feat(config): add native-tls feature to support self-signed certificates

[schtobia]

Summary

Describe this PR in 2-5 bullets:

• Base branch target (master for all contributions): master
• Problem: In certain settings I cannot access the provider, since TLS is intercepted with a custom CA certificate.
• Why it matters: I want to be able to run zeroclaw in all settings
• What changed: added a new feature, native-tls, that enables in turn reqwest/native-tls
• What did not change (scope boundary): Everything else. No code was changed.

Label Snapshot (required)

• Risk label (risk: low|medium|high): risk: low
• Size label (size: XS|S|M|L|XL, auto-managed/read-only): size: xs
• Scope labels (core|agent|channel|config|cron|daemon|doctor|gateway|health|heartbeat|integration|memory|observability|onboard|provider|runtime|security|service|skillforge|skills|tool|tunnel|docs|dependencies|ci|tests|scripts|dev, comma-separated): config
• Module labels (<module>: <component>, for example channel: telegram, provider: kimi, tool: shell):
• Contributor tier label (trusted contributor|experienced contributor|principal contributor|distinguished contributor, auto-managed/read-only; author merged PRs >=5/10/20/50):
• If any auto-label is incorrect, note requested correction:

Change Metadata

• Change type (bug|feature|refactor|docs|security|chore): feature
• Primary scope (runtime|provider|channel|memory|security|ci|docs|multi): runtime

Linked Issue

none.

Validation Evidence (required)

Commands and result summary:

cargo fmt --all -- --check
cargo clippy --all-targets -- -D warnings
cargo test

• Evidence provided (test/log/trace/screenshot/perf):

test.log

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• New external network calls? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• File system access scope changed? (Yes/No) No
• If any Yes, describe risk and mitigation:

Privacy and Data Hygiene (required)

• Data-hygiene status (pass|needs-follow-up):
• Redaction/anonymization notes:
• Neutral wording confirmation (use ZeroClaw/project-native labels if identity-like wording is needed):

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) Yes, the Cargo.toml
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps:

i18n Follow-Through (required when docs or user-facing wording changes)

• i18n follow-through triggered? (Yes/No)
• If Yes, locale navigation parity updated in README*, docs/README*, and docs/SUMMARY.md for supported locales (en, zh-CN, ja, ru, fr, vi)? (Yes/No)
• If Yes, localized runtime-contract docs updated where equivalents exist (minimum for fr/vi: commands-reference, config-reference, troubleshooting)? (Yes/No/N.A.)
• If Yes, Vietnamese canonical docs under docs/i18n/vi/** synced and compatibility shims under docs/*.vi.md validated? (Yes/No/N.A.)
• If any No/N.A., link follow-up issue/PR and explain scope decision:

Human Verification (required)

What was personally validated beyond CI:

• Verified scenarios: tested both with a intercepting SSL proxy and without
• Edge cases checked:
• What was not verified:

Side Effects / Blast Radius (required)

• Affected subsystems/workflows: http client
• Potential unintended effects: None
• Guardrails/monitoring for early detection: None

Agent Collaboration Notes (recommended)

• Agent tools used (if any): None.
• Workflow/plan summary (if any): n/a
• Verification focus: n/a
• Confirmation: naming + architecture boundaries followed (AGENTS.md + CONTRIBUTING.md): n/a

Rollback Plan (required)

• Fast rollback command/path: None
• Feature flags or config toggles (if any): None
• Observable failure symptoms: None

Risks and Mitigations

List real risks in this PR (or write None).

• Risk: None
  • Mitigation: None

[singlerider]

Hey! CI is failing on Security Audit due to RUSTSEC-2026-0098 and RUSTSEC-2026-0099, two rustls-webpki advisories published 2026-04-14. This is a repo-wide issue — not specific to your PR.

The fix landed in #5786 (merged today). Please merge upstream/master into your branch to pick up the updated .cargo/audit.toml and re-run CI:

git fetch upstream
git merge upstream/master
git push

Sorry for the noise!

[schtobia]

done. I've also done a minimal update of Cargo.lock to account for the additional packages.

[singlerider]

See review below.

Dismissed due to inline comment placement error. See corrected review.

[singlerider]

Comprehension summary: Adds an opt-in native-tls feature flag enabling reqwest/native-tls, intended for corporate environments with SSL interception using custom CA certificates.

Security/performance: No permissions or secrets changes. On Linux, native-tls links against system OpenSSL.

[singlerider]

[blocking] On Linux, native-tls dynamically links against system OpenSSL -- a runtime dependency outside the Rust toolchain. This conflicts with the project core constraint of a single static binary with no runtime deps (AGENTS.md hard reject). The use case (custom CA for corporate SSL interception) is achievable with rustls via reqwest::ClientBuilder::add_root_certificate() and a config-supplied PEM path, keeping the binary fully static. Please either show why rustls cannot satisfy the use case, or implement the custom CA path via rustls instead.

[schtobia]

Okay, but this means changing code on a whole different level. For now this PR can be canceled.