@arcote.tech/arc-cli 0.6.2 → 0.7.1

package/src/platform/server.ts

@@ -11,9 +11,8 @@ import {
 import { existsSync, mkdirSync } from "fs";
 import { join } from "path";
 import { readTranslationsConfig } from "../i18n";
-import { createDeployApiHandler } from "./deploy-api";
-import type { BuildManifest, ModuleDescriptor, WorkspaceInfo } from "./shared";
-import type { ModuleAccess } from "@arcote.tech/platform";
+import type { BuildManifest, WorkspaceInfo } from "./shared";
+import type { BuildManifestGroup, ModuleAccess } from "@arcote.tech/platform";
 
 // ---------------------------------------------------------------------------
 // Types
@@ -31,12 +30,6 @@ export interface PlatformServerOptions {
   dbPath?: string;
   /** If true, enables SSE reload stream + mutable manifest (dev mode) */
   devMode?: boolean;
-  /** If true, mounts /api/deploy/* endpoints for remote hot-swap. Off by default;
-   *  opt-in via ARC_DEPLOY_API=1 or explicit CLI flag. In production, network-layer
-   *  (Caddy + docker-compose port binding) restricts access to SSH tunnel only. */
-  deployApi?: boolean;
-  /** Arc shell entries [shortName, fullPkgName][] for import map. Auto-detected if omitted. */
-  arcEntries?: [string, string][];
 }
 
 export interface PlatformServer {
@@ -79,25 +72,15 @@ export async function initContextHandler(
 export function generateShellHtml(
   appName: string,
   manifest?: { title: string; favicon?: string },
-  arcEntries?: [string, string][],
+  initial?: { file: string; hash: string },
 ): string {
-  const arcImports: Record<string, string> = {};
-  if (arcEntries) {
-    for (const [short, pkg] of arcEntries) {
-      arcImports[pkg] = `/shell/${short}.js`;
-    }
+  // Initial bundle carries framework, public modules, and PlatformApp re-export.
+  // No importmap — single Bun.build with splitting:true inlines + dedups everything
+  // across initial and per-token group bundles via auto-emitted chunk-<hash>.js.
+  const initialUrl = initial ? `/browser/${initial.file}` : null;
+  if (!initialUrl) {
+    throw new Error("generateShellHtml: initial bundle missing from manifest");
   }
-  const importMap = {
-    imports: {
-      react: "/shell/react.js",
-      "react/jsx-runtime": "/shell/jsx-runtime.js",
-      "react/jsx-dev-runtime": "/shell/jsx-dev-runtime.js",
-      "react-dom": "/shell/react-dom.js",
-      "react-dom/client": "/shell/react-dom-client.js",
-      ...arcImports,
-    },
-  };
-
   return `<!doctype html>
 <html lang="en">
 <head>
@@ -106,18 +89,13 @@ export function generateShellHtml(
   <title>${manifest?.title ?? appName}</title>${manifest?.favicon ? `\n  <link rel="icon" href="${manifest.favicon}">` : ""}${manifest ? `\n  <link rel="manifest" href="/manifest.json">` : ""}
   <link rel="stylesheet" href="/styles.css" />
   <link rel="stylesheet" href="/theme.css" />
-  <script type="importmap">${JSON.stringify(importMap)}</script>
+  <link rel="modulepreload" href="${initialUrl}" />
 </head>
 <body>
   <div id="root"></div>
   <script type="module">
-    import { createRoot } from "react-dom/client";
-    import { createElement } from "react";
-    import { PlatformApp } from "@arcote.tech/platform";
-
-    createRoot(document.getElementById("root")).render(
-      createElement(PlatformApp)
-    );
+    import { startApp } from "${initialUrl}";
+    startApp("root");
   </script>
 </body>
 </html>`;
@@ -165,22 +143,49 @@ function serveFile(
 // Module access — signed URLs
 // ---------------------------------------------------------------------------
 
-const MODULE_SIG_SECRET = process.env.ARC_MODULE_SECRET ?? crypto.randomUUID();
+// Secret is initialized lazily by `startPlatformServer` so dev mode can derive
+// a stable, workspace-scoped value (browser sessions survive a watcher restart;
+// without this, every restart invalidates every signed URL in the open page).
+// Prod uses ARC_MODULE_SECRET if set, otherwise a random UUID per process.
+let MODULE_SIG_SECRET: string = process.env.ARC_MODULE_SECRET ?? "";
 const MODULE_SIG_TTL = 3600; // 1 hour
 
-function signModuleUrl(filename: string): string {
+function ensureModuleSigSecret(ws: WorkspaceInfo, devMode: boolean): void {
+  if (MODULE_SIG_SECRET) return;
+  if (devMode) {
+    // Deterministic per workspace — restart-safe in dev.
+    const hasher = new Bun.CryptoHasher("sha256");
+    hasher.update(`arc-dev-secret:${ws.rootDir}`);
+    MODULE_SIG_SECRET = hasher.digest("hex").slice(0, 32);
+  } else {
+    MODULE_SIG_SECRET = crypto.randomUUID();
+  }
+}
+
+/**
+ * Signed URL for a token-group bundle. HMAC payload binds the filename so
+ * a sig minted for `/browser/admin.<hash>.js` cannot be replayed for any
+ * other file. Shared chunks (chunk-<hash>.js) are NEVER signed — their
+ * filenames are content-hashed and they don't carry private code on their
+ * own (group entries side-effect-register the modules).
+ */
+function signGroupUrl(file: string): string {
   const exp = Math.floor(Date.now() / 1000) + MODULE_SIG_TTL;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
   const sig = hasher.digest("hex").slice(0, 16);
-  return `/modules/${filename}?sig=${sig}&exp=${exp}`;
+  return `/browser/${file}?sig=${sig}&exp=${exp}`;
 }
 
-function verifyModuleSignature(filename: string, sig: string | null, exp: string | null): boolean {
+function verifyGroupSignature(
+  file: string,
+  sig: string | null,
+  exp: string | null,
+): boolean {
   if (!sig || !exp) return false;
   if (Number(exp) < Date.now() / 1000) return false;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${filename}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
   return hasher.digest("hex").slice(0, 16) === sig;
 }
 
@@ -216,41 +221,60 @@ function parseArcTokensHeader(header: string | null): any[] {
   return payloads;
 }
 
+/**
+ * Filter manifest groups to those the caller's tokens grant access to. A
+ * group is unlocked when (a) the caller carries a token whose `tokenType`
+ * matches the group name, and (b) every per-module rule declared via
+ * `protectedBy(token, check)` passes for at least one of those tokens.
+ *
+ * Returns a manifest with `groups` filtered + each remaining entry's `url`
+ * filled with a signed URL (HMAC, 1h TTL). `initial` + `sharedChunks` ride
+ * along unchanged — those are public/content-addressed.
+ */
 async function filterManifestForTokens(
   manifest: BuildManifest,
   moduleAccessMap: Map<string, ModuleAccess>,
   tokenPayloads: any[],
 ): Promise<BuildManifest> {
-  const filtered: ModuleDescriptor[] = [];
-
-  for (const mod of manifest.modules) {
-    const access = moduleAccessMap.get(mod.name);
-
-    if (!access) {
-      filtered.push(mod);
-      continue;
-    }
-
-    if (tokenPayloads.length === 0) continue;
+  const allowedGroups = new Set<string>();
+  for (const t of tokenPayloads) {
+    if (t?.tokenType) allowedGroups.add(t.tokenType);
+  }
 
-    let granted = false;
-    for (const rule of access.rules) {
-      const matching = tokenPayloads.find(
-        (t) => t.tokenType === rule.token.name,
-      );
-      if (matching) {
+  const filteredGroups: Record<string, BuildManifestGroup> = {};
+
+  for (const [name, group] of Object.entries(manifest.groups)) {
+    if (!allowedGroups.has(name)) continue;
+
+    // Every module in the group must pass its per-rule check (if any).
+    // If all rules pass (or none declared), unlock the group bundle.
+    let allGranted = true;
+    for (const moduleName of group.modules) {
+      const access = moduleAccessMap.get(moduleName);
+      if (!access || access.rules.length === 0) continue;
+      let granted = false;
+      for (const rule of access.rules) {
+        if (rule.token.name !== name) continue;
+        const matching = tokenPayloads.find((t) => t.tokenType === name);
+        if (!matching) continue;
         granted = rule.check ? await rule.check(matching) : true;
         if (granted) break;
       }
+      if (!granted) {
+        allGranted = false;
+        break;
+      }
     }
 
-    if (granted) {
-      filtered.push({ ...mod, url: signModuleUrl(mod.file) });
+    if (allGranted) {
+      filteredGroups[name] = { ...group, url: signGroupUrl(group.file) };
     }
   }
+
   return {
-    modules: filtered,
-    shellHash: manifest.shellHash,
+    initial: manifest.initial,
+    groups: filteredGroups,
+    sharedChunks: manifest.sharedChunks,
     stylesHash: manifest.stylesHash,
     buildTime: manifest.buildTime,
   };
@@ -260,30 +284,40 @@ async function filterManifestForTokens(
 // Platform-specific HTTP handlers
 // ---------------------------------------------------------------------------
 
+/** Browser bundle filenames: `initial.<hash>.js`, `<tokenName>.<hash>.js`,
+ *  `chunk-<hash>.js`. All Bun.build outputs with content-addressed hashes. */
+const BROWSER_FILE_RE = /^[A-Za-z0-9_.-]+\.js$/;
+
 function staticFilesHandler(
   ws: WorkspaceInfo,
   devMode: boolean,
-  moduleAccessMap: Map<string, ModuleAccess>,
+  getManifest: () => BuildManifest,
 ): ArcHttpHandler {
   return (_req, url, ctx) => {
     const path = url.pathname;
-    if (path.startsWith("/shell/"))
-      return serveFile(join(ws.shellDir, path.slice(7)), ctx.corsHeaders);
-    if (path.startsWith("/modules/")) {
-      const fileWithParams = path.slice(9);
-      const filename = fileWithParams.split("?")[0];
-      const moduleName = filename.replace(/\.js$/, "");
-
-      // Check access for protected modules
-      if (moduleAccessMap.has(moduleName)) {
+    // Single flat browser dir: initial bundle, per-token group entries,
+    // and auto-emitted shared chunks all live in <arcDir>/browser/.
+    if (path.startsWith("/browser/")) {
+      const file = path.slice(9);
+      if (!BROWSER_FILE_RE.test(file)) {
+        return new Response("Not Found", { status: 404, headers: ctx.corsHeaders });
+      }
+
+      // Only token-group entries are signed. The initial bundle and shared
+      // chunks are content-addressed (filename = hash) — unsigned by design.
+      const manifest = getManifest();
+      const isGroupEntry = Object.values(manifest.groups).some(
+        (g) => g.file === file,
+      );
+      if (isGroupEntry) {
         const sig = url.searchParams.get("sig");
         const exp = url.searchParams.get("exp");
-        if (!verifyModuleSignature(filename, sig, exp)) {
+        if (!verifyGroupSignature(file, sig, exp)) {
           return new Response("Forbidden", { status: 403, headers: ctx.corsHeaders });
         }
       }
 
-      return serveFile(join(ws.modulesDir, filename), {
+      return serveFile(join(ws.browserDir, file), {
         ...ctx.corsHeaders,
         "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
       });
@@ -343,7 +377,7 @@ function apiEndpointsHandler(
       return Response.json(
         {
           status: "ok",
-          modules: getManifest().modules.length,
+          groups: Object.keys(getManifest().groups).length,
           clients: cm?.clientCount ?? 0,
         },
         { headers: ctx.corsHeaders },
@@ -381,9 +415,9 @@ function devReloadHandler(
   };
 }
 
-function spaFallbackHandler(shellHtml: string): ArcHttpHandler {
+function spaFallbackHandler(getShellHtml: () => string): ArcHttpHandler {
   return (_req, _url, ctx) => {
-    return new Response(shellHtml, {
+    return new Response(getShellHtml(), {
       headers: { ...ctx.corsHeaders, "Content-Type": "text/html" },
     });
   };
@@ -397,6 +431,7 @@ export async function startPlatformServer(
   opts: PlatformServerOptions,
 ): Promise<PlatformServer> {
   const { ws, port, devMode, context } = opts;
+  ensureModuleSigSecret(ws, !!devMode);
   const moduleAccessMap = opts.moduleAccess ?? new Map();
   let manifest = opts.manifest;
   const getManifest = () => manifest;
@@ -404,7 +439,10 @@ export async function startPlatformServer(
     manifest = m;
   };
 
-  const shellHtml = generateShellHtml(ws.appName, ws.manifest, opts.arcEntries);
+  // Recompute on every request — manifest.initial.hash changes when public
+  // modules are rebuilt in dev, and we want the new URL in the HTML.
+  const getShellHtml = (): string =>
+    generateShellHtml(ws.appName, ws.manifest, manifest?.initial);
   const sseClients = new Set<ReadableStreamDefaultController>();
 
   const notifyReload = (m: BuildManifest) => {
@@ -418,17 +456,6 @@ export async function startPlatformServer(
     }
   };
 
-  const deployApiEnabled =
-    opts.deployApi ?? process.env.ARC_DEPLOY_API === "1";
-  const deployApiHandler = deployApiEnabled
-    ? createDeployApiHandler({
-        ws,
-        getManifest,
-        setManifest,
-        notifyReload,
-      })
-    : null;
-
   if (!context) {
     // No context — serve static files only (no WS/commands/queries)
     const cors = {
@@ -458,11 +485,10 @@ export async function startPlatformServer(
 
         // Platform handlers only
         const handlers: ArcHttpHandler[] = [
-          ...(deployApiHandler ? [deployApiHandler] : []),
           apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
           devReloadHandler(sseClients),
-          staticFilesHandler(ws, !!devMode, moduleAccessMap),
-          spaFallbackHandler(shellHtml),
+          staticFilesHandler(ws, !!devMode, getManifest),
+          spaFallbackHandler(getShellHtml),
         ];
 
         for (const handler of handlers) {
@@ -498,11 +524,10 @@ export async function startPlatformServer(
     port,
     httpHandlers: [
       // Platform-specific handlers (checked AFTER arc handlers)
-      ...(deployApiHandler ? [deployApiHandler] : []),
       apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
       devReloadHandler(sseClients),
-      staticFilesHandler(ws, !!devMode, moduleAccessMap),
-      spaFallbackHandler(shellHtml),
+      staticFilesHandler(ws, !!devMode, getManifest),
+      spaFallbackHandler(getShellHtml),
     ],
     onWsClose: (clientId) => cleanupClientSubs(clientId),
   });