From the 2026-06-10 review (deferred — investigation, not a fix).
k8s-client.ts builds a bearer-token kubeconfig with caFile (or skipTLSVerify: true when SANDBOX_K8S_CAFILE is unset). The file's own header notes Bun's fetch ignores kubeconfig client certs/CAs — which implies skipTLSVerify/caFile set on the KubeConfig may be equally inert under Bun, with real CA trust coming only from NODE_EXTRA_CA_CERTS. If so, the skipTLSVerify: true fallback is dead code that looks like a security relaxation, and a missing NODE_EXTRA_CA_CERTS fails with a confusing TLS error.
Task: empirically verify which kubeconfig TLS knobs @kubernetes/client-node@1.4.0 + Bun actually honor, then either remove the inert branches or document the real contract in docs/kubernetes.md.
Refs: services/sandbox/src/backend/kubernetes/k8s-client.ts (makeK8sClient + AUTH NOTE comment).