Description
Add clientTlsConfig support at the HTTP invocation level, allowing per-tool TLS configuration instead of only global configuration.
This addresses concerns raised in #285 about the global-only approach:
- Security: Global config grants the same trust to ALL HTTP requests (violates principle of least privilege)
- Flexibility: Can't mix scenarios (e.g., one tool calling public API, another calling internal API with custom CA)
- Testing: If one tool needs insecureSkipVerify: true for testing, it currently affects everything
Requirements
- Add clientTlsConfig field to HttpInvocationConfig in pkg/config/definitions/types.go
- Per-invocation config should override global config when specified
- Support inheritance from top-level invocation block (via extends feature)
- Update HTTP client creation to check invocation-level config first, then fall back to global
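One way to implement the resolution order these requirements describe, as added example code rather than the project's own implementation: the Go type and field names are assumptions, only the YAML keys (clientTlsConfig, caCertFiles, insecureSkipVerify) come from the issue.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
)

// ClientTLSConfig mirrors the issue's clientTlsConfig keys (Go field names assumed).
type ClientTLSConfig struct {
	CACertFiles        []string `yaml:"caCertFiles"`
	InsecureSkipVerify bool     `yaml:"insecureSkipVerify"`
}

// ResolveClientTLS: invocation-level config wins when set, otherwise global;
// nil means Go's defaults (system roots, verification on).
func ResolveClientTLS(invocation, global *ClientTLSConfig) *ClientTLSConfig {
	if invocation != nil {
		return invocation
	}
	return global
}

// BuildTLSConfig produces the http.Transport.TLSClientConfig for one tool. Listed
// CA files replace the system pool, so a tool given a partner CA trusts only it.
func BuildTLSConfig(c *ClientTLSConfig) (*tls.Config, error) {
	if c == nil {
		return nil, nil // transport keeps its defaults
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: c.InsecureSkipVerify}
	if len(c.CACertFiles) == 0 {
		return cfg, nil
	}
	pool := x509.NewCertPool()
	for _, f := range c.CACertFiles {
		pemBytes, err := os.ReadFile(f)
		if err != nil {
			return nil, fmt.Errorf("clientTlsConfig: read CA file %s: %w", f, err)
		}
		if !pool.AppendCertsFromPEM(pemBytes) {
			return nil, fmt.Errorf("clientTlsConfig: no certificates in %s", f)
		}
	}
	cfg.RootCAs = pool
	return cfg, nil
}
func main() { // constructed example: the dev tool's override beats the corporate-CA global
	global := &ClientTLSConfig{CACertFiles: []string{"/etc/ssl/certs/corporate-ca.pem"}}
	fmt.Println(ResolveClientTLS(&ClientTLSConfig{InsecureSkipVerify: true}, global).InsecureSkipVerify)
}
```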
Example Config
# Define reusable invocation base with TLS config for internal APIs
invocationBases:
  internal-api:
    type: http
    baseUrl: https://internal.corp.example.com
    clientTlsConfig:
      caCertFiles:
        - /etc/ssl/certs/corporate-ca.pem

tools:
  # Inherits TLS config from invocationBase
  - name: get-user-data
    invocation:
      extends:
        from: internal-api
      method: GET
      path: /api/users/{{.userId}}

  # Also inherits from internal-api base
  - name: create-order
    invocation:
      extends:
        from: internal-api
      method: POST
      path: /api/orders

  # Override with insecureSkipVerify for dev/testing tool
  - name: call-dev-api
    invocation:
      type: http
      baseUrl: https://dev.example.com
      clientTlsConfig:
        insecureSkipVerify: true  # Override just for this tool

  # Different CA for partner API
  - name: call-partner-api
    invocation:
      type: http
      baseUrl: https://api.partner.com
      clientTlsConfig:
        caCertFiles: [/etc/ssl/partner-ca.pem]

  # Public API - no custom TLS config needed
  - name: fetch-weather
    invocation:
      type: http
      baseUrl: https://api.weather.gov
      method: GET
      path: /points/{{.lat}},{{.lon}}
Acceptance Criteria
- clientTlsConfig can be set on HttpInvocationConfig