@arcote.tech/arc-cli 0.7.0 → 0.7.2

package/src/deploy/image.ts

@@ -55,7 +55,7 @@ export async function buildImage(
 ): Promise<BuildImageResult> {
   await ensureDocker();
 
-  const manifestPath = join(ws.modulesDir, "manifest.json");
+  const manifestPath = join(ws.arcDir, "manifest.json");
   if (!existsSync(manifestPath)) {
     throw new Error(
       `No build manifest at ${manifestPath}. Run \`arc platform build\` first or omit --skip-build.`,
@@ -89,8 +89,14 @@ export async function buildImage(
   const dockerfilePath = join(dockerfileDir, "Dockerfile");
   writeFileSync(dockerfilePath, dockerfile);
 
+  // Always build linux/amd64. Most production servers (Hetzner cpx*, AWS x86,
+  // DigitalOcean, etc.) are x86_64. Without --platform, buildx defaults to
+  // the host arch — Apple Silicon devs produce arm64 images that fail with
+  // `exec format error` on AMD hosts. Cross-arch QEMU emulation is slow but
+  // reliable; we accept the tradeoff for portability.
   const buildArgs = [
     "build",
+    "--platform=linux/amd64",
     "-f",
     dockerfilePath,
     "-t",

package/src/deploy/ssh.ts

@@ -1,6 +1,29 @@
 import { spawn } from "bun";
+import { existsSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
 import type { DeployTarget } from "./config";
 
+/**
+ * Pick a private SSH key to authenticate with. Honors target.sshKey if set,
+ * otherwise tries the standard candidates in ~/.ssh/. Returns null if no
+ * usable key is found — caller can then fall back to default ssh-agent
+ * behavior (i.e. omit IdentitiesOnly).
+ */
+function pickSshKey(target: DeployTarget): string | null {
+  if (target.sshKey) {
+    const expanded = target.sshKey.startsWith("~")
+      ? join(homedir(), target.sshKey.slice(1))
+      : target.sshKey;
+    return existsSync(expanded) ? expanded : null;
+  }
+  for (const name of ["id_ed25519", "id_ecdsa", "id_rsa"]) {
+    const path = join(homedir(), ".ssh", name);
+    if (existsSync(path)) return path;
+  }
+  return null;
+}
+
 /** Convert a Bun subprocess stream (which may be a ReadableStream or undefined) to string. */
 async function streamToString(
   stream: ReadableStream<Uint8Array> | number | undefined,
@@ -21,15 +44,34 @@ export interface SshExecResult {
 }
 
 export function baseSshArgs(target: DeployTarget): string[] {
+  // Pin to a single identity to avoid "Too many authentication failures":
+  // the server's MaxAuthTries=3 (set by ansible) trips when ssh-agent has
+  // more than 3 keys loaded and walks all of them before reaching ours.
+  // PreferredAuthentications=publickey skips gssapi/keyboard prompts entirely.
+  const key = pickSshKey(target);
   const args = [
     "-o",
     "BatchMode=yes",
     "-o",
     "StrictHostKeyChecking=accept-new",
+    "-o",
+    "PreferredAuthentications=publickey",
+    // Fail fast: TCP-level connect attempts give up after 5s instead of
+    // hanging on the default ~75s when ufw drops, fail2ban bans, or the
+    // VM is briefly unreachable. ServerAlive* keeps an established
+    // connection from silently stalling on a dead route.
+    "-o",
+    "ConnectTimeout=5",
+    "-o",
+    "ServerAliveInterval=10",
+    "-o",
+    "ServerAliveCountMax=2",
     "-p",
     String(target.port),
   ];
-  if (target.sshKey) args.push("-i", target.sshKey);
+  if (key) {
+    args.push("-o", "IdentitiesOnly=yes", "-i", key);
+  }
   return args;
 }
 
@@ -115,15 +157,22 @@ export async function scpUpload(
   localPath: string,
   remotePath: string,
 ): Promise<void> {
+  const key = pickSshKey(target);
   const args = [
     "-o",
     "BatchMode=yes",
     "-o",
     "StrictHostKeyChecking=accept-new",
+    "-o",
+    "PreferredAuthentications=publickey",
+    "-o",
+    "ConnectTimeout=5",
     "-P",
     String(target.port),
   ];
-  if (target.sshKey) args.push("-i", target.sshKey);
+  if (key) {
+    args.push("-o", "IdentitiesOnly=yes", "-i", key);
+  }
   args.push(localPath, `${target.user}@${target.host}:${remotePath}`);
 
   const proc = spawn({ cmd: ["scp", ...args], stderr: "pipe" });

package/src/index.ts

@@ -63,6 +63,10 @@ platform
     "--image-tag <hash>",
     "Roll back / pin to an existing image tag instead of building a new one",
   )
+  .option(
+    "--force-bootstrap",
+    "Re-run Ansible host bootstrap even if the server is already configured",
+  )
   .action(
     (
       env: string | undefined,
@@ -71,6 +75,7 @@ platform
         rebuild?: boolean;
         buildOnly?: boolean;
         imageTag?: string;
+        forceBootstrap?: boolean;
       },
     ) => platformDeploy(env, opts),
   );

package/src/platform/server.ts

@@ -11,8 +11,8 @@ import {
 import { existsSync, mkdirSync } from "fs";
 import { join } from "path";
 import { readTranslationsConfig } from "../i18n";
-import type { BuildManifest, ModuleDescriptor, WorkspaceInfo } from "./shared";
-import type { ModuleAccess } from "@arcote.tech/platform";
+import type { BuildManifest, WorkspaceInfo } from "./shared";
+import type { BuildManifestGroup, ModuleAccess } from "@arcote.tech/platform";
 
 // ---------------------------------------------------------------------------
 // Types
@@ -30,8 +30,6 @@ export interface PlatformServerOptions {
   dbPath?: string;
   /** If true, enables SSE reload stream + mutable manifest (dev mode) */
   devMode?: boolean;
-  /** Arc shell entries [shortName, fullPkgName][] for import map. Auto-detected if omitted. */
-  arcEntries?: [string, string][];
 }
 
 export interface PlatformServer {
@@ -74,25 +72,15 @@ export async function initContextHandler(
 export function generateShellHtml(
   appName: string,
   manifest?: { title: string; favicon?: string },
-  arcEntries?: [string, string][],
+  initial?: { file: string; hash: string },
 ): string {
-  const arcImports: Record<string, string> = {};
-  if (arcEntries) {
-    for (const [short, pkg] of arcEntries) {
-      arcImports[pkg] = `/shell/${short}.js`;
-    }
+  // Initial bundle carries framework, public modules, and PlatformApp re-export.
+  // No importmap — single Bun.build with splitting:true inlines + dedups everything
+  // across initial and per-token group bundles via auto-emitted chunk-<hash>.js.
+  const initialUrl = initial ? `/browser/${initial.file}` : null;
+  if (!initialUrl) {
+    throw new Error("generateShellHtml: initial bundle missing from manifest");
   }
-  const importMap = {
-    imports: {
-      react: "/shell/react.js",
-      "react/jsx-runtime": "/shell/jsx-runtime.js",
-      "react/jsx-dev-runtime": "/shell/jsx-dev-runtime.js",
-      "react-dom": "/shell/react-dom.js",
-      "react-dom/client": "/shell/react-dom-client.js",
-      ...arcImports,
-    },
-  };
-
   return `<!doctype html>
 <html lang="en">
 <head>
@@ -101,18 +89,13 @@ export function generateShellHtml(
   <title>${manifest?.title ?? appName}</title>${manifest?.favicon ? `\n  <link rel="icon" href="${manifest.favicon}">` : ""}${manifest ? `\n  <link rel="manifest" href="/manifest.json">` : ""}
   <link rel="stylesheet" href="/styles.css" />
   <link rel="stylesheet" href="/theme.css" />
-  <script type="importmap">${JSON.stringify(importMap)}</script>
+  <link rel="modulepreload" href="${initialUrl}" />
 </head>
 <body>
   <div id="root"></div>
   <script type="module">
-    import { createRoot } from "react-dom/client";
-    import { createElement } from "react";
-    import { PlatformApp } from "@arcote.tech/platform";
-
-    createRoot(document.getElementById("root")).render(
-      createElement(PlatformApp)
-    );
+    import { startApp } from "${initialUrl}";
+    startApp("root");
   </script>
 </body>
 </html>`;
@@ -160,25 +143,41 @@ function serveFile(
 // Module access — signed URLs
 // ---------------------------------------------------------------------------
 
-const MODULE_SIG_SECRET = process.env.ARC_MODULE_SECRET ?? crypto.randomUUID();
+// Secret is initialized lazily by `startPlatformServer` so dev mode can derive
+// a stable, workspace-scoped value (browser sessions survive a watcher restart;
+// without this, every restart invalidates every signed URL in the open page).
+// Prod uses ARC_MODULE_SECRET if set, otherwise a random UUID per process.
+let MODULE_SIG_SECRET: string = process.env.ARC_MODULE_SECRET ?? "";
 const MODULE_SIG_TTL = 3600; // 1 hour
 
+function ensureModuleSigSecret(ws: WorkspaceInfo, devMode: boolean): void {
+  if (MODULE_SIG_SECRET) return;
+  if (devMode) {
+    // Deterministic per workspace — restart-safe in dev.
+    const hasher = new Bun.CryptoHasher("sha256");
+    hasher.update(`arc-dev-secret:${ws.rootDir}`);
+    MODULE_SIG_SECRET = hasher.digest("hex").slice(0, 32);
+  } else {
+    MODULE_SIG_SECRET = crypto.randomUUID();
+  }
+}
+
 /**
- * Signed URL for a chunk-scoped module file. HMAC payload includes the chunk
- * name so a sig minted for `/modules/admin/foo.js` cannot be replayed as
- * `/modules/user/foo.js` — even if the same filename exists in both groups.
- * Public chunks are NEVER signed (no protection needed).
+ * Signed URL for a token-group bundle. HMAC payload binds the filename so
+ * a sig minted for `/browser/admin.<hash>.js` cannot be replayed for any
+ * other file. Shared chunks (chunk-<hash>.js) are NEVER signed — their
+ * filenames are content-hashed and they don't carry private code on their
+ * own (group entries side-effect-register the modules).
  */
-function signChunkUrl(chunk: string, file: string): string {
+function signGroupUrl(file: string): string {
   const exp = Math.floor(Date.now() / 1000) + MODULE_SIG_TTL;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${chunk}/${file}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
   const sig = hasher.digest("hex").slice(0, 16);
-  return `/modules/${chunk}/${file}?sig=${sig}&exp=${exp}`;
+  return `/browser/${file}?sig=${sig}&exp=${exp}`;
 }
 
-function verifyChunkSignature(
-  chunk: string,
+function verifyGroupSignature(
   file: string,
   sig: string | null,
   exp: string | null,
@@ -186,7 +185,7 @@ function verifyChunkSignature(
   if (!sig || !exp) return false;
   if (Number(exp) < Date.now() / 1000) return false;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${chunk}/${file}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
   return hasher.digest("hex").slice(0, 16) === sig;
 }
 
@@ -223,59 +222,59 @@ function parseArcTokensHeader(header: string | null): any[] {
 }
 
 /**
- * Filter manifest to modules the caller's tokens grant access to. Two-stage
- * check: chunk-level (token type matches chunk name → group is unlocked) +
- * per-rule async `check` callback (if declared in `protectedBy(token, check)`).
+ * Filter manifest groups to those the caller's tokens grant access to. A
+ * group is unlocked when (a) the caller carries a token whose `tokenType`
+ * matches the group name, and (b) every per-module rule declared via
+ * `protectedBy(token, check)` passes for at least one of those tokens.
  *
- * Public chunk modules pass unconditionally; non-public modules are returned
- * with a signed URL (chunk-aware HMAC, 1h TTL) — the URL is what the browser
- * fetches for the actual JS file.
+ * Returns a manifest with `groups` filtered + each remaining entry's `url`
+ * filled with a signed URL (HMAC, 1h TTL). `initial` + `sharedChunks` ride
+ * along unchanged — those are public/content-addressed.
  */
 async function filterManifestForTokens(
   manifest: BuildManifest,
   moduleAccessMap: Map<string, ModuleAccess>,
   tokenPayloads: any[],
 ): Promise<BuildManifest> {
-  const allowedChunks = new Set<string>(["public"]);
+  const allowedGroups = new Set<string>();
   for (const t of tokenPayloads) {
-    if (t?.tokenType) allowedChunks.add(t.tokenType);
+    if (t?.tokenType) allowedGroups.add(t.tokenType);
   }
 
-  const filtered: ModuleDescriptor[] = [];
+  const filteredGroups: Record<string, BuildManifestGroup> = {};
 
-  for (const mod of manifest.modules) {
-    if (!allowedChunks.has(mod.chunk)) continue;
+  for (const [name, group] of Object.entries(manifest.groups)) {
+    if (!allowedGroups.has(name)) continue;
 
-    if (mod.chunk === "public") {
-      filtered.push(mod);
-      continue;
-    }
-
-    // Caller has the right token type — run per-rule `check` if declared.
-    const access = moduleAccessMap.get(mod.name);
-    let granted = true;
-    if (access && access.rules.length > 0) {
-      granted = false;
+    // Every module in the group must pass its per-rule check (if any).
+    // If all rules pass (or none declared), unlock the group bundle.
+    let allGranted = true;
+    for (const moduleName of group.modules) {
+      const access = moduleAccessMap.get(moduleName);
+      if (!access || access.rules.length === 0) continue;
+      let granted = false;
       for (const rule of access.rules) {
-        if (rule.token.name !== mod.chunk) continue;
-        const matching = tokenPayloads.find(
-          (t) => t.tokenType === rule.token.name,
-        );
+        if (rule.token.name !== name) continue;
+        const matching = tokenPayloads.find((t) => t.tokenType === name);
         if (!matching) continue;
         granted = rule.check ? await rule.check(matching) : true;
         if (granted) break;
       }
+      if (!granted) {
+        allGranted = false;
+        break;
+      }
     }
 
-    if (granted) {
-      filtered.push({ ...mod, url: signChunkUrl(mod.chunk, mod.file) });
+    if (allGranted) {
+      filteredGroups[name] = { ...group, url: signGroupUrl(group.file) };
     }
   }
 
   return {
-    modules: filtered,
-    chunks: manifest.chunks,
-    shellHash: manifest.shellHash,
+    initial: manifest.initial,
+    groups: filteredGroups,
+    sharedChunks: manifest.sharedChunks,
     stylesHash: manifest.stylesHash,
     buildTime: manifest.buildTime,
   };
@@ -285,43 +284,40 @@ async function filterManifestForTokens(
 // Platform-specific HTTP handlers
 // ---------------------------------------------------------------------------
 
-/** Chunk names must be alphanumeric + dash/underscore — defends against
- *  path traversal in URL segments like `/modules/../../etc/passwd`. */
-const CHUNK_NAME_RE = /^[A-Za-z0-9_-]+$/;
-/** Module filenames are Bun.build outputs — `<safeName>.js` or `chunk-<hash>.js`. */
-const MODULE_FILE_RE = /^[A-Za-z0-9_.-]+\.js$/;
+/** Browser bundle filenames: `initial.<hash>.js`, `<tokenName>.<hash>.js`,
+ *  `chunk-<hash>.js`. All Bun.build outputs with content-addressed hashes. */
+const BROWSER_FILE_RE = /^[A-Za-z0-9_.-]+\.js$/;
 
 function staticFilesHandler(
   ws: WorkspaceInfo,
   devMode: boolean,
+  getManifest: () => BuildManifest,
 ): ArcHttpHandler {
   return (_req, url, ctx) => {
     const path = url.pathname;
-    if (path.startsWith("/shell/"))
-      return serveFile(join(ws.shellDir, path.slice(7)), ctx.corsHeaders);
-    if (path.startsWith("/modules/")) {
-      // Expected: /modules/<chunk>/<file>.js
-      const rest = path.slice(9);
-      const slash = rest.indexOf("/");
-      if (slash <= 0) {
+    // Single flat browser dir: initial bundle, per-token group entries,
+    // and auto-emitted shared chunks all live in <arcDir>/browser/.
+    if (path.startsWith("/browser/")) {
+      const file = path.slice(9);
+      if (!BROWSER_FILE_RE.test(file)) {
         return new Response("Not Found", { status: 404, headers: ctx.corsHeaders });
       }
-      const chunk = rest.slice(0, slash);
-      const file = rest.slice(slash + 1);
 
-      if (!CHUNK_NAME_RE.test(chunk) || !MODULE_FILE_RE.test(file)) {
-        return new Response("Not Found", { status: 404, headers: ctx.corsHeaders });
-      }
-
-      if (chunk !== "public") {
+      // Only token-group entries are signed. The initial bundle and shared
+      // chunks are content-addressed (filename = hash) — unsigned by design.
+      const manifest = getManifest();
+      const isGroupEntry = Object.values(manifest.groups).some(
+        (g) => g.file === file,
+      );
+      if (isGroupEntry) {
         const sig = url.searchParams.get("sig");
         const exp = url.searchParams.get("exp");
-        if (!verifyChunkSignature(chunk, file, sig, exp)) {
+        if (!verifyGroupSignature(file, sig, exp)) {
           return new Response("Forbidden", { status: 403, headers: ctx.corsHeaders });
         }
       }
 
-      return serveFile(join(ws.modulesDir, chunk, file), {
+      return serveFile(join(ws.browserDir, file), {
         ...ctx.corsHeaders,
         "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
       });
@@ -381,7 +377,7 @@ function apiEndpointsHandler(
       return Response.json(
         {
           status: "ok",
-          modules: getManifest().modules.length,
+          groups: Object.keys(getManifest().groups).length,
           clients: cm?.clientCount ?? 0,
         },
         { headers: ctx.corsHeaders },
@@ -419,9 +415,9 @@ function devReloadHandler(
   };
 }
 
-function spaFallbackHandler(shellHtml: string): ArcHttpHandler {
+function spaFallbackHandler(getShellHtml: () => string): ArcHttpHandler {
   return (_req, _url, ctx) => {
-    return new Response(shellHtml, {
+    return new Response(getShellHtml(), {
       headers: { ...ctx.corsHeaders, "Content-Type": "text/html" },
     });
   };
@@ -435,6 +431,7 @@ export async function startPlatformServer(
   opts: PlatformServerOptions,
 ): Promise<PlatformServer> {
   const { ws, port, devMode, context } = opts;
+  ensureModuleSigSecret(ws, !!devMode);
   const moduleAccessMap = opts.moduleAccess ?? new Map();
   let manifest = opts.manifest;
   const getManifest = () => manifest;
@@ -442,7 +439,10 @@ export async function startPlatformServer(
     manifest = m;
   };
 
-  const shellHtml = generateShellHtml(ws.appName, ws.manifest, opts.arcEntries);
+  // Recompute on every request — manifest.initial.hash changes when public
+  // modules are rebuilt in dev, and we want the new URL in the HTML.
+  const getShellHtml = (): string =>
+    generateShellHtml(ws.appName, ws.manifest, manifest?.initial);
   const sseClients = new Set<ReadableStreamDefaultController>();
 
   const notifyReload = (m: BuildManifest) => {
@@ -487,8 +487,8 @@ export async function startPlatformServer(
         const handlers: ArcHttpHandler[] = [
           apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
           devReloadHandler(sseClients),
-          staticFilesHandler(ws, !!devMode),
-          spaFallbackHandler(shellHtml),
+          staticFilesHandler(ws, !!devMode, getManifest),
+          spaFallbackHandler(getShellHtml),
         ];
 
         for (const handler of handlers) {
@@ -526,8 +526,8 @@ export async function startPlatformServer(
       // Platform-specific handlers (checked AFTER arc handlers)
       apiEndpointsHandler(ws, getManifest, null, moduleAccessMap),
       devReloadHandler(sseClients),
-      staticFilesHandler(ws, !!devMode),
-      spaFallbackHandler(shellHtml),
+      staticFilesHandler(ws, !!devMode, getManifest),
+      spaFallbackHandler(getShellHtml),
     ],
     onWsClose: (clientId) => cleanupClientSubs(clientId),
   });