Integrate dynamic secret injection with component runtime

crates/wassette/Cargo.toml

@@ -16,11 +16,14 @@ hyper = { version = "1.7", features = ["client"] }
 oci-client = { workspace = true }
 oci-wasm = { workspace = true }
 policy = { workspace = true }
+regex = "1.11"
 reqwest = { workspace = true }
+secrecy = { version = "0.10", features = ["serde"] }
 serde = { workspace = true }
 serde_json = { workspace = true }
 sha2 = "0.10"
 serde_yaml = { workspace = true }
+zeroize = "1.8"
 tempfile = { workspace = true }
 tokio = { workspace = true, features = ["full", "test-util"] }
 tokio-util = { workspace = true, features = ["io"] }

crates/wassette/src/ipc_protocol.rs

@@ -40,6 +40,7 @@ pub enum IpcCommand {
         /// Component identifier
         component_id: String,
         /// Whether to include secret values in the response
+        #[serde(default)]
         show_values: bool,
     },
 }

crates/wassette/src/ipc_server.rs

@@ -159,7 +159,7 @@ async fn handle_request(
             value,
         } => {
             secrets_manager
-                .set_component_secrets(&component_id, &[(key.clone(), value)])
+                .inject_secret(&component_id, key.clone(), value)
                 .await
                 .context("Failed to set secret")?;
             Ok(IpcResponse::success(format!(
@@ -169,22 +169,35 @@ async fn handle_request(
         }
 
         IpcCommand::DeleteSecret { component_id, key } => {
-            secrets_manager
-                .delete_component_secrets(&component_id, std::slice::from_ref(&key))
+            // Try to delete from memory store first
+            match secrets_manager
+                .remove_memory_secret(&component_id, &key)
                 .await
-                .context("Failed to delete secret")?;
-            Ok(IpcResponse::success(format!(
-                "Secret '{}' deleted from component '{}'",
-                key, component_id
-            )))
+            {
+                Ok(_) => Ok(IpcResponse::success(format!(
+                    "Secret '{}' deleted from component '{}'",
+                    key, component_id
+                ))),
+                Err(_) => {
+                    // If not in memory, try file-based
+                    secrets_manager
+                        .delete_component_secrets(&component_id, std::slice::from_ref(&key))
+                        .await
+                        .context("Failed to delete secret")?;
+                    Ok(IpcResponse::success(format!(
+                        "Secret '{}' deleted from component '{}'",
+                        key, component_id
+                    )))
+                }
+            }
         }
 
         IpcCommand::ListSecrets {
             component_id,
             show_values,
         } => {
             let secrets = secrets_manager
-                .list_component_secrets(&component_id, show_values)
+                .list_all_secrets(&component_id, show_values)
                 .await
                 .context("Failed to list secrets")?;
 
@@ -541,9 +554,9 @@ mod tests {
         let response = handle_request(request, &secrets_manager).await.unwrap();
         assert_eq!(response.status, "success");
 
-        // Verify secret was actually set
+        // Verify secret was actually set in memory
         let secrets = secrets_manager
-            .list_component_secrets("test-component", true)
+            .list_all_secrets("test-component", true)
             .await
             .unwrap();
         assert_eq!(secrets.get("API_KEY"), Some(&Some("secret123".to_string())));

crates/wassette/src/lib.rs

@@ -319,6 +319,61 @@ pub struct ComponentInstance {
     package_docs: Option<Value>,
 }
 
+/// Attempt to extract missing environment variable names from error messages
+fn extract_missing_env_vars(error_message: &str) -> Vec<String> {
+    let mut missing_vars = Vec::new();
+
+    // Common patterns for missing environment variable errors
+    let patterns = [
+        // WASI error: "environment variable not found: API_KEY"
+        r"environment variable not found:\s*([A-Z_][A-Z0-9_]*)",
+        // Generic: "missing environment variable API_KEY"
+        r"missing environment variable\s*([A-Z_][A-Z0-9_]*)",
+        // env::var error: "environment variable `API_KEY` not found"
+        r"environment variable `([A-Z_][A-Z0-9_]*)` not found",
+        // Other variations
+        r"variable\s+([A-Z_][A-Z0-9_]*)\s+not\s+found",
+    ];
+
+    for pattern in &patterns {
+        if let Ok(re) = regex::Regex::new(pattern) {
+            for cap in re.captures_iter(error_message) {
+                if let Some(var_name) = cap.get(1) {
+                    missing_vars.push(var_name.as_str().to_string());
+                }
+            }
+        }
+    }
+
+    missing_vars
+}
+
+/// Enhance error message with instructions for missing secrets
+fn enhance_missing_secret_error(component_id: &str, error: anyhow::Error) -> anyhow::Error {
+    let error_msg = error.to_string();
+    let missing_vars = extract_missing_env_vars(&error_msg);
+
+    if !missing_vars.is_empty() {
+        let vars_list = missing_vars.join(", ");
+        let hint = format!(
+            "\n\nComponent execution failed. Missing secrets: {}\n\
+            To provide the secret(s), use:\n  \
+            wassette secret set --component {} {}",
+            vars_list,
+            component_id,
+            missing_vars
+                .iter()
+                .map(|v| format!("{}=value", v))
+                .collect::<Vec<_>>()
+                .join(" ")
+        );
+
+        anyhow!("{}{}", error_msg, hint)
+    } else {
+        error
+    }
+}
+
 impl LifecycleManager {
     /// Begin constructing a lifecycle manager with a fluent builder that
     /// validates configuration and applies sensible defaults.
@@ -1076,8 +1131,8 @@ impl LifecycleManager {
                 // Return a more informative error with instructions
                 return Err(anyhow!(perm_error.to_user_message(component_id)));
             }
-            // Otherwise, return the original WASM execution error
-            return Err(e);
+            // Check if it might be a missing secret error and enhance the message
+            return Err(enhance_missing_secret_error(component_id, e));
         }
 
         let result_json = vals_to_json(&results);

crates/wassette/src/policy_internal.rs

@@ -151,7 +151,8 @@ impl PolicyManager {
     async fn build_default_template(&self, component_id: &str) -> Arc<WasiStateTemplate> {
         let mut config_vars = self.environment_vars.as_ref().clone();
 
-        if let Ok(secrets) = self.secrets.load_component_secrets(component_id).await {
+        // Load both file-based and in-memory secrets
+        if let Ok(secrets) = self.secrets.get_all_secrets(component_id).await {
             for (key, value) in secrets {
                 config_vars.insert(key, value);
             }
@@ -189,7 +190,8 @@ impl PolicyManager {
         let metadata_path = self.metadata_path(component_id);
         tokio::fs::write(&metadata_path, serde_json::to_string_pretty(&metadata)?).await?;
 
-        let secrets = self.secrets.load_component_secrets(component_id).await.ok();
+        // Load both file-based and in-memory secrets
+        let secrets = self.secrets.get_all_secrets(component_id).await.ok();
 
         let wasi_template = crate::create_wasi_state_template_from_policy(
             &policy,
@@ -287,7 +289,8 @@ impl PolicyManager {
             return Ok(());
         }
 
-        let secrets = self.secrets.load_component_secrets(component_id).await.ok();
+        // Load both file-based and in-memory secrets
+        let secrets = self.secrets.get_all_secrets(component_id).await.ok();
 
         match tokio::fs::read_to_string(&policy_path).await {
             Ok(policy_content) => match PolicyParser::parse_str(&policy_content) {

crates/wassette/src/secrets.rs

@@ -16,8 +16,10 @@ use std::path::{Path, PathBuf};
 use std::time::SystemTime;
 
 use anyhow::{anyhow, Context, Result};
+use secrecy::{ExposeSecret, SecretString};
 use tokio::sync::RwLock;
 use tracing::{debug, info, warn};
+use zeroize::Zeroize;
 
 /// Cache entry for component secrets
 #[derive(Debug, Clone)]
@@ -33,8 +35,11 @@ pub struct SecretCache {
 pub struct SecretsManager {
     /// Directory where secrets are stored
     secrets_dir: PathBuf,
-    /// Cache of component secrets
+    /// Cache of component secrets from files
     cache: RwLock<HashMap<String, SecretCache>>,
+    /// In-memory secrets store for dynamically injected secrets
+    /// Component ID → (Secret Key → Secret Value)
+    memory_store: RwLock<HashMap<String, HashMap<String, SecretString>>>,
 }
 
 impl SecretsManager {
@@ -43,6 +48,7 @@ impl SecretsManager {
         Self {
             secrets_dir,
             cache: RwLock::new(HashMap::new()),
+            memory_store: RwLock::new(HashMap::new()),
         }
     }
 
@@ -339,6 +345,103 @@ impl SecretsManager {
 
         Ok(())
     }
+
+    /// Inject a secret into in-memory store (dynamic secret injection via IPC)
+    pub async fn inject_secret(
+        &self,
+        component_id: &str,
+        key: String,
+        value: String,
+    ) -> Result<()> {
+        let secret_value = SecretString::new(value.into());
+        let mut store = self.memory_store.write().await;
+
+        let component_secrets = store
+            .entry(component_id.to_string())
+            .or_insert_with(HashMap::new);
+        component_secrets.insert(key.clone(), secret_value);
+
+        info!("Injected secret '{}' for component: {}", key, component_id);
+        Ok(())
+    }
+
+    /// Remove a secret from in-memory store
+    pub async fn remove_memory_secret(&self, component_id: &str, key: &str) -> Result<()> {
+        let mut store = self.memory_store.write().await;
+
+        if let Some(component_secrets) = store.get_mut(component_id) {
+            if let Some(secret) = component_secrets.remove(key) {
+                // Zeroize the secret before dropping
+                let mut exposed = secret.expose_secret().to_string();
+                exposed.zeroize();
+                info!(
+                    "Removed memory secret '{}' for component: {}",
+                    key, component_id
+                );
+                Ok(())
+            } else {
+                Err(anyhow!(
+                    "Memory secret '{}' not found for component: {}",
+                    key,
+                    component_id
+                ))
+            }
+        } else {
+            Err(anyhow!(
+                "No memory secrets found for component: {}",
+                component_id
+            ))
+        }
+    }
+
+    /// Get all secrets for a component (merged from file and memory)
+    /// Returns a combined map with memory secrets taking precedence over file-based secrets
+    pub async fn get_all_secrets(&self, component_id: &str) -> Result<HashMap<String, String>> {
+        let mut merged = HashMap::new();
+
+        // Start with file-based secrets (lower precedence)
+        let file_secrets = self.load_component_secrets(component_id).await?;
+        merged.extend(file_secrets);
+
+        // Overlay memory secrets (higher precedence)
+        let store = self.memory_store.read().await;
+        if let Some(memory_secrets) = store.get(component_id) {
+            for (key, secret_value) in memory_secrets {
+                merged.insert(key.clone(), secret_value.expose_secret().to_string());
+            }
+        }
+
+        Ok(merged)
+    }
+
+    /// List all secrets for a component (both file-based and memory)
+    pub async fn list_all_secrets(
+        &self,
+        component_id: &str,
+        show_values: bool,
+    ) -> Result<HashMap<String, Option<String>>> {
+        let mut result = HashMap::new();
+
+        // Add file-based secrets
+        let file_secrets = self
+            .list_component_secrets(component_id, show_values)
+            .await?;
+        result.extend(file_secrets);
+
+        // Add memory secrets
+        let store = self.memory_store.read().await;
+        if let Some(memory_secrets) = store.get(component_id) {
+            for (key, secret_value) in memory_secrets {
+                if show_values {
+                    result.insert(key.clone(), Some(secret_value.expose_secret().to_string()));
+                } else {
+                    result.insert(key.clone(), None);
+                }
+            }
+        }
+
+        Ok(result)
+    }
 }
 
 /// Sanitize component ID for use as filename

crates/wassette/src/wasistate.rs

@@ -273,11 +273,8 @@ pub(crate) fn extract_env_vars(
         env_vars.extend(secrets_map.clone());
     }
 
-    // Add inherited environment vars (middle precedence)
-    // Note: This would require passing process environment, but for now
-    // we'll just add configured environment_vars which act as inherited
-
-    // Add policy-allowed environment variables (highest precedence)
+    // Add policy-allowed environment variables from environment_vars (higher precedence)
+    // These override secrets when keys conflict
     if let Some(env_perms) = &policy.permissions.environment {
         if let Some(env_allow_vec) = &env_perms.allow {
             for env_allow in env_allow_vec {