@mirinjs/cli 0.0.1-alpha.14 → 0.0.1-alpha.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mirinjs/cli",
-  "version": "0.0.1-alpha.14",
+  "version": "0.0.1-alpha.15",
   "description": "CLI for mirin apps: dev, build, init.",
   "type": "module",
   "license": "MIT",
@@ -27,11 +27,11 @@
     "bun": ">=1.2.0"
   },
   "dependencies": {
-    "create-mirinjs": "0.0.1-alpha.14",
-    "mirinjs": "0.0.1-alpha.14"
+    "create-mirinjs": "0.0.1-alpha.15",
+    "mirinjs": "0.0.1-alpha.15"
   },
   "optionalDependencies": {
-    "@mirinjs/darwin-arm64": "0.0.1-alpha.14"
+    "@mirinjs/darwin-arm64": "0.0.1-alpha.15"
   },
   "publishConfig": {
     "access": "public"

package/src/build.ts

@@ -21,6 +21,7 @@ import { join } from "node:path";
 import { buildAppBundle } from "./bundle.ts";
 import { resolveArtifacts } from "./artifacts.ts";
 import { sweepBuildTemps } from "./temps.ts";
+import { normalizeSidecars, compileWorkers } from "./extras.ts";
 
 export interface BuildResult {
   /** Path to the assembled .app. */
@@ -87,6 +88,10 @@ export async function build(projectDir = process.cwd()): Promise<BuildResult> {
   await $`bun build --compile --minify ${artifacts.hostEntry} --outfile ${hostExe}`.cwd(projectDir);
   await $`bun build ${mainEntry} --target=bun --minify --outfile ${workerJs}`.cwd(projectDir);
 
+  // Extra assets: resolve sidecar binaries + compile any extra worker entries.
+  const sidecars = normalizeSidecars(projectDir, config.sidecars);
+  const extraWorkers = await compileWorkers(projectDir, config.workers, join(work, "workers"), true);
+
   // 5. assemble + sign
   console.log("[mirin build] assembling .app…");
   rmSync(join(outDir, `${appName}.app`), { recursive: true, force: true });
@@ -111,6 +116,8 @@ export async function build(projectDir = process.cwd()): Promise<BuildResult> {
       workerJs,
       manifestJson: JSON.stringify({ windows: config.windows }),
       versionJson,
+      sidecars,
+      workers: extraWorkers,
     },
   });
 

package/src/bundle.ts

@@ -12,7 +12,7 @@
  */
 
 import { $ } from "bun";
-import { cpSync, mkdirSync, rmSync, writeFileSync, existsSync, readdirSync } from "node:fs";
+import { cpSync, mkdirSync, rmSync, writeFileSync, existsSync, readdirSync, chmodSync } from "node:fs";
 import { join } from "node:path";
 
 const FRAMEWORK = "Chromium Embedded Framework.framework";
@@ -45,9 +45,43 @@ export interface BundleOptions {
     workerJs?: string; // bundled main-process Worker entry -> Resources/worker.js
     manifestJson?: string; // serialized manifest -> Resources/mirin.manifest.json
     versionJson?: string; // serialized version.json -> Resources/version.json (updater)
+    /** Bundled sidecar binaries -> Resources/sidecars/<name> (copied + signed). */
+    sidecars?: SidecarBundle[];
+    /** Compiled extra-worker JS (name -> abs path) -> Resources/workers/<name>.js. */
+    workers?: Record<string, string>;
   };
 }
 
+/** A sidecar binary to bundle: logical name, source path, hardened-runtime entitlements. */
+export interface SidecarBundle {
+  name: string;
+  src: string;
+  entitlements: string[];
+}
+
+/** Short entitlement name -> the full `com.apple.security.cs.*` key. */
+const SIDECAR_ENTITLEMENT_KEYS: Record<string, string> = {
+  "allow-jit": "com.apple.security.cs.allow-jit",
+  "allow-unsigned-executable-memory": "com.apple.security.cs.allow-unsigned-executable-memory",
+  "disable-library-validation": "com.apple.security.cs.disable-library-validation",
+};
+
+function entitlementsPlist(names: string[]): string {
+  const keys = names
+    .map((n) => SIDECAR_ENTITLEMENT_KEYS[n])
+    .filter(Boolean)
+    .map((k) => `  <key>${k}</key><true/>`)
+    .join("\n");
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+${keys}
+</dict>
+</plist>
+`;
+}
+
 /** The 10 standard iconset renditions (point size + @1x/@2x pixel size). */
 const ICONSET_RENDITIONS = [
   { name: "icon_16x16.png", px: 16 },
@@ -182,6 +216,28 @@ export async function buildAppBundle(opts: BundleOptions): Promise<{ app: string
   if (opts.resources?.versionJson != null) {
     writeFileSync(join(resources, "version.json"), opts.resources.versionJson);
   }
+  // Extra Bun Worker bundles -> Resources/workers/<name>.js (resolveWorker()).
+  if (opts.resources?.workers && Object.keys(opts.resources.workers).length) {
+    const workersDir = join(resources, "workers");
+    mkdirSync(workersDir, { recursive: true });
+    for (const [name, src] of Object.entries(opts.resources.workers)) {
+      cpSync(src, join(workersDir, `${name}.js`));
+    }
+  }
+  // Sidecar binaries -> Resources/sidecars/<name> (chmod +x; signed below). Paths
+  // collected here so the codesign loop can sign them inside-out with the app.
+  const sidecarDests: SidecarBundle[] = [];
+  if (opts.resources?.sidecars?.length) {
+    const sidecarsDir = join(resources, "sidecars");
+    mkdirSync(sidecarsDir, { recursive: true });
+    for (const sc of opts.resources.sidecars) {
+      if (!existsSync(sc.src)) throw new Error(`sidecar "${sc.name}" not found: ${sc.src}`);
+      const dest = join(sidecarsDir, sc.name);
+      cpSync(sc.src, dest);
+      chmodSync(dest, 0o755);
+      sidecarDests.push({ name: sc.name, src: dest, entitlements: sc.entitlements });
+    }
+  }
 
   for (const { suffix, id } of HELPER_TYPES) {
     const name = `${appName} Helper${suffix}`;
@@ -249,6 +305,18 @@ export async function buildAppBundle(opts: BundleOptions): Promise<{ app: string
     await sign(cef);
     // 3. our FFI core dylib.
     await sign(join(macos, "libmirin_core.dylib"));
+    // 3b. sidecars: hardened runtime + timestamp; per-binary entitlements only
+    //     when the spec asks (most CLIs need none — over-entitling is a smell).
+    for (const sc of sidecarDests) {
+      if (sc.entitlements.length) {
+        const ent = join(opts.outDir, `_sidecar_${sc.name}.plist`);
+        writeFileSync(ent, entitlementsPlist(sc.entitlements));
+        await $`codesign --force --timestamp --options runtime --entitlements ${ent} --sign ${identity} ${sc.src}`.quiet();
+        rmSync(ent, { force: true });
+      } else {
+        await sign(sc.src);
+      }
+    }
     // 4. each helper: the inner executable, then the .app wrapper (entitlements
     //    on both — the renderer/GPU helpers are what actually JIT).
     for (const { suffix } of HELPER_TYPES) {
@@ -263,6 +331,9 @@ export async function buildAppBundle(opts: BundleOptions): Promise<{ app: string
   } else {
     // Ad-hoc: enough to launch locally; not distributable or notarizable.
     await $`codesign --force --sign ${identity} ${cef}`.quiet();
+    for (const sc of sidecarDests) {
+      await $`codesign --force --sign ${identity} ${sc.src}`.quiet();
+    }
     for (const { suffix } of HELPER_TYPES) {
       await $`codesign --force --sign ${identity} ${join(frameworks, `${appName} Helper${suffix}.app`)}`.quiet();
     }

package/src/dev.ts

@@ -9,13 +9,17 @@
  */
 
 import { $ } from "bun";
-import { mkdirSync } from "node:fs";
+import { mkdirSync, rmSync, symlinkSync, existsSync } from "node:fs";
+import { createServer } from "node:net";
 import { join } from "node:path";
 import { buildAppBundle } from "./bundle.ts";
 import { resolveArtifacts } from "./artifacts.ts";
 import { sweepBuildTemps } from "./temps.ts";
+import { normalizeSidecars, compileWorkers } from "./extras.ts";
 
-const DEV_URL = "http://localhost:5173";
+/** Vite's default port. `mirin dev` probes upward from here for a free one, so a
+ *  second dev session (or anything already on 5173) doesn't collide. */
+const DEV_PORT_BASE = 5173;
 
 export async function dev(projectDir = process.cwd()): Promise<number> {
   const work = join(projectDir, ".mirin");
@@ -40,6 +44,19 @@ export async function dev(projectDir = process.cwd()): Promise<number> {
   await $`bun build --compile ${artifacts.hostEntry} --outfile ${hostExe}`.cwd(projectDir);
   await $`bun build ${mainEntry} --target=bun --outfile ${workerJs}`.cwd(projectDir);
 
+  // Extra assets (dev): compile workers into .mirin/workers and symlink sidecar
+  // binaries into .mirin/sidecars (no copy/sign in dev — they run unsigned locally).
+  const workersDir = join(work, "workers");
+  await compileWorkers(projectDir, config.workers, workersDir, false);
+  const sidecarsDir = join(work, "sidecars");
+  mkdirSync(sidecarsDir, { recursive: true });
+  for (const sc of normalizeSidecars(projectDir, config.sidecars)) {
+    const link = join(sidecarsDir, sc.name);
+    rmSync(link, { force: true });
+    if (existsSync(sc.src)) symlinkSync(sc.src, link);
+    else console.warn(`[mirin dev] sidecar "${sc.name}" not found: ${sc.src}`);
+  }
+
   // --- assemble the dev .app ---
   console.log("[mirin dev] assembling dev bundle…");
   const { app, exe } = await buildAppBundle({
@@ -53,13 +70,21 @@ export async function dev(projectDir = process.cwd()): Promise<number> {
     icon: config.icon ? join(projectDir, config.icon) : undefined,
   });
 
-  // --- start Vite ---
-  console.log("[mirin dev] starting Vite dev server…");
-  const vite = Bun.spawn(["bunx", "vite", "--clearScreen", "false"], {
-    cwd: projectDir,
-    stdio: ["ignore", "inherit", "inherit"],
-  });
-  await waitForUrl(DEV_URL, 15_000);
+  // --- start Vite on a free port so concurrent dev sessions don't collide ---
+  // `--port <free> --strictPort` pins Vite to the port we probed (overriding any
+  // port/strictPort in the app's vite.config) and passes the real URL to the app,
+  // so the host and Vite never disagree about which port is in use.
+  const port = await findFreePort(DEV_PORT_BASE);
+  const devUrl = `http://localhost:${port}`;
+  console.log(`[mirin dev] starting Vite dev server on ${devUrl}…`);
+  const vite = Bun.spawn(
+    ["bunx", "vite", "--clearScreen", "false", "--port", String(port), "--strictPort"],
+    {
+      cwd: projectDir,
+      stdio: ["ignore", "inherit", "inherit"],
+    },
+  );
+  await waitForUrl(devUrl, 15_000);
 
   // --- launch the app ---
   console.log(`[mirin dev] launching ${appName}…`);
@@ -69,9 +94,11 @@ export async function dev(projectDir = process.cwd()): Promise<number> {
       ...process.env,
       MIRIN_CORE: join(app, "Contents", "MacOS", "libmirin_core.dylib"),
       MIRIN_WORKER: workerJs,
-      MIRIN_DEV_URL: DEV_URL,
+      MIRIN_DEV_URL: devUrl,
       MIRIN_MANIFEST_JSON: JSON.stringify({ windows: config.windows }),
       MIRIN_CONFIG_JSON: "{}",
+      MIRIN_SIDECAR_DIR: sidecarsDir,
+      MIRIN_WORKERS_DIR: workersDir,
     },
     stdio: ["ignore", "inherit", "inherit"],
   });
@@ -88,6 +115,32 @@ export async function dev(projectDir = process.cwd()): Promise<number> {
   return code;
 }
 
+/** First free TCP port at or above `start` on loopback. */
+async function findFreePort(start: number): Promise<number> {
+  for (let port = start; port < start + 100; port++) {
+    if (await isPortFree(port)) return port;
+  }
+  throw new Error(`[mirin dev] no free port in ${start}–${start + 99}`);
+}
+
+/** Free only if neither IPv4 nor IPv6 loopback reports the port in use — Vite
+ *  binds `localhost` (often `::1`), so a v4-only probe would miss an IPv6 holder. */
+async function isPortFree(port: number): Promise<boolean> {
+  const [v4, v6] = await Promise.all([portInUse(port, "127.0.0.1"), portInUse(port, "::1")]);
+  return !v4 && !v6;
+}
+
+function portInUse(port: number, host: string): Promise<boolean> {
+  return new Promise((resolve) => {
+    const srv = createServer();
+    // Only EADDRINUSE means taken; other errors (e.g. EADDRNOTAVAIL when IPv6 is
+    // off) just mean we can't test that family — treat as not-in-use.
+    srv.once("error", (err: NodeJS.ErrnoException) => resolve(err.code === "EADDRINUSE"));
+    srv.once("listening", () => srv.close(() => resolve(false)));
+    srv.listen(port, host);
+  });
+}
+
 async function waitForUrl(url: string, timeoutMs: number): Promise<void> {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {

package/src/extras.ts

@@ -0,0 +1,61 @@
+/**
+ * Shared helpers for the two "extra asset" config blocks — `sidecars` (bundled
+ * binaries) and `workers` (extra Bun Worker entries) — used by both `mirin build`
+ * and `mirin dev`. Keeps the config normalization + worker compilation in one
+ * place so the two CLI paths stay in sync.
+ */
+
+import { $ } from "bun";
+import { join } from "node:path";
+
+/** Config shapes (mirrors packages/mirin/src/config.ts; CLI can't import the runtime). */
+export type SidecarConfig = Record<string, string | { bin: string; entitlements?: string[] }>;
+export type WorkersConfig = Record<string, string>;
+
+/** A sidecar resolved to an absolute source path + its requested entitlements. */
+export interface NormalizedSidecar {
+  name: string;
+  /** Absolute path to the source binary. */
+  src: string;
+  /** Short entitlement names (e.g. "allow-jit"); empty for most CLIs. */
+  entitlements: string[];
+}
+
+/** Resolve `config.sidecars` to absolute source paths. */
+export function normalizeSidecars(
+  projectDir: string,
+  sidecars: SidecarConfig | undefined,
+): NormalizedSidecar[] {
+  return Object.entries(sidecars ?? {}).map(([name, value]) => {
+    const spec = typeof value === "string" ? { bin: value } : value;
+    return {
+      name,
+      src: join(projectDir, spec.bin),
+      entitlements: spec.entitlements ?? [],
+    };
+  });
+}
+
+/**
+ * Compile each extra-worker entry to `<outDir>/<name>.js`. Returns name → path.
+ * `minify` matches the surrounding build (prod minifies; dev doesn't).
+ */
+export async function compileWorkers(
+  projectDir: string,
+  workers: WorkersConfig | undefined,
+  outDir: string,
+  minify: boolean,
+): Promise<Record<string, string>> {
+  const out: Record<string, string> = {};
+  for (const [name, entry] of Object.entries(workers ?? {})) {
+    const js = join(outDir, `${name}.js`);
+    const src = join(projectDir, entry);
+    if (minify) {
+      await $`bun build ${src} --target=bun --minify --outfile ${js}`.cwd(projectDir);
+    } else {
+      await $`bun build ${src} --target=bun --outfile ${js}`.cwd(projectDir);
+    }
+    out[name] = js;
+  }
+  return out;
+}