fix(arcrun): address PR #2 review findings

Security:
- init.ts: remove cf_api_token from POST /register (only email sent to arcrun.dev)
- cf-api.ts: remove base64 fallback in encryptCredential, throw clear error if key missing

Correctness:
- submitComponent.ts: replace KBDB dependency with SUBMISSIONS_KV + R2 (standalone)
- registry/types.ts: remove KBDB_URL/KBDB_INTERNAL_TOKEN, add SUBMISSIONS_KV/ANALYTICS_KV
- webhooks.ts: add waitUntil(writeExecutionVerdict) for fire-and-forget analytics
- execution-logger.ts: create missing module (was imported but didn't exist)
- cypher-executor/types.ts + wrangler.toml: add ANALYTICS_KV binding
- gmail/telegram/google_sheets/line_notify/http_request: no_network_syscall false (api category)
- init.ts: replace require() with await import() for ES module compatibility

Cleanup:
- Remove arcrun/builtins/ (dead code — initComponents used old HTTP endpoint model,
  all 21 components now in TinyGo WASM under registry/components/)

Docs:
- tasks.md: update to reflect completed work and remaining items

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cli/src/commands/init.ts

@@ -51,7 +51,7 @@ async function initStandard(rl: ReturnType<typeof createInterface>): Promise<voi
     const res = await fetch(ARCRUN_REGISTER_URL, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ email, cf_api_token: cfApiToken }),
+      body: JSON.stringify({ email }),  // CF API Token 永遠不離開本機
     });
 
     if (!res.ok) {
@@ -137,9 +137,10 @@ function createCredentialsYamlIfMissing(): void {
   // 確保 .gitignore 排除 credentials.yaml
   const gitignorePath = join(process.cwd(), '.gitignore');
   if (existsSync(gitignorePath)) {
-    const content = require('node:fs').readFileSync(gitignorePath, 'utf8');
+    const { readFileSync, appendFileSync } = await import('node:fs');
+    const content = readFileSync(gitignorePath, 'utf8');
     if (!content.includes('credentials.yaml')) {
-      require('node:fs').appendFileSync(gitignorePath, '\ncredentials.yaml\n');
+      appendFileSync(gitignorePath, '\ncredentials.yaml\n');
     }
   }
 }

cli/src/lib/cf-api.ts

@@ -77,10 +77,11 @@ export class CfKvClient {
 
 /** AES-GCM 加密 credential（與 cypher-executor credential-injector 解密邏輯對應）*/
 export async function encryptCredential(value: string, encryptionKey: string): Promise<string> {
-  // 若沒有設定 encryption key，使用 base64 作為 fallback（dev 模式）
-  if (!encryptionKey || encryptionKey.length < 32) {
-    const b64 = Buffer.from(value).toString('base64');
-    return JSON.stringify({ encrypted: b64, iv: 'dev-mode', mode: 'base64' });
+  if (!encryptionKey || encryptionKey.length < 64) {
+    throw new Error(
+      'ARCRUN_ENCRYPTION_KEY 未設定或長度不足（需要 256-bit hex，即 64 個十六進位字元）\n' +
+      '生成指令：node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'hex\'))"'
+    );
   }
 
   const keyBytes = hexToUint8Array(encryptionKey);