Leo
18f04448ce
- wasi-shim gains kv_get / crypto_decrypt / crypto_sign_rs256 host functions with strict boundary (ENCRYPTION_KEY never exits Worker). - registry/components/auth_static_key: TinyGo impl for API-key / Bearer / Basic Auth recipes (80% of supported services). - .component-builds/auth_static_key: independent Worker at auth-static-key.arcrun.dev, imports wasi-shim cross-directory. - cypher-executor/auth-dispatcher routes static_key recipes to the new Worker instead of credential-injector TS. Replaces TS credential injection per .agents/specs/arcrun/credential-primitives-wasm Phase 1. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
68 lines
2.2 KiB
YAML
68 lines
2.2 KiB
YAML
canonical_id: "auth_static_key"
|
|
display_name: "Auth Primitive — Static Key"
|
|
category: "auth"
|
|
version: "v1"
|
|
wasi_target: "preview1"
|
|
stability: "floating"
|
|
runtime_compat:
|
|
- "cf-workers"
|
|
- "workerd"
|
|
- "wazero"
|
|
constraints:
|
|
max_size_kb: 2048
|
|
max_cold_start_ms: 50
|
|
no_network_syscall: true
|
|
no_filesystem_syscall: true
|
|
io_model: "stdin_stdout_json"
|
|
input_schema:
|
|
type: object
|
|
required: [action, api_key, service]
|
|
properties:
|
|
action:
|
|
type: string
|
|
enum: [authenticate]
|
|
description: 目前僅支援 authenticate;static_key 無 refresh 概念
|
|
api_key:
|
|
type: string
|
|
description: 租戶識別(ak_ 前綴),用來組 {api_key}:cred:{name} KV key
|
|
service:
|
|
type: string
|
|
description: auth recipe 名稱,對應 auth_recipe:{service} 的 KV 記錄
|
|
request:
|
|
type: object
|
|
description: (保留)下游零件的 HTTP request 上下文;static_key 當前不使用
|
|
output_schema:
|
|
type: object
|
|
properties:
|
|
success:
|
|
type: boolean
|
|
auth_headers:
|
|
type: object
|
|
additionalProperties:
|
|
type: string
|
|
auth_query:
|
|
type: object
|
|
additionalProperties:
|
|
type: string
|
|
auth_body:
|
|
type: object
|
|
additionalProperties:
|
|
type: string
|
|
runtime:
|
|
type: object
|
|
description: Static key 不使用;欄位保留以對齊其他 auth primitive
|
|
gherkin_tests:
|
|
- scenario: "缺少 api_key"
|
|
given: '{"action":"authenticate","service":"openai"}'
|
|
then_contains: '{"success":false'
|
|
- scenario: "找不到 auth recipe"
|
|
given: '{"action":"authenticate","api_key":"ak_nonexistent","service":"nonexistent"}'
|
|
then_contains: '{"success":false'
|
|
tags: [auth, credential, primitive, static_key]
|
|
description: "Static key auth primitive。讀取 auth_recipe + 解密 required_secrets + 展開 {{secret.X}} 模板,回傳 auth_headers / auth_query / auth_body。涵蓋 Bearer token / API key / Basic auth / 自訂 header 等 80% 服務。透過 host function kv_get + crypto_decrypt,plaintext 永不離開 WASM。"
|
|
config_example: |
|
|
auth_step:
|
|
component: "auth_static_key"
|
|
action: "authenticate"
|
|
service: "openai" # 對應 auth_recipe:openai 的 KV 記錄
|