✨ feat: runtime, env, and headers for site scripts

[vaayne]

Summary

Adds per-script metadata for declaring execution environment, environment variable dependencies, and HTTP headers. This enables:

1. Pure API scripts that skip the browser entirely (runtime: "http")
2. Auth-injected scripts that derive headers from env vars (headers: {"X-API-Key": "${EXA_API_KEY}"})

Phases implemented

Phase 1 — Type changes and env validation

• Added EnvDef struct (mirrors ArgDef) and Env map[string]EnvDef to Meta
• Added ValidateEnv() — checks required env vars are set, lists all missing
• Added ResolveHeaders() — interpolates ${ENV_VAR} via os.LookupEnv, skips headers with unset optional vars
• Wired ValidateEnv() into Client.RunScript before engine dispatch

Phase 2 — Runtime routing

• Added enginesByRuntime() on Client — filters engine list by script-declared runtime
• Maps: "http" → QuickJS only, "browser"/"lightpanda" → Browser only, "auto"/"" → fallback chain
• Respects forceBrowser user override (all runtimes return browser-only)
• Empty engine list returns a descriptive error before dispatch

Phase 3 — Header injection in engines

• Added RunOpts{Headers} struct; changed Engine.Run signature to accept it
• QuickJS.injectFetch: meta headers set first, JS-level headers override them
• transport.BrowseEvalWithPause: injects network.SetExtraHTTPHeaders before Navigate when headers are non-empty
• Client.RunScript resolves headers via s.Meta.ResolveHeaders() and passes them as RunOpts.Headers

Phase 4 — CLI display and sample script

• site info shows Runtime, Env (with required/optional badges), and Headers (masked)
• site list shows runtime badges (e.g., [http]) after descriptions
• Updated sites/exa/search.js with runtime: "http", optional EXA_API_KEY, and X-API-Key header
• Registry test validates all new fields parse correctly from the embedded script

Deferred (not in this PR)

• Phase 5: authRequired cookie store check
• Phase 6: Web/D1 schema updates

Verification

• mise run test — all packages pass
• mise run lint — 0 issues

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	tap	832d2cc	May 12 2026, 04:08 AM

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5861896d6d

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Exclude built-ins when caller requests local-only scripts

DefaultRegistry always injects sites.FS, so callers cannot construct a registry from only one filesystem path. In cmd/tap/main.go, --local-only sets WithSitesDir(localOverrideDir) specifically to expose only local override scripts, but this change now still loads embedded scripts as well, violating the flag’s documented behavior and causing site list/script resolution to include non-local entries.

Useful? React with 👍 / 👎.