@arcote.tech/arc-cli 0.4.5 → 0.4.7

package/dist/index.js

@@ -9353,7 +9353,7 @@ var require_buffer_equal_constant_time = __commonJS((exports, module) => {
 // ../../node_modules/jwa/index.js
 var require_jwa = __commonJS((exports, module) => {
   var Buffer2 = require_safe_buffer().Buffer;
-  var crypto = __require("node:crypto");
+  var crypto2 = __require("node:crypto");
   var formatEcdsa = require_ecdsa_sig_formatter();
   var util = __require("node:util");
   var MSG_INVALID_ALGORITHM = `"%s" is not a valid algorithm.
@@ -9362,7 +9362,7 @@ var require_jwa = __commonJS((exports, module) => {
   var MSG_INVALID_SECRET = "secret must be a string or buffer";
   var MSG_INVALID_VERIFIER_KEY = "key must be a string or a buffer";
   var MSG_INVALID_SIGNER_KEY = "key must be a string, a buffer or an object";
-  var supportsKeyObjects = typeof crypto.createPublicKey === "function";
+  var supportsKeyObjects = typeof crypto2.createPublicKey === "function";
   if (supportsKeyObjects) {
     MSG_INVALID_VERIFIER_KEY += " or a KeyObject";
     MSG_INVALID_SECRET += "or a KeyObject";
@@ -9452,17 +9452,17 @@ var require_jwa = __commonJS((exports, module) => {
     return function sign(thing, secret) {
       checkIsSecretKey(secret);
       thing = normalizeInput(thing);
-      var hmac = crypto.createHmac("sha" + bits, secret);
+      var hmac = crypto2.createHmac("sha" + bits, secret);
       var sig = (hmac.update(thing), hmac.digest("base64"));
       return fromBase64(sig);
     };
   }
   var bufferEqual;
-  var timingSafeEqual = "timingSafeEqual" in crypto ? function timingSafeEqual(a, b) {
+  var timingSafeEqual = "timingSafeEqual" in crypto2 ? function timingSafeEqual(a, b) {
     if (a.byteLength !== b.byteLength) {
       return false;
     }
-    return crypto.timingSafeEqual(a, b);
+    return crypto2.timingSafeEqual(a, b);
   } : function timingSafeEqual(a, b) {
     if (!bufferEqual) {
       bufferEqual = require_buffer_equal_constant_time();
@@ -9479,7 +9479,7 @@ var require_jwa = __commonJS((exports, module) => {
     return function sign(thing, privateKey) {
       checkIsPrivateKey(privateKey);
       thing = normalizeInput(thing);
-      var signer = crypto.createSign("RSA-SHA" + bits);
+      var signer = crypto2.createSign("RSA-SHA" + bits);
       var sig = (signer.update(thing), signer.sign(privateKey, "base64"));
       return fromBase64(sig);
     };
@@ -9489,7 +9489,7 @@ var require_jwa = __commonJS((exports, module) => {
       checkIsPublicKey(publicKey);
       thing = normalizeInput(thing);
       signature = toBase64(signature);
-      var verifier = crypto.createVerify("RSA-SHA" + bits);
+      var verifier = crypto2.createVerify("RSA-SHA" + bits);
       verifier.update(thing);
       return verifier.verify(publicKey, signature, "base64");
     };
@@ -9498,11 +9498,11 @@ var require_jwa = __commonJS((exports, module) => {
     return function sign(thing, privateKey) {
       checkIsPrivateKey(privateKey);
       thing = normalizeInput(thing);
-      var signer = crypto.createSign("RSA-SHA" + bits);
+      var signer = crypto2.createSign("RSA-SHA" + bits);
       var sig = (signer.update(thing), signer.sign({
         key: privateKey,
-        padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
-        saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST
+        padding: crypto2.constants.RSA_PKCS1_PSS_PADDING,
+        saltLength: crypto2.constants.RSA_PSS_SALTLEN_DIGEST
       }, "base64"));
       return fromBase64(sig);
     };
@@ -9512,12 +9512,12 @@ var require_jwa = __commonJS((exports, module) => {
       checkIsPublicKey(publicKey);
       thing = normalizeInput(thing);
       signature = toBase64(signature);
-      var verifier = crypto.createVerify("RSA-SHA" + bits);
+      var verifier = crypto2.createVerify("RSA-SHA" + bits);
       verifier.update(thing);
       return verifier.verify({
         key: publicKey,
-        padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
-        saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST
+        padding: crypto2.constants.RSA_PKCS1_PSS_PADDING,
+        saltLength: crypto2.constants.RSA_PSS_SALTLEN_DIGEST
       }, signature, "base64");
     };
   }
@@ -14340,15 +14340,15 @@ function typeValidatorBuilder(typeName, comparatorStrategy) {
 function string() {
   return new ArcString;
 }
-function id(name, generateFn) {
-  return new ArcId(name, generateFn);
-}
 
 class ArcFragmentBase {
   is(type) {
     return this.types.includes(type);
   }
 }
+function id(name, generateFn) {
+  return new ArcId(name, generateFn);
+}
 
 class AggregateBase {
   value;
@@ -15957,7 +15957,7 @@ var Operation, PROXY_DRAFT, RAW_RETURN_SYMBOL, iteratorSymbol, dataTypes, intern
     }
     return returnValue(result);
   };
-}, create, constructorString, TOKEN_PREFIX = "arc:token:", eventWireInstanceCounter = 0, EVENT_TABLES, arrayValidator, ArcArray, objectValidator, ArcObject, ArcPrimitive, ArcBoolean, stringValidator, ArcString, ArcId, numberValidator, ArcNumber, ArcContextElement, ArcEvent, ForkedStoreState, ForkedDataStorage, MasterStoreState, MasterDataStorage2, dateValidator, SQLiteReadWriteTransaction, createSQLiteAdapterFactory = (db) => {
+}, create, constructorString, TOKEN_PREFIX = "arc:token:", eventWireInstanceCounter = 0, EVENT_TABLES, arrayValidator, ArcArray, objectValidator, ArcObject, ArcPrimitive, stringValidator, ArcString, ArcContextElement, ArcBoolean, ArcId, numberValidator, ArcNumber, ArcEvent, ForkedStoreState, ForkedDataStorage, MasterStoreState, MasterDataStorage2, dateValidator, SQLiteReadWriteTransaction, createSQLiteAdapterFactory = (db) => {
   return async (context) => {
     const adapter = new SQLiteAdapter(db, context);
     await adapter.initialize();
@@ -16648,37 +16648,6 @@ var init_dist = __esm(() => {
       return value;
     }
   };
-  ArcBoolean = class ArcBoolean extends ArcPrimitive {
-    hasToBeTrue() {
-      return this.validation("hasToBeTrue", (value) => {
-        if (!value)
-          return {
-            current: value
-          };
-      });
-    }
-    validation(name, validator) {
-      const instance = this.pipeValidation(name, validator);
-      return instance;
-    }
-    toJsonSchema() {
-      const schema = { type: "boolean" };
-      if (this._description) {
-        schema.description = this._description;
-      }
-      return schema;
-    }
-    getColumnData() {
-      const storeData = this.getStoreData();
-      return {
-        type: "boolean",
-        storeData: {
-          ...storeData,
-          isNullable: false
-        }
-      };
-    }
-  };
   stringValidator = typeValidatorBuilder("string");
   ArcString = class ArcString extends ArcPrimitive {
     constructor() {
@@ -16826,6 +16795,52 @@ var init_dist = __esm(() => {
       };
     }
   };
+  ArcContextElement = class ArcContextElement extends ArcFragmentBase {
+    name;
+    types = ["context-element"];
+    get id() {
+      return this.name;
+    }
+    constructor(name) {
+      super();
+      this.name = name;
+    }
+    _seeds;
+    getSeeds() {
+      return this._seeds;
+    }
+  };
+  ArcBoolean = class ArcBoolean extends ArcPrimitive {
+    hasToBeTrue() {
+      return this.validation("hasToBeTrue", (value) => {
+        if (!value)
+          return {
+            current: value
+          };
+      });
+    }
+    validation(name, validator) {
+      const instance = this.pipeValidation(name, validator);
+      return instance;
+    }
+    toJsonSchema() {
+      const schema = { type: "boolean" };
+      if (this._description) {
+        schema.description = this._description;
+      }
+      return schema;
+    }
+    getColumnData() {
+      const storeData = this.getStoreData();
+      return {
+        type: "boolean",
+        storeData: {
+          ...storeData,
+          isNullable: false
+        }
+      };
+    }
+  };
   ArcId = class ArcId extends ArcBranded {
     generateFn;
     constructor(name, generateFn) {
@@ -16891,17 +16906,6 @@ var init_dist = __esm(() => {
       };
     }
   };
-  ArcContextElement = class ArcContextElement extends ArcFragmentBase {
-    name;
-    types = ["context-element"];
-    get id() {
-      return this.name;
-    }
-    constructor(name) {
-      super();
-      this.name = name;
-    }
-  };
   ArcEvent = class ArcEvent extends ArcContextElement {
     data;
     eventId = id("event");
@@ -25541,6 +25545,7 @@ function parsePo(content) {
   let msgid = "";
   let msgstr = "";
   let obsolete = false;
+  let inManual = false;
   const flush = () => {
     if (msgid) {
       entries.push({
@@ -25548,7 +25553,8 @@ function parsePo(content) {
         msgstr,
         locations,
         hash: hash || hashMsgid(msgid),
-        obsolete
+        obsolete,
+        ...inManual ? { manual: true } : {}
       });
     }
     locations = [];
@@ -25559,6 +25565,16 @@ function parsePo(content) {
   };
   for (const line of lines) {
     const trimmed = line.trim();
+    if (trimmed === "# manual") {
+      inManual = true;
+      continue;
+    }
+    if (trimmed === "# end manual") {
+      if (msgid)
+        flush();
+      inManual = false;
+      continue;
+    }
     if (trimmed === "" || trimmed.startsWith("#,")) {
       if (msgid)
         flush();
@@ -25601,8 +25617,19 @@ function parsePo(content) {
 }
 function writePo(entries) {
   const lines = [];
-  const active = entries.filter((e) => !e.obsolete);
+  const manual = entries.filter((e) => e.manual);
+  const active = entries.filter((e) => !e.obsolete && !e.manual);
   const obsolete = entries.filter((e) => e.obsolete);
+  if (manual.length > 0) {
+    lines.push("# manual");
+    for (const entry of manual) {
+      lines.push(`msgid ${quoteString(entry.msgid)}`);
+      lines.push(`msgstr ${quoteString(entry.msgstr)}`);
+      lines.push("");
+    }
+    lines.push("# end manual");
+    lines.push("");
+  }
   for (const entry of active) {
     for (const loc of entry.locations) {
       lines.push(`#: ${loc}`);
@@ -25629,10 +25656,14 @@ function mergeCatalog(existing, extracted) {
   for (const entry of existing) {
     existingMap.set(entry.msgid, entry);
   }
+  const manualEntries = existing.filter((e) => e.manual);
+  const manualIds = new Set(manualEntries.map((e) => e.msgid));
   const result = [];
   const seen = new Set;
   for (const [msgid, locations] of extracted) {
     seen.add(msgid);
+    if (manualIds.has(msgid))
+      continue;
     const prev = existingMap.get(msgid);
     result.push({
       msgid,
@@ -25643,7 +25674,7 @@ function mergeCatalog(existing, extracted) {
     });
   }
   for (const entry of existing) {
-    if (!seen.has(entry.msgid) && !entry.obsolete && entry.msgstr) {
+    if (!seen.has(entry.msgid) && !entry.obsolete && !entry.manual && entry.msgstr) {
       result.push({
         ...entry,
         obsolete: true,
@@ -25651,7 +25682,8 @@ function mergeCatalog(existing, extracted) {
       });
     }
   }
-  return result;
+  result.sort((a, b) => a.msgid.localeCompare(b.msgid));
+  return [...manualEntries, ...result];
 }
 function extractQuoted(s) {
   const trimmed = s.trim();
@@ -25678,7 +25710,11 @@ function compileCatalog(poPath) {
       result[entry.msgid] = entry.msgstr;
     }
   }
-  return result;
+  const sorted = {};
+  for (const key of Object.keys(result).sort()) {
+    sorted[key] = result[key];
+  }
+  return sorted;
 }
 function compileAllCatalogs(localesDir, outDir) {
   mkdirSync3(outDir, { recursive: true });
@@ -25806,6 +25842,9 @@ var SHELL_EXTERNALS = [
   "@arcote.tech/arc",
   "@arcote.tech/arc-ds",
   "@arcote.tech/arc-react",
+  "@arcote.tech/arc-auth",
+  "@arcote.tech/arc-utils",
+  "@arcote.tech/arc-workspace",
   "@arcote.tech/platform"
 ];
 function discoverPackages(rootDir) {
@@ -25881,8 +25920,11 @@ async function buildPackages(rootDir, outDir, packages) {
   const tmpDir = join6(outDir, "_entries");
   mkdirSync5(tmpDir, { recursive: true });
   const entrypoints = [];
+  const fileToName = new Map;
   for (const pkg of packages) {
     const safeName = pkg.path.split("/").pop();
+    const moduleName = pkg.name.includes("/") ? pkg.name.split("/").pop() : pkg.name;
+    fileToName.set(safeName, moduleName);
     const wrapperFile = join6(tmpDir, `${safeName}.ts`);
     writeFileSync5(wrapperFile, `export * from "${pkg.name}";
 `);
@@ -25890,6 +25932,14 @@ async function buildPackages(rootDir, outDir, packages) {
   }
   console.log(`  Bundling ${entrypoints.length} package(s)...`);
   const i18nCollector = new Map;
+  const arcExternalPlugin = {
+    name: "arc-external",
+    setup(build2) {
+      build2.onResolve({ filter: /^@arcote\.tech\// }, (args) => {
+        return { path: args.path, external: true };
+      });
+    }
+  };
   const result = await Bun.build({
     entrypoints,
     outdir: outDir,
@@ -25897,7 +25947,7 @@ async function buildPackages(rootDir, outDir, packages) {
     format: "esm",
     target: "browser",
     external: SHELL_EXTERNALS,
-    plugins: [i18nExtractPlugin(i18nCollector, rootDir)],
+    plugins: [arcExternalPlugin, i18nExtractPlugin(i18nCollector, rootDir)],
     naming: "[name].[ext]",
     define: {
       ONLY_SERVER: "false",
@@ -25914,9 +25964,13 @@ async function buildPackages(rootDir, outDir, packages) {
   await finalizeTranslations(rootDir, join6(outDir, ".."), i18nCollector);
   const { rmSync } = await import("node:fs");
   rmSync(tmpDir, { recursive: true, force: true });
-  const moduleFiles = result.outputs.filter((o) => o.kind === "entry-point").map((o) => o.path.split("/").pop());
+  const moduleEntries = result.outputs.filter((o) => o.kind === "entry-point").map((o) => {
+    const file = o.path.split("/").pop();
+    const safeName = file.replace(/\.js$/, "");
+    return { file, name: fileToName.get(safeName) ?? safeName };
+  });
   const manifest = {
-    modules: moduleFiles,
+    modules: moduleEntries,
     buildTime: new Date().toISOString()
   };
   writeFileSync5(join6(outDir, "manifest.json"), JSON.stringify(manifest, null, 2));
@@ -26128,34 +26182,44 @@ export const { createPortal, flushSync } = ReactDOM;`
     ["arc", "@arcote.tech/arc"],
     ["arc-ds", "@arcote.tech/arc-ds"],
     ["arc-react", "@arcote.tech/arc-react"],
+    ["arc-auth", "@arcote.tech/arc-auth"],
+    ["arc-utils", "@arcote.tech/arc-utils"],
+    ["arc-workspace", "@arcote.tech/arc-workspace"],
     ["platform", "@arcote.tech/platform"]
   ];
-  const arcEps = [];
+  const baseExternal = [
+    "react",
+    "react-dom",
+    "react/jsx-runtime",
+    "react/jsx-dev-runtime",
+    "react-dom/client"
+  ];
+  const allArcPkgs = arcEntries.map(([, pkg]) => pkg);
   for (const [name, pkg] of arcEntries) {
     const f = join7(tmpDir, `${name}.ts`);
     Bun.write(f, `export * from "${pkg}";
 `);
-    arcEps.push(f);
-  }
-  const r2 = await Bun.build({
-    entrypoints: arcEps,
-    outdir: outDir,
-    splitting: true,
-    format: "esm",
-    target: "browser",
-    naming: "[name].[ext]",
-    external: [
-      "react",
-      "react-dom",
-      "react/jsx-runtime",
-      "react/jsx-dev-runtime",
-      "react-dom/client"
-    ]
-  });
-  if (!r2.success) {
-    for (const l of r2.logs)
-      console.error(l);
-    throw new Error("Shell Arc build failed");
+    const r2 = await Bun.build({
+      entrypoints: [f],
+      outdir: outDir,
+      format: "esm",
+      target: "browser",
+      naming: "[name].[ext]",
+      external: [
+        ...baseExternal,
+        ...allArcPkgs.filter((p) => p !== pkg)
+      ],
+      define: {
+        ONLY_SERVER: "false",
+        ONLY_BROWSER: "true",
+        ONLY_CLIENT: "true"
+      }
+    });
+    if (!r2.success) {
+      for (const l of r2.logs)
+        console.error(l);
+      throw new Error(`Shell build failed for ${pkg}`);
+    }
   }
   const { rmSync } = await import("node:fs");
   rmSync(tmpDir, { recursive: true, force: true });
@@ -26163,10 +26227,14 @@ export const { createPortal, flushSync } = ReactDOM;`
 async function loadServerContext(packages) {
   const ctxPackages = packages.filter((p) => isContextPackage(p.packageJson));
   if (ctxPackages.length === 0)
-    return null;
+    return { context: null, moduleAccess: new Map };
   globalThis.ONLY_SERVER = true;
   globalThis.ONLY_BROWSER = false;
   globalThis.ONLY_CLIENT = false;
+  const platformDir = join7(process.cwd(), "node_modules", "@arcote.tech", "platform");
+  const platformPkg = JSON.parse(readFileSync6(join7(platformDir, "package.json"), "utf-8"));
+  const platformEntry = join7(platformDir, platformPkg.main ?? "src/index.ts");
+  await import(platformEntry);
   for (const ctx of ctxPackages) {
     const serverDist = join7(ctx.path, "dist", "server", "main", "index.js");
     if (!existsSync6(serverDist)) {
@@ -26179,8 +26247,17 @@ async function loadServerContext(packages) {
       err(`Failed to load server context from ${ctx.name}: ${e}`);
     }
   }
-  const { getContext } = await import("@arcote.tech/platform");
-  return getContext() ?? null;
+  const nonCtxPackages = packages.filter((p) => !isContextPackage(p.packageJson));
+  for (const pkg of nonCtxPackages) {
+    try {
+      await import(pkg.entrypoint);
+    } catch {}
+  }
+  const { getContext, getAllModuleAccess } = await import(platformEntry);
+  return {
+    context: getContext() ?? null,
+    moduleAccess: getAllModuleAccess()
+  };
 }
 
 // src/commands/platform-build.ts
@@ -26389,8 +26466,33 @@ class ContextHandler {
     if (this.initialized)
       return;
     await this.model.init();
+    await this.runSeeds();
     this.initialized = true;
   }
+  async runSeeds() {
+    for (const element of this.context.elements) {
+      if (!("getSeeds" in element))
+        continue;
+      const seedInfo = element.getSeeds();
+      if (!seedInfo)
+        continue;
+      const { data, idFactory } = seedInfo;
+      const tableName = element.name;
+      const store = this.dataStorage.getStore(tableName);
+      const existing = await store.find({});
+      if (existing.length > 0)
+        continue;
+      const changes = data.map((row) => ({
+        type: "set",
+        data: {
+          ...row,
+          _id: row._id ?? idFactory.generate()
+        }
+      }));
+      await store.applyChanges(changes);
+      console.log(`[ARC:Seed] Seeded ${data.length} row(s) into ${tableName}`);
+    }
+  }
   async executeCommand(commandName, params, rawToken) {
     const scoped = new ScopedModel(this.model, "request");
     if (rawToken)
@@ -27608,6 +27710,9 @@ function generateShellHtml(appName, manifest) {
       "@arcote.tech/arc": "/shell/arc.js",
       "@arcote.tech/arc-ds": "/shell/arc-ds.js",
       "@arcote.tech/arc-react": "/shell/arc-react.js",
+      "@arcote.tech/arc-auth": "/shell/arc-auth.js",
+      "@arcote.tech/arc-utils": "/shell/arc-utils.js",
+      "@arcote.tech/arc-workspace": "/shell/arc-workspace.js",
       "@arcote.tech/platform": "/shell/platform.js"
     }
   };
@@ -27662,16 +27767,69 @@ function serveFile(filePath, headers = {}) {
     headers: { "Content-Type": getMime(filePath), ...headers }
   });
 }
-function staticFilesHandler(ws, devMode) {
+var MODULE_SIG_SECRET = process.env.ARC_MODULE_SECRET ?? crypto.randomUUID();
+var MODULE_SIG_TTL = 3600;
+function signModuleUrl(filename) {
+  const exp = Math.floor(Date.now() / 1000) + MODULE_SIG_TTL;
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  const sig = hasher.digest("hex").slice(0, 16);
+  return `/modules/${filename}?sig=${sig}&exp=${exp}`;
+}
+function verifyModuleSignature(filename, sig, exp) {
+  if (!sig || !exp)
+    return false;
+  if (Number(exp) < Date.now() / 1000)
+    return false;
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  return hasher.digest("hex").slice(0, 16) === sig;
+}
+async function filterManifestForToken(manifest, moduleAccessMap, tokenPayload) {
+  const filtered = [];
+  for (const mod of manifest.modules) {
+    const access = moduleAccessMap.get(mod.name);
+    if (!access) {
+      filtered.push(mod);
+      continue;
+    }
+    if (!tokenPayload)
+      continue;
+    let granted = false;
+    for (const rule of access.rules) {
+      if (tokenPayload.tokenType === rule.token.name) {
+        granted = rule.check ? await rule.check(tokenPayload) : true;
+        if (granted)
+          break;
+      }
+    }
+    if (granted) {
+      filtered.push({ ...mod, url: signModuleUrl(mod.file) });
+    }
+  }
+  return { modules: filtered, buildTime: manifest.buildTime };
+}
+function staticFilesHandler(ws, devMode, moduleAccessMap) {
   return (_req, url, ctx) => {
     const path4 = url.pathname;
     if (path4.startsWith("/shell/"))
       return serveFile(join8(ws.shellDir, path4.slice(7)), ctx.corsHeaders);
-    if (path4.startsWith("/modules/"))
-      return serveFile(join8(ws.modulesDir, path4.slice(9)), {
+    if (path4.startsWith("/modules/")) {
+      const fileWithParams = path4.slice(9);
+      const filename = fileWithParams.split("?")[0];
+      const moduleName = filename.replace(/\.js$/, "");
+      if (moduleAccessMap.has(moduleName)) {
+        const sig = url.searchParams.get("sig");
+        const exp = url.searchParams.get("exp");
+        if (!verifyModuleSignature(filename, sig, exp)) {
+          return new Response("Forbidden", { status: 403, headers: ctx.corsHeaders });
+        }
+      }
+      return serveFile(join8(ws.modulesDir, filename), {
         ...ctx.corsHeaders,
         "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable"
       });
+    }
     if (path4.startsWith("/locales/"))
       return serveFile(join8(ws.arcDir, path4.slice(1)), ctx.corsHeaders);
     if (path4 === "/styles.css")
@@ -27689,10 +27847,11 @@ function staticFilesHandler(ws, devMode) {
     return null;
   };
 }
-function apiEndpointsHandler(ws, getManifest, cm) {
+function apiEndpointsHandler(ws, getManifest, cm, moduleAccessMap) {
   return (_req, url, ctx) => {
-    if (url.pathname === "/api/modules")
-      return Response.json(getManifest(), { headers: ctx.corsHeaders });
+    if (url.pathname === "/api/modules") {
+      return filterManifestForToken(getManifest(), moduleAccessMap, ctx.tokenPayload).then((filtered) => Response.json(filtered, { headers: ctx.corsHeaders }));
+    }
     if (url.pathname === "/api/translations") {
       const config = readTranslationsConfig(ws.rootDir);
       return Response.json(config ?? { locales: [], sourceLocale: "" }, {
@@ -27743,6 +27902,7 @@ function spaFallbackHandler(shellHtml) {
 }
 async function startPlatformServer(opts) {
   const { ws, port, devMode, context } = opts;
+  const moduleAccessMap = opts.moduleAccess ?? new Map;
   let manifest = opts.manifest;
   const getManifest = () => manifest;
   const shellHtml = generateShellHtml(ws.appName, ws.manifest);
@@ -27765,9 +27925,9 @@ async function startPlatformServer(opts) {
           corsHeaders: cors
         };
         const handlers = [
-          apiEndpointsHandler(ws, getManifest, null),
+          apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
           ...devMode ? [devReloadHandler(sseClients)] : [],
-          staticFilesHandler(ws, !!devMode),
+          staticFilesHandler(ws, !!devMode, moduleAccessMap),
           spaFallbackHandler(shellHtml)
         ];
         for (const handler of handlers) {
@@ -27812,9 +27972,9 @@ async function startPlatformServer(opts) {
     dbAdapterFactory: createBunSQLiteAdapterFactory2(dbPath),
     port,
     httpHandlers: [
-      apiEndpointsHandler(ws, getManifest, null),
+      apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
       ...devMode ? [devReloadHandler(sseClients)] : [],
-      staticFilesHandler(ws, !!devMode),
+      staticFilesHandler(ws, !!devMode, moduleAccessMap),
       spaFallbackHandler(shellHtml)
     ],
     onWsClose: (clientId) => cleanupClientSubs(clientId)
@@ -27848,7 +28008,7 @@ async function platformDev() {
   const port = 5005;
   let manifest = await buildAll(ws);
   log2("Loading server context...");
-  const context = await loadServerContext(ws.packages);
+  const { context, moduleAccess } = await loadServerContext(ws.packages);
   if (context) {
     ok("Context loaded");
   } else {
@@ -27859,6 +28019,7 @@ async function platformDev() {
     port,
     manifest,
     context,
+    moduleAccess,
     dbPath: join9(ws.rootDir, ".arc", "data", "dev.db"),
     devMode: true
   });
@@ -27938,7 +28099,7 @@ async function platformStart() {
   }
   const manifest = JSON.parse(readFileSync7(manifestPath, "utf-8"));
   log2("Loading server context...");
-  const context = await loadServerContext(ws.packages);
+  const { context, moduleAccess } = await loadServerContext(ws.packages);
   if (context) {
     ok("Context loaded");
   } else {
@@ -27949,6 +28110,7 @@ async function platformStart() {
     port,
     manifest,
     context,
+    moduleAccess,
     dbPath: join10(ws.rootDir, ".arc", "data", "prod.db"),
     devMode: false
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-cli",
-  "version": "0.4.5",
+  "version": "0.4.7",
   "description": "CLI tool for Arc framework",
   "module": "index.ts",
   "main": "dist/index.js",

package/src/builder/module-builder.ts

@@ -84,6 +84,9 @@ export const SHELL_EXTERNALS = [
   "@arcote.tech/arc",
   "@arcote.tech/arc-ds",
   "@arcote.tech/arc-react",
+  "@arcote.tech/arc-auth",
+  "@arcote.tech/arc-utils",
+  "@arcote.tech/arc-workspace",
   "@arcote.tech/platform",
 ];
 
@@ -94,8 +97,13 @@ export interface WorkspacePackage {
   packageJson: Record<string, any>;
 }
 
+export interface ModuleEntry {
+  file: string;
+  name: string;
+}
+
 export interface BuildManifest {
-  modules: string[];
+  modules: ModuleEntry[];
   buildTime: string;
 }
 
@@ -200,9 +208,13 @@ export async function buildPackages(
   mkdirSync(tmpDir, { recursive: true });
 
   const entrypoints: string[] = [];
+  const fileToName = new Map<string, string>(); // safeName → module name
 
   for (const pkg of packages) {
     const safeName = pkg.path.split("/").pop()!;
+    // Module name: strip scope (e.g. @ndt/admin → admin)
+    const moduleName = pkg.name.includes("/") ? pkg.name.split("/").pop()! : pkg.name;
+    fileToName.set(safeName, moduleName);
 
     // All packages get a simple re-export wrapper.
     // Context packages that use module().build() self-register via side effects.
@@ -217,6 +229,17 @@ export async function buildPackages(
   // i18n extraction — collect translatable strings during bundling
   const i18nCollector = new Map<string, Set<string>>();
 
+  // Plugin to force all @arcote.tech/* imports as external,
+  // even when resolved through symlinks (bun link)
+  const arcExternalPlugin: import("bun").BunPlugin = {
+    name: "arc-external",
+    setup(build) {
+      build.onResolve({ filter: /^@arcote\.tech\// }, (args) => {
+        return { path: args.path, external: true };
+      });
+    },
+  };
+
   const result = await Bun.build({
     entrypoints,
     outdir: outDir,
@@ -224,7 +247,7 @@ export async function buildPackages(
     format: "esm",
     target: "browser",
     external: SHELL_EXTERNALS,
-    plugins: [i18nExtractPlugin(i18nCollector, rootDir)],
+    plugins: [arcExternalPlugin, i18nExtractPlugin(i18nCollector, rootDir)],
     naming: "[name].[ext]",
     define: {
       ONLY_SERVER: "false",
@@ -248,12 +271,16 @@ export async function buildPackages(
   rmSync(tmpDir, { recursive: true, force: true });
 
   // Build manifest
-  const moduleFiles = result.outputs
+  const moduleEntries: ModuleEntry[] = result.outputs
     .filter((o) => o.kind === "entry-point")
-    .map((o) => o.path.split("/").pop()!);
+    .map((o) => {
+      const file = o.path.split("/").pop()!;
+      const safeName = file.replace(/\.js$/, "");
+      return { file, name: fileToName.get(safeName) ?? safeName };
+    });
 
   const manifest: BuildManifest = {
-    modules: moduleFiles,
+    modules: moduleEntries,
     buildTime: new Date().toISOString(),
   };
 

package/src/commands/platform-dev.ts

@@ -21,7 +21,7 @@ export async function platformDev(): Promise<void> {
 
   // Load server context
   log("Loading server context...");
-  const context = await loadServerContext(ws.packages);
+  const { context, moduleAccess } = await loadServerContext(ws.packages);
   if (context) {
     ok("Context loaded");
   } else {
@@ -34,6 +34,7 @@ export async function platformDev(): Promise<void> {
     port,
     manifest,
     context,
+    moduleAccess,
     dbPath: join(ws.rootDir, ".arc", "data", "dev.db"),
     devMode: true,
   });

package/src/commands/platform-start.ts

@@ -26,7 +26,7 @@ export async function platformStart(): Promise<void> {
 
   // Load server context
   log("Loading server context...");
-  const context = await loadServerContext(ws.packages);
+  const { context, moduleAccess } = await loadServerContext(ws.packages);
   if (context) {
     ok("Context loaded");
   } else {
@@ -39,6 +39,7 @@ export async function platformStart(): Promise<void> {
     port,
     manifest,
     context,
+    moduleAccess,
     dbPath: join(ws.rootDir, ".arc", "data", "prod.db"),
     devMode: false,
   });

package/src/i18n/catalog.ts

@@ -18,6 +18,7 @@ export interface CatalogEntry {
   locations: string[];
   hash: string;
   obsolete: boolean;
+  manual?: boolean;
 }
 
 /** Short hash from msgid for change tracking */
@@ -37,6 +38,7 @@ export function parsePo(content: string): CatalogEntry[] {
   let msgid = "";
   let msgstr = "";
   let obsolete = false;
+  let inManual = false;
 
   const flush = () => {
     if (msgid) {
@@ -46,6 +48,7 @@ export function parsePo(content: string): CatalogEntry[] {
         locations,
         hash: hash || hashMsgid(msgid),
         obsolete,
+        ...(inManual ? { manual: true } : {}),
       });
     }
     locations = [];
@@ -58,6 +61,17 @@ export function parsePo(content: string): CatalogEntry[] {
   for (const line of lines) {
     const trimmed = line.trim();
 
+    // Manual section markers
+    if (trimmed === "# manual") {
+      inManual = true;
+      continue;
+    }
+    if (trimmed === "# end manual") {
+      if (msgid) flush();
+      inManual = false;
+      continue;
+    }
+
     if (trimmed === "" || trimmed.startsWith("#,")) {
       // Empty line or flags — boundary between entries
       if (msgid) flush();
@@ -110,10 +124,23 @@ export function parsePo(content: string): CatalogEntry[] {
 export function writePo(entries: CatalogEntry[]): string {
   const lines: string[] = [];
 
-  // Active entries first, then obsolete
-  const active = entries.filter((e) => !e.obsolete);
+  const manual = entries.filter((e) => e.manual);
+  const active = entries.filter((e) => !e.obsolete && !e.manual);
   const obsolete = entries.filter((e) => e.obsolete);
 
+  // Manual section
+  if (manual.length > 0) {
+    lines.push("# manual");
+    for (const entry of manual) {
+      lines.push(`msgid ${quoteString(entry.msgid)}`);
+      lines.push(`msgstr ${quoteString(entry.msgstr)}`);
+      lines.push("");
+    }
+    lines.push("# end manual");
+    lines.push("");
+  }
+
+  // Extracted entries
   for (const entry of active) {
     for (const loc of entry.locations) {
       lines.push(`#: ${loc}`);
@@ -124,6 +151,7 @@ export function writePo(entries: CatalogEntry[]): string {
     lines.push("");
   }
 
+  // Obsolete entries
   if (obsolete.length > 0) {
     lines.push("# Obsolete entries");
     lines.push("");
@@ -152,12 +180,18 @@ export function mergeCatalog(
     existingMap.set(entry.msgid, entry);
   }
 
+  // Preserve manual entries as-is
+  const manualEntries = existing.filter((e) => e.manual);
+  const manualIds = new Set(manualEntries.map((e) => e.msgid));
+
   const result: CatalogEntry[] = [];
   const seen = new Set<string>();
 
-  // Process all extracted messages
+  // Process all extracted messages (skip those in manual section)
   for (const [msgid, locations] of extracted) {
     seen.add(msgid);
+    if (manualIds.has(msgid)) continue;
+
     const prev = existingMap.get(msgid);
 
     result.push({
@@ -171,7 +205,7 @@ export function mergeCatalog(
 
   // Mark removed entries as obsolete (keep their translations)
   for (const entry of existing) {
-    if (!seen.has(entry.msgid) && !entry.obsolete && entry.msgstr) {
+    if (!seen.has(entry.msgid) && !entry.obsolete && !entry.manual && entry.msgstr) {
       result.push({
         ...entry,
         obsolete: true,
@@ -180,7 +214,11 @@ export function mergeCatalog(
     }
   }
 
-  return result;
+  // Sort extracted entries alphabetically for deterministic output
+  result.sort((a, b) => a.msgid.localeCompare(b.msgid));
+
+  // Manual entries first, then sorted extracted, then obsolete
+  return [...manualEntries, ...result];
 }
 
 function extractQuoted(s: string): string {

package/src/i18n/compile.ts

@@ -18,7 +18,12 @@ export function compileCatalog(poPath: string): Record<string, string> {
     }
   }
 
-  return result;
+  // Sort keys for deterministic JSON output
+  const sorted: Record<string, string> = {};
+  for (const key of Object.keys(result).sort()) {
+    sorted[key] = result[key];
+  }
+  return sorted;
 }
 
 /**

package/src/platform/server.ts

@@ -11,7 +11,8 @@ import {
 import { existsSync, mkdirSync } from "fs";
 import { join } from "path";
 import { readTranslationsConfig } from "../i18n";
-import type { BuildManifest, WorkspaceInfo } from "./shared";
+import type { BuildManifest, ModuleEntry, WorkspaceInfo } from "./shared";
+import type { ModuleAccess } from "@arcote.tech/platform";
 
 // ---------------------------------------------------------------------------
 // Types
@@ -23,6 +24,8 @@ export interface PlatformServerOptions {
   manifest: BuildManifest;
   /** Server context (from loadServerContext). If null, static-only mode. */
   context?: any;
+  /** Module access rules (from registry after loadServerContext). */
+  moduleAccess?: Map<string, ModuleAccess>;
   /** Path to SQLite database file */
   dbPath?: string;
   /** If true, enables SSE reload stream + mutable manifest (dev mode) */
@@ -77,6 +80,9 @@ export function generateShellHtml(appName: string, manifest?: { title: string; f
       "@arcote.tech/arc": "/shell/arc.js",
       "@arcote.tech/arc-ds": "/shell/arc-ds.js",
       "@arcote.tech/arc-react": "/shell/arc-react.js",
+      "@arcote.tech/arc-auth": "/shell/arc-auth.js",
+      "@arcote.tech/arc-utils": "/shell/arc-utils.js",
+      "@arcote.tech/arc-workspace": "/shell/arc-workspace.js",
       "@arcote.tech/platform": "/shell/platform.js",
     },
   };
@@ -141,20 +147,96 @@ function serveFile(
   });
 }
 
+// ---------------------------------------------------------------------------
+// Module access — signed URLs
+// ---------------------------------------------------------------------------
+
+const MODULE_SIG_SECRET = process.env.ARC_MODULE_SECRET ?? crypto.randomUUID();
+const MODULE_SIG_TTL = 3600; // 1 hour
+
+function signModuleUrl(filename: string): string {
+  const exp = Math.floor(Date.now() / 1000) + MODULE_SIG_TTL;
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  const sig = hasher.digest("hex").slice(0, 16);
+  return `/modules/${filename}?sig=${sig}&exp=${exp}`;
+}
+
+function verifyModuleSignature(filename: string, sig: string | null, exp: string | null): boolean {
+  if (!sig || !exp) return false;
+  if (Number(exp) < Date.now() / 1000) return false;
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  return hasher.digest("hex").slice(0, 16) === sig;
+}
+
+async function filterManifestForToken(
+  manifest: BuildManifest,
+  moduleAccessMap: Map<string, ModuleAccess>,
+  tokenPayload: any,
+): Promise<BuildManifest> {
+  const filtered: ModuleEntry[] = [];
+
+  for (const mod of manifest.modules) {
+    const access = moduleAccessMap.get(mod.name);
+
+    if (!access) {
+      // Public module — always include
+      filtered.push(mod);
+      continue;
+    }
+
+    // Protected module — check if token grants access
+    if (!tokenPayload) continue;
+
+    let granted = false;
+    for (const rule of access.rules) {
+      if (tokenPayload.tokenType === rule.token.name) {
+        granted = rule.check ? await rule.check(tokenPayload) : true;
+        if (granted) break;
+      }
+    }
+
+    if (granted) {
+      filtered.push({ ...mod, url: signModuleUrl(mod.file) } as any);
+    }
+  }
+
+  return { modules: filtered, buildTime: manifest.buildTime };
+}
+
 // ---------------------------------------------------------------------------
 // Platform-specific HTTP handlers
 // ---------------------------------------------------------------------------
 
-function staticFilesHandler(ws: WorkspaceInfo, devMode: boolean): ArcHttpHandler {
+function staticFilesHandler(
+  ws: WorkspaceInfo,
+  devMode: boolean,
+  moduleAccessMap: Map<string, ModuleAccess>,
+): ArcHttpHandler {
   return (_req, url, ctx) => {
     const path = url.pathname;
     if (path.startsWith("/shell/"))
       return serveFile(join(ws.shellDir, path.slice(7)), ctx.corsHeaders);
-    if (path.startsWith("/modules/"))
-      return serveFile(join(ws.modulesDir, path.slice(9)), {
+    if (path.startsWith("/modules/")) {
+      const fileWithParams = path.slice(9);
+      const filename = fileWithParams.split("?")[0];
+      const moduleName = filename.replace(/\.js$/, "");
+
+      // Check access for protected modules
+      if (moduleAccessMap.has(moduleName)) {
+        const sig = url.searchParams.get("sig");
+        const exp = url.searchParams.get("exp");
+        if (!verifyModuleSignature(filename, sig, exp)) {
+          return new Response("Forbidden", { status: 403, headers: ctx.corsHeaders });
+        }
+      }
+
+      return serveFile(join(ws.modulesDir, filename), {
         ...ctx.corsHeaders,
         "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
       });
+    }
     if (path.startsWith("/locales/"))
       return serveFile(join(ws.arcDir, path.slice(1)), ctx.corsHeaders);
     if (path === "/styles.css")
@@ -182,10 +264,14 @@ function apiEndpointsHandler(
   ws: WorkspaceInfo,
   getManifest: () => BuildManifest,
   cm: ConnectionManager | null,
+  moduleAccessMap: Map<string, ModuleAccess>,
 ): ArcHttpHandler {
   return (_req, url, ctx) => {
-    if (url.pathname === "/api/modules")
-      return Response.json(getManifest(), { headers: ctx.corsHeaders });
+    if (url.pathname === "/api/modules") {
+      // Filter manifest based on token — protected modules only for authorized users
+      return filterManifestForToken(getManifest(), moduleAccessMap, ctx.tokenPayload)
+        .then((filtered) => Response.json(filtered, { headers: ctx.corsHeaders }));
+    }
 
     if (url.pathname === "/api/translations") {
       const config = readTranslationsConfig(ws.rootDir);
@@ -252,6 +338,7 @@ export async function startPlatformServer(
   opts: PlatformServerOptions,
 ): Promise<PlatformServer> {
   const { ws, port, devMode, context } = opts;
+  const moduleAccessMap = opts.moduleAccess ?? new Map();
   let manifest = opts.manifest;
   const getManifest = () => manifest;
 
@@ -282,9 +369,9 @@ export async function startPlatformServer(
 
         // Platform handlers only
         const handlers: ArcHttpHandler[] = [
-          apiEndpointsHandler(ws, getManifest, null),
+          apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
           ...(devMode ? [devReloadHandler(sseClients)] : []),
-          staticFilesHandler(ws, !!devMode),
+          staticFilesHandler(ws, !!devMode, moduleAccessMap),
           spaFallbackHandler(shellHtml),
         ];
 
@@ -328,9 +415,9 @@ export async function startPlatformServer(
     port,
     httpHandlers: [
       // Platform-specific handlers (checked AFTER arc handlers)
-      apiEndpointsHandler(ws, getManifest, null),
+      apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
       ...(devMode ? [devReloadHandler(sseClients)] : []),
-      staticFilesHandler(ws, !!devMode),
+      staticFilesHandler(ws, !!devMode, moduleAccessMap),
       spaFallbackHandler(shellHtml),
     ],
     onWsClose: (clientId) => cleanupClientSubs(clientId),

package/src/platform/shared.ts

@@ -7,12 +7,13 @@ import {
   discoverPackages,
   isContextPackage,
   type BuildManifest,
+  type ModuleEntry,
   type WorkspacePackage,
 } from "../builder/module-builder";
 
 // Re-export for convenience
 export { buildPackages, buildStyles, isContextPackage };
-export type { BuildManifest, WorkspacePackage };
+export type { BuildManifest, ModuleEntry, WorkspacePackage };
 
 // ---------------------------------------------------------------------------
 // Logging
@@ -206,34 +207,48 @@ export const { createPortal, flushSync } = ReactDOM;`,
     ["arc", "@arcote.tech/arc"],
     ["arc-ds", "@arcote.tech/arc-ds"],
     ["arc-react", "@arcote.tech/arc-react"],
+    ["arc-auth", "@arcote.tech/arc-auth"],
+    ["arc-utils", "@arcote.tech/arc-utils"],
+    ["arc-workspace", "@arcote.tech/arc-workspace"],
     ["platform", "@arcote.tech/platform"],
   ];
 
-  const arcEps: string[] = [];
+  const baseExternal = [
+    "react",
+    "react-dom",
+    "react/jsx-runtime",
+    "react/jsx-dev-runtime",
+    "react-dom/client",
+  ];
+  const allArcPkgs = arcEntries.map(([, pkg]) => pkg);
+
+  // Build each arc entry separately so it can import sibling arc packages
+  // as externals (resolved via import map) without circular self-reference.
   for (const [name, pkg] of arcEntries) {
     const f = join(tmpDir, `${name}.ts`);
     Bun.write(f, `export * from "${pkg}";\n`);
-    arcEps.push(f);
-  }
 
-  const r2 = await Bun.build({
-    entrypoints: arcEps,
-    outdir: outDir,
-    splitting: true,
-    format: "esm",
-    target: "browser",
-    naming: "[name].[ext]",
-    external: [
-      "react",
-      "react-dom",
-      "react/jsx-runtime",
-      "react/jsx-dev-runtime",
-      "react-dom/client",
-    ],
-  });
-  if (!r2.success) {
-    for (const l of r2.logs) console.error(l);
-    throw new Error("Shell Arc build failed");
+    const r2 = await Bun.build({
+      entrypoints: [f],
+      outdir: outDir,
+      format: "esm",
+      target: "browser",
+      naming: "[name].[ext]",
+      external: [
+        ...baseExternal,
+        // Other arc packages are external (not self)
+        ...allArcPkgs.filter((p) => p !== pkg),
+      ],
+      define: {
+        ONLY_SERVER: "false",
+        ONLY_BROWSER: "true",
+        ONLY_CLIENT: "true",
+      },
+    });
+    if (!r2.success) {
+      for (const l of r2.logs) console.error(l);
+      throw new Error(`Shell build failed for ${pkg}`);
+    }
   }
 
   // Clean tmp
@@ -247,9 +262,9 @@ export const { createPortal, flushSync } = ReactDOM;`,
 
 export async function loadServerContext(
   packages: WorkspacePackage[],
-): Promise<any | null> {
+): Promise<{ context: any | null; moduleAccess: Map<string, any> }> {
   const ctxPackages = packages.filter((p) => isContextPackage(p.packageJson));
-  if (ctxPackages.length === 0) return null;
+  if (ctxPackages.length === 0) return { context: null, moduleAccess: new Map() };
 
   // Set globals for server context — framework packages (arc-auth etc.)
   // use these at runtime to tree-shake browser/server code paths.
@@ -259,6 +274,18 @@ export async function loadServerContext(
 
   // Import all context packages — side effects from module().build()
   // register context elements into the global registry via setContext().
+  // Resolve platform from the project's node_modules using an absolute path.
+  // When CLI is bun-linked, `import("@arcote.tech/platform")` would resolve to
+  // the CLI's own copy, creating a separate module instance from what context
+  // packages use. Using an absolute path ensures a single shared instance.
+  const platformDir = join(process.cwd(), "node_modules", "@arcote.tech", "platform");
+  const platformPkg = JSON.parse(readFileSync(join(platformDir, "package.json"), "utf-8"));
+  const platformEntry = join(platformDir, platformPkg.main ?? "src/index.ts");
+
+  // Pre-import platform so it's cached with this absolute path
+  await import(platformEntry);
+
+  // Import context packages from server dist (has server-only code paths)
   for (const ctx of ctxPackages) {
     const serverDist = join(ctx.path, "dist", "server", "main", "index.js");
     if (!existsSync(serverDist)) {
@@ -273,8 +300,20 @@ export async function loadServerContext(
     }
   }
 
-  // After all imports, module().build() side effects have called setContext()
-  // in the arc-ui registry. Retrieve the merged context from there.
-  const { getContext } = await import("@arcote.tech/platform");
-  return getContext() ?? null;
+  // Import non-context packages from source to capture module().protectedBy() metadata
+  const nonCtxPackages = packages.filter((p) => !isContextPackage(p.packageJson));
+  for (const pkg of nonCtxPackages) {
+    try {
+      await import(pkg.entrypoint);
+    } catch {
+      // Non-context packages may fail on server (React components etc.) — that's OK,
+      // module().protectedBy().build() runs synchronously before any rendering
+    }
+  }
+
+  const { getContext, getAllModuleAccess } = await import(platformEntry);
+  return {
+    context: getContext() ?? null,
+    moduleAccess: getAllModuleAccess(),
+  };
 }