qwen-code/docs
Tianyuan 35a8851a38
feat(core): add --insecure flag to skip TLS verification for self-signed endpoints (#3535) (#5962)
* feat(core): add --insecure flag to skip TLS verification for self-signed endpoints (#3535)

Enable skipping TLS certificate verification for outbound model API connections via a new --insecure CLI flag, QWEN_TLS_INSECURE, or NODE_TLS_REJECT_UNAUTHORIZED=0. The setting is applied to the undici dispatcher Qwen Code installs: a direct connection uses connect TLS options, while a proxied connection disables verification for the upstream origin (requestTls) and a self-signed HTTPS proxy (proxyTls). Off by default; behavior is unchanged when not enabled.

Fixes #3535

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(core): address review on --insecure (security + simplification) (#3535)

- Block project .env from enabling QWEN_TLS_INSECURE by adding it to PROJECT_ENV_HARDCODED_EXCLUSIONS, so an untrusted repo cannot silently disable TLS verification for all API connections.
- Remove the unverifiable Bun fetch `tls` special-casing; Bun users can still opt out via NODE_TLS_REJECT_UNAUTHORIZED=0, which Bun honors natively.
- Do not suggest `--insecure` in the TLS error hint when verification is already disabled; show a network/protocol-oriented message instead.
- Add tests: env-flag regex/falsy branches, loadCliConfig env side-effect, fetch hint variants, and a security guard for the project .env exclusion.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(core): harden --insecure per review (#3535)

- Block NODE_TLS_REJECT_UNAUTHORIZED from project .env too (initial load only consults PROJECT_ENV_HARDCODED_EXCLUSIONS), since isTlsVerificationDisabled() honors it.
- When opting out, set NODE_TLS_REJECT_UNAUTHORIZED=0 process-wide in loadCliConfig and emit a stderr MITM warning. This makes the opt-out effective on the Bun runtime and the proxy-creation fallback path (which the undici dispatcher does not cover), and gives a user-visible signal.
- Avoid evaluating isTlsVerificationDisabled() twice on the proxy path via a default parameter on getOrCreateSharedDispatcher.
- Update tests accordingly.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* fix(cli): broaden --insecure warning and log it; add env-path tests (#3535)

- Broaden the TLS-disabled warning to state the process-wide blast radius (API, OAuth, MCP servers, child processes), since NODE_TLS_REJECT_UNAUTHORIZED=0 is set process-wide.
- Also emit the warning via debugLogger so the state is discoverable in ~/.qwen/debug/ after terminal scrollback is gone.
- Add tests for the env-var-only path (pre-set QWEN_TLS_INSECURE) and the already-disabled guard (no duplicate assignment/warning).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 12:03:43 +00:00
..
design feat(channels): qwen tag — RFC + Phase 0 (multiplayer channel-resident agent) (#5888) 2026-06-29 07:17:13 +00:00
developers feat(channels): Add channel agent bridge abstraction (#5978) 2026-06-29 10:03:28 +00:00
e2e-tests feat(worktree): Phase D — startup --worktree flag + symlinkDirectories + PR refs (#4381) 2026-05-27 17:04:51 +08:00
plans feat(core)!: redesign auto-compaction thresholds with three-tier ladder (#4345) 2026-05-25 21:11:08 +08:00
superpowers fix(core): add streaming inactivity timeout to the OpenAI pipeline (#5827) 2026-06-24 23:33:55 +00:00
users feat(core): add --insecure flag to skip TLS verification for self-signed endpoints (#3535) (#5962) 2026-06-29 12:03:43 +00:00
verification/abort-controller-refactor fix(core): stop AbortSignal listener leak in long sessions (MaxListenersExceededWarning) (#4366) 2026-05-26 14:21:49 +08:00
_meta.ts feat: refactor docs 2025-12-05 10:51:57 +08:00
declarative-agents-port.md feat(core): port declarative-agent mcpServers + hooks (CC 2.1.168 parity follow-up) (#4996) 2026-06-12 14:15:51 +08:00
index.md fix: lint issues 2025-12-19 15:52:11 +08:00
yaml-parser-replacement.md feat(core): port declarative-agent mcpServers + hooks (CC 2.1.168 parity follow-up) (#4996) 2026-06-12 14:15:51 +08:00