@arcote.tech/arc-cli 0.7.20 → 0.7.22

package/dist/index.js

@@ -853,7 +853,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
         this._exitCallback = (err) => {
           if (err.code !== "commander.executeSubCommandAsync") {
             throw err;
-          } else {}
+          }
         };
       }
       return this;
@@ -34723,6 +34723,17 @@ function serverExternalsPlugin() {
     }
   };
 }
+function workspaceSourcePlugin(srcByName) {
+  return {
+    name: "workspace-source",
+    setup(build2) {
+      build2.onResolve({ filter: /^[^./]/ }, (args) => {
+        const src = srcByName.get(args.path);
+        return src ? { path: src, sideEffects: true } : null;
+      });
+    }
+  };
+}
 function jsxDevShimPlugin() {
   return {
     name: "jsx-dev-runtime-shim",
@@ -34743,9 +34754,10 @@ export { Fragment };
   };
 }
 var CONTEXT_CLIENTS = [
-  { name: "server", target: "bun", defines: { ONLY_SERVER: "true", ONLY_BROWSER: "false", ONLY_CLIENT: "false" } },
   { name: "browser", target: "browser", defines: { ONLY_SERVER: "false", ONLY_BROWSER: "true", ONLY_CLIENT: "true" } }
 ];
+var SERVER_DEFINES = { ONLY_SERVER: "true", ONLY_BROWSER: "false", ONLY_CLIENT: "false" };
+var SERVER_ENTRY_FILE = "_server.js";
 function discoverPackages(rootDir) {
   const rootPkg = JSON.parse(readFileSync7(join8(rootDir, "package.json"), "utf-8"));
   const workspaceGlobs = rootPkg.workspaces ?? [];
@@ -34838,9 +34850,7 @@ async function buildContextClient(pkg, rootDir, client, cache, noCache) {
   console.log(`  building: ${pkg.name} (${client.name})`);
   const peerDeps = Object.keys(pkg.packageJson.peerDependencies ?? {});
   const allDeps = pkg.packageJson.dependencies ?? {};
-  const isBrowser2 = client.name === "browser";
-  const workspaceDeps = isBrowser2 ? Object.keys(allDeps) : Object.entries(allDeps).filter(([, spec]) => !spec.startsWith("workspace:")).map(([name]) => name);
-  const externals = [...peerDeps, ...workspaceDeps];
+  const externals = [...peerDeps, ...Object.keys(allDeps)];
   const result = await Bun.build({
     entrypoints: [pkg.entrypoint],
     outdir: join8(outDir, "main"),
@@ -34848,7 +34858,7 @@ async function buildContextClient(pkg, rootDir, client, cache, noCache) {
     format: "esm",
     naming: "index.[ext]",
     external: externals,
-    plugins: isBrowser2 ? [jsxDevShimPlugin()] : [jsxDevShimPlugin(), serverExternalsPlugin()],
+    plugins: [jsxDevShimPlugin()],
     define: client.defines
   });
   if (!result.success) {
@@ -34911,6 +34921,80 @@ async function buildContextPackages(rootDir, packages, cache, noCache) {
   }
   return { declarationErrors };
 }
+async function buildServerApp(rootDir, serverDir, packages, cache, noCache) {
+  const contexts = packages.filter((p) => isContextPackage(p.packageJson));
+  mkdirSync6(serverDir, { recursive: true });
+  const srcByName = new Map(packages.map((p) => [p.name, p.entrypoint]));
+  const externalSet = new Set(FRAMEWORK_PEERS);
+  for (const p of packages) {
+    for (const name of Object.keys(p.packageJson.peerDependencies ?? {})) {
+      externalSet.add(name);
+    }
+    for (const [name, spec] of Object.entries(p.packageJson.dependencies ?? {})) {
+      if (!spec.startsWith("workspace:"))
+        externalSet.add(name);
+    }
+  }
+  const external = [...externalSet];
+  const unitId = "server-app";
+  const inputHash = sha256OfJson({
+    members: packages.map((p) => ({ name: p.name, src: pkgSourceHash(p) })).sort((a, b) => a.name.localeCompare(b.name)),
+    contexts: contexts.map((p) => p.name).sort(),
+    external: [...external].sort(),
+    defines: SERVER_DEFINES
+  });
+  const entryFileAbs = join8(serverDir, SERVER_ENTRY_FILE);
+  if (!noCache && isCacheHit(cache, unitId, inputHash, [entryFileAbs])) {
+    console.log(`  \u2713 cached: ${unitId}`);
+    return { entryFile: SERVER_ENTRY_FILE, cached: true };
+  }
+  console.log(`  building: ${unitId} (${contexts.length} server modules)`);
+  for (const f of readdirSync4(serverDir)) {
+    if (f.endsWith(".js"))
+      rmSync(join8(serverDir, f), { force: true });
+  }
+  const tmpDir = join8(serverDir, "_entries");
+  mkdirSync6(tmpDir, { recursive: true });
+  const entrySrc = join8(tmpDir, SERVER_ENTRY_FILE.replace(/\.js$/, ".ts"));
+  writeFileSync6(entrySrc, contexts.map((p) => `import "${p.name}";`).join(`
+`) + `
+`);
+  let result;
+  try {
+    result = await Bun.build({
+      entrypoints: [entrySrc],
+      outdir: serverDir,
+      target: "bun",
+      format: "esm",
+      splitting: true,
+      naming: "[name].[ext]",
+      external,
+      plugins: [
+        jsxDevShimPlugin(),
+        serverExternalsPlugin(),
+        workspaceSourcePlugin(srcByName)
+      ],
+      define: SERVER_DEFINES
+    });
+  } finally {
+    rmSync(tmpDir, { recursive: true, force: true });
+  }
+  if (!result.success) {
+    for (const log2 of result.logs)
+      console.error(log2);
+    throw new Error("Server app build failed");
+  }
+  const entryOut = result.outputs.find((o) => o.kind === "entry-point");
+  if (!entryOut) {
+    throw new Error("Server app build: entry not found in outputs");
+  }
+  if (basename2(entryOut.path) !== SERVER_ENTRY_FILE) {
+    throw new Error(`Server app build: unexpected entry name ${basename2(entryOut.path)} (wanted ${SERVER_ENTRY_FILE})`);
+  }
+  const outputHash = sha256OfDir(serverDir);
+  updateCache(cache, unitId, inputHash, { outputHash });
+  return { entryFile: SERVER_ENTRY_FILE, cached: false };
+}
 async function buildBrowserApp(rootDir, outDir, plan, cache, noCache, i18nCollector) {
   mkdirSync6(outDir, { recursive: true });
   const publicMembers = plan.groups.get("public") ?? [];
@@ -35216,11 +35300,8 @@ import {
   writeFileSync as writeFileSync7
 } from "fs";
 import { join as join9 } from "path";
-async function extractAccessMap(rootDir, packages) {
-  const serverBundles = packages.filter((p) => isContextPackage(p.packageJson)).map((p) => ({
-    name: p.name,
-    path: join9(p.path, "dist", "server", "main", "index.js")
-  })).filter((b) => existsSync8(b.path));
+async function extractAccessMap(rootDir, serverBundlePath) {
+  const serverBundles = existsSync8(serverBundlePath) ? [{ name: "server", path: serverBundlePath }] : [];
   const workerDir = join9(rootDir, ".arc", ".tmp");
   mkdirSync7(workerDir, { recursive: true });
   const workerPath = join9(workerDir, `access-extractor-${Date.now()}.mjs`);
@@ -35549,8 +35630,9 @@ async function buildAll(ws, opts = {}) {
   log2(`Building (concurrency parallel${noCache ? ", no-cache" : ""})...`);
   assertOneModulePerPackage(ws.packages);
   await buildContextPackages(ws.rootDir, ws.packages, cache, noCache);
-  copyContextServerBundles(ws);
-  const accessMap = await extractAccessMap(ws.rootDir, ws.packages);
+  const serverDir = join12(ws.arcDir, "server");
+  const { entryFile: serverEntry } = await buildServerApp(ws.rootDir, serverDir, ws.packages, cache, noCache);
+  const accessMap = await extractAccessMap(ws.rootDir, join12(serverDir, serverEntry));
   mkdirSync9(ws.arcDir, { recursive: true });
   writeFileSync9(join12(ws.arcDir, "access.json"), JSON.stringify(accessMap, null, 2) + `
 `);
@@ -35581,22 +35663,6 @@ function assembleManifest(ws, browser, cache) {
     buildTime: new Date().toISOString()
   };
 }
-function copyContextServerBundles(ws) {
-  const outDir = join12(ws.arcDir, "server");
-  mkdirSync9(outDir, { recursive: true });
-  for (const pkg of ws.packages) {
-    if (!isContextPackage(pkg.packageJson))
-      continue;
-    const src = join12(pkg.path, "dist", "server", "main", "index.js");
-    if (!existsSync10(src)) {
-      err(`Server bundle missing for ${pkg.name}: ${src}`);
-      continue;
-    }
-    const safeName = pkg.path.split("/").pop();
-    const dst = join12(outDir, `${safeName}.js`);
-    copyFileSync(src, dst);
-  }
-}
 function resolveAssetSource(from, pkgDir, rootDir) {
   if (from.startsWith("./") || from.startsWith("../")) {
     const resolved = join12(pkgDir, from);
@@ -35692,34 +35758,15 @@ async function loadServerContext(ws) {
   const platformPkg = JSON.parse(readFileSync11(join12(platformDir, "package.json"), "utf-8"));
   const platformEntry = join12(platformDir, platformPkg.main ?? "src/index.ts");
   await import(platformEntry);
-  const serverDir = join12(ws.arcDir, "server");
-  const bundles = existsSync10(serverDir) ? readdirSync6(serverDir).filter((f) => f.endsWith(".js")) : [];
-  if (bundles.length > 0) {
-    for (const file of bundles) {
-      const bundlePath = join12(serverDir, file);
-      try {
-        await import(bundlePath);
-      } catch (e) {
-        err(`Failed to load server bundle ${file}: ${e}`);
-      }
-    }
-  } else if (ws.packages.length > 0) {
-    const ctxPackages = ws.packages.filter((p) => isContextPackage(p.packageJson));
-    for (const ctx of ctxPackages) {
-      const serverDist = join12(ctx.path, "dist", "server", "main", "index.js");
-      if (!existsSync10(serverDist)) {
-        err(`Context server dist not found: ${serverDist}`);
-        continue;
-      }
-      try {
-        await import(serverDist);
-      } catch (e) {
-        err(`Failed to load server context from ${ctx.name}: ${e}`);
-      }
-    }
-  } else {
+  const serverEntry = join12(ws.arcDir, "server", SERVER_ENTRY_FILE);
+  if (!existsSync10(serverEntry)) {
     return { context: null, moduleAccess: new Map };
   }
+  try {
+    await import(serverEntry);
+  } catch (e) {
+    err(`Failed to load server bundle ${SERVER_ENTRY_FILE}: ${e}`);
+  }
   const { getContext, getAllModuleAccess } = await import(platformEntry);
   return {
     context: getContext() ?? null,
@@ -36553,8 +36600,13 @@ ${envNames.map((name) => `            - "https://${cfg.envs[name].domain}"`).joi
 
   # Per-container CPU / memory / network / block-IO + restarts straight from
   # the Docker daemon (socket bind-mounted read-only, see compose).
+  # api_version pinned: the receiver defaults to Docker API 1.25, which modern
+  # daemons (Engine 25+ require >= 1.40) reject \u2014 without this the receiver
+  # fails to start and takes the whole collector down. Quoted so YAML doesn't
+  # parse 1.40 \u2192 1.4. Must be <= the daemon's max; 1.40 is the safe floor.
   docker_stats:
     endpoint: unix:///var/run/docker.sock
+    api_version: "1.40"
     collection_interval: 30s
     metrics:
       container.restarts:
@@ -36824,6 +36876,15 @@ function generateAlloyConfig() {
 discovery.docker "containers" {
   host             = "unix:///var/run/docker.sock"
   refresh_interval = "15s"
+
+  // Only containers managed by a compose project (our stack). Ad-hoc / rogue
+  // containers (manual debug runs, other stacks) are excluded \u2014 one bad
+  // stream (e.g. log entries older than Loki's reject window) otherwise 400s
+  // the whole loki.write batch and drops good app logs with it.
+  filter {
+    name   = "label"
+    values = ["com.docker.compose.project"]
+  }
 }
 
 discovery.relabel "containers" {
@@ -38030,9 +38091,20 @@ async function streamToString(stream2) {
     return "";
   return new Response(stream2).text();
 }
+function sshMuxArgs() {
+  return [
+    "-o",
+    "ControlMaster=auto",
+    "-o",
+    `ControlPath=${join17(homedir3(), ".ssh", "cm-arc-%C")}`,
+    "-o",
+    "ControlPersist=120"
+  ];
+}
 function baseSshArgs(target) {
   const key = pickSshKey(target);
   const args = [
+    ...sshMuxArgs(),
     "-o",
     "BatchMode=yes",
     "-o",
@@ -38096,6 +38168,7 @@ async function canSsh(target) {
 async function scpUpload(target, localPath, remotePath) {
   const key = pickSshKey(target);
   const args = [
+    ...sshMuxArgs(),
     "-o",
     "BatchMode=yes",
     "-o",
@@ -38120,6 +38193,22 @@ async function scpUpload(target, localPath, remotePath) {
     throw new Error(`scp failed (${exitCode}): ${stderr}`);
   }
 }
+async function closeSshMaster(target) {
+  try {
+    const proc2 = spawn3({
+      cmd: [
+        "ssh",
+        ...baseSshArgs(target),
+        "-O",
+        "exit",
+        `${target.user}@${target.host}`
+      ],
+      stdout: "ignore",
+      stderr: "ignore"
+    });
+    await proc2.exited;
+  } catch {}
+}
 
 // src/deploy/remote-state.ts
 var STATE_MARKER_PATH = "/opt/arc/.arc-state.json";
@@ -38127,38 +38216,55 @@ async function detectRemoteState(cfg) {
   if (cfg.target.host === "PENDING_TERRAFORM" || !cfg.target.host) {
     return { kind: "unreachable", reason: "target.host not yet set" };
   }
-  if (!await canSsh(cfg.target)) {
+  const composeDir = cfg.target.remoteDir;
+  const probe = [
+    `command -v docker >/dev/null 2>&1 && echo DOCKER=1 || echo DOCKER=0`,
+    `echo '---PS---'`,
+    `[ -f ${composeDir}/docker-compose.yml ] && (cd ${composeDir} && docker compose ps --format '{{.Service}}' 2>/dev/null) || true`,
+    `echo '---MARKER---'`,
+    `cat ${STATE_MARKER_PATH} 2>/dev/null || true`
+  ].join(`
+`);
+  const res = await sshExec(cfg.target, probe, { quiet: true });
+  if (res.exitCode !== 0) {
     if (await canSsh({ ...cfg.target, user: "root" })) {
       return { kind: "no-docker" };
     }
     return { kind: "unreachable", reason: "ssh connection failed" };
   }
-  const dockerCheck = await sshExec(cfg.target, "command -v docker", {
-    quiet: true
-  });
-  if (dockerCheck.exitCode !== 0) {
+  const out = res.stdout;
+  if (!out.includes("DOCKER=1")) {
     return { kind: "no-docker" };
   }
-  const composeDir = `${cfg.target.remoteDir}`;
-  const psCheck = await sshExec(cfg.target, `test -f ${composeDir}/docker-compose.yml && cd ${composeDir} && docker compose ps --format '{{.Service}}' || true`, { quiet: true });
-  if (psCheck.exitCode !== 0 || psCheck.stdout.trim() === "") {
+  const psSection = sectionBetween(out, "---PS---", "---MARKER---").trim();
+  if (psSection === "") {
     return { kind: "no-stack" };
   }
-  const running = psCheck.stdout.split(`
+  const running = psSection.split(`
 `).map((l) => l.trim()).filter((l) => l.startsWith("arc-")).map((l) => l.replace(/^arc-/, ""));
-  const markerRaw = await sshExec(cfg.target, `cat ${STATE_MARKER_PATH}`, {
-    quiet: true
-  });
+  const markerSection = afterMarker(out, "---MARKER---").trim();
   let marker = null;
-  if (markerRaw.exitCode === 0) {
+  if (markerSection) {
     try {
-      marker = JSON.parse(markerRaw.stdout);
+      marker = JSON.parse(markerSection);
     } catch {
       marker = null;
     }
   }
   return { kind: "ready", runningEnvs: running, marker };
 }
+function sectionBetween(s, start, end) {
+  const i = s.indexOf(start);
+  if (i < 0)
+    return "";
+  const from = i + start.length;
+  const j = s.indexOf(end, from);
+  return s.slice(from, j < 0 ? undefined : j);
+}
+function afterMarker(s, marker) {
+  const i = s.indexOf(marker);
+  return i < 0 ? "" : s.slice(i + marker.length);
+}
 async function writeStateMarker(target, marker) {
   const json = JSON.stringify(marker, null, 2);
   await assertExec(target, `sudo tee ${STATE_MARKER_PATH} > /dev/null <<'JSON'
@@ -38415,31 +38521,20 @@ async function updateEnvDeployment(opts) {
   const envVarName = `ARC_IMAGE_${upperEnv}`;
   const envPath = `${cfg.target.remoteDir}/.env`;
   const escapedRef = fullRef.replace(/"/g, "\\\"");
-  const updateScript = [
-    `touch ${envPath} && `,
-    `awk -v line="${envVarName}=${escapedRef}" -v key="${envVarName}=" '`,
-    `  BEGIN { replaced=0 } `,
-    `  $0 ~ "^"key { print line; replaced=1; next } `,
-    `  { print } `,
-    `  END { if (!replaced) print line } `,
-    `' ${envPath} > ${envPath}.tmp && mv ${envPath}.tmp ${envPath}`
-  ].join("");
-  await assertExec(target, updateScript);
-  await assertExec(target, `cd ${cfg.target.remoteDir} && docker compose pull arc-${env2}`);
-  await assertExec(target, `cd ${cfg.target.remoteDir} && docker compose up -d arc-${env2}`);
   const retain = opts.retainImages ?? 3;
   const imageBaseName = imageBaseFromRef(fullRef);
-  if (imageBaseName) {
-    const pruneScript = [
-      `docker images "${imageBaseName}" --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" `,
-      `| grep -v ":latest " `,
-      `| sort -k2,3 -r `,
-      `| tail -n +${retain + 1} `,
-      `| awk '{print $1}' `,
-      `| xargs -r docker rmi 2>/dev/null || true`
-    ].join("");
-    await sshExec(target, pruneScript, { quiet: true });
-  }
+  const pruneCmd = imageBaseName ? `docker images "${imageBaseName}" --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | grep -v ":latest " | sort -k2,3 -r | tail -n +${retain + 1} | awk '{print $1}' | xargs -r docker rmi 2>/dev/null || true` : `true`;
+  const script = [
+    `set -e`,
+    `cd ${cfg.target.remoteDir}`,
+    `touch ${envPath}`,
+    `awk -v line="${envVarName}=${escapedRef}" -v key="${envVarName}=" 'BEGIN{replaced=0} $0 ~ "^"key {print line; replaced=1; next} {print} END{if(!replaced) print line}' ${envPath} > ${envPath}.tmp && mv ${envPath}.tmp ${envPath}`,
+    `docker compose pull arc-${env2}`,
+    `docker compose up -d arc-${env2}`,
+    pruneCmd
+  ].join(`
+`);
+  await assertExec(target, script);
   const ok2 = await healthCheck(target, env2);
   return { env: env2, fullRef, redeployed: ok2 };
 }
@@ -39480,38 +39575,42 @@ async function platformDeploy(envArg, options = {}) {
     }
   }
   log2("Inspecting remote server...");
-  const state = await detectRemoteState(cfg);
-  log2(`Remote state: ${state.kind}`);
-  const cliVersion = readCliVersion2();
-  const configHash = await hashDeployConfig(ws.rootDir);
-  await bootstrap({
-    cfg,
-    rootDir: ws.rootDir,
-    state,
-    cliVersion,
-    configHash,
-    forceAnsible: options.forceBootstrap
-  });
-  if (!options.imageTag) {
-    log2(`Logging in to ${cfg.registry.domain}...`);
-    await dockerLogin(cfg.registry);
-    log2(`Pushing ${fullRef}...`);
-    await dockerPush(fullRef);
-    ok("Image pushed");
-  }
-  for (const env2 of targetEnvs) {
-    log2(`Updating env "${env2}"...`);
-    const outcome = await updateEnvDeployment({
-      target: cfg.target,
+  try {
+    const state = await detectRemoteState(cfg);
+    log2(`Remote state: ${state.kind}`);
+    const cliVersion = readCliVersion2();
+    const configHash = await hashDeployConfig(ws.rootDir);
+    await bootstrap({
       cfg,
-      env: env2,
-      fullRef
+      rootDir: ws.rootDir,
+      state,
+      cliVersion,
+      configHash,
+      forceAnsible: options.forceBootstrap
     });
-    if (outcome.redeployed) {
-      ok(`${env2}: live at ${fullRef}`);
-    } else {
-      err(`${env2}: deployed but health check did not pass within retries \u2014 check \`docker logs arc-${env2}\``);
+    if (!options.imageTag) {
+      log2(`Logging in to ${cfg.registry.domain}...`);
+      await dockerLogin(cfg.registry);
+      log2(`Pushing ${fullRef}...`);
+      await dockerPush(fullRef);
+      ok("Image pushed");
+    }
+    for (const env2 of targetEnvs) {
+      log2(`Updating env "${env2}"...`);
+      const outcome = await updateEnvDeployment({
+        target: cfg.target,
+        cfg,
+        env: env2,
+        fullRef
+      });
+      if (outcome.redeployed) {
+        ok(`${env2}: live at ${fullRef}`);
+      } else {
+        err(`${env2}: deployed but health check did not pass within retries \u2014 check \`docker logs arc-${env2}\``);
+      }
     }
+  } finally {
+    await closeSshMaster(cfg.target);
   }
 }
 function readCliVersion2() {
@@ -40790,6 +40889,7 @@ async function createArcServer(config) {
   const cronScheduler = new CronScheduler(contextHandler);
   cronScheduler.start();
   const connectionManager = new ConnectionManager;
+  const coep = config.coep ?? "unsafe-none";
   function buildCorsHeaders(req) {
     const origin = req?.headers.get("Origin") || "*";
     return {
@@ -40798,7 +40898,7 @@ async function createArcServer(config) {
       "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Arc-Scope, X-Arc-Tokens",
       "Access-Control-Allow-Credentials": "true",
       "Cross-Origin-Opener-Policy": "same-origin",
-      "Cross-Origin-Embedder-Policy": "require-corp",
+      "Cross-Origin-Embedder-Policy": coep,
       "Cross-Origin-Resource-Policy": "cross-origin"
     };
   }
@@ -41259,6 +41359,7 @@ function spaFallbackHandler(getShellHtml) {
 }
 async function startPlatformServer(opts) {
   const { ws, port, devMode, context: context2 } = opts;
+  const coep = process.env.ARC_COEP ?? opts.coep ?? "unsafe-none";
   ensureModuleSigSecret(ws, !!devMode);
   let telemetry;
   let telemetryShutdown;
@@ -41307,7 +41408,7 @@ async function startPlatformServer(opts) {
       "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
       "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Arc-Tokens",
       "Cross-Origin-Opener-Policy": "same-origin",
-      "Cross-Origin-Embedder-Policy": "require-corp",
+      "Cross-Origin-Embedder-Policy": coep ?? "unsafe-none",
       "Cross-Origin-Resource-Policy": "cross-origin"
     };
     const server = Bun.serve({
@@ -41359,6 +41460,7 @@ async function startPlatformServer(opts) {
     context: context2,
     dbAdapterFactory,
     port,
+    coep,
     httpHandlers: [
       apiEndpointsHandler(ws, getManifest, null, moduleAccessMap, telemetry),
       devReloadHandler(sseClients),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-cli",
-  "version": "0.7.20",
+  "version": "0.7.22",
   "description": "CLI tool for Arc framework",
   "module": "index.ts",
   "main": "dist/index.js",
@@ -12,13 +12,13 @@
     "build": "bun build --target=bun ./src/index.ts --outdir=dist --external @arcote.tech/arc --external @arcote.tech/arc-ds --external @arcote.tech/arc-react --external @arcote.tech/platform --external '@opentelemetry/*' && chmod +x dist/index.js"
   },
   "dependencies": {
-    "@arcote.tech/arc": "^0.7.20",
-    "@arcote.tech/arc-ds": "^0.7.20",
-    "@arcote.tech/arc-react": "^0.7.20",
-    "@arcote.tech/arc-host": "^0.7.20",
-    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.20",
-    "@arcote.tech/arc-adapter-db-postgres": "^0.7.20",
-    "@arcote.tech/arc-otel": "^0.7.20",
+    "@arcote.tech/arc": "^0.7.22",
+    "@arcote.tech/arc-ds": "^0.7.22",
+    "@arcote.tech/arc-react": "^0.7.22",
+    "@arcote.tech/arc-host": "^0.7.22",
+    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.22",
+    "@arcote.tech/arc-adapter-db-postgres": "^0.7.22",
+    "@arcote.tech/arc-otel": "^0.7.22",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/api-logs": "^0.57.0",
     "@opentelemetry/core": "^1.30.0",
@@ -31,7 +31,7 @@
     "@opentelemetry/sdk-trace-base": "^1.30.0",
     "@opentelemetry/sdk-trace-node": "^1.30.0",
     "@opentelemetry/semantic-conventions": "^1.27.0",
-    "@arcote.tech/platform": "^0.7.20",
+    "@arcote.tech/platform": "^0.7.22",
     "@clack/prompts": "^0.9.0",
     "commander": "^11.1.0",
     "chokidar": "^3.5.3",

package/src/builder/access-extractor.ts

@@ -7,7 +7,6 @@ import {
   writeFileSync,
 } from "fs";
 import { join } from "path";
-import { isContextPackage, type WorkspacePackage } from "./module-builder";
 
 // ---------------------------------------------------------------------------
 // access-extractor — discovers per-module access rules (`protectedBy(...)`)
@@ -27,8 +26,8 @@ import { isContextPackage, type WorkspacePackage } from "./module-builder";
 // non-context (pure-browser) packages are skipped. This is sensible: access
 // checks logically belong with server state, not display components.
 //
-// Order requirement: buildContextPackages MUST run before extractAccessMap
-// — server bundles at `packages/<pkg>/dist/server/main/index.js` must exist.
+// Order requirement: buildServerApp MUST run before extractAccessMap — the
+// combined server bundle at `<arcDir>/server/_server.js` must exist.
 // ---------------------------------------------------------------------------
 
 export interface SerializedAccessRule {
@@ -44,19 +43,16 @@ export type SerializedAccessMap = Record<string, SerializedModuleAccess>;
 
 export async function extractAccessMap(
   rootDir: string,
-  packages: readonly WorkspacePackage[],
+  serverBundlePath: string,
 ): Promise<SerializedAccessMap> {
-  // Each entry: a context-package server bundle path that the worker will
-  // dynamically import. Bun resolves the bundle's internal external imports
-  // (`@arcote.tech/platform` etc.) via node_modules walking from the bundle
-  // location — workspace symlinks point back to source.
-  const serverBundles = packages
-    .filter((p) => isContextPackage(p.packageJson))
-    .map((p) => ({
-      name: p.name,
-      path: join(p.path, "dist", "server", "main", "index.js"),
-    }))
-    .filter((b) => existsSync(b.path));
+  // The combined server bundle (`<arcDir>/server/_server.js`) side-effect-
+  // registers every module via the platform singleton when imported. The
+  // worker imports just this entry; Bun resolves its `chunk-<hash>.js` siblings
+  // and external peers (`@arcote.tech/platform` etc.) by walking node_modules
+  // from the bundle's directory.
+  const serverBundles = existsSync(serverBundlePath)
+    ? [{ name: "server", path: serverBundlePath }]
+    : [];
 
   // Worker must live INSIDE the workspace tree so Bun's module resolver can
   // walk up to <rootDir>/node_modules and find @arcote.tech/platform via the