feat(arcrun): implement arcrun MVP — open-source AI workflow engine
Phase 1-5 complete per .agents/specs/u6u-core-mvp/: **Phase 1 — Cherry-pick & cleanup** - Create arcrun/ from cypher-executor, credentials, builtins, registry - Remove 9 InkStone Service Bindings (KBDB, REGISTRY, CLINIC_*, AICEO, MINI_ME) - Rewrite component-loader: 3-layer (builtin → WASM_BUCKET R2 → error) - Remove autoPublishMissing.ts, proxy.ts (AICEO), execution-logger.ts (KBDB) - Clean all KV namespace IDs and InkStone internal URLs from config files **Phase 2 — contract.yaml completeness** - Add credentials_required to gmail, google_sheets, telegram, line_notify - Add config_example to all 21 components with annotated field descriptions **Phase 3 — Credential injection** - Add credential-injector.ts: AES-GCM decrypt from CREDENTIALS_KV - Integrate into GraphExecutor before WASM execution - Structured errors with repair instructions when credential missing **Phase 4 — CLI (acr)** - cli/package.json: arcrun package, bin: acr, deps: commander/js-yaml/chalk/ora - 8 commands: init, creds push, push, run, validate, parts, list, logs - Standard mode: writes directly to user's CF KV via CF REST API - acr init: interactive setup with arcrun.dev API Key registration **Phase 5 — Open source release prep** - README.md: 5-minute quickstart, component table, workflow YAML syntax - CONTRIBUTING.md: TinyGo dev env, component scaffolding, submission flow - Security audit: no InkStone internal URLs/IDs in committed files - .gitignore: exclude credentials.yaml, .wrangler, *.wasm https://claude.ai/code/session_01BnCdSLVH8tUed9VrrPavgT
This commit is contained in:
@@ -0,0 +1,79 @@
|
||||
// Preservation Tests — AES-GCM Credential Round-Trip
|
||||
// Task 2: 確認基線行為(修復前執行,預期通過)
|
||||
//
|
||||
// **Validates: Requirements 3.9**
|
||||
|
||||
import { SELF } from 'cloudflare:test';
|
||||
import { describe, it, expect } from 'vitest';
|
||||
import * as fc from 'fast-check';
|
||||
|
||||
// ─────────────────────────────────────────────────────────────────────────────
|
||||
// Property: Credential round-trip
|
||||
//
|
||||
// For all non-zero credential name/secret pairs,
|
||||
// POST /credentials → GET /credentials/:name/secret returns the same secret.
|
||||
// This validates AES-GCM encrypt → decrypt round-trip correctness.
|
||||
//
|
||||
// **Validates: Requirements 3.9**
|
||||
// ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
describe('Preservation: AES-GCM credential round-trip', () => {
|
||||
it('property: POST /credentials then GET /credentials/:name/secret returns original secret', async () => {
|
||||
// Generate non-empty name and secret pairs
|
||||
const nameArb = fc.string({ minLength: 1, maxLength: 30 }).filter(s => s.trim().length > 0);
|
||||
const secretArb = fc.string({ minLength: 1, maxLength: 100 }).filter(s => s.length > 0);
|
||||
|
||||
await fc.assert(
|
||||
fc.asyncProperty(nameArb, secretArb, async (name, secret) => {
|
||||
// Use a unique suffix to avoid collisions between runs
|
||||
const uniqueName = `${name}-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
|
||||
|
||||
// POST /credentials — store encrypted credential
|
||||
const createRes = await SELF.fetch('http://localhost/credentials', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ name: uniqueName, secret, type: 'api_key' }),
|
||||
});
|
||||
|
||||
expect(createRes.status).toBe(201);
|
||||
const created = await createRes.json() as Record<string, unknown>;
|
||||
expect(created.success).toBe(true);
|
||||
|
||||
const credId = (created.data as Record<string, unknown>).id as string;
|
||||
|
||||
// GET /credentials/:name/secret — retrieve and decrypt
|
||||
const getRes = await SELF.fetch(`http://localhost/credentials/${credId}/secret`);
|
||||
expect(getRes.status).toBe(200);
|
||||
|
||||
const retrieved = await getRes.json() as Record<string, unknown>;
|
||||
expect(retrieved.success).toBe(true);
|
||||
|
||||
// The decrypted secret must equal the original
|
||||
const retrievedSecret = (retrieved.data as Record<string, unknown>).secret as string;
|
||||
expect(retrievedSecret).toBe(secret);
|
||||
}),
|
||||
{ numRuns: 5 }
|
||||
);
|
||||
});
|
||||
|
||||
it('example: specific name/secret round-trip preserves secret', async () => {
|
||||
const name = 'preservation-test-key';
|
||||
const secret = 'my-super-secret-api-key-12345';
|
||||
|
||||
const createRes = await SELF.fetch('http://localhost/credentials', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ name, secret, type: 'bearer_token' }),
|
||||
});
|
||||
|
||||
expect(createRes.status).toBe(201);
|
||||
const created = await createRes.json() as Record<string, unknown>;
|
||||
const credId = (created.data as Record<string, unknown>).id as string;
|
||||
|
||||
const getRes = await SELF.fetch(`http://localhost/credentials/${credId}/secret`);
|
||||
expect(getRes.status).toBe(200);
|
||||
|
||||
const retrieved = await getRes.json() as Record<string, unknown>;
|
||||
expect((retrieved.data as Record<string, unknown>).secret).toBe(secret);
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user