Merge pull request #499 from stakpak/fix/warden-tls-platform-verifier

fix: use platform TLS verifier for all HTTP clients

Author: kajogo777

cli/src/apikey_auth.rs

@@ -18,10 +18,12 @@ fn open_browser(url: &str) -> bool {
 async fn listen_for_callback(url: &str) -> String {
     let start_time = std::time::Instant::now();
     while start_time.elapsed() < std::time::Duration::from_secs(120) {
-        let client = stakpak_shared::tls_client::create_tls_client(
+        let client = match stakpak_shared::tls_client::create_tls_client(
             stakpak_shared::tls_client::TlsClientConfig::default(),
-        )
-        .unwrap_or_else(|_| reqwest::Client::new());
+        ) {
+            Ok(c) => c,
+            Err(_) => return "ERROR".to_string(),
+        };
         let response = client.get(url).send().await;
 
         match response {

libs/ai/src/registry/models_dev.rs

@@ -109,9 +109,7 @@ struct CacheFile {
 /// Makes an HTTP request to models.dev and returns parsed provider data.
 /// Models are filtered to only include those with tool calling support.
 pub async fn fetch_models_dev() -> Result<HashMap<String, ProviderInfo>> {
-    let client = reqwest::Client::builder()
-        .timeout(std::time::Duration::from_secs(10))
-        .build()
+    let client = crate::providers::tls::create_platform_tls_client()
         .map_err(|e| Error::NetworkError(format!("Failed to create HTTP client: {}", e)))?;
 
     let response = client

libs/shared/src/models/integrations/search_service.rs

@@ -126,7 +126,7 @@ impl SearchClient {
         let retry_policy = ExponentialBackoff::builder().build_with_max_retries(MAX_RETRIES);
         let base_client =
             crate::tls_client::create_tls_client(crate::tls_client::TlsClientConfig::default())
-                .unwrap_or_else(|_| reqwest::Client::new());
+                .expect("Failed to create TLS client for search service");
         let client = ClientBuilder::new(base_client)
             .with(RetryTransientMiddleware::new_with_policy(retry_policy))
             .build();

libs/shared/src/oauth/flow.rs

@@ -70,7 +70,7 @@ impl OAuthFlow {
 
         let client =
             crate::tls_client::create_tls_client(crate::tls_client::TlsClientConfig::default())
-                .unwrap_or_else(|_| reqwest::Client::new());
+                .expect("Failed to create TLS client for OAuth token exchange");
         let response = client
             .post(&self.config.token_url)
             .json(&serde_json::json!({
@@ -102,7 +102,7 @@ impl OAuthFlow {
     pub async fn refresh_token(&self, refresh_token: &str) -> OAuthResult<TokenResponse> {
         let client =
             crate::tls_client::create_tls_client(crate::tls_client::TlsClientConfig::default())
-                .unwrap_or_else(|_| reqwest::Client::new());
+                .expect("Failed to create TLS client for OAuth token refresh");
         let response = client
             .post(&self.config.token_url)
             .json(&serde_json::json!({

libs/shared/src/oauth/providers/anthropic.rs

@@ -45,7 +45,7 @@ impl AnthropicProvider {
     async fn create_api_key(&self, access_token: &str) -> OAuthResult<String> {
         let client =
             crate::tls_client::create_tls_client(crate::tls_client::TlsClientConfig::default())
-                .unwrap_or_else(|_| reqwest::Client::new());
+                .expect("Failed to create TLS client for Anthropic API key creation");
         let response = client
             .post("https://api.anthropic.com/api/oauth/claude_cli/create_api_key")
             .header("authorization", format!("Bearer {}", access_token))