fix: pre-release blockers — bridge scope, course drift, example-q rebind (v3.5.39) #157
Merged
…q, release docs) — v3.5.39
[security] Scope the Puter page bridge + AI tutor to anthropic.skilljar.com. The bridge's postMessage nonce is readable by any page-world script, so it must not run on Skilljar tenants we don't control. Other AI-detected tenants keep dictionary + Google Translate; only the trusted host gets the bridge/tutor.
[fix] closeSubPanel re-binds the example-question chips (handlers were lost after opening+closing a sub-panel).
[fix] Wire ai-fluency-for-small-businesses (18th course) into FLASHCARD_COURSE_MAP (clears check:academy) and re-enable the 12h academy-courses-drift cron — the scraper parses the current catalog again, restoring POSITIONING.md's SLA claim.
[docs] Store listing -> 18 courses (EN/ko/ja); RELEASE_CHECKLIST refreshed (icon resolved, v3.5.39, bundled zip rebuilt).
Bump 3.5.38 -> 3.5.39.
The anthropic-only gate disabled the sidebar/bridge on the E2E fixture (served from localhost), breaking the tutor/cache specs. Trust localhost/ 127.0.0.1 too — the production manifest only matches *.skilljar.com, so the content script never runs on localhost in a real install (no added surface). Verified: idb-cache, tutor-chat, chat-history, stream-cancel pass locally.
heznpc added a commit that referenced this pull request Jun 1, 2026
ko/ja STORE_LISTING headers were bumped to "18 courses" in #157 but their course enumeration still listed only 17 — "AI Fluency for Small Businesses" (the course #157 actually added) was missing from both localized lists. Also corrects three stale "v3.5.34" references in RELEASE_CHECKLIST to v3.5.39 (the shipping version), including the SNS-launch gate that told us to wait for the listing to reflect a version that will never be uploaded.
heznpc added a commit that referenced this pull request Jun 1, 2026
…le checklist/TODO) (#158)
* docs(store): fix ko/ja course count drift + stale checklist version
ko/ja STORE_LISTING headers were bumped to "18 courses" in #157 but their course enumeration still listed only 17 — "AI Fluency for Small Businesses" (the course #157 actually added) was missing from both localized lists. Also corrects three stale "v3.5.34" references in RELEASE_CHECKLIST to v3.5.39 (the shipping version), including the SNS-launch gate that told us to wait for the listing to reflect a version that will never be uploaded.
* docs: scope AI Tutor in README, refresh TODO, fix stale raw-zip fallback
Second-pass /code-review findings on the v3.5.39 release-readiness docs:
- README: AI Tutor section + intro now state the tutor/Puter bridge run on anthropic.skilljar.com only; other detected Skilljar AI tenants get dictionary + Google Translate but no tutor (matches the v3.5.39 host gate).
- TODO.md: mark the shipped learning-companion items (bookmarks, resume, Tools-menu overlay, TOC) and the small-businesses course wiring done; refresh the stale v3.5.36 header/date.
- RELEASE_CHECKLIST: the raw `skillbridge.zip` fallback is gitignored and not rebuilt by build:bundle:zip, so it silently lagged at 3.5.38 while the bundle was 3.5.39. Note it must be regenerated with `npm run build:zip` immediately before use.
* docs(checklist): privacy-tab gotchas — URL case, remote-code=No, data disclosure
The CWS submit was blocked by "개인정보처리방침 링크에 연결할 수 없습니다": the dashboard had the lowercase github.io path, which 404s (GitHub Pages repo paths are case-sensitive; capital-B `skillBridge` returns 200). Replace the misleading "/privacy (lowercase) verified 200" note with the case-sensitivity warning.
Add a Privacy-tab subsection capturing the v1.0.1→v3.5.39 deltas that trigger re-review: remote code is now NO (Puter bundled as src/bridge/puter.js, loaded via chrome.runtime.getURL, no remote fallback), "Website content" data type must be checked (page text → Google Translate, lesson context → Puter/Gemini/Claude), and alarms / api.github.com need fresh justifications while activeTab/tabs drop off. Also flag that the live store-listing icon is still the old radial-spark and must be re-uploaded separately from the package.
Closes the three P1s + the P2 from review, before CWS re-publication.
- [P1 security] Scope the Puter page bridge + AI tutor to `anthropic.skilljar.com` — its postMessage nonce is page-readable, so it must not run on untrusted Skilljar tenants. Other AI-detected tenants keep dictionary + Google Translate.
- [P1 drift] Wire `ai-fluency-for-small-businesses` (18th course) into `FLASHCARD_COURSE_MAP` (clears `check:academy`); re-enable the 12h drift cron (scraper works again); store listing 18 courses.
- [P1 release docs] `RELEASE_CHECKLIST.md` refreshed (icon resolved, v3.5.39); bundled upload zip rebuilt at v3.5.39.
- [P2] `closeSubPanel` re-binds example-question chips.
Bump 3.5.38 → 3.5.39. Green locally: eslint, prettier, 488 unit, check:academy, check:dict-coverage.
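The host gate from the [P1 security] item, as an added example that is not the project's own code: an exact-hostname allowlist compared with loose string matching over constructed URLs. The three hostnames come from the PR text; every function name, the `aiTenantDetected` input and the sample URLs are assumptions.

```javascript
// Added example, not SkillBridge source. Hostnames come from the PR text;
// every function and constant name here is hypothetical.
const TRUSTED_BRIDGE_HOSTS = new Set([
  "anthropic.skilljar.com", // the one tenant trusted with the bridge
  "localhost",              // E2E fixture only; production manifest matches *.skilljar.com
  "127.0.0.1",
]);

// Exact-hostname gate. new URL() lowercases the host and separates out
// userinfo, port and path, so none of those can influence the comparison.
function isTrustedBridgeHost(pageUrl) {
  try {
    return TRUSTED_BRIDGE_HOSTS.has(new URL(pageUrl).hostname);
  } catch {
    return false; // unparseable input fails closed
  }
}

// Loose string matching, shown only for contrast: it accepts any URL that
// merely contains the trusted name and rejects a differently-cased one.
function looseGate(pageUrl) {
  return pageUrl.includes("anthropic.skilljar.com");
}

// Feature set per page: detected AI tenants keep dictionary + translate,
// only a trusted host also gets the bridge and tutor.
// aiTenantDetected is an assumed input from the extension's own detection.
function featuresFor(pageUrl, aiTenantDetected) {
  const trusted = isTrustedBridgeHost(pageUrl);
  const baseline = trusted || aiTenantDetected;
  return { dictionary: baseline, translate: baseline, bridge: trusted, tutor: trusted };
}

// Constructed sample URLs (tenant and .example names are made up).
const SAMPLES = [
  "https://anthropic.skilljar.com/some-course",
  "https://ANTHROPIC.skilljar.com:443/",
  "http://localhost:3000/fixture.html",
  "https://other-tenant.skilljar.com/",
  "https://anthropic.skilljar.com.lookalike.example/",
  "https://anthropic.skilljar.com@other-tenant.skilljar.com/",
  "https://other-tenant.skilljar.com/?next=anthropic.skilljar.com",
];

function compareGates() {
  return SAMPLES.map((u) => ({ url: u, strict: isTrustedBridgeHost(u), loose: looseGate(u) }));
}

console.table(compareGates());
```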