@arcote.tech/arc-cli 0.4.7 → 0.4.8

package/dist/index.js

@@ -13529,14 +13529,23 @@ function apply(state, patches, applyOptions) {
 function hasLocalStorage() {
   return typeof localStorage !== "undefined";
 }
+function notifyTokenChange(scope) {
+  if (typeof window !== "undefined") {
+    queueMicrotask(() => {
+      window.dispatchEvent(new CustomEvent("arc:token-change", { detail: { scope } }));
+    });
+  }
+}
 
 class AuthAdapter {
   scopes = new Map;
   setToken(token, scope = "default") {
     if (!token) {
       this.scopes.delete(scope);
-      if (hasLocalStorage())
+      if (hasLocalStorage()) {
         localStorage.removeItem(TOKEN_PREFIX + scope);
+        notifyTokenChange(scope);
+      }
       return;
     }
     try {
@@ -13557,8 +13566,10 @@ class AuthAdapter {
           exp: payload.exp
         }
       });
-      if (hasLocalStorage())
+      if (hasLocalStorage()) {
         localStorage.setItem(TOKEN_PREFIX + scope, token);
+        notifyTokenChange(scope);
+      }
     } catch {
       this.scopes.delete(scope);
       if (hasLocalStorage())
@@ -17501,10 +17512,10 @@ var {
   Help
 } = import__.default;
 
-// ../../node_modules/find-up/index.js
+// node_modules/find-up/index.js
 import path2 from "node:path";
 
-// ../../node_modules/locate-path/index.js
+// node_modules/find-up/node_modules/locate-path/index.js
 import process2 from "node:process";
 import path from "node:path";
 import fs, { promises as fsPromises } from "node:fs";
@@ -17550,7 +17561,7 @@ function toPath2(urlOrPath) {
   return urlOrPath instanceof URL ? fileURLToPath2(urlOrPath) : urlOrPath;
 }
 
-// ../../node_modules/find-up/index.js
+// node_modules/find-up/index.js
 var findUpStop = Symbol("findUpStop");
 function findUpMultipleSync(name, options = {}) {
   let directory = path2.resolve(toPath2(options.cwd) ?? "");
@@ -26121,11 +26132,28 @@ async function buildAll(ws) {
     }
   }
   log2("Building shell...");
-  await buildShell(ws.shellDir);
+  await buildShell(ws.shellDir, ws.packages);
   ok("Shell built");
   return manifest;
 }
-async function buildShell(outDir) {
+function collectArcPeerDeps(packages) {
+  const seen = new Set;
+  for (const pkg of ["@arcote.tech/arc", "@arcote.tech/arc-ds", "@arcote.tech/arc-react", "@arcote.tech/platform"]) {
+    seen.add(pkg);
+  }
+  for (const wp of packages) {
+    const peerDeps = wp.packageJson.peerDependencies ?? {};
+    for (const dep of Object.keys(peerDeps)) {
+      if (dep.startsWith("@arcote.tech/"))
+        seen.add(dep);
+    }
+  }
+  return [...seen].map((pkg) => {
+    const short = pkg === "@arcote.tech/platform" ? "platform" : pkg.replace("@arcote.tech/", "");
+    return [short, pkg];
+  });
+}
+async function buildShell(outDir, packages) {
   mkdirSync6(outDir, { recursive: true });
   const tmpDir = join7(outDir, "_tmp");
   mkdirSync6(tmpDir, { recursive: true });
@@ -26178,13 +26206,10 @@ export const { createPortal, flushSync } = ReactDOM;`
       console.error(l);
     throw new Error("Shell React build failed");
   }
-  const arcEntries = [
+  const arcEntries = packages ? collectArcPeerDeps(packages) : [
     ["arc", "@arcote.tech/arc"],
     ["arc-ds", "@arcote.tech/arc-ds"],
     ["arc-react", "@arcote.tech/arc-react"],
-    ["arc-auth", "@arcote.tech/arc-auth"],
-    ["arc-utils", "@arcote.tech/arc-utils"],
-    ["arc-workspace", "@arcote.tech/arc-workspace"],
     ["platform", "@arcote.tech/platform"]
   ];
   const baseExternal = [
@@ -27580,7 +27605,7 @@ async function createArcServer(config) {
   const corsHeaders = {
     "Access-Control-Allow-Origin": "*",
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Arc-Scope"
+    "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Arc-Scope, X-Arc-Tokens"
   };
   function verifyToken(token) {
     try {
@@ -27699,7 +27724,13 @@ async function createArcServer(config) {
 // src/platform/server.ts
 import { existsSync as existsSync7, mkdirSync as mkdirSync7 } from "node:fs";
 import { join as join8 } from "node:path";
-function generateShellHtml(appName, manifest) {
+function generateShellHtml(appName, manifest, arcEntries) {
+  const arcImports = {};
+  if (arcEntries) {
+    for (const [short, pkg] of arcEntries) {
+      arcImports[pkg] = `/shell/${short}.js`;
+    }
+  }
   const importMap = {
     imports: {
       react: "/shell/react.js",
@@ -27707,13 +27738,7 @@ function generateShellHtml(appName, manifest) {
       "react/jsx-dev-runtime": "/shell/jsx-dev-runtime.js",
       "react-dom": "/shell/react-dom.js",
       "react-dom/client": "/shell/react-dom-client.js",
-      "@arcote.tech/arc": "/shell/arc.js",
-      "@arcote.tech/arc-ds": "/shell/arc-ds.js",
-      "@arcote.tech/arc-react": "/shell/arc-react.js",
-      "@arcote.tech/arc-auth": "/shell/arc-auth.js",
-      "@arcote.tech/arc-utils": "/shell/arc-utils.js",
-      "@arcote.tech/arc-workspace": "/shell/arc-workspace.js",
-      "@arcote.tech/platform": "/shell/platform.js"
+      ...arcImports
     }
   };
   return `<!doctype html>
@@ -27785,28 +27810,68 @@ function verifyModuleSignature(filename, sig, exp) {
   hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
   return hasher.digest("hex").slice(0, 16) === sig;
 }
-async function filterManifestForToken(manifest, moduleAccessMap, tokenPayload) {
+function decodeTokenPayload(jwt2) {
+  try {
+    const parts = jwt2.split(".");
+    if (parts.length !== 3)
+      return null;
+    const payload = JSON.parse(atob(parts[1]));
+    return {
+      tokenType: payload.tokenName ?? payload.tokenType,
+      params: payload.params || {},
+      iat: payload.iat,
+      exp: payload.exp
+    };
+  } catch {
+    return null;
+  }
+}
+function parseArcTokensHeader(header) {
+  if (!header)
+    return [];
+  const payloads = [];
+  for (const entry of header.split(",")) {
+    const colonIdx = entry.indexOf(":");
+    if (colonIdx < 0)
+      continue;
+    const jwt2 = entry.slice(colonIdx + 1);
+    const payload = decodeTokenPayload(jwt2);
+    if (payload)
+      payloads.push(payload);
+  }
+  return payloads;
+}
+async function filterManifestForTokens(manifest, moduleAccessMap, tokenPayloads) {
   const filtered = [];
+  console.log(`[arc:modules] Filtering ${manifest.modules.length} modules with ${tokenPayloads.length} token(s):`, tokenPayloads.map((t) => `${t.tokenType}(${JSON.stringify(t.params)})`).join(", ") || "none");
+  console.log(`[arc:modules] Protected modules:`, [...moduleAccessMap.keys()].join(", ") || "none");
   for (const mod of manifest.modules) {
     const access = moduleAccessMap.get(mod.name);
     if (!access) {
       filtered.push(mod);
       continue;
     }
-    if (!tokenPayload)
+    if (tokenPayloads.length === 0) {
+      console.log(`[arc:modules] ${mod.name}: SKIP (no tokens)`);
       continue;
+    }
     let granted = false;
     for (const rule of access.rules) {
-      if (tokenPayload.tokenType === rule.token.name) {
-        granted = rule.check ? await rule.check(tokenPayload) : true;
+      const matching = tokenPayloads.find((t) => t.tokenType === rule.token.name);
+      if (matching) {
+        granted = rule.check ? await rule.check(matching) : true;
+        console.log(`[arc:modules] ${mod.name}: rule ${rule.token.name} matched token, check=${granted}`);
         if (granted)
           break;
+      } else {
+        console.log(`[arc:modules] ${mod.name}: rule needs "${rule.token.name}", no matching token (have: ${tokenPayloads.map((t) => t.tokenType).join(",")})`);
       }
     }
     if (granted) {
       filtered.push({ ...mod, url: signModuleUrl(mod.file) });
     }
   }
+  console.log(`[arc:modules] Result: ${filtered.map((m2) => m2.name).join(", ")}`);
   return { modules: filtered, buildTime: manifest.buildTime };
 }
 function staticFilesHandler(ws, devMode, moduleAccessMap) {
@@ -27848,9 +27913,14 @@ function staticFilesHandler(ws, devMode, moduleAccessMap) {
   };
 }
 function apiEndpointsHandler(ws, getManifest, cm, moduleAccessMap) {
-  return (_req, url, ctx) => {
+  return (req, url, ctx) => {
     if (url.pathname === "/api/modules") {
-      return filterManifestForToken(getManifest(), moduleAccessMap, ctx.tokenPayload).then((filtered) => Response.json(filtered, { headers: ctx.corsHeaders }));
+      const arcTokensHeader = req.headers.get("X-Arc-Tokens");
+      let payloads = parseArcTokensHeader(arcTokensHeader);
+      if (payloads.length === 0 && ctx.tokenPayload) {
+        payloads = [ctx.tokenPayload];
+      }
+      return filterManifestForTokens(getManifest(), moduleAccessMap, payloads).then((filtered) => Response.json(filtered, { headers: ctx.corsHeaders }));
     }
     if (url.pathname === "/api/translations") {
       const config = readTranslationsConfig(ws.rootDir);
@@ -27905,13 +27975,13 @@ async function startPlatformServer(opts) {
   const moduleAccessMap = opts.moduleAccess ?? new Map;
   let manifest = opts.manifest;
   const getManifest = () => manifest;
-  const shellHtml = generateShellHtml(ws.appName, ws.manifest);
+  const shellHtml = generateShellHtml(ws.appName, ws.manifest, opts.arcEntries);
   const sseClients = new Set;
   if (!context) {
     const cors = {
       "Access-Control-Allow-Origin": "*",
       "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
-      "Access-Control-Allow-Headers": "Content-Type, Authorization"
+      "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Arc-Tokens"
     };
     const server = Bun.serve({
       port,
@@ -28014,6 +28084,7 @@ async function platformDev() {
   } else {
     log2("No context \u2014 server endpoints skipped");
   }
+  const arcEntries = collectArcPeerDeps(ws.packages);
   const platform3 = await startPlatformServer({
     ws,
     port,
@@ -28021,7 +28092,8 @@ async function platformDev() {
     context,
     moduleAccess,
     dbPath: join9(ws.rootDir, ".arc", "data", "dev.db"),
-    devMode: true
+    devMode: true,
+    arcEntries
   });
   ok(`Server on http://localhost:${port}`);
   if (platform3.contextHandler)
@@ -28105,6 +28177,7 @@ async function platformStart() {
   } else {
     log2("No context \u2014 server endpoints skipped");
   }
+  const arcEntries = collectArcPeerDeps(ws.packages);
   const platform3 = await startPlatformServer({
     ws,
     port,
@@ -28112,7 +28185,8 @@ async function platformStart() {
     context,
     moduleAccess,
     dbPath: join10(ws.rootDir, ".arc", "data", "prod.db"),
-    devMode: false
+    devMode: false,
+    arcEntries
   });
   ok(`Server on http://localhost:${port}`);
   if (platform3.contextHandler)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-cli",
-  "version": "0.4.7",
+  "version": "0.4.8",
   "description": "CLI tool for Arc framework",
   "module": "index.ts",
   "main": "dist/index.js",

package/src/commands/platform-dev.ts

@@ -6,6 +6,7 @@ import {
   buildAll,
   buildPackages,
   buildStyles,
+  collectArcPeerDeps,
   loadServerContext,
   log,
   ok,
@@ -29,6 +30,7 @@ export async function platformDev(): Promise<void> {
   }
 
   // Start server (dev mode = SSE reload + no-cache)
+  const arcEntries = collectArcPeerDeps(ws.packages);
   const platform = await startPlatformServer({
     ws,
     port,
@@ -37,6 +39,7 @@ export async function platformDev(): Promise<void> {
     moduleAccess,
     dbPath: join(ws.rootDir, ".arc", "data", "dev.db"),
     devMode: true,
+    arcEntries,
   });
 
   ok(`Server on http://localhost:${port}`);

package/src/commands/platform-start.ts

@@ -2,6 +2,7 @@ import { existsSync, readFileSync } from "fs";
 import { join } from "path";
 import { startPlatformServer } from "../platform/server";
 import {
+  collectArcPeerDeps,
   err,
   loadServerContext,
   log,
@@ -34,6 +35,7 @@ export async function platformStart(): Promise<void> {
   }
 
   // Start server (production mode = no SSE reload, aggressive caching)
+  const arcEntries = collectArcPeerDeps(ws.packages);
   const platform = await startPlatformServer({
     ws,
     port,
@@ -42,6 +44,7 @@ export async function platformStart(): Promise<void> {
     moduleAccess,
     dbPath: join(ws.rootDir, ".arc", "data", "prod.db"),
     devMode: false,
+    arcEntries,
   });
 
   ok(`Server on http://localhost:${port}`);

package/src/platform/server.ts

@@ -30,6 +30,8 @@ export interface PlatformServerOptions {
   dbPath?: string;
   /** If true, enables SSE reload stream + mutable manifest (dev mode) */
   devMode?: boolean;
+  /** Arc shell entries [shortName, fullPkgName][] for import map. Auto-detected if omitted. */
+  arcEntries?: [string, string][];
 }
 
 export interface PlatformServer {
@@ -69,7 +71,17 @@ export async function initContextHandler(
 // Shell HTML
 // ---------------------------------------------------------------------------
 
-export function generateShellHtml(appName: string, manifest?: { title: string; favicon?: string }): string {
+export function generateShellHtml(
+  appName: string,
+  manifest?: { title: string; favicon?: string },
+  arcEntries?: [string, string][],
+): string {
+  const arcImports: Record<string, string> = {};
+  if (arcEntries) {
+    for (const [short, pkg] of arcEntries) {
+      arcImports[pkg] = `/shell/${short}.js`;
+    }
+  }
   const importMap = {
     imports: {
       react: "/shell/react.js",
@@ -77,13 +89,7 @@ export function generateShellHtml(appName: string, manifest?: { title: string; f
       "react/jsx-dev-runtime": "/shell/jsx-dev-runtime.js",
       "react-dom": "/shell/react-dom.js",
       "react-dom/client": "/shell/react-dom-client.js",
-      "@arcote.tech/arc": "/shell/arc.js",
-      "@arcote.tech/arc-ds": "/shell/arc-ds.js",
-      "@arcote.tech/arc-react": "/shell/arc-react.js",
-      "@arcote.tech/arc-auth": "/shell/arc-auth.js",
-      "@arcote.tech/arc-utils": "/shell/arc-utils.js",
-      "@arcote.tech/arc-workspace": "/shell/arc-workspace.js",
-      "@arcote.tech/platform": "/shell/platform.js",
+      ...arcImports,
     },
   };
 
@@ -170,30 +176,73 @@ function verifyModuleSignature(filename: string, sig: string | null, exp: string
   return hasher.digest("hex").slice(0, 16) === sig;
 }
 
-async function filterManifestForToken(
+/** Decode JWT payload without verification (for module manifest filtering).
+ *  Normalizes tokenName → tokenType to match TokenPayload interface. */
+function decodeTokenPayload(jwt: string): any | null {
+  try {
+    const parts = jwt.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(atob(parts[1]));
+    return {
+      tokenType: payload.tokenName ?? payload.tokenType,
+      params: payload.params || {},
+      iat: payload.iat,
+      exp: payload.exp,
+    };
+  } catch {
+    return null;
+  }
+}
+
+/** Parse X-Arc-Tokens header: "scope1:jwt1,scope2:jwt2" → decoded payloads array */
+function parseArcTokensHeader(header: string | null): any[] {
+  if (!header) return [];
+  const payloads: any[] = [];
+  for (const entry of header.split(",")) {
+    const colonIdx = entry.indexOf(":");
+    if (colonIdx < 0) continue;
+    const jwt = entry.slice(colonIdx + 1);
+    const payload = decodeTokenPayload(jwt);
+    if (payload) payloads.push(payload);
+  }
+  return payloads;
+}
+
+async function filterManifestForTokens(
   manifest: BuildManifest,
   moduleAccessMap: Map<string, ModuleAccess>,
-  tokenPayload: any,
+  tokenPayloads: any[],
 ): Promise<BuildManifest> {
   const filtered: ModuleEntry[] = [];
 
+  console.log(`[arc:modules] Filtering ${manifest.modules.length} modules with ${tokenPayloads.length} token(s):`,
+    tokenPayloads.map(t => `${t.tokenType}(${JSON.stringify(t.params)})`).join(", ") || "none");
+  console.log(`[arc:modules] Protected modules:`, [...moduleAccessMap.keys()].join(", ") || "none");
+
   for (const mod of manifest.modules) {
     const access = moduleAccessMap.get(mod.name);
 
     if (!access) {
-      // Public module — always include
       filtered.push(mod);
       continue;
     }
 
-    // Protected module — check if token grants access
-    if (!tokenPayload) continue;
+    if (tokenPayloads.length === 0) {
+      console.log(`[arc:modules] ${mod.name}: SKIP (no tokens)`);
+      continue;
+    }
 
     let granted = false;
     for (const rule of access.rules) {
-      if (tokenPayload.tokenType === rule.token.name) {
-        granted = rule.check ? await rule.check(tokenPayload) : true;
+      const matching = tokenPayloads.find(
+        (t) => t.tokenType === rule.token.name,
+      );
+      if (matching) {
+        granted = rule.check ? await rule.check(matching) : true;
+        console.log(`[arc:modules] ${mod.name}: rule ${rule.token.name} matched token, check=${granted}`);
         if (granted) break;
+      } else {
+        console.log(`[arc:modules] ${mod.name}: rule needs "${rule.token.name}", no matching token (have: ${tokenPayloads.map(t => t.tokenType).join(",")})`);
       }
     }
 
@@ -202,6 +251,7 @@ async function filterManifestForToken(
     }
   }
 
+  console.log(`[arc:modules] Result: ${filtered.map(m => m.name).join(", ")}`);
   return { modules: filtered, buildTime: manifest.buildTime };
 }
 
@@ -266,10 +316,16 @@ function apiEndpointsHandler(
   cm: ConnectionManager | null,
   moduleAccessMap: Map<string, ModuleAccess>,
 ): ArcHttpHandler {
-  return (_req, url, ctx) => {
+  return (req, url, ctx) => {
     if (url.pathname === "/api/modules") {
-      // Filter manifest based on token — protected modules only for authorized users
-      return filterManifestForToken(getManifest(), moduleAccessMap, ctx.tokenPayload)
+      // Parse all tokens from X-Arc-Tokens header + Authorization fallback
+      const arcTokensHeader = req.headers.get("X-Arc-Tokens");
+      let payloads = parseArcTokensHeader(arcTokensHeader);
+      // Fallback: if no X-Arc-Tokens, use the single token from Authorization
+      if (payloads.length === 0 && ctx.tokenPayload) {
+        payloads = [ctx.tokenPayload];
+      }
+      return filterManifestForTokens(getManifest(), moduleAccessMap, payloads)
         .then((filtered) => Response.json(filtered, { headers: ctx.corsHeaders }));
     }
 
@@ -342,7 +398,7 @@ export async function startPlatformServer(
   let manifest = opts.manifest;
   const getManifest = () => manifest;
 
-  const shellHtml = generateShellHtml(ws.appName, ws.manifest);
+  const shellHtml = generateShellHtml(ws.appName, ws.manifest, opts.arcEntries);
   const sseClients = new Set<ReadableStreamDefaultController>();
 
   if (!context) {
@@ -351,7 +407,7 @@ export async function startPlatformServer(
       "Access-Control-Allow-Origin": "*",
       "Access-Control-Allow-Methods":
         "GET, POST, PUT, DELETE, PATCH, OPTIONS",
-      "Access-Control-Allow-Headers": "Content-Type, Authorization",
+      "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Arc-Tokens",
     };
 
     const server = Bun.serve({

package/src/platform/shared.ts

@@ -135,7 +135,7 @@ export async function buildAll(ws: WorkspaceInfo): Promise<BuildManifest> {
   }
 
   log("Building shell...");
-  await buildShell(ws.shellDir);
+  await buildShell(ws.shellDir, ws.packages);
   ok("Shell built");
 
   return manifest;
@@ -145,7 +145,30 @@ export async function buildAll(ws: WorkspaceInfo): Promise<BuildManifest> {
 // Shell builder — framework packages for import map
 // ---------------------------------------------------------------------------
 
-async function buildShell(outDir: string): Promise<void> {
+/** Collect all @arcote.tech/* peerDependencies from workspace packages. */
+export function collectArcPeerDeps(packages: WorkspacePackage[]): [string, string][] {
+  const seen = new Set<string>();
+  // Always include core framework packages
+  for (const pkg of ["@arcote.tech/arc", "@arcote.tech/arc-ds", "@arcote.tech/arc-react", "@arcote.tech/platform"]) {
+    seen.add(pkg);
+  }
+  // Scan all workspace packages for @arcote.tech/* peerDeps
+  for (const wp of packages) {
+    const peerDeps = wp.packageJson.peerDependencies ?? {};
+    for (const dep of Object.keys(peerDeps)) {
+      if (dep.startsWith("@arcote.tech/")) seen.add(dep);
+    }
+  }
+  // Convert to [shortName, fullName] entries
+  return [...seen].map((pkg) => {
+    const short = pkg === "@arcote.tech/platform"
+      ? "platform"
+      : pkg.replace("@arcote.tech/", "");
+    return [short, pkg];
+  });
+}
+
+async function buildShell(outDir: string, packages?: WorkspacePackage[]): Promise<void> {
   mkdirSync(outDir, { recursive: true });
   const tmpDir = join(outDir, "_tmp");
   mkdirSync(tmpDir, { recursive: true });
@@ -203,15 +226,16 @@ export const { createPortal, flushSync } = ReactDOM;`,
   }
 
   // Step 2: Build Arc layer (react is EXTERNAL — resolved via import map)
-  const arcEntries: [string, string][] = [
-    ["arc", "@arcote.tech/arc"],
-    ["arc-ds", "@arcote.tech/arc-ds"],
-    ["arc-react", "@arcote.tech/arc-react"],
-    ["arc-auth", "@arcote.tech/arc-auth"],
-    ["arc-utils", "@arcote.tech/arc-utils"],
-    ["arc-workspace", "@arcote.tech/arc-workspace"],
-    ["platform", "@arcote.tech/platform"],
-  ];
+  // Dynamically collect only @arcote.tech/* packages actually used by workspace
+  const arcEntries = packages
+    ? collectArcPeerDeps(packages)
+    : [
+        // Fallback: core packages only (no workspace packages available)
+        ["arc", "@arcote.tech/arc"],
+        ["arc-ds", "@arcote.tech/arc-ds"],
+        ["arc-react", "@arcote.tech/arc-react"],
+        ["platform", "@arcote.tech/platform"],
+      ] as [string, string][];
 
   const baseExternal = [
     "react",