diff --git a/claude_bottle/backend/docker/compose.py b/claude_bottle/backend/docker/compose.py
index e09614c..0a9edbc 100644
--- a/claude_bottle/backend/docker/compose.py
+++ b/claude_bottle/backend/docker/compose.py
@@ -59,6 +59,7 @@ from ...supervise import (
 SUPERVISE_PORT,
 )
 from ...util import expand_tilde
+from ..util import AGENT_CA_BUNDLE, AGENT_CA_PATH
 from .bottle_plan import DockerBottlePlan
 from .egress import (
 EGRESS_CA_IN_CONTAINER,
@@ -75,7 +76,6 @@ from .pipelock import (
 PIPELOCK_CA_KEY_IN_CONTAINER,
 PIPELOCK_PORT,
 )
-from .provision.ca import AGENT_CA_BUNDLE, AGENT_CA_PATH
 from .sidecar_bundle import (
 SIDECAR_BUNDLE_DOCKERFILE,
 SIDECAR_BUNDLE_IMAGE,
diff --git a/claude_bottle/backend/docker/provision/ca.py b/claude_bottle/backend/docker/provision/ca.py
index baeec25..7b95408 100644
--- a/claude_bottle/backend/docker/provision/ca.py
+++ b/claude_bottle/backend/docker/provision/ca.py
@@ -33,17 +33,10 @@ from __future__ import annotations
 import subprocess
-from ...util import log_ca_fingerprint, select_ca_cert
+from ...util import AGENT_CA_PATH, log_ca_fingerprint, select_ca_cert
 from ..bottle_plan import DockerBottlePlan
-# Debian-family path for sources that `update-ca-certificates` reads.
-# Bundle path is what the command rebuilds and what every standard
-# TLS consumer in the image reads.
-AGENT_CA_PATH = "/usr/local/share/ca-certificates/claude-bottle-mitm-ca.crt"
-AGENT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
-
-
 def provision_ca(plan: DockerBottlePlan, target: str) -> None:
 """Copy the agent-facing CA cert into the agent, rebuild the trust bundle, emit a one-line fingerprint log. Called from
diff --git a/claude_bottle/backend/smolmachines/provision/ca.py b/claude_bottle/backend/smolmachines/provision/ca.py
index 4464f60..e9f8b84 100644
--- a/claude_bottle/backend/smolmachines/provision/ca.py
+++ b/claude_bottle/backend/smolmachines/provision/ca.py
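Review bot: In claude_bottle/backend/docker/provision/ca.py the rewritten import brings in only `AGENT_CA_PATH`, so `AGENT_CA_BUNDLE` stops being a name in this module once the two definitions are removed. compose.py and the smolmachines provisioner are repointed in this commit, but any other importer (tests, for instance) that still reads `AGENT_CA_BUNDLE` from here would fail at import, and `provision_ca` continues outside the hunk, so a reference to the bundle path in its body cannot be ruled out from what is shown. Because this module installs the trust anchor for the agent, I would keep its surface aligned with the smolmachines twin: `from ...util import AGENT_CA_BUNDLE, AGENT_CA_PATH, log_ca_fingerprint, select_ca_cert` plus `__all__ = ["AGENT_CA_BUNDLE", "AGENT_CA_PATH", "provision_ca"]`.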
@@ -16,8 +16,12 @@ flag exists; the VM init is root), so we don't need the explicit
 from __future__ import annotations
 from ....log import die
-from ...docker.provision.ca import AGENT_CA_BUNDLE, AGENT_CA_PATH
-from ...util import log_ca_fingerprint, select_ca_cert
+from ...util import (
+ AGENT_CA_BUNDLE,
+ AGENT_CA_PATH,
+ log_ca_fingerprint,
+ select_ca_cert,
+)
 from .. import smolvm as _smolvm
 from ..bottle_plan import SmolmachinesBottlePlan
@@ -63,7 +67,6 @@ def provision_ca(plan: SmolmachinesBottlePlan, target: str) -> None:
 # Re-exported for the launch/provision_ca caller + tests. The path
-# constants come from the docker module because they're tied to
-# Debian's `update-ca-certificates` layout — same in both backends
-# since both guest images are Debian-family.
+# constants live in the shared `backend.util` (Debian's
+# `update-ca-certificates` layout is the same in both backends).
 __all__ = ["AGENT_CA_BUNDLE", "AGENT_CA_PATH", "provision_ca"]
diff --git a/claude_bottle/backend/util.py b/claude_bottle/backend/util.py
index f88025d..f8dbbad 100644
--- a/claude_bottle/backend/util.py
+++ b/claude_bottle/backend/util.py
@@ -17,6 +17,15 @@ if TYPE_CHECKING:
 from ..pipelock import PipelockProxyPlan
+# Debian-family CA layout, shared by every backend (all guest images
+# are Debian-family). AGENT_CA_PATH is the source path that
+# `update-ca-certificates` reads; AGENT_CA_BUNDLE is the bundle it
+# rebuilds, which curl, Python `ssl`, and OpenSSL-based tools all read
+# by default.
+AGENT_CA_PATH = "/usr/local/share/ca-certificates/claude-bottle-mitm-ca.crt"
+AGENT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
+
+
 def host_skill_dir(name: str) -> str:
 """Return the host-side path for a named skill: `$HOME/.claude/skills/`. Dies if HOME is unset."""
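Review bot: The comment added above `AGENT_CA_PATH` and `AGENT_CA_BUNDLE` in claude_bottle/backend/util.py names the consumers that read the rebuilt bundle by default but says nothing about those that do not. Runtimes that ship their own trust store (Node.js, certifi-based Python clients, the JVM) ignore `/etc/ssl/certs/ca-certificates.crt` unless configured, so inside the agent they would reject the intercepting proxy's certificates rather than trust them, a fail-closed outcome but one that is hard to diagnose. I would add one line, e.g. `# Runtimes with a bundled trust store (Node.js, certifi, JVM) do not read the bundle by default and need it passed explicitly.` Whether compose.py already does that with `AGENT_CA_BUNDLE` is not visible in this diff.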