arcrun — AI workflow execution engine (clean history)

Self-hosted 開源：WASM 零件 + recipe + cypher-executor，跑在你自己的 Cloudflare。

此為重建的乾淨歷史起點（移除曾誤 commit 的 GCP SA 金鑰，舊歷史保留在
richblack/arcrun 與本地 backup 分支）。含：
- acr init --self-hosted installer（建 KV/R2 + codeload 拉預編譯 wasm + wrangler deploy + seed recipe）
- recipe push 把關（資料外流提醒 + 打通檢查）
- 19 個正當零件預編譯 wasm（claude_api/km_writer/kbdb_upsert_block 排除：違反 DECISIONS §1）
- CLI / cypher-executor / registry / 完整 SDD

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

registry/components/auth_static_key/component.contract.yaml

@@ -0,0 +1,67 @@
+canonical_id: "auth_static_key"
+display_name: "Auth Primitive — Static Key"
+category: "auth"
+version: "v1"
+wasi_target: "preview1"
+stability: "floating"
+runtime_compat:
+  - "cf-workers"
+  - "workerd"
+  - "wazero"
+constraints:
+  max_size_kb: 2048
+  max_cold_start_ms: 50
+  no_network_syscall: true
+  no_filesystem_syscall: true
+  io_model: "stdin_stdout_json"
+input_schema:
+  type: object
+  required: [action, api_key, service]
+  properties:
+    action:
+      type: string
+      enum: [authenticate]
+      description: 目前僅支援 authenticate;static_key 無 refresh 概念
+    api_key:
+      type: string
+      description: 租戶識別(ak_ 前綴),用來組 {api_key}:cred:{name} KV key
+    service:
+      type: string
+      description: auth recipe 名稱,對應 auth_recipe:{service} 的 KV 記錄
+    request:
+      type: object
+      description: (保留)下游零件的 HTTP request 上下文;static_key 當前不使用
+output_schema:
+  type: object
+  properties:
+    success:
+      type: boolean
+    auth_headers:
+      type: object
+      additionalProperties:
+        type: string
+    auth_query:
+      type: object
+      additionalProperties:
+        type: string
+    auth_body:
+      type: object
+      additionalProperties:
+        type: string
+    runtime:
+      type: object
+      description: Static key 不使用;欄位保留以對齊其他 auth primitive
+gherkin_tests:
+  - scenario: "缺少 api_key"
+    given: '{"action":"authenticate","service":"openai"}'
+    then_contains: '{"success":false'
+  - scenario: "找不到 auth recipe"
+    given: '{"action":"authenticate","api_key":"ak_nonexistent","service":"nonexistent"}'
+    then_contains: '{"success":false'
+tags: [auth, credential, primitive, static_key]
+description: "Static key auth primitive。讀取 auth_recipe + 解密 required_secrets + 展開 {{secret.X}} 模板,回傳 auth_headers / auth_query / auth_body。涵蓋 Bearer token / API key / Basic auth / 自訂 header 等 80% 服務。透過 host function kv_get + crypto_decrypt,plaintext 永不離開 WASM。"
+config_example: |
+  auth_step:
+    component: "auth_static_key"
+    action: "authenticate"
+    service: "openai"      # 對應 auth_recipe:openai 的 KV 記錄