@arcote.tech/arc-cli 0.6.1 → 0.7.0

package/src/deploy/ssh.ts

@@ -20,23 +20,17 @@ export interface SshExecResult {
   exitCode: number;
 }
 
-function baseSshArgs(target: DeployTarget): string[] {
-  // IdentitiesOnly=yes pins auth to the explicit key. Without it ssh-agent
-  // offers every loaded identity and trips MaxAuthTries on hardened sshd
-  // (ansible's sshd hardening + fail2ban lowers the threshold).
-  const key = target.sshKey ?? `${process.env.HOME}/.ssh/id_ed25519`;
-  return [
+export function baseSshArgs(target: DeployTarget): string[] {
+  const args = [
     "-o",
     "BatchMode=yes",
     "-o",
     "StrictHostKeyChecking=accept-new",
-    "-o",
-    "IdentitiesOnly=yes",
-    "-i",
-    key,
     "-p",
     String(target.port),
   ];
+  if (target.sshKey) args.push("-i", target.sshKey);
+  return args;
 }
 
 /**
@@ -121,19 +115,15 @@ export async function scpUpload(
   localPath: string,
   remotePath: string,
 ): Promise<void> {
-  const key = target.sshKey ?? `${process.env.HOME}/.ssh/id_ed25519`;
   const args = [
     "-o",
     "BatchMode=yes",
     "-o",
     "StrictHostKeyChecking=accept-new",
-    "-o",
-    "IdentitiesOnly=yes",
-    "-i",
-    key,
     "-P",
     String(target.port),
   ];
+  if (target.sshKey) args.push("-i", target.sshKey);
   args.push(localPath, `${target.user}@${target.host}:${remotePath}`);
 
   const proc = spawn({ cmd: ["scp", ...args], stderr: "pipe" });
@@ -145,112 +135,3 @@ export async function scpUpload(
     throw new Error(`scp failed (${exitCode}): ${stderr}`);
   }
 }
-
-/**
- * Rsync a directory to the remote host (preserving permissions, deleting stale files).
- *
- * `-L` dereferences symlinks on the source side. This is essential because Arc
- * projects typically use `bun link` for framework packages — `node_modules/@arcote.tech/*`
- * and workspace `@ndt/*` packages are symlinks pointing at paths that don't
- * exist on the remote host. Without `-L`, rsync copies them as dangling
- * symlinks and the container can't resolve `node_modules/.bin/arc`.
- */
-export async function rsyncDir(
-  target: DeployTarget,
-  localDir: string,
-  remoteDir: string,
-  opts: { delete?: boolean } = {},
-): Promise<void> {
-  const sshCmdParts = ["ssh", "-p", String(target.port)];
-  if (target.sshKey) sshCmdParts.push("-i", target.sshKey);
-  const sshCmd = sshCmdParts.join(" ");
-
-  const args: string[] = ["-azL", "-e", sshCmd];
-  if (opts.delete) args.push("--delete");
-  // Trailing slash: sync contents, not the dir itself
-  const src = localDir.endsWith("/") ? localDir : `${localDir}/`;
-  args.push(src, `${target.user}@${target.host}:${remoteDir}`);
-
-  const proc = spawn({
-    cmd: ["rsync", ...args],
-    stderr: "pipe",
-    stdout: "pipe",
-  });
-  const [stderr, exitCode] = await Promise.all([
-    streamToString(proc.stderr),
-    proc.exited,
-  ]);
-  if (exitCode !== 0) {
-    throw new Error(`rsync failed (${exitCode}): ${stderr}`);
-  }
-}
-
-/**
- * Open an SSH -L tunnel. Returns a Disposable-like object with `.close()`.
- * Caller MUST call close() (or use `using` in Bun) to release the tunnel.
- */
-export interface SshTunnel {
-  localPort: number;
-  close(): void;
-}
-
-export async function openTunnel(
-  target: DeployTarget,
-  localPort: number,
-  remoteHost: string,
-  remotePort: number,
-): Promise<SshTunnel> {
-  const args = [
-    ...baseSshArgs(target),
-    "-N",
-    "-L",
-    `${localPort}:${remoteHost}:${remotePort}`,
-    `${target.user}@${target.host}`,
-  ];
-  const proc = spawn({
-    cmd: ["ssh", ...args],
-    stdin: "ignore",
-    stdout: "pipe",
-    stderr: "pipe",
-  });
-  // Wait briefly for the tunnel to establish. ssh prints nothing on success
-  // with -N, so we poll a TCP connect on localPort.
-  const deadline = Date.now() + 10_000;
-  let lastErr: unknown;
-  while (Date.now() < deadline) {
-    if (proc.exitCode !== null) {
-      const stderr = await streamToString(proc.stderr);
-      throw new Error(`ssh tunnel exited early: ${stderr}`);
-    }
-    try {
-      const probe = await Bun.connect({
-        hostname: "127.0.0.1",
-        port: localPort,
-        socket: { data() {}, open() {}, close() {}, error() {} },
-      });
-      probe.end();
-      return {
-        localPort,
-        close() {
-          try {
-            proc.kill();
-          } catch {
-            // ignore
-          }
-        },
-      };
-    } catch (e) {
-      lastErr = e;
-      await Bun.sleep(200);
-    }
-  }
-  try {
-    proc.kill();
-  } catch {
-    // ignore
-  }
-  throw new Error(
-    `Failed to establish SSH tunnel on localhost:${localPort}: ${String(lastErr)}`,
-  );
-}
-

package/src/deploy/survey.ts

@@ -151,6 +151,55 @@ export async function runSurvey(): Promise<DeployConfig> {
   })) as string;
   if (clack.isCancel(email)) cancel();
 
+  // Phase 6: Private Docker Registry
+  clack.note(
+    "The host runs a private Docker registry behind Caddy.\nCreate an A record for the registry domain pointing to your host before deploy.",
+    "Registry",
+  );
+  const registryDomain = (await clack.text({
+    message: "Registry domain (full FQDN)",
+    placeholder: "registry.example.com",
+    validate: (v) =>
+      /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(v) ? undefined : "Expected a domain",
+  })) as string;
+  if (clack.isCancel(registryDomain)) cancel();
+
+  const registryUser = (await clack.text({
+    message: "Registry username",
+    initialValue: "deploy",
+    validate: (v) =>
+      /^[a-z_][a-z0-9_-]*$/.test(v) ? undefined : "Invalid username",
+  })) as string;
+  if (clack.isCancel(registryUser)) cancel();
+
+  const registryPasswordEnv = (await clack.text({
+    message: "Env var holding the registry password",
+    initialValue: "ARC_REGISTRY_PASSWORD",
+    validate: (v) =>
+      /^[A-Z][A-Z0-9_]*$/.test(v)
+        ? undefined
+        : "Must be UPPER_SNAKE_CASE",
+  })) as string;
+  if (clack.isCancel(registryPasswordEnv)) cancel();
+
+  const generatePassword = (await clack.confirm({
+    message: "Generate a random password now?",
+    initialValue: true,
+  })) as boolean;
+  if (clack.isCancel(generatePassword)) cancel();
+  if (generatePassword) {
+    const random = generateRandomPassword(32);
+    clack.note(
+      `Save this password — you'll need it on every deploy.\n\n  export ${registryPasswordEnv}=${random}\n\nThis prompt is the only time it's shown.`,
+      "Registry password",
+    );
+  } else {
+    clack.note(
+      `Set ${registryPasswordEnv} in your shell before running deploy.`,
+      "Registry password",
+    );
+  }
+
   clack.outro("Configuration ready — writing deploy.arc.json");
 
   return {
@@ -162,10 +211,25 @@ export async function runSurvey(): Promise<DeployConfig> {
     },
     envs,
     caddy: { email },
+    registry: {
+      domain: registryDomain,
+      username: registryUser,
+      passwordEnv: registryPasswordEnv,
+    },
     provision,
   };
 }
 
+function generateRandomPassword(bytes: number): string {
+  // 32 random bytes → 43-char base64url. Plenty of entropy for a registry.
+  const buf = new Uint8Array(bytes);
+  crypto.getRandomValues(buf);
+  return btoa(String.fromCharCode(...buf))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+}
+
 function cancel(): never {
   clack.cancel("Cancelled.");
   process.exit(0);

package/src/index.ts

@@ -2,7 +2,6 @@
 
 import { Command } from "commander";
 import { build } from "./commands/build";
-import { buildShell } from "./commands/build-shell";
 import { dev } from "./commands/dev";
 import { platformBuild } from "./commands/platform-build";
 import { platformDeploy } from "./commands/platform-deploy";
@@ -59,20 +58,23 @@ platform
   )
   .option("--skip-build", "Skip local build step")
   .option("--rebuild", "Force rebuild before deploy")
-  .action((env: string | undefined, opts: { skipBuild?: boolean; rebuild?: boolean }) =>
-    platformDeploy(env, opts),
+  .option("--build-only", "Build the Docker image locally, then exit (no remote push)")
+  .option(
+    "--image-tag <hash>",
+    "Roll back / pin to an existing image tag instead of building a new one",
+  )
+  .action(
+    (
+      env: string | undefined,
+      opts: {
+        skipBuild?: boolean;
+        rebuild?: boolean;
+        buildOnly?: boolean;
+        imageTag?: string;
+      },
+    ) => platformDeploy(env, opts),
   );
 
-// Hidden subcommand used by the runtime container's entrypoint / API handlers.
-// Not shown in --help; runs against an installed node_modules tree to emit
-// browser shell bundles for the discovered framework peers.
-program
-  .command("_build-shell", { hidden: true })
-  .description("Build framework shell bundles from a node_modules dir")
-  .requiredOption("--out <dir>", "Output directory for shell .js bundles")
-  .requiredOption("--from <dir>", "node_modules directory to discover packages in")
-  .action((opts: { out: string; from: string }) => buildShell(opts));
-
 // Parse command line arguments
 program.parse(process.argv);
 

package/src/platform/server.ts

@@ -11,7 +11,6 @@ import {
 import { existsSync, mkdirSync } from "fs";
 import { join } from "path";
 import { readTranslationsConfig } from "../i18n";
-import { createDeployApiHandler } from "./deploy-api";
 import type { BuildManifest, ModuleDescriptor, WorkspaceInfo } from "./shared";
 import type { ModuleAccess } from "@arcote.tech/platform";
 
@@ -31,10 +30,6 @@ export interface PlatformServerOptions {
   dbPath?: string;
   /** If true, enables SSE reload stream + mutable manifest (dev mode) */
   devMode?: boolean;
-  /** If true, mounts /api/deploy/* endpoints for remote hot-swap. Off by default;
-   *  opt-in via ARC_DEPLOY_API=1 or explicit CLI flag. In production, network-layer
-   *  (Caddy + docker-compose port binding) restricts access to SSH tunnel only. */
-  deployApi?: boolean;
   /** Arc shell entries [shortName, fullPkgName][] for import map. Auto-detected if omitted. */
   arcEntries?: [string, string][];
 }
@@ -168,19 +163,30 @@ function serveFile(
 const MODULE_SIG_SECRET = process.env.ARC_MODULE_SECRET ?? crypto.randomUUID();
 const MODULE_SIG_TTL = 3600; // 1 hour
 
-function signModuleUrl(filename: string): string {
+/**
+ * Signed URL for a chunk-scoped module file. HMAC payload includes the chunk
+ * name so a sig minted for `/modules/admin/foo.js` cannot be replayed as
+ * `/modules/user/foo.js` — even if the same filename exists in both groups.
+ * Public chunks are NEVER signed (no protection needed).
+ */
+function signChunkUrl(chunk: string, file: string): string {
   const exp = Math.floor(Date.now() / 1000) + MODULE_SIG_TTL;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${chunk}/${file}:${exp}:${MODULE_SIG_SECRET}`);
   const sig = hasher.digest("hex").slice(0, 16);
-  return `/modules/${filename}?sig=${sig}&exp=${exp}`;
+  return `/modules/${chunk}/${file}?sig=${sig}&exp=${exp}`;
 }
 
-function verifyModuleSignature(filename: string, sig: string | null, exp: string | null): boolean {
+function verifyChunkSignature(
+  chunk: string,
+  file: string,
+  sig: string | null,
+  exp: string | null,
+): boolean {
   if (!sig || !exp) return false;
   if (Number(exp) < Date.now() / 1000) return false;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${chunk}/${file}:${exp}:${MODULE_SIG_SECRET}`);
   return hasher.digest("hex").slice(0, 16) === sig;
 }
 
@@ -216,40 +222,59 @@ function parseArcTokensHeader(header: string | null): any[] {
   return payloads;
 }
 
+/**
+ * Filter manifest to modules the caller's tokens grant access to. Two-stage
+ * check: chunk-level (token type matches chunk name → group is unlocked) +
+ * per-rule async `check` callback (if declared in `protectedBy(token, check)`).
+ *
+ * Public chunk modules pass unconditionally; non-public modules are returned
+ * with a signed URL (chunk-aware HMAC, 1h TTL) — the URL is what the browser
+ * fetches for the actual JS file.
+ */
 async function filterManifestForTokens(
   manifest: BuildManifest,
   moduleAccessMap: Map<string, ModuleAccess>,
   tokenPayloads: any[],
 ): Promise<BuildManifest> {
+  const allowedChunks = new Set<string>(["public"]);
+  for (const t of tokenPayloads) {
+    if (t?.tokenType) allowedChunks.add(t.tokenType);
+  }
+
   const filtered: ModuleDescriptor[] = [];
 
   for (const mod of manifest.modules) {
-    const access = moduleAccessMap.get(mod.name);
+    if (!allowedChunks.has(mod.chunk)) continue;
 
-    if (!access) {
+    if (mod.chunk === "public") {
       filtered.push(mod);
       continue;
     }
 
-    if (tokenPayloads.length === 0) continue;
-
-    let granted = false;
-    for (const rule of access.rules) {
-      const matching = tokenPayloads.find(
-        (t) => t.tokenType === rule.token.name,
-      );
-      if (matching) {
+    // Caller has the right token type — run per-rule `check` if declared.
+    const access = moduleAccessMap.get(mod.name);
+    let granted = true;
+    if (access && access.rules.length > 0) {
+      granted = false;
+      for (const rule of access.rules) {
+        if (rule.token.name !== mod.chunk) continue;
+        const matching = tokenPayloads.find(
+          (t) => t.tokenType === rule.token.name,
+        );
+        if (!matching) continue;
         granted = rule.check ? await rule.check(matching) : true;
         if (granted) break;
       }
     }
 
     if (granted) {
-      filtered.push({ ...mod, url: signModuleUrl(mod.file) });
+      filtered.push({ ...mod, url: signChunkUrl(mod.chunk, mod.file) });
     }
   }
+
   return {
     modules: filtered,
+    chunks: manifest.chunks,
     shellHash: manifest.shellHash,
     stylesHash: manifest.stylesHash,
     buildTime: manifest.buildTime,
@@ -260,30 +285,43 @@ async function filterManifestForTokens(
 // Platform-specific HTTP handlers
 // ---------------------------------------------------------------------------
 
+/** Chunk names must be alphanumeric + dash/underscore — defends against
+ *  path traversal in URL segments like `/modules/../../etc/passwd`. */
+const CHUNK_NAME_RE = /^[A-Za-z0-9_-]+$/;
+/** Module filenames are Bun.build outputs — `<safeName>.js` or `chunk-<hash>.js`. */
+const MODULE_FILE_RE = /^[A-Za-z0-9_.-]+\.js$/;
+
 function staticFilesHandler(
   ws: WorkspaceInfo,
   devMode: boolean,
-  moduleAccessMap: Map<string, ModuleAccess>,
 ): ArcHttpHandler {
   return (_req, url, ctx) => {
     const path = url.pathname;
     if (path.startsWith("/shell/"))
       return serveFile(join(ws.shellDir, path.slice(7)), ctx.corsHeaders);
     if (path.startsWith("/modules/")) {
-      const fileWithParams = path.slice(9);
-      const filename = fileWithParams.split("?")[0];
-      const moduleName = filename.replace(/\.js$/, "");
+      // Expected: /modules/<chunk>/<file>.js
+      const rest = path.slice(9);
+      const slash = rest.indexOf("/");
+      if (slash <= 0) {
+        return new Response("Not Found", { status: 404, headers: ctx.corsHeaders });
+      }
+      const chunk = rest.slice(0, slash);
+      const file = rest.slice(slash + 1);
 
-      // Check access for protected modules
-      if (moduleAccessMap.has(moduleName)) {
+      if (!CHUNK_NAME_RE.test(chunk) || !MODULE_FILE_RE.test(file)) {
+        return new Response("Not Found", { status: 404, headers: ctx.corsHeaders });
+      }
+
+      if (chunk !== "public") {
         const sig = url.searchParams.get("sig");
         const exp = url.searchParams.get("exp");
-        if (!verifyModuleSignature(filename, sig, exp)) {
+        if (!verifyChunkSignature(chunk, file, sig, exp)) {
           return new Response("Forbidden", { status: 403, headers: ctx.corsHeaders });
         }
       }
 
-      return serveFile(join(ws.modulesDir, filename), {
+      return serveFile(join(ws.modulesDir, chunk, file), {
         ...ctx.corsHeaders,
         "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
       });
@@ -418,17 +456,6 @@ export async function startPlatformServer(
     }
   };
 
-  const deployApiEnabled =
-    opts.deployApi ?? process.env.ARC_DEPLOY_API === "1";
-  const deployApiHandler = deployApiEnabled
-    ? createDeployApiHandler({
-        ws,
-        getManifest,
-        setManifest,
-        notifyReload,
-      })
-    : null;
-
   if (!context) {
     // No context — serve static files only (no WS/commands/queries)
     const cors = {
@@ -458,10 +485,9 @@ export async function startPlatformServer(
 
         // Platform handlers only
         const handlers: ArcHttpHandler[] = [
-          ...(deployApiHandler ? [deployApiHandler] : []),
           apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
           devReloadHandler(sseClients),
-          staticFilesHandler(ws, !!devMode, moduleAccessMap),
+          staticFilesHandler(ws, !!devMode),
           spaFallbackHandler(shellHtml),
         ];
 
@@ -498,10 +524,9 @@ export async function startPlatformServer(
     port,
     httpHandlers: [
       // Platform-specific handlers (checked AFTER arc handlers)
-      ...(deployApiHandler ? [deployApiHandler] : []),
       apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
       devReloadHandler(sseClients),
-      staticFilesHandler(ws, !!devMode, moduleAccessMap),
+      staticFilesHandler(ws, !!devMode),
       spaFallbackHandler(shellHtml),
     ],
     onWsClose: (clientId) => cleanupClientSubs(clientId),