Merge pull request 'feat(OpenCode TLS): 預設跳過 TLS 驗證' (#25 ) from develop into master

Reviewed-on: #25
Merge pull request 'feat(OpenCode TLS): 預設跳過 TLS 驗證' (#24 ) from ai-review-resolve/20260620134144 into develop
2026-06-20 14:10:40 +00:00 · 2026-06-20 14:09:03 +00:00 · 2026-06-20 14:08:55 +00:00 · 2026-06-20 13:56:00 +00:00 · 2026-06-20 13:56:00 +00:00 · 2026-06-20 13:56:00 +00:00
7 changed files with 62 additions and 11 deletions
@@ -1 +1,16 @@
-[]
+[
+  {
+    "level": "warning",
+    "role": "Mage",
+    "location": "app/config.test.js",
+    "suggestion": "`shouldSkipOpenCodeTLSVerify` 函式的新增測試案例未能涵蓋所有可能的輸入情境。在 `process.env.OPENCODE_SKIP_TLS_VERIFY !== 'false'` 的新邏輯下，應增加測試案例來驗證當環境變數設定為空字串 `''`、字串 `'0'` 或其他任意非 `'false'` 字串時，函式是否如預期般返回 `true`（跳過 TLS 驗證）。這有助於確保此關鍵安全邏輯的行為符合預期，並揭示潛在的誤配置風險。",
+    "is_new": true
+  },
+  {
+    "level": "warning",
+    "role": "Maya",
+    "location": "app/preflight.test.js",
+    "suggestion": "在 `preflight.test.js` 中，關於 `httpsAgent` 的測試案例也已涵蓋了預設行為（跳過 TLS）和明確設定為 `false`（不跳過 TLS）的情況。請新增一個測試，驗證當環境變數 `process.env.OPENCODE_SKIP_TLS_VERIFY` 明確設定為 `'true'` 時，`verifyLLM` 函式是否會傳遞一個不安全的 `httpsAgent` 給 OpenCode 服務進行預檢。",
+    "is_new": true
+  }
+]
@@ -224,8 +224,8 @@ jobs:
        OPENCODE_BASE_URL: http://192.168.3.124:4096
        OPENCODE_PROVIDER: google
        OPENCODE_MODEL: gemini-2.5-flash
-        # 若 OpenCode server 使用自簽憑證，才需要提供：
-        # OPENCODE_SKIP_TLS_VERIFY: true
+        # 預設會跳過 OpenCode TLS 驗證；若要強制驗證憑證才需要設定：
+        # OPENCODE_SKIP_TLS_VERIFY: false
        # 若 OpenCode server 有設定 OPENCODE_SERVER_PASSWORD，才需要提供：
        # OPENCODE_SERVER_USERNAME: opencode
        # OPENCODE_SERVER_PASSWORD: ${{ secrets.OPENCODE_SERVER_PASSWORD }}
@@ -96,9 +96,9 @@ inputs:
    description: 'OpenCode server Basic Auth password'
    required: false
  OPENCODE_SKIP_TLS_VERIFY:
-    description: '跳過 OpenCode server SSL/TLS 憑證驗證（自簽憑證時使用）'
+    description: '跳過 OpenCode server SSL/TLS 憑證驗證'
    required: false
-    default: 'false'
+    default: 'true'

 runs:
  using: 'docker'
@@ -14,7 +14,7 @@ export const FINDINGS_PATH = '.gitea/ai-review/findings.json';
 export const EXCLUSIONS_PATH = '.gitea/ai-review/exclusions.json';

 export function shouldSkipOpenCodeTLSVerify() {
-  return process.env.OPENCODE_SKIP_TLS_VERIFY === 'true';
+  return process.env.OPENCODE_SKIP_TLS_VERIFY !== 'false';
 }

 export function getOpenCodeHttpsAgent() {
@@ -1,6 +1,6 @@
 import { describe, it, beforeEach, afterEach } from 'node:test';
 import assert from 'node:assert/strict';
-import { getLLMConfig } from './config.js';
+import { getLLMConfig, shouldSkipOpenCodeTLSVerify } from './config.js';

 const ENV_KEYS = [
  'OPENAI_API_KEY', 'OPENAI_BASE_URL', 'OPENAI_MODEL',
@@ -10,6 +10,7 @@ const ENV_KEYS = [
  'AMAZONQ_API_KEY', 'AMAZONQ_BASE_URL', 'AMAZONQ_MODEL',
  'OPENCODE_BASE_URL', 'OPENCODE_MODEL', 'OPENCODE_PROVIDER',
  'OPENCODE_SERVER_USERNAME', 'OPENCODE_SERVER_PASSWORD',
+  'OPENCODE_SKIP_TLS_VERIFY',
 ];

 let saved = {};
@@ -104,6 +105,15 @@ describe('getLLMConfig', () => {
    assert.equal(cfg.model, 'google/gemini-2.5-pro');
  });

+  it('skips OpenCode TLS verification by default', () => {
+    assert.equal(shouldSkipOpenCodeTLSVerify(), true);
+  });
+
+  it('allows explicitly enabling OpenCode TLS verification', () => {
+    process.env.OPENCODE_SKIP_TLS_VERIFY = 'false';
+    assert.equal(shouldSkipOpenCodeTLSVerify(), false);
+  });
+
  it('openai takes priority over gemini when both set', () => {
    process.env.OPENAI_API_KEY = 'sk-test';
    process.env.GEMINI_API_KEY = 'gemini-key';
@@ -164,9 +164,8 @@ describe('chat - key rotation', async () => {
    assert.equal(headers[0]['Authorization'], `Basic ${Buffer.from('opencode:secret').toString('base64')}`);
  });

-  it('passes an insecure https agent to OpenCode when TLS verification is disabled', async () => {
+  it('passes an insecure https agent to OpenCode by default', async () => {
    process.env.OPENCODE_BASE_URL = 'https://opencode.local:4096';
-    process.env.OPENCODE_SKIP_TLS_VERIFY = 'true';
    const agents = [];
    mock.method(axios, 'post', async (url, _payload, opts) => {
      agents.push(opts.httpsAgent);
@@ -179,6 +178,19 @@ describe('chat - key rotation', async () => {
    assert.equal(agents[1].options.rejectUnauthorized, false);
  });

+  it('does not pass an insecure https agent to OpenCode when TLS verification is enabled', async () => {
+    process.env.OPENCODE_BASE_URL = 'https://opencode.local:4096';
+    process.env.OPENCODE_SKIP_TLS_VERIFY = 'false';
+    const agents = [];
+    mock.method(axios, 'post', async (url, _payload, opts) => {
+      agents.push(opts.httpsAgent);
+      if (url.endsWith('/session')) return { data: { id: 'ses_test' } };
+      return { data: { parts: [{ type: 'text', text: 'ok' }] } };
+    });
+    await chat('sys', 'user');
+    assert.deepEqual(agents, [undefined, undefined]);
+  });
+
  it('uses Responses API for openai GPT-5.5', async () => {
    process.env.OPENAI_API_KEY = 'sk-test';
    process.env.OPENAI_MODEL = 'GPT-5.5';
@@ -183,10 +183,9 @@ describe('verifyLLM', () => {
    assert.deepEqual(urls, ['http://opencode.local:4096/global/health', 'http://opencode.local:4096/config/providers']);
  });

-  it('passes an insecure https agent for opencode when TLS verification is disabled', async () => {
+  it('passes an insecure https agent for opencode by default', async () => {
    clearLLMEnv();
    process.env.OPENCODE_BASE_URL = 'https://opencode.local:4096';
-    process.env.OPENCODE_SKIP_TLS_VERIFY = 'true';
    const agents = [];
    mock.method(axios, 'get', async (url, opts) => {
      agents.push(opts.httpsAgent);
@@ -200,6 +199,21 @@ describe('verifyLLM', () => {
    assert.equal(agents[1].options.rejectUnauthorized, false);
  });

+  it('does not pass an insecure https agent for opencode when TLS verification is enabled', async () => {
+    clearLLMEnv();
+    process.env.OPENCODE_BASE_URL = 'https://opencode.local:4096';
+    process.env.OPENCODE_SKIP_TLS_VERIFY = 'false';
+    const agents = [];
+    mock.method(axios, 'get', async (url, opts) => {
+      agents.push(opts.httpsAgent);
+      if (url.endsWith('/global/health')) return { data: { healthy: true } };
+      return { data: { providers: [{ id: 'google', models: { 'gemini-2.5-flash': { id: 'gemini-2.5-flash' } } }] } };
+    });
+    const result = await verifyLLM();
+    assert.equal(result.ok, true);
+    assert.deepEqual(agents, [undefined, undefined]);
+  });
+
  it('checks openai GPT-5.5 with Responses API', async () => {
    clearLLMEnv();
    process.env.OPENAI_API_KEY = 'sk-test';
Author	SHA1	Message	Date
jiantw83	6e33935913	Merge pull request 'feat(OpenCode TLS): 預設跳過 TLS 驗證' (#25 ) from develop into master CD / 計算版本號 (push) Successful in 1s Details CD / 發布專案 (push) Successful in 2s Details Reviewed-on: #25	2026-06-20 14:10:40 +00:00
jiantw83	1b3c5a7aec	Merge pull request 'feat(OpenCode TLS): 預設跳過 TLS 驗證' (#24 ) from ai-review-resolve/20260620134144 into develop Reviewed-on: #24	2026-06-20 14:09:03 +00:00
AI Review Bot	a02d7f374c	chore: update ai-review findings [ai-review-bot][success] AI / 計算版本號 (pull_request) Successful in 2s Details AI / Code Review (pull_request) Successful in 4s Details	2026-06-20 14:08:55 +00:00
jiantw83	6036ce45c4	docs(README): 說明 OpenCode TLS 驗證預設值 AI / 計算版本號 (pull_request) Successful in 2s Details AI / Code Review (pull_request) Successful in 1m10s Details	2026-06-20 13:56:00 +00:00
jiantw83	648334d153	test(OpenCode TLS): 覆蓋預設跳過驗證行為	2026-06-20 13:56:00 +00:00
jiantw83	9d759464c2	feat(OpenCode TLS): 預設跳過 TLS 驗證	2026-06-20 13:56:00 +00:00
admin	dc4b63a023	Merge pull request '共用 OpenCode TLS httpsAgent 建立邏輯' (#23 ) from develop into master CD / 計算版本號 (push) Successful in 1s Details CD / 發布專案 (push) Successful in 2s Details Reviewed-on: #23	2026-06-20 13:54:26 +00:00
admin	d898e92935	Merge pull request '共用 OpenCode TLS httpsAgent 建立邏輯' (#22 ) from ai-review-resolve/20260620134144 into develop Reviewed-on: #22	2026-06-20 13:51:30 +00:00
jiantw83	0b8b67adbe	Merge pull request '新增 OpenCode 自簽憑證略過設定' (#21 ) from develop into master CD / 計算版本號 (push) Successful in 1s Details CD / 發布專案 (push) Successful in 3s Details Reviewed-on: #21	2026-06-20 13:20:21 +00:00
admin	4e0ef96d80	Merge pull request 'fix(ai-review 同步): 限制自動提交只包含問題檔' (#19 ) from develop into master CD / 計算版本號 (push) Successful in 2s Details CD / 發布專案 (push) Successful in 5s Details Reviewed-on: #19 Reviewed-by: 系統管理員 <1+admin@noreply.localhost>	2026-06-18 08:11:06 +00:00
admin	aea3e93d36	Merge pull request 'fix(llm): 強化 OpenCode JSON 回應解析' (#17 ) from develop into master CD / 計算版本號 (push) Successful in 1s Details CD / 發布專案 (push) Successful in 4s Details Reviewed-on: #17 Reviewed-by: 系統管理員 <1+admin@noreply.localhost>	2026-06-17 07:15:15 +00:00
admin	79e4042003	Merge pull request 'feat(opencode): 新增 OpenCode server provider 串接' (#16 ) from develop into master CD / 計算版本號 (push) Successful in 2s Details CD / 發布專案 (push) Successful in 3s Details Reviewed-on: #16 Reviewed-by: 系統管理員 <1+admin@noreply.localhost>	2026-06-17 07:00:27 +00:00
jiantw83	92f10c7970	Merge pull request '優化 Step2：改用 skill RPG 攻防腳色系統（新增 Mage 邏輯角色、Step3/4 套 Paladin 裁決人設）' (#15 ) from develop into master CD / 計算版本號 (push) Successful in 2s Details CD / 發布專案 (push) Successful in 5s Details Reviewed-on: #15	2026-06-16 09:05:54 +00:00
jiantw83	07e38f9d45	Merge pull request 'feat: 前置驗證納入 git push 認證檢查' (#11 ) from develop into master CD / 計算版本號 (push) Successful in 2s Details CD / 發布專案 (push) Successful in 7s Details Reviewed-on: #11	2026-06-16 06:23:51 +00:00
jiantw83	49f190e944	Merge pull request 'feat: implement Git integration for automated repository instruction syncing and commit management' (#131 ) from develop into master Reviewed-on: #131	2026-05-21 04:00:28 +00:00
jiantw83	72701dee0a	Merge pull request 'feat: add SKILL.md for triage-findings documentation' (#128 ) from develop into master Reviewed-on: #128	2026-05-20 09:11:03 +00:00
jiantw83	503e50a2d0	Merge pull request 'feat: 將 ANTIGRAVITY 加入程式與技能' (#126 ) from develop into master Reviewed-on: #126	2026-05-20 02:56:21 +00:00
jiantw83	dddcc9031b	Merge pull request 'develop' (#124 ) from develop into master Reviewed-on: #124	2026-05-18 03:32:00 +00:00
jiantw83	ace50037ba	Merge pull request 'feat: 優化AI排除問題與過濾' (#122 ) from develop into master Reviewed-on: #122	2026-05-18 02:59:46 +00:00
jiantw83	76eaff7788	Merge pull request '版本 0.1.6' (#120 ) from develop into master Reviewed-on: #120	2026-05-15 15:57:20 +00:00
jiantw83	6ac8512dbc	Merge pull request 'fix: remove GITEA_TOKEN from AI Code Review step and ensure master branch is ignored in pull requestsfix: remove GITEA_TOKEN from AI Code Review step and ensure master branch is ignored in pull requests' (#116 ) from develop into master Reviewed-on: #116	2026-05-15 09:56:51 +00:00
jiantw83	3b8e942e7f	Merge pull request 'feat: enhance findings and exclusions handling with repo state logging' (#114 ) from develop into master Reviewed-on: #114	2026-05-15 09:52:26 +00:00
jiantw83	051457b11b	Merge pull request 'fix: clarify stage seven push failures' (#112 ) from develop into master Reviewed-on: #112	2026-05-15 06:55:50 +00:00
jiantw83	92f1c6fe82	Merge pull request 'fix: support wrapped exclusions schema' (#111 ) from develop into master Reviewed-on: #111	2026-05-15 06:46:28 +00:00
jiantw83	27df6894a4	Merge pull request 'fix: write findings to review dir' (#110 ) from develop into master Reviewed-on: #110	2026-05-15 06:25:29 +00:00
jiantw83	1afd978059	Merge pull request 'fix: stage generated review files' (#109 ) from develop into master Reviewed-on: #109	2026-05-15 05:53:55 +00:00
jiantw83	146faca7cb	Merge pull request 'docs: preserve original text in exclusions' (#108 ) from develop into master Reviewed-on: #108	2026-05-15 04:51:23 +00:00
jiantw83	4c99247566	Merge pull request 'fix: sync codex skill assets' (#107 ) from develop into master Reviewed-on: #107	2026-05-15 04:24:32 +00:00
jiantw83	81cbb83340	Merge pull request 'fix: package triage skills into the action image' (#106 ) from develop into master Reviewed-on: #106	2026-05-15 04:00:55 +00:00
jiantw83	3f65b72cf0	Merge pull request 'fix: restore triage skill files and keep sync non-destructive' (#104 ) from develop into master Reviewed-on: #104	2026-05-15 03:34:26 +00:00
jiantw83	2eb94c8f74	Merge pull request 'feat: 解決階段七commit失敗的問題' (#102 ) from develop into master Reviewed-on: #102	2026-05-15 03:18:55 +00:00
jiantw83	6354c0987c	Merge pull request 'chore: refine stage 7 json validation' (#98 ) from develop into master Reviewed-on: #98	2026-05-14 02:42:13 +00:00
jiantw83	7df34eb1d0	Merge pull request '版本 0.0.4' (#97 ) from develop into master Reviewed-on: #97	2026-05-13 06:31:30 +00:00
jiantw83	ca5d54882f	Merge pull request '版本 0.0.2' (#94 ) from develop into master Reviewed-on: #94	2026-05-13 02:43:10 +00:00
jiantw83	ca4664e0cc	Merge pull request '發布 0.0.1' (#86 ) from develop into master Reviewed-on: #86	2026-05-12 10:09:32 +00:00