fix(core): conditionally include system CA flag in execArgv for build…

[neostfox]

… script

Issue for this PR

Closes #15021

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

This PR fixes the issue reported in #15021. It adds an env var OPENCODE_DISABLE_SYSTEM_CA to optionally bypass the --use-system-ca flag.

How did you verify your code works?

I tested it locally on Windows with enterprise security software (LHShield).

• Ran with OPENCODE_DISABLE_SYSTEM_CA="true", the CLI started successfully without the segfault crash.
• Ran without the env var, the flag --use-system-ca was included as normal.

Screenshots / recordings

N/A (This is a backend CLI fix, no UI changes)

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

If you do not follow this template your PR will be automatically rejected.

[github-actions]

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

1. Open an issue describing the bug/feature (if one doesn't exist)
2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

[github-actions]

Thanks for updating your PR! It now meets our contributing guidelines. 👍

[github-actions]

Thanks for updating your PR! It now meets our contributing guidelines. 👍

[neostfox]

--use-system-ca gets compiled into the binary at build time via execArgv, so there's no way to turn it off at runtime. On Windows machines running DLL injection software (e.g. LHShield64.dll), this triggers a segfault in Bun's FFI/TCC layer.

Adds no-ca build variants for Windows that ship without the --use-system-ca flag:

opencode-windows-x64-no-ca
opencode-windows-x64-baseline-no-ca
Only uploaded to GitHub Releases (not npm). Users hitting this issue can grab the zip and point OPENCODE_BIN_PATH at it.