arcrun — AI workflow execution engine (clean history)

Self-hosted 開源：WASM 零件 + recipe + cypher-executor，跑在你自己的 Cloudflare。

此為重建的乾淨歷史起點（移除曾誤 commit 的 GCP SA 金鑰，舊歷史保留在
richblack/arcrun 與本地 backup 分支）。含：
- acr init --self-hosted installer（建 KV/R2 + codeload 拉預編譯 wasm + wrangler deploy + seed recipe）
- recipe push 把關（資料外流提醒 + 打通檢查）
- 19 個正當零件預編譯 wasm（claude_api/km_writer/kbdb_upsert_block 排除：違反 DECISIONS §1）
- CLI / cypher-executor / registry / 完整 SDD

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.component-builds/auth_oauth2/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "arcrun-auth-oauth2",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "dependencies": {
+    "hono": "^4.7.0"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20250408.0",
+    "typescript": "^5.4.0",
+    "wrangler": "^4.0.0"
+  }
+}

.component-builds/auth_oauth2/src/index.ts

@@ -0,0 +1,86 @@
+/**
+ * arcrun auth_oauth2 Worker
+ *
+ * POST / → JSON input {action, api_key, service} → WASM (WASI preview1 stdin/stdout) → JSON output
+ *
+ * 額外 host functions（相較 auth_static_key）：
+ *   - kv_put：快取 access_token（短效，TTL 跟隨 expires_in）
+ *   - http_request：POST token endpoint 換 access_token
+ */
+
+import componentWasm from '../component.wasm' assert { type: 'webassembly' };
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import {
+  createWasiShim,
+  createArcrunHostFunctions,
+  type ArcrunHostEnv,
+} from '../../../cypher-executor/src/lib/wasi-shim';
+
+type Env = ArcrunHostEnv;
+
+const app = new Hono<{ Bindings: Env }>();
+app.use('*', cors());
+
+app.get('/', (c) => c.json({ ok: true, component: 'auth_oauth2' }));
+
+app.post('/', async (c) => {
+  let input: Record<string, unknown>;
+  try {
+    input = await c.req.json();
+  } catch {
+    return c.json({ success: false, error: 'request body must be JSON' }, 400);
+  }
+
+  const apiKey = typeof input.api_key === 'string' ? input.api_key : '';
+  if (!apiKey) {
+    return c.json({ success: false, error: 'api_key 必填' }, 400);
+  }
+
+  try {
+    const result = await runWasm(c.env, apiKey, input);
+    return c.json(result);
+  } catch (e) {
+    return c.json(
+      { success: false, error: e instanceof Error ? e.message : String(e) },
+      500,
+    );
+  }
+});
+
+export default app;
+
+// ── WASM runner ──────────────────────────────────────────────────────────────
+
+async function runWasm(env: Env, apiKey: string, input: unknown): Promise<unknown> {
+  const stdinData = JSON.stringify(input);
+  const hostFunctions = createArcrunHostFunctions(env, apiKey);
+
+  // 加入 http_request（token endpoint 用）
+  hostFunctions.http_request = async (url, method, headersJSON, body) => {
+    const headers: Record<string, string> = {};
+    try {
+      Object.assign(headers, JSON.parse(headersJSON || '{}'));
+    } catch { /* ignore */ }
+
+    const res = await fetch(url, {
+      method,
+      headers,
+      body: body || undefined,
+    });
+    return res.text();
+  };
+
+  const shim = createWasiShim(stdinData, hostFunctions);
+
+  const instance = await WebAssembly.instantiate(
+    componentWasm as WebAssembly.Module,
+    shim.imports,
+  );
+  shim.setMemory(instance.exports.memory as WebAssembly.Memory);
+  await shim.run(instance);
+
+  const stdout = shim.getStdout().trim();
+  if (!stdout) throw new Error('WASM component produced no output');
+  return JSON.parse(stdout);
+}

.component-builds/auth_oauth2/tsconfig.json

@@ -0,0 +1,11 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ES2022",
+    "moduleResolution": "bundler",
+    "lib": ["ES2022"],
+    "types": ["@cloudflare/workers-types"],
+    "strict": true,
+    "noEmit": true
+  }
+}

.component-builds/auth_oauth2/wrangler.toml

@@ -0,0 +1,22 @@
+name = "arcrun-auth-oauth2"
+main = "src/index.ts"
+compatibility_date = "2025-02-19"
+compatibility_flags = ["nodejs_compat"]
+workers_dev = true
+
+[vars]
+COMPONENT_ID = "auth_oauth2"
+
+[[routes]]
+pattern = "auth-oauth2.arcrun.dev/*"
+zone_name = "arcrun.dev"
+
+[[kv_namespaces]]
+binding = "CREDENTIALS_KV"
+id = "e7f4320f88d343f187e35e3543dd74c9"
+
+[[kv_namespaces]]
+binding = "RECIPES"
+id = "9cf9db905c6241f78503199e58b2ffe0"
+
+# ENCRYPTION_KEY 透過 wrangler secret put 設定