DanCodeInc · daniel-lxs · Oct 2, 2025
diff --git a/docs/upstream-prs/8357.md b/docs/upstream-prs/8357.md
@@ -0,0 +1,75 @@
+# feat: add certificate trust configuration for MCP servers
+
+## Summary
+
+This PR addresses Issue #8355 by adding certificate trust configuration support for MCP servers using HTTPS connections (SSE and StreamableHTTP transports).
+
+## Problem
+
+MCP servers using self-signed or internal CA-signed certificates cannot be used because there's no way to specify trust information for these certificates. This prevents users from connecting to MCP servers in development environments or corporate networks with internal certificate authorities.
+
+## Solution
+
+Added a `certificateTrust` configuration option for SSE and StreamableHTTP server types with three settings:
+
+- `allowSelfSigned`: Allow self-signed certificates (for development)
+- `caCertPath`: Path to custom CA certificate file (for internal CAs)
+- `rejectUnauthorized`: Control certificate validation (defaults to true for security)
+
+## Changes
+
+- ✅ Added `CertificateTrustSchema` to validate certificate trust configuration
+- ✅ Implemented HTTPS agent configuration for SSE transport using custom fetch
+- ✅ Implemented HTTPS agent configuration for StreamableHTTP transport
+- ✅ Added comprehensive test coverage for all configuration scenarios
+- ✅ Created detailed documentation with examples and security considerations
+
+## Testing
+
+- All existing tests pass
+- Added 6 new test cases covering certificate trust configuration
+- TypeScript type checking passes
+- Linting passes
+
+## Security Considerations
+
+- Defaults to secure settings (`rejectUnauthorized: true`)
+- Documentation includes clear warnings about development-only settings
+- Proper error handling for certificate file loading
+
+## Documentation
+
+Added comprehensive documentation in `docs/mcp-certificate-trust.md` including:
+
+- Configuration examples for all scenarios
+- Security best practices
+- Certificate format conversion instructions
+- Troubleshooting guide
+
+Fixes #8355
+
+<!-- ELLIPSIS_HIDDEN -->
+
+---
+
+> [!IMPORTANT]
+> Adds certificate trust configuration for MCP servers using HTTPS, with support for self-signed and custom CA certificates.
+>
+> - **Behavior**:
+>     - Adds `certificateTrust` configuration for SSE and StreamableHTTP transports in `McpHub.ts`.
+>     - Supports `allowSelfSigned`, `caCertPath`, and `rejectUnauthorized` options.
+>     - Defaults `rejectUnauthorized` to true for security.
+> - **Schema**:
+>     - Introduces `CertificateTrustSchema` for validating certificate trust settings.
+> - **Implementation**:
+>     - Configures HTTPS agent in `connectToServer()` for `streamable-http` and `sse` types.
+>     - Handles certificate loading and error logging.
+> - **Testing**:
+>     - Adds tests in `McpHub.spec.ts` for various certificate trust configurations.
+>     - Ensures correct behavior for SSE and StreamableHTTP with and without certificate trust.
+> - **Documentation**:
+>     - Adds `mcp-certificate-trust.md` with configuration examples and security notes.
+>
+> <sup>This description was created by </sup>[<img alt="Ellipsis" src="https://img.shields.io/badge/Ellipsis-blue?color=175173">](https://www.ellipsis.dev?ref=RooCodeInc%2FRoo-Code&utm_source=github&utm_medium=referral)<sup> for b73bd7cdedea6a3463892171e89c41b4a1ffad0c. You can customize this summary. It will automatically update as commits are pushed.</sup>
+
+<!-- ELLIPSIS_HIDDEN -->