Mike Swanson
8119292bcd
All checks were successful
The auto-update path built both reqwest clients with an unconditional danger_accept_invalid_certs(true), so a network MITM could serve an arbitrary update .exe (checksum is no defense — same unverified channel) and gain RCE on every managed endpoint. Replace with dev_insecure_tls() = cfg!(debug_assertions) && env GURUCONNECT_DEV_INSECURE_TLS: the cfg gate compiles out of release builds, so a shipped agent ALWAYS verifies certs; dev keeps a self-signed escape hatch. Loud warn when the insecure path is taken; verify_checksum kept + documented as transport-integrity (not tamper) defense; TODO + follow-up for embedded-key update signing (defense-in-depth). Release-invariant unit test added. cargo fmt/clippy(-D warnings)/test green on GURU-5070 (90 tests). Closes the 2026-05-30 security-audit HIGH (reports/2026-05-30-gc-audit.md). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>