Files
wehub-resource-sync 23f7624596
ADR-166 MCP Bridge Security Lock / Static-source security lock (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / Compose default binds loopback + Mongo has auth (push) Failing after 2s
CodeQL Advanced / Analyze (rust) (push) Failing after 0s
ADR-166 MCP Bridge Security Lock / plugin-agent-federation bindHost default (push) Failing after 1s
ADR-166 MCP Bridge Security Lock / Runtime behavior — 401 + terminal gate + fail-closed (push) Failing after 4s
business-pods-smoke / smoke (push) Failing after 1s
all-plugins-smoke / smoke-all (push) Failing after 2s
CI/CD Pipeline / Security & Code Quality (push) Failing after 1s
CI/CD Pipeline / Test Suite (ubuntu-latest) (push) Failing after 1s
CI/CD Pipeline / Build & Package (macos-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (ubuntu-latest) (push) Has been skipped
CI/CD Pipeline / Build & Package (windows-latest) (push) Has been skipped
CI/CD Pipeline / Documentation & Examples (push) Failing after 1s
Clone Tracker (14-day rolling) / Snapshot clones for ruflo ecosystem (push) Failing after 1s
CodeQL Advanced / Analyze (actions) (push) Failing after 1s
CodeQL Advanced / Analyze (javascript-typescript) (push) Failing after 1s
federation-peer-rust / stable-noop (push) Failing after 1s
metaharness-ci / score (push) Failing after 1s
metaharness-ci / router-compat (push) Failing after 0s
metaharness-ci / similarity-tests (push) Failing after 0s
no-agentbbs-smoke / smoke-without-agentbbs (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (windows-latest) (push) Has been skipped
codex-integration-audit / Codex integration audit (push) Failing after 1s
helpers-manifest-guard / guard (push) Failing after 1s
🔗 Cross-Agent Integration Tests / 🤝 Agent Coordination Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🧠 Memory Sharing Integration (push) Has been skipped
🔗 Cross-Agent Integration Tests / 🛡️ Fault Tolerance Tests (push) Has been skipped
🔗 Cross-Agent Integration Tests / ⚡ Performance Integration Tests (push) Has been skipped
metaharness-ci / mcp-scan (push) Failing after 1s
metaharness-ci / eject-dryrun (push) Failing after 1s
metaharness-ci / metaharness-real-data (push) Failing after 0s
no-cli-optdep-bloat-2561 / guard (push) Failing after 1s
no-metaharness-smoke / smoke-without-metaharness (push) Failing after 1s
no-phantom-agentic-flow-subpath / guard (push) Failing after 1s
🔄 Automated Rollback Manager / 🚨 Failure Detection (push) Failing after 1s
V3 CI/CD Pipeline / Plugin hooks smoke / ubuntu-latest / Node 22 (push) Failing after 1s
V3 CI/CD Pipeline / ruflo-graph-intelligence build + test smoke (#2044, ADR-123) (push) Failing after 1s
CVE Audit Gate / Audit root (critical-blocking) (push) Failing after 2s
cost-tracker-smoke / smoke (push) Failing after 3s
oia-audit-weekly / audit (push) Failing after 2s
ruflo-agent-smoke / ruflo-agent structural smoke (push) Failing after 1s
📊 Status Badges Update / 📊 Update Status Badges (push) Failing after 1s
V3 CI/CD Pipeline / Static regression guards (#2267 YAML + (push) Failing after 1s
V3 CI/CD Pipeline / Test V3 Packages (push) Failing after 0s
V3 CI/CD Pipeline / agent_execute provider routing smoke (#2042) (push) Failing after 0s
CVE Audit Gate / Audit v3 (critical-blocking) (push) Failing after 1s
federation-peer-rust / stable-native (push) Failing after 2s
🔗 Cross-Agent Integration Tests / 🚀 Integration Test Setup (push) Failing after 2s
neural-trader-smoke / runtime-smoke (push) Failing after 1s
V3 CI/CD Pipeline / Build V3 (macos-latest) (push) Has been skipped
V3 CI/CD Pipeline / Build V3 (ubuntu-latest) (push) Has been skipped
V3 CI/CD Pipeline / Type Check V3 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 24 (push) Failing after 1s
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / ubuntu-latest / Node 22 (push) Failing after 2s
V3 CI/CD Pipeline / browser rvf create flag smoke (#2015) (push) Failing after 0s
V3 CI/CD Pipeline / Dependency review (#2046) (push) Has been skipped
V3 CI/CD Pipeline / Supply-chain audit (#2046) (push) Failing after 0s
V3 CI/CD Pipeline / witness marker drift smoke (#2021) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader portfolio CG smoke (#2068, ADR-126 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / neural-trader backtest signing smoke (#2068, ADR-126 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / kg-extract type-import classification smoke (#2049) (push) Failing after 0s
V3 CI/CD Pipeline / witness verify precondition smoke (#1880) (push) Failing after 2s
V3 CI/CD Pipeline / neural-trader pipeline risk-gate smoke (#2068, ADR-126 Phase 5) (push) Failing after 0s
V3 CI/CD Pipeline / neural-trader feature attribution smoke (#2068, ADR-126 Phase 6) (push) Failing after 0s
V3 CI/CD Pipeline / plugin-registry signature verification smoke (#1922, CWE-347) (push) Failing after 4s
V3 CI/CD Pipeline / memory stats legacy-DB smoke (#2120) (push) Failing after 4s
V3 CI/CD Pipeline / github deprecated actions smoke (#2089, ADR-127 Phase 3) (push) Failing after 1s
V3 CI/CD Pipeline / graph query + pathfinder smoke (ADR-130 P2+P5) (push) Has been skipped
V3 CI/CD Pipeline / graph trajectory hooks smoke (ADR-130 P3) (push) Has been skipped
V3 CI/CD Pipeline / graph plugin adapter smoke (ADR-130 P4) (push) Has been skipped
V3 CI/CD Pipeline / graph benchmark (ADR-130 P6) (push) Has been skipped
V3 CI/CD Pipeline / statusline generator delegation smoke (#2195) (push) Failing after 1s
V3 CI/CD Pipeline / wizard init regression guard (#2206 (push) Failing after 1s
V3 CI/CD Pipeline / memory no-stray-db smoke (ADR-125 P7) (push) Failing after 1s
V3 CI/CD Pipeline / github-safe injection smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github actions pin smoke (#2089, ADR-127 Phase 1) (push) Failing after 1s
V3 CI/CD Pipeline / github attribution opt-in smoke (#2089, ADR-127 Phase 4) (push) Failing after 1s
V3 CI/CD Pipeline / pre-bash hook safety smoke (#2017) (push) Failing after 1s
V3 CI/CD Pipeline / Memory import smoke / ubuntu-latest (push) Failing after 0s
V3 CI/CD Pipeline / MCP protocol smoke / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / ruvllm WASM auto-init smoke (#2086) (push) Failing after 4s
V3 CI/CD Pipeline / MCP paired-tool round-trip smoke (#1889) (push) Failing after 1s
V3 CI/CD Pipeline / Plugin package install-safety (#1902/#1903/#1904) (push) Failing after 1s
V3 CI/CD Pipeline / Tool description discoverability (ADR-112) (push) Failing after 3s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (22) (push) Failing after 1s
V3 CI/CD Pipeline / CLI npx-install smoke (#1147 / (24) (push) Failing after 1s
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / ubuntu-latest (push) Failing after 2s
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / ubuntu-latest (push) Failing after 1s
V3 CI/CD Pipeline / Vector-index dimension audit (#1947) (push) Failing after 0s
V3 CI/CD Pipeline / Hook-command install safety (#1921) (push) Failing after 1s
V3 CI/CD Pipeline / ToolOutputGuardrail smoke (ADR-131, (push) Failing after 1s
V3 CI/CD Pipeline / init-bundle invariants smoke (#2095, ADR-128 Phase 5) (push) Failing after 1s
V3 CI/CD Pipeline / wasm provider bridge smoke (ADR-129 P1) (push) Failing after 2s
V3 CI/CD Pipeline / wasm gallery CRUD smoke (ADR-129 P3) (push) Failing after 1s
V3 CI/CD Pipeline / wasm plugin bridge smoke (ADR-129 P4) (push) Failing after 0s
V3 CI/CD Pipeline / wasm compose smoke (ADR-129 P2) (push) Failing after 4s
V3 CI/CD Pipeline / graph schema smoke (ADR-130 P1) (push) Failing after 0s
Validate Marketplace / validate (push) Failing after 1s
🔍 Verification Pipeline / 🚀 Setup Verification (push) Failing after 1s
🔍 Verification Pipeline / 🛡️ Security Verification (push) Has been skipped
🔍 Verification Pipeline / 📝 Code Quality (push) Has been skipped
🔍 Verification Pipeline / 🧪 Test Verification (${{ matrix.os }}, Node ${{ matrix.node }}) (push) Has been skipped
🔍 Verification Pipeline / 🏗️ Build Verification (push) Has been skipped
🔍 Verification Pipeline / 📚 Documentation Verification (push) Has been skipped
CVE Audit Gate / High-severity report (warn only) (push) Has been cancelled
🔄 Automated Rollback Manager / 🔄 Execute Rollback (push) Has been cancelled
🔄 Automated Rollback Manager / ✅ Post-Rollback Verification (push) Has been cancelled
🔄 Automated Rollback Manager / 📊 Rollback Monitoring (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook execution smoke (#2132) / windows-latest (push) Has been cancelled
🔄 Automated Rollback Manager / ⏳ Manual Rollback Approval (push) Has been cancelled
V3 CI/CD Pipeline / MCP protocol smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Memory import smoke / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows hook shim smoke (#2132) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Windows init hooks smoke (#2132) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / macos-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / ubuntu-latest (push) Has been cancelled
V3 CI/CD Pipeline / Witness verify (signed manifest) / windows-latest (push) Has been cancelled
V3 CI/CD Pipeline / Publish to npm (alpha) (push) Has been cancelled
V3 CI/CD Pipeline / Smoke (no better-sqlite3) / macos-latest / Node 22 (push) Has been cancelled
V3 CI/CD Pipeline / Plugin hooks smoke / macos-latest / Node 22 (push) Has been cancelled
CI/CD Pipeline / Deploy & Release (push) Has been cancelled
CI/CD Pipeline / CI Status (push) Has been cancelled
🔗 Cross-Agent Integration Tests / 📊 Integration Test Report (push) Has been cancelled
🔄 Automated Rollback Manager / 🔍 Pre-Rollback Validation (push) Has been cancelled
🔍 Verification Pipeline / ⚡ Performance Verification (push) Has been cancelled
🔍 Verification Pipeline / 📊 Verification Report (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:02:19 +08:00

7.1 KiB

WASM Kernel Guide

The WASM kernel offloads hot-path operations (hashing, secret scanning, destructive detection, shard scoring) from JavaScript to Rust compiled to WebAssembly. It loads automatically when available and falls back to JS transparently.

Architecture

graph LR
    subgraph "Layer B — Node Host"
        H[wasm-kernel.ts]
        FB[JS Fallback]
    end

    subgraph "Layer A — Rust WASM"
        P[proof.rs: SHA-256, HMAC, chain verify]
        G[gates.rs: secrets, destructive]
        S[scoring.rs: shard relevance]
        L[lib.rs: batch_process dispatcher]
    end

    H -->|"Available?"| P
    H -->|"Available?"| G
    H -->|"Available?"| S
    H -.->|"Fallback"| FB

Layer A (Rust WASM) contains only pure functions — no filesystem, no network, no Node APIs. Layer B (Node host) handles loading, error recovery, and fallback.

Usage

import { getKernel, isWasmAvailable } from '@claude-flow/guidance/wasm-kernel';

const k = getKernel();
console.log(k.available); // true = WASM, false = JS fallback
console.log(k.version);   // 'guidance-kernel-0.1.0' or 'js-fallback'

The getKernel() call is idempotent — it loads WASM once, caches the result, and returns the same instance on every subsequent call.

API

Proof / Hashing

// SHA-256 hash
const hash = k.sha256('hello world');
// 'b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9'

// HMAC-SHA256
const mac = k.hmacSha256('secret-key', 'message body');

// Deterministic content hash (sorts JSON keys, then SHA-256)
const contentHash = k.contentHash('{"b":2,"a":1}');
// Same result as k.contentHash('{"a":1,"b":2}')

// Sign a proof envelope
const signature = k.signEnvelope('hmac-key', envelopeJsonString);

// Verify a proof chain
const valid = k.verifyChain(chainJsonString, 'hmac-key');

Gates

// Scan for secrets — returns array of matched strings
const secrets = k.scanSecrets('export const key = "sk-ant-abc123xyz"');
// ['sk-ant-abc123xyz']

const clean = k.scanSecrets('const x = 42');
// []

// Detect destructive commands — returns matched pattern or null
const destructive = k.detectDestructive('rm -rf /tmp');
// 'rm -rf'

const safe = k.detectDestructive('ls -la');
// null

Secret Patterns (8 built-in)

Pattern Example
API keys api_key="abc123"
Passwords password: "hunter2"
Tokens token="eyJhbG..."
Private keys -----BEGIN RSA PRIVATE KEY-----
Anthropic keys sk-ant-...
GitHub tokens ghp_...
npm tokens npm_...
AWS access keys AKIA...

Destructive Patterns (12 built-in)

Pattern Examples
File deletion rm -rf, rm -r
Database drops DROP TABLE, DROP DATABASE, TRUNCATE TABLE
Git force ops git push --force, git reset --hard, git clean -f
Kubernetes kubectl delete --all
Unqualified deletes DELETE FROM table
Schema drops ALTER TABLE ... DROP
Windows deletion del /s, format c:

Batch API

For bulk operations, use the batch API to minimize WASM boundary crossings. One WASM call handles many operations:

const results = k.batchProcess([
  { op: 'sha256', payload: 'data1' },
  { op: 'sha256', payload: 'data2' },
  { op: 'hmac_sha256', payload: 'message', key: 'secret' },
  { op: 'scan_secrets', payload: 'api_key="test"' },
  { op: 'detect_destructive', payload: 'ls -la' },
  { op: 'content_hash', payload: '{"b":2,"a":1}' },
]);

// results[0] = { hash: '...' }
// results[1] = { hash: '...' }
// results[2] = { mac: '...' }
// results[3] = { matches: ['test'] }
// results[4] = { match: null }
// results[5] = { hash: '...' }

Supported batch operations: sha256, hmac_sha256, content_hash, sign_envelope, verify_chain, scan_secrets, detect_destructive, score_shards.

Performance

Measured on 10,000 iterations with SIMD128 enabled:

Operation WASM JS Speedup
SHA-256 throughput 910k/s 505k/s 1.80x
Secret scan (dirty input) 362k/s 185k/s 1.96x
Secret scan (clean input) 676k/s 402k/s 1.68x
Proof chain (10k events) 61ms 76ms 1.25x

The biggest wins come from regex-heavy operations (secret scanning, destructive detection) where Rust's Aho-Corasick and memchr with SIMD outperform JS's regex engine.

SIMD128

The kernel is compiled with WebAssembly SIMD128 enabled:

# wasm-kernel/.cargo/config.toml
[target.wasm32-unknown-unknown]
rustflags = ["-C", "target-feature=+simd128"]

SIMD accelerates:

  • SHA-256 — Compression rounds use SIMD instructions
  • Regex — Aho-Corasick automaton uses SIMD for multi-pattern matching
  • memchr — Byte scanning uses SIMD for vectorized search

SIMD is supported in all modern runtimes: Node.js 16+, Chrome 91+, Firefox 89+, Safari 16.4+.

Building from Source

Prerequisites: Rust 1.70+, wasm-pack.

# Install prerequisites
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
rustup target add wasm32-unknown-unknown
cargo install wasm-pack

# Build
cd wasm-kernel
wasm-pack build --target nodejs --out-dir ../wasm-pkg --release

# Run Rust unit tests
cargo test

The build produces:

  • wasm-pkg/guidance_kernel_bg.wasm — The WASM binary (~1.1MB with SIMD+O2)
  • wasm-pkg/guidance_kernel.js — Node.js glue code
  • wasm-pkg/guidance_kernel.d.ts — TypeScript declarations

Build Options

# Cargo.toml [profile.release]
opt-level = 2        # O2 for speed (not "z" for size)
lto = true           # Link-time optimization
codegen-units = 1    # Better optimization, slower compile

To disable wasm-opt (if binaryen download fails):

[package.metadata.wasm-pack.profile.release]
wasm-opt = false

Fallback Behavior

If the WASM binary fails to load (missing file, incompatible runtime, etc.), the host bridge transparently falls back to JavaScript implementations:

const k = getKernel();
// k.available === false — using JS fallback
// All methods still work, just slower:
k.sha256('hello');        // Uses node:crypto createHash
k.scanSecrets(content);   // Uses JS regex
k.detectDestructive(cmd); // Uses JS regex

The fallback is functionally identical. The acceptance tests verify output parity between WASM and JS for all operations.

Testing

# Run all guidance tests (includes WASM acceptance tests)
cd v3/@claude-flow/guidance
npx vitest run

# Run only WASM tests
npx vitest run tests/wasm-kernel.test.ts

The WASM test suite includes:

  • Output parity tests (WASM === JS for all operations)
  • 10,000-event proof chain (verifies identical root hash)
  • Throughput benchmarks (SHA-256, secret scanning)
  • Batch API tests
  • Fallback behavior tests

Rust Source Structure

wasm-kernel/
  Cargo.toml              # Crate config
  .cargo/config.toml      # SIMD flags
  src/
    lib.rs                # Entry point, batch_process dispatcher
    proof.rs              # SHA-256, HMAC, content hash, chain verify
    gates.rs              # Secret scanning (8 patterns), destructive (12 patterns)
    scoring.rs            # Shard relevance scoring

Each Rust module has unit tests (cargo test runs 15 tests).