fix(security): remove GIT_SSL_NO_VERIFY=true from sfw-free shims

cursoragent · cursoragent · commit 6216e6d7dbdc · 2026-04-10T01:44:59.000Z
The sfw-free shims were injecting `export GIT_SSL_NO_VERIFY=true` into
every generated bash shim, disabling SSL certificate verification for all
git operations performed by wrapped package manager commands (npm, yarn,
pnpm, pip, uv, cargo). This exposed users to man-in-the-middle attacks
on any git-over-HTTPS connection.

Remove the workaround entirely — disabling TLS verification is far more
dangerous than the GIT_SSL_CAINFO issue it was intended to work around.
diff --git a/.claude/hooks/setup-security-tools/index.mts b/.claude/hooks/setup-security-tools/index.mts
@@ -273,10 +273,6 @@ async function setupSfw(apiKey: string | undefined): Promise<boolean> {
         'fi',
       )
     }
-    if (!isEnterprise) {
-      // Workaround: sfw-free does not yet set GIT_SSL_CAINFO (temporary).
-      bashLines.push('export GIT_SSL_NO_VERIFY=true')
-    }
     bashLines.push(`exec "${binaryPath}" "${realBin}" "$@"`)
     const bashContent = bashLines.join('\n') + '\n'
     const bashPath = path.join(shimDir, cmd)

Original file line number	Diff line number	Diff line change
`@@ -273,10 +273,6 @@ async function setupSfw(apiKey: string \| undefined): Promise<boolean> {`
`273`	`273`	`'fi',`
`274`	`274`	`)`
`275`	`275`	`}`
`276`		`- if (!isEnterprise) {`
`277`		`- // Workaround: sfw-free does not yet set GIT_SSL_CAINFO (temporary).`
`278`		`- bashLines.push('export GIT_SSL_NO_VERIFY=true')`
`279`		`- }`
`280`	`276`	bashLines.push(`exec "${binaryPath}" "${realBin}" "$@"`)
`281`	`277`	`const bashContent = bashLines.join('\n') + '\n'`
`282`	`278`	`const bashPath = path.join(shimDir, cmd)`