922a57fe34
Self-hosted 開源:WASM 零件 + recipe + cypher-executor,跑在你自己的 Cloudflare。 此為重建的乾淨歷史起點(移除曾誤 commit 的 GCP SA 金鑰,舊歷史保留在 richblack/arcrun 與本地 backup 分支)。含: - acr init --self-hosted installer(建 KV/R2 + codeload 拉預編譯 wasm + wrangler deploy + seed recipe) - recipe push 把關(資料外流提醒 + 打通檢查) - 19 個正當零件預編譯 wasm(claude_api/km_writer/kbdb_upsert_block 排除:違反 DECISIONS §1) - CLI / cypher-executor / registry / 完整 SDD Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
106 lines
3.7 KiB
TypeScript
106 lines
3.7 KiB
TypeScript
/**
|
|
* arcrun auth_service_account Worker
|
|
*
|
|
* POST / → JSON input {action, api_key, service} → WASM (WASI preview1 stdin/stdout) → JSON output
|
|
*
|
|
* 方案 A:直接 import cypher-executor/src/lib/wasi-shim.ts 的 shim + host function factory,
|
|
* 確保 AES-GCM 解密 / RS256 sign 邏輯只存在於一個檔案(rule 02 §2.2)。
|
|
*
|
|
* 這個 Worker 比 auth_static_key 多一個 host function:http_request(token exchange 用)。
|
|
* http_request 不是 crypto,不受 rule 02 §2.2 約束;在此檔內聚合提供即可。
|
|
*
|
|
* 安全邊界:
|
|
* - api_key 經 stdin 傳進 WASM,同時綁到 host function 的 kv_get 做越權檢查
|
|
* - ENCRYPTION_KEY 只存在於 host function 的 closure 中,不會進入 WASM 記憶體
|
|
* - private key 只以 PKCS8 bytes 傳給 crypto_sign_rs256 host function,decrypt 後 plaintext 不離開 WASM
|
|
*/
|
|
|
|
import componentWasm from '../component.wasm' assert { type: 'webassembly' };
|
|
import { Hono } from 'hono';
|
|
import { cors } from 'hono/cors';
|
|
import {
|
|
createWasiShim,
|
|
createArcrunHostFunctions,
|
|
type ArcrunHostEnv,
|
|
type WasiHostFunctions,
|
|
} from '../../../cypher-executor/src/lib/wasi-shim';
|
|
|
|
type Env = ArcrunHostEnv;
|
|
|
|
const app = new Hono<{ Bindings: Env }>();
|
|
app.use('*', cors());
|
|
|
|
app.get('/', (c) => c.json({ ok: true, component: 'auth_service_account' }));
|
|
|
|
app.post('/', async (c) => {
|
|
let input: Record<string, unknown>;
|
|
try {
|
|
input = await c.req.json();
|
|
} catch {
|
|
return c.json({ success: false, error: 'request body must be JSON' }, 400);
|
|
}
|
|
|
|
const apiKey = typeof input.api_key === 'string' ? input.api_key : '';
|
|
if (!apiKey) {
|
|
return c.json({ success: false, error: 'api_key 必填' }, 400);
|
|
}
|
|
|
|
try {
|
|
const result = await runWasm(c.env, apiKey, input);
|
|
return c.json(result);
|
|
} catch (e) {
|
|
return c.json(
|
|
{ success: false, error: e instanceof Error ? e.message : String(e) },
|
|
500,
|
|
);
|
|
}
|
|
});
|
|
|
|
export default app;
|
|
|
|
// ── WASM runner ──────────────────────────────────────────────────────────────
|
|
|
|
async function runWasm(env: Env, apiKey: string, input: unknown): Promise<unknown> {
|
|
const stdinData = JSON.stringify(input);
|
|
const baseHost = createArcrunHostFunctions(env, apiKey);
|
|
const hostFunctions: WasiHostFunctions = {
|
|
...baseHost,
|
|
http_request: async (url, method, headersJson, body) => {
|
|
const headers: Record<string, string> = {};
|
|
if (headersJson) {
|
|
try {
|
|
const parsed = JSON.parse(headersJson);
|
|
if (parsed && typeof parsed === 'object') {
|
|
for (const [k, v] of Object.entries(parsed as Record<string, unknown>)) {
|
|
if (typeof v === 'string') headers[k] = v;
|
|
}
|
|
}
|
|
} catch {
|
|
// 忽略 header parse 錯誤,當作沒 header
|
|
}
|
|
}
|
|
const init: RequestInit = { method, headers };
|
|
if (body && method.toUpperCase() !== 'GET' && method.toUpperCase() !== 'HEAD') {
|
|
init.body = body;
|
|
}
|
|
const res = await fetch(url, init);
|
|
// WASM 端(main.go)直接 json.Unmarshal 回傳內容找 access_token,
|
|
// 因此只回傳 response body 原文。非 2xx 也回原文,讓 WASM 從 {error, error_description} 判斷
|
|
return await res.text();
|
|
},
|
|
};
|
|
|
|
const shim = createWasiShim(stdinData, hostFunctions);
|
|
|
|
const instance = await WebAssembly.instantiate(
|
|
componentWasm as WebAssembly.Module,
|
|
shim.imports,
|
|
);
|
|
shim.setMemory(instance.exports.memory as WebAssembly.Memory);
|
|
await shim.run(instance);
|
|
|
|
const stdout = shim.getStdout().trim();
|
|
if (!stdout) throw new Error('WASM component produced no output');
|
|
return JSON.parse(stdout);
|
|
}
|