@arcote.tech/platform 0.7.0 → 0.7.1

package/package.json

@@ -1,34 +1,24 @@
 {
   "name": "@arcote.tech/platform",
   "type": "module",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "private": false,
   "author": "Przemysław Krasiński [arcote.tech]",
   "description": "Arc Platform — module system, router, layout, theme, i18n, platform app shell",
   "main": "./src/index.ts",
   "types": "./src/index.ts",
   "exports": {
-    ".": {
-      "types": "./src/index.ts",
-      "bun": "./src/index.server.ts",
-      "node": "./src/index.server.ts",
-      "browser": "./src/index.ts",
-      "default": "./src/index.ts"
-    },
-    "./server": {
-      "types": "./src/index.server.ts",
-      "default": "./src/index.server.ts"
-    }
+    ".": "./src/index.ts"
   },
   "scripts": {
     "type-check": "tsc --noEmit"
   },
   "dependencies": {
-    "@arcote.tech/arc-ds": "^0.7.0",
-    "@arcote.tech/arc-react": "^0.7.0"
+    "@arcote.tech/arc-ds": "^0.7.1",
+    "@arcote.tech/arc-react": "^0.7.1"
   },
   "peerDependencies": {
-    "@arcote.tech/arc": "^0.7.0",
+    "@arcote.tech/arc": "^0.7.1",
     "@lingui/core": "^5.0.0",
     "@lingui/react": "^5.0.0",
     "framer-motion": "^12.0.0",

package/src/index.ts

@@ -97,6 +97,7 @@ export { loadModules, reloadModules, syncModules, useModuleLoader } from "./modu
 export type { ModuleLoaderState, ModuleManifest } from "./module-loader";
 export { PlatformApp } from "./platform-app";
 export type { PlatformAppProps } from "./platform-app";
+export { startApp } from "./start-app";
 export type { PlatformConfig, PlatformStorageConfig } from "./registry";
 export {
   PlatformModelProvider,
@@ -113,6 +114,7 @@ export type {
   ArcLayoutComponent,
   ArcModule,
   BuildManifest,
+  BuildManifestGroup,
   BuiltModule,
   ContextElementFragment,
   ModuleAccess,

package/src/module-loader.ts

@@ -1,5 +1,5 @@
 import { clearModules, getAllRegisteredModules, getContext, setActiveModules } from "./registry";
-import type { BuildManifest, ModuleDescriptor } from "./types";
+import type { BuildManifest, BuildManifestGroup } from "./types";
 import { useCallback, useEffect, useRef, useState } from "react";
 
 /** @deprecated Use BuildManifest from "./types" */
@@ -8,35 +8,60 @@ export type ModuleManifest = BuildManifest;
 export type ModuleLoaderState = "loading" | "ready" | "error";
 
 /**
- * URL for a module's JS file with cache-bust based on its content hash.
- * When a module's bytes change, hash changes → URL changes → ES module cache invalidated.
- * For explicit full reloads, pass `bust` (e.g. timestamp) to override.
- *
- * Server-filtered descriptors carry a signed `mod.url` (chunk-aware HMAC) for
- * non-public chunks. Otherwise the path is `/modules/<chunk>/<file>` — public
- * chunks are served without a signature.
+ * URL for a token-group bundle. Server-filtered manifests carry a signed
+ * `group.url` (HMAC, 1h TTL); we use that directly. `bust` overrides the
+ * content-hash cache key during dev full-reloads.
  */
-function moduleUrl(baseUrl: string, mod: ModuleDescriptor, bust?: string): string {
-  const base = mod.url
-    ? `${baseUrl}${mod.url}`
-    : `${baseUrl}/modules/${mod.chunk}/${mod.file}`;
+function groupUrl(baseUrl: string, group: BuildManifestGroup, bust?: string): string {
+  const base = group.url
+    ? `${baseUrl}${group.url}`
+    : `${baseUrl}/browser/${group.file}`;
   const busterKey = bust ? "t" : "v";
-  const busterVal = bust ?? mod.hash;
+  const busterVal = bust ?? group.hash;
   if (!busterVal) return base;
   return `${base}${base.includes("?") ? "&" : "?"}${busterKey}=${busterVal}`;
 }
 
-/** Read all persisted arc tokens from localStorage */
+/**
+ * Decode a JWT payload (base64url) without verifying signature. Returns
+ * null if the token is malformed. Used purely to read the `exp` claim so
+ * we can drop expired tokens client-side before they hit the server.
+ */
+function decodeJwtPayload(jwt: string): { exp?: number } | null {
+  const parts = jwt.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
+    return JSON.parse(atob(padded));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Read all persisted arc tokens from localStorage, dropping any whose `exp`
+ * claim is in the past. Stale tokens are removed from localStorage so they
+ * don't keep ghosting in subsequent reads.
+ */
 function getAllPersistedTokens(): Record<string, string> {
   if (typeof localStorage === "undefined") return {};
   const tokens: Record<string, string> = {};
+  const stale: string[] = [];
+  const nowSec = Math.floor(Date.now() / 1000);
   for (let i = 0; i < localStorage.length; i++) {
     const key = localStorage.key(i);
-    if (key?.startsWith("arc:token:")) {
-      const raw = localStorage.getItem(key);
-      if (raw) tokens[key.slice(10)] = raw;
+    if (!key?.startsWith("arc:token:")) continue;
+    const raw = localStorage.getItem(key);
+    if (!raw) continue;
+    const payload = decodeJwtPayload(raw);
+    if (payload?.exp && payload.exp < nowSec) {
+      stale.push(key);
+      continue;
     }
+    tokens[key.slice(10)] = raw;
   }
+  for (const key of stale) localStorage.removeItem(key);
   return tokens;
 }
 
@@ -70,8 +95,40 @@ async function fetchManifest(
   return res.json();
 }
 
-/** Track hashes of modules we've already imported so hot-swaps re-import on change. */
-const importedModuleHashes = new Map<string, string>();
+/** Track hashes of token-group bundles already imported so hot-swaps re-import on change. */
+const importedGroupHashes = new Map<string, string>();
+
+/** Names of every module ever observed inside a protected group. Used to compute
+ *  the active-modules set: hide previously-loaded group members that the caller
+ *  no longer has access to. Public modules (from the initial bundle) are never
+ *  in this set, so they stay visible across token changes. */
+const knownGroupModuleNames = new Set<string>();
+
+/**
+ * Attempt a dynamic import. If it fails (network error, evaluation error,
+ * stale signed URL), discard the token tied to this module's chunk and let
+ * the next reload refetch a clean manifest. Without this, a single stale
+ * token bricks the entire boot path because Promise.all rejects on first
+ * failure.
+ */
+async function safeImportGroup(
+  baseUrl: string,
+  groupName: string,
+  group: BuildManifestGroup,
+  bust?: string,
+): Promise<void> {
+  try {
+    await import(/* @vite-ignore */ groupUrl(baseUrl, group, bust));
+  } catch (err) {
+    console.error(
+      `[arc] Failed to load group "${groupName}". Clearing token; refresh to retry without it.`,
+      err,
+    );
+    if (typeof localStorage !== "undefined") {
+      localStorage.removeItem(`arc:token:${groupName}`);
+    }
+  }
+}
 
 /**
  * Load all modules from manifest. Each module auto-registers via module().build().
@@ -83,9 +140,9 @@ export async function loadModules(
   const manifest = await fetchManifest(baseUrl, tokens);
 
   await Promise.all(
-    manifest.modules.map((mod) => {
-      importedModuleHashes.set(mod.name, mod.hash);
-      return import(/* @vite-ignore */ moduleUrl(baseUrl, mod));
+    Object.entries(manifest.groups).map(([name, group]) => {
+      importedGroupHashes.set(name, group.hash);
+      return safeImportGroup(baseUrl, name, group);
     }),
   );
 
@@ -104,25 +161,35 @@ export async function syncModules(
 ): Promise<BuildManifest> {
   const manifest = await fetchManifest(baseUrl, tokens);
 
-  const manifestNames = new Set(manifest.modules.map((m) => m.name));
-
-  // A module needs reimporting if it's new OR its hash changed since last import
-  const toImport = manifest.modules.filter((m) => {
-    const prevHash = importedModuleHashes.get(m.name);
-    return prevHash !== m.hash;
-  });
+  const toImport = Object.entries(manifest.groups).filter(
+    ([name, g]) => importedGroupHashes.get(name) !== g.hash,
+  );
 
   if (toImport.length > 0) {
     await Promise.all(
-      toImport.map((mod) => {
-        importedModuleHashes.set(mod.name, mod.hash);
-        return import(/* @vite-ignore */ moduleUrl(baseUrl, mod));
+      toImport.map(([name, group]) => {
+        importedGroupHashes.set(name, group.hash);
+        return safeImportGroup(baseUrl, name, group);
       }),
     );
   }
 
-  // Set active filter — only modules in the manifest are visible
-  setActiveModules(manifestNames);
+  // Compute active set: every registered module EXCEPT protected-group members
+  // not present in the current manifest (e.g. after logout). Public modules,
+  // never observed in a group, stay visible automatically.
+  const currentlyAllowed = new Set<string>();
+  for (const group of Object.values(manifest.groups)) {
+    for (const name of group.modules) {
+      currentlyAllowed.add(name);
+      knownGroupModuleNames.add(name);
+    }
+  }
+  const active = new Set<string>();
+  for (const m of getAllRegisteredModules()) {
+    if (knownGroupModuleNames.has(m.name) && !currentlyAllowed.has(m.name)) continue;
+    active.add(m.name);
+  }
+  setActiveModules(active);
 
   return manifest;
 }
@@ -142,8 +209,8 @@ export async function reloadModules(
   clearModules();
 
   await Promise.all(
-    manifest.modules.map(
-      (mod) => import(/* @vite-ignore */ moduleUrl(baseUrl, mod, bust)),
+    Object.entries(manifest.groups).map(([name, group]) =>
+      safeImportGroup(baseUrl, name, group, bust),
     ),
   );
 

package/src/registry.ts

@@ -92,35 +92,28 @@ function notifyContext(): void {
 }
 
 /** Set the active Arc context (called by arc() or module().build()).
- *  If a context is already set, merges new elements into it
- *  while preserving the ArcContext instance (with .get() method). */
+ *  If a context is already set, merges new elements into it.
+ *
+ *  CRITICAL: must mutate the existing ArcContext in place (push to .elements,
+ *  set in .elementMap) — NOT construct a new instance. Mutation is the
+ *  contract relied on by PlatformApp, which captures `getContext()` into a
+ *  ref at first render and assumes that reference stays valid as additional
+ *  modules register later (e.g. token-gated chunks loaded after login). If
+ *  we returned a fresh context object, the ref would go stale and lookups
+ *  like `model.context.get("strategyConsultation")` would yield undefined
+ *  for any module registered after the model was created. */
 export function setContext(ctx: any): void {
   if (currentContext && ctx && currentContext !== ctx) {
-    // Merge: append new elements that aren't already present
     const existingNames = new Set(
       currentContext.elements.map((e: any) => e.name ?? e.id ?? e),
     );
-    const newElements = ctx.elements.filter(
-      (e: any) => !existingNames.has(e.name ?? e.id ?? e),
-    );
-    if (newElements.length > 0) {
-      // Rebuild using the context constructor to preserve .get() and other methods
-      const allElements = [...currentContext.elements, ...newElements];
-      const Ctor = currentContext.constructor;
-      if (typeof Ctor === "function" && Ctor !== Object) {
-        currentContext = new Ctor(allElements);
-      } else {
-        // Fallback: create context-like object with get() method
-        const elementMap = new Map(
-          allElements.map((e: any) => [e.name, e]),
-        );
-        currentContext = {
-          elements: allElements,
-          elementMap,
-          get(name: string) {
-            return elementMap.get(name);
-          },
-        };
+    for (const el of ctx.elements) {
+      const key = el.name ?? el.id ?? el;
+      if (existingNames.has(key)) continue;
+      existingNames.add(key);
+      currentContext.elements.push(el);
+      if (typeof el.name === "string" && currentContext.elementMap) {
+        currentContext.elementMap.set(el.name, el);
       }
     }
   } else {

package/src/start-app.ts

@@ -0,0 +1,17 @@
+import { createElement } from "react";
+import { createRoot } from "react-dom/client";
+import { PlatformApp } from "./platform-app";
+
+/**
+ * Mount the platform app into the DOM. Bundled inside the platform module so
+ * that the single Bun.build pass keeps react + react-dom in ONE shared chunk
+ * (the one platform lives in). If the host HTML entry imported react/react-dom
+ * directly, Bun would copy them into the entry chunk alongside the existing
+ * platform-chunk copy — producing two React instances and the classic
+ * "Invalid hook call" crash.
+ */
+export function startApp(elementId: string): void {
+  const el = document.getElementById(elementId);
+  if (!el) throw new Error(`startApp: #${elementId} not found`);
+  createRoot(el).render(createElement(PlatformApp));
+}

package/src/types.ts

@@ -115,13 +115,37 @@ export interface ModuleDescriptor {
   readonly url?: string;
 }
 
-/** Build manifest written to .arc/platform/modules/manifest.json. */
+/** Per-group entry in the build manifest. */
+export interface BuildManifestGroup {
+  /** Filename relative to `/browser/` static root. */
+  readonly file: string;
+  readonly hash: string;
+  /** Module names this group registers when loaded. */
+  readonly modules: readonly string[];
+  /** Signed URL — server fills this for protected groups when filtering per request. */
+  readonly url?: string;
+}
+
+/** Build manifest written to .arc/platform/manifest.json. */
 export interface BuildManifest {
-  readonly modules: readonly ModuleDescriptor[];
-  /** All chunk group names present in this build (sorted). Always includes `"public"`. */
-  readonly chunks: readonly string[];
-  /** sha256 hex over all shell bundle outputs concatenated. */
-  readonly shellHash: string;
+  /**
+   * Single bundle with all public-chunk modules + framework bootstrap.
+   * Loaded eagerly on every page. Filename is content-addressed.
+   */
+  readonly initial: {
+    readonly file: string;
+    readonly hash: string;
+  };
+  /**
+   * Token-gated groups keyed by `token.name`. One bundle per group containing
+   * all that group's modules. Loaded lazily after the user obtains the token.
+   */
+  readonly groups: Readonly<Record<string, BuildManifestGroup>>;
+  /**
+   * Shared chunks auto-emitted by Bun.build splitting (workspace ctx,
+   * framework, common deps). Public, unsigned (filename is content-hashed).
+   */
+  readonly sharedChunks: readonly string[];
   /** sha256 hex over styles.css (+ theme.css if present). */
   readonly stylesHash: string;
   readonly buildTime: string;

package/src/index.server.ts

@@ -1,84 +0,0 @@
-// Arc Platform — server entry (bun/node runtime)
-//
-// Subset of the public API that is safe to import in a server context:
-// pure data + functions, no React, no DOM, no JSX runtime imports at top
-// level. Used by:
-//   - access-extractor subprocess (PRE-bundle discovery of protectedBy rules)
-//   - server bundles per context package (resolve @arcote.tech/platform
-//     through Bun's `bun` export condition)
-//
-// Shares the same `registry` module instance with the browser entry — both
-// reference the SAME ./registry file, so `module().build()` in user code
-// and `getAllModuleAccess()` in extractor observe a single source of truth.
-
-// Module system
-export {
-  module,
-  page,
-  wrapper,
-  slot,
-  contextElement,
-  contextFragments,
-} from "./arc";
-/** @deprecated Use module() instead */
-export { arc } from "./arc";
-
-// Registry
-export {
-  clearModules,
-  clearRegistry,
-  forceRegisterModule,
-  getAllFragments,
-  getAllModuleAccess,
-  getAllModules,
-  getAllRegisteredModules,
-  getContext,
-  getModuleAccess,
-  getContextElementFragments,
-  getDefaultLayout,
-  getModule,
-  getPageByPath,
-  getPlatformConfig,
-  getPageFragments,
-  getSlotFragments,
-  getVariantOverrides,
-  getWrapperFragments,
-  registerModule,
-  setContext,
-  setDefaultLayout,
-  setPlatformConfig,
-  setVariantOverrides,
-  subscribe,
-  subscribeContext,
-  unregisterModule,
-} from "./registry";
-
-export type { PlatformConfig, PlatformStorageConfig } from "./registry";
-
-// Types
-export type {
-  ArcComponent,
-  ArcFactory,
-  ArcFactoryMethods,
-  ArcFragment,
-  ArcLayoutComponent,
-  ArcModule,
-  BuildManifest,
-  BuiltModule,
-  ContextElementFragment,
-  ModuleAccess,
-  ModuleAccessRule,
-  ModuleDescriptor,
-  ExtractPages,
-  FragmentOrdering,
-  PageFragment,
-  PageOptions,
-  PageShellProps,
-  PublicArcFragment,
-  PublicPaths,
-  SlotFragment,
-  SlotId,
-  SlotOptions,
-  WrapperFragment,
-  WrapperOptions,
-} from "./types";