feat: add archon serve command for one-command web UI install

.github/workflows/release.yml

@@ -145,10 +145,25 @@ jobs:
           path: dist
           merge-multiple: true
 
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: 1.3.11
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Build web UI
+        run: bun --filter @archon/web run build
+
+      - name: Package web dist
+        run: |
+          tar czf dist/archon-web.tar.gz -C packages/web/dist .
+
       - name: Generate checksums
         run: |
           cd dist
-          sha256sum archon-* > checksums.txt
+          sha256sum archon-* archon-web.tar.gz > checksums.txt
           cat checksums.txt
 
       - name: Get version
@@ -170,6 +185,7 @@ jobs:
           generate_release_notes: true
           files: |
             dist/archon-*
+            dist/archon-web.tar.gz
             dist/checksums.txt
           body: |
             ## Installation

CLAUDE.md

@@ -244,6 +244,11 @@ bun run cli validate commands my-command    # Single command
 bun run cli complete <branch-name>
 bun run cli complete <branch-name> --force  # Skip uncommitted-changes check
 
+# Start the web UI server (compiled binary only, downloads web UI on first run)
+bun run cli serve
+bun run cli serve --port 4000
+bun run cli serve --download-only  # Download without starting
+
 # Show version
 bun run cli version
 ```
@@ -394,11 +399,11 @@ import type { DagNode, WorkflowDefinition } from '@/lib/api';
 ### Architecture Layers
 
 **Package Split:**
-- **@archon/paths**: Path resolution utilities and Pino logger factory (no @archon/* deps)
+- **@archon/paths**: Path resolution utilities, Pino logger factory, web dist cache path (`getWebDistDir`) (no @archon/* deps)
 - **@archon/git**: Git operations - worktrees, branches, repos, exec wrappers (depends only on @archon/paths)
 - **@archon/isolation**: Worktree isolation types, providers, resolver, error classifiers (depends only on @archon/git + @archon/paths)
 - **@archon/workflows**: Workflow engine - loader, router, executor, DAG, logger, bundled defaults (depends only on @archon/git + @archon/paths + @hono/zod-openapi + zod; DB/AI/config injected via `WorkflowDeps`)
-- **@archon/cli**: Command-line interface for running workflows
+- **@archon/cli**: Command-line interface for running workflows and starting the web UI server (depends on @archon/server + @archon/adapters for the serve command)
 - **@archon/core**: Business logic, database, orchestration, AI clients (provides `createWorkflowStore()` adapter bridging core DB → `IWorkflowStore`)
 - **@archon/adapters**: Platform adapters for Slack, Telegram, GitHub, Discord (depends on @archon/core)
 - **@archon/server**: OpenAPIHono HTTP server (Zod + OpenAPI spec generation via `@hono/zod-openapi`), Web adapter (SSE), API routes, Web UI static serving (depends on @archon/adapters)
@@ -530,6 +535,7 @@ curl http://localhost:3637/api/conversations/<conversationId>/messages
 │   │   ├── runs/{id}/            # Per-run artifacts ($ARTIFACTS_DIR)
 │   │   └── uploads/{convId}/     # Web UI file uploads (ephemeral)
 │   └── logs/                     # Workflow execution logs
+├── web-dist/<version>/            # Cached web UI dist (archon serve, binary only)
 ├── archon.db                     # SQLite database (when DATABASE_URL not set)
 └── config.yaml                   # Global configuration (non-secrets)
 ```

README.md

@@ -194,7 +194,7 @@ The coding agent handles workflow selection, branch naming, and worktree isolati
 
 ## Web UI
 
-Archon includes a web dashboard for chatting with your coding agent, running workflows, and monitoring activity. To start it, ask your coding agent to run the frontend from the Archon repo, or run `bun run dev` from the repo root yourself.
+Archon includes a web dashboard for chatting with your coding agent, running workflows, and monitoring activity. Binary installs: run `archon serve` to download and start the web UI in one step. From source: ask your coding agent to run the frontend from the Archon repo, or run `bun run dev` from the repo root yourself.
 
 Register a project by clicking **+** next to "Project" in the chat sidebar - enter a GitHub URL or local path. Then start a conversation, invoke workflows, and watch progress in real time.
 

packages/cli/package.json

@@ -8,14 +8,16 @@
   },
   "scripts": {
     "cli": "bun src/cli.ts",
-    "test": "bun test src/commands/version.test.ts src/commands/setup.test.ts && bun test src/commands/workflow.test.ts && bun test src/commands/isolation.test.ts && bun test src/commands/chat.test.ts",
+    "test": "bun test src/commands/version.test.ts src/commands/setup.test.ts && bun test src/commands/workflow.test.ts && bun test src/commands/isolation.test.ts && bun test src/commands/chat.test.ts && bun test src/commands/serve.test.ts",
     "type-check": "bun x tsc --noEmit"
   },
   "dependencies": {
+    "@archon/adapters": "workspace:*",
     "@archon/core": "workspace:*",
     "@archon/git": "workspace:*",
     "@archon/isolation": "workspace:*",
     "@archon/paths": "workspace:*",
+    "@archon/server": "workspace:*",
     "@archon/workflows": "workspace:*",
     "@clack/prompts": "^1.0.0",
     "dotenv": "^17.2.3"

packages/cli/src/cli.ts

@@ -78,6 +78,7 @@ import { continueCommand } from './commands/continue';
 import { chatCommand } from './commands/chat';
 import { setupCommand } from './commands/setup';
 import { validateWorkflowsCommand, validateCommandsCommand } from './commands/validate';
+import { serveCommand } from './commands/serve';
 import { closeDatabase } from '@archon/core';
 import { setLogLevel, createLogger } from '@archon/paths';
 import * as git from '@archon/git';
@@ -110,6 +111,7 @@ Commands:
   isolation cleanup --merged Remove environments with branches merged into main
   continue <branch> [msg]    Continue work on an existing worktree with prior context
   complete <branch> [...]    Complete branch lifecycle (remove worktree + branches)
+  serve                      Start the web UI server (downloads web UI on first run)
   validate workflows [name]  Validate workflow definitions and their references
   validate commands [name]   Validate command files
   version                    Show version info
@@ -130,6 +132,8 @@ Options:
   --allow-env-keys           Grant env-key consent during auto-registration
                              (bypasses the env-leak gate for this codebase;
                              logs an audit entry)
+  --port <port>              Override server port for 'serve' (default: 3090)
+  --download-only            Download web UI without starting the server
 
 Examples:
   archon chat "What does the orchestrator do?"
@@ -194,6 +198,8 @@ async function main(): Promise<number> {
         workflow: { type: 'string' },
         'no-context': { type: 'boolean' },
         'allow-env-keys': { type: 'boolean' },
+        port: { type: 'string' },
+        'download-only': { type: 'boolean' },
       },
       allowPositionals: true,
       strict: false, // Allow unknown flags to pass through
@@ -228,7 +234,7 @@ async function main(): Promise<number> {
   const subcommand = positionals[1];
 
   // Commands that don't require git repo validation
-  const noGitCommands = ['version', 'help', 'setup', 'chat', 'continue'];
+  const noGitCommands = ['version', 'help', 'setup', 'chat', 'continue', 'serve'];
   const requiresGitRepo = !noGitCommands.includes(command ?? '');
 
   try {
@@ -534,6 +540,12 @@ async function main(): Promise<number> {
         break;
       }
 
+      case 'serve': {
+        const servePort = values.port !== undefined ? Number(values.port) : undefined;
+        const downloadOnly = Boolean(values['download-only']);
+        return await serveCommand({ port: servePort, downloadOnly });
+      }
+
       default:
         if (command === undefined) {
           console.error('Missing command');

packages/cli/src/commands/serve.test.ts

@@ -0,0 +1,118 @@
+import { describe, it, expect, mock, beforeEach, afterEach, spyOn } from 'bun:test';
+
+// Mock @archon/paths BEFORE importing the module under test.
+// This sets BUNDLED_IS_BINARY = false (dev mode) so serveCommand rejects.
+const mockLogger = {
+  fatal: mock(() => undefined),
+  error: mock(() => undefined),
+  warn: mock(() => undefined),
+  info: mock(() => undefined),
+  debug: mock(() => undefined),
+  trace: mock(() => undefined),
+};
+mock.module('@archon/paths', () => ({
+  createLogger: mock(() => mockLogger),
+  getWebDistDir: mock((version: string) => `/tmp/test-archon/web-dist/${version}`),
+  BUNDLED_IS_BINARY: false,
+  BUNDLED_VERSION: 'dev',
+}));
+
+import { serveCommand, parseChecksum } from './serve';
+
+describe('parseChecksum', () => {
+  const validHash = 'a'.repeat(64);
+
+  it('should extract hash for matching filename', () => {
+    const checksums = [
+      `${'b'.repeat(64)}  archon-linux-x64`,
+      `${validHash}  archon-web.tar.gz`,
+      `${'c'.repeat(64)}  archon-darwin-arm64`,
+    ].join('\n');
+
+    expect(parseChecksum(checksums, 'archon-web.tar.gz')).toBe(validHash);
+  });
+
+  it('should handle single-space separator', () => {
+    const checksums = `${validHash} archon-web.tar.gz\n`;
+    expect(parseChecksum(checksums, 'archon-web.tar.gz')).toBe(validHash);
+  });
+
+  it('should throw for missing filename', () => {
+    const checksums = `${validHash}  archon-linux-x64\n`;
+    expect(() => parseChecksum(checksums, 'archon-web.tar.gz')).toThrow(
+      'Checksum not found for archon-web.tar.gz'
+    );
+  });
+
+  it('should throw for empty checksums text', () => {
+    expect(() => parseChecksum('', 'archon-web.tar.gz')).toThrow('Checksum not found');
+  });
+
+  it('should skip blank lines', () => {
+    const checksums = `\n${validHash}  archon-web.tar.gz\n\n`;
+    expect(parseChecksum(checksums, 'archon-web.tar.gz')).toBe(validHash);
+  });
+
+  it('should throw for malformed hash (not 64 hex chars)', () => {
+    const checksums = 'short_hash  archon-web.tar.gz\n';
+    expect(() => parseChecksum(checksums, 'archon-web.tar.gz')).toThrow(
+      'Malformed checksum entry for archon-web.tar.gz'
+    );
+  });
+
+  it('should throw for uppercase hex hash', () => {
+    const checksums = `${'A'.repeat(64)}  archon-web.tar.gz\n`;
+    expect(() => parseChecksum(checksums, 'archon-web.tar.gz')).toThrow(
+      'Malformed checksum entry for archon-web.tar.gz'
+    );
+  });
+});
+
+describe('serveCommand', () => {
+  let consoleErrorSpy: ReturnType<typeof spyOn>;
+
+  beforeEach(() => {
+    consoleErrorSpy = spyOn(console, 'error').mockImplementation(() => {});
+  });
+
+  afterEach(() => {
+    consoleErrorSpy.mockRestore();
+  });
+
+  it('should reject in dev mode (non-binary)', async () => {
+    const exitCode = await serveCommand({});
+    expect(exitCode).toBe(1);
+    expect(consoleErrorSpy).toHaveBeenCalledWith(
+      'Error: `archon serve` is for compiled binaries only.'
+    );
+  });
+
+  it('should reject with downloadOnly in dev mode', async () => {
+    const exitCode = await serveCommand({ downloadOnly: true });
+    expect(exitCode).toBe(1);
+  });
+
+  it('should reject invalid port (NaN)', async () => {
+    const exitCode = await serveCommand({ port: NaN });
+    expect(exitCode).toBe(1);
+    expect(consoleErrorSpy).toHaveBeenCalledWith(
+      expect.stringContaining('--port must be an integer between 1 and 65535')
+    );
+  });
+
+  it('should reject port out of range', async () => {
+    const exitCode = await serveCommand({ port: 99999 });
+    expect(exitCode).toBe(1);
+    expect(consoleErrorSpy).toHaveBeenCalledWith(
+      expect.stringContaining('--port must be an integer between 1 and 65535')
+    );
+  });
+
+  it('should reject port 0', async () => {
+    const exitCode = await serveCommand({ port: 0 });
+    expect(exitCode).toBe(1);
+    expect(consoleErrorSpy).toHaveBeenCalledWith(
+      expect.stringContaining('--port must be an integer between 1 and 65535')
+    );
+  });
+});