Lines 20-60javascript
20import path from 'path';
23// =============================================================================
24// CORPORATE NETWORK: System CA cert injection
26// On corporate machines with SSL-inspecting proxies (e.g. Zscaler), the proxy
27// presents its own CA certificate. Node.js ships its own CA bundle and ignores
28// the OS trust store, so TLS verification fails.
30// Windows: win-ca injects certs directly into Node's TLS context (in-process,
31// no subprocess, no re-exec). Works regardless of PowerShell policy.
32// macOS/Linux: exports OS certs to a temp PEM file and re-execs with
33// NODE_EXTRA_CA_CERTS. The guard prevents an infinite loop.
34// =============================================================================
36if (!process.env.NODE_EXTRA_CA_CERTS) {
37 const { injectSystemCerts } = await import('../lib/cloud-certs.js');
38 const certPath = await injectSystemCerts();
40 // macOS/Linux: re-exec with NODE_EXTRA_CA_CERTS pointing to PEM file
41 const { spawnSync } = await import('child_process');
42 const result = spawnSync(process.execPath, process.argv.slice(1), {
43 env: { ...process.env, NODE_EXTRA_CA_CERTS: certPath },
46 if (result.error) throw result.error;
47 if (result.signal) process.kill(process.pid, result.signal);
48 process.exit(result.status ?? 0);
50 // Windows: win-ca already injected certs in-process — continue normally
53const __dirname = path.dirname(fileURLToPath(import.meta.url));
54const __filename = fileURLToPath(import.meta.url);
55const packageJson = JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json'), 'utf-8'));
57// Packaged Electron + ELECTRON_RUN_AS_NODE can preserve the CLI script path
58// as the first command operand after re-execing with NODE_EXTRA_CA_CERTS.
59// Commander expects operands to start at argv[2], so remove the duplicate.
60if (process.argv[2] && path.resolve(process.argv[2]) === __filename) {