coursecode 0.1.9 → 0.1.11

package/bin/cli.js

@@ -21,23 +21,23 @@ import path from 'path';
 import fs from 'fs';
 
 // =============================================================================
-// CORPORATE NETWORK: System CA cert auto-injection
+// CORPORATE NETWORK: System CA cert injection
 //
 // On corporate machines with SSL-inspecting proxies (e.g. Zscaler), the proxy
 // presents its own CA certificate. Node.js ships its own CA bundle and ignores
 // the OS trust store, so TLS verification fails.
 //
-// Fix: export the OS root cert store to a temp PEM file and re-exec with
-// NODE_EXTRA_CA_CERTS pointing to it. Node picks it up before any TLS
-// handshakes. Transparent to users — completes in < 200ms.
-//
-// The NODE_EXTRA_CA_CERTS guard prevents an infinite re-exec loop.
+// Windows: win-ca injects certs directly into Node's TLS context (in-process,
+//          no subprocess, no re-exec). Works regardless of PowerShell policy.
+// macOS/Linux: exports OS certs to a temp PEM file and re-execs with
+//              NODE_EXTRA_CA_CERTS. The guard prevents an infinite loop.
 // =============================================================================
 
 if (!process.env.NODE_EXTRA_CA_CERTS) {
-  const { exportSystemCerts } = await import('../lib/cloud-certs.js');
-  const certPath = await exportSystemCerts();
+  const { injectSystemCerts } = await import('../lib/cloud-certs.js');
+  const certPath = await injectSystemCerts();
   if (certPath) {
+    // macOS/Linux: re-exec with NODE_EXTRA_CA_CERTS pointing to PEM file
     const { execFileSync } = await import('child_process');
     execFileSync(process.execPath, process.argv.slice(1), {
       env: { ...process.env, NODE_EXTRA_CA_CERTS: certPath },
@@ -45,6 +45,7 @@ if (!process.env.NODE_EXTRA_CA_CERTS) {
     });
     process.exit(0);
   }
+  // Windows: win-ca already injected certs in-process — continue normally
 }
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
@@ -316,10 +317,11 @@ program
   .command('logout')
   .description('Log out of CourseCode Cloud')
   .option('--local', 'Use local Cloud instance (http://localhost:3000)')
+  .option('--json', 'Emit machine-readable JSON')
   .action(async (options) => {
     const { logout, setLocalMode } = await import('../lib/cloud.js');
     if (options.local) setLocalMode();
-    await logout();
+    await logout({ json: options.json });
   });
 
 program
@@ -337,33 +339,66 @@ program
   .command('courses')
   .description('List courses on CourseCode Cloud')
   .option('--local', 'Use local Cloud instance (http://localhost:3000)')
+  .option('--json', 'Output raw JSON array')
   .action(async (options) => {
     const { listCourses, setLocalMode } = await import('../lib/cloud.js');
     if (options.local) setLocalMode();
-    await listCourses();
+    await listCourses({ json: options.json });
   });
 
 program
   .command('deploy')
   .description('Build and deploy course to CourseCode Cloud')
-  .option('--preview', 'Deploy as preview (expires in 7 days)')
-  .option('--password', 'Password-protect preview (interactive prompt)')
+  .option('--preview', 'Deploy as preview-only (production untouched, preview pointer always moved). Combine with --promote or --stage for a full deploy that also moves the preview pointer.')
+  .option('--promote', 'Force-promote: always move production pointer regardless of deploy_mode setting. Mutually exclusive with --stage.')
+  .option('--stage', 'Force-stage: never move production pointer regardless of deploy_mode setting. Mutually exclusive with --promote.')
+  .option('--password', 'Password-protect preview (interactive prompt, requires --preview)')
   .option('-m, --message <message>', 'Deploy reason (e.g. "Fixed accessibility issues")')
   .option('--local', 'Use local Cloud instance (http://localhost:3000)')
+  .option('--json', 'Emit machine-readable JSON result')
   .action(async (options) => {
     const { deploy, setLocalMode } = await import('../lib/cloud.js');
     if (options.local) setLocalMode();
     await deploy(options);
   });
 
+program
+  .command('promote')
+  .description('Promote a deployment to production or preview pointer')
+  .option('--production', 'Promote to the production pointer')
+  .option('--preview', 'Promote to the preview pointer')
+  .option('--deployment <id>', 'Deployment ID to promote (skip interactive prompt)')
+  .option('-m, --message <message>', 'Reason for promotion')
+  .option('--local', 'Use local Cloud instance (http://localhost:3000)')
+  .option('--json', 'Emit machine-readable JSON result')
+  .action(async (options) => {
+    const { promote, setLocalMode } = await import('../lib/cloud.js');
+    if (options.local) setLocalMode();
+    await promote(options);
+  });
+
+
 program
   .command('status')
   .description('Show deployment status for current course')
   .option('--local', 'Use local Cloud instance (http://localhost:3000)')
+  .option('--json', 'Output raw JSON')
   .action(async (options) => {
     const { status, setLocalMode } = await import('../lib/cloud.js');
     if (options.local) setLocalMode();
-    await status();
+    await status({ json: options.json });
+  });
+
+program
+  .command('delete')
+  .description('Remove course from CourseCode Cloud (does not delete local files)')
+  .option('--force', 'Skip confirmation prompt')
+  .option('--local', 'Use local Cloud instance (http://localhost:3000)')
+  .option('--json', 'Emit machine-readable JSON result')
+  .action(async (options) => {
+    const { deleteCourse, setLocalMode } = await import('../lib/cloud.js');
+    if (options.local) setLocalMode();
+    await deleteCourse({ force: options.force, json: options.json });
   });
 
 program.parse();

package/framework/css/01-base.css

@@ -136,6 +136,30 @@ em, i {
   color: var(--color-gray-800);
 }
 
+/* Styled Scrollbars (cross-platform) */
+html {
+  scrollbar-width: thin;
+  scrollbar-color: var(--scrollbar-thumb) var(--scrollbar-track);
+}
+
+::-webkit-scrollbar {
+  width: 8px;
+  height: 8px;
+}
+
+::-webkit-scrollbar-track {
+  background: var(--scrollbar-track);
+}
+
+::-webkit-scrollbar-thumb {
+  background: var(--scrollbar-thumb);
+  border-radius: 4px;
+}
+
+::-webkit-scrollbar-thumb:hover {
+  background: var(--scrollbar-thumb-hover);
+}
+
 /* Link Styles */
 a {
   color: var(--color-primary);

package/framework/css/design-tokens.css

@@ -441,6 +441,11 @@
   --sidebar-scrollbar-thumb-hover: var(--color-gray-400); /* Sidebar scrollbar thumb (hover) */
   --sidebar-backdrop: var(--bg-overlay);                 /* Sidebar overlay backdrop color */
 
+  /* Scrollbar Tokens (global, content area) */
+  --scrollbar-thumb: var(--color-gray-300);              /* Scrollbar thumb */
+  --scrollbar-thumb-hover: var(--color-gray-400);        /* Scrollbar thumb (hover) */
+  --scrollbar-track: transparent;                        /* Scrollbar track background */
+
   /* Footer Tokens */
   --footer-bg: var(--bg-surface);                        /* Footer background */
   --footer-text: var(--text-primary);                    /* Footer text color */
@@ -678,6 +683,9 @@
   --sidebar-scrollbar-thumb: var(--color-gray-500);
   --sidebar-scrollbar-thumb-hover: var(--color-gray-400);
   --sidebar-backdrop: color-mix(in srgb, var(--palette-black) 38%, transparent);
+  --scrollbar-thumb: var(--color-gray-500);
+  --scrollbar-thumb-hover: var(--color-gray-400);
+  --scrollbar-track: transparent;
   --footer-bg: var(--bg-surface);
   --footer-text: var(--text-primary);
   --footer-border: var(--border-default);

package/framework/docs/FRAMEWORK_GUIDE.md

@@ -123,7 +123,7 @@ The browser only downloads the one chunk matching the meta tag. Unused driver ch
 | `coursecode build` | `dist/` | Universal build + format manifest + meta tag stamped |
 | `coursecode build` (with `PACKAGE=true`) | `dist/` + ZIP | Same + format-specific ZIP for LMS upload |
 | `coursecode preview --export` | `course-preview/` | Copy of `dist/` wrapped in stub player (for Netlify/GitHub Pages) |
-| `coursecode deploy` | Uploads `dist/` | Cloud hosts universal build, assembles format ZIPs on demand |
+| `coursecode deploy` | Uploads `dist/` | Cloud hosts universal build, assembles format ZIPs on demand. Flags: `--promote` (force live), `--stage` (force staged), `--preview` (preview-only: production untouched, preview always moved). `--promote`/`--stage` are mutually exclusive; `--preview` stacks with either. |
 
 The ZIP never includes preview/stub player assets. Preview is a separate concern (see below).
 

package/framework/docs/USER_GUIDE.md

@@ -723,12 +723,23 @@ Running `coursecode login` displays a URL and a short code in your terminal:
 
 Open the URL in any browser, log in with your CourseCode account, and enter the code. The terminal confirms login automatically — no redirect back required. The code is valid for 15 minutes and works from any device or browser.
 
-**What CourseCode Cloud helps with (plain English):**
-- Host your course online so learners/reviewers can access it without you manually hosting files
-- Generate the LMS package you need later (SCORM/cmi5) from the same upload
-- Share preview links for stakeholder review
-- Manage deployment updates without rebuilding separate packages for each LMS format
-- Provide cloud-managed runtime services (reporting/channel) without extra endpoint setup in your course files
+**Deploy flags:**
+
+`coursecode deploy` accepts flags that control how the production and preview pointers are updated after upload:
+
+| Command | Production pointer | Preview pointer |
+|---|---|---|
+| `cc deploy` | Follows your deploy_mode setting | Follows your preview_deploy_mode setting |
+| `cc deploy --promote` | Always moved to new version | Follows your preview_deploy_mode setting |
+| `cc deploy --stage` | Never moved (stays on old version) | Follows your preview_deploy_mode setting |
+| `cc deploy --preview` | **Untouched** (preview-only upload) | Always moved to new version |
+| `cc deploy --promote --preview` | Always moved to new version | Always moved to new version |
+| `cc deploy --stage --preview` | Never moved | Always moved to new version |
+
+- **Production pointer** — the version learners see when they launch your course.
+- **Preview pointer** — the version served on the cloud preview link (for stakeholder review).
+- **deploy_mode** — a per-course or org setting in the Cloud dashboard. Default is auto-promote (new uploads immediately go live). Can be set to staged (new uploads require a manual promote step).
+- `--promote` and `--stage` are mutually exclusive.
 
 **Typical Cloud workflow:**
 1. Run `coursecode login` once, open the URL shown, and enter the code.

package/lib/cloud-certs.js

@@ -1,15 +1,23 @@
 /**
- * cloud-certs.js — System CA certificate export for corporate network compatibility.
+ * cloud-certs.js — System CA certificate injection for corporate network compatibility.
  *
- * Exports the OS trusted root store to a temp PEM file so Node.js can verify
- * TLS connections that pass through SSL-inspecting proxies (e.g. Zscaler).
+ * On corporate machines with SSL-inspecting proxies (e.g. Zscaler), the proxy
+ * presents its own CA certificate. Node.js ships its own CA bundle and ignores
+ * the OS trust store, causing TLS verification failures.
  *
- * Returns the path to the PEM file on success, null on failure.
- * Never throws — silent fallback for non-corporate machines.
+ * Platform strategy:
+ *   - Windows: `win-ca` (native N-API addon, calls Windows CryptoAPI directly)
+ *   - macOS: `security` CLI exports system keychains to PEM
+ *   - Linux: reads well-known CA bundle file paths
+ *
+ * On macOS/Linux, returns a PEM file path for NODE_EXTRA_CA_CERTS.
+ * On Windows, injects certs directly into Node's TLS context (no file needed).
+ * Never throws — silent no-op on non-corporate machines.
  */
 
 import { execFile } from 'child_process';
 import { promisify } from 'util';
+import { createRequire } from 'module';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
@@ -17,25 +25,34 @@ import crypto from 'crypto';
 
 const execFileAsync = promisify(execFile);
 
-/** Cached result — only export once per process lifetime. */
-let _cachedCertPath = undefined;
+/** Cached result — only run once per process lifetime. */
+let _applied = false;
 
 /**
- * Export the OS system root certificate store to a temp PEM file.
+ * Inject the OS system root certificates into Node's TLS context.
+ *
+ * On Windows, win-ca patches Node's TLS in-process (no file needed, no re-exec).
+ * On macOS/Linux, returns a PEM file path for NODE_EXTRA_CA_CERTS re-exec.
  *
- * @returns {Promise<string|null>} Absolute path to the PEM file, or null if unavailable.
+ * @returns {Promise<string|null>} PEM file path (macOS/Linux) or null (Windows/unavailable).
  */
-export async function exportSystemCerts() {
-  if (_cachedCertPath !== undefined) return _cachedCertPath;
+export async function injectSystemCerts() {
+  if (_applied) return null;
+  _applied = true;
 
   try {
-    const pem = await readSystemCerts();
-    if (!pem || !pem.trim()) {
-      _cachedCertPath = null;
+    if (process.platform === 'win32') {
+      injectWindowsCerts();
       return null;
     }
 
-    // Write to a stable temp path (same content = same hash, avoids accumulation)
+    // macOS/Linux: export to PEM file for NODE_EXTRA_CA_CERTS
+    const pem = process.platform === 'darwin'
+      ? await readMacosCerts()
+      : readLinuxCerts();
+
+    if (!pem || !pem.trim()) return null;
+
     const hash = crypto.createHash('sha1').update(pem).digest('hex').slice(0, 8);
     const certPath = path.join(os.tmpdir(), `coursecode-ca-${hash}.pem`);
 
@@ -43,31 +60,26 @@ export async function exportSystemCerts() {
       fs.writeFileSync(certPath, pem, { mode: 0o600 });
     }
 
-    _cachedCertPath = certPath;
     return certPath;
   } catch {
-    _cachedCertPath = null;
     return null;
   }
 }
 
 /**
- * Read system certificates as a PEM string.
- * Platform-specific — returns null if the platform is unsupported or export fails.
+ * Windows: inject system root certs via win-ca.
+ *
+ * win-ca is a native N-API addon that calls Windows CryptoAPI directly.
+ * No PowerShell, no subprocesses, no temp files. Works regardless of
+ * execution policy, AppLocker, or PowerShell availability.
+ *
+ * The { inject: '+' } mode patches tls.createSecureContext() so system
+ * certs are used *in addition to* Node's built-in CA bundle.
  */
-async function readSystemCerts() {
-  const platform = process.platform;
-
-  if (platform === 'darwin') {
-    return readMacosCerts();
-  }
-
-  if (platform === 'win32') {
-    return readWindowsCerts();
-  }
-
-  // Linux/other: read well-known bundle paths directly
-  return readLinuxCerts();
+function injectWindowsCerts() {
+  const require = createRequire(import.meta.url);
+  const winCa = require('win-ca/api');
+  winCa({ inject: '+' });
 }
 
 /**
@@ -75,7 +87,6 @@ async function readSystemCerts() {
  * This includes all roots installed via Apple MDM / System Preferences.
  */
 async function readMacosCerts() {
-  // Export from all common keychains — ignore errors on missing keychains
   const keychains = [
     '/Library/Keychains/SystemRootCertificates.keychain',
     '/System/Library/Keychains/SystemRootCertificates.keychain',
@@ -97,28 +108,6 @@ async function readMacosCerts() {
   return pems.join('\n');
 }
 
-/**
- * Windows: export LocalMachine\Root via PowerShell.
- * This includes certs deployed via Group Policy / MDM.
- */
-async function readWindowsCerts() {
-  const script = [
-    '$certs = Get-ChildItem -Path Cert:\\LocalMachine\\Root',
-    '$pems = $certs | ForEach-Object {',
-    '  $bytes = $_.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)',
-    '  $b64 = [System.Convert]::ToBase64String($bytes, "InsertLineBreaks")',
-    '  "-----BEGIN CERTIFICATE-----`n" + $b64 + "`n-----END CERTIFICATE-----"',
-    '}',
-    '$pems -join "`n"',
-  ].join('; ');
-
-  const { stdout } = await execFileAsync('powershell', [
-    '-NoProfile', '-NonInteractive', '-Command', script,
-  ], { maxBuffer: 16 * 1024 * 1024 });
-
-  return stdout;
-}
-
 /**
  * Linux: read the system CA bundle from well-known locations.
  * No subprocess needed — just read the file directly.

package/lib/cloud.js

@@ -31,8 +31,6 @@ const LOCAL_CLOUD_URL = 'http://localhost:3000';
 let useLocal = false;
 const CREDENTIALS_DIR = path.join(os.homedir(), '.coursecode');
 const CREDENTIALS_PATH = path.join(CREDENTIALS_DIR, 'credentials.json');
-const PROJECT_CONFIG_DIR = '.coursecode';
-const PROJECT_CONFIG_PATH = path.join(PROJECT_CONFIG_DIR, 'project.json');
 
 const POLL_INTERVAL_MS = 2000;
 const POLL_TIMEOUT_MS = 15 * 60 * 1000; // 15 minutes (device code expiry)
@@ -110,29 +108,6 @@ export function setLocalMode() {
   useLocal = true;
 }
 
-// =============================================================================
-// PROJECT BINDING (local: .coursecode/project.json)
-// =============================================================================
-
-function readProjectConfig() {
-  try {
-    const fullPath = path.join(process.cwd(), PROJECT_CONFIG_PATH);
-    if (!fs.existsSync(fullPath)) return null;
-    return JSON.parse(fs.readFileSync(fullPath, 'utf-8'));
-  } catch {
-    return null;
-  }
-}
-
-function writeProjectConfig(data) {
-  const dir = path.join(process.cwd(), PROJECT_CONFIG_DIR);
-  fs.mkdirSync(dir, { recursive: true });
-  fs.writeFileSync(
-    path.join(process.cwd(), PROJECT_CONFIG_PATH),
-    JSON.stringify(data, null, 2) + '\n'
-  );
-}
-
 // =============================================================================
 // COURSE IDENTITY (committed: .coursecoderc.json → cloudId)
 // =============================================================================
@@ -151,12 +126,13 @@ function readRcConfig() {
 }
 
 /**
- * Stamp cloudId into .coursecoderc.json without clobbering other fields.
+ * Merge fields into .coursecoderc.json without clobbering unrelated fields.
+ * Use this for any cloud binding state (cloudId, orgId, etc.).
  */
-function writeRcCloudId(cloudId) {
+function writeRcConfig(fields) {
   const rcPath = path.join(process.cwd(), '.coursecoderc.json');
   const existing = readRcConfig() || {};
-  existing.cloudId = cloudId;
+  Object.assign(existing, fields);
   fs.writeFileSync(rcPath, JSON.stringify(existing, null, 2) + '\n');
 }
 
@@ -330,7 +306,7 @@ function openBrowser(url) {
   const platform = process.platform;
   const cmd = platform === 'darwin' ? 'open'
     : platform === 'win32' ? 'start'
-    : 'xdg-open';
+      : 'xdg-open';
   exec(`${cmd} "${url}"`);
 }
 
@@ -552,22 +528,11 @@ export async function ensureAuthenticated() {
  * Returns { orgId, courseId, orgName } or prompts the user.
  */
 async function resolveOrgAndCourse(slug, token) {
-  // 1. Check .coursecoderc.json for cloudId (committed, shared across team)
+  // .coursecoderc.json is committed and shared — it is the single source of truth
+  // for the cloud binding. If both cloudId and orgId are present, short-circuit.
   const rcConfig = readRcConfig();
-  if (rcConfig?.cloudId) {
-    // Still need orgId from local project.json if available
-    const projectConfig = readProjectConfig();
-    if (projectConfig?.orgId) {
-      return { orgId: projectConfig.orgId, courseId: rcConfig.cloudId };
-    }
-    // Have cloudId but no orgId — fall through to API resolution
-    // which will match on courseId
-  }
-
-  // 2. Check cached project config (gitignored, per-developer)
-  const projectConfig = readProjectConfig();
-  if (projectConfig?.orgId && projectConfig?.courseId) {
-    return { orgId: projectConfig.orgId, courseId: projectConfig.courseId };
+  if (rcConfig?.cloudId && rcConfig?.orgId) {
+    return { orgId: rcConfig.orgId, courseId: rcConfig.cloudId };
   }
 
   // Call resolve endpoint
@@ -576,8 +541,7 @@ async function resolveOrgAndCourse(slug, token) {
 
   // Found in exactly one org
   if (data.found) {
-    const binding = { orgId: data.orgId, courseId: data.courseId, slug };
-    writeProjectConfig(binding);
+    writeRcConfig({ orgId: data.orgId, cloudId: data.courseId });
     return { orgId: data.orgId, courseId: data.courseId, orgName: data.orgName };
   }
 
@@ -594,8 +558,7 @@ async function resolveOrgAndCourse(slug, token) {
       process.exit(1);
     }
     const match = data.matches[idx];
-    const binding = { orgId: match.orgId, courseId: match.courseId, slug };
-    writeProjectConfig(binding);
+    writeRcConfig({ orgId: match.orgId, cloudId: match.courseId });
     return { orgId: match.orgId, courseId: match.courseId, orgName: match.orgName };
   }
 
@@ -677,14 +640,14 @@ export async function login(options = {}) {
 /**
  * coursecode logout — delete credentials and local project.json
  */
-export async function logout() {
+export async function logout(options = {}) {
   deleteCredentials();
 
-  // Also delete local project.json if it exists
-  const localConfig = path.join(process.cwd(), PROJECT_CONFIG_PATH);
-  try { fs.unlinkSync(localConfig); } catch { /* not there */ }
-
-  console.log('\n✓ Logged out of CourseCode Cloud.\n');
+  if (options.json) {
+    process.stdout.write(JSON.stringify({ success: true }) + '\n');
+  } else {
+    console.log('\n✓ Logged out of CourseCode Cloud.\n');
+  }
 }
 
 /**
@@ -719,7 +682,7 @@ export async function whoami(options = {}) {
 /**
  * coursecode courses — list courses across all orgs
  */
-export async function listCourses() {
+export async function listCourses(options = {}) {
   await ensureAuthenticated();
 
   const makeRequest = async (_isRetry = false) => {
@@ -730,6 +693,11 @@ export async function listCourses() {
 
   const courses = await makeRequest();
 
+  if (options.json) {
+    process.stdout.write(JSON.stringify(courses) + '\n');
+    return;
+  }
+
   if (!courses.length) {
     console.log('\n  No courses found. Deploy one with: coursecode deploy\n');
     return;
@@ -763,8 +731,24 @@ export async function deploy(options = {}) {
 
   await ensureAuthenticated();
   const slug = resolveSlug();
+  const log = (...args) => { if (!options.json) console.log(...args); };
+  const logErr = (...args) => { if (!options.json) console.error(...args); };
 
-  console.log('\n📦 Building...\n');
+  // Validate mutually exclusive flags
+  if (options.promote && options.stage) {
+    logErr('\n❌ --promote and --stage are mutually exclusive.\n');
+    if (options.json) process.stdout.write(JSON.stringify({ success: false, error: '--promote and --stage are mutually exclusive' }) + '\n');
+    process.exit(1);
+  }
+
+  // Determine promote_mode and preview_force
+  const promoteMode = options.promote ? 'promote' : options.stage ? 'stage' : 'auto';
+  const previewForce = !!options.preview;
+  // --preview alone = preview_only deploy (production pointer untouched, preview always moved)
+  // --preview + --promote/--stage = full production deploy + always move preview pointer
+  const previewOnly = previewForce && promoteMode === 'auto';
+
+  log('\n📦 Building...\n');
 
   // Step 1: Build
   const { build } = await import('./build.js');
@@ -773,7 +757,8 @@ export async function deploy(options = {}) {
   // Step 2: Verify dist/ exists
   const distPath = path.join(process.cwd(), 'dist');
   if (!fs.existsSync(distPath)) {
-    console.error('\n❌ Build did not produce a dist/ directory.\n');
+    logErr('\n❌ Build did not produce a dist/ directory.\n');
+    if (options.json) process.stdout.write(JSON.stringify({ success: false, error: 'Build did not produce a dist/ directory' }) + '\n');
     process.exit(1);
   }
 
@@ -786,13 +771,28 @@ export async function deploy(options = {}) {
   await zipDirectory(distPath, zipPath);
 
   // Step 5: Upload
-  const mode = options.preview ? 'preview' : 'production';
-  console.log(`\nDeploying ${slug}${displayOrg} as ${mode}...\n`);
+  let modeLabel;
+  if (previewOnly) {
+    modeLabel = 'preview only';
+  } else if (options.promote && options.preview) {
+    modeLabel = 'force-promote + preview';
+  } else if (options.stage && options.preview) {
+    modeLabel = 'staged + preview';
+  } else if (options.promote) {
+    modeLabel = 'force-promote';
+  } else if (options.stage) {
+    modeLabel = 'staged';
+  } else {
+    modeLabel = 'production';
+  }
+  log(`\nDeploying ${slug}${displayOrg} [${modeLabel}]...\n`);
 
   const formData = new FormData();
   const zipBuffer = fs.readFileSync(zipPath);
   formData.append('file', new Blob([zipBuffer], { type: 'application/zip' }), 'deploy.zip');
   formData.append('orgId', orgId);
+  formData.append('promote_mode', promoteMode);
+  formData.append('preview_force', String(previewForce));
 
   if (options.message) {
     formData.append('message', options.message);
@@ -803,7 +803,7 @@ export async function deploy(options = {}) {
     formData.append('password', pw);
   }
 
-  const queryString = options.preview ? '?mode=preview' : '';
+  const queryString = previewOnly ? '?mode=preview' : '';
 
   const makeRequest = async (_isRetry = false) => {
     const token = readCredentials()?.token;
@@ -817,29 +817,33 @@ export async function deploy(options = {}) {
 
   const result = await makeRequest();
 
-  // Step 6: Write project.json + stamp cloudId
+  // Step 6: Stamp cloudId + orgId into .coursecoderc.json (committed, shared with team)
   const finalCourseId = result.courseId || courseId;
-  writeProjectConfig({
+  writeRcConfig({
+    cloudId: finalCourseId,
     orgId: result.orgId || orgId,
-    courseId: finalCourseId,
-    slug,
   });
 
-  // Stamp cloudId into .coursecoderc.json (committed, shared with team)
-  const rc = readRcConfig();
-  if (finalCourseId && (!rc || rc.cloudId !== finalCourseId)) {
-    writeRcCloudId(finalCourseId);
-  }
-
   // Step 7: Display result
-  if (result.mode === 'preview') {
+  if (options.json) {
+    process.stdout.write(JSON.stringify({ success: true, ...result }) + '\n');
+  } else if (result.mode === 'preview') {
+    // preview_only=true deployment (--preview alone)
     console.log(`✓ Preview deployed (${result.fileCount} files)`);
-    console.log(`  URL: ${result.url}`);
-    if (result.expiresAt) console.log(`  Expires: ${formatDate(result.expiresAt)}`);
+    console.log(`  Preview URL: ${result.url}`);
+    console.log(`  Dashboard:   ${result.dashboardUrl}`);
   } else {
-    console.log(`✓ Deployed to production (${result.fileCount} files, ${formatBytes(result.size)})`);
-    const cloudUrl = getCloudUrl();
-    console.log(`  ${cloudUrl}/dashboard/courses/${result.courseId}`);
+    const prodTag = result.promoted ? 'live' : 'staged';
+    const previewTag = result.previewPromoted ? ' + preview' : '';
+    console.log(`✓ Deployed (${result.fileCount} files) — ${prodTag}${previewTag}`);
+    if (!result.promoted) {
+      console.log(`  Production pointer not updated. Promote from Deploy History or run:`);
+      console.log(`  coursecode promote --production`);
+    }
+    if (result.previewPromoted) {
+      console.log(`  Preview pointer updated.`);
+    }
+    console.log(`  Dashboard: ${result.dashboardUrl}`);
   }
   console.log('');
 
@@ -847,15 +851,109 @@ export async function deploy(options = {}) {
   try { fs.unlinkSync(zipPath); } catch { /* fine */ }
 }
 
+/**
+ * coursecode promote — promote a deployment to production or preview
+ */
+export async function promote(options = {}) {
+  await ensureAuthenticated();
+  const slug = resolveSlug();
+  const rcConfig = readRcConfig();
+
+  // Validate target flag
+  if (!options.production && !options.preview) {
+    console.error('\n❌ Specify a target: --production or --preview\n');
+    process.exit(1);
+  }
+  if (options.production && options.preview) {
+    console.error('\n❌ Specify only one target: --production or --preview\n');
+    process.exit(1);
+  }
+  const target = options.production ? 'production' : 'preview';
+
+  // Resolve deployment ID interactively if not provided
+  let deploymentId = options.deployment;
+  if (!deploymentId) {
+    const orgQuery = rcConfig?.orgId ? `?orgId=${rcConfig.orgId}` : '';
+    const makeVersionsRequest = async (_isRetry = false) => {
+      const token = readCredentials()?.token;
+      const res = await cloudFetch(
+        `/api/cli/courses/${encodeURIComponent(slug)}/versions${orgQuery}`,
+        {},
+        token
+      );
+      return handleResponse(res, { retryFn: makeVersionsRequest, _isRetry });
+    };
+    const data = await makeVersionsRequest();
+    const deployments = data.deployments ?? [];
+
+    if (deployments.length === 0) {
+      console.error('\n❌ No deployments found for this course.\n');
+      process.exit(1);
+    }
+
+    console.log(`\n  Deployments for ${slug}:\n`);
+    deployments.slice(0, 10).forEach((d, i) => {
+      const marker = d.id === data.production_deployment_id
+        ? ' [production]'
+        : d.id === data.preview_deployment_id
+          ? ' [preview]'
+          : '';
+      console.log(`    ${i + 1}. ${new Date(d.created_at).toLocaleString()} — ${d.file_count} files${marker}`);
+    });
+
+    const answer = await prompt('\n  Which deployment to promote? ');
+    const idx = parseInt(answer, 10) - 1;
+    if (idx < 0 || idx >= deployments.length) {
+      console.error('\n❌ Invalid selection.\n');
+      process.exit(1);
+    }
+    deploymentId = deployments[idx].id;
+  }
+
+  const reason = options.message || `Promoted to ${target} via CLI`;
+
+  const makeRequest = async (_isRetry = false) => {
+    const token = readCredentials()?.token;
+    const res = await cloudFetch(
+      `/api/cli/courses/${encodeURIComponent(slug)}/promote`,
+      {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ deployment_id: deploymentId, target, reason }),
+      },
+      token
+    );
+    return handleResponse(res, { retryFn: makeRequest, _isRetry });
+  };
+
+  const result = await makeRequest();
+
+  if (options.json) {
+    process.stdout.write(JSON.stringify({ success: true, ...result }) + '\n');
+    return;
+  }
+
+  if (result.already_promoted) {
+    console.log(`\n  Already the active ${target} deployment. Nothing to do.\n`);
+    return;
+  }
+
+  console.log(`\n✓ Promoted to ${target}`);
+  if (result.url) {
+    console.log(`  Preview URL: ${result.url}`);
+  }
+  console.log('');
+}
+
 /**
  * coursecode status — show deployment status for current course
  */
-export async function status() {
+export async function status(options = {}) {
   await ensureAuthenticated();
   const slug = resolveSlug();
 
-  const projectConfig = readProjectConfig();
-  const orgQuery = projectConfig?.orgId ? `?orgId=${projectConfig.orgId}` : '';
+  const rcConfig = readRcConfig();
+  const orgQuery = rcConfig?.orgId ? `?orgId=${rcConfig.orgId}` : '';
 
   const makeRequest = async (_isRetry = false) => {
     const token = readCredentials()?.token;
@@ -869,8 +967,20 @@ export async function status() {
 
   const data = await makeRequest();
 
+  if (options.json) {
+    process.stdout.write(JSON.stringify(data) + '\n');
+    return;
+  }
+
   console.log(`\n${data.slug} — ${data.name} (${data.orgName})\n`);
 
+  if (data.source_type === 'github' && data.github_repo) {
+    console.log(`Source:         GitHub — ${data.github_repo}`);
+    console.log(`                (changes deploy via GitHub, not direct upload)`);
+  } else if (data.source_type) {
+    console.log(`Source:         ${data.source_type}`);
+  }
+
   if (data.lastDeploy) {
     console.log(`Last deploy:    ${formatDate(data.lastDeploy)} (${data.lastDeployFileCount} files, ${formatBytes(data.lastDeploySize)})`);
   } else {
@@ -888,26 +998,91 @@ export async function status() {
   console.log('');
 }
 
+/**
+ * coursecode delete — remove course record from CourseCode Cloud.
+ *
+ * Cloud-only: this command does not delete local files. CLI users can remove
+ * their project directory themselves; the Desktop handles local deletion via
+ * shell.trashItem after calling this command.
+ *
+ * Response includes source_type + github_repo so callers can warn the user
+ * when the deleted course was GitHub-linked (repo is unaffected, integration
+ * is only disconnected on the Cloud side).
+ */
+export async function deleteCourse(options = {}) {
+  await ensureAuthenticated();
+  const slug = resolveSlug();
+  const log = (...args) => { if (!options.json) console.log(...args); };
+
+  const rcConfig = readRcConfig();
+  if (!rcConfig?.cloudId) {
+    if (options.json) {
+      process.stdout.write(JSON.stringify({ success: false, error: 'Course has not been deployed to Cloud. Nothing to delete.' }) + '\n');
+    } else {
+      console.error('\n❌ Course has not been deployed to Cloud. Nothing to delete.\n');
+    }
+    process.exit(1);
+  }
+
+  const orgQuery = rcConfig?.orgId ? `?orgId=${rcConfig.orgId}` : '';
+
+  if (!options.force && !options.json) {
+    const answer = await prompt(`\n  Delete "${slug}" from CourseCode Cloud? This cannot be undone. [y/N] `);
+    if (answer.toLowerCase() !== 'y') {
+      console.log('  Cancelled.\n');
+      process.exit(0);
+    }
+  }
+
+  log(`\nDeleting ${slug} from Cloud...\n`);
+
+  const makeRequest = async (_isRetry = false) => {
+    const token = readCredentials()?.token;
+    const res = await cloudFetch(
+      `/api/cli/courses/${encodeURIComponent(slug)}${orgQuery}`,
+      {
+        method: 'DELETE',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ cloudId: rcConfig.cloudId }),
+      },
+      token
+    );
+    return handleResponse(res, { retryFn: makeRequest, _isRetry });
+  };
+
+  const result = await makeRequest();
+
+  if (options.json) {
+    process.stdout.write(JSON.stringify({ success: true, ...result }) + '\n');
+    return;
+  }
+
+  console.log(`✓ "${slug}" deleted from CourseCode Cloud.`);
+  if (result.source_type === 'github' && result.github_repo) {
+    console.log(`\n  ⚠️  This course was linked to GitHub (${result.github_repo}).`);
+    console.log(`     The GitHub integration has been disconnected.`);
+    console.log(`     Your repository and its files are unaffected.`);
+  }
+  console.log('');
+}
+
 // =============================================================================
 // ZIP HELPER
 // =============================================================================
 
 /**
- * Zip a directory's contents using the system `zip` command.
- * Falls back to a tar+gzip approach if zip isn't available.
+ * Zip a directory's contents using archiver (cross-platform, no native tools needed).
  */
-function zipDirectory(sourceDir, outputPath) {
+async function zipDirectory(sourceDir, outputPath) {
+  const archiver = (await import('archiver')).default;
   return new Promise((resolve, reject) => {
-    // Use system zip: cd into dir so paths are relative
-    exec(
-      `cd "${sourceDir}" && zip -r -q "${outputPath}" .`,
-      (error) => {
-        if (error) {
-          reject(new Error(`Failed to create zip: ${error.message}. Ensure 'zip' is installed.`));
-        } else {
-          resolve();
-        }
-      }
-    );
+    const output = fs.createWriteStream(outputPath);
+    const archive = archiver('zip', { zlib: { level: 9 } });
+
+    output.on('close', () => resolve());
+    archive.on('error', reject);
+    archive.pipe(output);
+    archive.directory(sourceDir, false);
+    archive.finalize();
   });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coursecode",
-  "version": "0.1.9",
+  "version": "0.1.11",
   "description": "Multi-format course authoring framework with CLI tools (SCORM 2004, SCORM 1.2, cmi5, LTI 1.3)",
   "type": "module",
   "bin": {
@@ -99,6 +99,7 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.0.0",
+    "archiver": "^7.0.1",
     "commander": "^14.0.3",
     "lz-string": "^1.5.0",
     "mammoth": "^1.8.0",
@@ -108,6 +109,7 @@
     "pdf2json": "^4.0.2",
     "pdf2md": "^1.0.2",
     "puppeteer-core": "^24.37.2",
+    "win-ca": "^3.5.1",
     "ws": "^8.18.0"
   },
   "devDependencies": {
@@ -115,7 +117,6 @@
     "@vitest/coverage-v8": "^4.0.18",
     "@xapi/cmi5": "^1.4.0",
     "acorn": "^8.15.0",
-    "archiver": "^7.0.1",
     "eslint": "^10.0.0",
     "globals": "^17.3.0",
     "jose": "^6.1.3",
@@ -124,4 +125,4 @@
     "vite-plugin-static-copy": "^3.1.4",
     "vitest": "^4.0.18"
   }
-}
+}