feat(wasm): add Go wrapper for wasmsign2 to resolve Bazel sandbox + WASI conflict

Implements a cross-platform Go wrapper for wasmsign2 that resolves the
fundamental incompatibility between Bazel's sandbox (symlinks) and WASI's
cap-std security model (blocks symlinks outside preopened directories).

**Solution:**
- Created Go wrapper (tools/wasmsign2_wrapper) that resolves symlinks to
  real paths at execution time
- Maps only necessary directories to WASI (not full filesystem access)
- Eliminates all shell scripts from wasm_signing.bzl

**Changes:**
- tools/wasmsign2_wrapper/: New Go binary for path resolution and wasmtime execution
- wasm/wasm_signing.bzl: Updated wasm_keygen, wasm_sign, wasm_verify to use wrapper
- MODULE.bazel: Updated wasmsign2-cli.wasm to v0.2.7-rc.2
- .github/workflows/ci.yml: Enabled wasm_signing targets in CI (Linux + macOS)

**Benefits:**
✅ Cross-platform (Windows, macOS, Linux)
✅ Maintains Bazel sandbox hermeticity
✅ Maintains WASI security (limited directory access)
✅ Zero shell scripts (pure Go + Bazel)
✅ Follows file-ops pattern

Resolves the symlink issue discovered during wasmsign2 integration where
Bazel sandbox symlinks pointing outside the sandbox directory were blocked
by WASI's cap-std security model.

Author: avrabe

.github/workflows/ci.yml

@@ -153,6 +153,10 @@ jobs:
             //examples/js_component:simple_js_component \
             //examples/js_component:hello_js_component \
             //examples/js_component:calc_js_component \
+            //examples/wasm_signing:compact_keys \
+            //examples/wasm_signing:signed_component_embedded \
+            //examples/wasm_signing:signed_raw_wasm \
+            //examples/wasm_signing:verify_embedded \
             //rust/... \
             //go/... \
             //cpp/... \
@@ -247,6 +251,10 @@ jobs:
             //examples/js_component:simple_js_component \
             //examples/js_component:hello_js_component \
             //examples/js_component:calc_js_component \
+            //examples/wasm_signing:compact_keys \
+            //examples/wasm_signing:signed_component_embedded \
+            //examples/wasm_signing:signed_raw_wasm \
+            //examples/wasm_signing:verify_embedded \
             //rust/... \
             //go/... \
             //cpp/... \

MODULE.bazel

@@ -196,6 +196,14 @@ http_file(
     downloaded_file_path = "file_ops_component.wasm",
 )
 
+# wasmsign2 CLI WASM binary for component signing
+http_file(
+    name = "wasmsign2_cli_wasm",
+    url = "https://github.com/pulseengine/wasmsign2/releases/download/v0.2.7-rc.2/wasmsign2-cli.wasm",
+    sha256 = "0a2ba6a55621d83980daa7f38e3770ba6b9342736971a0cebf613df08377cd34",
+    downloaded_file_path = "wasmsign2.wasm",
+)
+
 # WASM Tools Component toolchain for universal wasm-tools operations
 register_toolchains("//toolchains:wasm_tools_component_toolchain_local")
 

tools/wasmsign2_wrapper/BUILD.bazel

@@ -0,0 +1,30 @@
+"""Cross-platform wrapper for wasmsign2 WASM component
+
+This wrapper executes the pre-built wasmsign2.wasm component via wasmtime,
+resolving symlinks to real paths to work with both Bazel's sandbox and
+WASI's security model.
+"""
+
+load("@rules_go//go:def.bzl", "go_binary")
+
+package(default_visibility = ["//visibility:public"])
+
+# Wrapper binary that executes wasmsign2.wasm with path resolution
+go_binary(
+    name = "wasmsign2_wrapper",
+    srcs = ["main.go"],
+    pure = "on",  # Pure Go for cross-platform compatibility
+    data = [
+        "@wasmsign2_cli_wasm//file",
+        "@wasmtime_toolchain//:wasmtime",
+    ],
+    deps = ["@rules_go//go/runfiles"],
+    visibility = ["//visibility:public"],
+)
+
+# Export for easy access in toolchains
+alias(
+    name = "wasmsign2",
+    actual = ":wasmsign2_wrapper",
+    visibility = ["//visibility:public"],
+)

tools/wasmsign2_wrapper/main.go

@@ -0,0 +1,196 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/bazelbuild/rules_go/go/runfiles"
+)
+
+// Wrapper for wasmsign2 WASM component
+// Resolves symlinks to real paths and calls wasmtime with limited directory access
+func main() {
+	if len(os.Args) < 2 {
+		log.Fatal("Usage: wasmsign2_wrapper <command> [args...]")
+	}
+
+	// Check for --bazel-marker-file flag (internal use only)
+	var markerFile string
+	filteredArgs := make([]string, 0, len(os.Args))
+	for i, arg := range os.Args {
+		if strings.HasPrefix(arg, "--bazel-marker-file=") {
+			markerFile = strings.TrimPrefix(arg, "--bazel-marker-file=")
+		} else if i > 0 { // Skip program name
+			filteredArgs = append(filteredArgs, arg)
+		}
+	}
+
+	// Initialize Bazel runfiles
+	r, err := runfiles.New()
+	if err != nil {
+		log.Fatalf("Failed to initialize runfiles: %v", err)
+	}
+
+	// Locate wasmtime binary
+	wasmtimeBinary, err := r.Rlocation("+wasmtime+wasmtime_toolchain/wasmtime")
+	if err != nil {
+		log.Fatalf("Failed to locate wasmtime: %v", err)
+	}
+
+	if _, err := os.Stat(wasmtimeBinary); err != nil {
+		log.Fatalf("Wasmtime binary not found at %s: %v", wasmtimeBinary, err)
+	}
+
+	// Locate wasmsign2 WASM component
+	wasmsign2Wasm, err := r.Rlocation("+_repo_rules+wasmsign2_cli_wasm/file/wasmsign2.wasm")
+	if err != nil {
+		log.Fatalf("Failed to locate wasmsign2.wasm: %v", err)
+	}
+
+	if _, err := os.Stat(wasmsign2Wasm); err != nil {
+		log.Fatalf("wasmsign2.wasm not found at %s: %v", wasmsign2Wasm, err)
+	}
+
+	// Parse command
+	command := filteredArgs[0]
+	cmdArgs := filteredArgs[1:]
+
+	// Resolve all file paths in arguments to real paths
+	resolvedArgs, dirs, err := resolvePathsInArgs(command, cmdArgs)
+	if err != nil {
+		log.Fatalf("Failed to resolve paths: %v", err)
+	}
+
+	// Build wasmtime command with directory mappings
+	wasmtimeArgs := []string{
+		"run",
+		"-S", "cli",
+		"-S", "http",
+	}
+
+	// Add unique directory mappings
+	uniqueDirs := uniqueStrings(dirs)
+	for _, dir := range uniqueDirs {
+		wasmtimeArgs = append(wasmtimeArgs, "--dir", dir)
+	}
+
+	// Add wasmsign2.wasm and command with resolved arguments
+	wasmtimeArgs = append(wasmtimeArgs, wasmsign2Wasm, command)
+	wasmtimeArgs = append(wasmtimeArgs, resolvedArgs...)
+
+	// Execute wasmtime
+	cmd := exec.Command(wasmtimeBinary, wasmtimeArgs...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	cmd.Stdin = os.Stdin
+
+	if err := cmd.Run(); err != nil {
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			os.Exit(exitErr.ExitCode())
+		}
+		log.Fatalf("Failed to execute wasmtime: %v", err)
+	}
+
+	// If marker file was requested, create it on success
+	if markerFile != "" {
+		if err := os.WriteFile(markerFile, []byte("Verification passed\n"), 0644); err != nil {
+			log.Fatalf("Failed to write marker file: %v", err)
+		}
+	}
+}
+
+// resolvePathsInArgs resolves file paths in command arguments
+// Returns resolved arguments and list of directories to map
+func resolvePathsInArgs(command string, args []string) ([]string, []string, error) {
+	resolvedArgs := make([]string, 0, len(args))
+	dirs := make([]string, 0)
+
+	// Track which flags expect file paths
+	pathFlags := map[string]bool{
+		"-i": true, "--input":       true,
+		"-o": true, "--output":      true,
+		"-k": true, "--secret-key":  true,
+		"-K": true, "--public-key":  true,
+		"-S": true, "--signature":   true,
+		"--public-key-name":  true,
+		"--secret-key-name":  true,
+	}
+
+	for i := 0; i < len(args); i++ {
+		arg := args[i]
+
+		// Check if this is a flag that expects a path
+		if pathFlags[arg] && i+1 < len(args) {
+			// Next argument is a file path
+			resolvedArgs = append(resolvedArgs, arg)
+			i++
+			path := args[i]
+
+			// Resolve to real path
+			realPath, err := filepath.EvalSymlinks(path)
+			if err != nil {
+				// If symlink evaluation fails, try absolute path
+				realPath, err = filepath.Abs(path)
+				if err != nil {
+					return nil, nil, fmt.Errorf("failed to resolve path %s: %w", path, err)
+				}
+			}
+
+			resolvedArgs = append(resolvedArgs, realPath)
+
+			// Add directory for mapping
+			dir := filepath.Dir(realPath)
+			dirs = append(dirs, dir)
+		} else if strings.Contains(arg, "=") && (strings.HasPrefix(arg, "--public-key-name=") ||
+			strings.HasPrefix(arg, "--secret-key-name=") ||
+			strings.HasPrefix(arg, "-i=") || strings.HasPrefix(arg, "-o=") ||
+			strings.HasPrefix(arg, "-k=") || strings.HasPrefix(arg, "-K=") ||
+			strings.HasPrefix(arg, "-S=")) {
+			// Handle --flag=value format
+			parts := strings.SplitN(arg, "=", 2)
+			if len(parts) == 2 {
+				flag := parts[0]
+				path := parts[1]
+
+				realPath, err := filepath.EvalSymlinks(path)
+				if err != nil {
+					realPath, err = filepath.Abs(path)
+					if err != nil {
+						return nil, nil, fmt.Errorf("failed to resolve path %s: %w", path, err)
+					}
+				}
+
+				resolvedArgs = append(resolvedArgs, flag+"="+realPath)
+
+				dir := filepath.Dir(realPath)
+				dirs = append(dirs, dir)
+			} else {
+				resolvedArgs = append(resolvedArgs, arg)
+			}
+		} else {
+			// Not a path argument, pass through as-is
+			resolvedArgs = append(resolvedArgs, arg)
+		}
+	}
+
+	return resolvedArgs, dirs, nil
+}
+
+// uniqueStrings returns unique strings from a slice
+func uniqueStrings(strs []string) []string {
+	seen := make(map[string]bool)
+	result := make([]string, 0, len(strs))
+
+	for _, s := range strs {
+		if !seen[s] {
+			seen[s] = true
+			result = append(result, s)
+		}
+	}
+
+	return result
+}