@arcote.tech/arc-cli 0.7.20 → 0.7.22

package/src/builder/module-builder.ts

@@ -18,7 +18,7 @@ import {
   type BuildCache,
 } from "./build-cache";
 import type { ChunkPlan } from "./chunk-planner";
-import { SHELL_EXTERNALS } from "./framework-peers";
+import { SHELL_EXTERNALS, FRAMEWORK_PEERS } from "./framework-peers";
 import {
   readInstalledVersion,
   sha256Hex,
@@ -125,6 +125,43 @@ function serverExternalsPlugin(): import("bun").BunPlugin {
   };
 }
 
+/**
+ * SERVER bundles inline their workspace (`@ndt/*`) deps so each flattened
+ * `.arc/platform/server/<pkg>.js` is self-contained (the deploy image has no
+ * `node_modules/@ndt/*` tree). Bun would resolve a bare `@ndt/x` import through
+ * package.json `exports` to that dep's PRE-BUILT `dist/server/main/index.js` —
+ * an already-fully-inlined bundle. Nesting one fully-inlined bundle inside
+ * every consumer is catastrophic:
+ *   - diamonds duplicate the shared dep per graph edge (2^depth copies),
+ *   - dist/ is never wiped, so stale bombs from a previous dep graph keep
+ *     getting re-inlined across rebuilds.
+ * Result: bundles ballooned into the hundreds-of-MB / GB range (content =
+ * 1.1 GB, sizes lining up as powers of two by graph depth).
+ *
+ * This plugin pins every workspace package name to its SOURCE entrypoint
+ * (`src/index.ts`). The single Bun.build pass then includes each transitive
+ * module exactly once (Bun dedups by resolved path), so a server bundle is the
+ * size of its UNIQUE source closure — no nesting, no stale re-inlining.
+ *
+ * `sideEffects: true` keeps the dep's top-level `module(...).build()`
+ * registration from being tree-shaken when it's imported only for a named
+ * symbol (workspace packages ship `"sideEffects": false`).
+ */
+function workspaceSourcePlugin(srcByName: Map<string, string>): import("bun").BunPlugin {
+  return {
+    name: "workspace-source",
+    setup(build) {
+      // Bare specifiers only (skip relative `./` and absolute `/`). Non-
+      // workspace bare imports (react, @arcote.tech/*, npm deps) miss the map
+      // and fall through to the `external` list unchanged.
+      build.onResolve({ filter: /^[^./]/ }, (args) => {
+        const src = srcByName.get(args.path);
+        return src ? { path: src, sideEffects: true } : null;
+      });
+    },
+  };
+}
+
 function jsxDevShimPlugin(): import("bun").BunPlugin {
   return {
     name: "jsx-dev-runtime-shim",
@@ -145,12 +182,25 @@ export { Fragment };
   };
 }
 
-/** Clients that a context package is built for. */
+// Per-package context build is BROWSER-only. The server side is produced by a
+// single combined `buildServerApp` pass (see below) — bundling each package's
+// server context separately and inlining its deps' pre-built dist caused
+// catastrophic nested duplication (content.js hit 1.1 GB) and turned the
+// consumer's undeclared cyclic `@ndt/*` imports into broken init order. One
+// shared pass dedups every module once and is cycle-safe (same as the browser
+// app build).
 const CONTEXT_CLIENTS = [
-  { name: "server", target: "bun" as const, defines: { ONLY_SERVER: "true", ONLY_BROWSER: "false", ONLY_CLIENT: "false" } },
   { name: "browser", target: "browser" as const, defines: { ONLY_SERVER: "false", ONLY_BROWSER: "true", ONLY_CLIENT: "true" } },
 ];
 
+/** Server-side build defines — applied by the combined `buildServerApp` pass. */
+const SERVER_DEFINES = { ONLY_SERVER: "true", ONLY_BROWSER: "false", ONLY_CLIENT: "false" } as const;
+
+/** Filename of the combined server bundle entry under `<arcDir>/server/`.
+ *  loadServerContext + the access extractor import exactly this file; Bun's
+ *  auto-emitted `chunk-<hash>.js` siblings are pulled in transitively. */
+export const SERVER_ENTRY_FILE = "_server.js";
+
 export interface WorkspacePackage {
   name: string;
   path: string;
@@ -305,32 +355,16 @@ async function buildContextClient(
 
   console.log(`  building: ${pkg.name} (${client.name})`);
 
-  // Externals depend on the target client:
-  //
-  // - BROWSER client: workspace deps MUST be external. Inlining them per
-  //   package would make every context package's dist ship its own copy
-  //   of every workspace dep — the top-level browser Bun.build would see
-  //   N pre-inlined copies of context singletons (`WorkspaceContext =
-  //   createContext`) and could not dedupe them, breaking provider lookup.
-  //
-  // - SERVER client: workspace deps MUST be bundled inline. The deploy
-  //   image flattens each package's server bundle to
-  //   `.arc/platform/server/<pkg>.js` and runs them via a single
-  //   `loadServerContext()` import loop. There is no `node_modules/@ndt/*`
-  //   tree inside the image, so bare `@ndt/workspace` specifiers would
-  //   fail to resolve at startup. Inline duplication is harmless on the
-  //   server: it's a single Node/Bun process and Arc modules register via
-  //   a shared platform registry singleton (registry.ts), so two physical
-  //   copies of the workspace module still merge into one context.
+  // BROWSER client: every dep (workspace + npm + framework peers) is external.
+  // Inlining workspace deps per package would make each context package's dist
+  // ship its own copy of every workspace dep — the top-level browser Bun.build
+  // (`buildBrowserApp`) would then see N pre-inlined copies of context
+  // singletons (`WorkspaceContext = createContext`) and could not dedupe them,
+  // breaking provider lookup. The server side is handled separately by the
+  // combined `buildServerApp` pass.
   const peerDeps = Object.keys(pkg.packageJson.peerDependencies ?? {});
   const allDeps = (pkg.packageJson.dependencies ?? {}) as Record<string, string>;
-  const isBrowser = client.name === "browser";
-  const workspaceDeps = isBrowser
-    ? Object.keys(allDeps)
-    : Object.entries(allDeps)
-        .filter(([, spec]) => !spec.startsWith("workspace:"))
-        .map(([name]) => name);
-  const externals = [...peerDeps, ...workspaceDeps];
+  const externals = [...peerDeps, ...Object.keys(allDeps)];
 
   const result = await Bun.build({
     entrypoints: [pkg.entrypoint],
@@ -339,9 +373,7 @@ async function buildContextClient(
     format: "esm",
     naming: "index.[ext]",
     external: externals,
-    plugins: isBrowser
-      ? [jsxDevShimPlugin()]
-      : [jsxDevShimPlugin(), serverExternalsPlugin()],
+    plugins: [jsxDevShimPlugin()],
     define: client.defines,
   });
 
@@ -385,11 +417,13 @@ export async function buildContextPackages(
   const contexts = packages.filter((p) => isContextPackage(p.packageJson));
   if (contexts.length === 0) return { declarationErrors: [] };
 
-  // Topological order — each package's server bundle inlines its workspace
-  // deps, so those deps must have their `dist/` ready before Bun.build tries
-  // to resolve them. Without this, a fresh checkout (no dist/ yet) fails the
-  // first build because content's resolve of @ndt/strategy hits a missing
-  // file. Inside a topological level, packages are built in parallel.
+  // Topological order by declared `workspace:` deps. The browser BUNDLE
+  // externalizes every dep (order-independent), but the type-declaration pass
+  // (tsc) resolves `@ndt/x` types through that package's emitted
+  // `dist/browser/index.d.ts` — so a dep's declarations must exist before a
+  // dependent's decl build runs, else tsc reports "Cannot find module @ndt/x".
+  // The declared dep graph is acyclic; undeclared cyclic imports live in source
+  // only and don't affect this ordering. Inside a layer, packages build in parallel.
   const byName = new Map(contexts.map((p) => [p.name, p]));
   const remaining = new Set(contexts.map((p) => p.name));
   const done = new Set<string>();
@@ -440,6 +474,147 @@ export async function buildContextPackages(
   return { declarationErrors };
 }
 
+// ---------------------------------------------------------------------------
+// Combined server bundle — ONE Bun.build for ALL context packages' server side.
+//
+// Replaces N per-package server builds that each inlined their deps' PRE-BUILT
+// dist (`@ndt/x` → `x/dist/server/main/index.js`). That nested an already-
+// fully-inlined bundle inside every consumer: shared deps duplicated per graph
+// edge (content's server bundle reached 1.1 GB) and the consumer's undeclared
+// cyclic `@ndt/*` imports turned into broken module-init order.
+//
+// One shared pass with `splitting: true` — the same recipe as buildBrowserApp:
+//   - every module is bundled from SOURCE exactly once (Bun dedups by path),
+//   - `@ndt/*` workspace deps resolve to their `src/` entry (workspaceSourcePlugin)
+//     so nothing pulls a pre-built dist,
+//   - npm deps + framework peers stay external — the deploy image installs them
+//     into /app/node_modules via `.arc/platform/package.json` (collectFrameworkDeps),
+//   - splitting makes Bun emit eager top-level init, which is cycle-safe; the
+//     old non-split per-package build emitted lazy `__esm` wrappers that broke
+//     under the consumer's import cycles (`workspace.ids` was undefined).
+//
+// Output under `<arcDir>/server/`:
+//   _server.js          ← entry: side-effect-imports every context module
+//   chunk-<hash>.js × N ← auto-shared module chunks
+// loadServerContext + the access extractor import `_server.js`; chunks ride along.
+// ---------------------------------------------------------------------------
+
+export interface ServerAppResult {
+  readonly entryFile: string;
+  readonly cached: boolean;
+}
+
+export async function buildServerApp(
+  rootDir: string,
+  serverDir: string,
+  packages: WorkspacePackage[],
+  cache: BuildCache,
+  noCache: boolean,
+): Promise<ServerAppResult> {
+  void rootDir; // resolution is source-based; rootDir kept for signature parity
+  const contexts = packages.filter((p) => isContextPackage(p.packageJson));
+  mkdirSync(serverDir, { recursive: true });
+
+  // Every workspace package name → its SOURCE entry. Spans ALL packages, not
+  // just context ones — a context package imports non-context workspace libs
+  // (e.g. content-core) that must inline from source too.
+  const srcByName = new Map(packages.map((p) => [p.name, p.entrypoint]));
+
+  // External = framework peers + every non-workspace npm dep any package
+  // declares. NOT bundled; resolved at runtime from /app/node_modules (the
+  // deploy image installs exactly this set — collectFrameworkDeps). Only the
+  // `@ndt/*` workspace source is inlined.
+  const externalSet = new Set<string>(FRAMEWORK_PEERS);
+  for (const p of packages) {
+    for (const name of Object.keys(p.packageJson.peerDependencies ?? {})) {
+      externalSet.add(name);
+    }
+    for (const [name, spec] of Object.entries(
+      (p.packageJson.dependencies ?? {}) as Record<string, string>,
+    )) {
+      if (!spec.startsWith("workspace:")) externalSet.add(name);
+    }
+  }
+  const external = [...externalSet];
+
+  const unitId = "server-app";
+  const inputHash = sha256OfJson({
+    members: packages
+      .map((p) => ({ name: p.name, src: pkgSourceHash(p) }))
+      .sort((a, b) => a.name.localeCompare(b.name)),
+    contexts: contexts.map((p) => p.name).sort(),
+    external: [...external].sort(),
+    defines: SERVER_DEFINES,
+  });
+
+  const entryFileAbs = join(serverDir, SERVER_ENTRY_FILE);
+  if (!noCache && isCacheHit(cache, unitId, inputHash, [entryFileAbs])) {
+    console.log(`  ✓ cached: ${unitId}`);
+    return { entryFile: SERVER_ENTRY_FILE, cached: true };
+  }
+
+  console.log(`  building: ${unitId} (${contexts.length} server modules)`);
+
+  // Wipe stale .js — old per-package flattened bundles AND previous chunks —
+  // so a smaller rebuild never leaves orphaned content-addressed chunks behind.
+  for (const f of readdirSync(serverDir)) {
+    if (f.endsWith(".js")) rmSync(join(serverDir, f), { force: true });
+  }
+
+  // Entry side-effect-imports every context module so each registers via the
+  // platform registry singleton. Written to a tmp subdir so it isn't shipped.
+  const tmpDir = join(serverDir, "_entries");
+  mkdirSync(tmpDir, { recursive: true });
+  const entrySrc = join(tmpDir, SERVER_ENTRY_FILE.replace(/\.js$/, ".ts"));
+  writeFileSync(
+    entrySrc,
+    contexts.map((p) => `import "${p.name}";`).join("\n") + "\n",
+  );
+
+  let result;
+  try {
+    result = await Bun.build({
+      entrypoints: [entrySrc],
+      outdir: serverDir,
+      target: "bun",
+      format: "esm",
+      // splitting:true is the whole point — it makes Bun emit eager top-level
+      // init (cycle-safe) instead of lazy `__esm` wrappers. Shared modules land
+      // in chunk-<hash>.js referenced by the entry.
+      splitting: true,
+      naming: "[name].[ext]",
+      external,
+      plugins: [
+        jsxDevShimPlugin(),
+        serverExternalsPlugin(),
+        workspaceSourcePlugin(srcByName),
+      ],
+      define: SERVER_DEFINES,
+    });
+  } finally {
+    rmSync(tmpDir, { recursive: true, force: true });
+  }
+
+  if (!result.success) {
+    for (const log of result.logs) console.error(log);
+    throw new Error("Server app build failed");
+  }
+
+  const entryOut = result.outputs.find((o) => o.kind === "entry-point");
+  if (!entryOut) {
+    throw new Error("Server app build: entry not found in outputs");
+  }
+  if (basename(entryOut.path) !== SERVER_ENTRY_FILE) {
+    throw new Error(
+      `Server app build: unexpected entry name ${basename(entryOut.path)} (wanted ${SERVER_ENTRY_FILE})`,
+    );
+  }
+
+  const outputHash = sha256OfDir(serverDir);
+  updateCache(cache, unitId, inputHash, { outputHash });
+  return { entryFile: SERVER_ENTRY_FILE, cached: false };
+}
+
 
 // ---------------------------------------------------------------------------
 // Browser app build — one Bun.build with multiple entrypoints.

package/src/commands/platform-deploy.ts

@@ -13,6 +13,7 @@ import { ensurePersistedSecret } from "../deploy/env-file";
 import { buildImage, sanitizeImageName } from "../deploy/image";
 import { detectRemoteState } from "../deploy/remote-state";
 import { dockerLogin, dockerPush } from "../deploy/registry";
+import { closeSshMaster } from "../deploy/ssh";
 import { runSurvey } from "../deploy/survey";
 import {
   buildAll,
@@ -155,45 +156,51 @@ export async function platformDeploy(
   // before dockerLogin/dockerPush — without registry container + Caddy vhost
   // for it, dockerLogin would TLS-fail.
   log("Inspecting remote server...");
-  const state = await detectRemoteState(cfg);
-  log(`Remote state: ${state.kind}`);
-
-  const cliVersion = readCliVersion();
-  const configHash = await hashDeployConfig(ws.rootDir);
-  await bootstrap({
-    cfg,
-    rootDir: ws.rootDir,
-    state,
-    cliVersion,
-    configHash,
-    forceAnsible: options.forceBootstrap,
-  });
-
-  // 5. Push the image to the now-running registry.
-  if (!options.imageTag) {
-    log(`Logging in to ${cfg.registry.domain}...`);
-    await dockerLogin(cfg.registry);
-    log(`Pushing ${fullRef}...`);
-    await dockerPush(fullRef);
-    ok("Image pushed");
-  }
+  try {
+    const state = await detectRemoteState(cfg);
+    log(`Remote state: ${state.kind}`);
 
-  // 6. Update each env — atomic /opt/arc/.env line + pull + up + health
-  for (const env of targetEnvs) {
-    log(`Updating env "${env}"...`);
-    const outcome = await updateEnvDeployment({
-      target: cfg.target,
+    const cliVersion = readCliVersion();
+    const configHash = await hashDeployConfig(ws.rootDir);
+    await bootstrap({
       cfg,
-      env,
-      fullRef,
+      rootDir: ws.rootDir,
+      state,
+      cliVersion,
+      configHash,
+      forceAnsible: options.forceBootstrap,
     });
-    if (outcome.redeployed) {
-      ok(`${env}: live at ${fullRef}`);
-    } else {
-      err(
-        `${env}: deployed but health check did not pass within retries — check \`docker logs arc-${env}\``,
-      );
+
+    // 5. Push the image to the now-running registry.
+    if (!options.imageTag) {
+      log(`Logging in to ${cfg.registry.domain}...`);
+      await dockerLogin(cfg.registry);
+      log(`Pushing ${fullRef}...`);
+      await dockerPush(fullRef);
+      ok("Image pushed");
+    }
+
+    // 6. Update each env — atomic /opt/arc/.env line + pull + up + health
+    for (const env of targetEnvs) {
+      log(`Updating env "${env}"...`);
+      const outcome = await updateEnvDeployment({
+        target: cfg.target,
+        cfg,
+        env,
+        fullRef,
+      });
+      if (outcome.redeployed) {
+        ok(`${env}: live at ${fullRef}`);
+      } else {
+        err(
+          `${env}: deployed but health check did not pass within retries — check \`docker logs arc-${env}\``,
+        );
+      }
     }
+  } finally {
+    // Tear down the multiplexed SSH master so the control socket doesn't
+    // linger for ControlPersist seconds after the process exits.
+    await closeSshMaster(cfg.target);
   }
 }
 

package/src/deploy/deploy-env.ts

@@ -48,58 +48,35 @@ export async function updateEnvDeployment(
   const { target, cfg, env, fullRef } = opts;
   const upperEnv = env.toUpperCase().replace(/-/g, "_");
   const envVarName = `ARC_IMAGE_${upperEnv}`;
-
-  // Step 1 — atomic .env line update. Use awk to either replace the existing
-  // line or append a new one, write to .env.tmp, then mv. mv on the same fs
-  // is atomic, so concurrent reads see either the old or new file, never a
-  // partial write.
   const envPath = `${cfg.target.remoteDir}/.env`;
   const escapedRef = fullRef.replace(/"/g, '\\"');
-  const updateScript = [
-    `touch ${envPath} && `,
-    `awk -v line="${envVarName}=${escapedRef}" -v key="${envVarName}=" '`,
-    `  BEGIN { replaced=0 } `,
-    `  $0 ~ "^"key { print line; replaced=1; next } `,
-    `  { print } `,
-    `  END { if (!replaced) print line } `,
-    `' ${envPath} > ${envPath}.tmp && mv ${envPath}.tmp ${envPath}`,
-  ].join("");
-  await assertExec(target, updateScript);
-
-  // Step 2 — pull. May be a no-op if `fullRef` was already pulled previously.
-  await assertExec(
-    target,
-    `cd ${cfg.target.remoteDir} && docker compose pull arc-${env}`,
-  );
-
-  // Step 3 — recreate. `up -d` is a no-op if the container is already running
-  // with the requested image; otherwise it recreates. Either way the container
-  // ends in "running" state with the desired image.
-  await assertExec(
-    target,
-    `cd ${cfg.target.remoteDir} && docker compose up -d arc-${env}`,
-  );
-
-  // Step 4 — retention. Find image tags for this workspace, sort by created
-  // time (newest first), drop the top N, delete the rest. `:latest` is moved
-  // by docker push and stays — we never explicitly delete it.
   const retain = opts.retainImages ?? 3;
   const imageBaseName = imageBaseFromRef(fullRef);
-  if (imageBaseName) {
-    const pruneScript = [
-      `docker images "${imageBaseName}" --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" `,
-      `| grep -v ":latest " `,
-      `| sort -k2,3 -r `,
-      `| tail -n +${retain + 1} `,
-      `| awk '{print $1}' `,
-      `| xargs -r docker rmi 2>/dev/null || true`,
-    ].join("");
-    await sshExec(target, pruneScript, { quiet: true });
-  }
+
+  // Steps 1-4 batched into ONE SSH round-trip (was four, each a fresh ssh
+  // handshake). `set -e` aborts on a real failure (e.g. pull) before recreate.
+  //   1. atomic .env line update — awk rewrites to .tmp then `mv` (same-fs mv is
+  //      atomic, so concurrent reads never see a partial file).
+  //   2. pull new layers, 3. recreate (`up -d` no-ops if image unchanged).
+  //   4. retention prune — best-effort (`|| true`), never fails the deploy.
+  const pruneCmd = imageBaseName
+    ? `docker images "${imageBaseName}" --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | grep -v ":latest " | sort -k2,3 -r | tail -n +${retain + 1} | awk '{print $1}' | xargs -r docker rmi 2>/dev/null || true`
+    : `true`;
+  const script = [
+    `set -e`,
+    `cd ${cfg.target.remoteDir}`,
+    `touch ${envPath}`,
+    `awk -v line="${envVarName}=${escapedRef}" -v key="${envVarName}=" 'BEGIN{replaced=0} $0 ~ "^"key {print line; replaced=1; next} {print} END{if(!replaced) print line}' ${envPath} > ${envPath}.tmp && mv ${envPath}.tmp ${envPath}`,
+    `docker compose pull arc-${env}`,
+    `docker compose up -d arc-${env}`,
+    pruneCmd,
+  ].join("\n");
+  await assertExec(target, script);
 
   // Step 5 — health check. arc-<env> exposes 5005 inside the docker network;
-  // from the host we can reach it via `docker exec caddy curl -fsS ...`
-  // (no port mapped to host). Cheap, requires no public DNS.
+  // we reach it via `docker exec arc-<env> ...`. Polls separately (must retry
+  // until the container is up); on a no-op the already-running container passes
+  // on the first probe, so this stays a single round-trip.
   const ok = await healthCheck(target, env);
 
   return { env, fullRef, redeployed: ok };

package/src/deploy/observability-configs.ts

@@ -87,8 +87,13 @@ ${envNames.map((name) => `            - "https://${cfg.envs[name]!.domain}"`).jo
 
   # Per-container CPU / memory / network / block-IO + restarts straight from
   # the Docker daemon (socket bind-mounted read-only, see compose).
+  # api_version pinned: the receiver defaults to Docker API 1.25, which modern
+  # daemons (Engine 25+ require >= 1.40) reject — without this the receiver
+  # fails to start and takes the whole collector down. Quoted so YAML doesn't
+  # parse 1.40 → 1.4. Must be <= the daemon's max; 1.40 is the safe floor.
   docker_stats:
     endpoint: unix:///var/run/docker.sock
+    api_version: "1.40"
     collection_interval: 30s
     metrics:
       container.restarts:
@@ -372,6 +377,15 @@ export function generateAlloyConfig(): string {
 discovery.docker "containers" {
   host             = "unix:///var/run/docker.sock"
   refresh_interval = "15s"
+
+  // Only containers managed by a compose project (our stack). Ad-hoc / rogue
+  // containers (manual debug runs, other stacks) are excluded — one bad
+  // stream (e.g. log entries older than Loki's reject window) otherwise 400s
+  // the whole loki.write batch and drops good app logs with it.
+  filter {
+    name   = "label"
+    values = ["com.docker.compose.project"]
+  }
 }
 
 discovery.relabel "containers" {

package/src/deploy/remote-state.ts

@@ -36,8 +36,22 @@ export async function detectRemoteState(
     return { kind: "unreachable", reason: "target.host not yet set" };
   }
 
-  if (!(await canSsh(cfg.target))) {
-    // On a freshly provisioned VM, only root exists — ansible creates `deploy`
+  const composeDir = cfg.target.remoteDir;
+  // ONE round-trip instead of four (canSsh + docker check + compose ps + cat
+  // marker). The three checks run in a single delimited script; each swallows
+  // its own errors (`|| true`), so the script always exits 0 when it RUNS —
+  // a non-zero SSH exit therefore means the CONNECTION failed, not the probe.
+  const probe = [
+    `command -v docker >/dev/null 2>&1 && echo DOCKER=1 || echo DOCKER=0`,
+    `echo '---PS---'`,
+    `[ -f ${composeDir}/docker-compose.yml ] && (cd ${composeDir} && docker compose ps --format '{{.Service}}' 2>/dev/null) || true`,
+    `echo '---MARKER---'`,
+    `cat ${STATE_MARKER_PATH} 2>/dev/null || true`,
+  ].join("\n");
+
+  const res = await sshExec(cfg.target, probe, { quiet: true });
+  if (res.exitCode !== 0) {
+    // On a freshly provisioned VM only root exists — ansible creates `deploy`
     // later. If root SSH works but the configured user doesn't, treat as
     // no-docker so bootstrap re-runs ansible (idempotent) instead of spinning
     // up a duplicate server via terraform.
@@ -47,36 +61,26 @@ export async function detectRemoteState(
     return { kind: "unreachable", reason: "ssh connection failed" };
   }
 
-  const dockerCheck = await sshExec(cfg.target, "command -v docker", {
-    quiet: true,
-  });
-  if (dockerCheck.exitCode !== 0) {
+  const out = res.stdout;
+  if (!out.includes("DOCKER=1")) {
     return { kind: "no-docker" };
   }
 
-  const composeDir = `${cfg.target.remoteDir}`;
-  const psCheck = await sshExec(
-    cfg.target,
-    `test -f ${composeDir}/docker-compose.yml && cd ${composeDir} && docker compose ps --format '{{.Service}}' || true`,
-    { quiet: true },
-  );
-  if (psCheck.exitCode !== 0 || psCheck.stdout.trim() === "") {
+  const psSection = sectionBetween(out, "---PS---", "---MARKER---").trim();
+  if (psSection === "") {
     return { kind: "no-stack" };
   }
-
-  const running = psCheck.stdout
+  const running = psSection
     .split("\n")
     .map((l) => l.trim())
     .filter((l) => l.startsWith("arc-"))
     .map((l) => l.replace(/^arc-/, ""));
 
-  const markerRaw = await sshExec(cfg.target, `cat ${STATE_MARKER_PATH}`, {
-    quiet: true,
-  });
+  const markerSection = afterMarker(out, "---MARKER---").trim();
   let marker: RemoteStateMarker | null = null;
-  if (markerRaw.exitCode === 0) {
+  if (markerSection) {
     try {
-      marker = JSON.parse(markerRaw.stdout) as RemoteStateMarker;
+      marker = JSON.parse(markerSection) as RemoteStateMarker;
     } catch {
       marker = null;
     }
@@ -85,6 +89,21 @@ export async function detectRemoteState(
   return { kind: "ready", runningEnvs: running, marker };
 }
 
+/** Substring strictly between two delimiters (empty if either is absent). */
+function sectionBetween(s: string, start: string, end: string): string {
+  const i = s.indexOf(start);
+  if (i < 0) return "";
+  const from = i + start.length;
+  const j = s.indexOf(end, from);
+  return s.slice(from, j < 0 ? undefined : j);
+}
+
+/** Everything after the last delimiter (empty if absent). */
+function afterMarker(s: string, marker: string): string {
+  const i = s.indexOf(marker);
+  return i < 0 ? "" : s.slice(i + marker.length);
+}
+
 /** Write the state marker file on the remote host. */
 export async function writeStateMarker(
   target: DeployTarget,