feat: http.request v0.1.0 — generic HTTP client

First release. Pure-WASM HTTP client built on waki 0.5 for
F∆I flow steps that need to call REST APIs.

Capability: http.request@0.1.0

Inputs: method (GET/POST/PUT/PATCH/DELETE/HEAD/OPTIONS),
url, headers (JSON object string), body (UTF-8).

Outputs: status (decimal text), headers (JSON object), body
(UTF-8 lossy).

Permissions: net: *. The wildcard is deliberate — operators
clamp to specific hosts via their operator-policy ceiling.

6 unit tests on the headers-input parser (empty / strings /
numbers coerced / non-object rejected / nested rejected /
malformed JSON rejected).

Bundle: target/wasm32-wasip2/release/http_request.wasm
(~120 KiB stripped).

v0.2.0 candidates: http.request-bytes for binary payloads,
per-request timeout / retry inputs, cookie-jar.

Signed-off-by: flemming-it <sf@flemming.it>
This commit is contained in:
flemming-it 2026-05-25 14:16:09 +02:00
commit 4681d0bb2c
8 changed files with 1194 additions and 0 deletions

51
module.yaml Normal file
View file

@ -0,0 +1,51 @@
schema_version: 1
name: http-request
version: 0.1.0
# Capability provided by this module.
provides:
- capability: http.request
version: 0.1.0
# Inputs the invoke function accepts.
inputs:
# HTTP method as uppercase string. Supported: GET, POST,
# PUT, PATCH, DELETE, HEAD, OPTIONS.
method: text
# Full URL including scheme. Must be https:// for production
# use; http:// is permitted so loopback and air-gapped
# internal services work, but operator policy can clamp it.
url: text
# Optional headers as JSON object string, e.g.
# '{"Accept":"application/json","X-Tenant":"acme"}'. Empty
# string means no extra headers (Content-Type is auto-set
# when `body` is non-empty and the input is not already a
# JSON-shaped string).
headers: text
# Optional request body. Treated as UTF-8 text — binary
# payloads should use a future `http.request-bytes` variant.
body: text
# Outputs produced.
outputs:
# HTTP status code as decimal text (e.g. "200", "404").
# Text rather than number so the audit-log entry stays
# operator-readable without JSON re-parsing.
status: text
# Response headers serialised as a JSON object (same shape
# as the input format) so downstream flow steps can pluck
# values like Content-Type or rate-limit headers.
headers: text
# Response body as UTF-8 text. Non-UTF-8 responses come
# through with replacement characters; that's acceptable
# for v0.1.0 since the bytes-shaped variant covers binary.
body: text
# Permissions required.
#
# v0.1.0 declares the broadest net: permission needed to call
# arbitrary URLs. Operators clamp this per-host via their
# operator-policy ceiling — installing http.request against a
# policy that disallows wildcards fails fast at install time.
permissions:
- "net: *"