npm - @arcote.tech/arc-cli - Versions diffs - 0.7.2 → 0.7.3 - Mend

@arcote.tech/arc-cli 0.7.2 → 0.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -31486,11 +31486,12 @@ async function createArcServer(config) {
 init_i18n();
 import { existsSync as existsSync18, mkdirSync as mkdirSync14 } from "fs";
 import { join as join20 } from "path";
-function generateShellHtml(appName, manifest, initial) {
+function generateShellHtml(appName, manifest, initial, stylesHash) {
   const initialUrl = initial ? `/browser/${initial.file}` : null;
   if (!initialUrl) {
     throw new Error("generateShellHtml: initial bundle missing from manifest");
   }
+  const stylesQs = stylesHash ? `?v=${stylesHash.slice(0, 16)}` : "";
   return `<!doctype html>
 <html lang="en">
 <head>
@@ -31499,8 +31500,8 @@ function generateShellHtml(appName, manifest, initial) {
   <title>${manifest?.title ?? appName}</title>${manifest?.favicon ? `
   <link rel="icon" href="${manifest.favicon}">` : ""}${manifest ? `
   <link rel="manifest" href="/manifest.json">` : ""}
-  <link rel="stylesheet" href="/styles.css" />
-  <link rel="stylesheet" href="/theme.css" />
+  <link rel="stylesheet" href="/styles.css${stylesQs}" />
+  <link rel="stylesheet" href="/theme.css${stylesQs}" />
   <link rel="modulepreload" href="${initialUrl}" />
 </head>
 <body>
@@ -31539,7 +31540,6 @@ function serveFile(filePath, headers = {}) {
   });
 }
 var MODULE_SIG_SECRET = process.env.ARC_MODULE_SECRET ?? "";
-var MODULE_SIG_TTL = 3600;
 function ensureModuleSigSecret(ws, devMode) {
   if (MODULE_SIG_SECRET)
     return;
@@ -31552,19 +31552,16 @@ function ensureModuleSigSecret(ws, devMode) {
   }
 }
 function signGroupUrl(file) {
-  const exp = Math.floor(Date.now() / 1000) + MODULE_SIG_TTL;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${MODULE_SIG_SECRET}`);
   const sig = hasher.digest("hex").slice(0, 16);
-  return `/browser/${file}?sig=${sig}&exp=${exp}`;
+  return `/browser/${file}?sig=${sig}`;
 }
-function verifyGroupSignature(file, sig, exp) {
-  if (!sig || !exp)
-    return false;
-  if (Number(exp) < Date.now() / 1000)
+function verifyGroupSignature(file, sig) {
+  if (!sig)
     return false;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${MODULE_SIG_SECRET}`);
   return hasher.digest("hex").slice(0, 16) === sig;
 }
 function decodeTokenPayload(jwt2) {
@@ -31654,8 +31651,7 @@ function staticFilesHandler(ws, devMode, getManifest) {
       const isGroupEntry = Object.values(manifest.groups).some((g3) => g3.file === file);
       if (isGroupEntry) {
         const sig = url.searchParams.get("sig");
-        const exp = url.searchParams.get("exp");
-        if (!verifyGroupSignature(file, sig, exp)) {
+        if (!verifyGroupSignature(file, sig)) {
           return new Response("Forbidden", { status: 403, headers: ctx.corsHeaders });
         }
       }
@@ -31665,13 +31661,25 @@ function staticFilesHandler(ws, devMode, getManifest) {
       });
     }
     if (path4.startsWith("/locales/"))
-      return serveFile(join20(ws.arcDir, path4.slice(1)), ctx.corsHeaders);
+      return serveFile(join20(ws.arcDir, path4.slice(1)), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=300,stale-while-revalidate=3600"
+      });
     if (path4.startsWith("/assets/"))
-      return serveFile(join20(ws.assetsDir, path4.slice(8)), ctx.corsHeaders);
+      return serveFile(join20(ws.assetsDir, path4.slice(8)), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable"
+      });
     if (path4 === "/styles.css")
-      return serveFile(join20(ws.arcDir, "styles.css"), ctx.corsHeaders);
+      return serveFile(join20(ws.arcDir, "styles.css"), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable"
+      });
     if (path4 === "/theme.css")
-      return serveFile(join20(ws.arcDir, "theme.css"), ctx.corsHeaders);
+      return serveFile(join20(ws.arcDir, "theme.css"), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable"
+      });
     if ((path4 === "/manifest.json" || path4 === "/manifest.webmanifest") && ws.manifest) {
       return serveFile(ws.manifest.path, ctx.corsHeaders);
     }
@@ -31750,7 +31758,7 @@ async function startPlatformServer(opts) {
   const setManifest = (m4) => {
     manifest = m4;
   };
-  const getShellHtml = () => generateShellHtml(ws.appName, ws.manifest, manifest?.initial);
+  const getShellHtml = () => generateShellHtml(ws.appName, ws.manifest, manifest?.initial, manifest?.stylesHash);
   const sseClients = new Set;
   const notifyReload = (m4) => {
     const data = JSON.stringify(m4);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-cli",
-  "version": "0.7.2",
+  "version": "0.7.3",
   "description": "CLI tool for Arc framework",
   "module": "index.ts",
   "main": "dist/index.js",
@@ -12,12 +12,12 @@
     "build": "bun build --target=bun ./src/index.ts --outdir=dist --external @arcote.tech/arc --external @arcote.tech/arc-ds --external @arcote.tech/arc-react --external @arcote.tech/platform && chmod +x dist/index.js"
   },
   "dependencies": {
-    "@arcote.tech/arc": "^0.7.2",
-    "@arcote.tech/arc-ds": "^0.7.2",
-    "@arcote.tech/arc-react": "^0.7.2",
-    "@arcote.tech/arc-host": "^0.7.2",
-    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.2",
-    "@arcote.tech/platform": "^0.7.2",
+    "@arcote.tech/arc": "^0.7.3",
+    "@arcote.tech/arc-ds": "^0.7.3",
+    "@arcote.tech/arc-react": "^0.7.3",
+    "@arcote.tech/arc-host": "^0.7.3",
+    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.3",
+    "@arcote.tech/platform": "^0.7.3",
     "@clack/prompts": "^0.9.0",
     "commander": "^11.1.0",
     "chokidar": "^3.5.3",

package/src/platform/server.ts CHANGED Viewed

@@ -73,6 +73,7 @@ export function generateShellHtml(
   appName: string,
   manifest?: { title: string; favicon?: string },
   initial?: { file: string; hash: string },
+  stylesHash?: string,
 ): string {
   // Initial bundle carries framework, public modules, and PlatformApp re-export.
   // No importmap — single Bun.build with splitting:true inlines + dedups everything
@@ -81,14 +82,19 @@ export function generateShellHtml(
   if (!initialUrl) {
     throw new Error("generateShellHtml: initial bundle missing from manifest");
   }
+  // Append the styles content hash as a query string. Filenames are stable
+  // (/styles.css, /theme.css) but their content changes between builds; the
+  // hash invalidates the browser cache exactly when the content changes,
+  // letting us serve them with `Cache-Control: immutable`.
+  const stylesQs = stylesHash ? `?v=${stylesHash.slice(0, 16)}` : "";
   return `<!doctype html>
 <html lang="en">
 <head>
   <meta charset="UTF-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1.0" />
   <title>${manifest?.title ?? appName}</title>${manifest?.favicon ? `\n  <link rel="icon" href="${manifest.favicon}">` : ""}${manifest ? `\n  <link rel="manifest" href="/manifest.json">` : ""}
-  <link rel="stylesheet" href="/styles.css" />
-  <link rel="stylesheet" href="/theme.css" />
+  <link rel="stylesheet" href="/styles.css${stylesQs}" />
+  <link rel="stylesheet" href="/theme.css${stylesQs}" />
   <link rel="modulepreload" href="${initialUrl}" />
 </head>
 <body>
@@ -148,7 +154,6 @@ function serveFile(
 // without this, every restart invalidates every signed URL in the open page).
 // Prod uses ARC_MODULE_SECRET if set, otherwise a random UUID per process.
 let MODULE_SIG_SECRET: string = process.env.ARC_MODULE_SECRET ?? "";
-const MODULE_SIG_TTL = 3600; // 1 hour
 function ensureModuleSigSecret(ws: WorkspaceInfo, devMode: boolean): void {
   if (MODULE_SIG_SECRET) return;
@@ -163,29 +168,31 @@ function ensureModuleSigSecret(ws: WorkspaceInfo, devMode: boolean): void {
 }
 /**
- * Signed URL for a token-group bundle. HMAC payload binds the filename so
- * a sig minted for `/browser/admin.<hash>.js` cannot be replayed for any
- * other file. Shared chunks (chunk-<hash>.js) are NEVER signed — their
- * filenames are content-hashed and they don't carry private code on their
- * own (group entries side-effect-register the modules).
+ * Signed URL for a token-group bundle. HMAC binds the filename so a sig minted
+ * for `/browser/admin.<hash>.js` cannot be replayed for any other file. Shared
+ * chunks (`chunk-<hash>.js`) are NEVER signed — their names are content-hashed
+ * and they don't carry private code on their own (group entries side-effect-
+ * register the modules).
+ *
+ * The signature is intentionally NOT time-bound. A per-request TTL would
+ * mutate the URL on every `/api/modules` poll, blowing the browser cache for
+ * the (potentially multi-megabyte) protected bundle. Without `exp`:
+ *   - Content hash in the filename invalidates URLs on deploy.
+ *   - In-process secret rotation (new UUID on restart) rotates all sigs.
+ *   - Threat model: a stolen sig only buys access to the JS code itself —
+ *     all runtime API calls re-validate the JWT independently.
  */
 function signGroupUrl(file: string): string {
-  const exp = Math.floor(Date.now() / 1000) + MODULE_SIG_TTL;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${MODULE_SIG_SECRET}`);
   const sig = hasher.digest("hex").slice(0, 16);
-  return `/browser/${file}?sig=${sig}&exp=${exp}`;
+  return `/browser/${file}?sig=${sig}`;
 }
-function verifyGroupSignature(
-  file: string,
-  sig: string | null,
-  exp: string | null,
-): boolean {
-  if (!sig || !exp) return false;
-  if (Number(exp) < Date.now() / 1000) return false;
+function verifyGroupSignature(file: string, sig: string | null): boolean {
+  if (!sig) return false;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${MODULE_SIG_SECRET}`);
   return hasher.digest("hex").slice(0, 16) === sig;
 }
@@ -311,8 +318,7 @@ function staticFilesHandler(
       );
       if (isGroupEntry) {
         const sig = url.searchParams.get("sig");
-        const exp = url.searchParams.get("exp");
-        if (!verifyGroupSignature(file, sig, exp)) {
+        if (!verifyGroupSignature(file, sig)) {
           return new Response("Forbidden", { status: 403, headers: ctx.corsHeaders });
         }
       }
@@ -322,14 +328,34 @@ function staticFilesHandler(
         "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
       });
     }
+    // Locales (compiled .po → .json) — short TTL with SWR; catalogs change
+    // build-to-build but rarely within a session, and they're tiny.
     if (path.startsWith("/locales/"))
-      return serveFile(join(ws.arcDir, path.slice(1)), ctx.corsHeaders);
+      return serveFile(join(ws.arcDir, path.slice(1)), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=300,stale-while-revalidate=3600",
+      });
+    // Browser assets (SQLite WASM worker, etc.) — content-addressed in their
+    // source paths, safe to cache forever in prod.
     if (path.startsWith("/assets/"))
-      return serveFile(join(ws.assetsDir, path.slice(8)), ctx.corsHeaders);
+      return serveFile(join(ws.assetsDir, path.slice(8)), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
+      });
+    // /styles.css and /theme.css have stable URLs but their CONTENT changes
+    // between builds. HTML references them with `?v=<stylesHash>` (see
+    // generateShellHtml), so the URL changes on rebuild and immutable caching
+    // is safe — the handler ignores the query string itself.
     if (path === "/styles.css")
-      return serveFile(join(ws.arcDir, "styles.css"), ctx.corsHeaders);
+      return serveFile(join(ws.arcDir, "styles.css"), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
+      });
     if (path === "/theme.css")
-      return serveFile(join(ws.arcDir, "theme.css"), ctx.corsHeaders);
+      return serveFile(join(ws.arcDir, "theme.css"), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
+      });
     // Serve manifest.json from root dir
     if ((path === "/manifest.json" || path === "/manifest.webmanifest") && ws.manifest) {
@@ -442,7 +468,7 @@ export async function startPlatformServer(
   // Recompute on every request — manifest.initial.hash changes when public
   // modules are rebuilt in dev, and we want the new URL in the HTML.
   const getShellHtml = (): string =>
-    generateShellHtml(ws.appName, ws.manifest, manifest?.initial);
+    generateShellHtml(ws.appName, ws.manifest, manifest?.initial, manifest?.stylesHash);
   const sseClients = new Set<ReadableStreamDefaultController>();
   const notifyReload = (m: BuildManifest) => {