feat: enable insecure mode via INSECURE environment variable #247


Merged 1 commit, Aug 10, 2025

Conversation

@appleboy appleboy commented Aug 10, 2025

  • Change INSECURE configuration to be enabled by presence of the INSECURE variable, replacing the previous true/false CURL_INSECURE approach
  • Update documentation in English and Chinese (Simplified, Traditional) to reflect INSECURE variable usage
  • Add usage examples showing how to enable insecure mode via INSECURE=1
  • Remove validation checks for CURL_INSECURE value and all references to CURL_INSECURE in the script
  • Use INSECURE_ARG for curl invocations to manage SSL verification according to the new logic

Summary by CodeRabbit

  • Documentation

    • Updated installation instructions to replace the CURL_INSECURE environment variable with INSECURE across all language versions of the README.
    • Clarified that setting INSECURE to any value will skip SSL verification during installation.
    • Added example usage for enabling insecure mode.
  • Chores

    • Simplified environment variable handling in the installation script for skipping SSL verification.

Signed-off-by: appleboy <[email protected]>

coderabbitai bot commented Aug 10, 2025

Walkthrough

The environment variable controlling SSL verification in installation scripts and documentation has been renamed from CURL_INSECURE to INSECURE. The logic is simplified: if INSECURE is set, SSL verification is skipped. Documentation in English, Simplified Chinese, and Traditional Chinese README files has been updated to reflect these changes.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Documentation Updates: README.md, README.zh-cn.md, README.zh-tw.md | Replaced references to CURL_INSECURE with INSECURE, clarified its usage and default, and added example usage lines. |
| Install Script Update: install.sh | Replaced CURL_INSECURE logic with INSECURE; simplified handling and warnings; updated curl invocations accordingly. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant User
    participant install.sh
    participant curl

    User->>install.sh: Set INSECURE=1 and run script
    install.sh->>install.sh: Check if INSECURE is set
    alt INSECURE is set
        install.sh->>install.sh: Set INSECURE_ARG="--insecure"
        install.sh->>User: Print warning about insecure downloads
    else INSECURE is not set
        install.sh->>install.sh: INSECURE_ARG=""
    end
    install.sh->>curl: Download files with or without --insecure
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Poem

🐇
A hop, a skip, a variable’s name,
From CURL_INSECURE, we’ve changed the game.
Now just set INSECURE, no value to fret—
Skip SSL checks with no regret!
Docs in three tongues, scripts align,
Secure or not, the install’s just fine.
—Your friendly code rabbit, on cloud nine!


@gemini-code-assist gemini-code-assist bot left a comment


Summary of Changes

Hello @appleboy, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

I've updated the installation script to simplify how insecure mode is enabled. Instead of using CURL_INSECURE with true/false values, it now uses the presence of an INSECURE environment variable. This change streamlines the configuration and is reflected across all documentation.

Highlights

  • Simplified Insecure Mode Activation: The method for enabling insecure mode has been updated from a boolean CURL_INSECURE variable to a simpler presence check of the INSECURE environment variable.
  • Comprehensive Documentation Updates: All README files (English, Simplified Chinese, Traditional Chinese) have been revised to accurately reflect the new INSECURE variable usage, including new example commands.
  • Refactored SSL Verification Logic: The install.sh script now dynamically sets the curl --insecure argument based on the INSECURE variable's presence, removing previous validation and explicit CURL_INSECURE checks.

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request correctly changes the insecure mode activation from a CURL_INSECURE boolean-like variable to checking for the presence of the INSECURE environment variable. The documentation in all languages has been updated accordingly. My review focuses on improving the robustness of the shell script by using an array for optional curl arguments, which is a safer practice.

@@ -66,7 +66,7 @@ function download_and_install() {
# Use temp dir for download
TARGET="${TMPDIR}/${CLIENT_BINARY}"

curl -# -fSL --retry 5 --keepalive-time 2 ${INSECURE_OPTION} "${DOWNLOAD_URL_PREFIX}/${CLIENT_BINARY}" -o "${TARGET}"
curl -# -fSL --retry 5 --keepalive-time 2 ${INSECURE_ARG} "${DOWNLOAD_URL_PREFIX}/${CLIENT_BINARY}" -o "${TARGET}"
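Review bot: the unquoted `${INSECURE_ARG}` on the new curl line works only because word splitting erases an empty variable; quoting it would pass an empty argument that curl rejects, and leaving it unquoted means the value can never safely contain a space. The array form `"${INSECURE_ARGS[@]}"` proposed in this review removes both problems; if the script runs with `set -u`, use `${INSECURE_ARGS[@]+"${INSECURE_ARGS[@]}"}` so an empty array does not abort on bash older than 4.4.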


medium

As part of refactoring to use an array for optional arguments, please update this curl invocation. Using "${INSECURE_ARGS[@]}" ensures arguments are handled safely.

Suggested change
curl -# -fSL --retry 5 --keepalive-time 2 ${INSECURE_ARG} "${DOWNLOAD_URL_PREFIX}/${CLIENT_BINARY}" -o "${TARGET}"
curl -# -fSL --retry 5 --keepalive-time 2 "${INSECURE_ARGS[@]}" "${DOWNLOAD_URL_PREFIX}/${CLIENT_BINARY}" -o "${TARGET}"

@@ -104,9 +104,9 @@
function get_latest_version() {
local latest
if command -v jq >/dev/null 2>&1; then
latest=$(curl $INSECURE_OPTION -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | jq -r .tag_name)
latest=$(curl $INSECURE_ARG -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | jq -r .tag_name)
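Review bot: `latest=$(curl $INSECURE_ARG ... | jq -r .tag_name)` takes its exit status from jq, so unless the script sets `pipefail` a failed curl (for example a certificate error when INSECURE is not set) leaves `latest` empty or `null` and the script carries on with it. Check the result with `[[ -n "$latest" && "$latest" != null ]]` before using it to build a download URL.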


medium

As part of refactoring to use an array for optional arguments, please update this curl invocation. Using "${INSECURE_ARGS[@]}" ensures arguments are handled safely.

Suggested change
latest=$(curl $INSECURE_ARG -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | jq -r .tag_name)
latest=$(curl "${INSECURE_ARGS[@]}" -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | jq -r .tag_name)

else
latest=$(curl $INSECURE_OPTION -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | grep '"tag_name":' | sed -E 's/.*"tag_name": ?"v?([^"]+)".*/\1/')
latest=$(curl $INSECURE_ARG -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | grep '"tag_name":' | sed -E 's/.*"tag_name": ?"v?([^"]+)".*/\1/')
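Review bot: the two branches do not return the same shape: the jq branch returns `.tag_name` verbatim (typically `v1.2.3`), while the sed fallback's `v?` strips the leading `v`. Whichever form the download URL expects, make both branches agree, for instance by also stripping it in the jq branch with `jq -r '.tag_name | ltrimstr("v")'`.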


medium

As part of refactoring to use an array for optional arguments, please update this curl invocation. Using "${INSECURE_ARGS[@]}" ensures arguments are handled safely.

Suggested change
latest=$(curl $INSECURE_ARG -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | grep '"tag_name":' | sed -E 's/.*"tag_name": ?"v?([^"]+)".*/\1/')
latest=$(curl "${INSECURE_ARGS[@]}" -# --retry 5 -fSL https://api.github.com/repos/appleboy/CodeGPT/releases/latest | grep '"tag_name":' | sed -E 's/.*"tag_name": ?"v?([^"]+)".*/\1/')

Comment on lines +124 to 129
INSECURE_ARG=""
if [[ -n "${INSECURE:-}" ]]; then
INSECURE_ARG="--insecure"
print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
fi
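Review bot: `[[ -n "${INSECURE:-}" ]]` also enables insecure mode for `INSECURE=false` and `INSECURE=0`, which is the opposite of what a user migrating from the old true/false `CURL_INSECURE` will expect. Either reject or ignore those values explicitly with a `case` on the value, or state in the README that only unsetting the variable restores certificate verification.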


medium

For better script robustness, it's recommended to use an array to handle optional command arguments. This avoids potential word-splitting issues and is generally safer. This refactoring defines INSECURE_ARGS as an array, which will be empty by default and contain --insecure when needed.

I'll add suggestions to update the curl calls accordingly.

Suggested change
INSECURE_ARG=""
if [[ -n "${INSECURE:-}" ]]; then
INSECURE_ARG="--insecure"
print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
fi
if [[ -n "${INSECURE:-}" ]]; then
INSECURE_ARGS=('--insecure')
print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
else
INSECURE_ARGS=()
fi
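Putting the two review threads together, an added example that is not install.sh from the repository: the optional curl flag is kept in an array as suggested above, and the presence check is tightened so that INSECURE=false or 0 keeps verification on and an unrecognised value is rejected rather than silently treated as "enabled". The function names, INSECURE_ARGS and the example URL are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not install.sh from the CodeGPT repository. It applies the
# reviewer's suggestion (optional curl flags kept in an array) and hardens
# the presence check: INSECURE=false / 0 / no keep verification on, and an
# unrecognised value is an error instead of silently disabling verification.
# set_insecure_args, curl_cmdline and INSECURE_ARGS are hypothetical names.
set -euo pipefail

# set_insecure_args <value of INSECURE>
# Fills the global array INSECURE_ARGS. Returns 0 for a recognised value
# (including unset/empty) and 2 for an ambiguous one.
set_insecure_args() {
  local value
  value=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
  INSECURE_ARGS=()
  case "$value" in
    '' | 0 | false | no | off)
      ;;                                   # verify certificates (default)
    1 | true | yes | on)
      INSECURE_ARGS=('--insecure')
      printf 'WARNING: TLS certificate verification disabled for downloads.\n' >&2
      ;;
    *)
      printf 'INSECURE=%s is ambiguous; set INSECURE=1 or leave it unset.\n' "$1" >&2
      return 2
      ;;
  esac
}

# curl_cmdline <value of INSECURE> <url>
# Builds the argv the installer would execute and prints "<argc> <argv>"
# instead of running curl, so the effect of the array can be checked offline.
curl_cmdline() {
  set_insecure_args "$1" || return $?
  # ${arr[@]+"${arr[@]}"} expands to nothing for an empty array even under
  # set -u on bash < 4.4; a plain "${INSECURE_ARGS[@]}" would abort there.
  local -a argv=(curl -fSL --retry 5 --keepalive-time 2
                 ${INSECURE_ARGS[@]+"${INSECURE_ARGS[@]}"}
                 "$2" -o out.bin)
  printf '%s %s\n' "${#argv[@]}" "${argv[*]}"
}

# Constructed demonstration values; nothing is downloaded.
curl_cmdline ''    'https://example.invalid/CodeGPT'   # 9 args, verification on
curl_cmdline 1     'https://example.invalid/CodeGPT'   # 10 args, --insecure added
curl_cmdline false 'https://example.invalid/CodeGPT'   # 9 args, unlike a bare -n test
```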


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (3)
README.zh-tw.md (1)

141-143: Good usage example

Example accurately shows enabling insecure mode with INSECURE=1.

Consider adding a short caution note below the example to discourage routine use:

# Note: enabling insecure mode is recommended only for debugging or temporary situations. It skips SSL certificate verification and may expose you to man-in-the-middle attacks.
README.zh-cn.md (1)

137-139: Example is correct and intuitive

The usage of INSECURE=1 is shown clearly.

Suggest adding a one-line security note below the example to discourage routine use:

# Note: enable insecure mode only for debugging or temporary scenarios. It skips SSL certificate verification and carries man-in-the-middle attack risk.
README.md (1)

142-144: Example usage is correct

Accurately demonstrates enabling insecure mode.

Add a brief warning below to set expectations:

Warning: Enable insecure mode only for troubleshooting. It disables SSL certificate verification and may expose you to MITM attacks.
📥 Commits

Reviewing files that changed from the base of the PR and between 254b21f and 6ca4c6f.

📒 Files selected for processing (4)
  • README.md (1 hunks)
  • README.zh-cn.md (1 hunks)
  • README.zh-tw.md (1 hunks)
  • install.sh (3 hunks)
🔇 Additional comments (5)
README.zh-tw.md (1)

134-137: INSECURE env var doc looks good

Clear explanation that any value enables insecure mode. Matches script behavior.

README.zh-cn.md (1)

130-133: INSECURE variable description is accurate

The statement that “setting this variable (any value) skips SSL verification” matches the script.

README.md (1)

133-138: Env var table updated correctly

Wording is clear that presence of INSECURE skips SSL verification.

install.sh (2)

69-69: Good: curl download respects INSECURE_ARG

Switching to ${INSECURE_ARG} is correct and safe when unset.


107-110: Good: GitHub API calls also respect INSECURE_ARG

Both jq and grep branches align with new behavior.

Comment on lines +123 to 129
# If INSECURE is set to any value, enable curl --insecure
INSECURE_ARG=""
if [[ -n "${INSECURE:-}" ]]; then
INSECURE_ARG="--insecure"
print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
fi
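Review bot: the comment `# If INSECURE is set to any value` and the README wording do not quite match the test: `-n` is false for `INSECURE=` (set but empty), so the accurate statement is "any non-empty value". Worth aligning the comment, the three READMEs and the warning text so users know an empty assignment keeps verification on.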


💡 Verification agent

🧩 Analysis chain

Enable backward compatibility with deprecated CURL_INSECURE (optional)

Current behavior is correct per PR goals. To avoid breaking existing automation, optionally honor legacy CURL_INSECURE (any non-empty), and emit a deprecation warning.

 INSECURE_ARG=""
 if [[ -n "${INSECURE:-}" ]]; then
   INSECURE_ARG="--insecure"
   print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
   print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
 fi
+
+# Backward compatibility (deprecated). Prefer INSECURE=1.
+if [[ -z "${INSECURE:-}" && -n "${CURL_INSECURE:-}" ]]; then
+  INSECURE_ARG="--insecure"
+  print_message warning "WARNING: CURL_INSECURE is deprecated. Use INSECURE=1 instead."
+fi
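Review bot: the proposed compatibility block honours any non-empty `CURL_INSECURE`, so `CURL_INSECURE=false`, a valid value under the previous true/false scheme the PR description says it replaces, would now disable certificate verification. If legacy support is added, match on the old accepted value (`true`) only, and print the same man-in-the-middle warning the INSECURE branch prints, not only the deprecation notice.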

To ensure all old references were removed elsewhere in the repo and that curl call sites now use INSECURE_ARG, run:


🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail
echo "Searching for legacy CURL_INSECURE..."
rg -n --hidden --glob '!*dist*' --glob '!*build*' --glob '!*node_modules*' 'CURL_INSECURE' || true
echo "Searching for curl sites using INSECURE_ARG..."
rg -n --hidden --glob '!*dist*' --glob '!*build*' --glob '!*node_modules*' 'curl .*INSECURE_ARG'
```


Honor legacy CURL_INSECURE for backward compatibility

All curl invocations in install.sh already use ${INSECURE_ARG} and there are no other references to CURL_INSECURE in the repo. You can safely add the following block immediately after the existing INSECURE check to optionally support the deprecated variable and emit a deprecation warning:

 INSECURE_ARG=""
 if [[ -n "${INSECURE:-}" ]]; then
   INSECURE_ARG="--insecure"
   print_message warning "WARNING: INSECURE mode is enabled. Proceeding with insecure download."
   print_message warning "WARNING: You are bypassing SSL certificate verification. This is insecure and may expose you to man-in-the-middle attacks."
 fi

+# Backward compatibility (deprecated). Prefer INSECURE=1.
+if [[ -z "${INSECURE:-}" && -n "${CURL_INSECURE:-}" ]]; then
+  INSECURE_ARG="--insecure"
+  print_message warning "WARNING: CURL_INSECURE is deprecated. Use INSECURE=1 instead."
+fi

This ensures any existing automation relying on CURL_INSECURE continues to work while guiding users toward the new INSECURE flag.


@appleboy appleboy merged commit 58ed563 into main Aug 10, 2025
17 checks passed