From ad0ee04b83b1905b2df9057333c3dcf740c348c3 Mon Sep 17 00:00:00 2001
From: Snider <snider@host.uk.com>
Date: Tue, 3 Mar 2026 13:56:06 +0000
Subject: [PATCH] chore: make TLS skip detect any non-public TLD, not just .lan
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prepares for lthn.lan → lthn.sh migration. Once real certs are
deployed, verifySsl will always be true and this logic becomes
a no-op safety net for .lan/.lab/.local/.test domains.

Co-Authored-By: Virgil <virgil@lethean.io>
---
 Boot.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Boot.php b/Boot.php
index 0d87e72..341e3c4 100644
--- a/Boot.php
+++ b/Boot.php
@@ -77,8 +77,12 @@ class Boot extends ServiceProvider
             $ollamaUrl = config('mcp.brain.ollama_url', 'http://localhost:11434');
             $qdrantUrl = config('mcp.brain.qdrant_url', 'http://localhost:6334');
 
-            // Skip TLS verification for .lan domains (self-signed certs behind Traefik)
-            $verifySsl = ! (str_contains($ollamaUrl, '.lan') || str_contains($qdrantUrl, '.lan'));
+            // Skip TLS verification for non-public TLDs (self-signed certs behind Traefik)
+            $hasLocalTld = static fn (string $url): bool => (bool) preg_match(
+                '/\.(lan|lab|local|test)(?:[:\/]|$)/',
+                parse_url($url, PHP_URL_HOST) ?? ''
+            );
+            $verifySsl = ! ($hasLocalTld($ollamaUrl) || $hasLocalTld($qdrantUrl));
 
             return new \Core\Mod\Agentic\Services\BrainService(
                 ollamaUrl: $ollamaUrl,