http-request/MODULE.md
flemming-it b325736dfd refactor: rename to chain:platform WIT + provider chain
Tracks the platform's fai->chain rename: capability provider chain,
WIT ABI chain:platform (binding paths/accessors), SDK pin bumped.

Signed-off-by: flemming-it <sf@flemming.it>
2026-06-15 22:54:52 +02:00

2.9 KiB

http.request

Generic HTTP client for flow steps. GET / POST / PUT / PATCH / DELETE / HEAD / OPTIONS with arbitrary headers and a UTF-8 body. The audit-friendly alternative to flows rolling their own HTTP clients.

Capability

  • http.request@0.1.0

Inputs

Name Type Description
method text Uppercase HTTP verb (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS).
url text Full URL including scheme.
headers text Optional JSON-object string of extra headers. Empty = none.
body text Optional UTF-8 request body. Empty = no body.

Example headers input:

{"Accept":"application/json","X-Tenant":"acme","Content-Length":42}

String, numeric, and boolean values are accepted (numbers and bools are coerced to strings). Nested arrays / objects are rejected at parse time with a clear error.

Outputs

Name Type Description
status text Decimal status code as text (e.g. "200", "404").
headers text Response headers serialised as a JSON object (lowercased keys).
body text Response body as UTF-8. Replacement chars on non-UTF-8.

Status is text rather than number so the audit-log entry stays operator-readable without JSON re-parsing.

Permissions

permissions:
  - "net: *"

The wildcard makes it explicit that this module can call any HTTP endpoint by design. Operators clamp the surface in their policy ceiling (~/.chain/config.yaml#security.max_permissions.net) — installing http.request against a policy that disallows wildcards fails at install time.

Why a generic primitive instead of per-API modules

Same answer as llm.chat: a single explicit egress module means operators audit net: * exactly once, not in every flow YAML. The permission posture stays observable.

Limits in v0.1.0

  • UTF-8 body only. Binary upload / download is a separate http.request-bytes capability (v0.2.0).
  • No per-request timeout / retry inputs (waki's default timeouts apply).
  • No cookie-jar or session-keeping inputs.

Example flow

name: post-to-webhook
inputs:
  payload: text
steps:
  - id: notify
    use: http.request@^0
    with:
      method: "POST"
      url: "https://example.org/webhook"
      headers: '{"Content-Type":"application/json"}'
      body: $inputs.payload
outputs:
  status: $notify.status
  echo: $notify.body

Build

cargo build --release --target wasm32-wasip2
# Output: target/wasm32-wasip2/release/http_request.wasm