add override for TLS validation (lastmile-ai#567)

jtcorbett · andrew-lastmile · commit 1e1faefc1ac9 · 2025-11-04T13:14:09.000-05:00
### TL;DR

Added support for disabling TLS validation during deployments via environment variable.

### Why make this change?

We can't and shouldn't use TLS if we're accessing this from within the VPC (i.e. staging env). Add an undocumented override for TLS validation

&lt;!-- This is an auto-generated comment: release notes by coderabbit.ai --&gt;

## Summary by CodeRabbit

- **New Features**
    - Added option to disable TLS validation during deployment via environment variable configuration.
    - Warning message displayed when TLS validation is disabled.
    - Deployment endpoint logged in verbose mode when TLS validation is disabled.

&lt;!-- end of auto-generated comment: release notes by coderabbit.ai --&gt;
diff --git a/src/mcp_agent/cli/cloud/commands/deploy/wrangler_wrapper.py b/src/mcp_agent/cli/cloud/commands/deploy/wrangler_wrapper.py
@@ -25,6 +25,7 @@
 from .constants import (
     CLOUDFLARE_ACCOUNT_ID,
     CLOUDFLARE_EMAIL,
+    DEFAULT_DEPLOYMENTS_UPLOAD_API_BASE_URL,
     WRANGLER_SEND_METRICS,
 )
 from .settings import deployment_settings
@@ -161,6 +162,25 @@ def wrangler_deploy(
         npm_prefix.mkdir(parents=True, exist_ok=True)
         env_updates["npm_config_prefix"] = str(npm_prefix)
 
+    if os.environ.get("__MCP_DISABLE_TLS_VALIDATION", "").lower() in ("1", "true", "yes"):
+        if deployment_settings.DEPLOYMENTS_UPLOAD_API_BASE_URL == DEFAULT_DEPLOYMENTS_UPLOAD_API_BASE_URL:
+            print_error(
+                f"Cannot disable TLS validation when using {DEFAULT_DEPLOYMENTS_UPLOAD_API_BASE_URL}. "
+                "Set MCP_DEPLOYMENTS_UPLOAD_API_BASE_URL to a custom endpoint."
+            )
+            raise ValueError(
+                f"TLS validation cannot be disabled with {DEFAULT_DEPLOYMENTS_UPLOAD_API_BASE_URL}"
+            )
+
+        env_updates["NODE_TLS_REJECT_UNAUTHORIZED"] = "0"
+        print_warning(
+            "TLS certificate validation disabled (__MCP_DISABLE_TLS_VALIDATION is set)."
+        )
+        if settings.VERBOSE:
+            print_info(
+                f"Deployment endpoint: {deployment_settings.DEPLOYMENTS_UPLOAD_API_BASE_URL}"
+            )
+
     env.update(env_updates)
 
     validate_project(project_dir)
