feat(auth): auth_static_key WASM primitive + host functions

- wasi-shim gains kv_get / crypto_decrypt / crypto_sign_rs256 host
  functions with strict boundary (ENCRYPTION_KEY never exits Worker).
- registry/components/auth_static_key: TinyGo impl for API-key /
  Bearer / Basic Auth recipes (80% of supported services).
- .component-builds/auth_static_key: independent Worker at
  auth-static-key.arcrun.dev, imports wasi-shim cross-directory.
- cypher-executor/auth-dispatcher routes static_key recipes to the
  new Worker instead of credential-injector TS.

Replaces TS credential injection per
.agents/specs/arcrun/credential-primitives-wasm Phase 1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.component-builds/auth_static_key/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "arcrun-auth-static-key",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "dependencies": {
+    "hono": "^4.7.0"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20250408.0",
+    "typescript": "^5.4.0",
+    "wrangler": "^4.0.0"
+  }
+}

.component-builds/auth_static_key/src/index.ts

@@ -0,0 +1,83 @@
+/**
+ * arcrun auth_static_key Worker
+ *
+ * POST / → JSON input {action, api_key, service} → WASM (WASI preview1 stdin/stdout) → JSON output
+ *
+ * 方案 A:直接 import cypher-executor/src/lib/wasi-shim.ts 的 shim + host function factory,
+ * 確保 AES-GCM 解密邏輯只存在於一個檔案(rule 02 §2.2)。
+ *
+ * 安全邊界:
+ *   - api_key 經 stdin 傳進 WASM,同時綁到 host function 的 kv_get 做越權檢查
+ *   - ENCRYPTION_KEY 只存在於 host function 的 closure 中,不會進入 WASM 記憶體
+ */
+
+import componentWasm from '../component.wasm' assert { type: 'webassembly' };
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import {
+  createWasiShim,
+  createArcrunHostFunctions,
+  type ArcrunHostEnv,
+} from '../../../cypher-executor/src/lib/wasi-shim';
+
+type Env = ArcrunHostEnv;
+
+const app = new Hono<{ Bindings: Env }>();
+app.use('*', cors());
+
+app.get('/', (c) => c.json({ ok: true, component: 'auth_static_key' }));
+
+app.post('/', async (c) => {
+  let input: Record<string, unknown>;
+  try {
+    input = await c.req.json();
+  } catch {
+    return c.json({ success: false, error: 'request body must be JSON' }, 400);
+  }
+
+  const apiKey = typeof input.api_key === 'string' ? input.api_key : '';
+  if (!apiKey) {
+    return c.json({ success: false, error: 'api_key 必填' }, 400);
+  }
+
+  try {
+    const result = await runWasm(c.env, apiKey, input);
+    return c.json(result);
+  } catch (e) {
+    return c.json(
+      { success: false, error: e instanceof Error ? e.message : String(e) },
+      500,
+    );
+  }
+});
+
+export default app;
+
+// ── WASM runner ──────────────────────────────────────────────────────────────
+
+async function runWasm(env: Env, apiKey: string, input: unknown): Promise<unknown> {
+  const stdinData = JSON.stringify(input);
+  const hostFunctions = createArcrunHostFunctions(env, apiKey);
+  const shim = createWasiShim(stdinData, hostFunctions);
+
+  const instance = await WebAssembly.instantiate(
+    componentWasm as WebAssembly.Module,
+    shim.imports,
+  );
+  shim.setMemory(instance.exports.memory as WebAssembly.Memory);
+
+  const start = (instance.exports._start ?? instance.exports.main) as () => void;
+  if (typeof start !== 'function') {
+    throw new Error('WASM missing _start or main export');
+  }
+
+  try {
+    start();
+  } catch (e) {
+    if (!(e instanceof Error && e.message === 'wasm exit: 0')) throw e;
+  }
+
+  const stdout = shim.getStdout().trim();
+  if (!stdout) throw new Error('WASM component produced no output');
+  return JSON.parse(stdout);
+}

.component-builds/auth_static_key/tsconfig.json

@@ -0,0 +1,11 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ES2022",
+    "moduleResolution": "bundler",
+    "lib": ["ES2022"],
+    "types": ["@cloudflare/workers-types"],
+    "strict": true,
+    "noEmit": true
+  }
+}

.component-builds/auth_static_key/wrangler.toml

@@ -0,0 +1,23 @@
+name = "arcrun-auth-static-key"
+main = "src/index.ts"
+compatibility_date = "2025-02-19"
+compatibility_flags = ["nodejs_compat"]
+
+[vars]
+COMPONENT_ID = "auth_static_key"
+
+[[routes]]
+pattern = "auth-static-key.arcrun.dev/*"
+zone_name = "arcrun.dev"
+
+# 與 cypher-executor/wrangler.toml 同一組 KV namespace
+[[kv_namespaces]]
+binding = "CREDENTIALS_KV"
+id = "e7f4320f88d343f187e35e3543dd74c9"
+
+[[kv_namespaces]]
+binding = "RECIPES"
+id = "9cf9db905c6241f78503199e58b2ffe0"
+
+# ENCRYPTION_KEY 透過 wrangler secret set 設定
+# wrangler secret put ENCRYPTION_KEY