@arcote.tech/arc-cli 0.4.6 → 0.4.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-cli",
-  "version": "0.4.6",
+  "version": "0.4.8",
   "description": "CLI tool for Arc framework",
   "module": "index.ts",
   "main": "dist/index.js",

package/src/builder/module-builder.ts

@@ -97,8 +97,13 @@ export interface WorkspacePackage {
   packageJson: Record<string, any>;
 }
 
+export interface ModuleEntry {
+  file: string;
+  name: string;
+}
+
 export interface BuildManifest {
-  modules: string[];
+  modules: ModuleEntry[];
   buildTime: string;
 }
 
@@ -203,9 +208,13 @@ export async function buildPackages(
   mkdirSync(tmpDir, { recursive: true });
 
   const entrypoints: string[] = [];
+  const fileToName = new Map<string, string>(); // safeName → module name
 
   for (const pkg of packages) {
     const safeName = pkg.path.split("/").pop()!;
+    // Module name: strip scope (e.g. @ndt/admin → admin)
+    const moduleName = pkg.name.includes("/") ? pkg.name.split("/").pop()! : pkg.name;
+    fileToName.set(safeName, moduleName);
 
     // All packages get a simple re-export wrapper.
     // Context packages that use module().build() self-register via side effects.
@@ -262,12 +271,16 @@ export async function buildPackages(
   rmSync(tmpDir, { recursive: true, force: true });
 
   // Build manifest
-  const moduleFiles = result.outputs
+  const moduleEntries: ModuleEntry[] = result.outputs
     .filter((o) => o.kind === "entry-point")
-    .map((o) => o.path.split("/").pop()!);
+    .map((o) => {
+      const file = o.path.split("/").pop()!;
+      const safeName = file.replace(/\.js$/, "");
+      return { file, name: fileToName.get(safeName) ?? safeName };
+    });
 
   const manifest: BuildManifest = {
-    modules: moduleFiles,
+    modules: moduleEntries,
     buildTime: new Date().toISOString(),
   };
 

package/src/commands/platform-dev.ts

@@ -6,6 +6,7 @@ import {
   buildAll,
   buildPackages,
   buildStyles,
+  collectArcPeerDeps,
   loadServerContext,
   log,
   ok,
@@ -21,7 +22,7 @@ export async function platformDev(): Promise<void> {
 
   // Load server context
   log("Loading server context...");
-  const context = await loadServerContext(ws.packages);
+  const { context, moduleAccess } = await loadServerContext(ws.packages);
   if (context) {
     ok("Context loaded");
   } else {
@@ -29,13 +30,16 @@ export async function platformDev(): Promise<void> {
   }
 
   // Start server (dev mode = SSE reload + no-cache)
+  const arcEntries = collectArcPeerDeps(ws.packages);
   const platform = await startPlatformServer({
     ws,
     port,
     manifest,
     context,
+    moduleAccess,
     dbPath: join(ws.rootDir, ".arc", "data", "dev.db"),
     devMode: true,
+    arcEntries,
   });
 
   ok(`Server on http://localhost:${port}`);

package/src/commands/platform-start.ts

@@ -2,6 +2,7 @@ import { existsSync, readFileSync } from "fs";
 import { join } from "path";
 import { startPlatformServer } from "../platform/server";
 import {
+  collectArcPeerDeps,
   err,
   loadServerContext,
   log,
@@ -26,7 +27,7 @@ export async function platformStart(): Promise<void> {
 
   // Load server context
   log("Loading server context...");
-  const context = await loadServerContext(ws.packages);
+  const { context, moduleAccess } = await loadServerContext(ws.packages);
   if (context) {
     ok("Context loaded");
   } else {
@@ -34,13 +35,16 @@ export async function platformStart(): Promise<void> {
   }
 
   // Start server (production mode = no SSE reload, aggressive caching)
+  const arcEntries = collectArcPeerDeps(ws.packages);
   const platform = await startPlatformServer({
     ws,
     port,
     manifest,
     context,
+    moduleAccess,
     dbPath: join(ws.rootDir, ".arc", "data", "prod.db"),
     devMode: false,
+    arcEntries,
   });
 
   ok(`Server on http://localhost:${port}`);

package/src/i18n/catalog.ts

@@ -18,6 +18,7 @@ export interface CatalogEntry {
   locations: string[];
   hash: string;
   obsolete: boolean;
+  manual?: boolean;
 }
 
 /** Short hash from msgid for change tracking */
@@ -37,6 +38,7 @@ export function parsePo(content: string): CatalogEntry[] {
   let msgid = "";
   let msgstr = "";
   let obsolete = false;
+  let inManual = false;
 
   const flush = () => {
     if (msgid) {
@@ -46,6 +48,7 @@ export function parsePo(content: string): CatalogEntry[] {
         locations,
         hash: hash || hashMsgid(msgid),
         obsolete,
+        ...(inManual ? { manual: true } : {}),
       });
     }
     locations = [];
@@ -58,6 +61,17 @@ export function parsePo(content: string): CatalogEntry[] {
   for (const line of lines) {
     const trimmed = line.trim();
 
+    // Manual section markers
+    if (trimmed === "# manual") {
+      inManual = true;
+      continue;
+    }
+    if (trimmed === "# end manual") {
+      if (msgid) flush();
+      inManual = false;
+      continue;
+    }
+
     if (trimmed === "" || trimmed.startsWith("#,")) {
       // Empty line or flags — boundary between entries
       if (msgid) flush();
@@ -110,10 +124,23 @@ export function parsePo(content: string): CatalogEntry[] {
 export function writePo(entries: CatalogEntry[]): string {
   const lines: string[] = [];
 
-  // Active entries first, then obsolete
-  const active = entries.filter((e) => !e.obsolete);
+  const manual = entries.filter((e) => e.manual);
+  const active = entries.filter((e) => !e.obsolete && !e.manual);
   const obsolete = entries.filter((e) => e.obsolete);
 
+  // Manual section
+  if (manual.length > 0) {
+    lines.push("# manual");
+    for (const entry of manual) {
+      lines.push(`msgid ${quoteString(entry.msgid)}`);
+      lines.push(`msgstr ${quoteString(entry.msgstr)}`);
+      lines.push("");
+    }
+    lines.push("# end manual");
+    lines.push("");
+  }
+
+  // Extracted entries
   for (const entry of active) {
     for (const loc of entry.locations) {
       lines.push(`#: ${loc}`);
@@ -124,6 +151,7 @@ export function writePo(entries: CatalogEntry[]): string {
     lines.push("");
   }
 
+  // Obsolete entries
   if (obsolete.length > 0) {
     lines.push("# Obsolete entries");
     lines.push("");
@@ -152,12 +180,18 @@ export function mergeCatalog(
     existingMap.set(entry.msgid, entry);
   }
 
+  // Preserve manual entries as-is
+  const manualEntries = existing.filter((e) => e.manual);
+  const manualIds = new Set(manualEntries.map((e) => e.msgid));
+
   const result: CatalogEntry[] = [];
   const seen = new Set<string>();
 
-  // Process all extracted messages
+  // Process all extracted messages (skip those in manual section)
   for (const [msgid, locations] of extracted) {
     seen.add(msgid);
+    if (manualIds.has(msgid)) continue;
+
     const prev = existingMap.get(msgid);
 
     result.push({
@@ -171,7 +205,7 @@ export function mergeCatalog(
 
   // Mark removed entries as obsolete (keep their translations)
   for (const entry of existing) {
-    if (!seen.has(entry.msgid) && !entry.obsolete && entry.msgstr) {
+    if (!seen.has(entry.msgid) && !entry.obsolete && !entry.manual && entry.msgstr) {
       result.push({
         ...entry,
         obsolete: true,
@@ -180,7 +214,11 @@ export function mergeCatalog(
     }
   }
 
-  return result;
+  // Sort extracted entries alphabetically for deterministic output
+  result.sort((a, b) => a.msgid.localeCompare(b.msgid));
+
+  // Manual entries first, then sorted extracted, then obsolete
+  return [...manualEntries, ...result];
 }
 
 function extractQuoted(s: string): string {

package/src/i18n/compile.ts

@@ -18,7 +18,12 @@ export function compileCatalog(poPath: string): Record<string, string> {
     }
   }
 
-  return result;
+  // Sort keys for deterministic JSON output
+  const sorted: Record<string, string> = {};
+  for (const key of Object.keys(result).sort()) {
+    sorted[key] = result[key];
+  }
+  return sorted;
 }
 
 /**

package/src/platform/server.ts

@@ -11,7 +11,8 @@ import {
 import { existsSync, mkdirSync } from "fs";
 import { join } from "path";
 import { readTranslationsConfig } from "../i18n";
-import type { BuildManifest, WorkspaceInfo } from "./shared";
+import type { BuildManifest, ModuleEntry, WorkspaceInfo } from "./shared";
+import type { ModuleAccess } from "@arcote.tech/platform";
 
 // ---------------------------------------------------------------------------
 // Types
@@ -23,10 +24,14 @@ export interface PlatformServerOptions {
   manifest: BuildManifest;
   /** Server context (from loadServerContext). If null, static-only mode. */
   context?: any;
+  /** Module access rules (from registry after loadServerContext). */
+  moduleAccess?: Map<string, ModuleAccess>;
   /** Path to SQLite database file */
   dbPath?: string;
   /** If true, enables SSE reload stream + mutable manifest (dev mode) */
   devMode?: boolean;
+  /** Arc shell entries [shortName, fullPkgName][] for import map. Auto-detected if omitted. */
+  arcEntries?: [string, string][];
 }
 
 export interface PlatformServer {
@@ -66,7 +71,17 @@ export async function initContextHandler(
 // Shell HTML
 // ---------------------------------------------------------------------------
 
-export function generateShellHtml(appName: string, manifest?: { title: string; favicon?: string }): string {
+export function generateShellHtml(
+  appName: string,
+  manifest?: { title: string; favicon?: string },
+  arcEntries?: [string, string][],
+): string {
+  const arcImports: Record<string, string> = {};
+  if (arcEntries) {
+    for (const [short, pkg] of arcEntries) {
+      arcImports[pkg] = `/shell/${short}.js`;
+    }
+  }
   const importMap = {
     imports: {
       react: "/shell/react.js",
@@ -74,13 +89,7 @@ export function generateShellHtml(appName: string, manifest?: { title: string; f
       "react/jsx-dev-runtime": "/shell/jsx-dev-runtime.js",
       "react-dom": "/shell/react-dom.js",
       "react-dom/client": "/shell/react-dom-client.js",
-      "@arcote.tech/arc": "/shell/arc.js",
-      "@arcote.tech/arc-ds": "/shell/arc-ds.js",
-      "@arcote.tech/arc-react": "/shell/arc-react.js",
-      "@arcote.tech/arc-auth": "/shell/arc-auth.js",
-      "@arcote.tech/arc-utils": "/shell/arc-utils.js",
-      "@arcote.tech/arc-workspace": "/shell/arc-workspace.js",
-      "@arcote.tech/platform": "/shell/platform.js",
+      ...arcImports,
     },
   };
 
@@ -144,20 +153,140 @@ function serveFile(
   });
 }
 
+// ---------------------------------------------------------------------------
+// Module access — signed URLs
+// ---------------------------------------------------------------------------
+
+const MODULE_SIG_SECRET = process.env.ARC_MODULE_SECRET ?? crypto.randomUUID();
+const MODULE_SIG_TTL = 3600; // 1 hour
+
+function signModuleUrl(filename: string): string {
+  const exp = Math.floor(Date.now() / 1000) + MODULE_SIG_TTL;
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  const sig = hasher.digest("hex").slice(0, 16);
+  return `/modules/${filename}?sig=${sig}&exp=${exp}`;
+}
+
+function verifyModuleSignature(filename: string, sig: string | null, exp: string | null): boolean {
+  if (!sig || !exp) return false;
+  if (Number(exp) < Date.now() / 1000) return false;
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  return hasher.digest("hex").slice(0, 16) === sig;
+}
+
+/** Decode JWT payload without verification (for module manifest filtering).
+ *  Normalizes tokenName → tokenType to match TokenPayload interface. */
+function decodeTokenPayload(jwt: string): any | null {
+  try {
+    const parts = jwt.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(atob(parts[1]));
+    return {
+      tokenType: payload.tokenName ?? payload.tokenType,
+      params: payload.params || {},
+      iat: payload.iat,
+      exp: payload.exp,
+    };
+  } catch {
+    return null;
+  }
+}
+
+/** Parse X-Arc-Tokens header: "scope1:jwt1,scope2:jwt2" → decoded payloads array */
+function parseArcTokensHeader(header: string | null): any[] {
+  if (!header) return [];
+  const payloads: any[] = [];
+  for (const entry of header.split(",")) {
+    const colonIdx = entry.indexOf(":");
+    if (colonIdx < 0) continue;
+    const jwt = entry.slice(colonIdx + 1);
+    const payload = decodeTokenPayload(jwt);
+    if (payload) payloads.push(payload);
+  }
+  return payloads;
+}
+
+async function filterManifestForTokens(
+  manifest: BuildManifest,
+  moduleAccessMap: Map<string, ModuleAccess>,
+  tokenPayloads: any[],
+): Promise<BuildManifest> {
+  const filtered: ModuleEntry[] = [];
+
+  console.log(`[arc:modules] Filtering ${manifest.modules.length} modules with ${tokenPayloads.length} token(s):`,
+    tokenPayloads.map(t => `${t.tokenType}(${JSON.stringify(t.params)})`).join(", ") || "none");
+  console.log(`[arc:modules] Protected modules:`, [...moduleAccessMap.keys()].join(", ") || "none");
+
+  for (const mod of manifest.modules) {
+    const access = moduleAccessMap.get(mod.name);
+
+    if (!access) {
+      filtered.push(mod);
+      continue;
+    }
+
+    if (tokenPayloads.length === 0) {
+      console.log(`[arc:modules] ${mod.name}: SKIP (no tokens)`);
+      continue;
+    }
+
+    let granted = false;
+    for (const rule of access.rules) {
+      const matching = tokenPayloads.find(
+        (t) => t.tokenType === rule.token.name,
+      );
+      if (matching) {
+        granted = rule.check ? await rule.check(matching) : true;
+        console.log(`[arc:modules] ${mod.name}: rule ${rule.token.name} matched token, check=${granted}`);
+        if (granted) break;
+      } else {
+        console.log(`[arc:modules] ${mod.name}: rule needs "${rule.token.name}", no matching token (have: ${tokenPayloads.map(t => t.tokenType).join(",")})`);
+      }
+    }
+
+    if (granted) {
+      filtered.push({ ...mod, url: signModuleUrl(mod.file) } as any);
+    }
+  }
+
+  console.log(`[arc:modules] Result: ${filtered.map(m => m.name).join(", ")}`);
+  return { modules: filtered, buildTime: manifest.buildTime };
+}
+
 // ---------------------------------------------------------------------------
 // Platform-specific HTTP handlers
 // ---------------------------------------------------------------------------
 
-function staticFilesHandler(ws: WorkspaceInfo, devMode: boolean): ArcHttpHandler {
+function staticFilesHandler(
+  ws: WorkspaceInfo,
+  devMode: boolean,
+  moduleAccessMap: Map<string, ModuleAccess>,
+): ArcHttpHandler {
   return (_req, url, ctx) => {
     const path = url.pathname;
     if (path.startsWith("/shell/"))
       return serveFile(join(ws.shellDir, path.slice(7)), ctx.corsHeaders);
-    if (path.startsWith("/modules/"))
-      return serveFile(join(ws.modulesDir, path.slice(9)), {
+    if (path.startsWith("/modules/")) {
+      const fileWithParams = path.slice(9);
+      const filename = fileWithParams.split("?")[0];
+      const moduleName = filename.replace(/\.js$/, "");
+
+      // Check access for protected modules
+      if (moduleAccessMap.has(moduleName)) {
+        const sig = url.searchParams.get("sig");
+        const exp = url.searchParams.get("exp");
+        if (!verifyModuleSignature(filename, sig, exp)) {
+          return new Response("Forbidden", { status: 403, headers: ctx.corsHeaders });
+        }
+      }
+
+      return serveFile(join(ws.modulesDir, filename), {
         ...ctx.corsHeaders,
         "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
       });
+    }
     if (path.startsWith("/locales/"))
       return serveFile(join(ws.arcDir, path.slice(1)), ctx.corsHeaders);
     if (path === "/styles.css")
@@ -185,10 +314,20 @@ function apiEndpointsHandler(
   ws: WorkspaceInfo,
   getManifest: () => BuildManifest,
   cm: ConnectionManager | null,
+  moduleAccessMap: Map<string, ModuleAccess>,
 ): ArcHttpHandler {
-  return (_req, url, ctx) => {
-    if (url.pathname === "/api/modules")
-      return Response.json(getManifest(), { headers: ctx.corsHeaders });
+  return (req, url, ctx) => {
+    if (url.pathname === "/api/modules") {
+      // Parse all tokens from X-Arc-Tokens header + Authorization fallback
+      const arcTokensHeader = req.headers.get("X-Arc-Tokens");
+      let payloads = parseArcTokensHeader(arcTokensHeader);
+      // Fallback: if no X-Arc-Tokens, use the single token from Authorization
+      if (payloads.length === 0 && ctx.tokenPayload) {
+        payloads = [ctx.tokenPayload];
+      }
+      return filterManifestForTokens(getManifest(), moduleAccessMap, payloads)
+        .then((filtered) => Response.json(filtered, { headers: ctx.corsHeaders }));
+    }
 
     if (url.pathname === "/api/translations") {
       const config = readTranslationsConfig(ws.rootDir);
@@ -255,10 +394,11 @@ export async function startPlatformServer(
   opts: PlatformServerOptions,
 ): Promise<PlatformServer> {
   const { ws, port, devMode, context } = opts;
+  const moduleAccessMap = opts.moduleAccess ?? new Map();
   let manifest = opts.manifest;
   const getManifest = () => manifest;
 
-  const shellHtml = generateShellHtml(ws.appName, ws.manifest);
+  const shellHtml = generateShellHtml(ws.appName, ws.manifest, opts.arcEntries);
   const sseClients = new Set<ReadableStreamDefaultController>();
 
   if (!context) {
@@ -267,7 +407,7 @@ export async function startPlatformServer(
       "Access-Control-Allow-Origin": "*",
       "Access-Control-Allow-Methods":
         "GET, POST, PUT, DELETE, PATCH, OPTIONS",
-      "Access-Control-Allow-Headers": "Content-Type, Authorization",
+      "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Arc-Tokens",
     };
 
     const server = Bun.serve({
@@ -285,9 +425,9 @@ export async function startPlatformServer(
 
         // Platform handlers only
         const handlers: ArcHttpHandler[] = [
-          apiEndpointsHandler(ws, getManifest, null),
+          apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
           ...(devMode ? [devReloadHandler(sseClients)] : []),
-          staticFilesHandler(ws, !!devMode),
+          staticFilesHandler(ws, !!devMode, moduleAccessMap),
           spaFallbackHandler(shellHtml),
         ];
 
@@ -331,9 +471,9 @@ export async function startPlatformServer(
     port,
     httpHandlers: [
       // Platform-specific handlers (checked AFTER arc handlers)
-      apiEndpointsHandler(ws, getManifest, null),
+      apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
       ...(devMode ? [devReloadHandler(sseClients)] : []),
-      staticFilesHandler(ws, !!devMode),
+      staticFilesHandler(ws, !!devMode, moduleAccessMap),
       spaFallbackHandler(shellHtml),
     ],
     onWsClose: (clientId) => cleanupClientSubs(clientId),