Add --tls-skip-verify flag to thv llm setup, config set, and proxy start#5136
Merged
Add --tls-skip-verify flag to thv llm setup, config set, and proxy start#5136
Conversation
yrobla
requested review from
ChrisJBurns,
JAORMX,
amirejaz,
jhrozek,
lujunsan and
rdimitrov
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a --tls-skip-verify flag and persists it in the LLM config, then threads it through llm setup, llm config set, and llm proxy start so local/self-signed TLS gateways can be used during development.
Changes:
- Persist
TLSSkipVerifyinpkg/llm.Config, apply it viaconfig set/setup, and display warnings inconfig show. - Extend tool settings patching to conditionally write/remove
NODE_TLS_REJECT_UNAUTHORIZEDviaClearWhenEmpty. - Add proxy-side support via
WithTLSSkipVerify()and thread the flag intothv llm proxy start.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/llm/config.go | Adds TLSSkipVerify to persisted LLM config. |
| pkg/llm/manage.go | Applies pointer-based TLSSkipVerify option; prints warning in Show(). |
| pkg/llm/manage_test.go | Adds unit tests for TLSSkipVerify set/clear behavior and display. |
| pkg/llm/setup.go | Threads TLSSkipVerify into tool configuration; adds warning/helper extraction. |
| pkg/llm/proxy/proxy.go | Adds Option pattern + WithTLSSkipVerify and variadic New(). |
| pkg/client/config.go | Adds NodeTLSRejectUnauthorized key spec support + ClearWhenEmpty, wires into Claude/Gemini direct-mode. |
| pkg/client/llm_gateway.go | Adds conditional add/remove logic for tool settings keys (applyLLMGatewayKeys). |
| pkg/client/test_support.go | Extends test helper to support ClearWhenEmpty per JSON pointer. |
| pkg/client/llm_gateway_test.go | Adds tests validating NODE_TLS_REJECT_UNAUTHORIZED write/no-write/removal behavior. |
| cmd/thv/app/llm.go | Wires --tls-skip-verify into config set, setup, and proxy start (override behavior). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #5136 +/- ##
==========================================
- Coverage 67.36% 67.35% -0.01%
==========================================
Files 598 598
Lines 60493 60566 +73
==========================================
+ Hits 40751 40796 +45
- Misses 16658 16679 +21
- Partials 3084 3091 +7 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Closes #5123 Stores TLSSkipVerify in the LLM config section and threads it through to every layer: - pkg/llm/config.go: add TLSSkipVerify field to Config; SetOptions uses *bool so that --tls-skip-verify=false explicitly clears the stored value rather than being silently ignored as a zero value - pkg/llm/manage.go: SetFields applies the pointer, Show() prints a WARNING line when the flag is set - pkg/llm/setup.go: pass TLSSkipVerify through ToolApplyConfig; extract configureDetectedTools() and warnTLSSkipVerify() helpers (gocyclo) - pkg/llm/proxy/proxy.go: add Option / WithTLSSkipVerify() functional option; New() accepts variadic opts; sets InsecureSkipVerify on the upstream transport when the flag is true - pkg/client/llm_gateway.go: add TLSSkipVerify to LLMApplyConfig; add NodeTLSRejectUnauthorized case to llmValueForSpec(); extract applyLLMGatewayKeys / addLLMKey / removeLLMKey helpers (gocyclo); ClearWhenEmpty on LLMGatewayKeySpec removes the JSON key when the flag is cleared rather than leaving a stale "0" in the settings file - pkg/client/config.go: add NODE_TLS_REJECT_UNAUTHORIZED key spec (ClearWhenEmpty=true) to ClaudeCode and GeminiCli (the two direct-mode Node.js tools); proxy-mode tools (Cursor, VSCode, Xcode, …) are covered by WithTLSSkipVerify on the proxy transport - cmd/thv/app/llm.go: wire --tls-skip-verify into setup, config set, and proxy start; proxy start overrides the stored value when the flag is explicitly passed
yrobla
force-pushed
the
yolanda/llm-tls-fixes
branch
from
c72c8aa to
9b93cc3
Compare
github-actions
Bot
added
size/M
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a persisted --tls-skip-verify configuration for the LLM gateway workflow and threads it through setup/config/proxy so tools (direct mode) and the local reverse proxy (proxy mode) can optionally bypass upstream TLS verification for local development.
Changes:
- Persist
TLSSkipVerifyin the LLM config and support explicit clearing via pointer-basedSetOptions. - For direct-mode Node.js tools, conditionally write/remove
NODE_TLS_REJECT_UNAUTHORIZED=0using aClearWhenEmptykey spec. - Add proxy functional option
WithTLSSkipVerify()and wire the flag intothv llm setup,thv llm config set, andthv llm proxy start, with unit tests.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| pkg/llm/config.go | Adds TLSSkipVerify to persisted LLM config. |
| pkg/llm/manage.go | Applies TLSSkipVerify via pointer option; surfaces a warning in Show(). |
| pkg/llm/manage_test.go | Adds coverage for TLSSkipVerify pointer semantics and Show() output. |
| pkg/llm/setup.go | Threads TLSSkipVerify into tool configuration and prints mode-specific warnings. |
| pkg/llm/proxy/proxy.go | Introduces functional options; implements WithTLSSkipVerify() by adjusting upstream transport TLS verification. |
| pkg/llm/proxy/proxy_test.go | Adds a test validating default TLS verification failure vs. skip-verify success. |
| pkg/client/config.go | Extends LLMGatewayKeySpec with ClearWhenEmpty; adds Node TLS key spec for Claude Code and Gemini CLI. |
| pkg/client/test_support.go | Extends LLMTestEntry to support ClearWhenEmpty in tests. |
| pkg/client/llm_gateway.go | Refactors key application into helpers; supports conditional remove when ClearWhenEmpty and value is empty. |
| pkg/client/llm_gateway_test.go | Adds tests for writing/removing NODE_TLS_REJECT_UNAUTHORIZED based on TLSSkipVerify. |
| cmd/thv/app/llm.go | Wires --tls-skip-verify into setup/config set/proxy start, including override behavior for proxy start. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
JAORMX
approved these changes
Apr 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Stores TLSSkipVerify in the LLM config section and threads it through to every layer:
Fixes #5123
Type of change
Test plan
task test)task test-e2e)task lint-fix)API Compatibility
v1beta1API, OR theapi-break-allowedlabel is applied and the migration guidance is described above.Changes
Does this introduce a user-facing change?
Implementation plan
Approved implementation plan
Special notes for reviewers