@arcote.tech/arc-cli 0.7.20 → 0.7.22

package/src/deploy/ssh.ts

@@ -43,6 +43,27 @@ export interface SshExecResult {
   exitCode: number;
 }
 
+/**
+ * SSH connection multiplexing. Without this every remote command spawns a
+ * fresh `ssh` (full TCP + auth handshake) — a single deploy fires ~15-25 of
+ * them, so the handshake overhead alone runs into minutes. `ControlMaster=auto`
+ * makes the first connection open a master socket; every later ssh/scp to the
+ * same host reuses it with no handshake. `ControlPersist` keeps the master
+ * alive for the whole (short) deploy. The socket lives in ~/.ssh (private) and
+ * `%C` is ssh's hash of host+port+user — short enough for the ~104-byte socket
+ * path limit, and distinct per target (so the root fallback gets its own).
+ */
+function sshMuxArgs(): string[] {
+  return [
+    "-o",
+    "ControlMaster=auto",
+    "-o",
+    `ControlPath=${join(homedir(), ".ssh", "cm-arc-%C")}`,
+    "-o",
+    "ControlPersist=120",
+  ];
+}
+
 export function baseSshArgs(target: DeployTarget): string[] {
   // Pin to a single identity to avoid "Too many authentication failures":
   // the server's MaxAuthTries=3 (set by ansible) trips when ssh-agent has
@@ -50,6 +71,7 @@ export function baseSshArgs(target: DeployTarget): string[] {
   // PreferredAuthentications=publickey skips gssapi/keyboard prompts entirely.
   const key = pickSshKey(target);
   const args = [
+    ...sshMuxArgs(),
     "-o",
     "BatchMode=yes",
     "-o",
@@ -159,6 +181,8 @@ export async function scpUpload(
 ): Promise<void> {
   const key = pickSshKey(target);
   const args = [
+    // Same ControlPath as baseSshArgs — scp reuses the ssh master socket.
+    ...sshMuxArgs(),
     "-o",
     "BatchMode=yes",
     "-o",
@@ -184,3 +208,28 @@ export async function scpUpload(
     throw new Error(`scp failed (${exitCode}): ${stderr}`);
   }
 }
+
+/**
+ * Close the multiplexed SSH master connection (best-effort). Call once at the
+ * end of a deploy so the control socket doesn't linger for ControlPersist
+ * seconds after the process exits. Safe to call even if no master was opened —
+ * `ssh -O exit` against a missing socket just returns non-zero, which we ignore.
+ */
+export async function closeSshMaster(target: DeployTarget): Promise<void> {
+  try {
+    const proc = spawn({
+      cmd: [
+        "ssh",
+        ...baseSshArgs(target),
+        "-O",
+        "exit",
+        `${target.user}@${target.host}`,
+      ],
+      stdout: "ignore",
+      stderr: "ignore",
+    });
+    await proc.exited;
+  } catch {
+    // best-effort cleanup — a missing/already-closed master is fine.
+  }
+}

package/src/platform/server.ts

@@ -29,6 +29,13 @@ export interface PlatformServerOptions {
   dbPath?: string;
   /** If true, enables SSE reload stream + mutable manifest (dev mode) */
   devMode?: boolean;
+  /**
+   * Cross-origin isolation policy. Default `"unsafe-none"`. Apps z SQLite
+   * WASM/OPFS lub SharedArrayBuffer ustawiają `"require-corp"` w
+   * `deploy.arc.json` — wtedy każdy cross-origin resource (3rd-party
+   * widgets) musi mieć `Cross-Origin-Resource-Policy`. Patrz `ArcServerConfig.coep`.
+   */
+  coep?: "unsafe-none" | "credentialless" | "require-corp";
 }
 
 export interface PlatformServer {
@@ -507,6 +514,15 @@ export async function startPlatformServer(
   opts: PlatformServerOptions,
 ): Promise<PlatformServer> {
   const { ws, port, devMode, context } = opts;
+  // Default COEP: env var > opts > unsafe-none. Apps z SQLite WASM/OPFS
+  // muszą explicit ustawić "require-corp" (przez ARC_COEP w .env / Docker
+  // envVars). Default unsafe-none pozwala apps używać 3rd-party widgetów
+  // (PayU Secure Form, Stripe Elements, Google/Apple Pay) bez proxy.
+  const coep = (process.env.ARC_COEP as
+    | "unsafe-none"
+    | "credentialless"
+    | "require-corp"
+    | undefined) ?? opts.coep ?? "unsafe-none";
   ensureModuleSigSecret(ws, !!devMode);
 
   // OpenTelemetry — only when explicitly enabled (deploy injects the env
@@ -567,10 +583,10 @@ export async function startPlatformServer(
       "Access-Control-Allow-Methods":
         "GET, POST, PUT, DELETE, PATCH, OPTIONS",
       "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Arc-Tokens",
-      // Cross-origin isolation — wymagane dla SharedArrayBuffer + OPFS
-      // (SQLite WASM persistent storage w przeglądarce).
+      // Cross-origin isolation — domyślnie unsafe-none (3rd-party widgets);
+      // require-corp tylko dla apps używających SharedArrayBuffer/OPFS.
       "Cross-Origin-Opener-Policy": "same-origin",
-      "Cross-Origin-Embedder-Policy": "require-corp",
+      "Cross-Origin-Embedder-Policy": coep ?? "unsafe-none",
       "Cross-Origin-Resource-Policy": "cross-origin",
     };
 
@@ -641,6 +657,7 @@ export async function startPlatformServer(
     context,
     dbAdapterFactory,
     port,
+    coep,
     httpHandlers: [
       // Platform-specific handlers (checked AFTER arc handlers)
       apiEndpointsHandler(ws, getManifest, null, moduleAccessMap, telemetry),

package/src/platform/shared.ts

@@ -4,10 +4,12 @@ import { dirname, join } from "path";
 import {
   buildBrowserApp,
   buildContextPackages,
+  buildServerApp,
   buildStyles,
   buildTranslations,
   discoverPackages,
   isContextPackage,
+  SERVER_ENTRY_FILE,
   type BrowserAppResult,
   type BuildManifest,
   type ModuleDescriptor,
@@ -161,20 +163,30 @@ export async function buildAll(
   // else chunk grouping (per-package) silently mis-assigns the extra module.
   assertOneModulePerPackage(ws.packages);
 
-  // Phase 1 — context packages must finish FIRST. The access-extractor
-  // subprocess imports workspace packages by name, which resolve through
-  // node_modules to packages' `main` field (typically `dist/server/main/`).
+  // Phase 1 — per-package BROWSER context bundles + type declarations.
   await buildContextPackages(ws.rootDir, ws.packages, cache, noCache);
 
-  // Phase 1b — relocate per-package server bundles into `.arc/platform/server/`
-  // so the deploy image can be self-contained (image COPY needs everything
-  // server-side under one root). loadServerContext reads from here in prod.
-  copyContextServerBundles(ws);
+  // Phase 1b — combined server bundle at `.arc/platform/server/_server.js`.
+  // ONE Bun.build for all context modules (deduped from source, cycle-safe)
+  // replaces the old per-package server bundles that nested each other's dist
+  // into multi-hundred-MB files. The deploy image COPYs this dir wholesale;
+  // loadServerContext + the access extractor import the entry, chunks ride along.
+  const serverDir = join(ws.arcDir, "server");
+  const { entryFile: serverEntry } = await buildServerApp(
+    ws.rootDir,
+    serverDir,
+    ws.packages,
+    cache,
+    noCache,
+  );
 
   // Phase 2 — extract access metadata (token name + hasCheck per module) in
-  // an isolated subprocess. This MUST run before chunk planning so we know
-  // which token group each module belongs to.
-  const accessMap = await extractAccessMap(ws.rootDir, ws.packages);
+  // an isolated subprocess that imports the combined server bundle. MUST run
+  // before chunk planning so we know which token group each module belongs to.
+  const accessMap = await extractAccessMap(
+    ws.rootDir,
+    join(serverDir, serverEntry),
+  );
 
   // Persist access map for the runtime host (server.ts reads at startup to
   // wire up moduleAccessMap for filterManifestForTokens / signed URLs).
@@ -242,34 +254,6 @@ function assembleManifest(
   };
 }
 
-// ---------------------------------------------------------------------------
-// Context server bundles — flatten to `<arcDir>/server/<safeName>.js`
-// ---------------------------------------------------------------------------
-
-/**
- * Copy each context package's compiled server bundle from
- * `packages/<pkg>/dist/server/main/index.js` to a flat location at
- * `<arcDir>/server/<safeName>.js`. The flat layout makes the deploy image
- * self-contained — `COPY .arc/platform/` pulls everything server-side, no
- * need to drag the entire `packages/` tree into the image.
- */
-function copyContextServerBundles(ws: WorkspaceInfo): void {
-  const outDir = join(ws.arcDir, "server");
-  mkdirSync(outDir, { recursive: true });
-
-  for (const pkg of ws.packages) {
-    if (!isContextPackage(pkg.packageJson)) continue;
-    const src = join(pkg.path, "dist", "server", "main", "index.js");
-    if (!existsSync(src)) {
-      err(`Server bundle missing for ${pkg.name}: ${src}`);
-      continue;
-    }
-    const safeName = pkg.path.split("/").pop()!;
-    const dst = join(outDir, `${safeName}.js`);
-    copyFileSync(src, dst);
-  }
-}
-
 // ---------------------------------------------------------------------------
 // Browser assets — @arcote.tech/* deps deklarują w `arc.browserAssets` jakie
 // pliki muszą być dostępne w przeglądarce (np. SQLite WASM worker + .wasm).
@@ -419,44 +403,21 @@ export async function loadServerContext(
 
   await import(platformEntry);
 
-  // Primary source: flattened server bundles at `<arcDir>/server/<safeName>.js`.
+  // The combined server bundle lives at `<arcDir>/server/_server.js` (entry)
+  // next to its `chunk-<hash>.js` siblings. Importing the entry pulls the
+  // chunks transitively and registers every module via the platform singleton.
   // The deploy image only has this directory — there's no workspace `packages/`
-  // tree. In dev, `copyContextServerBundles` populates this same location, so
-  // both modes go through the same code path.
-  const serverDir = join(ws.arcDir, "server");
-  const bundles = existsSync(serverDir)
-    ? readdirSync(serverDir).filter((f) => f.endsWith(".js"))
-    : [];
-
-  if (bundles.length > 0) {
-    for (const file of bundles) {
-      const bundlePath = join(serverDir, file);
-      try {
-        await import(bundlePath);
-      } catch (e) {
-        err(`Failed to load server bundle ${file}: ${e}`);
-      }
-    }
-  } else if (ws.packages.length > 0) {
-    // Fallback for the "no .arc/platform/server/ yet" case (e.g. somebody
-    // wired up loadServerContext before running the build). This path goes
-    // through workspace packages directly — only meaningful in dev.
-    const ctxPackages = ws.packages.filter((p) => isContextPackage(p.packageJson));
-    for (const ctx of ctxPackages) {
-      const serverDist = join(ctx.path, "dist", "server", "main", "index.js");
-      if (!existsSync(serverDist)) {
-        err(`Context server dist not found: ${serverDist}`);
-        continue;
-      }
-      try {
-        await import(serverDist);
-      } catch (e) {
-        err(`Failed to load server context from ${ctx.name}: ${e}`);
-      }
-    }
-  } else {
+  // tree; dev and prod go through the exact same path.
+  const serverEntry = join(ws.arcDir, "server", SERVER_ENTRY_FILE);
+  if (!existsSync(serverEntry)) {
+    // No build yet (or a static-only workspace) — nothing to register.
     return { context: null, moduleAccess: new Map() };
   }
+  try {
+    await import(serverEntry);
+  } catch (e) {
+    err(`Failed to load server bundle ${SERVER_ENTRY_FILE}: ${e}`);
+  }
 
   const { getContext, getAllModuleAccess } = await import(platformEntry);
   return {

package/src/platform/startup.ts

@@ -62,8 +62,8 @@ export async function startPlatform(
   }
 
   // 2. Server context — same code path in both modes; loadServerContext
-  // prefers .arc/platform/server/*.js (the canonical location after the
-  // copyContextServerBundles step in buildAll).
+  // imports the combined server bundle at .arc/platform/server/_server.js
+  // (produced by the buildServerApp step in buildAll).
   log("Loading server context...");
   const { context, moduleAccess } = await loadServerContext(ws);
   if (context) {