Files
Arcrun/.component-builds/auth_static_key/src/index.ts
T
Leo 18f04448ce feat(auth): auth_static_key WASM primitive + host functions
- wasi-shim gains kv_get / crypto_decrypt / crypto_sign_rs256 host
  functions with strict boundary (ENCRYPTION_KEY never exits Worker).
- registry/components/auth_static_key: TinyGo impl for API-key /
  Bearer / Basic Auth recipes (80% of supported services).
- .component-builds/auth_static_key: independent Worker at
  auth-static-key.arcrun.dev, imports wasi-shim cross-directory.
- cypher-executor/auth-dispatcher routes static_key recipes to the
  new Worker instead of credential-injector TS.

Replaces TS credential injection per
.agents/specs/arcrun/credential-primitives-wasm Phase 1.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 16:54:18 +08:00

84 lines
2.6 KiB
TypeScript

/**
* arcrun auth_static_key Worker
*
* POST / → JSON input {action, api_key, service} → WASM (WASI preview1 stdin/stdout) → JSON output
*
* 方案 A:直接 import cypher-executor/src/lib/wasi-shim.ts 的 shim + host function factory,
* 確保 AES-GCM 解密邏輯只存在於一個檔案(rule 02 §2.2)。
*
* 安全邊界:
* - api_key 經 stdin 傳進 WASM,同時綁到 host function 的 kv_get 做越權檢查
* - ENCRYPTION_KEY 只存在於 host function 的 closure 中,不會進入 WASM 記憶體
*/
import componentWasm from '../component.wasm' assert { type: 'webassembly' };
import { Hono } from 'hono';
import { cors } from 'hono/cors';
import {
createWasiShim,
createArcrunHostFunctions,
type ArcrunHostEnv,
} from '../../../cypher-executor/src/lib/wasi-shim';
type Env = ArcrunHostEnv;
const app = new Hono<{ Bindings: Env }>();
app.use('*', cors());
app.get('/', (c) => c.json({ ok: true, component: 'auth_static_key' }));
app.post('/', async (c) => {
let input: Record<string, unknown>;
try {
input = await c.req.json();
} catch {
return c.json({ success: false, error: 'request body must be JSON' }, 400);
}
const apiKey = typeof input.api_key === 'string' ? input.api_key : '';
if (!apiKey) {
return c.json({ success: false, error: 'api_key 必填' }, 400);
}
try {
const result = await runWasm(c.env, apiKey, input);
return c.json(result);
} catch (e) {
return c.json(
{ success: false, error: e instanceof Error ? e.message : String(e) },
500,
);
}
});
export default app;
// ── WASM runner ──────────────────────────────────────────────────────────────
async function runWasm(env: Env, apiKey: string, input: unknown): Promise<unknown> {
const stdinData = JSON.stringify(input);
const hostFunctions = createArcrunHostFunctions(env, apiKey);
const shim = createWasiShim(stdinData, hostFunctions);
const instance = await WebAssembly.instantiate(
componentWasm as WebAssembly.Module,
shim.imports,
);
shim.setMemory(instance.exports.memory as WebAssembly.Memory);
const start = (instance.exports._start ?? instance.exports.main) as () => void;
if (typeof start !== 'function') {
throw new Error('WASM missing _start or main export');
}
try {
start();
} catch (e) {
if (!(e instanceof Error && e.message === 'wasm exit: 0')) throw e;
}
const stdout = shim.getStdout().trim();
if (!stdout) throw new Error('WASM component produced no output');
return JSON.parse(stdout);
}