/** * arcrun auth_static_key Worker * * POST / → JSON input {action, api_key, service} → WASM (WASI preview1 stdin/stdout) → JSON output * * 方案 A:直接 import cypher-executor/src/lib/wasi-shim.ts 的 shim + host function factory, * 確保 AES-GCM 解密邏輯只存在於一個檔案(rule 02 §2.2)。 * * 安全邊界: * - api_key 經 stdin 傳進 WASM,同時綁到 host function 的 kv_get 做越權檢查 * - ENCRYPTION_KEY 只存在於 host function 的 closure 中,不會進入 WASM 記憶體 */ import componentWasm from '../component.wasm' assert { type: 'webassembly' }; import { Hono } from 'hono'; import { cors } from 'hono/cors'; import { createWasiShim, createArcrunHostFunctions, type ArcrunHostEnv, } from '../../../cypher-executor/src/lib/wasi-shim'; type Env = ArcrunHostEnv; const app = new Hono<{ Bindings: Env }>(); app.use('*', cors()); app.get('/', (c) => c.json({ ok: true, component: 'auth_static_key' })); app.post('/', async (c) => { let input: Record; try { input = await c.req.json(); } catch { return c.json({ success: false, error: 'request body must be JSON' }, 400); } const apiKey = typeof input.api_key === 'string' ? input.api_key : ''; if (!apiKey) { return c.json({ success: false, error: 'api_key 必填' }, 400); } try { const result = await runWasm(c.env, apiKey, input); return c.json(result); } catch (e) { return c.json( { success: false, error: e instanceof Error ? e.message : String(e) }, 500, ); } }); export default app; // ── WASM runner ────────────────────────────────────────────────────────────── async function runWasm(env: Env, apiKey: string, input: unknown): Promise { const stdinData = JSON.stringify(input); const hostFunctions = createArcrunHostFunctions(env, apiKey); const shim = createWasiShim(stdinData, hostFunctions); const instance = await WebAssembly.instantiate( componentWasm as WebAssembly.Module, shim.imports, ); shim.setMemory(instance.exports.memory as WebAssembly.Memory); const start = (instance.exports._start ?? instance.exports.main) as () => void; if (typeof start !== 'function') { throw new Error('WASM missing _start or main export'); } try { start(); } catch (e) { if (!(e instanceof Error && e.message === 'wasm exit: 0')) throw e; } const stdout = shim.getStdout().trim(); if (!stdout) throw new Error('WASM component produced no output'); return JSON.parse(stdout); }