@arcote.tech/arc-cli 0.4.6 → 0.4.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-cli",
-  "version": "0.4.6",
+  "version": "0.4.7",
   "description": "CLI tool for Arc framework",
   "module": "index.ts",
   "main": "dist/index.js",

package/src/builder/module-builder.ts

@@ -97,8 +97,13 @@ export interface WorkspacePackage {
   packageJson: Record<string, any>;
 }
 
+export interface ModuleEntry {
+  file: string;
+  name: string;
+}
+
 export interface BuildManifest {
-  modules: string[];
+  modules: ModuleEntry[];
   buildTime: string;
 }
 
@@ -203,9 +208,13 @@ export async function buildPackages(
   mkdirSync(tmpDir, { recursive: true });
 
   const entrypoints: string[] = [];
+  const fileToName = new Map<string, string>(); // safeName → module name
 
   for (const pkg of packages) {
     const safeName = pkg.path.split("/").pop()!;
+    // Module name: strip scope (e.g. @ndt/admin → admin)
+    const moduleName = pkg.name.includes("/") ? pkg.name.split("/").pop()! : pkg.name;
+    fileToName.set(safeName, moduleName);
 
     // All packages get a simple re-export wrapper.
     // Context packages that use module().build() self-register via side effects.
@@ -262,12 +271,16 @@ export async function buildPackages(
   rmSync(tmpDir, { recursive: true, force: true });
 
   // Build manifest
-  const moduleFiles = result.outputs
+  const moduleEntries: ModuleEntry[] = result.outputs
     .filter((o) => o.kind === "entry-point")
-    .map((o) => o.path.split("/").pop()!);
+    .map((o) => {
+      const file = o.path.split("/").pop()!;
+      const safeName = file.replace(/\.js$/, "");
+      return { file, name: fileToName.get(safeName) ?? safeName };
+    });
 
   const manifest: BuildManifest = {
-    modules: moduleFiles,
+    modules: moduleEntries,
     buildTime: new Date().toISOString(),
   };
 

package/src/commands/platform-dev.ts

@@ -21,7 +21,7 @@ export async function platformDev(): Promise<void> {
 
   // Load server context
   log("Loading server context...");
-  const context = await loadServerContext(ws.packages);
+  const { context, moduleAccess } = await loadServerContext(ws.packages);
   if (context) {
     ok("Context loaded");
   } else {
@@ -34,6 +34,7 @@ export async function platformDev(): Promise<void> {
     port,
     manifest,
     context,
+    moduleAccess,
     dbPath: join(ws.rootDir, ".arc", "data", "dev.db"),
     devMode: true,
   });

package/src/commands/platform-start.ts

@@ -26,7 +26,7 @@ export async function platformStart(): Promise<void> {
 
   // Load server context
   log("Loading server context...");
-  const context = await loadServerContext(ws.packages);
+  const { context, moduleAccess } = await loadServerContext(ws.packages);
   if (context) {
     ok("Context loaded");
   } else {
@@ -39,6 +39,7 @@ export async function platformStart(): Promise<void> {
     port,
     manifest,
     context,
+    moduleAccess,
     dbPath: join(ws.rootDir, ".arc", "data", "prod.db"),
     devMode: false,
   });

package/src/i18n/catalog.ts

@@ -18,6 +18,7 @@ export interface CatalogEntry {
   locations: string[];
   hash: string;
   obsolete: boolean;
+  manual?: boolean;
 }
 
 /** Short hash from msgid for change tracking */
@@ -37,6 +38,7 @@ export function parsePo(content: string): CatalogEntry[] {
   let msgid = "";
   let msgstr = "";
   let obsolete = false;
+  let inManual = false;
 
   const flush = () => {
     if (msgid) {
@@ -46,6 +48,7 @@ export function parsePo(content: string): CatalogEntry[] {
         locations,
         hash: hash || hashMsgid(msgid),
         obsolete,
+        ...(inManual ? { manual: true } : {}),
       });
     }
     locations = [];
@@ -58,6 +61,17 @@ export function parsePo(content: string): CatalogEntry[] {
   for (const line of lines) {
     const trimmed = line.trim();
 
+    // Manual section markers
+    if (trimmed === "# manual") {
+      inManual = true;
+      continue;
+    }
+    if (trimmed === "# end manual") {
+      if (msgid) flush();
+      inManual = false;
+      continue;
+    }
+
     if (trimmed === "" || trimmed.startsWith("#,")) {
       // Empty line or flags — boundary between entries
       if (msgid) flush();
@@ -110,10 +124,23 @@ export function parsePo(content: string): CatalogEntry[] {
 export function writePo(entries: CatalogEntry[]): string {
   const lines: string[] = [];
 
-  // Active entries first, then obsolete
-  const active = entries.filter((e) => !e.obsolete);
+  const manual = entries.filter((e) => e.manual);
+  const active = entries.filter((e) => !e.obsolete && !e.manual);
   const obsolete = entries.filter((e) => e.obsolete);
 
+  // Manual section
+  if (manual.length > 0) {
+    lines.push("# manual");
+    for (const entry of manual) {
+      lines.push(`msgid ${quoteString(entry.msgid)}`);
+      lines.push(`msgstr ${quoteString(entry.msgstr)}`);
+      lines.push("");
+    }
+    lines.push("# end manual");
+    lines.push("");
+  }
+
+  // Extracted entries
   for (const entry of active) {
     for (const loc of entry.locations) {
       lines.push(`#: ${loc}`);
@@ -124,6 +151,7 @@ export function writePo(entries: CatalogEntry[]): string {
     lines.push("");
   }
 
+  // Obsolete entries
   if (obsolete.length > 0) {
     lines.push("# Obsolete entries");
     lines.push("");
@@ -152,12 +180,18 @@ export function mergeCatalog(
     existingMap.set(entry.msgid, entry);
   }
 
+  // Preserve manual entries as-is
+  const manualEntries = existing.filter((e) => e.manual);
+  const manualIds = new Set(manualEntries.map((e) => e.msgid));
+
   const result: CatalogEntry[] = [];
   const seen = new Set<string>();
 
-  // Process all extracted messages
+  // Process all extracted messages (skip those in manual section)
   for (const [msgid, locations] of extracted) {
     seen.add(msgid);
+    if (manualIds.has(msgid)) continue;
+
     const prev = existingMap.get(msgid);
 
     result.push({
@@ -171,7 +205,7 @@ export function mergeCatalog(
 
   // Mark removed entries as obsolete (keep their translations)
   for (const entry of existing) {
-    if (!seen.has(entry.msgid) && !entry.obsolete && entry.msgstr) {
+    if (!seen.has(entry.msgid) && !entry.obsolete && !entry.manual && entry.msgstr) {
       result.push({
         ...entry,
         obsolete: true,
@@ -180,7 +214,11 @@ export function mergeCatalog(
     }
   }
 
-  return result;
+  // Sort extracted entries alphabetically for deterministic output
+  result.sort((a, b) => a.msgid.localeCompare(b.msgid));
+
+  // Manual entries first, then sorted extracted, then obsolete
+  return [...manualEntries, ...result];
 }
 
 function extractQuoted(s: string): string {

package/src/i18n/compile.ts

@@ -18,7 +18,12 @@ export function compileCatalog(poPath: string): Record<string, string> {
     }
   }
 
-  return result;
+  // Sort keys for deterministic JSON output
+  const sorted: Record<string, string> = {};
+  for (const key of Object.keys(result).sort()) {
+    sorted[key] = result[key];
+  }
+  return sorted;
 }
 
 /**

package/src/platform/server.ts

@@ -11,7 +11,8 @@ import {
 import { existsSync, mkdirSync } from "fs";
 import { join } from "path";
 import { readTranslationsConfig } from "../i18n";
-import type { BuildManifest, WorkspaceInfo } from "./shared";
+import type { BuildManifest, ModuleEntry, WorkspaceInfo } from "./shared";
+import type { ModuleAccess } from "@arcote.tech/platform";
 
 // ---------------------------------------------------------------------------
 // Types
@@ -23,6 +24,8 @@ export interface PlatformServerOptions {
   manifest: BuildManifest;
   /** Server context (from loadServerContext). If null, static-only mode. */
   context?: any;
+  /** Module access rules (from registry after loadServerContext). */
+  moduleAccess?: Map<string, ModuleAccess>;
   /** Path to SQLite database file */
   dbPath?: string;
   /** If true, enables SSE reload stream + mutable manifest (dev mode) */
@@ -144,20 +147,96 @@ function serveFile(
   });
 }
 
+// ---------------------------------------------------------------------------
+// Module access — signed URLs
+// ---------------------------------------------------------------------------
+
+const MODULE_SIG_SECRET = process.env.ARC_MODULE_SECRET ?? crypto.randomUUID();
+const MODULE_SIG_TTL = 3600; // 1 hour
+
+function signModuleUrl(filename: string): string {
+  const exp = Math.floor(Date.now() / 1000) + MODULE_SIG_TTL;
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  const sig = hasher.digest("hex").slice(0, 16);
+  return `/modules/${filename}?sig=${sig}&exp=${exp}`;
+}
+
+function verifyModuleSignature(filename: string, sig: string | null, exp: string | null): boolean {
+  if (!sig || !exp) return false;
+  if (Number(exp) < Date.now() / 1000) return false;
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  return hasher.digest("hex").slice(0, 16) === sig;
+}
+
+async function filterManifestForToken(
+  manifest: BuildManifest,
+  moduleAccessMap: Map<string, ModuleAccess>,
+  tokenPayload: any,
+): Promise<BuildManifest> {
+  const filtered: ModuleEntry[] = [];
+
+  for (const mod of manifest.modules) {
+    const access = moduleAccessMap.get(mod.name);
+
+    if (!access) {
+      // Public module — always include
+      filtered.push(mod);
+      continue;
+    }
+
+    // Protected module — check if token grants access
+    if (!tokenPayload) continue;
+
+    let granted = false;
+    for (const rule of access.rules) {
+      if (tokenPayload.tokenType === rule.token.name) {
+        granted = rule.check ? await rule.check(tokenPayload) : true;
+        if (granted) break;
+      }
+    }
+
+    if (granted) {
+      filtered.push({ ...mod, url: signModuleUrl(mod.file) } as any);
+    }
+  }
+
+  return { modules: filtered, buildTime: manifest.buildTime };
+}
+
 // ---------------------------------------------------------------------------
 // Platform-specific HTTP handlers
 // ---------------------------------------------------------------------------
 
-function staticFilesHandler(ws: WorkspaceInfo, devMode: boolean): ArcHttpHandler {
+function staticFilesHandler(
+  ws: WorkspaceInfo,
+  devMode: boolean,
+  moduleAccessMap: Map<string, ModuleAccess>,
+): ArcHttpHandler {
   return (_req, url, ctx) => {
     const path = url.pathname;
     if (path.startsWith("/shell/"))
       return serveFile(join(ws.shellDir, path.slice(7)), ctx.corsHeaders);
-    if (path.startsWith("/modules/"))
-      return serveFile(join(ws.modulesDir, path.slice(9)), {
+    if (path.startsWith("/modules/")) {
+      const fileWithParams = path.slice(9);
+      const filename = fileWithParams.split("?")[0];
+      const moduleName = filename.replace(/\.js$/, "");
+
+      // Check access for protected modules
+      if (moduleAccessMap.has(moduleName)) {
+        const sig = url.searchParams.get("sig");
+        const exp = url.searchParams.get("exp");
+        if (!verifyModuleSignature(filename, sig, exp)) {
+          return new Response("Forbidden", { status: 403, headers: ctx.corsHeaders });
+        }
+      }
+
+      return serveFile(join(ws.modulesDir, filename), {
         ...ctx.corsHeaders,
         "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
       });
+    }
     if (path.startsWith("/locales/"))
       return serveFile(join(ws.arcDir, path.slice(1)), ctx.corsHeaders);
     if (path === "/styles.css")
@@ -185,10 +264,14 @@ function apiEndpointsHandler(
   ws: WorkspaceInfo,
   getManifest: () => BuildManifest,
   cm: ConnectionManager | null,
+  moduleAccessMap: Map<string, ModuleAccess>,
 ): ArcHttpHandler {
   return (_req, url, ctx) => {
-    if (url.pathname === "/api/modules")
-      return Response.json(getManifest(), { headers: ctx.corsHeaders });
+    if (url.pathname === "/api/modules") {
+      // Filter manifest based on token — protected modules only for authorized users
+      return filterManifestForToken(getManifest(), moduleAccessMap, ctx.tokenPayload)
+        .then((filtered) => Response.json(filtered, { headers: ctx.corsHeaders }));
+    }
 
     if (url.pathname === "/api/translations") {
       const config = readTranslationsConfig(ws.rootDir);
@@ -255,6 +338,7 @@ export async function startPlatformServer(
   opts: PlatformServerOptions,
 ): Promise<PlatformServer> {
   const { ws, port, devMode, context } = opts;
+  const moduleAccessMap = opts.moduleAccess ?? new Map();
   let manifest = opts.manifest;
   const getManifest = () => manifest;
 
@@ -285,9 +369,9 @@ export async function startPlatformServer(
 
         // Platform handlers only
         const handlers: ArcHttpHandler[] = [
-          apiEndpointsHandler(ws, getManifest, null),
+          apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
           ...(devMode ? [devReloadHandler(sseClients)] : []),
-          staticFilesHandler(ws, !!devMode),
+          staticFilesHandler(ws, !!devMode, moduleAccessMap),
           spaFallbackHandler(shellHtml),
         ];
 
@@ -331,9 +415,9 @@ export async function startPlatformServer(
     port,
     httpHandlers: [
       // Platform-specific handlers (checked AFTER arc handlers)
-      apiEndpointsHandler(ws, getManifest, null),
+      apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
       ...(devMode ? [devReloadHandler(sseClients)] : []),
-      staticFilesHandler(ws, !!devMode),
+      staticFilesHandler(ws, !!devMode, moduleAccessMap),
       spaFallbackHandler(shellHtml),
     ],
     onWsClose: (clientId) => cleanupClientSubs(clientId),

package/src/platform/shared.ts

@@ -7,12 +7,13 @@ import {
   discoverPackages,
   isContextPackage,
   type BuildManifest,
+  type ModuleEntry,
   type WorkspacePackage,
 } from "../builder/module-builder";
 
 // Re-export for convenience
 export { buildPackages, buildStyles, isContextPackage };
-export type { BuildManifest, WorkspacePackage };
+export type { BuildManifest, ModuleEntry, WorkspacePackage };
 
 // ---------------------------------------------------------------------------
 // Logging
@@ -212,36 +213,42 @@ export const { createPortal, flushSync } = ReactDOM;`,
     ["platform", "@arcote.tech/platform"],
   ];
 
-  const arcEps: string[] = [];
+  const baseExternal = [
+    "react",
+    "react-dom",
+    "react/jsx-runtime",
+    "react/jsx-dev-runtime",
+    "react-dom/client",
+  ];
+  const allArcPkgs = arcEntries.map(([, pkg]) => pkg);
+
+  // Build each arc entry separately so it can import sibling arc packages
+  // as externals (resolved via import map) without circular self-reference.
   for (const [name, pkg] of arcEntries) {
     const f = join(tmpDir, `${name}.ts`);
     Bun.write(f, `export * from "${pkg}";\n`);
-    arcEps.push(f);
-  }
 
-  const r2 = await Bun.build({
-    entrypoints: arcEps,
-    outdir: outDir,
-    splitting: true,
-    format: "esm",
-    target: "browser",
-    naming: "[name].[ext]",
-    external: [
-      "react",
-      "react-dom",
-      "react/jsx-runtime",
-      "react/jsx-dev-runtime",
-      "react-dom/client",
-    ],
-    define: {
-      ONLY_SERVER: "false",
-      ONLY_BROWSER: "true",
-      ONLY_CLIENT: "true",
-    },
-  });
-  if (!r2.success) {
-    for (const l of r2.logs) console.error(l);
-    throw new Error("Shell Arc build failed");
+    const r2 = await Bun.build({
+      entrypoints: [f],
+      outdir: outDir,
+      format: "esm",
+      target: "browser",
+      naming: "[name].[ext]",
+      external: [
+        ...baseExternal,
+        // Other arc packages are external (not self)
+        ...allArcPkgs.filter((p) => p !== pkg),
+      ],
+      define: {
+        ONLY_SERVER: "false",
+        ONLY_BROWSER: "true",
+        ONLY_CLIENT: "true",
+      },
+    });
+    if (!r2.success) {
+      for (const l of r2.logs) console.error(l);
+      throw new Error(`Shell build failed for ${pkg}`);
+    }
   }
 
   // Clean tmp
@@ -255,9 +262,9 @@ export const { createPortal, flushSync } = ReactDOM;`,
 
 export async function loadServerContext(
   packages: WorkspacePackage[],
-): Promise<any | null> {
+): Promise<{ context: any | null; moduleAccess: Map<string, any> }> {
   const ctxPackages = packages.filter((p) => isContextPackage(p.packageJson));
-  if (ctxPackages.length === 0) return null;
+  if (ctxPackages.length === 0) return { context: null, moduleAccess: new Map() };
 
   // Set globals for server context — framework packages (arc-auth etc.)
   // use these at runtime to tree-shake browser/server code paths.
@@ -278,6 +285,7 @@ export async function loadServerContext(
   // Pre-import platform so it's cached with this absolute path
   await import(platformEntry);
 
+  // Import context packages from server dist (has server-only code paths)
   for (const ctx of ctxPackages) {
     const serverDist = join(ctx.path, "dist", "server", "main", "index.js");
     if (!existsSync(serverDist)) {
@@ -292,6 +300,20 @@ export async function loadServerContext(
     }
   }
 
-  const { getContext } = await import(platformEntry);
-  return getContext() ?? null;
+  // Import non-context packages from source to capture module().protectedBy() metadata
+  const nonCtxPackages = packages.filter((p) => !isContextPackage(p.packageJson));
+  for (const pkg of nonCtxPackages) {
+    try {
+      await import(pkg.entrypoint);
+    } catch {
+      // Non-context packages may fail on server (React components etc.) — that's OK,
+      // module().protectedBy().build() runs synchronously before any rendering
+    }
+  }
+
+  const { getContext, getAllModuleAccess } = await import(platformEntry);
+  return {
+    context: getContext() ?? null,
+    moduleAccess: getAllModuleAccess(),
+  };
 }