Problem
When `thv llm setup --tls-skip-verify` is used for Claude Code, the setup writes:
`{ "env": { "NODE_TLS_REJECT_UNAUTHORIZED": "0" } }`
to `~/.claude/settings.json`. This disables TLS certificate verification for the entire Claude Code Node.js process, not just for connections to the LLM gateway. Claude Code also connects to `api.anthropic.com`, the MCP registry, and other endpoints; all of these lose certificate verification while this setting is in place, so an on-path attacker presenting an arbitrary certificate to any of them goes undetected.
`NODE_TLS_REJECT_UNAUTHORIZED=0` is the only widely supported way to disable certificate verification for a Node.js process without modifying the application's code, and it is process-global: there is no per-host variant, so a fully targeted solution (a per-host override) isn't straightforward. The risk should at least be documented, and the UX should make the scope of the setting explicit.
Proposed mitigations
- Stronger warning: when writing `NODE_TLS_REJECT_UNAUTHORIZED=0`, print a clearly scoped warning: "This disables TLS verification for all of Claude Code's outbound connections, not just the LLM gateway. Use only in isolated local environments."
- Document in help text: the `--tls-skip-verify` flag description on `setup` should note this scope.
- (Future / ideal): investigate whether a per-origin TLS override is feasible via a custom `apiKeyHelper` wrapper or proxy-side passthrough, to avoid setting the global flag at all.
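To make the write and the warning concrete, here is an added Go example (not ToolHive's own code; the function names, the warning wording, and the sample settings.json are assumptions) that merges the override into an existing settings file without clobbering other keys, returns the scoped warning for the caller to print, and provides an audit check for whether a settings file currently carries the global override:

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// tlsSkipEnvKey is the Node.js variable Claude Code inherits from settings.json.
const tlsSkipEnvKey = "NODE_TLS_REJECT_UNAUTHORIZED"

// tlsSkipWarning is the scoped warning proposed in the issue (exact wording assumed).
const tlsSkipWarning = "WARNING: " + tlsSkipEnvKey + "=0 disables TLS verification for ALL of " +
	"Claude Code's outbound connections (api.anthropic.com, the MCP registry, ...), " +
	"not just the LLM gateway. Use only in isolated local environments."

// applyTLSSkip merges {"env": {"NODE_TLS_REJECT_UNAUTHORIZED": "0"}} into an existing
// settings.json document, keeping every other key and any other env entries intact,
// and returns the warning the caller should print. Empty input is treated as "{}".
func applyTLSSkip(settings []byte) ([]byte, string, error) {
	doc := map[string]any{}
	if len(settings) > 0 {
		if err := json.Unmarshal(settings, &doc); err != nil {
			return nil, "", fmt.Errorf("parse settings.json: %w", err)
		}
	}
	env, _ := doc["env"].(map[string]any) // nil if absent or not an object
	if env == nil {
		env = map[string]any{}
	}
	env[tlsSkipEnvKey] = "0"
	doc["env"] = env
	out, err := json.MarshalIndent(doc, "", "  ")
	if err != nil {
		return nil, "", err
	}
	return out, tlsSkipWarning, nil
}

// tlsSkipActive reports whether a settings.json document currently carries the
// global override, i.e. env.NODE_TLS_REJECT_UNAUTHORIZED is the string "0" that
// the setup command writes. Useful as an after-the-fact audit of ~/.claude/settings.json.
func tlsSkipActive(settings []byte) (bool, error) {
	var doc struct {
		Env map[string]any `json:"env"`
	}
	if err := json.Unmarshal(settings, &doc); err != nil {
		return false, fmt.Errorf("parse settings.json: %w", err)
	}
	v, _ := doc.Env[tlsSkipEnvKey].(string)
	return v == "0", nil
}

func main() {
	// Constructed sample: a settings.json that already holds unrelated keys.
	existing := []byte(`{"permissions":{"allow":["Bash(ls:*)"]},"env":{"FOO":"bar"}}`)

	out, warn, err := applyTLSSkip(existing)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	// Print the scoped warning on stderr so it is visible even when stdout is redirected.
	fmt.Fprintln(os.Stderr, warn)
	fmt.Println(string(out))

	active, err := tlsSkipActive(out)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("global TLS skip active:", active)
}
```

The merge matters because overwriting the whole file would silently drop a user's other settings; the audit function is the check a practitioner would run before trusting a Claude Code session that was set up on a shared or previously-configured machine.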
Acceptance Criteria
- `thv llm setup --tls-skip-verify` prints a visible warning explaining the overly broad scope of `NODE_TLS_REJECT_UNAUTHORIZED=0`
- The `--tls-skip-verify` flag description on `thv llm setup` mentions that it affects all Claude Code TLS connections
References
`pkg/llm/setup.go` — `setupClaudeCodeAt` (sets `NODE_TLS_REJECT_UNAUTHORIZED`)
`cmd/thv/app/llm.go` — `newLLMSetupCmd` flag description