Arcrun

Leo/Arcrun

Fork 0

Commit Graph

Author	SHA1	Message	Date
Leo	202a5ab8d6	feat(registry): Phase 3 零件投稿靜態把關 + component-gatekeeping SDD 新 SDD .agents/specs/component-gatekeeping/（richblack 確認，含 venue 修訂 + 信任模型）。 registry 端靜態把關（CF Worker 可跑，不執行 wasm）： - G1 detectFakeComponent: 外部 URL/domain + http_request 子集偵測，硬擋退稿指回 recipe - G3 wasmImports: 解析 wasm import section，只准 wasi_snapshot_preview1 + u6u 白名單 - G5/G6: unimplemented_steps 明列 gherkin/cold_start/runtime_compat，不假綠（§3c/§7） - gherkin_evidence 一致性驗證（投稿者本地跑，registry 不重跑——CF 禁 runtime 編譯 wasm）把關範圍：公共庫 + self-hosted 私人庫同一套（design §0.0）。信任模型（design §4.5）：Gherkin 全綠≠安全；純 WASI 沙箱框死能力才是發佈底氣；第一期 evidence 可造假（誠實標明），平台重跑列未來。 hook: pre-write-guard 白名單加 component-gatekeeping / component-registry-canon SDD 目錄。測試: sandboxAcceptance.test.ts 4 綠（含 G1 假零件被擋）。待續（同 SDD）: G4 CLI 投稿指令本地跑 Gherkin、G0 人類閘門、R5 白名單+本機 hook。 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-29 17:53:03 +08:00
Leo	8e2c32e466	feat(registry): component_hash_id — stable id system for workflow references Problem: canonical_id is readable but mutable; if a component is renamed, all workflows referencing it by canonical_id break. Solution: dual-id system - component_hash_id: cmp_{sha256(canonical_id).slice(0,8)}, derived deterministically, never changes, safe for workflow references - canonical_id: human-readable name, used for search and display - idx:{canonical_id} KV key: reverse-lookup index for resolving canonical_id → hash_id Changes: - types.ts: SandboxResult.component_id → component_hash_id + canonical_id, added 'data' to category enum - submitComponent.ts: deriveHashId(), writes idx: reverse-lookup on submit - queryComponents.ts: full rewrite — removed KBDB dependency, uses SUBMISSIONS_KV; supports both cmp_* and canonical_id as query id; Phase 0 keyword search with note to upgrade to Vectorize in Phase 2 - sandboxAcceptance.ts: updated field names, fixed TextDecoder TS type - ensureTemplate.ts: removed KBDB dependency, now a KV health check - tests: updated component_id → canonical_id - CONTRIBUTING.md: explain hash_id derivation and dual-id workflow reference syntax Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-16 14:41:22 +08:00
Claude	2707fca32b	feat(arcrun): implement arcrun MVP — open-source AI workflow engine Phase 1-5 complete per .agents/specs/u6u-core-mvp/: Phase 1 — Cherry-pick & cleanup - Create arcrun/ from cypher-executor, credentials, builtins, registry - Remove 9 InkStone Service Bindings (KBDB, REGISTRY, CLINIC_, AICEO, MINI_ME) - Rewrite component-loader: 3-layer (builtin → WASM_BUCKET R2 → error) - Remove autoPublishMissing.ts, proxy.ts (AICEO), execution-logger.ts (KBDB) - Clean all KV namespace IDs and InkStone internal URLs from config files Phase 2 — contract.yaml completeness* - Add credentials_required to gmail, google_sheets, telegram, line_notify - Add config_example to all 21 components with annotated field descriptions Phase 3 — Credential injection - Add credential-injector.ts: AES-GCM decrypt from CREDENTIALS_KV - Integrate into GraphExecutor before WASM execution - Structured errors with repair instructions when credential missing Phase 4 — CLI (acr) - cli/package.json: arcrun package, bin: acr, deps: commander/js-yaml/chalk/ora - 8 commands: init, creds push, push, run, validate, parts, list, logs - Standard mode: writes directly to user's CF KV via CF REST API - acr init: interactive setup with arcrun.dev API Key registration Phase 5 — Open source release prep - README.md: 5-minute quickstart, component table, workflow YAML syntax - CONTRIBUTING.md: TinyGo dev env, component scaffolding, submission flow - Security audit: no InkStone internal URLs/IDs in committed files - .gitignore: exclude credentials.yaml, .wrangler, *.wasm https://claude.ai/code/session_01BnCdSLVH8tUed9VrrPavgT	2026-04-16 04:06:25 +00:00

Author

SHA1

Message

Date

Leo

202a5ab8d6

feat(registry): Phase 3 零件投稿靜態把關 + component-gatekeeping SDD

新 SDD .agents/specs/component-gatekeeping/（richblack 確認，含 venue 修訂 + 信任模型）。

registry 端靜態把關（CF Worker 可跑，不執行 wasm）：
- G1 detectFakeComponent: 外部 URL/domain + http_request 子集偵測，硬擋退稿指回 recipe
- G3 wasmImports: 解析 wasm import section，只准 wasi_snapshot_preview1 + u6u 白名單
- G5/G6: unimplemented_steps 明列 gherkin/cold_start/runtime_compat，不假綠（§3c/§7）
- gherkin_evidence 一致性驗證（投稿者本地跑，registry 不重跑——CF 禁 runtime 編譯 wasm）

把關範圍：公共庫 + self-hosted 私人庫同一套（design §0.0）。
信任模型（design §4.5）：Gherkin 全綠≠安全；純 WASI 沙箱框死能力才是發佈底氣；
第一期 evidence 可造假（誠實標明），平台重跑列未來。

hook: pre-write-guard 白名單加 component-gatekeeping / component-registry-canon SDD 目錄。

測試: sandboxAcceptance.test.ts 4 綠（含 G1 假零件被擋）。

待續（同 SDD）: G4 CLI 投稿指令本地跑 Gherkin、G0 人類閘門、R5 白名單+本機 hook。

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-05-29 17:53:03 +08:00

Leo

8e2c32e466

feat(registry): component_hash_id — stable id system for workflow references

Problem: canonical_id is readable but mutable; if a component is renamed,
all workflows referencing it by canonical_id break.

Solution: dual-id system
- component_hash_id: cmp_{sha256(canonical_id).slice(0,8)}, derived deterministically,
  never changes, safe for workflow references
- canonical_id: human-readable name, used for search and display
- idx:{canonical_id} KV key: reverse-lookup index for resolving canonical_id → hash_id

Changes:
- types.ts: SandboxResult.component_id → component_hash_id + canonical_id,
  added 'data' to category enum
- submitComponent.ts: deriveHashId(), writes idx: reverse-lookup on submit
- queryComponents.ts: full rewrite — removed KBDB dependency, uses SUBMISSIONS_KV;
  supports both cmp_* and canonical_id as query id; Phase 0 keyword search
  with note to upgrade to Vectorize in Phase 2
- sandboxAcceptance.ts: updated field names, fixed TextDecoder TS type
- ensureTemplate.ts: removed KBDB dependency, now a KV health check
- tests: updated component_id → canonical_id
- CONTRIBUTING.md: explain hash_id derivation and dual-id workflow reference syntax

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-16 14:41:22 +08:00

Claude

2707fca32b

feat(arcrun): implement arcrun MVP — open-source AI workflow engine

Phase 1-5 complete per .agents/specs/u6u-core-mvp/:

**Phase 1 — Cherry-pick & cleanup**
- Create arcrun/ from cypher-executor, credentials, builtins, registry
- Remove 9 InkStone Service Bindings (KBDB, REGISTRY, CLINIC_*, AICEO, MINI_ME)
- Rewrite component-loader: 3-layer (builtin → WASM_BUCKET R2 → error)
- Remove autoPublishMissing.ts, proxy.ts (AICEO), execution-logger.ts (KBDB)
- Clean all KV namespace IDs and InkStone internal URLs from config files

**Phase 2 — contract.yaml completeness**
- Add credentials_required to gmail, google_sheets, telegram, line_notify
- Add config_example to all 21 components with annotated field descriptions

**Phase 3 — Credential injection**
- Add credential-injector.ts: AES-GCM decrypt from CREDENTIALS_KV
- Integrate into GraphExecutor before WASM execution
- Structured errors with repair instructions when credential missing

**Phase 4 — CLI (acr)**
- cli/package.json: arcrun package, bin: acr, deps: commander/js-yaml/chalk/ora
- 8 commands: init, creds push, push, run, validate, parts, list, logs
- Standard mode: writes directly to user's CF KV via CF REST API
- acr init: interactive setup with arcrun.dev API Key registration

**Phase 5 — Open source release prep**
- README.md: 5-minute quickstart, component table, workflow YAML syntax
- CONTRIBUTING.md: TinyGo dev env, component scaffolding, submission flow
- Security audit: no InkStone internal URLs/IDs in committed files
- .gitignore: exclude credentials.yaml, .wrangler, *.wasm

https://claude.ai/code/session_01BnCdSLVH8tUed9VrrPavgT

2026-04-16 04:06:25 +00:00

3 Commits