SSL certificate not used by embedded PHP PHAR when installed via Scoop #110

@pauldossantos

Environment

  • OS: Windows
  • Install method: Scoop
  • Upsun CLI version: 5.9.0
  • PHP version (embedded): 8.2.30

Problem

When running upsun login on a corporate network using Zscaler SSL inspection,
the CLI correctly detects the custom CA bundle for the main process:

DEBUG Determined CA bundle path: C:\Users\<user>\.cert\ZscalerRootCertificate-2048-combined.pem

However, the login flow spawns a separate PHP process to run the local OAuth listener:

Starting local web server with command:
C:\Users\<user>\AppData\Local\upsun-tmp\legacy-8.2.30-4.30.0\php\php.exe
  -dvariables_order=egps -S 127.0.0.1:5000 -t "C:\Users\<user>\.upsun-cli/oauth-listener"

This child PHP process does not inherit the CA bundle, resulting in:

[RequestException]
cURL error 60: SSL certificate problem: unable to get local issuer certificate

Root cause

The spawned php.exe from upsun-tmp uses its own bundled curl/openssl without
the curl.cainfo / CURL_CA_BUNDLE / SSL_CERT_FILE set in the parent environment.

Note: the double-load warnings below are also present and may be a related symptom:

PHP Warning: Module "curl" is already loaded in Unknown on line 0
PHP Warning: Module "openssl" is already loaded in Unknown on line 0

Steps to reproduce

  1. Install Upsun CLI via Scoop on Windows
  2. Be behind a Zscaler proxy with custom root CA
  3. Configure CA bundle (via env var or php.ini)
  4. Run upsun login -vvv
  5. Observe: CA is detected in main process, but cURL error 60 on OAuth callback

Expected behavior

The custom CA bundle detected by the main CLI process should be passed to the
spawned PHP child process, e.g. via -d curl.cainfo=<path> in the PHP command
or via explicit env var injection.

Suggested fix

When spawning the local PHP server, inject the CA bundle path explicitly:

php.exe -d
