From d294e0295b9d7e32a96a8440c2036657244d9927 Mon Sep 17 00:00:00 2001 From: busya Date: Fri, 29 May 2026 11:10:11 +0300 Subject: [PATCH] =?UTF-8?q?fix:=20QA=20findings=20=E2=80=94=20GRACE=20cont?= =?UTF-8?q?racts=20for=20=5Fget=5Fverify,=20fix=20=5Fllm=5Fhttp.py=20struc?= =?UTF-8?q?ture?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Added #region/#endregion contracts with @RATIONALE/@REJECTED to _get_verify() in both translate plugins (P1 HIGH, P2 MEDIUM) - Removed orphaned duplicates #endregion in _llm_http.py (P1 HIGH, P6 HIGH) --- backend/src/plugins/translate/_llm_http.py | 20 +++++++++---------- .../plugins/translate/preview_llm_client.py | 17 +++++++++------- 2 files changed, 20 insertions(+), 17 deletions(-) diff --git a/backend/src/plugins/translate/_llm_http.py b/backend/src/plugins/translate/_llm_http.py index 77b683ea..f602172e 100644 --- a/backend/src/plugins/translate/_llm_http.py +++ b/backend/src/plugins/translate/_llm_http.py @@ -18,18 +18,21 @@ from typing import Any from ...core.logger import logger +# #region _get_verify [C:1] [TYPE Function] [SEMANTICS translate, ssl, verify] +# @BRIEF Resolve SSL verification path from LLM_SSL_VERIFY env var. +# @RATIONALE Используем capath=/etc/ssl/certs/ вместо cafile, потому что +# OpenSSL 3.x не использует intermediate CA сертификаты из cafile для +# построения цепочки (verify code 20). capath с хеш-симлинками работает +# корректно (verify code 0). +# @REJECTED cafile отвергнут — OpenSSL 3.x не использует intermediate CA +# из единого bundle-файла. Только capath с хеш-симлинками даёт code 0. +# @POST Returns path to /etc/ssl/certs/ when enabled, False when disabled. def _get_verify() -> str | bool: - """Resolve SSL verify from LLM_SSL_VERIFY env var. - - Returns: - - Path to system CA directory when verification enabled - (uses capath, not cafile — OpenSSL 3.x ignores intermediates in cafile) - - False when LLM_SSL_VERIFY is set to false/0/no/off - """ raw = os.getenv("LLM_SSL_VERIFY", "true").strip().lower() if raw in ("false", "0", "no", "off"): return False return "/etc/ssl/certs/" +# #endregion _get_verify # #region call_openai_compatible [C:3] [TYPE Function] [SEMANTICS translate, llm, http, openai] @@ -200,7 +203,4 @@ def _handle_response_format_fallback( response.encoding = new_response.encoding response.headers = new_response.headers # #endregion _handle_response_format_fallback -# #endregion LLMHttpClient - response.headers = new_response.headers -# #endregion _handle_response_format_fallback # #endregion LLMHttpClient diff --git a/backend/src/plugins/translate/preview_llm_client.py b/backend/src/plugins/translate/preview_llm_client.py index d4aa58ae..9a145149 100644 --- a/backend/src/plugins/translate/preview_llm_client.py +++ b/backend/src/plugins/translate/preview_llm_client.py @@ -10,18 +10,21 @@ from typing import Any from ...core.logger import logger +# #region _get_verify [C:1] [TYPE Function] [SEMANTICS translate, ssl, verify] +# @BRIEF Resolve SSL verification path from LLM_SSL_VERIFY env var. +# @RATIONALE Используем capath=/etc/ssl/certs/ вместо cafile, потому что +# OpenSSL 3.x не использует intermediate CA сертификаты из cafile для +# построения цепочки (verify code 20). capath с хеш-симлинками работает +# корректно (verify code 0). +# @REJECTED cafile отвергнут — OpenSSL 3.x не использует intermediate CA +# из единого bundle-файла. Только capath с хеш-симлинками даёт code 0. +# @POST Returns path to /etc/ssl/certs/ when enabled, False when disabled. def _get_verify() -> str | bool: - """Resolve SSL verify from LLM_SSL_VERIFY env var. - - Returns: - - Path to system CA directory when verification enabled - (uses capath, not cafile — OpenSSL 3.x ignores intermediates in cafile) - - False when LLM_SSL_VERIFY is set to false/0/no/off - """ raw = os.getenv("LLM_SSL_VERIFY", "true").strip().lower() if raw in ("false", "0", "no", "off"): return False return "/etc/ssl/certs/" +# #endregion _get_verify class LLMClient: