Files
crewAI/lib
Joao Moura 8afc97d1f5 fix(platform-tools): stop silently disabling TLS verification via CREWAI_FACTORY
Both platform API requests (fetch actions and execute action) set
`verify=os.environ.get("CREWAI_FACTORY","false").lower() != "true"`, so
CREWAI_FACTORY=true silently turned off TLS verification for requests that carry
the platform integration Bearer token — a MITM/token-leak footgun behind a
vaguely-named flag.

Centralize into `platform_tls_verify()`: verification is on by default and can
be disabled only via an explicit opt-out (CREWAI_PLATFORM_INSECURE_SKIP_TLS_VERIFY;
legacy CREWAI_FACTORY still honored for internal builds), and disabling now emits
a loud UserWarning pointing at REQUESTS_CA_BUNDLE for trusting a self-signed
endpoint securely. Only the exact value "true" disables (unchanged), so a stray
value can't drop verification.

Tests: default on; explicit + legacy flags disable with a loud warning; non-"true"
values stay verified. Existing factory-true tests still pass (behavior preserved).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RBYGqJHC2TMC6fonFziuuh
2026-07-07 00:35:07 -07:00
..