fix: mcp ssl verification

paulnegz · paulnegz · commit d2e32acfbccc · 2025-07-30T00:15:37.000-05:00
This commit squashes two fixes:

- fix(config-yaml): Handles the 'api_key' field in config.yaml, allowing for snake_case, which fixes authentication for providers like OpenRouter and Groq.
- fix(mcp): Passes the 'verifySsl' option to sse and streamable-http MCP transports, allowing users to disable SSL verification for debugging.
diff --git a/core/context/mcp/MCPConnection.ts b/core/context/mcp/MCPConnection.ts
@@ -1,3 +1,4 @@
+import { HttpsProxyAgent } from "https-proxy-agent";
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { Transport } from "@modelcontextprotocol/sdk/shared/transport.js";
 
@@ -346,29 +347,48 @@ class MCPConnection {
         return transport;
       case "websocket":
         return new WebSocketClientTransport(new URL(options.transport.url));
-      case "sse":
-        return new SSEClientTransport(new URL(options.transport.url), {
+      case "sse": {
+        const { url, requestOptions } = options.transport;
+        const agent =
+          typeof requestOptions?.verifySsl === "boolean" &&
+          !requestOptions.verifySsl
+            ? new HttpsProxyAgent({ rejectUnauthorized: false })
+            : undefined;
+
+        const customFetch = (
+          input: RequestInfo | URL,
+          init?: RequestInit,
+        ): Promise<Response> => {
+          return fetch(input, {
+            ...init,
+            // @ts-ignore
+            agent,
+          });
+        };
+
+        return new SSEClientTransport(new URL(url), {
           eventSourceInit: {
-            fetch: (input, init) =>
-              fetch(input, {
-                ...init,
-                headers: {
-                  ...init?.headers,
-                  ...(options.transport.requestOptions?.headers as
-                    | Record<string, string>
-                    | undefined),
-                },
-              }),
+            // @ts-ignore
+            fetch: customFetch,
+            headers: requestOptions?.headers as Record<string, string>,
           },
-          requestInit: { headers: options.transport.requestOptions?.headers },
+          requestInit: { headers: requestOptions?.headers },
         });
-      case "streamable-http":
-        return new StreamableHTTPClientTransport(
-          new URL(options.transport.url),
-          {
-            requestInit: { headers: options.transport.requestOptions?.headers },
-          },
-        );
+      }
+      case "streamable-http": {
+        const { url, requestOptions } = options.transport;
+        const agent =
+          typeof requestOptions?.verifySsl === "boolean" &&
+          !requestOptions.verifySsl
+            ? new HttpsProxyAgent({ rejectUnauthorized: false })
+            : undefined;
+
+        return new StreamableHTTPClientTransport(new URL(url), {
+          // @ts-ignore
+          agent,
+          requestInit: { headers: requestOptions?.headers },
+        });
+      }
       default:
         throw new Error(
           `Unsupported transport type: ${(options.transport as any).type}`,
diff --git a/packages/config-yaml/src/schemas/models.ts b/packages/config-yaml/src/schemas/models.ts
@@ -134,6 +134,7 @@ const baseModelFields = {
   name: z.string(),
   model: z.string(),
   apiKey: z.string().optional(),
+  api_key: z.string().optional(),
   apiBase: z.string().optional(),
   maxStopWords: z.number().optional(),
   roles: modelRolesSchema.array().optional(),
@@ -151,37 +152,53 @@ const baseModelFields = {
   autocompleteOptions: autocompleteOptionsSchema.optional(),
 };
 
-export const modelSchema = z.union([
-  z.object({
-    ...baseModelFields,
-    provider: z.literal("continue-proxy"),
-    apiKeyLocation: z.string().optional(),
-    envSecretLocations: z.record(z.string(), z.string()).optional(),
-    orgScopeId: z.string().nullable(),
-    onPremProxyUrl: z.string().nullable(),
-  }),
-  z.object({
-    ...baseModelFields,
-    provider: z.string().refine((val) => val !== "continue-proxy"),
-    sourceFile: z.string().optional(),
-  }),
-]);
-
-export const partialModelSchema = z.union([
-  z
-    .object({
+export const modelSchema = z
+  .union([
+    z.object({
       ...baseModelFields,
       provider: z.literal("continue-proxy"),
       apiKeyLocation: z.string().optional(),
       envSecretLocations: z.record(z.string(), z.string()).optional(),
-    })
-    .partial(),
-  z
-    .object({
+      orgScopeId: z.string().nullable(),
+      onPremProxyUrl: z.string().nullable(),
+    }),
+    z.object({
       ...baseModelFields,
       provider: z.string().refine((val) => val !== "continue-proxy"),
-    })
-    .partial(),
-]);
+      sourceFile: z.string().optional(),
+    }),
+  ])
+  .transform((val) => {
+    if (val.api_key && !val.apiKey) {
+      val.apiKey = val.api_key;
+    }
+    delete val.api_key;
+    return val;
+  });
+
+export const partialModelSchema = z
+  .union([
+    z
+      .object({
+        ...baseModelFields,
+        provider: z.literal("continue-proxy"),
+        apiKeyLocation: z.string().optional(),
+        envSecretLocations: z.record(z.string(), z.string()).optional(),
+      })
+      .partial(),
+    z
+      .object({
+        ...baseModelFields,
+        provider: z.string().refine((val) => val !== "continue-proxy"),
+      })
+      .partial(),
+  ])
+  .transform((val) => {
+    if (val.api_key && !val.apiKey) {
+      val.apiKey = val.api_key;
+    }
+    delete val.api_key;
+    return val;
+  });
 
 export type ModelConfig = z.infer<typeof modelSchema>;
