npm - octarin-cli - Versions diffs - 0.3.1 → 0.3.2 - Mend

octarin-cli 0.3.1 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/assets/backfill.py +45 -1
package/assets/claude_code/hook.py +42 -1
package/assets/repo-template/dot-claude/octarin/hook.py +42 -1
package/package.json +1 -1

package/assets/backfill.py CHANGED Viewed

@@ -44,6 +44,7 @@ import getpass
 import json
 import os
 import re
+import ssl
 import subprocess
 import sys
 import urllib.error
@@ -940,6 +941,49 @@ def _filter_spans_by_cutoff(event: dict, cutoff: datetime | None) -> dict | None
     return event
+_SSL_CTX: ssl.SSLContext | None = None
+def _ssl_context() -> ssl.SSLContext:
+    """A cert-verifying TLS context that also works on Pythons whose default
+    trust store is empty — the cause of ``CERTIFICATE_VERIFY_FAILED: unable to
+    get local issuer certificate`` on many macOS (python.org) installs. Resolves
+    a CA bundle, all options verifying: ``OCTARIN_CA_BUNDLE`` / ``SSL_CERT_FILE``
+    env, then ``certifi`` if importable, then known system bundles, then the
+    interpreter default. Built once and reused.
+    """
+    global _SSL_CTX
+    if _SSL_CTX is not None:
+        return _SSL_CTX
+    cafile: str | None = None
+    for env in ("OCTARIN_CA_BUNDLE", "SSL_CERT_FILE"):
+        p = os.environ.get(env)
+        if p and os.path.exists(p):
+            cafile = p
+            break
+    if cafile is None:
+        try:
+            import certifi  # noqa: PLC0415 - optional, used only if present
+            cafile = certifi.where()
+        except Exception:
+            for p in (
+                "/etc/ssl/cert.pem",  # macOS base system, many Linux
+                "/opt/homebrew/etc/openssl@3/cert.pem",  # Apple-silicon Homebrew
+                "/usr/local/etc/openssl@3/cert.pem",  # Intel Homebrew
+                "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu
+                "/etc/pki/tls/certs/ca-bundle.crt",  # RHEL/CentOS
+            ):
+                if os.path.exists(p):
+                    cafile = p
+                    break
+    try:
+        _SSL_CTX = ssl.create_default_context(cafile=cafile)
+    except Exception:
+        _SSL_CTX = ssl.create_default_context()
+    return _SSL_CTX
 def post_event(
     url: str, key: str, event: dict, timeout: float = 20.0
 ) -> tuple[bool, str]:
@@ -955,7 +999,7 @@ def post_event(
         method="POST",
     )
     try:
-        with urllib.request.urlopen(req, timeout=timeout) as resp:
+        with urllib.request.urlopen(req, timeout=timeout, context=_ssl_context()) as resp:
             raw = resp.read().decode("utf-8", "replace")
             try:
                 n = json.loads(raw).get("span_count")

package/assets/claude_code/hook.py CHANGED Viewed

@@ -24,6 +24,7 @@ import getpass
 import hashlib
 import json
 import os
+import ssl
 import subprocess
 import sys
 import time
@@ -476,6 +477,46 @@ def user_ref() -> str:
         return "unknown"
+_SSL_CTX = None
+def _ssl_context():
+    """Cert-verifying TLS context resilient to empty trust stores (the macOS
+    python.org ``CERTIFICATE_VERIFY_FAILED`` issue). Resolves a CA bundle —
+    OCTARIN_CA_BUNDLE / SSL_CERT_FILE env, certifi if importable, known system
+    bundles, else the interpreter default — and reuses it."""
+    global _SSL_CTX
+    if _SSL_CTX is not None:
+        return _SSL_CTX
+    cafile = None
+    for env in ("OCTARIN_CA_BUNDLE", "SSL_CERT_FILE"):
+        p = os.environ.get(env)
+        if p and os.path.exists(p):
+            cafile = p
+            break
+    if cafile is None:
+        try:
+            import certifi
+            cafile = certifi.where()
+        except Exception:
+            for p in (
+                "/etc/ssl/cert.pem",
+                "/opt/homebrew/etc/openssl@3/cert.pem",
+                "/usr/local/etc/openssl@3/cert.pem",
+                "/etc/ssl/certs/ca-certificates.crt",
+                "/etc/pki/tls/certs/ca-bundle.crt",
+            ):
+                if os.path.exists(p):
+                    cafile = p
+                    break
+    try:
+        _SSL_CTX = ssl.create_default_context(cafile=cafile)
+    except Exception:
+        _SSL_CTX = ssl.create_default_context()
+    return _SSL_CTX
 def post_event(event: dict) -> bool:
     """POST the IngestEvent. Returns True on 2xx, False otherwise (fail-open)."""
     url = os.environ.get("OCTARIN_INGEST_URL")
@@ -491,7 +532,7 @@ def post_event(event: dict) -> bool:
     if api_key:
         req.add_header("Authorization", f"Bearer {api_key}")
     try:
-        with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_S) as resp:
+        with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_S, context=_ssl_context()) as resp:
             return 200 <= resp.status < 300
     except Exception:
         return False

package/assets/repo-template/dot-claude/octarin/hook.py CHANGED Viewed

@@ -42,6 +42,7 @@ import getpass
 import hashlib
 import json
 import os
+import ssl
 import subprocess
 import sys
 import time
@@ -547,6 +548,46 @@ def _notify_auth_required_once(project: str) -> None:
     )
+_SSL_CTX = None
+def _ssl_context():
+    """Cert-verifying TLS context resilient to empty trust stores (the macOS
+    python.org ``CERTIFICATE_VERIFY_FAILED`` issue). Resolves a CA bundle —
+    OCTARIN_CA_BUNDLE / SSL_CERT_FILE env, certifi if importable, known system
+    bundles, else the interpreter default — and reuses it."""
+    global _SSL_CTX
+    if _SSL_CTX is not None:
+        return _SSL_CTX
+    cafile = None
+    for env in ("OCTARIN_CA_BUNDLE", "SSL_CERT_FILE"):
+        p = os.environ.get(env)
+        if p and os.path.exists(p):
+            cafile = p
+            break
+    if cafile is None:
+        try:
+            import certifi
+            cafile = certifi.where()
+        except Exception:
+            for p in (
+                "/etc/ssl/cert.pem",
+                "/opt/homebrew/etc/openssl@3/cert.pem",
+                "/usr/local/etc/openssl@3/cert.pem",
+                "/etc/ssl/certs/ca-certificates.crt",
+                "/etc/pki/tls/certs/ca-bundle.crt",
+            ):
+                if os.path.exists(p):
+                    cafile = p
+                    break
+    try:
+        _SSL_CTX = ssl.create_default_context(cafile=cafile)
+    except Exception:
+        _SSL_CTX = ssl.create_default_context()
+    return _SSL_CTX
 def post_event(event: dict) -> bool:
     """POST the IngestEvent. Returns True on 2xx, False otherwise (fail-open).
@@ -585,7 +626,7 @@ def post_event(event: dict) -> bool:
     elif project:
         req.add_header("X-Octarin-Project", project)
     try:
-        with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_S) as resp:
+        with urllib.request.urlopen(req, timeout=HTTP_TIMEOUT_S, context=_ssl_context()) as resp:
             return HTTP_OK <= resp.status < HTTP_MULTIPLE_CHOICES
     except urllib.error.HTTPError as exc:
         # Strict-auth signal from the server: print the login.sh hint, once.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "octarin-cli",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "description": "Octarin's per-user CLI: install AI-coding capture (`octarin init` / `init-repo`) and authorize a machine (`octarin login`). Streams your Claude Code / Cursor / Codex usage to your Octarin workspace.",
   "keywords": [
     "octarin",