@arcote.tech/arc-cli 0.7.2 → 0.7.4

package/dist/index.js

@@ -26625,7 +26625,7 @@ ${colors3.yellow}Type declaration errors:${colors3.reset}`);
 
 // src/platform/shared.ts
 import { copyFileSync, existsSync as existsSync10, mkdirSync as mkdirSync9, readdirSync as readdirSync5, readFileSync as readFileSync10, writeFileSync as writeFileSync9 } from "fs";
-import { dirname as dirname6, join as join11 } from "path";
+import { dirname as dirname7, join as join11 } from "path";
 
 // src/builder/module-builder.ts
 import { execSync } from "child_process";
@@ -26637,17 +26637,28 @@ import {
   rmSync,
   writeFileSync as writeFileSync6
 } from "fs";
-import { basename as basename2, dirname as dirname5, join as join8, relative as relative3 } from "path";
+import { basename as basename2, dirname as dirname6, join as join8, relative as relative3 } from "path";
 init_i18n();
 init_compile();
 
 // src/builder/build-cache.ts
 import { existsSync as existsSync5, mkdirSync as mkdirSync5, readFileSync as readFileSync5, writeFileSync as writeFileSync5 } from "fs";
-import { join as join6 } from "path";
-var CACHE_VERSION = 2;
+import { join as join6, dirname as dirname5 } from "path";
+import { fileURLToPath as fileURLToPath5 } from "url";
+var CACHE_SCHEMA_VERSION = 3;
 var CACHE_FILE = ".build-cache.json";
+function readCliVersion() {
+  try {
+    const here = dirname5(fileURLToPath5(import.meta.url));
+    const pkg = JSON.parse(readFileSync5(join6(here, "..", "package.json"), "utf-8"));
+    return typeof pkg.version === "string" ? pkg.version : "unknown";
+  } catch {
+    return "unknown";
+  }
+}
+var CACHE_FINGERPRINT = `${CACHE_SCHEMA_VERSION}:${readCliVersion()}`;
 function emptyCache() {
-  return { version: CACHE_VERSION, units: {} };
+  return { version: CACHE_FINGERPRINT, units: {} };
 }
 function loadBuildCache(arcDir) {
   const path4 = join6(arcDir, CACHE_FILE);
@@ -26655,7 +26666,7 @@ function loadBuildCache(arcDir) {
     return emptyCache();
   try {
     const raw = JSON.parse(readFileSync5(path4, "utf-8"));
-    if (raw?.version !== CACHE_VERSION || typeof raw.units !== "object") {
+    if (raw?.version !== CACHE_FINGERPRINT || typeof raw.units !== "object") {
       return emptyCache();
     }
     return raw;
@@ -26963,7 +26974,7 @@ async function buildContextClient(pkg, rootDir, client, cache, noCache) {
   }
   const globalsContent = Object.entries(client.defines).map(([k, v]) => `declare const ${k}: ${v};`).join(`
 `);
-  const declResult = await buildTypeDeclarations([pkg.entrypoint], outDir, dirname5(pkg.entrypoint), globalsContent);
+  const declResult = await buildTypeDeclarations([pkg.entrypoint], outDir, dirname6(pkg.entrypoint), globalsContent);
   const declarationErrors = !declResult.success && declResult.errors.length > 0 ? declResult.errors.map((e) => `[${pkg.name}/${client.name}] ${e}`) : [];
   const outputHash = sha256OfDir(outDir);
   updateCache(cache, unitId, inputHash, { outputHash });
@@ -27527,7 +27538,7 @@ function resolveWorkspace() {
     err("No package.json found");
     process.exit(1);
   }
-  const rootDir = dirname6(packageJsonPath);
+  const rootDir = dirname7(packageJsonPath);
   const rootPkg = JSON.parse(readFileSync10(packageJsonPath, "utf-8"));
   const appName = rootPkg.name ?? "Arc App";
   const arcDir = join11(rootDir, ".arc", "platform");
@@ -27704,7 +27715,7 @@ async function copyBrowserAssets(ws, cache, noCache) {
   const outputHashes = {};
   for (const asset of assets) {
     const dest = join11(ws.assetsDir, asset.to);
-    mkdirSync9(dirname6(dest), { recursive: true });
+    mkdirSync9(dirname7(dest), { recursive: true });
     copyFileSync(asset.src, dest);
     outputHashes[asset.to] = sha256Hex(readFileSync10(dest));
   }
@@ -27763,8 +27774,8 @@ async function platformBuild(opts = {}) {
 
 // src/commands/platform-deploy.ts
 import { existsSync as existsSync17, readFileSync as readFileSync14 } from "fs";
-import { dirname as dirname8, join as join19 } from "path";
-import { fileURLToPath as fileURLToPath6 } from "url";
+import { dirname as dirname9, join as join19 } from "path";
+import { fileURLToPath as fileURLToPath7 } from "url";
 
 // src/deploy/bootstrap.ts
 var {spawn: spawn4 } = globalThis.Bun;
@@ -28968,8 +28979,8 @@ import {
   writeFileSync as writeFileSync14
 } from "fs";
 import { tmpdir as tmpdir3 } from "os";
-import { dirname as dirname7, join as join18 } from "path";
-import { fileURLToPath as fileURLToPath5 } from "url";
+import { dirname as dirname8, join as join18 } from "path";
+import { fileURLToPath as fileURLToPath6 } from "url";
 
 // src/deploy/image-template.ts
 function generateDockerfile(inputs) {
@@ -29061,8 +29072,8 @@ function embedCliBundle(ws) {
   copyFileSync2(source, target);
 }
 function locateCliBundle() {
-  const here = fileURLToPath5(import.meta.url);
-  let cur = dirname7(here);
+  const here = fileURLToPath6(import.meta.url);
+  let cur = dirname8(here);
   while (cur !== "/" && cur !== "") {
     const candidate = join18(cur, "package.json");
     if (existsSync16(candidate)) {
@@ -29080,7 +29091,7 @@ function locateCliBundle() {
           throw e;
       }
     }
-    const parent = dirname7(cur);
+    const parent = dirname8(cur);
     if (parent === cur)
       break;
     cur = parent;
@@ -29969,7 +29980,7 @@ async function platformDeploy(envArg, options = {}) {
   log2("Inspecting remote server...");
   const state = await detectRemoteState(cfg);
   log2(`Remote state: ${state.kind}`);
-  const cliVersion = readCliVersion();
+  const cliVersion = readCliVersion2();
   const configHash = await hashDeployConfig(ws.rootDir);
   await bootstrap({
     cfg,
@@ -30001,10 +30012,10 @@ async function platformDeploy(envArg, options = {}) {
     }
   }
 }
-function readCliVersion() {
+function readCliVersion2() {
   try {
-    let cur = dirname8(fileURLToPath6(import.meta.url));
-    const root = dirname8(cur).startsWith("/") ? "/" : ".";
+    let cur = dirname9(fileURLToPath7(import.meta.url));
+    const root = dirname9(cur).startsWith("/") ? "/" : ".";
     while (cur !== root && cur !== "") {
       const candidate = join19(cur, "package.json");
       if (existsSync17(candidate)) {
@@ -30013,7 +30024,7 @@ function readCliVersion() {
           return pkg.version ?? "unknown";
         }
       }
-      const parent = dirname8(cur);
+      const parent = dirname9(cur);
       if (parent === cur)
         break;
       cur = parent;
@@ -31486,11 +31497,12 @@ async function createArcServer(config) {
 init_i18n();
 import { existsSync as existsSync18, mkdirSync as mkdirSync14 } from "fs";
 import { join as join20 } from "path";
-function generateShellHtml(appName, manifest, initial) {
+function generateShellHtml(appName, manifest, initial, stylesHash) {
   const initialUrl = initial ? `/browser/${initial.file}` : null;
   if (!initialUrl) {
     throw new Error("generateShellHtml: initial bundle missing from manifest");
   }
+  const stylesQs = stylesHash ? `?v=${stylesHash.slice(0, 16)}` : "";
   return `<!doctype html>
 <html lang="en">
 <head>
@@ -31499,8 +31511,8 @@ function generateShellHtml(appName, manifest, initial) {
   <title>${manifest?.title ?? appName}</title>${manifest?.favicon ? `
   <link rel="icon" href="${manifest.favicon}">` : ""}${manifest ? `
   <link rel="manifest" href="/manifest.json">` : ""}
-  <link rel="stylesheet" href="/styles.css" />
-  <link rel="stylesheet" href="/theme.css" />
+  <link rel="stylesheet" href="/styles.css${stylesQs}" />
+  <link rel="stylesheet" href="/theme.css${stylesQs}" />
   <link rel="modulepreload" href="${initialUrl}" />
 </head>
 <body>
@@ -31539,7 +31551,6 @@ function serveFile(filePath, headers = {}) {
   });
 }
 var MODULE_SIG_SECRET = process.env.ARC_MODULE_SECRET ?? "";
-var MODULE_SIG_TTL = 3600;
 function ensureModuleSigSecret(ws, devMode) {
   if (MODULE_SIG_SECRET)
     return;
@@ -31552,19 +31563,16 @@ function ensureModuleSigSecret(ws, devMode) {
   }
 }
 function signGroupUrl(file) {
-  const exp = Math.floor(Date.now() / 1000) + MODULE_SIG_TTL;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${MODULE_SIG_SECRET}`);
   const sig = hasher.digest("hex").slice(0, 16);
-  return `/browser/${file}?sig=${sig}&exp=${exp}`;
+  return `/browser/${file}?sig=${sig}`;
 }
-function verifyGroupSignature(file, sig, exp) {
-  if (!sig || !exp)
-    return false;
-  if (Number(exp) < Date.now() / 1000)
+function verifyGroupSignature(file, sig) {
+  if (!sig)
     return false;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${MODULE_SIG_SECRET}`);
   return hasher.digest("hex").slice(0, 16) === sig;
 }
 function decodeTokenPayload(jwt2) {
@@ -31654,8 +31662,7 @@ function staticFilesHandler(ws, devMode, getManifest) {
       const isGroupEntry = Object.values(manifest.groups).some((g3) => g3.file === file);
       if (isGroupEntry) {
         const sig = url.searchParams.get("sig");
-        const exp = url.searchParams.get("exp");
-        if (!verifyGroupSignature(file, sig, exp)) {
+        if (!verifyGroupSignature(file, sig)) {
           return new Response("Forbidden", { status: 403, headers: ctx.corsHeaders });
         }
       }
@@ -31665,13 +31672,25 @@ function staticFilesHandler(ws, devMode, getManifest) {
       });
     }
     if (path4.startsWith("/locales/"))
-      return serveFile(join20(ws.arcDir, path4.slice(1)), ctx.corsHeaders);
+      return serveFile(join20(ws.arcDir, path4.slice(1)), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=300,stale-while-revalidate=3600"
+      });
     if (path4.startsWith("/assets/"))
-      return serveFile(join20(ws.assetsDir, path4.slice(8)), ctx.corsHeaders);
+      return serveFile(join20(ws.assetsDir, path4.slice(8)), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable"
+      });
     if (path4 === "/styles.css")
-      return serveFile(join20(ws.arcDir, "styles.css"), ctx.corsHeaders);
+      return serveFile(join20(ws.arcDir, "styles.css"), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable"
+      });
     if (path4 === "/theme.css")
-      return serveFile(join20(ws.arcDir, "theme.css"), ctx.corsHeaders);
+      return serveFile(join20(ws.arcDir, "theme.css"), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable"
+      });
     if ((path4 === "/manifest.json" || path4 === "/manifest.webmanifest") && ws.manifest) {
       return serveFile(ws.manifest.path, ctx.corsHeaders);
     }
@@ -31750,7 +31769,7 @@ async function startPlatformServer(opts) {
   const setManifest = (m4) => {
     manifest = m4;
   };
-  const getShellHtml = () => generateShellHtml(ws.appName, ws.manifest, manifest?.initial);
+  const getShellHtml = () => generateShellHtml(ws.appName, ws.manifest, manifest?.initial, manifest?.stylesHash);
   const sseClients = new Set;
   const notifyReload = (m4) => {
     const data = JSON.stringify(m4);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-cli",
-  "version": "0.7.2",
+  "version": "0.7.4",
   "description": "CLI tool for Arc framework",
   "module": "index.ts",
   "main": "dist/index.js",
@@ -12,12 +12,12 @@
     "build": "bun build --target=bun ./src/index.ts --outdir=dist --external @arcote.tech/arc --external @arcote.tech/arc-ds --external @arcote.tech/arc-react --external @arcote.tech/platform && chmod +x dist/index.js"
   },
   "dependencies": {
-    "@arcote.tech/arc": "^0.7.2",
-    "@arcote.tech/arc-ds": "^0.7.2",
-    "@arcote.tech/arc-react": "^0.7.2",
-    "@arcote.tech/arc-host": "^0.7.2",
-    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.2",
-    "@arcote.tech/platform": "^0.7.2",
+    "@arcote.tech/arc": "^0.7.4",
+    "@arcote.tech/arc-ds": "^0.7.4",
+    "@arcote.tech/arc-react": "^0.7.4",
+    "@arcote.tech/arc-host": "^0.7.4",
+    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.4",
+    "@arcote.tech/platform": "^0.7.4",
     "@clack/prompts": "^0.9.0",
     "commander": "^11.1.0",
     "chokidar": "^3.5.3",

package/src/builder/build-cache.ts

@@ -1,11 +1,30 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
-import { join } from "path";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
 
-// v2: switched from `modules-bundle` (one unit) to `modules-chunk:<name>`
-// (one unit per chunk group). Old v1 entries are irrelevant.
-const CACHE_VERSION = 2;
+// Schema version — bump if cache entry shape changes.
+const CACHE_SCHEMA_VERSION = 3;
 const CACHE_FILE = ".build-cache.json";
 
+/**
+ * Combined cache fingerprint: schema version + CLI version. Lets a newer CLI
+ * automatically invalidate dist/ produced by an older CLI even when source
+ * hashes match. Without this, a build-logic change in the CLI (e.g.
+ * externalization rules in buildContextClient) silently kept stale dist/
+ * around — see the v0.7.3 "creatorWorkspaces not found in context" incident.
+ */
+function readCliVersion(): string {
+  try {
+    // Bundled CLI lives at `<pkg>/dist/index.js`; package.json is one level up.
+    const here = dirname(fileURLToPath(import.meta.url));
+    const pkg = JSON.parse(readFileSync(join(here, "..", "package.json"), "utf-8"));
+    return typeof pkg.version === "string" ? pkg.version : "unknown";
+  } catch {
+    return "unknown";
+  }
+}
+const CACHE_FINGERPRINT = `${CACHE_SCHEMA_VERSION}:${readCliVersion()}`;
+
 export interface CacheEntry {
   inputHash: string;
   outputHash?: string;
@@ -13,22 +32,22 @@ export interface CacheEntry {
 }
 
 export interface BuildCache {
-  version: typeof CACHE_VERSION;
+  version: string;
   units: Record<string, CacheEntry>;
 }
 
 function emptyCache(): BuildCache {
-  return { version: CACHE_VERSION, units: {} };
+  return { version: CACHE_FINGERPRINT, units: {} };
 }
 
 /** Loads cache from .arc/platform/.build-cache.json. Returns empty cache on
- *  missing file, parse error, or version mismatch. */
+ *  missing file, parse error, or fingerprint mismatch (schema OR CLI version). */
 export function loadBuildCache(arcDir: string): BuildCache {
   const path = join(arcDir, CACHE_FILE);
   if (!existsSync(path)) return emptyCache();
   try {
     const raw = JSON.parse(readFileSync(path, "utf-8"));
-    if (raw?.version !== CACHE_VERSION || typeof raw.units !== "object") {
+    if (raw?.version !== CACHE_FINGERPRINT || typeof raw.units !== "object") {
       return emptyCache();
     }
     return raw as BuildCache;

package/src/platform/server.ts

@@ -73,6 +73,7 @@ export function generateShellHtml(
   appName: string,
   manifest?: { title: string; favicon?: string },
   initial?: { file: string; hash: string },
+  stylesHash?: string,
 ): string {
   // Initial bundle carries framework, public modules, and PlatformApp re-export.
   // No importmap — single Bun.build with splitting:true inlines + dedups everything
@@ -81,14 +82,19 @@ export function generateShellHtml(
   if (!initialUrl) {
     throw new Error("generateShellHtml: initial bundle missing from manifest");
   }
+  // Append the styles content hash as a query string. Filenames are stable
+  // (/styles.css, /theme.css) but their content changes between builds; the
+  // hash invalidates the browser cache exactly when the content changes,
+  // letting us serve them with `Cache-Control: immutable`.
+  const stylesQs = stylesHash ? `?v=${stylesHash.slice(0, 16)}` : "";
   return `<!doctype html>
 <html lang="en">
 <head>
   <meta charset="UTF-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1.0" />
   <title>${manifest?.title ?? appName}</title>${manifest?.favicon ? `\n  <link rel="icon" href="${manifest.favicon}">` : ""}${manifest ? `\n  <link rel="manifest" href="/manifest.json">` : ""}
-  <link rel="stylesheet" href="/styles.css" />
-  <link rel="stylesheet" href="/theme.css" />
+  <link rel="stylesheet" href="/styles.css${stylesQs}" />
+  <link rel="stylesheet" href="/theme.css${stylesQs}" />
   <link rel="modulepreload" href="${initialUrl}" />
 </head>
 <body>
@@ -148,7 +154,6 @@ function serveFile(
 // without this, every restart invalidates every signed URL in the open page).
 // Prod uses ARC_MODULE_SECRET if set, otherwise a random UUID per process.
 let MODULE_SIG_SECRET: string = process.env.ARC_MODULE_SECRET ?? "";
-const MODULE_SIG_TTL = 3600; // 1 hour
 
 function ensureModuleSigSecret(ws: WorkspaceInfo, devMode: boolean): void {
   if (MODULE_SIG_SECRET) return;
@@ -163,29 +168,31 @@ function ensureModuleSigSecret(ws: WorkspaceInfo, devMode: boolean): void {
 }
 
 /**
- * Signed URL for a token-group bundle. HMAC payload binds the filename so
- * a sig minted for `/browser/admin.<hash>.js` cannot be replayed for any
- * other file. Shared chunks (chunk-<hash>.js) are NEVER signed — their
- * filenames are content-hashed and they don't carry private code on their
- * own (group entries side-effect-register the modules).
+ * Signed URL for a token-group bundle. HMAC binds the filename so a sig minted
+ * for `/browser/admin.<hash>.js` cannot be replayed for any other file. Shared
+ * chunks (`chunk-<hash>.js`) are NEVER signed — their names are content-hashed
+ * and they don't carry private code on their own (group entries side-effect-
+ * register the modules).
+ *
+ * The signature is intentionally NOT time-bound. A per-request TTL would
+ * mutate the URL on every `/api/modules` poll, blowing the browser cache for
+ * the (potentially multi-megabyte) protected bundle. Without `exp`:
+ *   - Content hash in the filename invalidates URLs on deploy.
+ *   - In-process secret rotation (new UUID on restart) rotates all sigs.
+ *   - Threat model: a stolen sig only buys access to the JS code itself —
+ *     all runtime API calls re-validate the JWT independently.
  */
 function signGroupUrl(file: string): string {
-  const exp = Math.floor(Date.now() / 1000) + MODULE_SIG_TTL;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${MODULE_SIG_SECRET}`);
   const sig = hasher.digest("hex").slice(0, 16);
-  return `/browser/${file}?sig=${sig}&exp=${exp}`;
+  return `/browser/${file}?sig=${sig}`;
 }
 
-function verifyGroupSignature(
-  file: string,
-  sig: string | null,
-  exp: string | null,
-): boolean {
-  if (!sig || !exp) return false;
-  if (Number(exp) < Date.now() / 1000) return false;
+function verifyGroupSignature(file: string, sig: string | null): boolean {
+  if (!sig) return false;
   const hasher = new Bun.CryptoHasher("sha256");
-  hasher.update(`${file}:${exp}:${MODULE_SIG_SECRET}`);
+  hasher.update(`${file}:${MODULE_SIG_SECRET}`);
   return hasher.digest("hex").slice(0, 16) === sig;
 }
 
@@ -311,8 +318,7 @@ function staticFilesHandler(
       );
       if (isGroupEntry) {
         const sig = url.searchParams.get("sig");
-        const exp = url.searchParams.get("exp");
-        if (!verifyGroupSignature(file, sig, exp)) {
+        if (!verifyGroupSignature(file, sig)) {
           return new Response("Forbidden", { status: 403, headers: ctx.corsHeaders });
         }
       }
@@ -322,14 +328,34 @@ function staticFilesHandler(
         "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
       });
     }
+    // Locales (compiled .po → .json) — short TTL with SWR; catalogs change
+    // build-to-build but rarely within a session, and they're tiny.
     if (path.startsWith("/locales/"))
-      return serveFile(join(ws.arcDir, path.slice(1)), ctx.corsHeaders);
+      return serveFile(join(ws.arcDir, path.slice(1)), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=300,stale-while-revalidate=3600",
+      });
+    // Browser assets (SQLite WASM worker, etc.) — content-addressed in their
+    // source paths, safe to cache forever in prod.
     if (path.startsWith("/assets/"))
-      return serveFile(join(ws.assetsDir, path.slice(8)), ctx.corsHeaders);
+      return serveFile(join(ws.assetsDir, path.slice(8)), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
+      });
+    // /styles.css and /theme.css have stable URLs but their CONTENT changes
+    // between builds. HTML references them with `?v=<stylesHash>` (see
+    // generateShellHtml), so the URL changes on rebuild and immutable caching
+    // is safe — the handler ignores the query string itself.
     if (path === "/styles.css")
-      return serveFile(join(ws.arcDir, "styles.css"), ctx.corsHeaders);
+      return serveFile(join(ws.arcDir, "styles.css"), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
+      });
     if (path === "/theme.css")
-      return serveFile(join(ws.arcDir, "theme.css"), ctx.corsHeaders);
+      return serveFile(join(ws.arcDir, "theme.css"), {
+        ...ctx.corsHeaders,
+        "Cache-Control": devMode ? "no-cache" : "max-age=31536000,immutable",
+      });
 
     // Serve manifest.json from root dir
     if ((path === "/manifest.json" || path === "/manifest.webmanifest") && ws.manifest) {
@@ -442,7 +468,7 @@ export async function startPlatformServer(
   // Recompute on every request — manifest.initial.hash changes when public
   // modules are rebuilt in dev, and we want the new URL in the HTML.
   const getShellHtml = (): string =>
-    generateShellHtml(ws.appName, ws.manifest, manifest?.initial);
+    generateShellHtml(ws.appName, ws.manifest, manifest?.initial, manifest?.stylesHash);
   const sseClients = new Set<ReadableStreamDefaultController>();
 
   const notifyReload = (m: BuildManifest) => {