Leo
17a076d35c
feat(arcrun): Phase 2 降級假零件成 recipe + credential 鏈路修復
...
Phase 1(credential 注入鏈路):
- 修 auth_static_key ENCRYPTION_KEY 漂移根因(見 docs/incidents)
- component-loader: readBodyOnce() 修 "Body has already been used"
Phase 2(降級假零件成 recipe,registry/components 33→22):
- 引擎: RecipeDefinition 加 auth_service(多 recipe 共用一把 auth)
auth-dispatcher 先查 recipe.auth_service 再 fallback componentId
- 引擎: auth_static_key inject.path + makeRecipeRunner {{auth.K}}
(endpoint 可插 secret,解 telegram 類 URL-path token)
- 引擎: makeRecipeRunner auto-body 剔除 _ 前綴內部欄位
- 降級並刪除: kbdb_{get,create_block,patch_block,delete,ingest}
gmail/telegram/line_notify/google_sheets(改建為 recipe)
- 刪除: ai_transform_{compile,run}(Arcrun 是 AI 呼叫的工具,
工作流不該內嵌 AI 節點回頭呼叫 AI)
- deferred(源碼暫留): claude_api/km_writer(交 Mira 收成工作流)、
kbdb_upsert_block(交 KBDB 出 upsert endpoint)
文件: DECISIONS.md(工作流是 default/建零件人類閘門/AI→工具)、
BACKLOG.md、auth-recipe.md §七、docs/incidents 加密 key 漂移
驗收: KBDB get/create/ingest/delete 2xx;telegram auth 注入綠;
gmail/sheets/line recipe 正確但缺 credential 未驗收;
kbdb patch 403 為 KBDB 端 bug(已交 kbdb/docs)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com >
2026-05-29 16:18:18 +08:00
Leo
475c95aaae
feat(kbdb_upsert_block): add create_only flag ( #2 stub support)
...
leo 反饋 2026-05-17:「至少建一個 placeholder 給未來累積」
但 upsert 預設 PATCH 既有會把完整 wiki 覆寫成 stub。
新 input field:create_only (bool, default false)
- false (預設):既有 → PATCH (傳統 upsert 行為)
- true:既有 → return action='exists' 不動,避免 stub 覆寫 full wiki
用於 wiki_synthesis V3.1 referenced_entities → ensure_stub_wiki_page 場景。
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-17 11:07:31 +08:00
Leo
bc6360ccfc
feat(arcrun): http_request body_json + error heuristic; mira feed fire-and-forget
...
http_request 零件擴展(registry/components/http_request):
- 加 body_json 物件欄位(內部 JSON.stringify),yaml 端不用手組 JSON 字串
- 新增 JSON 回應的 error 欄位偵測 → 若 body 含 `{"error":"..."}` 則零件回 success=false
解 cascade bug:mira_feed_watcher 用 http_request trigger wiki_synthesis,
原本 4xx response 也被當 success,ON_SUCCESS 鏈會誤觸發
根因架構債:host fn 沒回 HTTP status code(arcrun.md 列為 P1 follow-up)
landing 河道 feed (landing/app/mira/feed/page.tsx):
- 加回 triggerWikiSynthesis fire-and-forget 對 cypher.arcrun.dev/webhooks/named/
wiki_synthesis/trigger 公開觸發 endpoint(arcrun-native,非 mira-specific route)
- 不走 watcher 是因為 cypher-executor 自己 fetch 自己 workers.dev URL = CF 1042
self-fetch 擋
watcher 仍存在當 cron backup,但目前因 self-fetch 1042 不會真正觸發下游
wiki_synthesis(arcrun.md 列為 P1 follow-up)。
2026-05-14 16:06:46 +08:00
Leo
711af5dbf2
feat(arcrun): kbdb_get 加 type/source/user_id filter
...
之前只支援 block_id / page_name,撈「source=km-writer-direct 的 note」這類
跨 page 查詢做不到。Wiki UI 7B.3g 跟 mira_feed_watcher 都要用 client-side
filter 繞,違反「邊用 arcrun 邊修」原則。
擴 contract:保留既有 block_id (mode A) + page_name (mode B),新增純 filter
mode C:type / source / user_id 任意組合。同時 page_name + filter 也允許組合。
驗證:source=km-writer-direct&type=note&limit=5 撈到 leo 5 筆未處理河道貼文。
對應 SDD: arcrun.md 三-B 新零件 checklist + tasks.md 7B.3h(mira_feed_watcher
正在組)。
2026-05-14 14:18:43 +08:00
Leo
4e746986b4
feat(arcrun): add kbdb_upsert_block component for idempotent block writes
...
對應 mira 7B.3f:per-entity index-entry 維護需要「找有則 PATCH 沒找到 POST」,
arcrun workflow 沒 IF/branch 能力(已知限制 #1 + 新 P1 #1),用 kbdb_upsert_block
零件把分支邏輯封進零件內:GET /blocks?page_name=X → user_id filter → 找到 PATCH 沒找到 POST。
page_name 當 idempotency key,未來其他「找有則改沒則建」場景共用。
SDD:polaris/mira/.agents/specs/mira-app/design.md §3.5.12.4.1
matrix/arcrun/.agents/specs/arcrun/arcrun.md 三-A P1 #1 + 三-B 新零件加入紀錄
2026-05-14 10:18:21 +08:00
Leo
519423cb0d
feat(arcrun): mira wiki page with tag filter + accumulated WIP
...
- landing/app/mira/wiki: tag=mira-wiki list now shows all wiki paragraphs
(depends on KBDB tag filter exposed in matrix/kbdb commit, separate repo)
- landing: app/mira hub + feed split + various WIP from prior sessions
- registry/components: claude_api / kbdb_create_block / kbdb_get / km_writer /
platform_crypto / auth_oauth2 contracts + main.go (accumulated)
- .component-builds: pkg-lock updates + index.ts adjustments (WIP)
- .agents/specs/arcrun/frontend-redesign: design notes
- docs/test_credentials, docs/user_requirements/arcrun-landing-page: WIP docs
- cypher-executor: auth-dispatcher / wasi-shim adjustments (WIP)
Includes accumulated work from prior sessions plus the wiki UI tag-filter
update that surfaces the AI-generated wiki paragraphs at /mira/wiki.
🤖 Generated with [Claude Code](https://claude.com/claude-code )
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-07 16:52:01 +08:00
Leo
497f92a268
feat(arcrun): recipe system + resumable workflow + component registry canon
...
Three new platform capabilities + one component (kbdb_get) to enable
real AI workflow execution through cypher binding YAML.
## Recipe System (容器 + Recipe 模式)
SDD: .agents/specs/recipe-system/
- prompt_recipe schema (Zod): fragments + inputs + assembly + output
- recipe-expander.ts: expand recipe ref → real prompt by fetching KBDB blocks
+ pulling context fields with transforms (pluck_content / extract_field / etc)
- 7 transform whitelist: json_array / to_string / join / markdown_list /
extract_field / first / pluck_content
- graph-executor hooks: detect node.data.recipe → expand → inject into ctx
- output JSON parser (with markdown fence stripping for Claude-wrapped JSON)
- Stored in RECIPES KV under prompt_recipe:{name}
## Resumable Workflow (webhook callback resume)
SDD: .agents/specs/resumable-workflow/
- WorkflowPaused class + paused-runs.ts (persist/load/consume in EXEC_CONTEXT KV, 24h TTL)
- graph-executor: detect {pending:true, task_id} → persist state → throw WorkflowPaused
- cypher-handlers: catch → return {success:true, paused:true, task_id, run_id}
- POST /workflows/resume route: consume KV state → resumeFromPaused()
- Auto-inject callback_url for claude_api nodes (PUBLIC_BASE_URL or default cypher.arcrun.dev)
- claude_api/main.go: forward callback_url to Mira daemon, default timeout 25s→120s
- Idempotent (consume = load+delete)
## Component Registry Canon
SDD: .agents/specs/component-registry-canon/
- Add POST /components/index-only endpoint (metadata-only, no wasm/sandbox)
- Backfill script (mjs): scan registry/components/*/contract.yaml → submit to KV
- register-component.sh: SSOT for local + CI hook (deploy.yml change in next commit)
- Drop R2 dead storage from submitComponent + types + wrangler
- Schema relaxed: category enum + auth/ai/platform; cold_start 50→500ms; size 2→8MB
## kbdb_get component
- registry/components/kbdb_get/: TinyGo WASM, two modes (block_id / page_name list)
- .component-builds/kbdb_get/: WASI shim worker (kbdb-get.arcrun.dev)
End-to-end validation: AI uses MCP execute_workflow with recipe ref →
cypher-executor expands prompt from KBDB schema/skill blocks + drafts →
claude_api calls Mira daemon → daemon callback fires resume route →
workflow continues. Verified with real 2KB+ Karpathy LLM Wiki draft.
🤖 Generated with [Claude Code](https://claude.com/claude-code )
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-05-07 15:52:19 +08:00
Leo
83a01fe028
feat(auth_static_key): auto-encode Basic Auth; seed gemini/trello/mailgun recipes
...
- auth_static_key WASM: 偵測 Authorization header "Basic <x>:<y>" (含冒號
的 user:pass 原文), 自動 base64 編碼; 無冒號則維持原樣 (向後相容
已 base64 過的值).
這涵蓋 twilio / jira / mailgun 三個 Basic Auth recipe, 用戶 recipe
只需寫 'Basic {{secret.user}}:{{secret.key}}' 直覺語法.
- 新增 3 個 recipe (auth-recipe-seeds.ts):
• gemini — static_key / header x-goog-api-key (單 secret)
• trello — static_key / QUERY key+token (雙 secret, 第一個 query
injection 測試覆蓋)
• mailgun — static_key / HEADER Basic api:<key> (雙 secret Basic Auth)
- hook fix (pre-write-guard.sh): 放行 auth-recipe-seeds.ts 的 {{secret.X}}
字面值. 該檔是 RECIPES KV 的 seed 資料, 不是 TS 展開邏輯;
真正展開仍在 WASM 完成.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-22 08:29:02 +08:00
Leo
8c14562a2f
feat(auth): auth_service_account WASM primitive + remove TS JWT signer
...
- registry/components/auth_service_account: TinyGo impl for Google
Service Account (JWT-bearer → token exchange) and base structure
for AWS SigV4.
- .component-builds/auth_service_account: independent Worker at
auth-service-account.arcrun.dev, extends wasi-shim with an
http_request host function for the token exchange step.
- Delete cypher-executor/src/lib/wasm-executor.ts (legacy, replaced
by component-loader WASM HTTP runner path).
- credential-injector.ts service_account branch now throws — all
service_account recipes must route through auth-dispatcher.
Per .agents/specs/arcrun/credential-primitives-wasm Phase 2.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-20 17:34:42 +08:00
Leo
18f04448ce
feat(auth): auth_static_key WASM primitive + host functions
...
- wasi-shim gains kv_get / crypto_decrypt / crypto_sign_rs256 host
functions with strict boundary (ENCRYPTION_KEY never exits Worker).
- registry/components/auth_static_key: TinyGo impl for API-key /
Bearer / Basic Auth recipes (80% of supported services).
- .component-builds/auth_static_key: independent Worker at
auth-static-key.arcrun.dev, imports wasi-shim cross-directory.
- cypher-executor/auth-dispatcher routes static_key recipes to the
new Worker instead of credential-injector TS.
Replaces TS credential injection per
.agents/specs/arcrun/credential-primitives-wasm Phase 1.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com >
2026-04-20 16:54:18 +08:00
Leo
e630fca2df
fix(arcrun): address PR #2 review findings
...
Security:
- init.ts: remove cf_api_token from POST /register (only email sent to arcrun.dev)
- cf-api.ts: remove base64 fallback in encryptCredential, throw clear error if key missing
Correctness:
- submitComponent.ts: replace KBDB dependency with SUBMISSIONS_KV + R2 (standalone)
- registry/types.ts: remove KBDB_URL/KBDB_INTERNAL_TOKEN, add SUBMISSIONS_KV/ANALYTICS_KV
- webhooks.ts: add waitUntil(writeExecutionVerdict) for fire-and-forget analytics
- execution-logger.ts: create missing module (was imported but didn't exist)
- cypher-executor/types.ts + wrangler.toml: add ANALYTICS_KV binding
- gmail/telegram/google_sheets/line_notify/http_request: no_network_syscall false (api category)
- init.ts: replace require() with await import() for ES module compatibility
Cleanup:
- Remove arcrun/builtins/ (dead code — initComponents used old HTTP endpoint model,
all 21 components now in TinyGo WASM under registry/components/)
Docs:
- tasks.md: update to reflect completed work and remaining items
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-04-16 13:07:28 +08:00
2707fca32b
feat(arcrun): implement arcrun MVP — open-source AI workflow engine
...
Phase 1-5 complete per .agents/specs/u6u-core-mvp/:
**Phase 1 — Cherry-pick & cleanup**
- Create arcrun/ from cypher-executor, credentials, builtins, registry
- Remove 9 InkStone Service Bindings (KBDB, REGISTRY, CLINIC_*, AICEO, MINI_ME)
- Rewrite component-loader: 3-layer (builtin → WASM_BUCKET R2 → error)
- Remove autoPublishMissing.ts, proxy.ts (AICEO), execution-logger.ts (KBDB)
- Clean all KV namespace IDs and InkStone internal URLs from config files
**Phase 2 — contract.yaml completeness**
- Add credentials_required to gmail, google_sheets, telegram, line_notify
- Add config_example to all 21 components with annotated field descriptions
**Phase 3 — Credential injection**
- Add credential-injector.ts: AES-GCM decrypt from CREDENTIALS_KV
- Integrate into GraphExecutor before WASM execution
- Structured errors with repair instructions when credential missing
**Phase 4 — CLI (acr)**
- cli/package.json: arcrun package, bin: acr, deps: commander/js-yaml/chalk/ora
- 8 commands: init, creds push, push, run, validate, parts, list, logs
- Standard mode: writes directly to user's CF KV via CF REST API
- acr init: interactive setup with arcrun.dev API Key registration
**Phase 5 — Open source release prep**
- README.md: 5-minute quickstart, component table, workflow YAML syntax
- CONTRIBUTING.md: TinyGo dev env, component scaffolding, submission flow
- Security audit: no InkStone internal URLs/IDs in committed files
- .gitignore: exclude credentials.yaml, .wrangler, *.wasm
https://claude.ai/code/session_01BnCdSLVH8tUed9VrrPavgT
2026-04-16 04:06:25 +00:00
Leo
Claude