@arcote.tech/arc-cli 0.7.16 → 0.7.17

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-cli",
-  "version": "0.7.16",
+  "version": "0.7.17",
   "description": "CLI tool for Arc framework",
   "module": "index.ts",
   "main": "dist/index.js",
@@ -12,13 +12,13 @@
     "build": "bun build --target=bun ./src/index.ts --outdir=dist --external @arcote.tech/arc --external @arcote.tech/arc-ds --external @arcote.tech/arc-react --external @arcote.tech/platform --external '@opentelemetry/*' && chmod +x dist/index.js"
   },
   "dependencies": {
-    "@arcote.tech/arc": "^0.7.16",
-    "@arcote.tech/arc-ds": "^0.7.16",
-    "@arcote.tech/arc-react": "^0.7.16",
-    "@arcote.tech/arc-host": "^0.7.16",
-    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.16",
-    "@arcote.tech/arc-adapter-db-postgres": "^0.7.16",
-    "@arcote.tech/arc-otel": "^0.7.16",
+    "@arcote.tech/arc": "^0.7.17",
+    "@arcote.tech/arc-ds": "^0.7.17",
+    "@arcote.tech/arc-react": "^0.7.17",
+    "@arcote.tech/arc-host": "^0.7.17",
+    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.17",
+    "@arcote.tech/arc-adapter-db-postgres": "^0.7.17",
+    "@arcote.tech/arc-otel": "^0.7.17",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/api-logs": "^0.57.0",
     "@opentelemetry/core": "^1.30.0",
@@ -31,7 +31,7 @@
     "@opentelemetry/sdk-trace-base": "^1.30.0",
     "@opentelemetry/sdk-trace-node": "^1.30.0",
     "@opentelemetry/semantic-conventions": "^1.27.0",
-    "@arcote.tech/platform": "^0.7.16",
+    "@arcote.tech/platform": "^0.7.17",
     "@clack/prompts": "^0.9.0",
     "commander": "^11.1.0",
     "chokidar": "^3.5.3",

package/src/builder/chunk-planner.ts

@@ -1,4 +1,5 @@
-import { basename } from "path";
+import { readFileSync, readdirSync, statSync } from "fs";
+import { basename, join } from "path";
 import type { SerializedAccessMap } from "./access-extractor";
 import type { WorkspacePackage } from "./module-builder";
 
@@ -79,6 +80,78 @@ export function planChunks(
   return { assignments, groups, chunks };
 }
 
+// ---------------------------------------------------------------------------
+// Single-module-per-package invariant
+//
+// Chunk grouping is per workspace PACKAGE (planChunks reads the access of the
+// one module derived from the package name and assigns the whole package to
+// that token's chunk). A second `module()` in the same package is invisible to
+// the planner — it silently rides the first module's chunk and token gating.
+// That's how a public/userToken onboarding page can end up trapped in a
+// workspaceToken chunk. Fail the build loudly instead.
+// ---------------------------------------------------------------------------
+
+const MODULE_CALL = /\bmodule\(\s*["'`]([a-zA-Z0-9_-]+)["'`]/g;
+
+function collectModuleNames(dir: string, acc: Set<string>): void {
+  let entries: string[];
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return;
+  }
+  for (const e of entries) {
+    if (e === "node_modules" || e === "dist") continue;
+    const full = join(dir, e);
+    let isDir = false;
+    try {
+      isDir = statSync(full).isDirectory();
+    } catch {
+      continue;
+    }
+    if (isDir) {
+      collectModuleNames(full, acc);
+    } else if (e.endsWith(".ts") || e.endsWith(".tsx")) {
+      const src = readFileSync(full, "utf-8");
+      MODULE_CALL.lastIndex = 0;
+      let m: RegExpExecArray | null;
+      while ((m = MODULE_CALL.exec(src))) acc.add(m[1]);
+    }
+  }
+}
+
+/**
+ * Assert every workspace package declares at most one `module()`. Throws a
+ * build error listing offenders, with the fix (split each extra module into
+ * its own package). Call before chunk planning.
+ */
+export function assertOneModulePerPackage(
+  packages: readonly WorkspacePackage[],
+): void {
+  const offenders: { pkg: string; modules: string[] }[] = [];
+  for (const pkg of packages) {
+    const names = new Set<string>();
+    collectModuleNames(join(pkg.path, "src"), names);
+    if (names.size > 1) {
+      offenders.push({ pkg: pkg.name, modules: [...names].sort() });
+    }
+  }
+  if (offenders.length === 0) return;
+
+  const detail = offenders
+    .map((o) => `  • ${o.pkg} declares ${o.modules.length}: ${o.modules.join(", ")}`)
+    .join("\n");
+  throw new Error(
+    `Arc build: a workspace package must declare at most ONE module().\n` +
+      `Chunk grouping is per-package — a second module() silently inherits the ` +
+      `first module's token protection and chunk, so e.g. a public onboarding ` +
+      `page sharing a package with a workspaceToken-gated module becomes ` +
+      `unreachable for users without that token.\n${detail}\n` +
+      `Fix: move each extra module() into its own workspace package ` +
+      `(declare its own protectedBy there).`,
+  );
+}
+
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -95,13 +168,24 @@ function resolveChunk(
   if (!access || access.rules.length === 0) return PUBLIC_CHUNK;
 
   const tokenNames = new Set(access.rules.map((r) => r.token.name));
-  if (tokenNames.size === 1) {
-    return [...tokenNames][0];
+  if (tokenNames.size > 1) {
+    const list = [...tokenNames].sort().join(", ");
+    throw new Error(
+      `Module "${moduleName}" has access rules for multiple tokens [${list}]. ` +
+        `Multi-token modules are not supported — split the module or unify on a single token type.`,
+    );
   }
 
-  const list = [...tokenNames].sort().join(", ");
-  throw new Error(
-    `Module "${moduleName}" has access rules for multiple tokens [${list}]. ` +
-      `Multi-token modules are not supported — split the module or unify on a single token type.`,
-  );
+  const tokenName = [...tokenNames][0];
+  const hasCheck = access.rules.some((r) => r.hasCheck);
+
+  // A module with a check (e.g. `protectedBy(userToken, t => t.role==='admin')`)
+  // has NARROWER access than the bare token. The server grants a chunk
+  // all-or-nothing: it's served only if EVERY module in it passes its check.
+  // So a checked module sharing a chunk with token-only modules would block
+  // them for users who hold the token but fail the check (an admin gate
+  // trapping an onboarding page). Give each checked module its own chunk;
+  // token-only modules group together under the token name. Chunk name must
+  // be filesystem/URL-safe (BROWSER_FILE_RE) — `__` separator, not `:`.
+  return hasCheck ? `${tokenName}__${moduleName}` : tokenName;
 }

package/src/platform/server.ts

@@ -266,9 +266,11 @@ function parseArcTokensHeader(header: string | null): any[] {
 
 /**
  * Filter manifest groups to those the caller's tokens grant access to. A
- * group is unlocked when (a) the caller carries a token whose `tokenType`
- * matches the group name, and (b) every per-module rule declared via
- * `protectedBy(token, check)` passes for at least one of those tokens.
+ * group is unlocked when EVERY module in it is granted: the caller holds a
+ * token whose name matches one of the module's `protectedBy(token, check)`
+ * rules, and the rule's check (if any) passes. Group names are not 1:1 with
+ * token names — a checked module gets its own chunk (`<token>__<module>`),
+ * so grants are resolved per-module via the access map, not by group name.
  *
  * Returns a manifest with `groups` filtered + each remaining entry's `url`
  * filled with a signed URL (HMAC, 1h TTL). `initial` + `sharedChunks` ride
@@ -279,26 +281,27 @@ async function filterManifestForTokens(
   moduleAccessMap: Map<string, ModuleAccess>,
   tokenPayloads: any[],
 ): Promise<BuildManifest> {
-  const allowedGroups = new Set<string>();
+  // Chunk group names are no longer 1:1 with token names (a checked module
+  // gets its own chunk `<token>__<module>`), so grant by the per-module
+  // access rules, not by the group name. Look tokens up by their name.
+  const tokensByName = new Map<string, any>();
   for (const t of tokenPayloads) {
-    if (t?.tokenType) allowedGroups.add(t.tokenType);
+    if (t?.tokenType) tokensByName.set(t.tokenType, t);
   }
 
   const filteredGroups: Record<string, BuildManifestGroup> = {};
 
   for (const [name, group] of Object.entries(manifest.groups)) {
-    if (!allowedGroups.has(name)) continue;
-
-    // Every module in the group must pass its per-rule check (if any).
-    // If all rules pass (or none declared), unlock the group bundle.
+    // Every module in the group must be granted by a held token (and pass
+    // its check, if any). Chunks are homogeneous post-split — a checked
+    // module is alone in its chunk, so its check can't block other modules.
     let allGranted = true;
     for (const moduleName of group.modules) {
       const access = moduleAccessMap.get(moduleName);
       if (!access || access.rules.length === 0) continue;
       let granted = false;
       for (const rule of access.rules) {
-        if (rule.token.name !== name) continue;
-        const matching = tokenPayloads.find((t) => t.tokenType === name);
+        const matching = tokensByName.get(rule.token.name);
         if (!matching) continue;
         granted = rule.check ? await rule.check(matching) : true;
         if (granted) break;

package/src/platform/shared.ts

@@ -21,7 +21,7 @@ import {
   type BuildCache,
 } from "../builder/build-cache";
 import { extractAccessMap } from "../builder/access-extractor";
-import { planChunks } from "../builder/chunk-planner";
+import { assertOneModulePerPackage, planChunks } from "../builder/chunk-planner";
 import { collectFrameworkDeps } from "../builder/dependency-collector";
 import {
   mtimeOf,
@@ -157,6 +157,10 @@ export async function buildAll(
 
   log(`Building (concurrency parallel${noCache ? ", no-cache" : ""})...`);
 
+  // Phase 0 — invariant check before any work: one module() per package,
+  // else chunk grouping (per-package) silently mis-assigns the extra module.
+  assertOneModulePerPackage(ws.packages);
+
   // Phase 1 — context packages must finish FIRST. The access-extractor
   // subprocess imports workspace packages by name, which resolve through
   // node_modules to packages' `main` field (typically `dist/server/main/`).