Labels: core (Anything pertaining to core functionality of the application (opencode server stuff))
Description
- I have verified this feature I'm about to request hasn't been suggested before.
Summary
OpenCode should support first-class mutual TLS (mTLS) for outbound HTTPS connections, including provider API calls and remote MCP servers that require client certificate authentication.
Today, users can set custom CA trust (NODE_EXTRA_CA_CERTS), but there is no clear first-class config path for client cert + key (and optional CA) across relevant network surfaces.
Why this matters
Many enterprise environments require mTLS for:
- outbound API access through secure gateways
- internal MCP endpoints
- zero-trust service-to-service access
Without mTLS support, OpenCode is difficult to use in regulated/corporate environments.
Proposed config
Add explicit config options (names are examples):
```json
{
  "network": {
    "mtls": {
      "cert": "/path/client-cert.pem",
      "key": "/path/client-key.pem",
      "ca": "/path/ca.pem",
      "passphrase": "{env:MTLS_KEY_PASSPHRASE}"
    }
  }
}
```
And/or allow per-target overrides, e.g. per provider or per MCP server.
Expected behavior
- OpenCode can establish HTTPS connections that require client cert authentication.
- mTLS config is supported in:
  - provider requests
  - remote MCP HTTP/SSE transport
  - other outbound HTTPS flows used by OpenCode
- Failure messages are actionable (missing cert/key, invalid format, handshake failure, etc.).
- Paths and secrets are not logged in plaintext.
Acceptance criteria
- Documented config schema for mTLS cert/key/ca
- Works for at least provider and remote MCP connections
- Works with PEM cert+key files
- Clear troubleshooting docs for TLS handshake failures
- Tests covering success and common failure cases
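The following is an added example of how the proposed `network.mtls` block could be turned into the options Node's `https.Agent` / `tls.connect` accept, with the behaviour the request asks for: `{env:NAME}` placeholders resolved, per-target overrides merged on top of the global block, PEM files sanity-checked, and error messages that name the config field and the failure but never the path or the key material. It is not OpenCode's code and not part of the issue; the `targets` override map, the function names, and the `MtlsConfigError` type are assumptions made for illustration. The fixture it writes is constructed for offline runs: a real passphrase-protected EC key plus a placeholder "certificate" file that only exercises the config path (a handshake would need a CA-issued client certificate).

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
import * as crypto from "node:crypto";
import type { AgentOptions } from "node:https";

// Shape of the proposed "network.mtls" block. "targets" is a hypothetical
// per-provider / per-MCP-server override map (assumption, not in the issue).
export interface MtlsConfig { cert?: string; key?: string; ca?: string; passphrase?: string; }
export interface NetworkConfig { mtls?: MtlsConfig; targets?: Record<string, MtlsConfig>; }

// Config errors name the field and the failure, never the path or file contents.
export class MtlsConfigError extends Error {}

// Expand "{env:NAME}" placeholders. The resolved value is returned, not logged.
export function resolveEnvPlaceholder(value: string, env: NodeJS.ProcessEnv = process.env): string {
  return value.replace(/\{env:([A-Za-z_][A-Za-z0-9_]*)\}/g, (_m, name: string) => {
    const v = env[name];
    if (v === undefined) throw new MtlsConfigError(`environment variable ${name} is not set`);
    return v;
  });
}

// Per-target overrides win field by field over the global block.
export function effectiveMtls(cfg: NetworkConfig, target: string): MtlsConfig | undefined {
  const base = cfg.mtls;
  const over = cfg.targets?.[target];
  if (!base && !over) return undefined;
  return { ...base, ...over };
}

function readPem(field: keyof MtlsConfig, file: string, kind: string, header: RegExp): string {
  let text: string;
  try {
    text = fs.readFileSync(file, "utf8");
  } catch (e) {
    const code = (e as NodeJS.ErrnoException).code ?? "EIO";
    throw new MtlsConfigError(`mtls.${field}: file could not be read (${code})`);
  }
  if (!header.test(text)) throw new MtlsConfigError(`mtls.${field}: file is not a PEM ${kind}`);
  return text;
}

// Turn the config into the options that https.Agent / tls.connect accept.
export function buildTlsOptions(mtls: MtlsConfig, env: NodeJS.ProcessEnv = process.env): AgentOptions {
  if (!mtls.cert || !mtls.key) throw new MtlsConfigError("mtls: both cert and key must be set");
  const certHeader = /^-----BEGIN CERTIFICATE-----/m;
  const keyHeader = /^-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----/m;
  const opts: AgentOptions = {
    cert: readPem("cert", resolveEnvPlaceholder(mtls.cert, env), "certificate", certHeader),
    key: readPem("key", resolveEnvPlaceholder(mtls.key, env), "private key", keyHeader),
  };
  if (mtls.ca) opts.ca = readPem("ca", resolveEnvPlaceholder(mtls.ca, env), "certificate", certHeader);
  if (mtls.passphrase) opts.passphrase = resolveEnvPlaceholder(mtls.passphrase, env);
  return opts;
}

// What a log line may say about the effective mTLS setup: presence only.
export function redactedSummary(opts: AgentOptions): string {
  const on = (v: unknown) => (v ? "present" : "absent");
  return `mtls cert=${on(opts.cert)} key=${on(opts.key)} ca=${on(opts.ca)} passphrase=${opts.passphrase ? "set" : "unset"}`;
}

// Constructed fixture for offline runs (see lead-in): a real encrypted EC key
// plus a placeholder certificate file that would never pass a handshake.
export const FIXTURE_PASSPHRASE = "constructed-passphrase";
export function writeFixture(): { dir: string; cert: string; key: string; ca: string } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "opencode-mtls-"));
  const { privateKey } = crypto.generateKeyPairSync("ec", {
    namedCurve: "P-256",
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase: FIXTURE_PASSPHRASE },
  });
  const fakeCert = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n";
  const files = {
    dir,
    cert: path.join(dir, "client-cert.pem"),
    key: path.join(dir, "client-key.pem"),
    ca: path.join(dir, "ca.pem"),
  };
  fs.writeFileSync(files.cert, fakeCert);
  fs.writeFileSync(files.key, privateKey);
  fs.writeFileSync(files.ca, fakeCert);
  return files;
}

// Stand-alone run: global block plus a per-target override for one MCP server.
export function demo(): string {
  const f = writeFixture();
  const env = { MTLS_KEY_PASSPHRASE: FIXTURE_PASSPHRASE };
  const cfg: NetworkConfig = {
    mtls: { cert: f.cert, key: f.key, passphrase: "{env:MTLS_KEY_PASSPHRASE}" },
    targets: { "mcp:internal-tools": { ca: f.ca } },
  };
  const opts = buildTlsOptions(effectiveMtls(cfg, "mcp:internal-tools")!, env);
  // Prove the passphrase reached the key: createPrivateKey throws if it is wrong.
  crypto.createPrivateKey({ key: opts.key as string, passphrase: opts.passphrase });
  fs.rmSync(f.dir, { recursive: true, force: true });
  return redactedSummary(opts);
}
console.log(demo());
```

The object returned by `buildTlsOptions` is what a caller would pass to `new https.Agent(...)` for provider requests or to the `fetch` / SSE client used for a remote MCP server; the handshake itself is not attempted here because the fixture certificate is a placeholder.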