chore: add code runner

code-executor/.dockerignore

@@ -0,0 +1,9 @@
+node_modules
+dist
+.temp
+*.log
+.git
+.gitignore
+README.md
+.env*
+

code-executor/.gitignore

@@ -0,0 +1,7 @@
+node_modules/
+dist/
+.temp/
+.env
+.env.*
+*.log
+

code-executor/Dockerfile

@@ -0,0 +1,29 @@
+FROM node:20-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd -r executor && useradd -r -g executor executor
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci --only=production
+
+COPY tsconfig.json ./
+COPY src ./src
+
+RUN npm run build || npx tsc
+
+RUN mkdir -p .temp && chown -R executor:executor /app
+
+USER executor
+
+ENV NODE_ENV=production
+ENV PORT=3040
+
+EXPOSE 3040
+
+CMD ["node", "dist/server.js"]
+

code-executor/README.md

@@ -0,0 +1,124 @@
+# Light Code Executor
+
+Isolated code execution service for Light Protocol documentation.
+
+## Security Features
+
+- API key authentication required
+- Rate limiting (30 req/min)
+- Code pattern blocking (no fs, child_process, eval, etc.)
+- Execution timeout (30s)
+- Output size limits (50KB)
+- Memory limits (128MB heap)
+- Runs as non-root user in Docker
+- Read-only filesystem with tmpfs for execution
+
+## Environment Variables
+
+```bash
+# Required: API key for authenticating requests
+EXECUTOR_API_KEY=your-secure-api-key-here
+
+# Optional: Port (default: 3040)
+PORT=3040
+```
+
+## Local Development
+
+```bash
+cd code-executor
+
+# Install dependencies
+npm install
+
+# Set environment variable
+export EXECUTOR_API_KEY=dev-key-12345
+
+# Run dev server
+npm run dev
+```
+
+## Docker Deployment
+
+### Build and Run
+
+```bash
+# Build image
+docker build -t light-code-executor .
+
+# Run container
+docker run -d \
+  --name code-executor \
+  -p 3040:3040 \
+  -e EXECUTOR_API_KEY=your-secure-key \
+  --memory=512m \
+  --cpus=0.5 \
+  --read-only \
+  --tmpfs /app/.temp:size=50M \
+  --security-opt=no-new-privileges:true \
+  light-code-executor
+```
+
+### Using Docker Compose
+
+```bash
+export EXECUTOR_API_KEY=your-secure-key
+docker-compose up -d
+```
+
+## Deployment Options
+
+### Railway
+
+1. Connect your repo
+2. Set `EXECUTOR_API_KEY` environment variable
+3. Deploy
+
+### Fly.io
+
+```bash
+fly launch
+fly secrets set EXECUTOR_API_KEY=your-secure-key
+fly deploy
+```
+
+### Render
+
+1. Create new Web Service
+2. Set environment variables
+3. Deploy from Docker
+
+## API
+
+### Health Check
+
+```
+GET /health
+Response: { "status": "ok" }
+```
+
+### Execute TypeScript
+
+```
+POST /typescript
+Headers:
+  Authorization: Bearer <EXECUTOR_API_KEY>
+  Content-Type: application/json
+
+Body:
+  { "code": "console.log('Hello');" }
+
+Response:
+  { "stdout": "Hello", "stderr": "" }
+```
+
+## Integration with code-runner
+
+The code-runner Next.js app proxies requests to this service. Configure:
+
+```bash
+# In code-runner environment
+CODE_EXECUTOR_URL=https://your-executor-url.com
+EXECUTOR_API_KEY=same-key-as-executor
+```
+

code-executor/docker-compose.yml

@@ -0,0 +1,22 @@
+version: "3.8"
+
+services:
+  code-executor:
+    build: .
+    ports:
+      - "3040:3040"
+    environment:
+      - EXECUTOR_API_KEY=${EXECUTOR_API_KEY}
+      - PORT=3040
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 512M
+          cpus: "0.5"
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /app/.temp:size=50M,mode=1777
+

code-executor/fly.toml

@@ -0,0 +1,21 @@
+app = "light-code-executor"
+primary_region = "iad"
+
+[build]
+  dockerfile = "Dockerfile"
+
+[env]
+  PORT = "3040"
+
+[http_service]
+  internal_port = 3040
+  force_https = true
+  auto_stop_machines = true
+  auto_start_machines = true
+  min_machines_running = 0
+
+[[vm]]
+  cpu_kind = "shared"
+  cpus = 1
+  memory_mb = 512
+