Add --tls-insecure to make TLS useless

Fixes #1

Author: jedisct1

cmd/openapi-mcp/flags.go

@@ -31,6 +31,7 @@ type cliFlags struct {
 	docFormat          string
 	postHookCmd        string
 	noConfirmDangerous bool
+	tlsInsecure        bool       // Disable TLS certificate verification
 	args               []string
 	mounts             mountFlags // slice of mountFlag
 	functionListFile   string     // Path to file listing functions to include (for filter command)
@@ -87,6 +88,7 @@ func parseFlags() *cliFlags {
 	flag.StringVar(&flags.docFormat, "doc-format", "markdown", "Documentation format: markdown (default) or html")
 	flag.StringVar(&flags.postHookCmd, "post-hook-cmd", "", "Command to post-process the generated tool schema JSON (used in --dry-run or --doc mode)")
 	flag.BoolVar(&flags.noConfirmDangerous, "no-confirm-dangerous", false, "Disable confirmation prompt for dangerous (PUT/POST/DELETE) actions in tool descriptions")
+	flag.BoolVar(&flags.tlsInsecure, "tls-insecure", false, "Disable TLS certificate verification for HTTP calls to remote APIs")
 	flag.Var(&flags.mounts, "mount", "Mount an OpenAPI spec at a base path: /base:path/to/spec.yaml (repeatable, can be used multiple times)")
 	flag.StringVar(&flags.functionListFile, "function-list-file", "", "File with list of function (operationId) names to include (one per line, for filter command)")
 	flag.StringVar(&flags.logFile, "log-file", "", "File path to log all MCP requests and responses for debugging")
@@ -191,6 +193,7 @@ Flags:
   --doc-format         Documentation format: markdown (default) or html
   --post-hook-cmd      Command to post-process the generated tool schema JSON
   --no-confirm-dangerous Disable confirmation for dangerous actions
+  --tls-insecure       Disable TLS certificate verification for HTTP calls to remote APIs
   --summary            Print a summary for CI
   --tag                Only include tools with the given tag
   --diff               Compare generated tools with a reference file

cmd/openapi-mcp/main.go

@@ -24,6 +24,11 @@ func main() {
 	// Set env vars from flags if provided
 	setEnvFromFlags(flags)
 
+	// Configure HTTP client TLS settings globally if flag is set
+	if flags.tlsInsecure {
+		openapi2mcp.SetHTTPClientTLSConfig(true)
+	}
+
 	args := flags.args
 
 	// If --mount is used with --http, do not require a positional argument

cmd/openapi-mcp/server.go

@@ -20,6 +20,10 @@ import (
 // startServer starts the MCP server in stdio or HTTP mode, based on CLI flags.
 // It registers all OpenAPI operations as MCP tools and starts the server.
 func startServer(flags *cliFlags, ops []openapi2mcp.OpenAPIOperation, doc *openapi3.T) {
+	// Configure HTTP client TLS settings
+	if flags.tlsInsecure {
+		openapi2mcp.SetHTTPClientTLSConfig(true)
+	}
 	if flags.httpAddr != "" && len(flags.mounts) > 0 {
 		// Check for duplicate base paths
 		basePathCount := make(map[string]int)

pkg/openapi2mcp/register.go

@@ -4,6 +4,7 @@ package openapi2mcp
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -22,6 +23,27 @@ import (
 	"github.com/xeipuuv/gojsonschema"
 )
 
+// httpClient is the HTTP client used for making OpenAPI calls.
+// It can be configured with custom TLS settings.
+var httpClient = http.DefaultClient
+
+// SetHTTPClientTLSConfig configures the HTTP client with custom TLS settings.
+// If tlsInsecure is true, TLS certificate verification will be disabled.
+func SetHTTPClientTLSConfig(tlsInsecure bool) {
+	if tlsInsecure {
+		transport := &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+		}
+		httpClient = &http.Client{
+			Transport: transport,
+		}
+	} else {
+		httpClient = http.DefaultClient
+	}
+}
+
 // getParameterValue retrieves a parameter value from args using the escaped parameter name.
 // It tries the escaped name first, then falls back to the original name if not found.
 func getParameterValue(args map[string]any, paramName string, paramNameMapping map[string]string) (any, bool) {
@@ -1063,7 +1085,7 @@ func RegisterOpenAPITools(server *mcpserver.MCPServer, ops []OpenAPIOperation, d
 				logHTTPRequest(httpReq, body)
 			}
 
-			resp, err := http.DefaultClient.Do(httpReq)
+			resp, err := httpClient.Do(httpReq)
 			if err != nil {
 				return nil, err
 			}