feat(arcrun): implement arcrun MVP — open-source AI workflow engine

Phase 1-5 complete per .agents/specs/u6u-core-mvp/: **Phase 1 — Cherry-pick & cleanup** - Create arcrun/ from cypher-executor, credentials, builtins, registry - Remove 9 InkStone Service Bindings (KBDB, REGISTRY, CLINIC_*, AICEO, MINI_ME) - Rewrite component-loader: 3-layer (builtin → WASM_BUCKET R2 → error) - Remove autoPublishMissing.ts, proxy.ts (AICEO), execution-logger.ts (KBDB) - Clean all KV namespace IDs and InkStone internal URLs from config files **Phase 2 — contract.yaml completeness** - Add credentials_required to gmail, google_sheets, telegram, line_notify - Add config_example to all 21 components with annotated field descriptions **Phase 3 — Credential injection** - Add credential-injector.ts: AES-GCM decrypt from CREDENTIALS_KV - Integrate into GraphExecutor before WASM execution - Structured errors with repair instructions when credential missing **Phase 4 — CLI (acr)** - cli/package.json: arcrun package, bin: acr, deps: commander/js-yaml/chalk/ora - 8 commands: init, creds push, push, run, validate, parts, list, logs - Standard mode: writes directly to user's CF KV via CF REST API - acr init: interactive setup with arcrun.dev API Key registration **Phase 5 — Open source release prep** - README.md: 5-minute quickstart, component table, workflow YAML syntax - CONTRIBUTING.md: TinyGo dev env, component scaffolding, submission flow - Security audit: no InkStone internal URLs/IDs in committed files - .gitignore: exclude credentials.yaml, .wrangler, *.wasm https://claude.ai/code/session_01BnCdSLVH8tUed9VrrPavgT
2026-04-16 04:06:25 +00:00
commit 2707fca32b
155 changed files with 17413 additions and 0 deletions
@@ -0,0 +1,93 @@
+// 單元測試：sandboxAcceptance
+// Requirements: 2.1, 2.2
+
+import { describe, it, expect } from 'vitest';
+import { runSandboxAcceptance } from '../src/actions/sandboxAcceptance';
+import type { ComponentContract } from '../src/types';
+
+const BASE_CONTRACT: ComponentContract = {
+  canonical_id: 'validate_json',
+  display_name: 'JSON 格式驗證器',
+  category: 'logic',
+  version: 'v1',
+  wasi_target: 'preview1',
+  stability: 'floating',
+  runtime_compat: ['cf-workers', 'wazero'],
+  constraints: {
+    max_size_kb: 100,
+    max_cold_start_ms: 50,
+    no_network_syscall: true,
+    io_model: 'stdin_stdout_json',
+  },
+  input_schema: { type: 'object' },
+  output_schema: { type: 'object' },
+  gherkin_tests: [
+    { scenario: 'happy', given: '{}', then_contains: '{}' },
+    { scenario: 'error', given: '{}', then_contains: '{}' },
+  ],
+};
+
+// 建立合法的小型 WASM（最小 WASM magic + version header）
+function makeMinimalWasm(extraBytes = 0): Uint8Array {
+  const magic = [0x00, 0x61, 0x73, 0x6d]; // \0asm
+  const version = [0x01, 0x00, 0x00, 0x00];
+  const padding = new Array(extraBytes).fill(0x00);
+  return new Uint8Array([...magic, ...version, ...padding]);
+}
+
+describe('runSandboxAcceptance', () => {
+  it('合法小型 WASM 通過所有步驟', () => {
+    const wasm = makeMinimalWasm(10);
+    const result = runSandboxAcceptance(wasm, BASE_CONTRACT);
+    expect(result.success).toBe(true);
+    expect(result.component_id).toBe('validate_json');
+    expect(result.version).toBe('v1');
+  });
+
+  it('步驟 (a)：體積超過上限時失敗', () => {
+    // max_size_kb = 1，但 wasm 超過 1KB
+    const contract = { ...BASE_CONTRACT, constraints: { ...BASE_CONTRACT.constraints, max_size_kb: 1 } };
+    const wasm = makeMinimalWasm(2000); // > 1KB
+    const result = runSandboxAcceptance(wasm, contract);
+    expect(result.success).toBe(false);
+    expect(result.failed_step).toBe('size_check');
+    expect(result.reason).toContain('超過上限');
+    expect(result.guide_anchor).toBeDefined();
+    expect(result.component_id).toBe('validate_json');
+    expect(result.version).toBe('v1');
+  });
+
+  it('步驟 (c)：含禁止 syscall 時失敗', () => {
+    // 在 wasm bytes 中嵌入禁止的 syscall 字串
+    const syscallStr = 'sock_connect';
+    const encoder = new TextEncoder();
+    const syscallBytes = encoder.encode(syscallStr);
+    const wasm = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, ...syscallBytes]);
+    const result = runSandboxAcceptance(wasm, BASE_CONTRACT);
+    expect(result.success).toBe(false);
+    expect(result.failed_step).toBe('syscall_scan');
+    expect(result.reason).toContain('sock_connect');
+    expect(result.guide_anchor).toBe('#syscall-constraints');
+  });
+
+  it('步驟 (c)：含 path_open 時失敗', () => {
+    const encoder = new TextEncoder();
+    const syscallBytes = encoder.encode('path_open');
+    const wasm = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, ...syscallBytes]);
+    const result = runSandboxAcceptance(wasm, BASE_CONTRACT);
+    expect(result.success).toBe(false);
+    expect(result.failed_step).toBe('syscall_scan');
+  });
+
+  it('size_check 失敗後不執行後續步驟（含禁止 syscall 的大型 wasm）', () => {
+    // 同時違反 size_check 和 syscall_scan
+    const encoder = new TextEncoder();
+    const syscallBytes = encoder.encode('sock_connect');
+    const padding = new Uint8Array(2000); // > 1KB
+    const wasm = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, ...syscallBytes, ...padding]);
+    const contract = { ...BASE_CONTRACT, constraints: { ...BASE_CONTRACT.constraints, max_size_kb: 1 } };
+    const result = runSandboxAcceptance(wasm, contract);
+    // 應在 size_check 就停止，不到 syscall_scan
+    expect(result.failed_step).toBe('size_check');
+  });
+});
@@ -0,0 +1,113 @@
+// 單元測試：validateContract
+// Requirements: 1.1, 1.2, 11.5
+
+import { describe, it, expect } from 'vitest';
+import { validateContract } from '../src/actions/validateContract';
+
+const VALID_CONTRACT = {
+  canonical_id: 'validate_json',
+  display_name: 'JSON 格式驗證器',
+  category: 'logic',
+  version: 'v1',
+  wasi_target: 'preview1',
+  stability: 'floating',
+  runtime_compat: ['cf-workers', 'wazero'],
+  constraints: {
+    max_size_kb: 2048,
+    max_cold_start_ms: 50,
+    no_network_syscall: true,
+    io_model: 'stdin_stdout_json',
+  },
+  input_schema: { type: 'object', required: ['json_string'] },
+  output_schema: { type: 'object', properties: { valid: { type: 'boolean' } } },
+  gherkin_tests: [
+    { scenario: 'happy path', given: '{"json_string":"{}"}', then_contains: '{"valid":true}' },
+    { scenario: 'error path', given: '{"json_string":"bad"}', then_contains: '{"valid":false' },
+  ],
+};
+
+describe('validateContract', () => {
+  it('完整合約通過驗證', () => {
+    const result = validateContract(VALID_CONTRACT);
+    expect(result.valid).toBe(true);
+    expect(result.missing_fields).toHaveLength(0);
+    expect(result.errors).toHaveLength(0);
+  });
+
+  it('缺少 canonical_id 時回傳 missing_fields', () => {
+    const { canonical_id: _, ...rest } = VALID_CONTRACT;
+    const result = validateContract(rest);
+    expect(result.valid).toBe(false);
+    expect(result.missing_fields).toContain('canonical_id');
+  });
+
+  it('缺少 version 時回傳 missing_fields', () => {
+    const { version: _, ...rest } = VALID_CONTRACT;
+    const result = validateContract(rest);
+    expect(result.valid).toBe(false);
+    expect(result.missing_fields).toContain('version');
+  });
+
+  it('缺少 constraints.io_model 時驗證失敗', () => {
+    const contract = {
+      ...VALID_CONTRACT,
+      constraints: {
+        max_size_kb: 2048,
+        max_cold_start_ms: 50,
+        no_network_syscall: true,
+        // io_model 缺失
+      },
+    };
+    const result = validateContract(contract);
+    expect(result.valid).toBe(false);
+    // io_model 缺失時可能在 missing_fields 或 errors 中
+    const allIssues = [...result.missing_fields, ...result.errors];
+    expect(allIssues.some(f => f.includes('io_model'))).toBe(true);
+  });
+
+  it('gherkin_tests 少於 2 個時驗證失敗', () => {
+    const contract = {
+      ...VALID_CONTRACT,
+      gherkin_tests: [
+        { scenario: 'only one', given: '{}', then_contains: '{}' },
+      ],
+    };
+    const result = validateContract(contract);
+    expect(result.valid).toBe(false);
+  });
+
+  it('category 不在允許集合時驗證失敗', () => {
+    const contract = { ...VALID_CONTRACT, category: 'invalid_category' };
+    const result = validateContract(contract);
+    expect(result.valid).toBe(false);
+  });
+
+  it('wasi_target 不是 preview1 時驗證失敗', () => {
+    const contract = { ...VALID_CONTRACT, wasi_target: 'preview2' };
+    const result = validateContract(contract);
+    expect(result.valid).toBe(false);
+  });
+
+  it('version 格式不符時驗證失敗', () => {
+    const contract = { ...VALID_CONTRACT, version: '1.0.0' };
+    const result = validateContract(contract);
+    expect(result.valid).toBe(false);
+  });
+
+  it('canonical_id 含大寫時驗證失敗', () => {
+    const contract = { ...VALID_CONTRACT, canonical_id: 'ValidateJson' };
+    const result = validateContract(contract);
+    expect(result.valid).toBe(false);
+  });
+
+  it('空物件回傳所有必填欄位', () => {
+    const result = validateContract({});
+    expect(result.valid).toBe(false);
+    expect(result.missing_fields.length).toBeGreaterThan(0);
+  });
+
+  it('null 輸入回傳驗證失敗', () => {
+    const result = validateContract(null);
+    expect(result.valid).toBe(false);
+  });
+});