlobalDispatcher, EnvHttpProxyAgent } = await import("undici");
+  setGlobalDispatcher(new EnvHttpProxyAgent());
+  // eslint-disable-next-line no-console
+  console.log(
+    `[instrumentation] undici proxy via ${process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY}`,
+  );
+}