mirror of
https://github.com/crewAIInc/crewAI.git
synced 2026-07-07 16:09:30 +00:00
Both platform API requests (fetch actions and execute action) set
`verify=os.environ.get("CREWAI_FACTORY","false").lower() != "true"`, so
CREWAI_FACTORY=true silently turned off TLS verification for requests that carry
the platform integration Bearer token — a MITM/token-leak footgun behind a
vaguely-named flag.
Centralize into `platform_tls_verify()`: verification is on by default and can
be disabled only via an explicit opt-out (CREWAI_PLATFORM_INSECURE_SKIP_TLS_VERIFY;
legacy CREWAI_FACTORY still honored for internal builds), and disabling now emits
a loud UserWarning pointing at REQUESTS_CA_BUNDLE for trusting a self-signed
endpoint securely. Only the exact value "true" disables (unchanged), so a stray
value can't drop verification.
Tests: default on; explicit + legacy flags disable with a loud warning; non-"true"
values stay verified. Existing factory-true tests still pass (behavior preserved).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RBYGqJHC2TMC6fonFziuuh