PR Summary
What problems was I solving
ARC-2161 requires establishing a secure custom component substrate with trust boundaries, dedicated service ownership, parser-backed validation, and per-instance iframe runtime isolation. The PR moves custom component ownership from assets-service to a new dedicated service, adds feature-gated admin APIs, establishes the publish lifecycle in a separate database, and enforces strict CSP in frontend renderers.
What user-facing changes did I ship
Custom components are now only renderable via the tenant-enabled admin interface and feature-flagged admin routes. Admin API endpoints exist for CRUD, validation, and publish, but components will not be created/tested until the feature flag is enabled for specific tenants. Page UI components render in per-instance iframes with a restricted CSP and injected host environment APIs.
How I implemented it
The new custom-component-service owns tenant-scoped component records and the version lifecycle. assets-service only stores the published runtime asset projection with component refs (not authoring data). Admin gateway routes are feature-flag gated before delegating to custom-component-service. Custom components render in iframes with a limited CSP and an inlined self-hosted React runtime. Parser-backed validation with acorn blocks imports, exports, and dangerous globals before publish.
Description for the changelog
Introduces new custom-component-service for component lifecycle management, adds feature-gated admin API for tenant-scoped component creation and publishing, establishes trust boundary by requiring component refs in runtime assets rather than raw code, implements per-instance iframe sandbox with strict CSP for custom component rendering, adds parser-backed source analysis using acorn to block security escape hatches during validation.