18f04448ce
- wasi-shim gains kv_get / crypto_decrypt / crypto_sign_rs256 host functions with strict boundary (ENCRYPTION_KEY never exits Worker). - registry/components/auth_static_key: TinyGo impl for API-key / Bearer / Basic Auth recipes (80% of supported services). - .component-builds/auth_static_key: independent Worker at auth-static-key.arcrun.dev, imports wasi-shim cross-directory. - cypher-executor/auth-dispatcher routes static_key recipes to the new Worker instead of credential-injector TS. Replaces TS credential injection per .agents/specs/arcrun/credential-primitives-wasm Phase 1. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
84 lines
2.6 KiB
TypeScript
84 lines
2.6 KiB
TypeScript
/**
|
|
* arcrun auth_static_key Worker
|
|
*
|
|
* POST / → JSON input {action, api_key, service} → WASM (WASI preview1 stdin/stdout) → JSON output
|
|
*
|
|
* 方案 A:直接 import cypher-executor/src/lib/wasi-shim.ts 的 shim + host function factory,
|
|
* 確保 AES-GCM 解密邏輯只存在於一個檔案(rule 02 §2.2)。
|
|
*
|
|
* 安全邊界:
|
|
* - api_key 經 stdin 傳進 WASM,同時綁到 host function 的 kv_get 做越權檢查
|
|
* - ENCRYPTION_KEY 只存在於 host function 的 closure 中,不會進入 WASM 記憶體
|
|
*/
|
|
|
|
import componentWasm from '../component.wasm' assert { type: 'webassembly' };
|
|
import { Hono } from 'hono';
|
|
import { cors } from 'hono/cors';
|
|
import {
|
|
createWasiShim,
|
|
createArcrunHostFunctions,
|
|
type ArcrunHostEnv,
|
|
} from '../../../cypher-executor/src/lib/wasi-shim';
|
|
|
|
type Env = ArcrunHostEnv;
|
|
|
|
const app = new Hono<{ Bindings: Env }>();
|
|
app.use('*', cors());
|
|
|
|
app.get('/', (c) => c.json({ ok: true, component: 'auth_static_key' }));
|
|
|
|
app.post('/', async (c) => {
|
|
let input: Record<string, unknown>;
|
|
try {
|
|
input = await c.req.json();
|
|
} catch {
|
|
return c.json({ success: false, error: 'request body must be JSON' }, 400);
|
|
}
|
|
|
|
const apiKey = typeof input.api_key === 'string' ? input.api_key : '';
|
|
if (!apiKey) {
|
|
return c.json({ success: false, error: 'api_key 必填' }, 400);
|
|
}
|
|
|
|
try {
|
|
const result = await runWasm(c.env, apiKey, input);
|
|
return c.json(result);
|
|
} catch (e) {
|
|
return c.json(
|
|
{ success: false, error: e instanceof Error ? e.message : String(e) },
|
|
500,
|
|
);
|
|
}
|
|
});
|
|
|
|
export default app;
|
|
|
|
// ── WASM runner ──────────────────────────────────────────────────────────────
|
|
|
|
async function runWasm(env: Env, apiKey: string, input: unknown): Promise<unknown> {
|
|
const stdinData = JSON.stringify(input);
|
|
const hostFunctions = createArcrunHostFunctions(env, apiKey);
|
|
const shim = createWasiShim(stdinData, hostFunctions);
|
|
|
|
const instance = await WebAssembly.instantiate(
|
|
componentWasm as WebAssembly.Module,
|
|
shim.imports,
|
|
);
|
|
shim.setMemory(instance.exports.memory as WebAssembly.Memory);
|
|
|
|
const start = (instance.exports._start ?? instance.exports.main) as () => void;
|
|
if (typeof start !== 'function') {
|
|
throw new Error('WASM missing _start or main export');
|
|
}
|
|
|
|
try {
|
|
start();
|
|
} catch (e) {
|
|
if (!(e instanceof Error && e.message === 'wasm exit: 0')) throw e;
|
|
}
|
|
|
|
const stdout = shim.getStdout().trim();
|
|
if (!stdout) throw new Error('WASM component produced no output');
|
|
return JSON.parse(stdout);
|
|
}
|