fix(arcrun): address PR #2 review findings

Security:
- init.ts: remove cf_api_token from POST /register (only email sent to arcrun.dev)
- cf-api.ts: remove base64 fallback in encryptCredential, throw clear error if key missing

Correctness:
- submitComponent.ts: replace KBDB dependency with SUBMISSIONS_KV + R2 (standalone)
- registry/types.ts: remove KBDB_URL/KBDB_INTERNAL_TOKEN, add SUBMISSIONS_KV/ANALYTICS_KV
- webhooks.ts: add waitUntil(writeExecutionVerdict) for fire-and-forget analytics
- execution-logger.ts: create missing module (was imported but didn't exist)
- cypher-executor/types.ts + wrangler.toml: add ANALYTICS_KV binding
- gmail/telegram/google_sheets/line_notify/http_request: no_network_syscall false (api category)
- init.ts: replace require() with await import() for ES module compatibility

Cleanup:
- Remove arcrun/builtins/ (dead code — initComponents used old HTTP endpoint model,
  all 21 components now in TinyGo WASM under registry/components/)

Docs:
- tasks.md: update to reflect completed work and remaining items

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-04-16 13:07:28 +08:00
parent 2707fca32b
commit e630fca2df
20 changed files with 123 additions and 392 deletions
+5 -4
View File
@@ -77,10 +77,11 @@ export class CfKvClient {
/** AES-GCM 加密 credential(與 cypher-executor credential-injector 解密邏輯對應)*/
export async function encryptCredential(value: string, encryptionKey: string): Promise<string> {
// 若沒有設定 encryption key,使用 base64 作為 fallbackdev 模式)
if (!encryptionKey || encryptionKey.length < 32) {
const b64 = Buffer.from(value).toString('base64');
return JSON.stringify({ encrypted: b64, iv: 'dev-mode', mode: 'base64' });
if (!encryptionKey || encryptionKey.length < 64) {
throw new Error(
'ARCRUN_ENCRYPTION_KEY 未設定或長度不足(需要 256-bit hex,即 64 個十六進位字元)\n' +
'生成指令:node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'hex\'))"'
);
}
const keyBytes = hexToUint8Array(encryptionKey);