fix(transport): use mkcert root CA for localhost TLS verification

Drop the self-signed localhost.crt approach — the server cert is signed by the mkcert CA, not self-signed, so loading it as cafile doesn't work.

_httpx_verify now calls `mkcert -CAROOT` to locate rootCA.pem, with fallbacks to the well-known macOS and Linux paths. This fixes muse pull from freshly init'd repos and from any subprocess that doesn't inherit a pre-configured SSL context.

sha256:a122df6fb14ea15df98d1d777de416c9f579fa973cd8d817c2d62827b8f74af4 sha

sha256:5225b803760927257bacd2c81ba5eeae7db8fcdfebbf07d07545264e25fcf25f parent

sha256:964c356425821effe6e3f723e30d19eac14d342b47cb2d4e577aab59f39ac58d snapshot

← Older Oldest on task/mkcert-tls-strategy

All commits

Newer → Latest on task/mkcert-tls-strategy

0 comments

No comments yet. Be the first to start the discussion.

To add a comment, use the Muse CLI: muse hub commit comment sha256:a122df6fb14ea15df98d1d777de416c9f579fa973cd8d817c2d62827b8f74af4 --body "your comment"

Provenance signed

AI Agent

claude-sonnet-4-6

Agent claude-code

Signature Cryptographically verified

Snapshot

ID sha256:964c356425821effe6e3f723e30d19eac14d342b47cb2d4e577aab59f39ac58d

Files 0

Browse tree at this commit →

Commit

SHA sha256:a122df6fb14ea15df98d1d777de416c9f579fa973cd8d817c2d62827b8f74af4

Parent

sha256:5225b803760927257bacd2c81ba5eeae7db8fcdfebbf07d07545264e25fcf25f

Branch task/mkcert-tls-strategy