@arcote.tech/arc-cli 0.7.21 → 0.7.22

package/dist/index.js

@@ -38091,9 +38091,20 @@ async function streamToString(stream2) {
     return "";
   return new Response(stream2).text();
 }
+function sshMuxArgs() {
+  return [
+    "-o",
+    "ControlMaster=auto",
+    "-o",
+    `ControlPath=${join17(homedir3(), ".ssh", "cm-arc-%C")}`,
+    "-o",
+    "ControlPersist=120"
+  ];
+}
 function baseSshArgs(target) {
   const key = pickSshKey(target);
   const args = [
+    ...sshMuxArgs(),
     "-o",
     "BatchMode=yes",
     "-o",
@@ -38157,6 +38168,7 @@ async function canSsh(target) {
 async function scpUpload(target, localPath, remotePath) {
   const key = pickSshKey(target);
   const args = [
+    ...sshMuxArgs(),
     "-o",
     "BatchMode=yes",
     "-o",
@@ -38181,6 +38193,22 @@ async function scpUpload(target, localPath, remotePath) {
     throw new Error(`scp failed (${exitCode}): ${stderr}`);
   }
 }
+async function closeSshMaster(target) {
+  try {
+    const proc2 = spawn3({
+      cmd: [
+        "ssh",
+        ...baseSshArgs(target),
+        "-O",
+        "exit",
+        `${target.user}@${target.host}`
+      ],
+      stdout: "ignore",
+      stderr: "ignore"
+    });
+    await proc2.exited;
+  } catch {}
+}
 
 // src/deploy/remote-state.ts
 var STATE_MARKER_PATH = "/opt/arc/.arc-state.json";
@@ -38188,38 +38216,55 @@ async function detectRemoteState(cfg) {
   if (cfg.target.host === "PENDING_TERRAFORM" || !cfg.target.host) {
     return { kind: "unreachable", reason: "target.host not yet set" };
   }
-  if (!await canSsh(cfg.target)) {
+  const composeDir = cfg.target.remoteDir;
+  const probe = [
+    `command -v docker >/dev/null 2>&1 && echo DOCKER=1 || echo DOCKER=0`,
+    `echo '---PS---'`,
+    `[ -f ${composeDir}/docker-compose.yml ] && (cd ${composeDir} && docker compose ps --format '{{.Service}}' 2>/dev/null) || true`,
+    `echo '---MARKER---'`,
+    `cat ${STATE_MARKER_PATH} 2>/dev/null || true`
+  ].join(`
+`);
+  const res = await sshExec(cfg.target, probe, { quiet: true });
+  if (res.exitCode !== 0) {
     if (await canSsh({ ...cfg.target, user: "root" })) {
       return { kind: "no-docker" };
     }
     return { kind: "unreachable", reason: "ssh connection failed" };
   }
-  const dockerCheck = await sshExec(cfg.target, "command -v docker", {
-    quiet: true
-  });
-  if (dockerCheck.exitCode !== 0) {
+  const out = res.stdout;
+  if (!out.includes("DOCKER=1")) {
     return { kind: "no-docker" };
   }
-  const composeDir = `${cfg.target.remoteDir}`;
-  const psCheck = await sshExec(cfg.target, `test -f ${composeDir}/docker-compose.yml && cd ${composeDir} && docker compose ps --format '{{.Service}}' || true`, { quiet: true });
-  if (psCheck.exitCode !== 0 || psCheck.stdout.trim() === "") {
+  const psSection = sectionBetween(out, "---PS---", "---MARKER---").trim();
+  if (psSection === "") {
     return { kind: "no-stack" };
   }
-  const running = psCheck.stdout.split(`
+  const running = psSection.split(`
 `).map((l) => l.trim()).filter((l) => l.startsWith("arc-")).map((l) => l.replace(/^arc-/, ""));
-  const markerRaw = await sshExec(cfg.target, `cat ${STATE_MARKER_PATH}`, {
-    quiet: true
-  });
+  const markerSection = afterMarker(out, "---MARKER---").trim();
   let marker = null;
-  if (markerRaw.exitCode === 0) {
+  if (markerSection) {
     try {
-      marker = JSON.parse(markerRaw.stdout);
+      marker = JSON.parse(markerSection);
     } catch {
       marker = null;
     }
   }
   return { kind: "ready", runningEnvs: running, marker };
 }
+function sectionBetween(s, start, end) {
+  const i = s.indexOf(start);
+  if (i < 0)
+    return "";
+  const from = i + start.length;
+  const j = s.indexOf(end, from);
+  return s.slice(from, j < 0 ? undefined : j);
+}
+function afterMarker(s, marker) {
+  const i = s.indexOf(marker);
+  return i < 0 ? "" : s.slice(i + marker.length);
+}
 async function writeStateMarker(target, marker) {
   const json = JSON.stringify(marker, null, 2);
   await assertExec(target, `sudo tee ${STATE_MARKER_PATH} > /dev/null <<'JSON'
@@ -38476,31 +38521,20 @@ async function updateEnvDeployment(opts) {
   const envVarName = `ARC_IMAGE_${upperEnv}`;
   const envPath = `${cfg.target.remoteDir}/.env`;
   const escapedRef = fullRef.replace(/"/g, "\\\"");
-  const updateScript = [
-    `touch ${envPath} && `,
-    `awk -v line="${envVarName}=${escapedRef}" -v key="${envVarName}=" '`,
-    `  BEGIN { replaced=0 } `,
-    `  $0 ~ "^"key { print line; replaced=1; next } `,
-    `  { print } `,
-    `  END { if (!replaced) print line } `,
-    `' ${envPath} > ${envPath}.tmp && mv ${envPath}.tmp ${envPath}`
-  ].join("");
-  await assertExec(target, updateScript);
-  await assertExec(target, `cd ${cfg.target.remoteDir} && docker compose pull arc-${env2}`);
-  await assertExec(target, `cd ${cfg.target.remoteDir} && docker compose up -d arc-${env2}`);
   const retain = opts.retainImages ?? 3;
   const imageBaseName = imageBaseFromRef(fullRef);
-  if (imageBaseName) {
-    const pruneScript = [
-      `docker images "${imageBaseName}" --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" `,
-      `| grep -v ":latest " `,
-      `| sort -k2,3 -r `,
-      `| tail -n +${retain + 1} `,
-      `| awk '{print $1}' `,
-      `| xargs -r docker rmi 2>/dev/null || true`
-    ].join("");
-    await sshExec(target, pruneScript, { quiet: true });
-  }
+  const pruneCmd = imageBaseName ? `docker images "${imageBaseName}" --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | grep -v ":latest " | sort -k2,3 -r | tail -n +${retain + 1} | awk '{print $1}' | xargs -r docker rmi 2>/dev/null || true` : `true`;
+  const script = [
+    `set -e`,
+    `cd ${cfg.target.remoteDir}`,
+    `touch ${envPath}`,
+    `awk -v line="${envVarName}=${escapedRef}" -v key="${envVarName}=" 'BEGIN{replaced=0} $0 ~ "^"key {print line; replaced=1; next} {print} END{if(!replaced) print line}' ${envPath} > ${envPath}.tmp && mv ${envPath}.tmp ${envPath}`,
+    `docker compose pull arc-${env2}`,
+    `docker compose up -d arc-${env2}`,
+    pruneCmd
+  ].join(`
+`);
+  await assertExec(target, script);
   const ok2 = await healthCheck(target, env2);
   return { env: env2, fullRef, redeployed: ok2 };
 }
@@ -39541,38 +39575,42 @@ async function platformDeploy(envArg, options = {}) {
     }
   }
   log2("Inspecting remote server...");
-  const state = await detectRemoteState(cfg);
-  log2(`Remote state: ${state.kind}`);
-  const cliVersion = readCliVersion2();
-  const configHash = await hashDeployConfig(ws.rootDir);
-  await bootstrap({
-    cfg,
-    rootDir: ws.rootDir,
-    state,
-    cliVersion,
-    configHash,
-    forceAnsible: options.forceBootstrap
-  });
-  if (!options.imageTag) {
-    log2(`Logging in to ${cfg.registry.domain}...`);
-    await dockerLogin(cfg.registry);
-    log2(`Pushing ${fullRef}...`);
-    await dockerPush(fullRef);
-    ok("Image pushed");
-  }
-  for (const env2 of targetEnvs) {
-    log2(`Updating env "${env2}"...`);
-    const outcome = await updateEnvDeployment({
-      target: cfg.target,
+  try {
+    const state = await detectRemoteState(cfg);
+    log2(`Remote state: ${state.kind}`);
+    const cliVersion = readCliVersion2();
+    const configHash = await hashDeployConfig(ws.rootDir);
+    await bootstrap({
       cfg,
-      env: env2,
-      fullRef
+      rootDir: ws.rootDir,
+      state,
+      cliVersion,
+      configHash,
+      forceAnsible: options.forceBootstrap
     });
-    if (outcome.redeployed) {
-      ok(`${env2}: live at ${fullRef}`);
-    } else {
-      err(`${env2}: deployed but health check did not pass within retries \u2014 check \`docker logs arc-${env2}\``);
+    if (!options.imageTag) {
+      log2(`Logging in to ${cfg.registry.domain}...`);
+      await dockerLogin(cfg.registry);
+      log2(`Pushing ${fullRef}...`);
+      await dockerPush(fullRef);
+      ok("Image pushed");
+    }
+    for (const env2 of targetEnvs) {
+      log2(`Updating env "${env2}"...`);
+      const outcome = await updateEnvDeployment({
+        target: cfg.target,
+        cfg,
+        env: env2,
+        fullRef
+      });
+      if (outcome.redeployed) {
+        ok(`${env2}: live at ${fullRef}`);
+      } else {
+        err(`${env2}: deployed but health check did not pass within retries \u2014 check \`docker logs arc-${env2}\``);
+      }
     }
+  } finally {
+    await closeSshMaster(cfg.target);
   }
 }
 function readCliVersion2() {
@@ -40851,6 +40889,7 @@ async function createArcServer(config) {
   const cronScheduler = new CronScheduler(contextHandler);
   cronScheduler.start();
   const connectionManager = new ConnectionManager;
+  const coep = config.coep ?? "unsafe-none";
   function buildCorsHeaders(req) {
     const origin = req?.headers.get("Origin") || "*";
     return {
@@ -40859,7 +40898,7 @@ async function createArcServer(config) {
       "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Arc-Scope, X-Arc-Tokens",
       "Access-Control-Allow-Credentials": "true",
       "Cross-Origin-Opener-Policy": "same-origin",
-      "Cross-Origin-Embedder-Policy": "require-corp",
+      "Cross-Origin-Embedder-Policy": coep,
       "Cross-Origin-Resource-Policy": "cross-origin"
     };
   }
@@ -41320,6 +41359,7 @@ function spaFallbackHandler(getShellHtml) {
 }
 async function startPlatformServer(opts) {
   const { ws, port, devMode, context: context2 } = opts;
+  const coep = process.env.ARC_COEP ?? opts.coep ?? "unsafe-none";
   ensureModuleSigSecret(ws, !!devMode);
   let telemetry;
   let telemetryShutdown;
@@ -41368,7 +41408,7 @@ async function startPlatformServer(opts) {
       "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
       "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Arc-Tokens",
       "Cross-Origin-Opener-Policy": "same-origin",
-      "Cross-Origin-Embedder-Policy": "require-corp",
+      "Cross-Origin-Embedder-Policy": coep ?? "unsafe-none",
       "Cross-Origin-Resource-Policy": "cross-origin"
     };
     const server = Bun.serve({
@@ -41420,6 +41460,7 @@ async function startPlatformServer(opts) {
     context: context2,
     dbAdapterFactory,
     port,
+    coep,
     httpHandlers: [
       apiEndpointsHandler(ws, getManifest, null, moduleAccessMap, telemetry),
       devReloadHandler(sseClients),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-cli",
-  "version": "0.7.21",
+  "version": "0.7.22",
   "description": "CLI tool for Arc framework",
   "module": "index.ts",
   "main": "dist/index.js",
@@ -12,13 +12,13 @@
     "build": "bun build --target=bun ./src/index.ts --outdir=dist --external @arcote.tech/arc --external @arcote.tech/arc-ds --external @arcote.tech/arc-react --external @arcote.tech/platform --external '@opentelemetry/*' && chmod +x dist/index.js"
   },
   "dependencies": {
-    "@arcote.tech/arc": "^0.7.21",
-    "@arcote.tech/arc-ds": "^0.7.21",
-    "@arcote.tech/arc-react": "^0.7.21",
-    "@arcote.tech/arc-host": "^0.7.21",
-    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.21",
-    "@arcote.tech/arc-adapter-db-postgres": "^0.7.21",
-    "@arcote.tech/arc-otel": "^0.7.21",
+    "@arcote.tech/arc": "^0.7.22",
+    "@arcote.tech/arc-ds": "^0.7.22",
+    "@arcote.tech/arc-react": "^0.7.22",
+    "@arcote.tech/arc-host": "^0.7.22",
+    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.22",
+    "@arcote.tech/arc-adapter-db-postgres": "^0.7.22",
+    "@arcote.tech/arc-otel": "^0.7.22",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/api-logs": "^0.57.0",
     "@opentelemetry/core": "^1.30.0",
@@ -31,7 +31,7 @@
     "@opentelemetry/sdk-trace-base": "^1.30.0",
     "@opentelemetry/sdk-trace-node": "^1.30.0",
     "@opentelemetry/semantic-conventions": "^1.27.0",
-    "@arcote.tech/platform": "^0.7.21",
+    "@arcote.tech/platform": "^0.7.22",
     "@clack/prompts": "^0.9.0",
     "commander": "^11.1.0",
     "chokidar": "^3.5.3",

package/src/commands/platform-deploy.ts

@@ -13,6 +13,7 @@ import { ensurePersistedSecret } from "../deploy/env-file";
 import { buildImage, sanitizeImageName } from "../deploy/image";
 import { detectRemoteState } from "../deploy/remote-state";
 import { dockerLogin, dockerPush } from "../deploy/registry";
+import { closeSshMaster } from "../deploy/ssh";
 import { runSurvey } from "../deploy/survey";
 import {
   buildAll,
@@ -155,45 +156,51 @@ export async function platformDeploy(
   // before dockerLogin/dockerPush — without registry container + Caddy vhost
   // for it, dockerLogin would TLS-fail.
   log("Inspecting remote server...");
-  const state = await detectRemoteState(cfg);
-  log(`Remote state: ${state.kind}`);
-
-  const cliVersion = readCliVersion();
-  const configHash = await hashDeployConfig(ws.rootDir);
-  await bootstrap({
-    cfg,
-    rootDir: ws.rootDir,
-    state,
-    cliVersion,
-    configHash,
-    forceAnsible: options.forceBootstrap,
-  });
-
-  // 5. Push the image to the now-running registry.
-  if (!options.imageTag) {
-    log(`Logging in to ${cfg.registry.domain}...`);
-    await dockerLogin(cfg.registry);
-    log(`Pushing ${fullRef}...`);
-    await dockerPush(fullRef);
-    ok("Image pushed");
-  }
+  try {
+    const state = await detectRemoteState(cfg);
+    log(`Remote state: ${state.kind}`);
 
-  // 6. Update each env — atomic /opt/arc/.env line + pull + up + health
-  for (const env of targetEnvs) {
-    log(`Updating env "${env}"...`);
-    const outcome = await updateEnvDeployment({
-      target: cfg.target,
+    const cliVersion = readCliVersion();
+    const configHash = await hashDeployConfig(ws.rootDir);
+    await bootstrap({
       cfg,
-      env,
-      fullRef,
+      rootDir: ws.rootDir,
+      state,
+      cliVersion,
+      configHash,
+      forceAnsible: options.forceBootstrap,
     });
-    if (outcome.redeployed) {
-      ok(`${env}: live at ${fullRef}`);
-    } else {
-      err(
-        `${env}: deployed but health check did not pass within retries — check \`docker logs arc-${env}\``,
-      );
+
+    // 5. Push the image to the now-running registry.
+    if (!options.imageTag) {
+      log(`Logging in to ${cfg.registry.domain}...`);
+      await dockerLogin(cfg.registry);
+      log(`Pushing ${fullRef}...`);
+      await dockerPush(fullRef);
+      ok("Image pushed");
+    }
+
+    // 6. Update each env — atomic /opt/arc/.env line + pull + up + health
+    for (const env of targetEnvs) {
+      log(`Updating env "${env}"...`);
+      const outcome = await updateEnvDeployment({
+        target: cfg.target,
+        cfg,
+        env,
+        fullRef,
+      });
+      if (outcome.redeployed) {
+        ok(`${env}: live at ${fullRef}`);
+      } else {
+        err(
+          `${env}: deployed but health check did not pass within retries — check \`docker logs arc-${env}\``,
+        );
+      }
     }
+  } finally {
+    // Tear down the multiplexed SSH master so the control socket doesn't
+    // linger for ControlPersist seconds after the process exits.
+    await closeSshMaster(cfg.target);
   }
 }
 

package/src/deploy/deploy-env.ts

@@ -48,58 +48,35 @@ export async function updateEnvDeployment(
   const { target, cfg, env, fullRef } = opts;
   const upperEnv = env.toUpperCase().replace(/-/g, "_");
   const envVarName = `ARC_IMAGE_${upperEnv}`;
-
-  // Step 1 — atomic .env line update. Use awk to either replace the existing
-  // line or append a new one, write to .env.tmp, then mv. mv on the same fs
-  // is atomic, so concurrent reads see either the old or new file, never a
-  // partial write.
   const envPath = `${cfg.target.remoteDir}/.env`;
   const escapedRef = fullRef.replace(/"/g, '\\"');
-  const updateScript = [
-    `touch ${envPath} && `,
-    `awk -v line="${envVarName}=${escapedRef}" -v key="${envVarName}=" '`,
-    `  BEGIN { replaced=0 } `,
-    `  $0 ~ "^"key { print line; replaced=1; next } `,
-    `  { print } `,
-    `  END { if (!replaced) print line } `,
-    `' ${envPath} > ${envPath}.tmp && mv ${envPath}.tmp ${envPath}`,
-  ].join("");
-  await assertExec(target, updateScript);
-
-  // Step 2 — pull. May be a no-op if `fullRef` was already pulled previously.
-  await assertExec(
-    target,
-    `cd ${cfg.target.remoteDir} && docker compose pull arc-${env}`,
-  );
-
-  // Step 3 — recreate. `up -d` is a no-op if the container is already running
-  // with the requested image; otherwise it recreates. Either way the container
-  // ends in "running" state with the desired image.
-  await assertExec(
-    target,
-    `cd ${cfg.target.remoteDir} && docker compose up -d arc-${env}`,
-  );
-
-  // Step 4 — retention. Find image tags for this workspace, sort by created
-  // time (newest first), drop the top N, delete the rest. `:latest` is moved
-  // by docker push and stays — we never explicitly delete it.
   const retain = opts.retainImages ?? 3;
   const imageBaseName = imageBaseFromRef(fullRef);
-  if (imageBaseName) {
-    const pruneScript = [
-      `docker images "${imageBaseName}" --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" `,
-      `| grep -v ":latest " `,
-      `| sort -k2,3 -r `,
-      `| tail -n +${retain + 1} `,
-      `| awk '{print $1}' `,
-      `| xargs -r docker rmi 2>/dev/null || true`,
-    ].join("");
-    await sshExec(target, pruneScript, { quiet: true });
-  }
+
+  // Steps 1-4 batched into ONE SSH round-trip (was four, each a fresh ssh
+  // handshake). `set -e` aborts on a real failure (e.g. pull) before recreate.
+  //   1. atomic .env line update — awk rewrites to .tmp then `mv` (same-fs mv is
+  //      atomic, so concurrent reads never see a partial file).
+  //   2. pull new layers, 3. recreate (`up -d` no-ops if image unchanged).
+  //   4. retention prune — best-effort (`|| true`), never fails the deploy.
+  const pruneCmd = imageBaseName
+    ? `docker images "${imageBaseName}" --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | grep -v ":latest " | sort -k2,3 -r | tail -n +${retain + 1} | awk '{print $1}' | xargs -r docker rmi 2>/dev/null || true`
+    : `true`;
+  const script = [
+    `set -e`,
+    `cd ${cfg.target.remoteDir}`,
+    `touch ${envPath}`,
+    `awk -v line="${envVarName}=${escapedRef}" -v key="${envVarName}=" 'BEGIN{replaced=0} $0 ~ "^"key {print line; replaced=1; next} {print} END{if(!replaced) print line}' ${envPath} > ${envPath}.tmp && mv ${envPath}.tmp ${envPath}`,
+    `docker compose pull arc-${env}`,
+    `docker compose up -d arc-${env}`,
+    pruneCmd,
+  ].join("\n");
+  await assertExec(target, script);
 
   // Step 5 — health check. arc-<env> exposes 5005 inside the docker network;
-  // from the host we can reach it via `docker exec caddy curl -fsS ...`
-  // (no port mapped to host). Cheap, requires no public DNS.
+  // we reach it via `docker exec arc-<env> ...`. Polls separately (must retry
+  // until the container is up); on a no-op the already-running container passes
+  // on the first probe, so this stays a single round-trip.
   const ok = await healthCheck(target, env);
 
   return { env, fullRef, redeployed: ok };

package/src/deploy/remote-state.ts

@@ -36,8 +36,22 @@ export async function detectRemoteState(
     return { kind: "unreachable", reason: "target.host not yet set" };
   }
 
-  if (!(await canSsh(cfg.target))) {
-    // On a freshly provisioned VM, only root exists — ansible creates `deploy`
+  const composeDir = cfg.target.remoteDir;
+  // ONE round-trip instead of four (canSsh + docker check + compose ps + cat
+  // marker). The three checks run in a single delimited script; each swallows
+  // its own errors (`|| true`), so the script always exits 0 when it RUNS —
+  // a non-zero SSH exit therefore means the CONNECTION failed, not the probe.
+  const probe = [
+    `command -v docker >/dev/null 2>&1 && echo DOCKER=1 || echo DOCKER=0`,
+    `echo '---PS---'`,
+    `[ -f ${composeDir}/docker-compose.yml ] && (cd ${composeDir} && docker compose ps --format '{{.Service}}' 2>/dev/null) || true`,
+    `echo '---MARKER---'`,
+    `cat ${STATE_MARKER_PATH} 2>/dev/null || true`,
+  ].join("\n");
+
+  const res = await sshExec(cfg.target, probe, { quiet: true });
+  if (res.exitCode !== 0) {
+    // On a freshly provisioned VM only root exists — ansible creates `deploy`
     // later. If root SSH works but the configured user doesn't, treat as
     // no-docker so bootstrap re-runs ansible (idempotent) instead of spinning
     // up a duplicate server via terraform.
@@ -47,36 +61,26 @@ export async function detectRemoteState(
     return { kind: "unreachable", reason: "ssh connection failed" };
   }
 
-  const dockerCheck = await sshExec(cfg.target, "command -v docker", {
-    quiet: true,
-  });
-  if (dockerCheck.exitCode !== 0) {
+  const out = res.stdout;
+  if (!out.includes("DOCKER=1")) {
     return { kind: "no-docker" };
   }
 
-  const composeDir = `${cfg.target.remoteDir}`;
-  const psCheck = await sshExec(
-    cfg.target,
-    `test -f ${composeDir}/docker-compose.yml && cd ${composeDir} && docker compose ps --format '{{.Service}}' || true`,
-    { quiet: true },
-  );
-  if (psCheck.exitCode !== 0 || psCheck.stdout.trim() === "") {
+  const psSection = sectionBetween(out, "---PS---", "---MARKER---").trim();
+  if (psSection === "") {
     return { kind: "no-stack" };
   }
-
-  const running = psCheck.stdout
+  const running = psSection
     .split("\n")
     .map((l) => l.trim())
     .filter((l) => l.startsWith("arc-"))
     .map((l) => l.replace(/^arc-/, ""));
 
-  const markerRaw = await sshExec(cfg.target, `cat ${STATE_MARKER_PATH}`, {
-    quiet: true,
-  });
+  const markerSection = afterMarker(out, "---MARKER---").trim();
   let marker: RemoteStateMarker | null = null;
-  if (markerRaw.exitCode === 0) {
+  if (markerSection) {
     try {
-      marker = JSON.parse(markerRaw.stdout) as RemoteStateMarker;
+      marker = JSON.parse(markerSection) as RemoteStateMarker;
     } catch {
       marker = null;
     }
@@ -85,6 +89,21 @@ export async function detectRemoteState(
   return { kind: "ready", runningEnvs: running, marker };
 }
 
+/** Substring strictly between two delimiters (empty if either is absent). */
+function sectionBetween(s: string, start: string, end: string): string {
+  const i = s.indexOf(start);
+  if (i < 0) return "";
+  const from = i + start.length;
+  const j = s.indexOf(end, from);
+  return s.slice(from, j < 0 ? undefined : j);
+}
+
+/** Everything after the last delimiter (empty if absent). */
+function afterMarker(s: string, marker: string): string {
+  const i = s.indexOf(marker);
+  return i < 0 ? "" : s.slice(i + marker.length);
+}
+
 /** Write the state marker file on the remote host. */
 export async function writeStateMarker(
   target: DeployTarget,

package/src/deploy/ssh.ts

@@ -43,6 +43,27 @@ export interface SshExecResult {
   exitCode: number;
 }
 
+/**
+ * SSH connection multiplexing. Without this every remote command spawns a
+ * fresh `ssh` (full TCP + auth handshake) — a single deploy fires ~15-25 of
+ * them, so the handshake overhead alone runs into minutes. `ControlMaster=auto`
+ * makes the first connection open a master socket; every later ssh/scp to the
+ * same host reuses it with no handshake. `ControlPersist` keeps the master
+ * alive for the whole (short) deploy. The socket lives in ~/.ssh (private) and
+ * `%C` is ssh's hash of host+port+user — short enough for the ~104-byte socket
+ * path limit, and distinct per target (so the root fallback gets its own).
+ */
+function sshMuxArgs(): string[] {
+  return [
+    "-o",
+    "ControlMaster=auto",
+    "-o",
+    `ControlPath=${join(homedir(), ".ssh", "cm-arc-%C")}`,
+    "-o",
+    "ControlPersist=120",
+  ];
+}
+
 export function baseSshArgs(target: DeployTarget): string[] {
   // Pin to a single identity to avoid "Too many authentication failures":
   // the server's MaxAuthTries=3 (set by ansible) trips when ssh-agent has
@@ -50,6 +71,7 @@ export function baseSshArgs(target: DeployTarget): string[] {
   // PreferredAuthentications=publickey skips gssapi/keyboard prompts entirely.
   const key = pickSshKey(target);
   const args = [
+    ...sshMuxArgs(),
     "-o",
     "BatchMode=yes",
     "-o",
@@ -159,6 +181,8 @@ export async function scpUpload(
 ): Promise<void> {
   const key = pickSshKey(target);
   const args = [
+    // Same ControlPath as baseSshArgs — scp reuses the ssh master socket.
+    ...sshMuxArgs(),
     "-o",
     "BatchMode=yes",
     "-o",
@@ -184,3 +208,28 @@ export async function scpUpload(
     throw new Error(`scp failed (${exitCode}): ${stderr}`);
   }
 }
+
+/**
+ * Close the multiplexed SSH master connection (best-effort). Call once at the
+ * end of a deploy so the control socket doesn't linger for ControlPersist
+ * seconds after the process exits. Safe to call even if no master was opened —
+ * `ssh -O exit` against a missing socket just returns non-zero, which we ignore.
+ */
+export async function closeSshMaster(target: DeployTarget): Promise<void> {
+  try {
+    const proc = spawn({
+      cmd: [
+        "ssh",
+        ...baseSshArgs(target),
+        "-O",
+        "exit",
+        `${target.user}@${target.host}`,
+      ],
+      stdout: "ignore",
+      stderr: "ignore",
+    });
+    await proc.exited;
+  } catch {
+    // best-effort cleanup — a missing/already-closed master is fine.
+  }
+}

package/src/platform/server.ts

@@ -29,6 +29,13 @@ export interface PlatformServerOptions {
   dbPath?: string;
   /** If true, enables SSE reload stream + mutable manifest (dev mode) */
   devMode?: boolean;
+  /**
+   * Cross-origin isolation policy. Default `"unsafe-none"`. Apps z SQLite
+   * WASM/OPFS lub SharedArrayBuffer ustawiają `"require-corp"` w
+   * `deploy.arc.json` — wtedy każdy cross-origin resource (3rd-party
+   * widgets) musi mieć `Cross-Origin-Resource-Policy`. Patrz `ArcServerConfig.coep`.
+   */
+  coep?: "unsafe-none" | "credentialless" | "require-corp";
 }
 
 export interface PlatformServer {
@@ -507,6 +514,15 @@ export async function startPlatformServer(
   opts: PlatformServerOptions,
 ): Promise<PlatformServer> {
   const { ws, port, devMode, context } = opts;
+  // Default COEP: env var > opts > unsafe-none. Apps z SQLite WASM/OPFS
+  // muszą explicit ustawić "require-corp" (przez ARC_COEP w .env / Docker
+  // envVars). Default unsafe-none pozwala apps używać 3rd-party widgetów
+  // (PayU Secure Form, Stripe Elements, Google/Apple Pay) bez proxy.
+  const coep = (process.env.ARC_COEP as
+    | "unsafe-none"
+    | "credentialless"
+    | "require-corp"
+    | undefined) ?? opts.coep ?? "unsafe-none";
   ensureModuleSigSecret(ws, !!devMode);
 
   // OpenTelemetry — only when explicitly enabled (deploy injects the env
@@ -567,10 +583,10 @@ export async function startPlatformServer(
       "Access-Control-Allow-Methods":
         "GET, POST, PUT, DELETE, PATCH, OPTIONS",
       "Access-Control-Allow-Headers": "Content-Type, Authorization, X-Arc-Tokens",
-      // Cross-origin isolation — wymagane dla SharedArrayBuffer + OPFS
-      // (SQLite WASM persistent storage w przeglądarce).
+      // Cross-origin isolation — domyślnie unsafe-none (3rd-party widgets);
+      // require-corp tylko dla apps używających SharedArrayBuffer/OPFS.
       "Cross-Origin-Opener-Policy": "same-origin",
-      "Cross-Origin-Embedder-Policy": "require-corp",
+      "Cross-Origin-Embedder-Policy": coep ?? "unsafe-none",
       "Cross-Origin-Resource-Policy": "cross-origin",
     };
 
@@ -641,6 +657,7 @@ export async function startPlatformServer(
     context,
     dbAdapterFactory,
     port,
+    coep,
     httpHandlers: [
       // Platform-specific handlers (checked AFTER arc handlers)
       apiEndpointsHandler(ws, getManifest, null, moduleAccessMap, telemetry),