coursecode 0.1.9 → 0.1.10

package/bin/cli.js

@@ -21,23 +21,23 @@ import path from 'path';
 import fs from 'fs';
 
 // =============================================================================
-// CORPORATE NETWORK: System CA cert auto-injection
+// CORPORATE NETWORK: System CA cert injection
 //
 // On corporate machines with SSL-inspecting proxies (e.g. Zscaler), the proxy
 // presents its own CA certificate. Node.js ships its own CA bundle and ignores
 // the OS trust store, so TLS verification fails.
 //
-// Fix: export the OS root cert store to a temp PEM file and re-exec with
-// NODE_EXTRA_CA_CERTS pointing to it. Node picks it up before any TLS
-// handshakes. Transparent to users — completes in < 200ms.
-//
-// The NODE_EXTRA_CA_CERTS guard prevents an infinite re-exec loop.
+// Windows: win-ca injects certs directly into Node's TLS context (in-process,
+//          no subprocess, no re-exec). Works regardless of PowerShell policy.
+// macOS/Linux: exports OS certs to a temp PEM file and re-execs with
+//              NODE_EXTRA_CA_CERTS. The guard prevents an infinite loop.
 // =============================================================================
 
 if (!process.env.NODE_EXTRA_CA_CERTS) {
-  const { exportSystemCerts } = await import('../lib/cloud-certs.js');
-  const certPath = await exportSystemCerts();
+  const { injectSystemCerts } = await import('../lib/cloud-certs.js');
+  const certPath = await injectSystemCerts();
   if (certPath) {
+    // macOS/Linux: re-exec with NODE_EXTRA_CA_CERTS pointing to PEM file
     const { execFileSync } = await import('child_process');
     execFileSync(process.execPath, process.argv.slice(1), {
       env: { ...process.env, NODE_EXTRA_CA_CERTS: certPath },
@@ -45,6 +45,7 @@ if (!process.env.NODE_EXTRA_CA_CERTS) {
     });
     process.exit(0);
   }
+  // Windows: win-ca already injected certs in-process — continue normally
 }
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));

package/framework/css/01-base.css

@@ -136,6 +136,30 @@ em, i {
   color: var(--color-gray-800);
 }
 
+/* Styled Scrollbars (cross-platform) */
+html {
+  scrollbar-width: thin;
+  scrollbar-color: var(--scrollbar-thumb) var(--scrollbar-track);
+}
+
+::-webkit-scrollbar {
+  width: 8px;
+  height: 8px;
+}
+
+::-webkit-scrollbar-track {
+  background: var(--scrollbar-track);
+}
+
+::-webkit-scrollbar-thumb {
+  background: var(--scrollbar-thumb);
+  border-radius: 4px;
+}
+
+::-webkit-scrollbar-thumb:hover {
+  background: var(--scrollbar-thumb-hover);
+}
+
 /* Link Styles */
 a {
   color: var(--color-primary);

package/framework/css/design-tokens.css

@@ -441,6 +441,11 @@
   --sidebar-scrollbar-thumb-hover: var(--color-gray-400); /* Sidebar scrollbar thumb (hover) */
   --sidebar-backdrop: var(--bg-overlay);                 /* Sidebar overlay backdrop color */
 
+  /* Scrollbar Tokens (global, content area) */
+  --scrollbar-thumb: var(--color-gray-300);              /* Scrollbar thumb */
+  --scrollbar-thumb-hover: var(--color-gray-400);        /* Scrollbar thumb (hover) */
+  --scrollbar-track: transparent;                        /* Scrollbar track background */
+
   /* Footer Tokens */
   --footer-bg: var(--bg-surface);                        /* Footer background */
   --footer-text: var(--text-primary);                    /* Footer text color */
@@ -678,6 +683,9 @@
   --sidebar-scrollbar-thumb: var(--color-gray-500);
   --sidebar-scrollbar-thumb-hover: var(--color-gray-400);
   --sidebar-backdrop: color-mix(in srgb, var(--palette-black) 38%, transparent);
+  --scrollbar-thumb: var(--color-gray-500);
+  --scrollbar-thumb-hover: var(--color-gray-400);
+  --scrollbar-track: transparent;
   --footer-bg: var(--bg-surface);
   --footer-text: var(--text-primary);
   --footer-border: var(--border-default);

package/lib/cloud-certs.js

@@ -1,15 +1,23 @@
 /**
- * cloud-certs.js — System CA certificate export for corporate network compatibility.
+ * cloud-certs.js — System CA certificate injection for corporate network compatibility.
  *
- * Exports the OS trusted root store to a temp PEM file so Node.js can verify
- * TLS connections that pass through SSL-inspecting proxies (e.g. Zscaler).
+ * On corporate machines with SSL-inspecting proxies (e.g. Zscaler), the proxy
+ * presents its own CA certificate. Node.js ships its own CA bundle and ignores
+ * the OS trust store, causing TLS verification failures.
  *
- * Returns the path to the PEM file on success, null on failure.
- * Never throws — silent fallback for non-corporate machines.
+ * Platform strategy:
+ *   - Windows: `win-ca` (native N-API addon, calls Windows CryptoAPI directly)
+ *   - macOS: `security` CLI exports system keychains to PEM
+ *   - Linux: reads well-known CA bundle file paths
+ *
+ * On macOS/Linux, returns a PEM file path for NODE_EXTRA_CA_CERTS.
+ * On Windows, injects certs directly into Node's TLS context (no file needed).
+ * Never throws — silent no-op on non-corporate machines.
  */
 
 import { execFile } from 'child_process';
 import { promisify } from 'util';
+import { createRequire } from 'module';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
@@ -17,25 +25,34 @@ import crypto from 'crypto';
 
 const execFileAsync = promisify(execFile);
 
-/** Cached result — only export once per process lifetime. */
-let _cachedCertPath = undefined;
+/** Cached result — only run once per process lifetime. */
+let _applied = false;
 
 /**
- * Export the OS system root certificate store to a temp PEM file.
+ * Inject the OS system root certificates into Node's TLS context.
+ *
+ * On Windows, win-ca patches Node's TLS in-process (no file needed, no re-exec).
+ * On macOS/Linux, returns a PEM file path for NODE_EXTRA_CA_CERTS re-exec.
  *
- * @returns {Promise<string|null>} Absolute path to the PEM file, or null if unavailable.
+ * @returns {Promise<string|null>} PEM file path (macOS/Linux) or null (Windows/unavailable).
  */
-export async function exportSystemCerts() {
-  if (_cachedCertPath !== undefined) return _cachedCertPath;
+export async function injectSystemCerts() {
+  if (_applied) return null;
+  _applied = true;
 
   try {
-    const pem = await readSystemCerts();
-    if (!pem || !pem.trim()) {
-      _cachedCertPath = null;
+    if (process.platform === 'win32') {
+      injectWindowsCerts();
       return null;
     }
 
-    // Write to a stable temp path (same content = same hash, avoids accumulation)
+    // macOS/Linux: export to PEM file for NODE_EXTRA_CA_CERTS
+    const pem = process.platform === 'darwin'
+      ? await readMacosCerts()
+      : readLinuxCerts();
+
+    if (!pem || !pem.trim()) return null;
+
     const hash = crypto.createHash('sha1').update(pem).digest('hex').slice(0, 8);
     const certPath = path.join(os.tmpdir(), `coursecode-ca-${hash}.pem`);
 
@@ -43,31 +60,26 @@ export async function exportSystemCerts() {
       fs.writeFileSync(certPath, pem, { mode: 0o600 });
     }
 
-    _cachedCertPath = certPath;
     return certPath;
   } catch {
-    _cachedCertPath = null;
     return null;
   }
 }
 
 /**
- * Read system certificates as a PEM string.
- * Platform-specific — returns null if the platform is unsupported or export fails.
+ * Windows: inject system root certs via win-ca.
+ *
+ * win-ca is a native N-API addon that calls Windows CryptoAPI directly.
+ * No PowerShell, no subprocesses, no temp files. Works regardless of
+ * execution policy, AppLocker, or PowerShell availability.
+ *
+ * The { inject: '+' } mode patches tls.createSecureContext() so system
+ * certs are used *in addition to* Node's built-in CA bundle.
  */
-async function readSystemCerts() {
-  const platform = process.platform;
-
-  if (platform === 'darwin') {
-    return readMacosCerts();
-  }
-
-  if (platform === 'win32') {
-    return readWindowsCerts();
-  }
-
-  // Linux/other: read well-known bundle paths directly
-  return readLinuxCerts();
+function injectWindowsCerts() {
+  const require = createRequire(import.meta.url);
+  const winCa = require('win-ca/api');
+  winCa({ inject: '+' });
 }
 
 /**
@@ -75,7 +87,6 @@ async function readSystemCerts() {
  * This includes all roots installed via Apple MDM / System Preferences.
  */
 async function readMacosCerts() {
-  // Export from all common keychains — ignore errors on missing keychains
   const keychains = [
     '/Library/Keychains/SystemRootCertificates.keychain',
     '/System/Library/Keychains/SystemRootCertificates.keychain',
@@ -97,28 +108,6 @@ async function readMacosCerts() {
   return pems.join('\n');
 }
 
-/**
- * Windows: export LocalMachine\Root via PowerShell.
- * This includes certs deployed via Group Policy / MDM.
- */
-async function readWindowsCerts() {
-  const script = [
-    '$certs = Get-ChildItem -Path Cert:\\LocalMachine\\Root',
-    '$pems = $certs | ForEach-Object {',
-    '  $bytes = $_.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)',
-    '  $b64 = [System.Convert]::ToBase64String($bytes, "InsertLineBreaks")',
-    '  "-----BEGIN CERTIFICATE-----`n" + $b64 + "`n-----END CERTIFICATE-----"',
-    '}',
-    '$pems -join "`n"',
-  ].join('; ');
-
-  const { stdout } = await execFileAsync('powershell', [
-    '-NoProfile', '-NonInteractive', '-Command', script,
-  ], { maxBuffer: 16 * 1024 * 1024 });
-
-  return stdout;
-}
-
 /**
  * Linux: read the system CA bundle from well-known locations.
  * No subprocess needed — just read the file directly.

package/lib/cloud.js

@@ -893,21 +893,18 @@ export async function status() {
 // =============================================================================
 
 /**
- * Zip a directory's contents using the system `zip` command.
- * Falls back to a tar+gzip approach if zip isn't available.
+ * Zip a directory's contents using archiver (cross-platform, no native tools needed).
  */
-function zipDirectory(sourceDir, outputPath) {
+async function zipDirectory(sourceDir, outputPath) {
+  const archiver = (await import('archiver')).default;
   return new Promise((resolve, reject) => {
-    // Use system zip: cd into dir so paths are relative
-    exec(
-      `cd "${sourceDir}" && zip -r -q "${outputPath}" .`,
-      (error) => {
-        if (error) {
-          reject(new Error(`Failed to create zip: ${error.message}. Ensure 'zip' is installed.`));
-        } else {
-          resolve();
-        }
-      }
-    );
+    const output = fs.createWriteStream(outputPath);
+    const archive = archiver('zip', { zlib: { level: 9 } });
+
+    output.on('close', () => resolve());
+    archive.on('error', reject);
+    archive.pipe(output);
+    archive.directory(sourceDir, false);
+    archive.finalize();
   });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coursecode",
-  "version": "0.1.9",
+  "version": "0.1.10",
   "description": "Multi-format course authoring framework with CLI tools (SCORM 2004, SCORM 1.2, cmi5, LTI 1.3)",
   "type": "module",
   "bin": {
@@ -99,6 +99,7 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.0",
+    "archiver": "^7.0.1",
     "commander": "^14.0.3",
     "lz-string": "^1.5.0",
     "mammoth": "^1.8.0",
@@ -108,6 +109,7 @@
     "pdf2json": "^4.0.2",
     "pdf2md": "^1.0.2",
     "puppeteer-core": "^24.37.2",
+    "win-ca": "^3.5.1",
     "ws": "^8.18.0"
   },
   "devDependencies": {
@@ -115,7 +117,6 @@
     "@vitest/coverage-v8": "^4.0.18",
     "@xapi/cmi5": "^1.4.0",
     "acorn": "^8.15.0",
-    "archiver": "^7.0.1",
     "eslint": "^10.0.0",
     "globals": "^17.3.0",
     "jose": "^6.1.3",