canonical_id: "auth_static_key"
display_name: "Auth Primitive — Static Key"
category: "auth"
version: "v1"
wasi_target: "preview1"
stability: "floating"
runtime_compat:
  - "cf-workers"
  - "workerd"
  - "wazero"
constraints:
  max_size_kb: 2048
  max_cold_start_ms: 50
  no_network_syscall: true
  no_filesystem_syscall: true
  io_model: "stdin_stdout_json"
input_schema:
  type: object
  required: [action, api_key, service]
  properties:
    action:
      type: string
      enum: [authenticate]
      description: 目前僅支援 authenticate;static_key 無 refresh 概念
    api_key:
      type: string
      description: 租戶識別(ak_ 前綴),用來組 {api_key}:cred:{name} KV key
    service:
      type: string
      description: auth recipe 名稱,對應 auth_recipe:{service} 的 KV 記錄
    request:
      type: object
      description: (保留)下游零件的 HTTP request 上下文;static_key 當前不使用
output_schema:
  type: object
  properties:
    success:
      type: boolean
    auth_headers:
      type: object
      additionalProperties:
        type: string
    auth_query:
      type: object
      additionalProperties:
        type: string
    auth_body:
      type: object
      additionalProperties:
        type: string
    runtime:
      type: object
      description: Static key 不使用;欄位保留以對齊其他 auth primitive
gherkin_tests:
  - scenario: "缺少 api_key"
    given: '{"action":"authenticate","service":"openai"}'
    then_contains: '{"success":false'
  - scenario: "找不到 auth recipe"
    given: '{"action":"authenticate","api_key":"ak_nonexistent","service":"nonexistent"}'
    then_contains: '{"success":false'
tags: [auth, credential, primitive, static_key]
description: "Static key auth primitive。讀取 auth_recipe + 解密 required_secrets + 展開 {{secret.X}} 模板,回傳 auth_headers / auth_query / auth_body。涵蓋 Bearer token / API key / Basic auth / 自訂 header 等 80% 服務。透過 host function kv_get + crypto_decrypt,plaintext 永不離開 WASM。"
config_example: |
  auth_step:
    component: "auth_static_key"
    action: "authenticate"
    service: "openai"      # 對應 auth_recipe:openai 的 KV 記錄