From 0e210af0c6677c789d2dd6361e051979640cbff0 Mon Sep 17 00:00:00 2001
From: NubsCarson <192162056+NubsCarson@users.noreply.github.com>
Date: Mon, 8 Jun 2026 03:12:19 +0000
Subject: [PATCH] fix(issuer): cfg(unix)-gate dstack-kms so the wasm32 build compiles
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The new dstack-kms client uses `std::os::unix::net::UnixStream`, which doesn't exist on `wasm32` — and `tessera-wasm` transitively compiles `tessera-issuer`, so PR #25 broke the `wasm browser client` CI job (and landed on main: my merge command's piped `gh pr checks` masked the failing exit code). Gate the Unix-only module behind `#[cfg(unix)]`; the `KeyProviderConfig::DstackKms` variant still parses everywhere (portable config validation), but preflight/establish fail closed with a clear "requires a Unix platform" error on non-Unix targets. Verified: `tessera-wasm` now builds for wasm32-unknown-unknown; the Unix path is unchanged (35 issuer tests green, clippy clean).
---
 crates/tessera-issuer/src/key_provider.rs | 39 +++++++++++++++++++++--
 crates/tessera-issuer/src/lib.rs | 4 +++
 2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/crates/tessera-issuer/src/key_provider.rs b/crates/tessera-issuer/src/key_provider.rs
index 44bb04c..db8e171 100644
--- a/crates/tessera-issuer/src/key_provider.rs
+++ b/crates/tessera-issuer/src/key_provider.rs
@@ -104,7 +104,7 @@ impl KeyProviderConfig {
 match self {
 Self::Ephemeral => Ok(()),
 Self::File { path } => check_path_usable(path, "TESSERA_KEY_FILE"),
- Self::DstackKms { socket, key_id } => crate::dstack_kms::preflight(socket, key_id),
+ Self::DstackKms { socket, key_id } => dstack_preflight(socket, key_id),
 }
 }
@@ -116,7 +116,7 @@ impl KeyProviderConfig {
 match self {
 Self::Ephemeral => Ok(ServerPrivateKey::setup(rng)),
 Self::File { path } => Ok(ensure_shared_key(path)),
- Self::DstackKms { socket, key_id } => crate::dstack_kms::establish(socket, key_id),
+ Self::DstackKms { socket, key_id } => dstack_establish(socket, key_id),
 }
 }
@@ -140,6 +140,41 @@ impl KeyProviderConfig {
 }
 }
+// `dstack-kms` parses on every platform (so config validation is portable), but it
+// can only *run* on Unix (it talks to the guest-agent Unix socket). On a non-Unix
+// target it fails closed at preflight/establish rather than failing to compile.
+#[cfg(unix)]
+fn dstack_preflight(socket: &str, key_id: &str) -> Result<(), String> {
+ crate::dstack_kms::preflight(socket, key_id)
+}
+
+#[cfg(not(unix))]
+fn dstack_preflight(_socket: &str, _key_id: &str) -> Result<(), String> {
+ Err(
+ "TESSERA_KEY_PROVIDER=dstack-kms requires a Unix platform (the dstack guest-agent socket)"
+ .to_string(),
+ )
+}
+
+#[cfg(unix)]
+fn dstack_establish(
+ socket: &str,
+ key_id: &str,
+) -> Result<(ServerPrivateKey, ServerPublicKey), String> {
+ crate::dstack_kms::establish(socket, key_id)
+}
+
+#[cfg(not(unix))]
+fn dstack_establish(
+ _socket: &str,
+ _key_id: &str,
+) -> Result<(ServerPrivateKey, ServerPublicKey), String> {
+ Err(
+ "TESSERA_KEY_PROVIDER=dstack-kms requires a Unix platform (the dstack guest-agent socket)"
+ .to_string(),
+ )
+}
+
 fn reject_key_file_with_provider(provider: &str, key_file: Option<&str>) -> Result<(), String> {
 if key_file.is_some() {
 Err(format!(
diff --git a/crates/tessera-issuer/src/lib.rs b/crates/tessera-issuer/src/lib.rs
index 9c80e5b..80786a9 100644
--- a/crates/tessera-issuer/src/lib.rs
+++ b/crates/tessera-issuer/src/lib.rs
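Review bot: The two `#[cfg(not(unix))]` stubs in the `@@ -140` hunk repeat the same error literal, so a later wording change can leave `dstack_preflight` and `dstack_establish` reporting different messages for the same condition. A shared `#[cfg(not(unix))] const DSTACK_UNIX_ONLY: &str = "…";` returned as `Err(DSTACK_UNIX_ONLY.to_string())` from both would keep them in step. The fail-closed rationale is written once, directly above the Unix `dstack_preflight` wrapper; a short `// fail closed: must never fall back to another key provider` on each non-Unix stub would keep that property next to the code that enforces it. Nothing visible in this patch exercises the non-Unix branch at runtime (the commit message reports only that the wasm32 build compiles), so a `#[cfg(not(unix))]` test asserting that both stubs return `Err` would pin the behaviour.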
@@ -34,6 +34,10 @@ use rand_core::RngCore;
 use sha2::{Digest, Sha256};
 use std::collections::HashSet;
+// dstack-kms is a Unix-domain-socket client (the dstack guest agent); it is
+// Unix-only, so it is not compiled for non-Unix targets such as the `wasm32`
+// build of this crate.
+#[cfg(unix)]
 pub mod dstack_kms;
 pub mod key_provider;
 pub mod keyfile;
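Review bot: The platform note added above `#[cfg(unix)] pub mod dstack_kms;` is a plain `//` comment, so it never reaches rustdoc even though the module is public and now disappears from the crate's API on non-Unix targets. Writing it as a doc comment, for example `/// Unix-only: client for the dstack guest-agent Unix-domain socket; not compiled for non-Unix targets such as wasm32.`, puts the restriction where downstream users will look. Any code outside `key_provider.rs` that names `dstack_kms` directly would now need its own `#[cfg(unix)]` gate; no such caller is visible in this patch, so that is worth a quick search before merging.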