First release. Pure-WASM HTTP client built on waki 0.5 for F∆I flow steps that need to call REST APIs. Capability: http.request@0.1.0 Inputs: method (GET/POST/PUT/PATCH/DELETE/HEAD/OPTIONS), url, headers (JSON object string), body (UTF-8). Outputs: status (decimal text), headers (JSON object), body (UTF-8 lossy). Permissions: net: *. The wildcard is deliberate — operators clamp to specific hosts via their operator-policy ceiling. 6 unit tests on the headers-input parser (empty / strings / numbers coerced / non-object rejected / nested rejected / malformed JSON rejected). Bundle: target/wasm32-wasip2/release/http_request.wasm (~120 KiB stripped). v0.2.0 candidates: http.request-bytes for binary payloads, per-request timeout / retry inputs, cookie-jar. Signed-off-by: flemming-it <sf@flemming.it>
2.9 KiB
http.request
Generic HTTP client for flow steps. GET / POST / PUT / PATCH / DELETE / HEAD / OPTIONS with arbitrary headers and a UTF-8 body. The audit-friendly alternative to flows rolling their own HTTP clients.
Capability
http.request@0.1.0
Inputs
| Name | Type | Description |
|---|---|---|
method |
text | Uppercase HTTP verb (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS). |
url |
text | Full URL including scheme. |
headers |
text | Optional JSON-object string of extra headers. Empty = none. |
body |
text | Optional UTF-8 request body. Empty = no body. |
Example headers input:
{"Accept":"application/json","X-Tenant":"acme","Content-Length":42}
String, numeric, and boolean values are accepted (numbers and bools are coerced to strings). Nested arrays / objects are rejected at parse time with a clear error.
Outputs
| Name | Type | Description |
|---|---|---|
status |
text | Decimal status code as text (e.g. "200", "404"). |
headers |
text | Response headers serialised as a JSON object (lowercased keys). |
body |
text | Response body as UTF-8. Replacement chars on non-UTF-8. |
Status is text rather than number so the audit-log entry stays operator-readable without JSON re-parsing.
Permissions
permissions:
- "net: *"
The wildcard makes it explicit that this module can call any
HTTP endpoint by design. Operators clamp the surface in their
policy ceiling (~/.fai/config.yaml#security.max_permissions.net)
— installing http.request against a policy that disallows
wildcards fails at install time.
Why a generic primitive instead of per-API modules
Same answer as llm.chat: a single explicit egress module
means operators audit net: * exactly once, not in every flow
YAML. The permission posture stays observable.
Limits in v0.1.0
- UTF-8 body only. Binary upload / download is a separate
http.request-bytescapability (v0.2.0). - No per-request timeout / retry inputs (waki's default timeouts apply).
- No cookie-jar or session-keeping inputs.
Example flow
name: post-to-webhook
inputs:
payload: text
steps:
- id: notify
use: http.request@^0
with:
method: "POST"
url: "https://example.org/webhook"
headers: '{"Content-Type":"application/json"}'
body: $inputs.payload
outputs:
status: $notify.status
echo: $notify.body
Build
cargo build --release --target wasm32-wasip2
# Output: target/wasm32-wasip2/release/http_request.wasm