feat: add enterprise mirror support for air-gap deployments

Implements Phase 1 of enterprise air-gap support (Issue #208) by adding
configurable mirror URLs for all external dependencies via environment
variables.

Changes:
- toolchains/secure_download.bzl: Add BAZEL_WASM_GITHUB_MIRROR support
  for wasm-tools, wit-bindgen, wac, wkg, wasmtime, wizer, wasi-sdk
- toolchains/jco_toolchain.bzl: Add BAZEL_NODEJS_MIRROR and
  BAZEL_NPM_REGISTRY for Node.js downloads and npm packages
- toolchains/tinygo_toolchain.bzl: Add BAZEL_GO_MIRROR and BAZEL_GOPROXY
  for Go SDK and module proxy configuration
- .bazelrc: Document all mirror environment variables with examples

Benefits:
- Zero code changes required for default public URLs
- Corporate mirror support for JFrog, Nexus, Harbor, Minio
- All downloads maintain mandatory SHA256 checksum verification
- Enables air-gap/offline builds in restricted environments

Backward Compatible: All environment variables default to public URLs,
ensuring existing builds continue to work without configuration.

Issue: #208

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: avrabe

.bazelrc

@@ -46,3 +46,39 @@ build --incompatible_strict_action_env
 build:clippy --aspects=@rules_rust//rust:defs.bzl%rust_clippy_aspect
 build:clippy --output_groups=+clippy_checks
 build:clippy --@rules_rust//:clippy_flags=-D,warnings,-D,clippy::all,-D,clippy::correctness,-D,clippy::style,-D,clippy::complexity,-D,clippy::perf
+
+# ============================================================================
+# Enterprise / Air-Gap Configuration
+# ============================================================================
+# The following environment variables allow you to configure corporate mirrors
+# for all external dependencies. This supports enterprise deployments with:
+# - Air-gap/offline builds
+# - Corporate artifact repositories (JFrog, Nexus, Harbor, Minio)
+# - Security scanning and compliance requirements
+#
+# To use corporate mirrors, set these in your environment or .bazelrc.user:
+#
+# GitHub Releases Mirror (for wasm-tools, wit-bindgen, wac, wkg, wasmtime, wizer, wasi-sdk):
+#   build --action_env=BAZEL_WASM_GITHUB_MIRROR=https://artifactory.company.com/github
+#
+# Node.js Mirror (for jco toolchain):
+#   build --action_env=BAZEL_NODEJS_MIRROR=https://artifactory.company.com/nodejs
+#
+# NPM Registry Mirror (for jco and componentize-js packages):
+#   build --action_env=BAZEL_NPM_REGISTRY=https://artifactory.company.com/npm
+#
+# Go SDK Mirror (for TinyGo toolchain):
+#   build --action_env=BAZEL_GO_MIRROR=https://artifactory.company.com/golang
+#
+# Go Module Proxy (for wit-bindgen-go and other Go dependencies):
+#   build --action_env=BAZEL_GOPROXY=https://artifactory.company.com/go-proxy
+#
+# Example corporate configuration (.bazelrc.user):
+#   build --action_env=BAZEL_WASM_GITHUB_MIRROR=https://nexus.corp.com/repository/github-proxy
+#   build --action_env=BAZEL_NODEJS_MIRROR=https://nexus.corp.com/repository/nodejs-dist
+#   build --action_env=BAZEL_NPM_REGISTRY=https://nexus.corp.com/repository/npm-group
+#   build --action_env=BAZEL_GO_MIRROR=https://nexus.corp.com/repository/golang-dist
+#   build --action_env=BAZEL_GOPROXY=https://nexus.corp.com/repository/go-proxy
+#
+# All downloads include mandatory SHA256 checksum verification for security.
+# See checksums/tools/*.json for the complete list of verified checksums.

MODULE.bazel.lock

@@ -96,7 +96,12 @@ def _jco_toolchain_repository_impl(repository_ctx):
     _create_jco_build_files(repository_ctx)
 
 def _setup_downloaded_jco_tools(repository_ctx, platform, jco_version, node_version):
-    """Download hermetic Node.js and install jco via npm"""
+    """Download hermetic Node.js and install jco via npm
+
+    Supports configurable mirrors via environment variables for enterprise/air-gap deployments:
+    - BAZEL_NODEJS_MIRROR: Override Node.js download URL (default: https://nodejs.org)
+    - BAZEL_NPM_REGISTRY: Override npm registry URL (default: https://registry.npmjs.org)
+    """
 
     # Get Node.js info from registry
     node_info = get_tool_info("nodejs", node_version, platform)
@@ -113,9 +118,13 @@ def _setup_downloaded_jco_tools(repository_ctx, platform, jco_version, node_vers
         platform,
     ))
 
-    # Download Node.js
+    # Get mirror configuration from environment (enterprise support)
+    nodejs_mirror = repository_ctx.os.environ.get("BAZEL_NODEJS_MIRROR", "https://nodejs.org")
+    npm_registry = repository_ctx.os.environ.get("BAZEL_NPM_REGISTRY", "https://registry.npmjs.org")
+
+    # Download Node.js from configurable mirror
     archive_name = "node-v{}-{}".format(node_version, node_info["url_suffix"])
-    node_url = "https://nodejs.org/dist/v{}/{}".format(node_version, archive_name)
+    node_url = "{}/dist/v{}/{}".format(nodejs_mirror, node_version, archive_name)
 
     print("Downloading Node.js from: {}".format(node_url))
 
@@ -170,6 +179,12 @@ def _setup_downloaded_jco_tools(repository_ctx, platform, jco_version, node_vers
     # Install jco using the hermetic npm
     print("Installing jco {} using hermetic npm...".format(jco_version))
 
+    # Configure npm to use custom registry if specified
+    if npm_registry != "https://registry.npmjs.org":
+        print("Configuring npm to use custom registry: {}".format(npm_registry))
+        npmrc_content = "registry={}\n".format(npm_registry)
+        repository_ctx.file("jco_workspace/.npmrc", npmrc_content)
+
     # Create a local node_modules for jco
     # Set up environment so npm can find node binary
     node_dir = str(node_binary.dirname)

toolchains/jco_toolchain.bzl

@@ -3,7 +3,11 @@
 load("//checksums:registry.bzl", "get_github_repo", "get_tool_checksum", "get_tool_info")
 
 def secure_download_tool(ctx, tool_name, version, platform):
-    """Download tool with mandatory checksum verification using central registry"""
+    """Download tool with mandatory checksum verification using central registry
+
+    Supports configurable mirrors via environment variables for enterprise/air-gap deployments.
+    Set BAZEL_WASM_GITHUB_MIRROR to override default GitHub URL.
+    """
 
     # Get verified checksum from central registry
     expected_checksum = get_tool_checksum(tool_name, version, platform)
@@ -20,8 +24,11 @@ def secure_download_tool(ctx, tool_name, version, platform):
     if not tool_info:
         fail("SECURITY: Tool info not found for '{}' version '{}' platform '{}'".format(tool_name, version, platform))
 
+    # Get mirror configuration from environment (enterprise support)
+    github_mirror = ctx.os.environ.get("BAZEL_WASM_GITHUB_MIRROR", "https://github.com")
+
     # Download with verification
-    url = _build_download_url(tool_name, version, platform, tool_info)
+    url = _build_download_url(ctx, tool_name, version, platform, tool_info, github_mirror)
 
     # Determine archive type from URL suffix
     archive_type = "zip" if tool_info.get("url_suffix", "").endswith(".zip") else "tar.gz"
@@ -32,8 +39,20 @@ def secure_download_tool(ctx, tool_name, version, platform):
         type = archive_type,
     )
 
-def _build_download_url(tool_name, version, platform, tool_info):
-    """Build download URL using tool info from central registry"""
+def _build_download_url(ctx, tool_name, version, platform, tool_info, github_mirror):
+    """Build download URL using tool info from central registry
+
+    Args:
+        ctx: Repository context
+        tool_name: Name of the tool
+        version: Version to download
+        platform: Target platform
+        tool_info: Tool metadata from registry
+        github_mirror: Mirror URL for GitHub releases (enterprise support)
+
+    Returns:
+        Download URL (either public GitHub or corporate mirror)
+    """
 
     # Get GitHub repository from registry
     github_repo = get_github_repo(tool_name)
@@ -44,8 +63,9 @@ def _build_download_url(tool_name, version, platform, tool_info):
     if not url_suffix:
         fail("URL suffix not found for tool '{}' version '{}' platform '{}'".format(tool_name, version, platform))
 
-    # Build the URL using GitHub releases pattern
-    return "https://github.com/{github_repo}/releases/download/v{version}/{tool_name}-{version}-{suffix}".format(
+    # Build the URL using GitHub releases pattern with configurable mirror
+    return "{mirror}/{github_repo}/releases/download/v{version}/{tool_name}-{version}-{suffix}".format(
+        mirror = github_mirror,
         github_repo = github_repo,
         tool_name = tool_name,
         version = version,

toolchains/secure_download.bzl

@@ -30,7 +30,11 @@ def _detect_host_platform(repository_ctx):
         fail("Unsupported operating system: {}".format(os_name))
 
 def _download_go(repository_ctx, version, platform):
-    """Download hermetic Go SDK for TinyGo to use"""
+    """Download hermetic Go SDK for TinyGo to use
+
+    Supports configurable mirrors via environment variables for enterprise/air-gap deployments:
+    - BAZEL_GO_MIRROR: Override Go SDK download URL (default: https://go.dev)
+    """
 
     go_version = "1.25.3"  # Latest stable Go version (1.25.0 doesn't exist)
 
@@ -46,9 +50,12 @@ def _download_go(repository_ctx, version, platform):
     if not go_platform:
         fail("Unsupported platform for Go SDK: {}".format(platform))
 
+    # Get mirror configuration from environment (enterprise support)
+    go_mirror = repository_ctx.os.environ.get("BAZEL_GO_MIRROR", "https://go.dev")
+
     # Windows uses .zip, others use .tar.gz
     go_extension = ".zip" if platform == "windows_amd64" else ".tar.gz"
-    go_url = "https://go.dev/dl/go{}.{}{}".format(go_version, go_platform, go_extension)
+    go_url = "{}/dl/go{}.{}{}".format(go_mirror, go_version, go_platform, go_extension)
 
     print("Downloading Go {} for TinyGo from: {}".format(go_version, go_url))
 
@@ -182,19 +189,26 @@ def _setup_go_wit_bindgen(repository_ctx, go_binary):
     """Install wit-bindgen-go Go tool for WIT binding generation
 
     Installs go.bytecodealliance.org/wit/bindgen which provides 'go tool wit-bindgen-go'
+
+    Supports configurable Go proxy via environment variable for enterprise/air-gap deployments:
+    - BAZEL_GOPROXY: Override Go module proxy (default: https://proxy.golang.org,direct)
     """
 
     print("Installing Go WIT binding tools...")
 
     # Create bin directory first
     repository_ctx.file("bin/.gitkeep", "")
 
+    # Get Go proxy configuration from environment (enterprise support)
+    goproxy = repository_ctx.os.environ.get("BAZEL_GOPROXY", "https://proxy.golang.org,direct")
+
     # Set up Go environment for tool installation
     go_env = {
         "GOCACHE": str(repository_ctx.path("go_cache")),
         "GOPATH": str(repository_ctx.path("go_path")),
         "CGO_ENABLED": "0",
         "GO111MODULE": "on",
+        "GOPROXY": goproxy,
     }
 
     # Install wit-bindgen-go using hermetic Go - this provides 'go tool wit-bindgen-go'