localssl-cli 0.1.4 → 0.1.7

package/README.md

@@ -146,6 +146,14 @@ It never stores CA private keys.
 - Team file validation blocks private-key content in `localssl.json`
 - Never share root CA private key files
 
+## Windows permissions behavior
+
+- localssl-cli first trusts certs in `CurrentUser\\Root` (no admin expected)
+- if needed, it prompts: `Admin access needed for machine-wide trust. Continue? (y/N)`
+- choosing `No` keeps safe mode and skips machine-wide trust
+- even if trust-store writes fail, localssl continues project cert setup (non-blocking)
+- rerunning `localssl-cli init` repairs trust if CA already exists
+
 ---
 
 ## Troubleshooting

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "localssl-cli",
-  "version": "0.1.4",
+  "version": "0.1.7",
   "description": "One-command local HTTPS setup for teams",
   "type": "commonjs",
   "main": "src/index.js",

package/src/bootstrap.js

@@ -99,8 +99,8 @@ async function trustSystem(certPath) {
   }
 
   if (process.platform === 'win32') {
-    await trustWindows(certPath);
-    return 'Windows Root store';
+    const scope = await trustWindows(certPath);
+    return scope;
   }
 
   await trustLinux(certPath);
@@ -138,8 +138,39 @@ async function initMachine({ quiet = false } = {}) {
 
   const hasCA = await fs.pathExists(LOCALSSL_CA_PUBLIC);
   if (hasCA) {
+    let systemResult = 'system trust skipped';
+    let nodeResult = 'NODE_EXTRA_CA_CERTS skipped';
+    let firefoxResult = { trusted: false };
+    let chromiumResult = { trusted: false };
+
+    try {
+      systemResult = await trustSystem(LOCALSSL_CA_PUBLIC);
+    } catch (error) {
+      if (!quiet) warn(`System trust repair skipped: ${error.message}`);
+    }
+
+    try {
+      firefoxResult = await trustInFirefox(LOCALSSL_CA_PUBLIC);
+    } catch {
+      firefoxResult = { trusted: false };
+    }
+
+    try {
+      chromiumResult = await trustInChromium(LOCALSSL_CA_PUBLIC);
+    } catch {
+      chromiumResult = { trusted: false };
+    }
+
+    try {
+      nodeResult = await configureNodeExtraCACerts();
+    } catch (error) {
+      if (!quiet) warn(`NODE_EXTRA_CA_CERTS repair skipped: ${error.message}`);
+    }
+
+    const repairSummary = `${systemResult}; ${nodeResult}; Firefox ${firefoxResult.trusted ? 'ok' : 'skipped'}; Chrome/Edge ${chromiumResult.trusted ? 'ok' : 'skipped'}`;
+
     if (!quiet) {
-      step(1, 1, 'Machine CA setup', 'skip', '(already configured)');
+      step(1, 1, 'Machine CA setup', 'skip', `(${repairSummary})`);
     }
     return { mkcertPath, initialized: false };
   }
@@ -154,10 +185,34 @@ async function initMachine({ quiet = false } = {}) {
     }
     warn('Java trust store update skipped (no admin access). System/browser trust still configured.');
   }
-  const systemResult = await trustSystem(LOCALSSL_CA_PUBLIC);
-  const firefoxResult = await trustInFirefox(LOCALSSL_CA_PUBLIC);
-  const chromiumResult = await trustInChromium(LOCALSSL_CA_PUBLIC);
-  const nodeResult = await configureNodeExtraCACerts();
+  let systemResult = 'system trust skipped';
+  let firefoxResult = { trusted: false, reason: 'not attempted' };
+  let chromiumResult = { trusted: false, reason: 'not attempted' };
+  let nodeResult = 'NODE_EXTRA_CA_CERTS skipped';
+
+  try {
+    systemResult = await trustSystem(LOCALSSL_CA_PUBLIC);
+  } catch (error) {
+    warn(`System trust skipped: ${error.message}`);
+  }
+
+  try {
+    firefoxResult = await trustInFirefox(LOCALSSL_CA_PUBLIC);
+  } catch (error) {
+    firefoxResult = { trusted: false, reason: error.message };
+  }
+
+  try {
+    chromiumResult = await trustInChromium(LOCALSSL_CA_PUBLIC);
+  } catch (error) {
+    chromiumResult = { trusted: false, reason: error.message };
+  }
+
+  try {
+    nodeResult = await configureNodeExtraCACerts();
+  } catch (error) {
+    warn(`NODE_EXTRA_CA_CERTS skipped: ${error.message}`);
+  }
 
   if (!quiet) {
     const firefoxText = firefoxResult.trusted ? `+ Firefox (${firefoxResult.reason})` : `+ Firefox skipped (${firefoxResult.reason})`;
@@ -165,6 +220,10 @@ async function initMachine({ quiet = false } = {}) {
     step(1, 1, 'Installing local CA', 'ok', `(${systemResult} ${firefoxText} ${chromiumText}; ${nodeResult})`);
   }
 
+  if (/unavailable|skipped/i.test(systemResult)) {
+    warn('Windows trust was not installed. You can still run HTTPS, but browser may warn until trust is added.');
+  }
+
   if (!firefoxResult.trusted) {
     warn(`Firefox trust skipped: ${firefoxResult.reason}`);
   }

package/src/prompt.js

@@ -0,0 +1,22 @@
+const readline = require('readline');
+
+async function askYesNo(question, defaultNo = true) {
+  if (process.env.LOCALSSL_ASSUME_YES === '1') {
+    return true;
+  }
+
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    return !defaultNo;
+  }
+
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(question, (answer) => {
+      rl.close();
+      const normalized = String(answer || '').trim().toLowerCase();
+      resolve(normalized === 'y' || normalized === 'yes');
+    });
+  });
+}
+
+module.exports = { askYesNo };

package/src/trust/windows.js

@@ -1,20 +1,57 @@
 const { execFile } = require('child_process');
+const { askYesNo } = require('../prompt');
+
+function run(file, args) {
+  return new Promise((resolve) => {
+    execFile(file, args, { windowsHide: true }, (error) => resolve(!error));
+  });
+}
+
+async function trustCurrentUserWithPowerShell(certPath) {
+  const command = `Import-Certificate -FilePath \"${certPath}\" -CertStoreLocation Cert:\\CurrentUser\\Root | Out-Null`;
+  return run('powershell', ['-NoProfile', '-NonInteractive', '-Command', command]);
+}
+
+async function trustMachineWithElevation(certPath) {
+  const command = `$p = Start-Process certutil -ArgumentList '-addstore','-f','ROOT','${certPath}' -Verb RunAs -Wait -PassThru; if ($p.ExitCode -eq 0) { exit 0 } else { exit 1 }`;
+  return run('powershell', ['-NoProfile', '-NonInteractive', '-Command', command]);
+}
 
 function trustCertificate(certPath) {
-  return new Promise((resolve, reject) => {
-    execFile('certutil', ['-addstore', '-f', 'ROOT', certPath], { windowsHide: true }, (error) => {
-      if (error) {
-        reject(new Error('Admin privileges required to install CA on Windows. Re-run terminal as Administrator.'));
-        return;
-      }
-      resolve();
-    });
+  return new Promise(async (resolve) => {
+    const userViaCertutil = await run('certutil', ['-user', '-addstore', '-f', 'ROOT', certPath]);
+    if (userViaCertutil) {
+      resolve('Windows CurrentUser Root');
+      return;
+    }
+
+    const userViaPowerShell = await trustCurrentUserWithPowerShell(certPath);
+    if (userViaPowerShell) {
+      resolve('Windows CurrentUser Root (PowerShell)');
+      return;
+    }
+
+    const consent = await askYesNo('  Admin access needed for machine-wide trust. Continue? (y/N): ');
+    if (!consent) {
+      resolve('Windows trust skipped (user declined admin prompt)');
+      return;
+    }
+
+    const machineStore = await trustMachineWithElevation(certPath);
+    if (machineStore) {
+      resolve('Windows LocalMachine Root (elevated)');
+      return;
+    }
+
+    resolve('Windows trust unavailable (no changes made)');
   });
 }
 
 function untrustCertificate(certPath) {
   return new Promise((resolve) => {
-    execFile('certutil', ['-delstore', 'ROOT', certPath], { windowsHide: true }, () => resolve());
+    execFile('certutil', ['-user', '-delstore', 'ROOT', certPath], { windowsHide: true }, () => {
+      execFile('certutil', ['-delstore', 'ROOT', certPath], { windowsHide: true }, () => resolve());
+    });
   });
 }