( baseUrl: string, systemCaPath: string, outPath: string, )
| 252 | } |
| 253 | |
| 254 | async function downloadCaBundle( |
| 255 | baseUrl: string, |
| 256 | systemCaPath: string, |
| 257 | outPath: string, |
| 258 | ): Promise<boolean> { |
| 259 | try { |
| 260 | // eslint-disable-next-line eslint-plugin-n/no-unsupported-features/node-builtins |
| 261 | const resp = await fetch(`${baseUrl}/v1/code/upstreamproxy/ca-cert`, { |
| 262 | // Bun has no default fetch timeout — a hung endpoint would block CLI |
| 263 | // startup forever. 5s is generous for a small PEM. |
| 264 | signal: AbortSignal.timeout(5000), |
| 265 | }) |
| 266 | if (!resp.ok) { |
| 267 | logForDebugging( |
| 268 | `[upstreamproxy] ca-cert fetch ${resp.status}; proxy disabled`, |
| 269 | { level: 'warn' }, |
| 270 | ) |
| 271 | return false |
| 272 | } |
| 273 | const ccrCa = await resp.text() |
| 274 | const systemCa = await readFile(systemCaPath, 'utf8').catch(() => '') |
| 275 | await mkdir(join(outPath, '..'), { recursive: true }) |
| 276 | await writeFile(outPath, systemCa + '\n' + ccrCa, 'utf8') |
| 277 | return true |
| 278 | } catch (err) { |
| 279 | logForDebugging( |
| 280 | `[upstreamproxy] ca-cert download failed: ${err instanceof Error ? err.message : String(err)}; proxy disabled`, |
| 281 | { level: 'warn' }, |
| 282 | ) |
| 283 | return false |
| 284 | } |
| 285 | } |
| 286 |
no test coverage detected