feat(reborn): route WASM HTTP through shared egress

[serrrfirat]

Summary

Follow-up after #3098 to route the Reborn WASM WIT http-request host import through the shared RuntimeHttpEgress boundary instead of a WASM-local/mock HTTP surface.

What changed

• Adds WasmRuntimeHttpAdapter<E> in ironclaw_wasm:
  • converts WIT-native method/header/body/timeout shapes into RuntimeHttpEgressRequest
  • forwards host-supplied scope, network policy, response limit, and request-scoped credential injections
  • uses a host-owned WasmRuntimeCredentialProvider so credential injections are resolved from the actual method/URL/headers rather than reused adapter-wide
  • sanitizes credential-provider and shared-egress errors to stable runtime-visible categories
  • does not create HTTP clients, resolve DNS, apply ad-hoc SSRF policy, or inject credentials
  • marks post-send shared-egress failures so WASM execution accounting preserves outbound request bytes, including zero-body response-stage failures
  • strips sensitive response headers before encoding the WIT headers-json object using the shared runtime-sensitive header vocabulary, including token/auth/secret/credential/password/cookie-bearing header names beyond exact matches
  • combines duplicate non-sensitive response headers case-insensitively at the WIT JSON-object boundary
• Threads timeout_ms through RuntimeHttpEgressRequest -> NetworkHttpRequest -> NetworkTransportRequest; reqwest-backed transport applies the smaller of the request timeout and the host transport default.
• Updates Script/MCP HTTP request structs to carry the shared timeout field and return stable sanitized shared-egress error categories.
• Bumps Wasmtime/WASI patch versions from 43.0.1 to 43.0.2 to clear the cargo-deny advisory gate.
• Updates the WASM dispatch integration smoke to use the shared egress adapter for the HTTP trap path.
• Documents the WASM/shared-egress boundary in docs/reborn/contracts/wasm.md.

Verification

cargo fmt --all -- --check
CARGO_TARGET_DIR=/tmp/ironclaw-reborn-wasm-egress-target cargo test -p ironclaw_wasm
CARGO_TARGET_DIR=/tmp/ironclaw-reborn-wasm-egress-target cargo test -p ironclaw_host_api -p ironclaw_host_runtime -p ironclaw_network -p ironclaw_scripts -p ironclaw_mcp
CARGO_TARGET_DIR=/tmp/ironclaw-reborn-wasm-egress-target cargo clippy -q -p ironclaw_host_api -p ironclaw_wasm -p ironclaw_host_runtime -p ironclaw_network -p ironclaw_scripts -p ironclaw_mcp --all-targets -- -D warnings
CARGO_TARGET_DIR=/tmp/ironclaw-reborn-wasm-egress-target cargo test -p ironclaw_architecture
cargo deny check
git diff --check

Links

Completes #3085.
Part of #2987.

[gemini-code-assist]

Code Review

This pull request introduces the WasmRuntimeHttpAdapter, which bridges WASM WIT HTTP imports to the shared RuntimeHttpEgress service, handling header sanitization and error mapping. Feedback was provided to improve the robustness of header decoding for empty strings and to use a Vec instead of a Map for encoding headers to support duplicate keys. Additionally, the logic for determining if a request was sent should be refined to correctly account for bodyless requests like GET, ensuring accurate error reporting and resource tracking.

[gemini-code-assist]

The serde_json::from_str call will fail with an error if headers_json is an empty string. While the WIT contract usually provides a JSON object string (like {}), it's safer to handle the empty string case explicitly. Per repository guidelines, when handling empty strings in the context of JSON schemas, they should be preserved unless the schema specifically requires null or disallows strings.

References

1. When coercing an empty string to a value based on a JSON schema, convert it to null only if the schema allows null or does not allow string. Otherwise, preserve the empty string as it may be a valid value.

[gemini-code-assist]

Using a serde_json::Map to encode headers means that if the response from the egress service contains duplicate header names (e.g., multiple Set-Cookie headers), only the last one will be preserved. Consider using a Vec<(String, String)> to maintain all headers and their insertion order. For small collections, a Vec is often preferred over a Map or Set in this repository to ensure deterministic behavior and support duplicate keys.

References

1. When choosing data structures, consider the trade-offs between performance, readability, and deterministic ordering for debugging. For small, non-performance-critical collections, a Vec might be preferred over a HashSet if insertion order is important for debugging.

[gemini-code-assist]

The logic error.request_bytes() > 0 to determine if a request was sent might be inaccurate for requests with no body (e.g., a simple GET request). If request_bytes only tracks the body size, then a failed GET request that was actually sent to the network will be reported as Denied instead of FailedAfterRequestSent. Ensure that any accumulated metrics like resource usage are correctly tracked and propagated even when an operation fails.

References

1. When an operation can fail, ensure that any accumulated metrics (like resource usage) are propagated out along with the error, not discarded.