arcrun — AI workflow execution engine (clean history)

Self-hosted 開源：WASM 零件 + recipe + cypher-executor，跑在你自己的 Cloudflare。此為重建的乾淨歷史起點（移除曾誤 commit 的 GCP SA 金鑰，舊歷史保留在 richblack/arcrun 與本地 backup 分支）。含： - acr init --self-hosted installer（建 KV/R2 + codeload 拉預編譯 wasm + wrangler deploy + seed recipe） - recipe push 把關（資料外流提醒 + 打通檢查） - 19 個正當零件預編譯 wasm（claude_api/km_writer/kbdb_upsert_block 排除：違反 DECISIONS §1） - CLI / cypher-executor / registry / 完整 SDD Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 15:52:38 +08:00
commit 922a57fe34
485 changed files with 89356 additions and 0 deletions
@@ -0,0 +1,14 @@
+{
+  "name": "arcrun-auth-static-key",
+  "version": "1.0.0",
+  "private": true,
+  "type": "module",
+  "dependencies": {
+    "hono": "^4.7.0"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20250408.0",
+    "typescript": "^5.4.0",
+    "wrangler": "^4.0.0"
+  }
+}
@@ -0,0 +1,73 @@
+/**
+ * arcrun auth_static_key Worker
+ *
+ * POST / → JSON input {action, api_key, service} → WASM (WASI preview1 stdin/stdout) → JSON output
+ *
+ * 方案 A:直接 import cypher-executor/src/lib/wasi-shim.ts 的 shim + host function factory,
+ * 確保 AES-GCM 解密邏輯只存在於一個檔案(rule 02 §2.2)。
+ *
+ * 安全邊界:
+ *   - api_key 經 stdin 傳進 WASM,同時綁到 host function 的 kv_get 做越權檢查
+ *   - ENCRYPTION_KEY 只存在於 host function 的 closure 中,不會進入 WASM 記憶體
+ */
+
+import componentWasm from '../component.wasm' assert { type: 'webassembly' };
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import {
+  createWasiShim,
+  createArcrunHostFunctions,
+  type ArcrunHostEnv,
+} from '../../../cypher-executor/src/lib/wasi-shim';
+
+type Env = ArcrunHostEnv;
+
+const app = new Hono<{ Bindings: Env }>();
+app.use('*', cors());
+
+app.get('/', (c) => c.json({ ok: true, component: 'auth_static_key' }));
+
+app.post('/', async (c) => {
+  let input: Record<string, unknown>;
+  try {
+    input = await c.req.json();
+  } catch {
+    return c.json({ success: false, error: 'request body must be JSON' }, 400);
+  }
+
+  const apiKey = typeof input.api_key === 'string' ? input.api_key : '';
+  if (!apiKey) {
+    return c.json({ success: false, error: 'api_key 必填' }, 400);
+  }
+
+  try {
+    const result = await runWasm(c.env, apiKey, input);
+    return c.json(result);
+  } catch (e) {
+    return c.json(
+      { success: false, error: e instanceof Error ? e.message : String(e) },
+      500,
+    );
+  }
+});
+
+export default app;
+
+// ── WASM runner ──────────────────────────────────────────────────────────────
+
+async function runWasm(env: Env, apiKey: string, input: unknown): Promise<unknown> {
+  const stdinData = JSON.stringify(input);
+  const hostFunctions = createArcrunHostFunctions(env, apiKey);
+  const shim = createWasiShim(stdinData, hostFunctions);
+
+  const instance = await WebAssembly.instantiate(
+    componentWasm as WebAssembly.Module,
+    shim.imports,
+  );
+  shim.setMemory(instance.exports.memory as WebAssembly.Memory);
+  await shim.run(instance);
+
+  const stdout = shim.getStdout().trim();
+  if (!stdout) throw new Error('WASM component produced no output');
+  return JSON.parse(stdout);
+}
@@ -0,0 +1,11 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ES2022",
+    "moduleResolution": "bundler",
+    "lib": ["ES2022"],
+    "types": ["@cloudflare/workers-types"],
+    "strict": true,
+    "noEmit": true
+  }
+}
@@ -0,0 +1,24 @@
+name = "arcrun-auth-static-key"
+main = "src/index.ts"
+compatibility_date = "2025-02-19"
+compatibility_flags = ["nodejs_compat"]
+workers_dev = true
+
+[vars]
+COMPONENT_ID = "auth_static_key"
+
+[[routes]]
+pattern = "auth-static-key.arcrun.dev/*"
+zone_name = "arcrun.dev"
+
+# 與 cypher-executor/wrangler.toml 同一組 KV namespace
+[[kv_namespaces]]
+binding = "CREDENTIALS_KV"
+id = "e7f4320f88d343f187e35e3543dd74c9"
+
+[[kv_namespaces]]
+binding = "RECIPES"
+id = "9cf9db905c6241f78503199e58b2ffe0"
+
+# ENCRYPTION_KEY 透過 wrangler secret set 設定
+# wrangler secret put ENCRYPTION_KEY