feat(arcrun): mira wiki page with tag filter + accumulated WIP

- landing/app/mira/wiki: tag=mira-wiki list now shows all wiki paragraphs
  (depends on KBDB tag filter exposed in matrix/kbdb commit, separate repo)
- landing: app/mira hub + feed split + various WIP from prior sessions
- registry/components: claude_api / kbdb_create_block / kbdb_get / km_writer /
  platform_crypto / auth_oauth2 contracts + main.go (accumulated)
- .component-builds: pkg-lock updates + index.ts adjustments (WIP)
- .agents/specs/arcrun/frontend-redesign: design notes
- docs/test_credentials, docs/user_requirements/arcrun-landing-page: WIP docs
- cypher-executor: auth-dispatcher / wasi-shim adjustments (WIP)

Includes accumulated work from prior sessions plus the wiki UI tag-filter
update that surfaces the AI-generated wiki paragraphs at /mira/wiki.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.component-builds/auth_oauth2/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "arcrun-auth-oauth2",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "dependencies": {
+    "hono": "^4.7.0"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20250408.0",
+    "typescript": "^5.4.0",
+    "wrangler": "^4.0.0"
+  }
+}

.component-builds/auth_oauth2/src/index.ts

@@ -0,0 +1,86 @@
+/**
+ * arcrun auth_oauth2 Worker
+ *
+ * POST / → JSON input {action, api_key, service} → WASM (WASI preview1 stdin/stdout) → JSON output
+ *
+ * 額外 host functions（相較 auth_static_key）：
+ *   - kv_put：快取 access_token（短效，TTL 跟隨 expires_in）
+ *   - http_request：POST token endpoint 換 access_token
+ */
+
+import componentWasm from '../component.wasm' assert { type: 'webassembly' };
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import {
+  createWasiShim,
+  createArcrunHostFunctions,
+  type ArcrunHostEnv,
+} from '../../../cypher-executor/src/lib/wasi-shim';
+
+type Env = ArcrunHostEnv;
+
+const app = new Hono<{ Bindings: Env }>();
+app.use('*', cors());
+
+app.get('/', (c) => c.json({ ok: true, component: 'auth_oauth2' }));
+
+app.post('/', async (c) => {
+  let input: Record<string, unknown>;
+  try {
+    input = await c.req.json();
+  } catch {
+    return c.json({ success: false, error: 'request body must be JSON' }, 400);
+  }
+
+  const apiKey = typeof input.api_key === 'string' ? input.api_key : '';
+  if (!apiKey) {
+    return c.json({ success: false, error: 'api_key 必填' }, 400);
+  }
+
+  try {
+    const result = await runWasm(c.env, apiKey, input);
+    return c.json(result);
+  } catch (e) {
+    return c.json(
+      { success: false, error: e instanceof Error ? e.message : String(e) },
+      500,
+    );
+  }
+});
+
+export default app;
+
+// ── WASM runner ──────────────────────────────────────────────────────────────
+
+async function runWasm(env: Env, apiKey: string, input: unknown): Promise<unknown> {
+  const stdinData = JSON.stringify(input);
+  const hostFunctions = createArcrunHostFunctions(env, apiKey);
+
+  // 加入 http_request（token endpoint 用）
+  hostFunctions.http_request = async (url, method, headersJSON, body) => {
+    const headers: Record<string, string> = {};
+    try {
+      Object.assign(headers, JSON.parse(headersJSON || '{}'));
+    } catch { /* ignore */ }
+
+    const res = await fetch(url, {
+      method,
+      headers,
+      body: body || undefined,
+    });
+    return res.text();
+  };
+
+  const shim = createWasiShim(stdinData, hostFunctions);
+
+  const instance = await WebAssembly.instantiate(
+    componentWasm as WebAssembly.Module,
+    shim.imports,
+  );
+  shim.setMemory(instance.exports.memory as WebAssembly.Memory);
+  await shim.run(instance);
+
+  const stdout = shim.getStdout().trim();
+  if (!stdout) throw new Error('WASM component produced no output');
+  return JSON.parse(stdout);
+}

.component-builds/auth_oauth2/tsconfig.json

@@ -0,0 +1,11 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ES2022",
+    "moduleResolution": "bundler",
+    "lib": ["ES2022"],
+    "types": ["@cloudflare/workers-types"],
+    "strict": true,
+    "noEmit": true
+  }
+}

.component-builds/auth_oauth2/wrangler.toml

@@ -0,0 +1,21 @@
+name = "arcrun-auth-oauth2"
+main = "src/index.ts"
+compatibility_date = "2025-02-19"
+compatibility_flags = ["nodejs_compat"]
+
+[vars]
+COMPONENT_ID = "auth_oauth2"
+
+[[routes]]
+pattern = "auth-oauth2.arcrun.dev/*"
+zone_name = "arcrun.dev"
+
+[[kv_namespaces]]
+binding = "CREDENTIALS_KV"
+id = "e7f4320f88d343f187e35e3543dd74c9"
+
+[[kv_namespaces]]
+binding = "RECIPES"
+id = "9cf9db905c6241f78503199e58b2ffe0"
+
+# ENCRYPTION_KEY 透過 wrangler secret put 設定