fix(wasm): upgrade Wasmtime to 43.0.1 and restore CI (#2224)

* fix(wasm): upgrade wasmtime to 43.0.1

* chore(wasm): align wasmparser with wasmtime deps

Author: henrypark133

Cargo.lock

@@ -147,9 +147,9 @@ open = "5"
 pgvector = { version = "0.4", features = ["postgres"], optional = true }
 
 # WASM sandbox for untrusted tool execution
-wasmtime = { version = "28", features = ["component-model"] }
-wasmtime-wasi = "28"  # WASI support for component model
-wasmparser = "0.220"  # WASM binary parsing for validation
+wasmtime = { version = "43.0.1", features = ["component-model"] }
+wasmtime-wasi = "43.0.1"  # WASI support for component model
+wasmparser = "0.245.1"  # WASM binary parsing for validation
 
 # Cryptography for secrets management
 aes-gcm = "0.10"

Cargo.toml

@@ -40,7 +40,7 @@ use tokio_tungstenite::tungstenite::protocol::Message as WebsocketMessage;
 use uuid::Uuid;
 use wasmtime::Store;
 use wasmtime::component::Linker;
-use wasmtime_wasi::{ResourceTable, WasiCtx, WasiCtxBuilder, WasiView};
+use wasmtime_wasi::{ResourceTable, WasiCtx, WasiCtxBuilder, WasiCtxView, WasiView};
 
 use crate::channels::wasm::capabilities::ChannelCapabilities;
 use crate::channels::wasm::error::WasmChannelError;
@@ -74,7 +74,6 @@ const TELEGRAM_TEST_API_BASE_ENV: &str = "IRONCLAW_TEST_TELEGRAM_API_BASE_URL";
 wasmtime::component::bindgen!({
     path: "wit/channel.wit",
     world: "sandboxed-channel",
-    async: false,
     with: {
         // Use our own store data type
     },
@@ -268,12 +267,11 @@ impl ChannelStoreData {
 
 // Implement WasiView to provide WASI context and resource table
 impl WasiView for ChannelStoreData {
-    fn ctx(&mut self) -> &mut WasiCtx {
-        &mut self.wasi
-    }
-
-    fn table(&mut self) -> &mut ResourceTable {
-        &mut self.table
+    fn ctx(&mut self) -> WasiCtxView<'_> {
+        WasiCtxView {
+            ctx: &mut self.wasi,
+            table: &mut self.table,
+        }
     }
 }
 
@@ -1129,14 +1127,16 @@ impl WasmChannel {
     /// to properly register all host functions with correct component model signatures.
     fn add_host_functions(linker: &mut Linker<ChannelStoreData>) -> Result<(), WasmChannelError> {
         // Add WASI support (required by the component adapter)
-        wasmtime_wasi::add_to_linker_sync(linker).map_err(|e| {
+        wasmtime_wasi::p2::add_to_linker_sync(linker).map_err(|e| {
             WasmChannelError::Config(format!("Failed to add WASI functions: {}", e))
         })?;
 
         // Use the generated add_to_linker function from bindgen for our custom interface
-        near::agent::channel_host::add_to_linker(linker, |state| state).map_err(|e| {
-            WasmChannelError::Config(format!("Failed to add host functions: {}", e))
-        })?;
+        SandboxedChannel::add_to_linker::<_, wasmtime::component::HasSelf<_>>(
+            linker,
+            |state: &mut ChannelStoreData| state,
+        )
+        .map_err(|e| WasmChannelError::Config(format!("Failed to add host functions: {}", e)))?;
 
         Ok(())
     }
@@ -1445,8 +1445,12 @@ impl WasmChannel {
     }
 
     /// Map WASM execution errors to our error types.
-    fn map_wasm_error(e: anyhow::Error, name: &str, fuel_limit: u64) -> WasmChannelError {
-        let error_str = e.to_string();
+    fn map_wasm_error(
+        e: impl Into<anyhow::Error>,
+        name: &str,
+        fuel_limit: u64,
+    ) -> WasmChannelError {
+        let error_str = e.into().to_string();
         if error_str.contains("out of fuel") {
             WasmChannelError::FuelExhausted {
                 name: name.to_string(),

src/channels/wasm/wrapper.rs

@@ -166,6 +166,7 @@ impl WasmValidator {
                             Ok(exp) => {
                                 let kind = match exp.kind {
                                     wasmparser::ExternalKind::Func => ExportKind::Function,
+                                    wasmparser::ExternalKind::FuncExact => ExportKind::Function,
                                     wasmparser::ExternalKind::Memory => ExportKind::Memory,
                                     wasmparser::ExternalKind::Table => ExportKind::Table,
                                     wasmparser::ExternalKind::Global => ExportKind::Global,
@@ -186,11 +187,12 @@ impl WasmValidator {
                     }
                 }
                 Ok(wasmparser::Payload::ImportSection(reader)) => {
-                    for import in reader {
+                    for import in reader.into_imports() {
                         match import {
                             Ok(imp) => {
                                 let kind = match imp.ty {
                                     wasmparser::TypeRef::Func(_) => ImportKind::Function,
+                                    wasmparser::TypeRef::FuncExact(_) => ImportKind::Function,
                                     wasmparser::TypeRef::Memory(_) => ImportKind::Memory,
                                     wasmparser::TypeRef::Table(_) => ImportKind::Table,
                                     wasmparser::TypeRef::Global(_) => ImportKind::Global,

src/tools/builder/validation.rs

@@ -102,7 +102,7 @@ impl ResourceLimiter for WasmResourceLimiter {
         current: usize,
         desired: usize,
         _maximum: Option<usize>,
-    ) -> anyhow::Result<bool> {
+    ) -> Result<bool, wasmtime::Error> {
         let desired_u64 = desired as u64;
 
         if desired_u64 > self.memory_limit {
@@ -130,7 +130,7 @@ impl ResourceLimiter for WasmResourceLimiter {
         current: usize,
         desired: usize,
         _maximum: Option<usize>,
-    ) -> anyhow::Result<bool> {
+    ) -> Result<bool, wasmtime::Error> {
         // Allow reasonable table growth
         if desired > 10_000 {
             tracing::warn!(

src/tools/wasm/limits.rs

@@ -9,7 +9,7 @@ use std::sync::Arc;
 use std::time::Duration;
 
 use tokio::sync::RwLock;
-use wasmtime::{Config, Engine, OptLevel};
+use wasmtime::{Cache, Config, Engine, OptLevel};
 
 use crate::tools::wasm::error::WasmError;
 use crate::tools::wasm::limits::{FuelConfig, ResourceLimits};
@@ -18,15 +18,17 @@ use crate::tools::wasm::limits::{FuelConfig, ResourceLimits};
 /// which causes any store with an expired epoch deadline to trap.
 pub const EPOCH_TICK_INTERVAL: Duration = Duration::from_millis(500);
 
-/// Enable wasmtime's persistent compilation cache for a [`Config`].
+/// Enable Wasmtime's persistent compilation cache for a [`Config`].
 ///
-/// On Unix, this delegates to `cache_config_load_default()` which uses a
-/// shared cache directory. On Windows, each engine gets its own subdirectory
-/// (keyed by `label`) to avoid OS error 33 (`ERROR_LOCK_VIOLATION`) when
-/// multiple engines memory-map files in the same cache directory. See #448.
+/// If `explicit_dir` is `Some`, this writes a small cache TOML file pointing
+/// at that directory and loads it with [`Cache::from_file`].
 ///
-/// If `explicit_dir` is `Some`, it is used as the cache directory on all
-/// platforms, bypassing the default.
+/// If `explicit_dir` is `None`, we load Wasmtime's default cache configuration
+/// by calling `Cache::from_file(None)`.
+///
+/// On Windows, the caller typically passes an engine-specific directory keyed
+/// by `label` to avoid OS error 33 (`ERROR_LOCK_VIOLATION`) when multiple
+/// engines memory-map files in the same cache directory. See #448.
 pub fn enable_compilation_cache(
     wasmtime_config: &mut Config,
     label: &str,
@@ -60,11 +62,11 @@ pub fn enable_compilation_cache(
                 .replace('"', "\\\"");
             let toml_content = format!("[cache]\nenabled = true\ndirectory = \"{}\"\n", escaped);
             std::fs::write(&toml_path, toml_content)?;
-            wasmtime_config.cache_config_load(&toml_path)?;
+            wasmtime_config.cache(Some(Cache::from_file(Some(&toml_path))?));
             Ok(())
         }
         None => {
-            wasmtime_config.cache_config_load_default()?;
+            wasmtime_config.cache(Some(Cache::from_file(None)?));
             Ok(())
         }
     }

src/tools/wasm/runtime.rs

@@ -14,7 +14,7 @@ use std::time::{Duration, Instant};
 use async_trait::async_trait;
 use wasmtime::Store;
 use wasmtime::component::Linker;
-use wasmtime_wasi::{ResourceTable, WasiCtx, WasiCtxBuilder, WasiView};
+use wasmtime_wasi::{ResourceTable, WasiCtx, WasiCtxBuilder, WasiCtxView, WasiView};
 
 use crate::auth::resolve_secret_for_runtime;
 use crate::context::JobContext;
@@ -42,7 +42,6 @@ use ironclaw_safety::LeakDetector;
 wasmtime::component::bindgen!({
     path: "wit/tool.wit",
     world: "sandboxed-tool",
-    async: false,
     with: {},
 });
 
@@ -266,12 +265,11 @@ impl StoreData {
 // Provide WASI context for the WASM component.
 // Required because tools are compiled with wasm32-wasip2 target.
 impl WasiView for StoreData {
-    fn ctx(&mut self) -> &mut WasiCtx {
-        &mut self.wasi
-    }
-
-    fn table(&mut self) -> &mut ResourceTable {
-        &mut self.table
+    fn ctx(&mut self) -> WasiCtxView<'_> {
+        WasiCtxView {
+            ctx: &mut self.wasi,
+            table: &mut self.table,
+        }
     }
 }
 
@@ -976,12 +974,15 @@ impl WasmToolWrapper {
     /// `near:agent/host` namespace.
     fn add_host_functions(linker: &mut Linker<StoreData>) -> Result<(), WasmError> {
         // Add WASI support (required by components built with wasm32-wasip2)
-        wasmtime_wasi::add_to_linker_sync(linker)
+        wasmtime_wasi::p2::add_to_linker_sync(linker)
             .map_err(|e| WasmError::ConfigError(format!("Failed to add WASI functions: {}", e)))?;
 
         // Add our custom host interface using the generated add_to_linker
-        near::agent::host::add_to_linker(linker, |state| state)
-            .map_err(|e| WasmError::ConfigError(format!("Failed to add host functions: {}", e)))?;
+        SandboxedTool::add_to_linker::<_, wasmtime::component::HasSelf<_>>(
+            linker,
+            |state: &mut StoreData| state,
+        )
+        .map_err(|e| WasmError::ConfigError(format!("Failed to add host functions: {}", e)))?;
 
         Ok(())
     }

src/tools/wasm/wrapper.rs

@@ -13,7 +13,7 @@
 
 use std::path::{Path, PathBuf};
 
-use wasmtime_wasi::{ResourceTable, WasiCtx, WasiCtxBuilder, WasiView};
+use wasmtime_wasi::{ResourceTable, WasiCtx, WasiCtxBuilder, WasiCtxView, WasiView};
 
 /// Minimal store data that satisfies WasiView for component instantiation.
 struct TestStoreData {
@@ -31,12 +31,11 @@ impl TestStoreData {
 }
 
 impl WasiView for TestStoreData {
-    fn ctx(&mut self) -> &mut WasiCtx {
-        &mut self.wasi
-    }
-
-    fn table(&mut self) -> &mut ResourceTable {
-        &mut self.table
+    fn ctx(&mut self) -> WasiCtxView<'_> {
+        WasiCtxView {
+            ctx: &mut self.wasi,
+            table: &mut self.table,
+        }
     }
 }
 
@@ -167,30 +166,30 @@ fn compile_component(
 fn stub_shared_host_functions(
     host: &mut wasmtime::component::LinkerInstance<'_, TestStoreData>,
 ) -> Result<(), String> {
-    host.func_new("log", |_ctx, _args, _results| Ok(()))
+    host.func_new("log", |_ctx, _ty, _args, _results| Ok(()))
         .map_err(|e| format!("stub 'log': {e}"))?;
 
-    host.func_new("now-millis", |_ctx, _args, results| {
+    host.func_new("now-millis", |_ctx, _ty, _args, results| {
         results[0] = wasmtime::component::Val::U64(0);
         Ok(())
     })
     .map_err(|e| format!("stub 'now-millis': {e}"))?;
 
-    host.func_new("workspace-read", |_ctx, _args, results| {
+    host.func_new("workspace-read", |_ctx, _ty, _args, results| {
         results[0] = wasmtime::component::Val::Option(None);
         Ok(())
     })
     .map_err(|e| format!("stub 'workspace-read': {e}"))?;
 
-    host.func_new("http-request", |_ctx, _args, results| {
+    host.func_new("http-request", |_ctx, _ty, _args, results| {
         results[0] = wasmtime::component::Val::Result(Err(Some(Box::new(
             wasmtime::component::Val::String("stub".into()),
         ))));
         Ok(())
     })
     .map_err(|e| format!("stub 'http-request': {e}"))?;
 
-    host.func_new("secret-exists", |_ctx, _args, results| {
+    host.func_new("secret-exists", |_ctx, _ty, _args, results| {
         results[0] = wasmtime::component::Val::Bool(false);
         Ok(())
     })
@@ -209,7 +208,7 @@ fn instantiate_tool_component(
 
     let mut linker: Linker<TestStoreData> = Linker::new(engine);
 
-    wasmtime_wasi::add_to_linker_sync(&mut linker)
+    wasmtime_wasi::p2::add_to_linker_sync(&mut linker)
         .map_err(|e| format!("WASI linker failed: {e}"))?;
 
     // If the WIT added/removed/renamed a function, stub registration
@@ -221,7 +220,7 @@ fn instantiate_tool_component(
         if let Ok(mut host) = root.instance(interface) {
             stub_shared_host_functions(&mut host)?;
 
-            host.func_new("tool-invoke", |_ctx, _args, results| {
+            host.func_new("tool-invoke", |_ctx, _ty, _args, results| {
                 results[0] = wasmtime::component::Val::Result(Err(Some(Box::new(
                     wasmtime::component::Val::String("stub".into()),
                 ))));
@@ -249,7 +248,7 @@ fn instantiate_channel_component(
 
     let mut linker: Linker<TestStoreData> = Linker::new(engine);
 
-    wasmtime_wasi::add_to_linker_sync(&mut linker)
+    wasmtime_wasi::p2::add_to_linker_sync(&mut linker)
         .map_err(|e| format!("WASI linker failed: {e}"))?;
 
     // Register stubs for both versioned (0.3.0+) and unversioned (pre-0.3.0) interface
@@ -261,30 +260,30 @@ fn instantiate_channel_component(
     ) -> Result<(), String> {
         stub_shared_host_functions(host)?;
 
-        host.func_new("store-attachment-data", |_ctx, _args, results| {
+        host.func_new("store-attachment-data", |_ctx, _ty, _args, results| {
             results[0] = wasmtime::component::Val::Result(Ok(None));
             Ok(())
         })
         .map_err(|e| format!("stub 'store-attachment-data': {e}"))?;
 
-        host.func_new("emit-message", |_ctx, _args, _results| Ok(()))
+        host.func_new("emit-message", |_ctx, _ty, _args, _results| Ok(()))
             .map_err(|e| format!("stub 'emit-message': {e}"))?;
 
-        host.func_new("workspace-write", |_ctx, _args, results| {
+        host.func_new("workspace-write", |_ctx, _ty, _args, results| {
             results[0] = wasmtime::component::Val::Result(Ok(None));
             Ok(())
         })
         .map_err(|e| format!("stub 'workspace-write': {e}"))?;
 
-        host.func_new("pairing-upsert-request", |_ctx, _args, results| {
+        host.func_new("pairing-upsert-request", |_ctx, _ty, _args, results| {
             results[0] = wasmtime::component::Val::Result(Err(Some(Box::new(
                 wasmtime::component::Val::String("stub".into()),
             ))));
             Ok(())
         })
         .map_err(|e| format!("stub 'pairing-upsert-request': {e}"))?;
 
-        host.func_new("pairing-resolve-identity", |_ctx, _args, results| {
+        host.func_new("pairing-resolve-identity", |_ctx, _ty, _args, results| {
             // Test stub: unknown sender — returns Ok(option::none).
             results[0] = wasmtime::component::Val::Result(Ok(Some(Box::new(
                 wasmtime::component::Val::Option(None),
@@ -293,7 +292,7 @@ fn instantiate_channel_component(
         })
         .map_err(|e| format!("stub 'pairing-resolve-identity': {e}"))?;
 
-        host.func_new("pairing-read-allow-from", |_ctx, _args, results| {
+        host.func_new("pairing-read-allow-from", |_ctx, _ty, _args, results| {
             results[0] = wasmtime::component::Val::Result(Ok(Some(Box::new(
                 wasmtime::component::Val::List(vec![]),
             ))));