[Bug]: Please help to disable SSL for custom LLM provider

[kkksasasa]

Description

sorry I cannot pull request due my network limit:

总共做了两类修复：

1. SSL/TLS 绕过
   根本原因：Node.js 22 的内置 fetch 用的是 undici，它忽略 NODE_TLS_REJECT_UNAUTHORIZED 环境变量。
   修复：新建 apps/desktop/src/main/tls-override.ts，用 undici 的 setGlobalDispatcher API 在请求前后动态替换全局 dispatcher：
   setGlobalDispatcher(new Agent({ connect: { rejectUnauthorized: false } }))

在 packages/shared/src/config.ts 的 provider schema 里加了 tlsRejectUnauthorized: boolean 字段，通过 connection-ipc.ts、index.ts 等地方传递，当 provider 配置了该字段时自动开启。

2. developer role 被 Bedrock 拒绝
   根本原因：pi-ai 库发现模型 ID 匹配 /(^|/)claude-(?:opus|sonnet)-4/i，就会把 system prompt 用 developer role 发送（OpenAI Reasoning 模型规范）。但 Own LLM 后端是 AWS Bedrock，只接受 user/assistant。
   修复：在 ~/.config/open-codesign/config.toml 的 provider 配置里加：
   capabilities = {supportsReasoning = false}

这会让 packages/providers/src/wire-policy.ts 里的 inferReasoning() 返回 false，从而关闭 developer role，system prompt 改用标准 system 字段发送。

Steps to reproduce

cfg own LLM provider find 401 error

Expected behavior

no issue

Actual behavior

Error invoking remote method 'codesign:v1:generate': CodesignError: 400 service… --

open-codesign version

0.1.4

Platform

Windows

OS version

No response

Model provider (if relevant)

None

Error code

No response

Diagnostics bundle

No response

Logs

[github-actions]

感谢反馈，也感谢你把定位思路写得这么具体。

我按当前仓库代码核对了一下，这里可以确认两件事：

1. 对于自定义 / imported provider，capabilities.supportsReasoning = false 这条路径当前代码里是存在的，而且会进入实际生成请求。
2. 但我在当前代码树里没有找到 tlsRejectUnauthorized、setGlobalDispatcher()、rejectUnauthorized 这类 TLS 绕过实现；目前只能确认到 SSL 诊断文案，没找到对应的配置字段或运行时接线。

Relevant code:

• packages/shared/src/config.ts:102 — ProviderCapabilitiesSchema 里包含 supportsReasoning
• apps/desktop/src/main/provider-settings.ts:246 — 解析 provider 的 capabilities / explicitCapabilities
• apps/desktop/src/main/index.ts:872 — 生成时把 active.capabilities 和 active.explicitCapabilities 传到 provider 层
• packages/providers/src/wire-policy.ts:75 — inferReasoning() 会尊重自定义 provider 的 supportsReasoning: false
• packages/providers/src/index.test.ts:745 — 测试覆盖了自定义网关显式关闭 reasoning 的情况
• packages/shared/src/diagnostics.ts:144 — SSL 错误会提示 “Disable TLS verify”，但当前树里我没有核实到对应功能实现

按这份代码看，如果你当前的问题是 Bedrock / 自建 OpenAI 兼容网关不接受 reasoning / developer-role，那么 capabilities.supportsReasoning = false 确实是现有实现里已经接通的一条规避路径。TLS 关闭开关这部分，在当前仓库里我这里只能确认“提示存在”，功能实现未找到。

Need more info:

• 你当前自定义 provider 选的是 openai-chat 还是 openai-responses？
• 脱敏后的 baseUrl 是什么？
• 现在实际报错到底是 SSL / 证书错误，还是 400 / 401？你贴的描述里这几种都有。
• 如果方便，请贴一下该 provider 的脱敏 capabilities 配置片段。

补充一句，项目目前还是 pre-alpha，很多路线图里的能力还没完全落地；自定义 provider / 第三方网关兼容性这块还在持续补齐。

---

open-codesign Bot

[kkksasasa]

---

Issue: Custom OpenAI-compatible providers fail with two compatibility errors

Environment

• Electron: 39.8.8
• Node.js: 22.22.1
• Provider: internal OpenAI-compatible endpoint proxied through AWS Bedrock
• Model: anthropic::claude-4-6-sonnet (via openai-chat wire)

---

Problem 1 — TLS certificate errors with internal/self-signed CA

Symptom

CodesignError: Connection error.
fetch failed — certificate verify failed

Root cause

Node.js 22’s built-in fetch is implemented by undici. Unlike legacy node-fetch, undici ignores the NODE_TLS_REJECT_UNAUTHORIZED environment variable. There is no per-request way to bypass TLS verification without replacing the global undici dispatcher.

Proposed fix

1. Add tlsRejectUnauthorized?: boolean to ProviderEntrySchema in packages/shared/src/config.ts.
2. Thread this field through:
   • provider-settings.ts → connection-ipc.ts and index.ts
3. Add apps/desktop/src/main/tls-override.ts — a reference-counted helper that swaps the global undici dispatcher before each request and restores it after:

import { Agent, getGlobalDispatcher, setGlobalDispatcher } from 'undici';

let refCount = 0;
let savedDispatcher = null;

export function acquireTlsOverride() {
  if (refCount === 0) {
    savedDispatcher = getGlobalDispatcher();
    setGlobalDispatcher(new Agent({ connect: { rejectUnauthorized: false } }));
  }
  refCount++;
}

export function releaseTlsOverride() {
  if (--refCount === 0 && savedDispatcher) {
    setGlobalDispatcher(savedDispatcher);
    savedDispatcher = null;
  }
}

Config example

[providers.my-internal-provider]
tlsRejectUnauthorized = false

---

Problem 2 — developer role rejected by non-OpenAI backends

Symptom

CodesignError: 400 service error: ValidationException:
Value 'developer' at 'messages.1.member.role' failed to satisfy constraint:
Member must satisfy enum value set: [user, assistant]

Root cause

pi-ai detects model IDs matching:

• /((^|\/)claude-(?:opus|sonnet)-4)/i

…and sets model.reasoning = true, which causes the OpenAI SDK to send system prompts as role: "developer" (OpenAI o-series reasoning convention). Backends that strictly follow OpenAI Chat Completions — including AWS Bedrock — reject this role.

Proposed fix

Expose a capabilities.supportsReasoning field in ProviderEntrySchema. When set to false, inferReasoning() in packages/providers/src/wire-policy.ts returns false regardless of model ID heuristics, suppressing the developer role.

Config example

[providers.my-internal-provider]
capabilities = { supportsReasoning = false }

---

Files changed

• packages/shared/src/config.ts

  • Add tlsRejectUnauthorized and capabilities.supportsReasoning to schema

• apps/desktop/src/main/tls-override.ts

  • New — reference-counted undici dispatcher swap

• apps/desktop/src/main/provider-settings.ts

  • Thread tlsRejectUnauthorized through resolution

• apps/desktop/src/main/connection-ipc.ts

  • Wrap test handlers with TLS override

• apps/desktop/src/main/index.ts

  • Wrap generate handler with TLS override

• apps/desktop/src/main/onboarding-ipc.ts

  • Support setting tlsRejectUnauthorized via UI

---

If submitting a PR instead of an Issue, the above can be used directly as the PR description, and you can attach the git diff below it.

---