@avrabe avrabe commented Jan 26, 2026

Summary

Wire up exploratory Phase 2 components that were implemented but not committed:

  • OS Keyring Storage: Cross-platform secure key storage (macOS Keychain, Linux secret-service, Windows Credential Manager)
  • Rego Policy Engine: OPA/Rego policy language support via Regorus for advanced policy evaluation
  • wsc:crypto Component: WASM component implementing hardware signing interface as stopgap before wasi-crypto

Changes

  1. feat: add OS keyring/keychain key storage provider

    • Enables storing signing keys in OS-provided secure storage
    • Feature-gated behind keyring-storage feature flag
  2. feat: add Rego policy language support via Regorus

    • Wire up existing rego.rs to policy module
    • Feature-gated behind rego feature flag
  3. feat: add wsc:crypto WASM component for hardware signing

    • New src/crypto/ crate with wit-bindgen bindings
    • wit/BUILD.bazel wsc_crypto_wit target for component model

Test plan

  • cargo build --all-features passes
  • bazel build //... passes
  • Keyring feature compiles on macOS/Linux
  • Rego feature compiles with regorus

avrabe and others added 4 commits January 26, 2026 20:04
Cross-platform credential storage via keyring crate:
- macOS: Keychain (encrypted, Touch ID optional)
- Linux: secret-service (GNOME Keyring, KDE Wallet)
- Windows: Credential Manager

SecurityLevel::HardwareBasic - keys encrypted at rest by OS.

OPA/Rego policy engine for expressive supply chain policies:
- SLSA level enforcement
- Trusted tool/builder verification
- Custom policy rules with violations reporting

Requires --features rego (uses Microsoft's Regorus)

Add WASM component implementing wsc:crypto/hardware-signing interface.
This provides a portable abstraction for cryptographic operations that
can be backed by software or hardware implementations.

- src/crypto/: Component crate with wit-bindgen generated bindings
- wit/BUILD.bazel: Add wsc_crypto_wit target for component model

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
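The Rego commit above names three policy goals (SLSA level enforcement, trusted tool/builder verification, violations reporting) without showing a policy. The block below is an added example of what such a policy looks like; it is not a policy from this project. It assumes an input document with `provenance.slsa_level`, `provenance.builder_id` and a `provenance.tools[]` list carrying `name`, `version` and `verified`, none of which the page defines, and the builder identifiers in the allowlist are constructed placeholders. The embedded `test_` rules supply constructed sample inputs so the file is self-contained.

```rego
# Added example policy (not part of the wsc project).
# Input schema and builder identifiers below are assumptions.
package wsc.supply_chain

import rego.v1

# Assumed configuration. A real deployment would likely load these from data.*
min_slsa_level := 3

trusted_builders := {
    "https://builder.example/trusted-v1",   # constructed placeholder
    "https://builder.example/trusted-v2",   # constructed placeholder
}

# Deny by default; allow only when no violation is reported.
default allow := false

allow if count(violations) == 0

# SLSA level enforcement.
violations contains msg if {
    input.provenance.slsa_level < min_slsa_level
    msg := sprintf("SLSA level %v is below the required level %v",
        [input.provenance.slsa_level, min_slsa_level])
}

# Trusted builder verification.
violations contains msg if {
    not input.provenance.builder_id in trusted_builders
    msg := sprintf("builder %v is not in the trusted builder set",
        [input.provenance.builder_id])
}

# Trusted tool verification: every tool recorded in the provenance must
# carry a verified signature.
violations contains msg if {
    some tool in input.provenance.tools
    not tool.verified
    msg := sprintf("tool %v@%v has no verified signature", [tool.name, tool.version])
}

# Constructed sample inputs, runnable with `opa test`.
good_input := {"provenance": {
    "slsa_level": 3,
    "builder_id": "https://builder.example/trusted-v1",
    "tools": [{"name": "cargo", "version": "1.84.0", "verified": true}],
}}

test_accepts_compliant_provenance if {
    allow with input as good_input
    count(violations) == 0 with input as good_input
}

test_rejects_low_slsa_level if {
    not allow with input as {"provenance": {
        "slsa_level": 2,
        "builder_id": "https://builder.example/trusted-v1",
        "tools": [],
    }}
}

test_reports_every_violation if {
    bad := {"provenance": {
        "slsa_level": 1,
        "builder_id": "https://builder.example/unknown",
        "tools": [{"name": "wit-bindgen", "version": "0.0.0", "verified": false}],
    }}
    count(violations) == 3 with input as bad
}
```

Evaluating `data.wsc.supply_chain.violations` rather than just `allow` is what makes the "violations reporting" goal useful: a rejected artifact comes back with every failed check, not a bare false. The same policy text can be run with the OPA CLI (`opa test policy.rego`) or handed to a Regorus engine; the package path is the only thing the embedding code needs to agree on.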
@avrabe avrabe merged commit 5f28435 into main Jan 27, 2026
12 checks passed
@avrabe avrabe deleted the feat/phase2-components branch January 27, 2026 05:23