wasi-auth is the single public authentication, authorization, and trusted-
ingress crate for WASI services. It combines account and session lifecycles,
multi-tenant organizations, native HTTP security policy, embedded Cedar,
optional direct SpiceDB, Leptos context, and Spin gRPC request support behind
an empty-by-default feature graph.
Current version: 0.1.0-rc.1.
The standalone crate baseline is Rust 1.93, wasip3 0.7.0 with final
wasi:http@0.3.0, and Wasmtime 46.0.1. Tagged Spin 4.0.2 cannot link the
final-WASI components. Spin consumers are pinned to SDK revision
a02d330fe9357be2d18e6deef400511195ce6f7f until a tagged upstream release contains
the required final-WASI and gRPC graph. That immutable SDK manifest declares
Rust 1.93. The maintained Spin runtime fork is pinned to
c34c584dbf77b3a3528ad0536aa9ce4761b9f772; it is the release-candidate
terminal lane, while WAC-composed middleware remains experimental. The
library and SDK MSRV is Rust 1.93; the native Spin host requires Rust 1.94
because its Wasmtime 46 dependency graph declares that floor. The
Leptos/browser dependency graph is locked to wasm-bindgen 0.2.126; that
browser binding version is independent of the WASI component ABI.
Exactly one library package is publishable: wasi-auth. The older
wasi-authz-* and leptos-wasi-authz packages remain private compatibility
fixtures while consumers migrate; portable PDP and middleware components are
also private workspace packages.
[dependencies]
wasi-auth = { version = "0.1.0-rc.1", default-features = false, features = [
"fullstack-spin",
"postgres-spin",
] }Development templates use PostgreSQL and mail-capture. Production startup
selects PostgreSQL while the native worker owns the documented HTTP webhook
adapter and optional SpiceDB writes. Install the worker from the same package:
cargo install wasi-auth --version 0.1.0-rc.1 \
--features outbox-worker --bin wasi-auth-outbox-workerThe workspace also builds experimental, separately deployable final-WASIp3 coarse HTTP PEP, Cedar PDP, and SpiceDB PDP components. Production applications embed Cedar and call SpiceDB directly through the typed provider; the remote AuthZEN SpiceDB PDP remains a compatibility deployment.
Production request handling uses native trusted ingress and installs one
non-forgeable VerifiedAuthContext. Guest-composed component middleware and
remote AuthZEN PDPs are compatibility features only. Embedded Cedar is the
default decision provider; SpiceDB calls are direct and opt-in. Anything other
than an explicit valid allow decision fails closed.
The private wasi-auth-ingress service is distributed as a signed binary/OCI
artifact, not as a second public crate. It terminates public HTTP, REST, and
gRPC traffic, validates credentials through a prepared native PostgreSQL pool,
and sends the loopback-only Spin backend a five-second HMAC envelope bound to
audience, method, path, and request ID. Migration
0009_context_invalidation publishes transactional cache invalidations; the
ingress refuses startup if the trigger set is incomplete. The default REST
Cedar check executes in the ingress from the same strictly validated policy
bundle, removing an unnecessary second HTTP hop. See
Native trusted ingress.
Authentication is implemented by the PostgreSQL relational command kernel.
Each product mutation is one bounded, parameterized SQL statement that owns
its row locks, optimistic checks, credential changes, idempotency result,
authorization revision, audit record, and durable outbox insertion. It is not
event sourced. DDD business aggregates remain consumer concerns; wasi-auth
has no ddd_cqrs_es dependency.
Mail and optional SpiceDB delivery share auth_outbox. Mail payloads remain
encrypted; relationship rows use typed, non-secret relational metadata. The
native worker leases bounded batches with FOR UPDATE SKIP LOCKED, retries,
dead-letters poison records, and acknowledges provider delivery tokens.
Delivery no longer depends on request traffic.
Install the checksum-pinned SpiceDB and zed binaries and run the live
relationship matrix with:
make provider-tools
make test-spicedb-liveSee Architecture, Compatibility, Production support, Native outbox worker, Performance, Security, Relationship consistency, and Release process.