v1.6.0 Stable
released this
2026-04-01 15:47:10 +00:00 | 0 commits to mainline since this release
Headless workflow server + security hardening
New
- wfe-server: Single-binary headless workflow server
- gRPC API with 13 RPCs: workflow CRUD, lifecycle streaming, log streaming, log search
- HTTP webhooks: GitHub and Gitea with HMAC-SHA256 verification, configurable triggers
- OIDC/JWT auth with JWKS discovery and asymmetric algorithm allowlist
- Real-time log streaming via `StreamLogs` with follow mode
- Full-text log search via OpenSearch with `SearchLogs` RPC
- Layered config: CLI flags > env vars > TOML file
- wfe-server-protos: gRPC service definitions (tonic 0.14)
- wfe-core: `LogSink` trait for real-time step output streaming
- wfe-core: Lifecycle publisher wired into executor
- wfe-yaml: Shell step streaming mode with `tokio::select!`
Security
- JWT algorithm confusion prevention (derive alg from JWK, reject symmetric)
- Constant-time static token comparison via `subtle` crate
- OIDC issuer HTTPS validation (SSRF prevention)
- Fail-closed on OIDC discovery failure
- Authenticated generic webhook endpoint
- 2MB webhook payload size limit
- Config parse errors fail loudly
- Blocked sensitive env var injection (PATH, LD_PRELOAD, etc.)
- Security regression tests for all critical findings
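The two JWT items above (deriving `alg` from the JWK and rejecting symmetric algorithms) and the constant-time token comparison, as an added std-only illustration that is not wfe-server's code; the `Jwk`, `Alg` and `AuthError` types are assumed, and the hand-written `ct_eq` stands in for the `subtle` crate so the block has no dependencies:

```rust
// Added example (not wfe-server's code): the permitted algorithm is derived
// from the verification key's JWK, never from the token header, and any HMAC
// ("HS*") algorithm is refused before the key is even looked at.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Alg { Rs256, Es256, EdDsa }

#[derive(Debug, PartialEq)]
pub enum AuthError { SymmetricAlg, UnsupportedKey, AlgMismatch }

/// Minimal JWK view (assumed shape): only the fields needed to pick an algorithm.
pub struct Jwk<'a> { pub kty: &'a str, pub crv: Option<&'a str> }

/// Derive the only algorithm this JWK may be used with.
pub fn alg_from_jwk(jwk: &Jwk) -> Result<Alg, AuthError> {
    match (jwk.kty, jwk.crv) {
        ("RSA", _) => Ok(Alg::Rs256),
        ("EC", Some("P-256")) => Ok(Alg::Es256),
        ("OKP", Some("Ed25519")) => Ok(Alg::EdDsa),
        // "oct" (symmetric) keys and unknown key types fail closed: otherwise a
        // header that says HS256 could be verified with public key bytes.
        _ => Err(AuthError::UnsupportedKey),
    }
}

/// Check the token header's `alg` against the JWK-derived algorithm.
pub fn check_header_alg(header_alg: &str, jwk: &Jwk) -> Result<Alg, AuthError> {
    if header_alg.starts_with("HS") {
        return Err(AuthError::SymmetricAlg);
    }
    let expected = alg_from_jwk(jwk)?;
    let claimed = match header_alg {
        "RS256" => Alg::Rs256,
        "ES256" => Alg::Es256,
        "EdDSA" => Alg::EdDsa,
        _ => return Err(AuthError::AlgMismatch),
    };
    if claimed != expected { return Err(AuthError::AlgMismatch); }
    Ok(expected)
}

/// Constant-time byte comparison for static bearer tokens. Like `subtle`'s
/// `ct_eq` on slices, only the length is allowed to leak; the byte loop always
/// runs to the end regardless of where the first mismatch is.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() { return false; }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b) { diff |= x ^ y; }
    diff == 0
}
```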
Fixed
- Shell step streaming respects `timeout_ms` with `child.kill()`
- LogSink threaded from WorkflowHostBuilder through executor to steps
- LogStore OpenSearch indexing wired in server
- Webhook publish failures return 500 instead of 200
Crates published
wfe-core, wfe-sqlite, wfe-postgres, wfe-opensearch, wfe-valkey, wfe-buildkit, wfe-buildkit-protos, wfe-containerd, wfe-containerd-protos, wfe-rustlang, wfe-server-protos, wfe, wfe-yaml
Downloads
- wfe-server: Single-binary headless workflow server