Some adaptations"

packages/safe-chain/src/packagemanager/pip/runPipCommand.js

@@ -3,10 +3,6 @@ import { safeSpawn } from "../../utils/safeSpawn.js";
 import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
 import { installSafeChainCA } from "../../registryProxy/certUtils.js";
 
-function shouldMockCAInstall() {
-  return process.env.SAFE_CHAIN_TEST_SKIP_CA_INSTALL === "1";
-}
-
 /**
  * @param {string} command
  * @param {string[]} args
@@ -15,10 +11,9 @@ function shouldMockCAInstall() {
  */
 export async function runPip(command, args) {
   try {
-    // Install Safe Chain CA in OS trust store before running pip, unless in test mode
-    if (!shouldMockCAInstall()) {
-      await installSafeChainCA();
-    }
+    // Install Safe Chain CA in OS trust store before running pip
+    // Py 3.14 requires that certs are properly installed in the OS trust store
+    await installSafeChainCA();
     const env = mergeSafeChainProxyEnvironmentVariables(process.env);
     const result = await safeSpawn(command, args, {
       stdio: "inherit",

packages/safe-chain/src/packagemanager/pip/runPipCommand.spec.js

@@ -36,67 +36,10 @@ describe("runPipCommand environment variable handling", () => {
     mock.reset();
   });
 
-  it("should set REQUESTS_CA_BUNDLE and SSL_CERT_FILE for default PyPI (no explicit index)", async () => {
-    const res = await runPip("pip3", ["install", "requests"]);
-    assert.strictEqual(res.status, 0);
-
-    assert.ok(capturedArgs, "safeSpawn should have been called");
-    
-    // Check environment variables are set
-    assert.strictEqual(
-      capturedArgs.options.env.REQUESTS_CA_BUNDLE,
-      "/tmp/test-combined-ca.pem",
-      "REQUESTS_CA_BUNDLE should be set to combined bundle path"
-    );
-    assert.strictEqual(
-      capturedArgs.options.env.SSL_CERT_FILE,
-      "/tmp/test-combined-ca.pem",
-      "SSL_CERT_FILE should be set to combined bundle path"
-    );
-    
-    // Args should be unchanged (no arg injection)
-    assert.deepStrictEqual(capturedArgs.args, ["install", "requests"]);
-  });
-
-  it("should set CA environment variables even for external/test PyPI mirror (covers non-CLI traffic)", async () => {
-    const res = await runPip("pip3", [
-      "install",
-      "certifi",
-      "--index-url",
-      "https://test.pypi.org/simple",
-    ]);
-    assert.strictEqual(res.status, 0);
-    // Env vars should be set unconditionally
-    assert.strictEqual(
-      capturedArgs.options.env.REQUESTS_CA_BUNDLE,
-      "/tmp/test-combined-ca.pem"
-    );
-    assert.strictEqual(
-      capturedArgs.options.env.SSL_CERT_FILE,
-      "/tmp/test-combined-ca.pem"
-    );
-  });
-
-  it("should still set CA env vars for PyPI even with user --cert flag", async () => {
-    // For default PyPI, we still set env vars; pip CLI --cert takes precedence
-    const res = await runPip("pip3", ["install", "requests"]);
-    assert.strictEqual(res.status, 0);
-    
-    // Environment variables still set (pip CLI --cert takes precedence)
-    assert.strictEqual(
-      capturedArgs.options.env.REQUESTS_CA_BUNDLE,
-      "/tmp/test-combined-ca.pem"
-    );
-    assert.strictEqual(
-      capturedArgs.options.env.SSL_CERT_FILE,
-      "/tmp/test-combined-ca.pem"
-    );
-  });
-
   it("should preserve HTTPS_PROXY from proxy merge", async () => {
     const res = await runPip("pip3", ["install", "requests"]);
     assert.strictEqual(res.status, 0);
-    
+
     assert.strictEqual(
       capturedArgs.options.env.HTTPS_PROXY,
       "http://localhost:8080",