arrhes · 656d696c65 · May 19, 2026 · May 11, 2026 · May 11, 2026 · May 11, 2026
diff --git a/.github/workflows/cli-release.yml b/.github/workflows/cli-release.yml
@@ -0,0 +1,174 @@
+name: Release CLI
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      publish_npm:
+        description: "Publish to npm"
+        type: boolean
+        default: false
+
+jobs:
+  build-binaries:
+    name: Build binary (${{ matrix.asset_name }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-22.04
+            asset_name: arrhes-linux-x64
+            node_version: 22
+          - os: macos-13
+            asset_name: arrhes-macos-x64
+            node_version: 22
+          - os: macos-15
+            asset_name: arrhes-macos-arm64
+            node_version: 22
+          - os: windows-2025
+            asset_name: arrhes-windows-x64.exe
+            node_version: 22
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version: ${{ matrix.node_version }}
+
+      - name: Install pnpm
+        run: npm install -g pnpm
+
+      - name: Install dependencies
+        run: CI=true pnpm install --no-frozen-lockfile
+
+      - name: Build metadata
+        run: pnpm --filter @arrhes/application-metadata build
+
+      - name: Bundle CLI (inline all deps)
+        working-directory: packages/cli
+        run: pnpm bundle
+
+      - name: Generate SEA blob
+        working-directory: packages/cli
+        run: node --experimental-sea-config sea-config.json
+
+      - name: Create standalone binary (Linux / macOS)
+        if: runner.os != 'Windows'
+        working-directory: packages/cli
+        run: |
+          mkdir -p binaries
+          cp $(which node) binaries/${{ matrix.asset_name }}
+          node_modules/.bin/postject binaries/${{ matrix.asset_name }} NODE_SEA_BLOB sea-prep.blob \
+            --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
+          if [[ "$RUNNER_OS" == "macOS" ]]; then
+            # macOS: codesign BEFORE UPX (UPX is skipped on macOS — breaks signing)
+            codesign --sign - binaries/${{ matrix.asset_name }}
+          fi
+
+      - name: Create standalone binary (Windows)
+        if: runner.os == 'Windows'
+        working-directory: packages/cli
+        shell: pwsh
+        run: |
+          New-Item -ItemType Directory -Force -Path binaries
+          $nodePath = (Get-Command node).Source
+          Copy-Item $nodePath binaries\${{ matrix.asset_name }}
+          node_modules\.bin\postject binaries\${{ matrix.asset_name }} NODE_SEA_BLOB sea-prep.blob `
+            --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
+
+      # UPX compresses ~60-65% (123 MB → ~40 MB).
+      # Skipped on macOS: UPX invalidates the codesignature and Gatekeeper rejects the binary.
+      - name: Compress binary with UPX (Linux)
+        if: runner.os == 'Linux'
+        working-directory: packages/cli
+        run: |
+          sudo apt-get install -y upx-ucl -q
+          upx --best --lzma binaries/${{ matrix.asset_name }}
+
+      - name: Compress binary with UPX (Windows)
+        if: runner.os == 'Windows'
+        working-directory: packages/cli
+        shell: pwsh
+        run: |
+          choco install upx -y --no-progress
+          upx --best --lzma binaries\${{ matrix.asset_name }}
+
+      - name: Upload binary to release
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: packages/cli/binaries/${{ matrix.asset_name }}
+          asset_name: ${{ matrix.asset_name }}
+          asset_content_type: application/octet-stream
+
+      # Upload install scripts once (only from the Linux runner to avoid duplicates)
+      - name: Upload install.sh to release
+        if: runner.os == 'Linux'
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: packages/cli/install.sh
+          asset_name: install.sh
+          asset_content_type: text/plain
+
+      - name: Upload install.ps1 to release
+        if: runner.os == 'Linux'
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: packages/cli/install.ps1
+          asset_name: install.ps1
+          asset_content_type: text/plain
+
+  publish-npm:
+    name: Publish to npm
+    runs-on: ubuntu-22.04
+    needs: build-binaries
+    if: github.event_name == 'release' || inputs.publish_npm
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v5
+        with:
+          node-version: 22
+          registry-url: https://registry.npmjs.org
+
+      - name: Install pnpm
+        run: npm install -g pnpm
+
+      - name: Install dependencies
+        run: CI=true pnpm install --no-frozen-lockfile
+
+      - name: Build metadata
+        run: pnpm --filter @arrhes/application-metadata build
+
+      - name: Build CLI (tsc)
+        working-directory: packages/cli
+        run: pnpm build
+
+      - name: Set version from release tag
+        if: github.event_name == 'release'
+        working-directory: packages/cli
+        run: |
+          VERSION="${{ github.event.release.tag_name }}"
+          VERSION="${VERSION#v}"  # strip leading 'v'
+          npm pkg set version="$VERSION"
+
+      - name: Publish
+        working-directory: packages/cli
+        run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -9,6 +9,10 @@ build
 .vscode
 .agents
 
+packages/cli/binaries/
+packages/cli/dist/
+packages/cli/sea-prep.blob
+
 .pnpm-store
 
 *.tsbuildinfo

diff --git a/.workflows/build/compose.start.yml b/.workflows/build/compose.start.yml
@@ -135,6 +135,11 @@ services:
   worker:
     container_name: arrhes-prod-worker
     image: arrhes-worker:${ARRHES_VERSION:-dev}
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
     environment:
       ENV: development
       VERBOSE: "true"

diff --git a/.workflows/dev/compose.yml b/.workflows/dev/compose.yml
@@ -161,6 +161,12 @@ services:
         condition: service_healthy
       redis:
         condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:' + process.env.PORT, r => process.exit(r.statusCode < 500 ? 0 : 1)).on('error', () => process.exit(1))\""]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 60s
 
   # Website - Frontend interface (React + Vite)
   website:
@@ -191,6 +197,11 @@ services:
   worker:
     container_name: arrhes-worker
     image: arrhes-dev-worker:latest
+    logging:
+      driver: json-file
+      options:
+        max-size: "50m"
+        max-file: "5"
     build:
       context: ../..
       dockerfile: .workflows/dev/packages/worker/Dockerfile

diff --git a/.workflows/dev/packages/api/start.sh b/.workflows/dev/packages/api/start.sh
@@ -2,14 +2,17 @@
 # ==============================================================================
 # Start API Server
 # ==============================================================================
-# Starts the API development server with hot reload.
-# Builds workspace dependencies first (tsc --build follows project references).
+# 1. Runs a one-off schema drift check (plain tsx, no watch).
+#    If the DB is out of sync with the Drizzle models the script exits non-zero,
+#    the container stops, and `docker compose up --wait` surfaces the error.
+# 2. Starts the API dev server with hot reload (tsx watch).
+#    tsx is started with --conditions source so that @arrhes/application-metadata
+#    resolves to ./src/index.ts directly — no build step needed in dev.
 # ==============================================================================
 set -e
 
-echo "Building workspace dependencies..."
-cd /workspace/packages/api
-pnpm run build
+echo "Checking database schema..."
+SCHEMA_CHECK_ONLY=1 pnpm --filter="@arrhes/application-api" exec tsx --conditions source ./src/server.ts
 
 echo "Starting API dev server..."
 exec pnpm --filter="@arrhes/application-api" dev
diff --git a/.workflows/dev/up.sh b/.workflows/dev/up.sh
@@ -84,15 +84,28 @@ POSTGRES_HOST_PORT=$postgres_host_port
 REDIS_HOST_PORT=$redis_host_port
 EOF
 
-WEBSITE_HOST_PORT="$website_host_port" \
-API_HOST_PORT="$api_host_port" \
-STORAGE_HOST_PORT="$storage_host_port" \
-RUSTFS_UI_HOST_PORT="$rustfs_ui_host_port" \
-MAILPIT_UI_HOST_PORT="$mailpit_ui_host_port" \
-MAILPIT_SMTP_HOST_PORT="$mailpit_smtp_host_port" \
-POSTGRES_HOST_PORT="$postgres_host_port" \
-REDIS_HOST_PORT="$redis_host_port" \
-    "${DC[@]}" up --detach --build --force-recreate
+if ! WEBSITE_HOST_PORT="$website_host_port" \
+   API_HOST_PORT="$api_host_port" \
+   STORAGE_HOST_PORT="$storage_host_port" \
+   RUSTFS_UI_HOST_PORT="$rustfs_ui_host_port" \
+   MAILPIT_UI_HOST_PORT="$mailpit_ui_host_port" \
+   MAILPIT_SMTP_HOST_PORT="$mailpit_smtp_host_port" \
+   POSTGRES_HOST_PORT="$postgres_host_port" \
+   REDIS_HOST_PORT="$redis_host_port" \
+       "${DC[@]}" up --detach --build --force-recreate --wait; then
+    echo ""
+    echo "=============================================="
+    echo "  ERROR: one or more services failed to start"
+    echo "=============================================="
+    echo ""
+    # Print logs for every exited container so the error is visible
+    for container in $("${DC[@]}" ps --all --filter status=exited --format '{{.Name}}' 2>/dev/null); do
+        echo "--- Logs for $container ---"
+        docker logs "$container" 2>&1 | tail -30
+        echo ""
+    done
+    exit 1
+fi
 
 echo ""
 echo "=============================================="

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v1.2.0
+v1.3.0
diff --git a/biome.json b/biome.json
@@ -6,7 +6,7 @@
         "useIgnoreFile": true
     },
     "files": {
-        "includes": ["**", "!**/dist", "!**/build", "!**/styled-system", "!**/.workflows"]
+        "includes": ["**", "!**/dist", "!**/build", "!**/styled-system", "!**/.workflows", "!scripts"]
     },
     "assist": { "actions": { "source": { "organizeImports": "on" } } },
     "formatter": {

diff --git a/node_modules_old/.pnpm-workspace-state-v1.json b/node_modules_old/.pnpm-workspace-state-v1.json
@@ -0,0 +1,48 @@
+{
+    "lastValidatedTimestamp": 1779115049031,
+    "projects": {
+        "/workspace": {
+            "name": "arrhes"
+        },
+        "/workspace/packages/api": {
+            "name": "@arrhes/application-api"
+        },
+        "/workspace/packages/metadata": {
+            "name": "@arrhes/application-metadata"
+        },
+        "/workspace/packages/tools": {
+            "name": "@arrhes/application-tools"
+        },
+        "/workspace/packages/ui": {
+            "name": "@arrhes/ui",
+            "version": "0.0.1"
+        },
+        "/workspace/packages/website": {
+            "name": "@arrhes/application-website"
+        },
+        "/workspace/packages/worker": {
+            "name": "@evidensy/worker"
+        }
+    },
+    "pnpmfiles": [],
+    "settings": {
+        "autoInstallPeers": true,
+        "catalogs": {},
+        "dedupeDirectDeps": false,
+        "dedupeInjectedDeps": true,
+        "dedupePeerDependents": true,
+        "dev": true,
+        "excludeLinksFromLockfile": false,
+        "hoistPattern": ["*"],
+        "hoistWorkspacePackages": true,
+        "injectWorkspacePackages": false,
+        "linkWorkspacePackages": false,
+        "nodeLinker": "isolated",
+        "optional": true,
+        "preferWorkspacePackages": false,
+        "production": true,
+        "publicHoistPattern": [],
+        "workspacePackagePatterns": ["./packages/*"]
+    },
+    "filteredInstall": false
+}
diff --git a/packages/api/package.json b/packages/api/package.json
@@ -3,7 +3,7 @@
     "type": "module",
     "private": false,
     "scripts": {
-        "dev": "tsx watch --env-file=.env ./src/server.ts",
+        "dev": "tsx watch --conditions source --env-file=.env ./src/server.ts",
         "build": "tsc --build",
         "start": "node --env-file=.env ./build/server.js",
         "test": "vitest run",

diff --git a/packages/api/src/middlewares/checkAdminUserSessionMiddleware.ts b/packages/api/src/middlewares/checkAdminUserSessionMiddleware.ts
@@ -5,10 +5,10 @@ import { parseCookies } from "../utilities/cookies/parseCookies.js"
 import { unsignString } from "../utilities/cookies/unsignString.js"
 import { Exception } from "../utilities/exception.js"
 import { productName } from "../utilities/variables.js"
-import { checkUserSessionMiddleware } from "./checkUserSessionMiddleware.js"
+import { checkAuthMiddleware } from "./checkAuthMiddleware.js"
 
 async function trySuperAdminDashboardFallback(parameters: { context: Context<any> }) {
-    const userSession = await checkUserSessionMiddleware({
+    const userSession = await checkAuthMiddleware({
         context: parameters.context,
     })
     if (userSession.user.isSuperAdmin !== true) {