canonical_id: "platform_crypto"
display_name: "Platform Crypto Primitive"
category: "platform"
version: "v1"
wasi_target: "preview1"
stability: "stable"
runtime_compat:
  - "cf-workers"
  - "workerd"
  - "wazero"
constraints:
  max_size_kb: 2048
  max_cold_start_ms: 50
  no_network_syscall: true
  no_filesystem_syscall: true
  io_model: "stdin_stdout_json"
input_schema:
  type: object
  required: [action]
  properties:
    action:
      type: string
      enum: [generate_api_key, encrypt, random_token]
    email:
      type: string
      description: generate_api_key 用
    plaintext:
      type: string
      description: encrypt 用
    bytes:
      type: integer
      description: random_token 用，預設 32
output_schema:
  type: object
  properties:
    success:
      type: boolean
    api_key:
      type: string
      description: generate_api_key 結果，ak_ 前綴
    encrypted:
      type: string
      description: encrypt 結果，base64
    iv:
      type: string
      description: encrypt 結果，base64
    token:
      type: string
      description: random_token 結果，hex
tags: [platform, crypto, internal]
description: |
  平台內部 crypto primitive。
  - generate_api_key: HMAC-SHA256(email, ENCRYPTION_KEY) → ak_xxx
  - encrypt: AES-GCM(plaintext, ENCRYPTION_KEY) → {encrypted, iv}（base64）
  - random_token: crypto random bytes → hex string
  ENCRYPTION_KEY 由 host 持有，永不進入 WASM。