c6f932988a
* MAESTRO: fix ChromaDB core issues — Python pinning, Windows paths, disable toggle, metadata sanitization, transport errors - Add --python version pinning to uvx args in both local and remote mode (fixes #1196, #1206, #1208) - Convert backslash paths to forward slashes for --data-dir on Windows (fixes #1199) - Add CLAUDE_MEM_CHROMA_ENABLED setting for SQLite-only fallback mode (fixes #707) - Sanitize metadata in addDocuments() to filter null/undefined/empty values (fixes #1183, #1188) - Wrap callTool() in try/catch for transport errors with auto-reconnect (fixes #1162) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix data integrity — content-hash deduplication, project name collision, empty project guard, stuck isProcessing - Add SHA-256 content-hash deduplication to observations INSERT (store.ts, transactions.ts, SessionStore.ts) - Add content_hash column via migration 22 with backfill and index - Fix project name collision: getCurrentProjectName() now returns parent/basename - Guard against empty project string with cwd-derived fallback - Fix stuck isProcessing: hasAnyPendingWork() resets processing messages older than 5 minutes - Add 12 new tests covering all four fixes Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix hook lifecycle — stderr suppression, output isolation, conversation pollution prevention - Suppress process.stderr.write in hookCommand() to prevent Claude Code showing diagnostic output as error UI (#1181). Restores stderr in finally block for worker-continues case. - Convert console.error() to logger.warn()/error() in hook-command.ts and handlers/index.ts so all diagnostics route to log file instead of stderr. - Verified all 7 handlers return suppressOutput: true (prevents conversation pollution #598, #784). - Verified session-complete is a recognized event type (fixes #984). - Verified unknown event types return no-op handler with exit 0 (graceful degradation). - Added 10 new tests in tests/hook-lifecycle.test.ts covering event dispatch, adapter defaults, stderr suppression, and standard response constants. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix worker lifecycle — restart loop coordination, stale transport retry, ENOENT shutdown race - Add PID file mtime guard to prevent concurrent restart storms (#1145): isPidFileRecent() + touchPidFile() coordinate across sessions - Add transparent retry in ChromaMcpManager.callTool() on transport error — reconnects and retries once instead of failing (#1131) - Wrap getInstalledPluginVersion() with ENOENT/EBUSY handling (#1042) - Verified ChromaMcpManager.stop() already called on all shutdown paths Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix Windows platform support — uvx.cmd spawn, PowerShell $_ elimination, windowsHide, FTS5 fallback - Route uvx spawn through cmd.exe /c on Windows since MCP SDK lacks shell:true (#1190, #1192, #1199) - Replace all PowerShell Where-Object {$_} pipelines with WQL -Filter server-side filtering (#1024, #1062) - Add windowsHide: true to all exec/spawn calls missing it to prevent console popups (#1048) - Add FTS5 runtime probe with graceful fallback when unavailable on Windows (#791) - Guard FTS5 table creation in migrations, SessionSearch, and SessionStore with try/catch Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix skills/ distribution — build-time verification and regression tests (#1187) Add post-build verification in build-hooks.js that fails if critical distribution files (skills, hooks, plugin manifest) are missing. Add 10 regression tests covering skill file presence, YAML frontmatter, hooks.json integrity, and package.json files field. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix MigrationRunner schema initialization (#979) — version conflict between parallel migration systems Root cause: old DatabaseManager migrations 1-7 shared schema_versions table with MigrationRunner's 4-22, causing version number collisions (5=drop tables vs add column, 6=FTS5 vs prompt tracking, 7=discovery_tokens vs remove UNIQUE). initializeSchema() was gated behind maxApplied===0, so core tables were never created when old versions were present. Fixes: - initializeSchema() always creates core tables via CREATE TABLE IF NOT EXISTS - Migrations 5-7 check actual DB state (columns/constraints) not just version tracking - Crash-safe temp table rebuilds (DROP IF EXISTS _new before CREATE) - Added missing migration 21 (ON UPDATE CASCADE) to MigrationRunner - Added ON UPDATE CASCADE to FK definitions in initializeSchema() - All changes applied to both runner.ts and SessionStore.ts Tests: 13 new tests in migration-runner.test.ts covering fresh DB, idempotency, version conflicts, crash recovery, FK constraints, and data integrity. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix 21 test failures — stale mocks, outdated assertions, missing OpenClaw guards Server tests (12): Added missing workerPath and getAiStatus to ServerOptions mocks after interface expansion. ChromaSync tests (3): Updated to verify transport cleanup in ChromaMcpManager after architecture refactor. OpenClaw (2): Added memory_ tool skipping and response truncation to prevent recursive loops and oversized payloads. MarkdownFormatter (2): Updated assertions to match current output. SettingsDefaultsManager (1): Used correct default key for getBool test. Logger standards (1): Excluded CLI transcript command from background service check. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix Codex CLI compatibility (#744) — session_id fallbacks, unknown platform tolerance, undefined guard Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix Cursor IDE integration (#838, #1049) — adapter field fallbacks, tolerant session-init validation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix /api/logs OOM (#1203) — tail-read replaces full-file readFileSync Replace readFileSync (loads entire file into memory) with readLastLines() that reads only from the end of the file in expanding chunks (64KB → 10MB cap). Prevents OOM on large log files while preserving the same API response shape. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix Settings CORS error (#1029) — explicit methods and allowedHeaders in CORS config Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: add session custom_title for agent attribution (#1213) — migration 23, endpoint + store support Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: prevent CLAUDE.md/AGENTS.md writes inside .git/ directories (#1165) Add .git path guard to all 4 write sites to prevent ref corruption when paths resolve inside .git internals. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix plugin disabled state not respected (#781) — early exit check in all hook entry points Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix UserPromptSubmit context re-injection on every turn (#1079) — contextInjected session flag Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * MAESTRO: fix stale AbortController queue stall (#1099) — lastGeneratorActivity tracking + 30s timeout Three-layer fix: 1. Added lastGeneratorActivity timestamp to ActiveSession, updated by processAgentResponse (all agents), getMessageIterator (queue yields), and startGeneratorWithProvider (generator launch) 2. Added stale generator detection in ensureGeneratorRunning — if no activity for >30s, aborts stale controller, resets state, restarts 3. Added AbortSignal.timeout(30000) in deleteSession to prevent indefinite hang when awaiting a stuck generator promise Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
457 lines
16 KiB
TypeScript
457 lines
16 KiB
TypeScript
/**
|
|
* ChromaMcpManager - Singleton managing a persistent MCP connection to chroma-mcp via uvx
|
|
*
|
|
* Replaces ChromaServerManager (which spawned `npx chroma run`) with a stdio-based
|
|
* MCP client that communicates with chroma-mcp as a subprocess. The chroma-mcp server
|
|
* handles its own embedding and persistent storage, eliminating the need for a separate
|
|
* HTTP server, chromadb npm package, and ONNX/WASM embedding dependencies.
|
|
*
|
|
* Lifecycle: lazy-connects on first callTool() use, maintains a single persistent
|
|
* connection per worker lifetime, and auto-reconnects if the subprocess dies.
|
|
*
|
|
* Cross-platform: Linux, macOS, Windows
|
|
*/
|
|
|
|
import { Client } from '@modelcontextprotocol/sdk/client/index.js';
|
|
import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
|
|
import { execSync } from 'child_process';
|
|
import path from 'path';
|
|
import os from 'os';
|
|
import fs from 'fs';
|
|
import { logger } from '../../utils/logger.js';
|
|
import { SettingsDefaultsManager } from '../../shared/SettingsDefaultsManager.js';
|
|
import { USER_SETTINGS_PATH } from '../../shared/paths.js';
|
|
|
|
const CHROMA_MCP_CLIENT_NAME = 'claude-mem-chroma';
|
|
const CHROMA_MCP_CLIENT_VERSION = '1.0.0';
|
|
const MCP_CONNECTION_TIMEOUT_MS = 30_000;
|
|
const RECONNECT_BACKOFF_MS = 10_000; // Don't retry connections faster than this after failure
|
|
const DEFAULT_CHROMA_DATA_DIR = path.join(os.homedir(), '.claude-mem', 'chroma');
|
|
|
|
export class ChromaMcpManager {
|
|
private static instance: ChromaMcpManager | null = null;
|
|
private client: Client | null = null;
|
|
private transport: StdioClientTransport | null = null;
|
|
private connected: boolean = false;
|
|
private lastConnectionFailureTimestamp: number = 0;
|
|
private connecting: Promise<void> | null = null;
|
|
|
|
private constructor() {}
|
|
|
|
/**
|
|
* Get or create the singleton instance
|
|
*/
|
|
static getInstance(): ChromaMcpManager {
|
|
if (!ChromaMcpManager.instance) {
|
|
ChromaMcpManager.instance = new ChromaMcpManager();
|
|
}
|
|
return ChromaMcpManager.instance;
|
|
}
|
|
|
|
/**
|
|
* Ensure the MCP client is connected to chroma-mcp.
|
|
* Uses a connection lock to prevent concurrent connection attempts.
|
|
* If the subprocess has died since the last use, reconnects transparently.
|
|
*/
|
|
private async ensureConnected(): Promise<void> {
|
|
if (this.connected && this.client) {
|
|
return;
|
|
}
|
|
|
|
// Backoff: don't retry connections too fast after a failure
|
|
const timeSinceLastFailure = Date.now() - this.lastConnectionFailureTimestamp;
|
|
if (this.lastConnectionFailureTimestamp > 0 && timeSinceLastFailure < RECONNECT_BACKOFF_MS) {
|
|
throw new Error(`chroma-mcp connection in backoff (${Math.ceil((RECONNECT_BACKOFF_MS - timeSinceLastFailure) / 1000)}s remaining)`);
|
|
}
|
|
|
|
// If another caller is already connecting, wait for that attempt
|
|
if (this.connecting) {
|
|
await this.connecting;
|
|
return;
|
|
}
|
|
|
|
this.connecting = this.connectInternal();
|
|
try {
|
|
await this.connecting;
|
|
} catch (error) {
|
|
this.lastConnectionFailureTimestamp = Date.now();
|
|
throw error;
|
|
} finally {
|
|
this.connecting = null;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Internal connection logic - spawns uvx chroma-mcp and performs MCP handshake.
|
|
* Called behind the connection lock to ensure only one connection attempt at a time.
|
|
*/
|
|
private async connectInternal(): Promise<void> {
|
|
// Clean up any stale client/transport from a dead subprocess.
|
|
// Close transport first (kills subprocess via SIGTERM) before client
|
|
// to avoid hanging on a stuck process.
|
|
if (this.transport) {
|
|
try { await this.transport.close(); } catch { /* already dead */ }
|
|
}
|
|
if (this.client) {
|
|
try { await this.client.close(); } catch { /* already dead */ }
|
|
}
|
|
this.client = null;
|
|
this.transport = null;
|
|
this.connected = false;
|
|
|
|
const commandArgs = this.buildCommandArgs();
|
|
const spawnEnvironment = this.getSpawnEnv();
|
|
|
|
// On Windows, .cmd files require shell resolution. Since MCP SDK's
|
|
// StdioClientTransport doesn't support `shell: true`, route through
|
|
// cmd.exe which resolves .cmd/.bat extensions and PATH automatically.
|
|
// This also fixes Git Bash compatibility (#1062) since cmd.exe handles
|
|
// Windows-native command resolution regardless of the calling shell.
|
|
const isWindows = process.platform === 'win32';
|
|
const uvxSpawnCommand = isWindows ? (process.env.ComSpec || 'cmd.exe') : 'uvx';
|
|
const uvxSpawnArgs = isWindows ? ['/c', 'uvx', ...commandArgs] : commandArgs;
|
|
|
|
logger.info('CHROMA_MCP', 'Connecting to chroma-mcp via MCP stdio', {
|
|
command: uvxSpawnCommand,
|
|
args: uvxSpawnArgs.join(' ')
|
|
});
|
|
|
|
this.transport = new StdioClientTransport({
|
|
command: uvxSpawnCommand,
|
|
args: uvxSpawnArgs,
|
|
env: spawnEnvironment,
|
|
stderr: 'pipe'
|
|
});
|
|
|
|
this.client = new Client(
|
|
{ name: CHROMA_MCP_CLIENT_NAME, version: CHROMA_MCP_CLIENT_VERSION },
|
|
{ capabilities: {} }
|
|
);
|
|
|
|
const mcpConnectionPromise = this.client.connect(this.transport);
|
|
let timeoutId: ReturnType<typeof setTimeout>;
|
|
const timeoutPromise = new Promise<never>((_, reject) => {
|
|
timeoutId = setTimeout(
|
|
() => reject(new Error(`MCP connection to chroma-mcp timed out after ${MCP_CONNECTION_TIMEOUT_MS}ms`)),
|
|
MCP_CONNECTION_TIMEOUT_MS
|
|
);
|
|
});
|
|
|
|
try {
|
|
await Promise.race([mcpConnectionPromise, timeoutPromise]);
|
|
} catch (connectionError) {
|
|
// Connection failed or timed out - kill the subprocess to prevent zombies
|
|
clearTimeout(timeoutId!);
|
|
logger.warn('CHROMA_MCP', 'Connection failed, killing subprocess to prevent zombie', {
|
|
error: connectionError instanceof Error ? connectionError.message : String(connectionError)
|
|
});
|
|
try { await this.transport.close(); } catch { /* best effort */ }
|
|
try { await this.client.close(); } catch { /* best effort */ }
|
|
this.client = null;
|
|
this.transport = null;
|
|
this.connected = false;
|
|
throw connectionError;
|
|
}
|
|
clearTimeout(timeoutId!);
|
|
|
|
this.connected = true;
|
|
|
|
logger.info('CHROMA_MCP', 'Connected to chroma-mcp successfully');
|
|
|
|
// Listen for transport close to mark connection as dead and apply backoff.
|
|
// CRITICAL: Guard with reference check to prevent stale onclose handlers from
|
|
// previous transports overwriting the current connection (race condition).
|
|
const currentTransport = this.transport;
|
|
this.transport.onclose = () => {
|
|
if (this.transport !== currentTransport) {
|
|
logger.debug('CHROMA_MCP', 'Ignoring stale onclose from previous transport');
|
|
return;
|
|
}
|
|
logger.warn('CHROMA_MCP', 'chroma-mcp subprocess closed unexpectedly, applying reconnect backoff');
|
|
this.connected = false;
|
|
this.client = null;
|
|
this.transport = null;
|
|
this.lastConnectionFailureTimestamp = Date.now();
|
|
};
|
|
}
|
|
|
|
/**
|
|
* Build the uvx command arguments based on current settings.
|
|
* In local mode: uses persistent client with local data directory.
|
|
* In remote mode: uses http client with configured host/port/auth.
|
|
*/
|
|
private buildCommandArgs(): string[] {
|
|
const settings = SettingsDefaultsManager.loadFromFile(USER_SETTINGS_PATH);
|
|
const chromaMode = settings.CLAUDE_MEM_CHROMA_MODE || 'local';
|
|
const pythonVersion = process.env.CLAUDE_MEM_PYTHON_VERSION || settings.CLAUDE_MEM_PYTHON_VERSION || '3.13';
|
|
|
|
if (chromaMode === 'remote') {
|
|
const chromaHost = settings.CLAUDE_MEM_CHROMA_HOST || '127.0.0.1';
|
|
const chromaPort = settings.CLAUDE_MEM_CHROMA_PORT || '8000';
|
|
const chromaSsl = settings.CLAUDE_MEM_CHROMA_SSL === 'true';
|
|
const chromaTenant = settings.CLAUDE_MEM_CHROMA_TENANT || 'default_tenant';
|
|
const chromaDatabase = settings.CLAUDE_MEM_CHROMA_DATABASE || 'default_database';
|
|
const chromaApiKey = settings.CLAUDE_MEM_CHROMA_API_KEY || '';
|
|
|
|
const args = [
|
|
'--python', pythonVersion,
|
|
'chroma-mcp',
|
|
'--client-type', 'http',
|
|
'--host', chromaHost,
|
|
'--port', chromaPort
|
|
];
|
|
|
|
if (chromaSsl) {
|
|
args.push('--ssl');
|
|
}
|
|
|
|
if (chromaTenant !== 'default_tenant') {
|
|
args.push('--tenant', chromaTenant);
|
|
}
|
|
|
|
if (chromaDatabase !== 'default_database') {
|
|
args.push('--database', chromaDatabase);
|
|
}
|
|
|
|
if (chromaApiKey) {
|
|
args.push('--api-key', chromaApiKey);
|
|
}
|
|
|
|
return args;
|
|
}
|
|
|
|
// Local mode: persistent client with data directory
|
|
return [
|
|
'--python', pythonVersion,
|
|
'chroma-mcp',
|
|
'--client-type', 'persistent',
|
|
'--data-dir', DEFAULT_CHROMA_DATA_DIR.replace(/\\/g, '/')
|
|
];
|
|
}
|
|
|
|
/**
|
|
* Call a chroma-mcp tool by name with the given arguments.
|
|
* Lazily connects on first call. Reconnects if the subprocess has died.
|
|
*
|
|
* @param toolName - The chroma-mcp tool name (e.g. 'chroma_query_documents')
|
|
* @param toolArguments - The tool arguments as a plain object
|
|
* @returns The parsed JSON result from the tool's text output
|
|
*/
|
|
async callTool(toolName: string, toolArguments: Record<string, unknown>): Promise<unknown> {
|
|
await this.ensureConnected();
|
|
|
|
logger.debug('CHROMA_MCP', `Calling tool: ${toolName}`, {
|
|
arguments: JSON.stringify(toolArguments).slice(0, 200)
|
|
});
|
|
|
|
let result;
|
|
try {
|
|
result = await this.client!.callTool({
|
|
name: toolName,
|
|
arguments: toolArguments
|
|
});
|
|
} catch (transportError) {
|
|
// Transport error: chroma-mcp subprocess likely died (e.g., killed by orphan reaper,
|
|
// HNSW index corruption). Mark connection dead and retry once after reconnect (#1131).
|
|
// Without this retry, callers see a one-shot error even though reconnect would succeed.
|
|
this.connected = false;
|
|
this.client = null;
|
|
this.transport = null;
|
|
|
|
logger.warn('CHROMA_MCP', `Transport error during "${toolName}", reconnecting and retrying once`, {
|
|
error: transportError instanceof Error ? transportError.message : String(transportError)
|
|
});
|
|
|
|
try {
|
|
await this.ensureConnected();
|
|
result = await this.client!.callTool({
|
|
name: toolName,
|
|
arguments: toolArguments
|
|
});
|
|
} catch (retryError) {
|
|
this.connected = false;
|
|
throw new Error(`chroma-mcp transport error during "${toolName}" (retry failed): ${retryError instanceof Error ? retryError.message : String(retryError)}`);
|
|
}
|
|
}
|
|
|
|
// MCP tools signal errors via isError flag on the CallToolResult
|
|
if (result.isError) {
|
|
const errorText = (result.content as Array<{ type: string; text?: string }>)
|
|
?.find(item => item.type === 'text')?.text || 'Unknown chroma-mcp error';
|
|
throw new Error(`chroma-mcp tool "${toolName}" returned error: ${errorText}`);
|
|
}
|
|
|
|
// Extract text from MCP CallToolResult: { content: Array<{ type, text? }> }
|
|
const contentArray = result.content as Array<{ type: string; text?: string }>;
|
|
if (!contentArray || contentArray.length === 0) {
|
|
return null;
|
|
}
|
|
|
|
const firstTextContent = contentArray.find(item => item.type === 'text' && item.text);
|
|
if (!firstTextContent || !firstTextContent.text) {
|
|
return null;
|
|
}
|
|
|
|
// chroma-mcp returns JSON for query/get results, but plain text for
|
|
// mutating operations (e.g. "Successfully created collection ...").
|
|
// Try JSON parse first; if it fails, return the raw text for non-error responses.
|
|
try {
|
|
return JSON.parse(firstTextContent.text);
|
|
} catch {
|
|
// Plain text response (e.g. "Successfully created collection cm__foo")
|
|
// Return null for void-like success messages, callers don't need the text
|
|
return null;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Check if the MCP connection is alive by calling chroma_list_collections.
|
|
* Returns true if the connection is healthy, false otherwise.
|
|
*/
|
|
async isHealthy(): Promise<boolean> {
|
|
try {
|
|
await this.callTool('chroma_list_collections', { limit: 1 });
|
|
return true;
|
|
} catch {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Gracefully stop the MCP connection and kill the chroma-mcp subprocess.
|
|
* client.close() sends stdin close -> SIGTERM -> SIGKILL to the subprocess.
|
|
*/
|
|
async stop(): Promise<void> {
|
|
if (!this.client) {
|
|
logger.debug('CHROMA_MCP', 'No active MCP connection to stop');
|
|
return;
|
|
}
|
|
|
|
logger.info('CHROMA_MCP', 'Stopping chroma-mcp MCP connection');
|
|
|
|
try {
|
|
await this.client.close();
|
|
} catch (error) {
|
|
logger.debug('CHROMA_MCP', 'Error during client close (subprocess may already be dead)', {}, error as Error);
|
|
}
|
|
|
|
this.client = null;
|
|
this.transport = null;
|
|
this.connected = false;
|
|
this.connecting = null;
|
|
|
|
logger.info('CHROMA_MCP', 'chroma-mcp MCP connection stopped');
|
|
}
|
|
|
|
/**
|
|
* Reset the singleton instance (for testing).
|
|
* Awaits stop() to prevent dual subprocesses.
|
|
*/
|
|
static async reset(): Promise<void> {
|
|
if (ChromaMcpManager.instance) {
|
|
await ChromaMcpManager.instance.stop();
|
|
}
|
|
ChromaMcpManager.instance = null;
|
|
}
|
|
|
|
/**
|
|
* Get or create a combined SSL certificate bundle for Zscaler/corporate proxy environments.
|
|
* On macOS, combines the Python certifi CA bundle with any Zscaler certificates from
|
|
* the system keychain. Caches the result for 24 hours at ~/.claude-mem/combined_certs.pem.
|
|
*
|
|
* Returns the path to the combined cert file, or undefined if not needed/available.
|
|
*/
|
|
private getCombinedCertPath(): string | undefined {
|
|
const combinedCertPath = path.join(os.homedir(), '.claude-mem', 'combined_certs.pem');
|
|
|
|
if (fs.existsSync(combinedCertPath)) {
|
|
const stats = fs.statSync(combinedCertPath);
|
|
const ageMs = Date.now() - stats.mtimeMs;
|
|
if (ageMs < 24 * 60 * 60 * 1000) {
|
|
return combinedCertPath;
|
|
}
|
|
}
|
|
|
|
if (process.platform !== 'darwin') {
|
|
return undefined;
|
|
}
|
|
|
|
try {
|
|
let certifiPath: string | undefined;
|
|
try {
|
|
certifiPath = execSync(
|
|
'uvx --with certifi python -c "import certifi; print(certifi.where())"',
|
|
{ encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'], timeout: 10000 }
|
|
).trim();
|
|
} catch {
|
|
return undefined;
|
|
}
|
|
|
|
if (!certifiPath || !fs.existsSync(certifiPath)) {
|
|
return undefined;
|
|
}
|
|
|
|
let zscalerCert = '';
|
|
try {
|
|
zscalerCert = execSync(
|
|
'security find-certificate -a -c "Zscaler" -p /Library/Keychains/System.keychain',
|
|
{ encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'], timeout: 5000 }
|
|
);
|
|
} catch {
|
|
return undefined;
|
|
}
|
|
|
|
if (!zscalerCert ||
|
|
!zscalerCert.includes('-----BEGIN CERTIFICATE-----') ||
|
|
!zscalerCert.includes('-----END CERTIFICATE-----')) {
|
|
return undefined;
|
|
}
|
|
|
|
const certifiContent = fs.readFileSync(certifiPath, 'utf8');
|
|
const tempPath = combinedCertPath + '.tmp';
|
|
fs.writeFileSync(tempPath, certifiContent + '\n' + zscalerCert);
|
|
fs.renameSync(tempPath, combinedCertPath);
|
|
|
|
logger.info('CHROMA_MCP', 'Created combined SSL certificate bundle for Zscaler', {
|
|
path: combinedCertPath
|
|
});
|
|
|
|
return combinedCertPath;
|
|
} catch (error) {
|
|
logger.debug('CHROMA_MCP', 'Could not create combined cert bundle', {}, error as Error);
|
|
return undefined;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Build subprocess environment with SSL certificate overrides for enterprise proxy compatibility.
|
|
* If a combined cert bundle exists (Zscaler), injects SSL_CERT_FILE, REQUESTS_CA_BUNDLE, etc.
|
|
* Otherwise returns a plain string-keyed copy of process.env.
|
|
*/
|
|
private getSpawnEnv(): Record<string, string> {
|
|
const baseEnv: Record<string, string> = {};
|
|
for (const [key, value] of Object.entries(process.env)) {
|
|
if (value !== undefined) {
|
|
baseEnv[key] = value;
|
|
}
|
|
}
|
|
|
|
const combinedCertPath = this.getCombinedCertPath();
|
|
if (!combinedCertPath) {
|
|
return baseEnv;
|
|
}
|
|
|
|
logger.info('CHROMA_MCP', 'Using combined SSL certificates for enterprise compatibility', {
|
|
certPath: combinedCertPath
|
|
});
|
|
|
|
return {
|
|
...baseEnv,
|
|
SSL_CERT_FILE: combinedCertPath,
|
|
REQUESTS_CA_BUNDLE: combinedCertPath,
|
|
CURL_CA_BUNDLE: combinedCertPath,
|
|
NODE_EXTRA_CA_CERTS: combinedCertPath
|
|
};
|
|
}
|
|
}
|