feat(arcrun): mira wiki page with tag filter + accumulated WIP

- landing/app/mira/wiki: tag=mira-wiki list now shows all wiki paragraphs
  (depends on KBDB tag filter exposed in matrix/kbdb commit, separate repo)
- landing: app/mira hub + feed split + various WIP from prior sessions
- registry/components: claude_api / kbdb_create_block / kbdb_get / km_writer /
  platform_crypto / auth_oauth2 contracts + main.go (accumulated)
- .component-builds: pkg-lock updates + index.ts adjustments (WIP)
- .agents/specs/arcrun/frontend-redesign: design notes
- docs/test_credentials, docs/user_requirements/arcrun-landing-page: WIP docs
- cypher-executor: auth-dispatcher / wasi-shim adjustments (WIP)

Includes accumulated work from prior sessions plus the wiki UI tag-filter
update that surfaces the AI-generated wiki paragraphs at /mira/wiki.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
2026-05-07 16:52:01 +08:00
parent e8fca33f80
commit 519423cb0d
127 changed files with 23909 additions and 264 deletions
@@ -0,0 +1,80 @@
canonical_id: "auth_oauth2"
display_name: "Auth Primitive — OAuth2"
category: "auth"
version: "v1"
wasi_target: "preview1"
stability: "floating"
runtime_compat:
- "cf-workers"
- "workerd"
- "wazero"
constraints:
max_size_kb: 2048
max_cold_start_ms: 200
no_network_syscall: false
no_filesystem_syscall: true
io_model: "stdin_stdout_json"
input_schema:
type: object
required: [action, api_key, service]
properties:
action:
type: string
enum: [authenticate, needs_refresh, refresh]
description: |
authenticate — 用 refresh_token 換 access_token,展開 inject 模板
needs_refresh — 檢查 token 是否需要 refreshexpires_at < now+300s
refresh — 強制重新 refresh,更新 CREDENTIALS_KV 中的 access_token/expires_at
api_key:
type: string
description: 租戶識別(ak_ 前綴),用來組 {api_key}:cred:{name} KV key
service:
type: string
description: auth recipe 名稱,對應 auth_recipe:{service} 的 KV 記錄
request:
type: object
description: 下游零件的 HTTP request 上下文(保留,auth_oauth2 當前不使用)
output_schema:
type: object
properties:
success:
type: boolean
needs_refresh:
type: boolean
description: action=needs_refresh 時有效
auth_headers:
type: object
additionalProperties:
type: string
auth_query:
type: object
additionalProperties:
type: string
auth_body:
type: object
additionalProperties:
type: string
runtime:
type: object
description: 含 access_tokenaction=authenticate/refresh 時有效)
gherkin_tests:
- scenario: "缺少 api_key"
given: '{"action":"authenticate","service":"google"}'
then_contains: '{"success":false'
- scenario: "找不到 auth recipe"
given: '{"action":"authenticate","api_key":"ak_test","service":"nonexistent_oauth2_svc"}'
then_contains: '{"success":false'
- scenario: "needs_refresh 無 expires_at"
given: '{"action":"needs_refresh","api_key":"ak_test","service":"google"}'
then_contains: '"needs_refresh":true'
tags: [auth, credential, primitive, oauth2]
description: |
OAuth2 auth primitive。讀取 auth_recipe(含 token_endpoint、client_id、client_secret
+ 解密 refresh_token + 呼叫 token endpoint 換 access_token + 展開 {{runtime.access_token}}。
支援 authenticate / needs_refresh / refresh 三個 action。
透過 host function kv_get + crypto_decrypt + http_requestplaintext 永不離開 WASM。
config_example: |
auth_step:
component: "auth_oauth2"
action: "authenticate"
service: "google_drive" # 對應 auth_recipe:google_drive 的 KV 記錄