arcrun — AI workflow execution engine (clean history)
Self-hosted 開源:WASM 零件 + recipe + cypher-executor,跑在你自己的 Cloudflare。 此為重建的乾淨歷史起點(移除曾誤 commit 的 GCP SA 金鑰,舊歷史保留在 richblack/arcrun 與本地 backup 分支)。含: - acr init --self-hosted installer(建 KV/R2 + codeload 拉預編譯 wasm + wrangler deploy + seed recipe) - recipe push 把關(資料外流提醒 + 打通檢查) - 19 個正當零件預編譯 wasm(claude_api/km_writer/kbdb_upsert_block 排除:違反 DECISIONS §1) - CLI / cypher-executor / registry / 完整 SDD Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,105 @@
|
||||
/**
|
||||
* arcrun auth_service_account Worker
|
||||
*
|
||||
* POST / → JSON input {action, api_key, service} → WASM (WASI preview1 stdin/stdout) → JSON output
|
||||
*
|
||||
* 方案 A:直接 import cypher-executor/src/lib/wasi-shim.ts 的 shim + host function factory,
|
||||
* 確保 AES-GCM 解密 / RS256 sign 邏輯只存在於一個檔案(rule 02 §2.2)。
|
||||
*
|
||||
* 這個 Worker 比 auth_static_key 多一個 host function:http_request(token exchange 用)。
|
||||
* http_request 不是 crypto,不受 rule 02 §2.2 約束;在此檔內聚合提供即可。
|
||||
*
|
||||
* 安全邊界:
|
||||
* - api_key 經 stdin 傳進 WASM,同時綁到 host function 的 kv_get 做越權檢查
|
||||
* - ENCRYPTION_KEY 只存在於 host function 的 closure 中,不會進入 WASM 記憶體
|
||||
* - private key 只以 PKCS8 bytes 傳給 crypto_sign_rs256 host function,decrypt 後 plaintext 不離開 WASM
|
||||
*/
|
||||
|
||||
import componentWasm from '../component.wasm' assert { type: 'webassembly' };
|
||||
import { Hono } from 'hono';
|
||||
import { cors } from 'hono/cors';
|
||||
import {
|
||||
createWasiShim,
|
||||
createArcrunHostFunctions,
|
||||
type ArcrunHostEnv,
|
||||
type WasiHostFunctions,
|
||||
} from '../../../cypher-executor/src/lib/wasi-shim';
|
||||
|
||||
type Env = ArcrunHostEnv;
|
||||
|
||||
const app = new Hono<{ Bindings: Env }>();
|
||||
app.use('*', cors());
|
||||
|
||||
app.get('/', (c) => c.json({ ok: true, component: 'auth_service_account' }));
|
||||
|
||||
app.post('/', async (c) => {
|
||||
let input: Record<string, unknown>;
|
||||
try {
|
||||
input = await c.req.json();
|
||||
} catch {
|
||||
return c.json({ success: false, error: 'request body must be JSON' }, 400);
|
||||
}
|
||||
|
||||
const apiKey = typeof input.api_key === 'string' ? input.api_key : '';
|
||||
if (!apiKey) {
|
||||
return c.json({ success: false, error: 'api_key 必填' }, 400);
|
||||
}
|
||||
|
||||
try {
|
||||
const result = await runWasm(c.env, apiKey, input);
|
||||
return c.json(result);
|
||||
} catch (e) {
|
||||
return c.json(
|
||||
{ success: false, error: e instanceof Error ? e.message : String(e) },
|
||||
500,
|
||||
);
|
||||
}
|
||||
});
|
||||
|
||||
export default app;
|
||||
|
||||
// ── WASM runner ──────────────────────────────────────────────────────────────
|
||||
|
||||
async function runWasm(env: Env, apiKey: string, input: unknown): Promise<unknown> {
|
||||
const stdinData = JSON.stringify(input);
|
||||
const baseHost = createArcrunHostFunctions(env, apiKey);
|
||||
const hostFunctions: WasiHostFunctions = {
|
||||
...baseHost,
|
||||
http_request: async (url, method, headersJson, body) => {
|
||||
const headers: Record<string, string> = {};
|
||||
if (headersJson) {
|
||||
try {
|
||||
const parsed = JSON.parse(headersJson);
|
||||
if (parsed && typeof parsed === 'object') {
|
||||
for (const [k, v] of Object.entries(parsed as Record<string, unknown>)) {
|
||||
if (typeof v === 'string') headers[k] = v;
|
||||
}
|
||||
}
|
||||
} catch {
|
||||
// 忽略 header parse 錯誤,當作沒 header
|
||||
}
|
||||
}
|
||||
const init: RequestInit = { method, headers };
|
||||
if (body && method.toUpperCase() !== 'GET' && method.toUpperCase() !== 'HEAD') {
|
||||
init.body = body;
|
||||
}
|
||||
const res = await fetch(url, init);
|
||||
// WASM 端(main.go)直接 json.Unmarshal 回傳內容找 access_token,
|
||||
// 因此只回傳 response body 原文。非 2xx 也回原文,讓 WASM 從 {error, error_description} 判斷
|
||||
return await res.text();
|
||||
},
|
||||
};
|
||||
|
||||
const shim = createWasiShim(stdinData, hostFunctions);
|
||||
|
||||
const instance = await WebAssembly.instantiate(
|
||||
componentWasm as WebAssembly.Module,
|
||||
shim.imports,
|
||||
);
|
||||
shim.setMemory(instance.exports.memory as WebAssembly.Memory);
|
||||
await shim.run(instance);
|
||||
|
||||
const stdout = shim.getStdout().trim();
|
||||
if (!stdout) throw new Error('WASM component produced no output');
|
||||
return JSON.parse(stdout);
|
||||
}
|
||||
Reference in New Issue
Block a user