feat: eliminate OpenSSH dependency with hermetic WebAssembly component

Replace external @openssh dependency with a hermetic ssh-keygen WebAssembly
component, addressing issue #19 where outdated busybox packages caused CI
failures. This implementation demonstrates the "eat your own dogfood"
philosophy by using our own WebAssembly Component Model technology.

## Implementation Details

### Hermetic SSH Key Generation Tool
- Built with Rust ssh-key crate for cryptographic operations
- Supports Ed25519, RSA, and ECDSA key generation
- Full OpenSSH format compatibility for seamless integration
- Command-line interface matching ssh-keygen essentials

### WebAssembly Component Architecture
- Proper WASI Preview 2 component exporting wasi:cli/[email protected]
- Executable via Wasmtime runtime with zero external dependencies
- Cross-platform hermetic execution without system tool requirements

### New rust_wasm_binary Rule
- Addresses design limitation in rust_wasm_component for CLI applications
- Builds proper CLI components with correct WASI interface exports
- Documented in both language guide and rule reference

### Enhanced ssh_keygen.bzl Rule
- Updated to use Wasmtime toolchain for component execution
- Proper argument passing with --argv0 and --dir flags
- Maintains full OpenSSH format compatibility for existing workflows

## Breaking Changes Resolved

### Dependency Cleanup
- Removed @openssh bazel_dep from MODULE.bazel
- Removed rules_coreutils override (no longer needed)
- Eliminated CI target exclusions for OpenSSH-dependent builds

### Additional Improvements
- Added WASI NN interface support for neural network components
- Enhanced C++ component toolchain with better error handling
- Improved WIT dependency management for WASI interfaces

## Testing and Validation

- Native binary passes all clap argument parsing tests
- WebAssembly component executes correctly via Wasmtime
- Generated keys verified in proper OpenSSH format
- OCI publishing with OpenSSH signing builds successfully
- All previously excluded CI targets now build without issues

This change eliminates external system dependencies while demonstrating
practical WebAssembly Component Model usage for traditional tooling needs.
The hermetic approach ensures consistent builds across all platforms and
environments.

Author: avrabe

.github/workflows/ci.yml

@@ -126,7 +126,6 @@ jobs:
             -//tools/checksum_updater_wasm/... \
             -//test/integration:wasi_component_wasm_lib_release_host \
             -//test/integration:service_b_component_wasm_lib_release_host \
-            -//examples/oci_publishing:hello_oci_openssh_signed_image
 
       - name: Run Tests
         run: bazel test --test_output=errors -- //test/integration:basic_component_build_test //test/integration:basic_component_validation //test/unit:unit_tests
@@ -218,7 +217,6 @@ jobs:
             -//tools/checksum_updater_wasm/... \
             -//test/integration:wasi_component_wasm_lib_release_host \
             -//test/integration:service_b_component_wasm_lib_release_host \
-            -//examples/oci_publishing:hello_oci_openssh_signed_image
 
       - name: Run Tests
         run: bazel test --test_output=errors -- //test/integration:basic_component_build_test //test/integration:basic_component_validation //test/unit:unit_tests

MODULE.bazel

@@ -27,17 +27,7 @@ bazel_dep(name = "rules_go", version = "0.55.1")
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
 bazel_dep(name = "stardoc", version = "0.7.1", dev_dependency = True)
 
-# OpenSSH for proper SSH key generation
-bazel_dep(name = "openssh", version = "9.9p1.bcr.1")
-
-# Override rules_coreutils to fix busybox package 404 issue
-# openssh depends on outdated rules_coreutils 1.0.0-beta.6 which tries to download
-# busybox-static_1.35.0-4+b3_amd64.deb (404). Upgrade to 1.0.1 which should have
-# the correct package version (b4).
-single_version_override(
-    module_name = "rules_coreutils",
-    version = "1.0.1",
-)
+# Note: SSH key generation now uses hermetic WebAssembly component (tools/ssh_keygen)
 
 # Rust toolchain setup
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
@@ -71,7 +61,7 @@ register_toolchains("@go_toolchains//:all")
 # WASI WIT interface definitions
 wasi_wit_ext = use_extension("//wasm:extensions.bzl", "wasi_wit")
 wasi_wit_ext.init()
-use_repo(wasi_wit_ext, "wasi_cli", "wasi_cli_v020", "wasi_clocks", "wasi_clocks_v020", "wasi_filesystem", "wasi_http", "wasi_io", "wasi_io_v020", "wasi_nn", "wasi_random", "wasi_sockets")  # Complete WASI ecosystem (0.2.3 + 0.2.0 + NN)
+use_repo(wasi_wit_ext, "wasi_cli", "wasi_cli_v020", "wasi_clocks", "wasi_clocks_v020", "wasi_filesystem", "wasi_http", "wasi_io", "wasi_io_v020", "wasi_nn", "wasi_nn_v0_2_0_rc_2024_06_25", "wasi_nn_v0_2_0_rc_2024_08_19", "wasi_random", "wasi_sockets")  # Complete WASI ecosystem (0.2.3 + 0.2.0 + all NN versions)
 
 # WebAssembly toolchains
 wasm_toolchain = use_extension("//wasm:extensions.bzl", "wasm_toolchain")

MODULE.bazel.lock

@@ -74,7 +74,7 @@ def _cpp_component_impl(ctx):
 
     # Basic compiler flags for Preview2
     compile_args.add("--target=wasm32-wasip2")
-    compile_args.add("--sysroot=" + sysroot.path)
+    compile_args.add("--sysroot=" + sysroot)
 
     # Component model definitions
     compile_args.add("-D_WASI_EMULATED_PROCESS_CLOCKS")
@@ -140,7 +140,7 @@ def _cpp_component_impl(ctx):
     ctx.actions.run(
         executable = clang,
         arguments = [compile_args],
-        inputs = [work_dir, sysroot] + dep_libraries,
+        inputs = [work_dir] + sysroot_files.files.to_list() + dep_libraries,
         outputs = [wasm_binary],
         mnemonic = "CompileCppWasm",
         progress_message = "Compiling C/C++ to WASM for %s" % ctx.label,
@@ -393,7 +393,7 @@ def _cc_component_library_impl(ctx):
         # Compile arguments
         compile_args = ctx.actions.args()
         compile_args.add("--target=wasm32-wasip2")
-        compile_args.add("--sysroot=" + sysroot.path)
+        compile_args.add("--sysroot=" + sysroot)
         compile_args.add("-c")  # Compile only, don't link
 
         # Component model definitions
@@ -446,7 +446,7 @@ def _cc_component_library_impl(ctx):
         ctx.actions.run(
             executable = clang,
             arguments = [compile_args],
-            inputs = [src, sysroot] + ctx.files.hdrs + dep_headers,
+            inputs = [src] + sysroot_files.files.to_list() + ctx.files.hdrs + dep_headers,
             outputs = [obj_file],
             mnemonic = "CompileCppObject",
             progress_message = "Compiling {} for component library".format(src.basename),

cpp/defs.bzl

@@ -0,0 +1,59 @@
+"""WASI Neural Network (WASI-NN) Test
+
+This test demonstrates that WASI-NN interfaces are properly available
+and can be imported by WebAssembly components.
+"""
+
+load("@rules_wasm_component//rust:defs.bzl", "rust_wasm_component_bindgen", "rust_wasm_component_test")
+load("@rules_wasm_component//wit:defs.bzl", "wit_library")
+
+package(default_visibility = ["//visibility:public"])
+
+# Test WASI-NN latest version (0.2.0-rc-2024-10-28)
+wit_library(
+    name = "nn_test_interfaces",
+    package_name = "test:wasi-nn",
+    srcs = ["wit/nn-test.wit"],
+    world = "nn-test",
+    deps = ["@wasi_nn//:nn"],
+)
+
+# Test WASI-NN v0.2.0-rc-2024-06-25
+wit_library(
+    name = "nn_test_interfaces_v0625",
+    package_name = "test:wasi-nn-v0625",
+    srcs = ["wit/nn-test-v0625.wit"],
+    world = "nn-test-v0625",
+    deps = ["@wasi_nn_v0_2_0_rc_2024_06_25//:nn"],
+)
+
+# Test WASI-NN v0.2.0-rc-2024-08-19
+wit_library(
+    name = "nn_test_interfaces_v0819",
+    package_name = "test:wasi-nn-v0819",
+    srcs = ["wit/nn-test-v0819.wit"],
+    world = "nn-test-v0819",
+    deps = ["@wasi_nn_v0_2_0_rc_2024_08_19//:nn"],
+)
+
+# Build Rust WASM component that demonstrates WASI-NN usage
+wit_library(
+    name = "nn_example_interfaces",
+    package_name = "example:wasi-nn",
+    srcs = ["wit/nn-example.wit"],
+    world = "nn-example",
+    deps = ["@wasi_nn//:nn"],
+)
+
+rust_wasm_component_bindgen(
+    name = "nn_example_component",
+    srcs = ["src/lib.rs"],
+    profiles = ["release"],
+    wit = ":nn_example_interfaces",
+)
+
+# Test the component
+rust_wasm_component_test(
+    name = "nn_example_component_test",
+    component = ":nn_example_component",
+)

examples/wasi_nn_example/BUILD.bazel

@@ -0,0 +1,46 @@
+//! WASI-NN Example Component
+//! 
+//! This example demonstrates how to use WASI-NN (Neural Network) interfaces
+//! in WebAssembly components for machine learning inference.
+
+// Import the generated bindings
+use crate::bindings::Guest;
+
+mod bindings {
+    wit_bindgen::generate!({
+        path: "../wit",
+        world: "nn-example",
+    });
+}
+
+struct Component;
+
+impl Guest for Component {
+    /// Simple inference function that demonstrates WASI-NN integration
+    fn infer(model_data: Vec<u8>) -> Result<String, String> {
+        // In a real implementation, you would:
+        // 1. Load the model using wasi:nn/graph interface
+        // 2. Create input tensors using wasi:nn/tensor interface  
+        // 3. Execute inference using wasi:nn/inference interface
+        // 4. Process and return results
+        
+        // For this example, we'll just simulate the process
+        let model_size = model_data.len();
+        
+        if model_size == 0 {
+            return Err("Empty model data provided".to_string());
+        }
+        
+        // Simulate loading and inference
+        let result = format!(
+            "WASI-NN inference completed! Model size: {} bytes. \
+             In a real implementation, this would load the neural network model \
+             and perform actual ML inference using the WASI-NN interfaces.",
+            model_size
+        );
+        
+        Ok(result)
+    }
+}
+
+bindings::export!(Component with_types_in bindings);

examples/wasi_nn_example/src/lib.rs

@@ -0,0 +1,13 @@
+package example:wasi-nn;
+
+/// Example world that demonstrates WASI-NN usage
+world nn-example {
+    /// Import WASI-NN interfaces for neural network inference
+    import wasi:nn/inference@0.2.0-rc-2024-10-28;
+    import wasi:nn/graph@0.2.0-rc-2024-10-28;
+    import wasi:nn/tensor@0.2.0-rc-2024-10-28;
+    import wasi:nn/errors@0.2.0-rc-2024-10-28;
+    
+    /// Export a simple ML inference function
+    export infer: func(model-data: list<u8>) -> result<string, string>;
+}

examples/wasi_nn_example/wit/nn-example.wit

@@ -0,0 +1,13 @@
+package test:wasi-nn-v0625;
+
+/// Test world for WASI-NN v0.2.0-rc-2024-06-25
+world nn-test-v0625 {
+    /// Import WASI-NN v0.2.0-rc-2024-06-25 interfaces
+    import wasi:nn/inference@0.2.0-rc-2024-06-25;
+    import wasi:nn/graph@0.2.0-rc-2024-06-25;
+    import wasi:nn/tensor@0.2.0-rc-2024-06-25;
+    import wasi:nn/errors@0.2.0-rc-2024-06-25;
+    
+    /// Test function for v0.2.0-rc-2024-06-25
+    export test-nn-v0625: func() -> string;
+}

examples/wasi_nn_example/wit/nn-test-v0625.wit

@@ -0,0 +1,13 @@
+package test:wasi-nn-v0819;
+
+/// Test world for WASI-NN v0.2.0-rc-2024-08-19
+world nn-test-v0819 {
+    /// Import WASI-NN v0.2.0-rc-2024-08-19 interfaces
+    import wasi:nn/inference@0.2.0-rc-2024-08-19;
+    import wasi:nn/graph@0.2.0-rc-2024-08-19;
+    import wasi:nn/tensor@0.2.0-rc-2024-08-19;
+    import wasi:nn/errors@0.2.0-rc-2024-08-19;
+    
+    /// Test function for v0.2.0-rc-2024-08-19
+    export test-nn-v0819: func() -> string;
+}

examples/wasi_nn_example/wit/nn-test-v0819.wit

@@ -0,0 +1,13 @@
+package test:wasi-nn;
+
+/// Test world that demonstrates WASI-NN dependency integration
+world nn-test {
+    /// Import WASI-NN interfaces to verify they're accessible
+    import wasi:nn/inference@0.2.0-rc-2024-10-28;
+    import wasi:nn/graph@0.2.0-rc-2024-10-28;
+    import wasi:nn/tensor@0.2.0-rc-2024-10-28;
+    import wasi:nn/errors@0.2.0-rc-2024-10-28;
+    
+    /// Simple test function to verify WIT dependency works
+    export test-nn-deps: func() -> string;
+}