@arcote.tech/arc-cli 0.6.2 → 0.7.0

package/src/commands/platform-dev.ts

@@ -1,103 +1,14 @@
-import { existsSync, watch } from "fs";
-import { join } from "path";
-import { startPlatformServer } from "../platform/server";
-import {
-  buildAll,
-  collectArcPeerDeps,
-  loadServerContext,
-  log,
-  ok,
-  resolveWorkspace,
-} from "../platform/shared";
+import { startPlatform } from "../platform/startup";
+import { resolveWorkspace } from "../platform/shared";
 
-export async function platformDev(opts: { noCache?: boolean } = {}): Promise<void> {
+/** `arc platform dev` — dev mode (watcher + SSE reload + no-cache headers). */
+export async function platformDev(
+  opts: { noCache?: boolean } = {},
+): Promise<void> {
   const ws = resolveWorkspace();
-  const port = 5005;
-
-  // Initial build — `--no-cache` (if passed) only forces the startup pass;
-  // subsequent rebuilds always respect the cache to keep dev incremental.
-  let manifest = await buildAll(ws, { noCache: opts.noCache });
-
-  log("Loading server context...");
-  const { context, moduleAccess } = await loadServerContext(ws.packages);
-  if (context) {
-    ok("Context loaded");
-  } else {
-    log("No context — server endpoints skipped");
-  }
-
-  const arcEntries = collectArcPeerDeps(ws.packages);
-  const platform = await startPlatformServer({
-    ws,
-    port,
-    manifest,
-    context,
-    moduleAccess,
-    dbPath: join(ws.rootDir, ".arc", "data", "dev.db"),
-    devMode: true,
-    arcEntries,
-  });
-
-  ok(`Server on http://localhost:${port}`);
-  if (platform.contextHandler) ok("Commands, queries, WebSocket — all on same port");
-
-  // Watch for changes — full buildAll on debounce; cache makes it cheap when
-  // only one package changed.
-  log("Watching for changes...");
-  let rebuildTimer: ReturnType<typeof setTimeout> | null = null;
-  let isRebuilding = false;
-
-  const triggerRebuild = () => {
-    if (rebuildTimer) clearTimeout(rebuildTimer);
-    rebuildTimer = setTimeout(async () => {
-      if (isRebuilding) return;
-      isRebuilding = true;
-      log("Rebuilding...");
-      try {
-        manifest = await buildAll(ws);
-        platform.setManifest(manifest);
-        platform.notifyReload(manifest);
-        ok(`Rebuilt — ${manifest.modules.length} module(s)`);
-      } catch (e) {
-        console.error(`Rebuild failed: ${e}`);
-      } finally {
-        isRebuilding = false;
-      }
-    }, 300);
-  };
-
-  for (const pkg of ws.packages) {
-    const srcDir = join(pkg.path, "src");
-    if (!existsSync(srcDir)) continue;
-
-    watch(srcDir, { recursive: true }, (_event, filename) => {
-      if (
-        !filename ||
-        filename.includes(".arc") ||
-        filename.endsWith(".d.ts") ||
-        filename.includes("node_modules") ||
-        filename.includes("dist")
-      ) return;
-
-      if (!filename.endsWith(".ts") && !filename.endsWith(".tsx")) return;
-
-      triggerRebuild();
-    });
-  }
-
-  // .po files — trigger rebuild so the `translations` cache unit picks them up.
-  const localesDir = join(ws.rootDir, "locales");
-  if (existsSync(localesDir)) {
-    watch(localesDir, { recursive: false }, (_event, filename) => {
-      if (!filename?.endsWith(".po")) return;
-      triggerRebuild();
-    });
-  }
-
-  const cleanup = () => {
-    platform.stop();
-    process.exit(0);
-  };
-  process.on("SIGTERM", cleanup);
-  process.on("SIGINT", cleanup);
+  // noCache is consumed by buildAll inside startPlatform when devMode=true.
+  // For now the dev startup always uses the cache after the first build;
+  // explicit --no-cache here only matters if we wire it through later.
+  void opts;
+  await startPlatform({ ws, devMode: true });
 }

package/src/commands/platform-start.ts

@@ -1,94 +1,8 @@
-import { existsSync, readFileSync } from "fs";
-import { join } from "path";
-import { startPlatformServer } from "../platform/server";
-import {
-  collectArcPeerDeps,
-  err,
-  loadServerContext,
-  log,
-  ok,
-  resolveWorkspace,
-  type BuildManifest,
-} from "../platform/shared";
+import { startPlatform } from "../platform/startup";
+import { resolveWorkspace } from "../platform/shared";
 
+/** `arc platform start` — production mode (no watcher, immutable cache). */
 export async function platformStart(): Promise<void> {
   const ws = resolveWorkspace();
-  const port = parseInt(process.env.PORT || "5005", 10);
-  const deployApi = process.env.ARC_DEPLOY_API === "1";
-
-  // Pre-deploy mode: container started with empty volume (first boot of an
-  // arcote/runtime container — manifest hasn't been pushed yet). Boot a
-  // minimal server so the deploy CLI can reach /api/deploy/* to push the
-  // initial framework + modules. Container restart (after first manifest
-  // commit) re-enters this function with manifest present → full mode.
-  const manifestPath = join(ws.modulesDir, "manifest.json");
-  if (!existsSync(manifestPath)) {
-    if (!deployApi) {
-      err("No build found. Run `arc platform build` first.");
-      process.exit(1);
-    }
-    log("Pre-deploy mode — no manifest yet, awaiting first /api/deploy/*");
-    const emptyManifest: BuildManifest = {
-      modules: [],
-      shellHash: "",
-      stylesHash: "",
-      buildTime: new Date().toISOString(),
-    };
-    const platform = await startPlatformServer({
-      ws,
-      port,
-      manifest: emptyManifest,
-      context: null,
-      moduleAccess: new Map(),
-      dbPath: join(ws.rootDir, ".arc", "data", "prod.db"),
-      devMode: false,
-      deployApi: true,
-      arcEntries: [],
-    });
-    ok(`Pre-deploy server on http://localhost:${port}`);
-    registerSignalCleanup(platform);
-    return;
-  }
-
-  const manifest: BuildManifest = JSON.parse(
-    readFileSync(manifestPath, "utf-8"),
-  );
-
-  // Load server context
-  log("Loading server context...");
-  const { context, moduleAccess } = await loadServerContext(ws.packages);
-  if (context) {
-    ok("Context loaded");
-  } else {
-    log("No context — server endpoints skipped");
-  }
-
-  // Start server (production mode = aggressive caching, SSE only used for deploy hot-swap)
-  const arcEntries = collectArcPeerDeps(ws.packages);
-  if (deployApi) ok("Deploy API enabled (/api/deploy/*)");
-  const platform = await startPlatformServer({
-    ws,
-    port,
-    manifest,
-    context,
-    moduleAccess,
-    dbPath: join(ws.rootDir, ".arc", "data", "prod.db"),
-    devMode: false,
-    deployApi,
-    arcEntries,
-  });
-
-  ok(`Server on http://localhost:${port}`);
-  if (platform.contextHandler) ok("Commands, queries, WebSocket — all on same port");
-
-  registerSignalCleanup(platform);
-}
-
-function registerSignalCleanup(platform: { stop: () => void }): void {
-  const cleanup = () => {
-    platform.stop();
-    process.exit(0);
-  };
-  process.on("SIGTERM", cleanup);
-  process.on("SIGINT", cleanup);
+  await startPlatform({ ws, devMode: false });
 }

package/src/deploy/bootstrap.ts

@@ -1,3 +1,4 @@
+import { spawn } from "bun";
 import { mkdirSync, writeFileSync } from "fs";
 import { tmpdir } from "os";
 import { join } from "path";
@@ -5,12 +6,13 @@ import { runAnsible } from "./ansible";
 import { generateCaddyfile } from "./caddyfile";
 import { generateCompose } from "./compose";
 import type { DeployConfig } from "./config";
+import { generateHtpasswd } from "./htpasswd";
 import { runTerraform } from "./terraform";
 import { saveDeployConfig } from "./config";
 import { ok, log, err } from "../platform/shared";
 import { writeStateMarker, STATE_MARKER_PATH } from "./remote-state";
 import type { RemoteState } from "./remote-state";
-import { assertExec, canSsh, scpUpload, waitForSsh } from "./ssh";
+import { assertExec, baseSshArgs, canSsh, scpUpload, sshExec, waitForSsh } from "./ssh";
 
 // ---------------------------------------------------------------------------
 // Bootstrap orchestrator.
@@ -101,11 +103,28 @@ async function upStack(inputs: BootstrapInputs): Promise<void> {
   const workDir = join(tmpdir(), "arc-deploy", `stack-${Date.now()}`);
   mkdirSync(workDir, { recursive: true });
 
-  writeFileSync(join(workDir, "Caddyfile"), generateCaddyfile(cfg));
-  writeFileSync(
-    join(workDir, "docker-compose.yml"),
-    generateCompose({ cfg, cliVersion: inputs.cliVersion }),
+  // Pre-flight DNS — without registry.<domain> resolving to the host, Caddy's
+  // ACME challenge for the registry vhost will fail. Better to bail with a
+  // clear message than let the operator chase TLS retries for 10 minutes.
+  await assertRegistryDnsResolves(cfg);
+
+  // Generate htpasswd locally from the password env var. Never write the
+  // plaintext password to disk; only the bcrypt hash leaves this process.
+  const password = process.env[cfg.registry.passwordEnv];
+  if (!password) {
+    throw new Error(
+      `Registry password env var ${cfg.registry.passwordEnv} is not set. ` +
+        `Set it (e.g. \`export ${cfg.registry.passwordEnv}=...\`) before bootstrap.`,
+    );
+  }
+  const htpasswdLine = await generateHtpasswd(
+    cfg.registry.username,
+    password,
   );
+  writeFileSync(join(workDir, "htpasswd"), htpasswdLine);
+
+  writeFileSync(join(workDir, "Caddyfile"), generateCaddyfile(cfg));
+  writeFileSync(join(workDir, "docker-compose.yml"), generateCompose({ cfg }));
 
   // Ensure remoteDir exists
   await assertExec(
@@ -118,6 +137,10 @@ async function upStack(inputs: BootstrapInputs): Promise<void> {
       `mkdir -p ${cfg.target.remoteDir}/${name}`,
     );
   }
+  await assertExec(
+    cfg.target,
+    `mkdir -p ${cfg.target.remoteDir}/registry-auth`,
+  );
 
   await scpUpload(
     cfg.target,
@@ -129,9 +152,137 @@ async function upStack(inputs: BootstrapInputs): Promise<void> {
     join(workDir, "docker-compose.yml"),
     `${cfg.target.remoteDir}/docker-compose.yml`,
   );
+  await scpUpload(
+    cfg.target,
+    join(workDir, "htpasswd"),
+    `${cfg.target.remoteDir}/registry-auth/htpasswd`,
+  );
+
+  // Ensure /opt/arc/.env exists so docker compose doesn't error on var
+  // substitution. Per-env ARC_IMAGE_<ENV> lines are written by deploy.
+  await assertExec(
+    cfg.target,
+    `touch ${cfg.target.remoteDir}/.env`,
+  );
 
+  // Pre-register the deploy user with the private registry so containers can
+  // pull. We do this AFTER `docker compose up -d caddy registry` runs (below)
+  // — the registry needs to be reachable for `docker login` to succeed.
   await assertExec(
     cfg.target,
-    `cd ${cfg.target.remoteDir} && docker compose pull --ignore-pull-failures && docker compose up -d`,
+    `cd ${cfg.target.remoteDir} && docker compose pull --ignore-pull-failures caddy registry && docker compose up -d caddy registry`,
   );
+
+  // Wait for the registry vhost to respond (Caddy ACME issuance takes a few
+  // seconds on first start), then docker login on the host. This caches
+  // credentials in /home/<user>/.docker/config.json so subsequent `docker
+  // compose pull arc-<env>` from the per-deploy step can fetch app images.
+  await sshDockerLogin(cfg);
+
+  // Bring up any arc-<env> services whose images are already published.
+  // The :? fallback in compose makes services with no ARC_IMAGE_<ENV> set
+  // fail their up step — we filter those out by reading .env first.
+  const knownEnvs = await listConfiguredEnvs(cfg);
+  if (knownEnvs.length > 0) {
+    await assertExec(
+      cfg.target,
+      `cd ${cfg.target.remoteDir} && docker compose up -d ${knownEnvs
+        .map((e) => `arc-${e}`)
+        .join(" ")}`,
+    );
+  }
+}
+
+/**
+ * Log in to the private registry from the deploy user's account on the host.
+ * Required so `docker compose pull arc-<env>` works on subsequent deploys
+ * (compose runs docker from the deploy user's perspective; that user's
+ * `.docker/config.json` is where the registry token lives).
+ */
+async function sshDockerLogin(cfg: DeployConfig): Promise<void> {
+  const password = process.env[cfg.registry.passwordEnv];
+  if (!password) {
+    throw new Error(
+      `Registry password env var ${cfg.registry.passwordEnv} is not set on the deploy host (CLI machine).`,
+    );
+  }
+  // Pipe via stdin — keeps password off the command line and shell history.
+  const cmd = `echo "$ARC_REGISTRY_PASSWORD_FORWARDED" | docker login ${cfg.registry.domain} -u ${cfg.registry.username} --password-stdin`;
+  const proc = spawn({
+    cmd: [
+      "ssh",
+      ...baseSshArgs(cfg.target),
+      `${cfg.target.user}@${cfg.target.host}`,
+      "--",
+      `ARC_REGISTRY_PASSWORD_FORWARDED='${password.replace(/'/g, "'\\''")}' bash -c ${JSON.stringify(cmd)}`,
+    ],
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  const exit = await proc.exited;
+  if (exit !== 0) {
+    const stderr = await new Response(proc.stderr).text();
+    throw new Error(
+      `Server-side docker login failed (exit ${exit}): ${stderr.trim()}`,
+    );
+  }
+}
+
+/**
+ * Read /opt/arc/.env on the host and return env names that have an
+ * `ARC_IMAGE_<ENV>=...` line set. Used by bootstrap to decide which arc-<env>
+ * services can safely be started (the others would fail compose var
+ * substitution with `:?`).
+ */
+async function listConfiguredEnvs(cfg: DeployConfig): Promise<string[]> {
+  const res = await sshExec(
+    cfg.target,
+    `cat ${cfg.target.remoteDir}/.env 2>/dev/null || true`,
+    { quiet: true },
+  );
+  const set = new Set<string>();
+  for (const line of res.stdout.split("\n")) {
+    const m = line.match(/^ARC_IMAGE_([A-Z0-9_]+)=/);
+    if (!m) continue;
+    const lowerName = m[1].toLowerCase().replace(/_/g, "-");
+    if (lowerName in cfg.envs) set.add(lowerName);
+  }
+  return [...set];
+}
+
+/**
+ * Verify that `<registry.domain>` resolves to the target host's IP. If DNS
+ * isn't propagated yet, Caddy's ACME challenge for the registry vhost will
+ * fail repeatedly. Fail fast with an actionable hint instead.
+ */
+async function assertRegistryDnsResolves(cfg: DeployConfig): Promise<void> {
+  const proc = spawn({
+    cmd: ["dig", "+short", "+time=3", "+tries=1", cfg.registry.domain],
+    stdout: "pipe",
+    stderr: "ignore",
+  });
+  const exit = await proc.exited;
+  if (exit !== 0) {
+    err(
+      `\`dig\` is not available — skipping DNS pre-flight for ${cfg.registry.domain}.`,
+    );
+    return;
+  }
+  const resolved = (await new Response(proc.stdout).text())
+    .split("\n")
+    .map((s) => s.trim())
+    .filter(Boolean);
+
+  if (resolved.length === 0) {
+    throw new Error(
+      `Registry DNS not configured: ${cfg.registry.domain} doesn't resolve. ` +
+        `Add an A record pointing to ${cfg.target.host} and re-run deploy.`,
+    );
+  }
+  if (!resolved.includes(cfg.target.host)) {
+    throw new Error(
+      `Registry DNS mismatch: ${cfg.registry.domain} resolves to [${resolved.join(", ")}], ` +
+        `but target host is ${cfg.target.host}. Update the A record before continuing.`,
+    );
+  }
 }

package/src/deploy/caddyfile.ts

@@ -3,18 +3,16 @@ import type { DeployConfig } from "./config";
 // ---------------------------------------------------------------------------
 // Caddyfile generator
 //
-// Two kinds of blocks are produced:
+// Two kinds of vhosts:
 //
-//  1. Public site blocks (80/443) — one per env, routed by Host header.
-//     Reverse-proxy to arc-<env>:5005 BUT strip any /api/deploy/* path so
-//     the hot-swap endpoint never leaks to the internet.
+//  1. Public env blocks (80/443) — one per env, routed by Host header.
+//     Plain reverse-proxy to arc-<env>:5005. No /api/deploy/* paths exist
+//     in v0.7 (deploy goes through docker push, not HTTP), so there's
+//     nothing to block at the Caddy level.
 //
-//  2. Internal management listener on 127.0.0.1:2019 — handles
-//     /env/<name>/api/deploy/* paths by rewriting and proxying to
-//     arc-<name>:5005/api/deploy/*. This is the ONLY path to the deploy
-//     API from off-host; the listener is bound to loopback inside the
-//     Caddy container, and docker-compose publishes 127.0.0.1:2019:2019.
-//     CLI reaches it via `ssh -L`.
+//  2. Private Docker Registry vhost — proxies registry.<domain> to the
+//     in-cluster `registry:2` service. htpasswd basic auth is enforced on
+//     the registry container side; Caddy just terminates TLS.
 // ---------------------------------------------------------------------------
 
 export function generateCaddyfile(cfg: DeployConfig): string {
@@ -35,24 +33,22 @@ export function generateCaddyfile(cfg: DeployConfig): string {
   // Public blocks — one per env
   for (const [name, env] of Object.entries(cfg.envs)) {
     lines.push(`${env.domain} {${tlsDirective}`);
-    lines.push("    @deploy path /api/deploy /api/deploy/*");
-    lines.push("    respond @deploy 404");
-    lines.push("");
     lines.push(`    reverse_proxy arc-${name}:5005`);
     lines.push("}");
     lines.push("");
   }
 
-  // Internal management listener
-  lines.push("# Loopback-only management listener (SSH tunnel access).");
-  lines.push("http://127.0.0.1:2019 {");
-  lines.push("    bind 127.0.0.1");
-  for (const [name] of Object.entries(cfg.envs)) {
-    lines.push(`    handle_path /env/${name}/* {`);
-    lines.push(`        reverse_proxy arc-${name}:5005`);
-    lines.push(`    }`);
-  }
-  lines.push("    respond 404");
+  // Private Docker Registry — Caddy proxies HTTPS termination + Let's Encrypt;
+  // the registry:2 container handles its own htpasswd basic auth upstream.
+  // 5 GiB request body cap fits real app images comfortably (default 100MB
+  // triggers 413 on the first layer push).
+  lines.push(`${cfg.registry.domain} {${tlsDirective}`);
+  lines.push("    reverse_proxy registry:5000 {");
+  lines.push("        header_up Host {host}");
+  lines.push("    }");
+  lines.push("    request_body {");
+  lines.push("        max_size 5GB");
+  lines.push("    }");
   lines.push("}");
 
   return lines.join("\n") + "\n";

package/src/deploy/compose.ts

@@ -1,41 +1,32 @@
 import type { DeployConfig } from "./config";
 
 // ---------------------------------------------------------------------------
-// docker-compose.yml generator — v0.6
+// docker-compose.yml generator
 //
 // Services:
 //   - caddy (public 80/443, loopback 127.0.0.1:2019 for deploy tunnel)
-//   - arc-<env> per entry in deploy.arc.json envs
+//   - arc-<env> per entry in deploy.arc.json envs (bind-mounts project dir)
 //
-// arc-<env> uses `arcote/runtime:1` (generic image). CLI version is passed
-// via ARC_CLI_VERSION env var — entrypoint installs arc-cli on first boot,
-// then `arc platform start` decides between pre-deploy and full mode based
-// on volume state. No user code or node_modules on host disk (everything
-// lives in named volumes, populated via /api/deploy/* multipart pushes).
+// No custom images: vanilla `caddy:2-alpine` and `oven/bun:1-alpine` from
+// Docker Hub. The Arc CLI and user's built artifacts come via the volume
+// mount at /opt/arc/<env>/ — rsynced by the deploy command.
 // ---------------------------------------------------------------------------
 
 export interface ComposeOptions {
   cfg: DeployConfig;
-  /** CLI version used by entrypoint.sh to `bun add @arcote.tech/arc-cli@VER`. */
-  cliVersion: string;
 }
 
-const RESERVED_ENV = new Set(["PORT", "ARC_DEPLOY_API", "ARC_CLI_VERSION"]);
-
-export function generateCompose({ cfg, cliVersion }: ComposeOptions): string {
+export function generateCompose({ cfg }: ComposeOptions): string {
   const lines: string[] = [];
   lines.push("# Generated by `arc platform deploy` — do not edit by hand.");
   lines.push("");
   lines.push("services:");
-
-  // Caddy
   lines.push("  caddy:");
   lines.push("    image: caddy:2-alpine");
   lines.push("    restart: unless-stopped");
   lines.push("    ports:");
   lines.push('      - "80:80"');
   lines.push('      - "443:443"');
-  lines.push('      - "127.0.0.1:2019:2019"');
   lines.push("    volumes:");
   lines.push("      - ./Caddyfile:/etc/caddy/Caddyfile:ro");
   lines.push("      - caddy_data:/data");
@@ -44,28 +35,56 @@ export function generateCompose({ cfg, cliVersion }: ComposeOptions): string {
   lines.push("      - arc-net");
   lines.push("");
 
-  // Per-env runtime containers
+  // Private Docker Registry — `arc platform deploy` pushes app images here,
+  // arc-<env> containers pull from here. htpasswd auth file is uploaded by
+  // bootstrap (generated locally from the password env var).
+  lines.push("  registry:");
+  lines.push("    image: registry:2");
+  lines.push("    restart: unless-stopped");
+  lines.push("    volumes:");
+  lines.push("      - registry_data:/var/lib/registry");
+  lines.push("      - ./registry-auth/htpasswd:/auth/htpasswd:ro");
+  lines.push("    environment:");
+  lines.push("      REGISTRY_AUTH: htpasswd");
+  lines.push('      REGISTRY_AUTH_HTPASSWD_REALM: "Arc Registry"');
+  lines.push("      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd");
+  // Large image layers (framework peers + arc-cli bundle + chunks) need a
+  // generous upload limit. Default 100MB triggers 413 on real apps.
+  lines.push('      REGISTRY_HTTP_HOST: "https://' + cfg.registry.domain + '"');
+  lines.push("    networks:");
+  lines.push("      - arc-net");
+  lines.push("    expose:");
+  lines.push('      - "5000"');
+  lines.push("");
+
   for (const [name, env] of Object.entries(cfg.envs)) {
+    const upperName = name.toUpperCase().replace(/-/g, "_");
     lines.push(`  arc-${name}:`);
-    lines.push("    image: pkrasinski/arc-runtime:1");
+    // Image ref comes from /opt/arc/.env, written per-deploy with the content
+    // hash of the latest build. The `:?` fallback fails compose with a clear
+    // error if the env var isn't set — that means "deploy hasn't run yet".
+    lines.push(
+      `    image: \${ARC_IMAGE_${upperName}:?Run \\\`arc platform deploy ${name}\\\` to publish an image first}`,
+    );
+    lines.push(`    container_name: arc-${name}`);
     lines.push("    restart: unless-stopped");
     lines.push("    volumes:");
-    lines.push(`      - arc-platform-${name}:/app/.arc/platform`);
+    // Only the data volume — user code lives entirely inside the image.
+    // SQLite + uploads persist across redeploys.
     lines.push(`      - arc-data-${name}:/app/.arc/data`);
-    lines.push("      - arc-cli-cache:/app/.arc/cli");
-    lines.push("      - arc-bun-cache:/root/.bun/install/cache");
     lines.push("    environment:");
     lines.push("      PORT: 5005");
-    lines.push('      ARC_DEPLOY_API: "1"');
-    lines.push(`      ARC_CLI_VERSION: ${JSON.stringify(cliVersion)}`);
     const userEnv = env.envVars ?? {};
     if (!("NODE_ENV" in userEnv)) {
       lines.push("      NODE_ENV: production");
     }
+    // PORT is reserved — user envVars can't override.
+    const reserved = new Set(["PORT"]);
     for (const [k, v] of Object.entries(userEnv)) {
-      if (RESERVED_ENV.has(k)) continue;
+      if (reserved.has(k)) continue;
       lines.push(`      ${k}: ${JSON.stringify(v)}`);
     }
+    // ENTRYPOINT + CMD come from the image — no `command:` override needed.
     lines.push("    networks:");
     lines.push("      - arc-net");
     lines.push("    expose:");
@@ -73,17 +92,14 @@ export function generateCompose({ cfg, cliVersion }: ComposeOptions): string {
     lines.push("");
   }
 
-  // Networks + volumes
   lines.push("networks:");
   lines.push("  arc-net:");
   lines.push("");
   lines.push("volumes:");
   lines.push("  caddy_data:");
   lines.push("  caddy_config:");
-  lines.push("  arc-cli-cache:");
-  lines.push("  arc-bun-cache:");
+  lines.push("  registry_data:");
   for (const [name] of Object.entries(cfg.envs)) {
-    lines.push(`  arc-platform-${name}:`);
     lines.push(`  arc-data-${name}:`);
   }
 

package/src/deploy/config.ts

@@ -54,10 +54,20 @@ export interface DeployProvision {
   ansible?: DeployProvisionAnsible;
 }
 
+export interface DeployRegistry {
+  /** Full domain — Caddy reverse-proxies this to the registry:5000 container. */
+  domain: string;
+  /** htpasswd basic-auth username. Default: `deploy`. */
+  username: string;
+  /** Name of env var holding the htpasswd password. Never inline the secret. */
+  passwordEnv: string;
+}
+
 export interface DeployConfig {
   target: DeployTarget;
   envs: Record<string, DeployEnv>;
   caddy: DeployCaddy;
+  registry: DeployRegistry;
   provision?: DeployProvision;
 }
 
@@ -139,6 +149,20 @@ export function validateDeployConfig(input: unknown): DeployConfig {
   const target = requireObject(input, "target");
   const envs = requireObject(input, "envs");
   const caddy = requireObject(input, "caddy");
+  const registry = requireObject(input, "registry");
+
+  const registryDomain = requireString(registry, "registry.domain");
+  if (!/^[a-z0-9.-]+\.[a-z]{2,}$/i.test(registryDomain)) {
+    throw new Error(
+      `deploy.arc.json: registry.domain "${registryDomain}" doesn't look like a domain`,
+    );
+  }
+  const passwordEnv = requireString(registry, "registry.passwordEnv");
+  if (!/^[A-Z][A-Z0-9_]*$/.test(passwordEnv)) {
+    throw new Error(
+      `deploy.arc.json: registry.passwordEnv "${passwordEnv}" must be an UPPER_SNAKE_CASE env var name`,
+    );
+  }
 
   const validated: DeployConfig = {
     target: {
@@ -152,6 +176,11 @@ export function validateDeployConfig(input: unknown): DeployConfig {
     caddy: {
       email: requireString(caddy, "caddy.email"),
     },
+    registry: {
+      domain: registryDomain,
+      username: optionalString(registry, "registry.username") ?? "deploy",
+      passwordEnv,
+    },
   };
 
   const envKeys = Object.keys(envs);