feat(body): allow_body target rule + body-aware proxy_on_request_body

eval.zig:
- New evaluateWithTarget(arena, input, ast, target_rule). evaluate()
  becomes a thin wrapper targeting 'allow'.

main.zig:
- New evaluate_target wasm export with explicit target_rule pointer
  / length pair, mirroring the request-target ABI.

proxy_wasm.zig:
- proxy_on_request_body waits for end_of_stream then reads up to
  max_body_bytes (64 KiB) via proxy_get_buffer_bytes.
- Builds {body: <parsed-or-null>, body_raw: <string>}: tries JSON
  parse first; on failure 'body' is null and 'body_raw' carries the
  raw bytes so policies can still match e.g. with the upcoming
  'contains' builtin.
- Evaluates 'allow_body' target rule. Deny -> 403 + Action.Pause.
- Header-side path stays on 'allow', unchanged.

Note on header context: hosts (Envoy/wamr in particular) clear
:method / :path from the header map by the time the body callback
fires, so a body rule that needs request method must depend on a
snapshot taken in proxy_on_request_headers. Per-context snapshot
plumbing is intentionally out of scope for v1; v1 surfaces only the
body itself. Tracked in the design doc.

Tests:
- src/eval.zig: 3 unit cases (amount-over-limit denies, missing
  target denies, body_raw fallback).
- test/run.mjs and test/run_wasmtime.py: 4 cases each driving the
  new evaluate_target export end-to-end through the wasm boundary.

Release build grows from 50K to 54K. ci.yml gains test-unit job in
line with the other implementation branches.

Author: kanywst

src/eval.zig

@@ -46,9 +46,9 @@ const Scope = struct {
 ///
 /// Targets the default package ("") and the default rule ("allow").
 /// Use `evaluateWithTarget` to pick a non-default rule (e.g.
-/// "allow_response"), or `evaluateAddressed` to dispatch into a
-/// specific `package.rule` pair within a `{"type":"modules", ...}`
-/// bundle.
+/// "allow_response" or "allow_body"), or `evaluateAddressed` to
+/// dispatch into a specific `package.rule` pair within a
+/// `{"type":"modules", ...}` bundle.
 pub fn evaluate(
     arena: *std.heap.ArenaAllocator,
     input_json: []const u8,
@@ -58,9 +58,10 @@ pub fn evaluate(
 }
 
 /// Run a single evaluation against `target_rule` in the default
-/// package (""). Used by the proxy-wasm shim to route the
-/// response-phase callback to the `allow_response` rule while
-/// keeping the request-phase on `allow`.
+/// package (""). Used by the proxy-wasm shim to route phase-specific
+/// callbacks: `allow_response` for the response phase and
+/// `allow_body` for the body phase, while the request-headers phase
+/// stays on `allow`.
 pub fn evaluateWithTarget(
     arena: *std.heap.ArenaAllocator,
     input_json: []const u8,
@@ -612,6 +613,58 @@ test "evaluateWithTarget: allow target preserves default behaviour" {
     try testing.expect(try runWithTarget("{}", policy, "allow"));
 }
 
+test "evaluateWithTarget: allow_body fires on amount > limit" {
+    const policy =
+        "{\"type\":\"module\",\"rules\":[" ++
+        "{\"type\":\"rule\",\"name\":\"allow_body\",\"default\":true," ++
+        "\"value\":{\"type\":\"value\",\"value\":true}}," ++
+        "{\"type\":\"rule\",\"name\":\"allow_body\",\"body\":[" ++
+        "{\"type\":\"gt\"," ++
+        "\"left\":{\"type\":\"ref\",\"path\":[\"input\",\"body\",\"amount\"]}," ++
+        "\"right\":{\"type\":\"value\",\"value\":1000}}]," ++
+        "\"value\":{\"type\":\"value\",\"value\":false}}" ++
+        "]}";
+
+    // Body amount over limit -> rule fires returning false -> deny.
+    try testing.expect(!(try runWithTarget(
+        "{\"body\":{\"amount\":5000},\"body_raw\":\"...\"}",
+        policy,
+        "allow_body",
+    )));
+
+    // Body amount under limit -> default rule wins -> allow.
+    try testing.expect(try runWithTarget(
+        "{\"body\":{\"amount\":50},\"body_raw\":\"...\"}",
+        policy,
+        "allow_body",
+    ));
+}
+
+test "evaluateWithTarget: body_raw fallback when body parse fails" {
+    // Policy targets body_raw directly so a non-JSON body is still
+    // policy-checkable.
+    const policy =
+        "{\"type\":\"module\",\"rules\":[" ++
+        "{\"type\":\"rule\",\"name\":\"allow_body\",\"body\":[" ++
+        "{\"type\":\"eq\"," ++
+        "\"left\":{\"type\":\"ref\",\"path\":[\"input\",\"body_raw\"]}," ++
+        "\"right\":{\"type\":\"value\",\"value\":\"BLOCKED\"}}]," ++
+        "\"value\":{\"type\":\"value\",\"value\":false}}," ++
+        "{\"type\":\"rule\",\"name\":\"allow_body\",\"default\":true," ++
+        "\"value\":{\"type\":\"value\",\"value\":true}}" ++
+        "]}";
+    try testing.expect(!(try runWithTarget(
+        "{\"body\":null,\"body_raw\":\"BLOCKED\"}",
+        policy,
+        "allow_body",
+    )));
+    try testing.expect(try runWithTarget(
+        "{\"body\":null,\"body_raw\":\"ok\"}",
+        policy,
+        "allow_body",
+    ));
+}
+
 test "evaluate: every+some over arrays" {
     const policy =
         "{\"type\":\"every\",\"var\":\"req\"," ++

src/main.zig

@@ -53,9 +53,10 @@ export fn evaluate(
 }
 
 /// Run one evaluation against an explicit target rule. Same return
-/// codes as `evaluate`. Hosts that want to drive the response-side
-/// "allow_response" path (or any other target name) call this
-/// instead of the default `evaluate`.
+/// codes as `evaluate`. Hosts that want to drive a non-default rule
+/// (`allow_response` for the response phase, `allow_body` for the
+/// body phase, or any other target name) call this instead of the
+/// default `evaluate`.
 export fn evaluate_target(
     input_ptr: [*]const u8,
     input_len: usize,

src/proxy_wasm.zig

@@ -4,8 +4,9 @@
 //! `proxy_on_context_create`, `proxy_on_request_headers`,
 //! `proxy_on_request_body`, `proxy_on_response_headers`,
 //! `proxy_on_done`. Request headers fire the "allow" target rule;
+//! request body fires "allow_body" with `{"body": <parsed-json>,
+//! "body_raw": <string>}` once the host signals end of stream;
 //! response headers fire "allow_response" with `{"response":{...}}`.
-//! Body callbacks are no-ops; see ROADMAP.md.
 //!
 //! Configuration: the policy AST JSON arrives via
 //! `proxy_on_configure`. We copy it into `host_allocator` so it
@@ -16,8 +17,9 @@
 //! `malloc`. We `hostFree` them once consumed.
 
 const std = @import("std");
-const memory = @import("memory.zig");
 const eval = @import("eval.zig");
+const json = @import("json.zig");
+const memory = @import("memory.zig");
 
 // ABI version negotiation: one empty export per supported version.
 
@@ -144,12 +146,88 @@ export fn proxy_on_request_headers(_: i32, _: i32, _: i32) i32 {
     return action_continue;
 }
 
-/// No-op for now. Keeps the symbol resolvable when the filter
-/// declares body interest.
-export fn proxy_on_request_body(_: i32, _: i32, _: i32) i32 {
+/// Evaluate against the request body once the host signals end of
+/// stream. Until then we return `Continue` so streaming chunks pass
+/// through; the final fragment triggers the eval. Body input shape
+/// is `{"body": <parsed-or-null>, "body_raw": <string>}`.
+///
+/// Hosts clear `:method` / `:path` from the header map by the time
+/// this fires (Envoy/wamr behaviour), so a body rule that needs
+/// header context must depend on a snapshot taken in
+/// `proxy_on_request_headers`. Per-context snapshot plumbing is
+/// tracked in ROADMAP.md; v1 surfaces only the body itself.
+export fn proxy_on_request_body(_: i32, body_size: i32, end_of_stream: i32) i32 {
+    if (end_of_stream == 0) return action_continue;
+    if (body_size <= 0) return action_continue;
+    const policy = configured_policy orelse return action_continue;
+    if (!evaluateBodyAt(@intCast(body_size), policy)) {
+        denyWithStatus(403);
+        return action_pause;
+    }
     return action_continue;
 }
 
+const body_target_rule: []const u8 = "allow_body";
+const max_body_bytes: usize = 64 * 1024;
+
+fn evaluateBodyAt(body_size: usize, policy: []const u8) bool {
+    const arena = memory.requestArena();
+    defer memory.resetRequestArena();
+    const allocator = arena.allocator();
+
+    const cap = if (body_size > max_body_bytes) max_body_bytes else body_size;
+    const body_bytes = readBodyBytes(allocator, cap) catch return false;
+    const input_bytes = buildBodyInput(allocator, body_bytes) catch return false;
+    return eval.evaluateWithTarget(arena, input_bytes, policy, body_target_rule) catch false;
+}
+
+/// Pull the request body from the host. Returns an empty slice on
+/// host error so the caller sees a body of "" rather than failing
+/// the request outright.
+fn readBodyBytes(allocator: std.mem.Allocator, cap: usize) ![]const u8 {
+    var data: ?[*]u8 = null;
+    var data_size: usize = 0;
+    const status = proxy_get_buffer_bytes(
+        buffer_type_http_request_body,
+        0,
+        cap,
+        &data,
+        &data_size,
+    );
+    if (status != status_ok) return &[_]u8{};
+    if (data_size == 0) return &[_]u8{};
+    const ptr = data orelse return &[_]u8{};
+    defer memory.hostFree(ptr);
+    return try allocator.dupe(u8, ptr[0..data_size]);
+}
+
+/// Build `{"body": <parsed-json-or-null>, "body_raw": <string>}`. We
+/// try to parse the body as JSON; if it fails, `body` is null and
+/// the policy can still match against `body_raw` (e.g. with the
+/// `contains` builtin). The parsed copy is dropped on the next
+/// arena reset, so this only costs one transient walk.
+fn buildBodyInput(allocator: std.mem.Allocator, body: []const u8) ![]u8 {
+    const parsed_ok = blk: {
+        _ = json.parse(allocator, body) catch break :blk false;
+        break :blk true;
+    };
+
+    var buf: std.ArrayList(u8) = .empty;
+    defer buf.deinit(allocator);
+
+    try buf.appendSlice(allocator, "{\"body\":");
+    if (parsed_ok and body.len > 0) {
+        try buf.appendSlice(allocator, body);
+    } else {
+        try buf.appendSlice(allocator, "null");
+    }
+    try buf.appendSlice(allocator, ",\"body_raw\":");
+    try appendJsonString(allocator, &buf, body);
+    try buf.append(allocator, '}');
+
+    return try allocator.dupe(u8, buf.items);
+}
+
 /// Evaluate against response status + headers under the
 /// `allow_response` target rule. Deny replaces the response with a
 /// 503; allow lets the upstream response through unchanged.

test/run.mjs

@@ -605,6 +605,73 @@ check(
   0,
 );
 
+// ---------------------------------------------------------------------------
+// 12. evaluate_target: body-side rules driven via the new export.
+//
+// proxy_on_request_body in proxy_wasm.zig fires the "allow_body"
+// target rule against {body, body_raw}. The generic evaluate_target
+// export lets hosts reach the same eval path without proxy-wasm.
+// ---------------------------------------------------------------------------
+const bodyPolicy = {
+  type: 'module',
+  rules: [
+    { type: 'rule', name: 'allow_body', default: true, value: { type: 'value', value: true } },
+    {
+      type: 'rule',
+      name: 'allow_body',
+      body: [
+        {
+          type: 'gt',
+          left: { type: 'ref', path: ['input', 'body', 'amount'] },
+          right: { type: 'value', value: 1000 },
+        },
+      ],
+      value: { type: 'value', value: false },
+    },
+  ],
+};
+check(
+  'evaluate_target allow_body: amount over limit -> deny',
+  decideTarget({ body: { amount: 5000 }, body_raw: '{"amount":5000}' }, bodyPolicy, 'allow_body'),
+  0,
+);
+check(
+  'evaluate_target allow_body: amount under limit -> allow',
+  decideTarget({ body: { amount: 50 }, body_raw: '{"amount":50}' }, bodyPolicy, 'allow_body'),
+  1,
+);
+
+// body_raw fallback: policies can match on the raw bytes when the
+// body did not parse as JSON.
+const rawPolicy = {
+  type: 'module',
+  rules: [
+    {
+      type: 'rule',
+      name: 'allow_body',
+      body: [
+        {
+          type: 'eq',
+          left: { type: 'ref', path: ['input', 'body_raw'] },
+          right: { type: 'value', value: 'BLOCKED' },
+        },
+      ],
+      value: { type: 'value', value: false },
+    },
+    { type: 'rule', name: 'allow_body', default: true, value: { type: 'value', value: true } },
+  ],
+};
+check(
+  'evaluate_target allow_body: body_raw=BLOCKED -> deny',
+  decideTarget({ body: null, body_raw: 'BLOCKED' }, rawPolicy, 'allow_body'),
+  0,
+);
+check(
+  'evaluate_target allow_body: body_raw=ok -> allow',
+  decideTarget({ body: null, body_raw: 'ok' }, rawPolicy, 'allow_body'),
+  1,
+);
+
 if (failed > 0) {
   console.error(`\n${failed} test(s) failed`);
   exit(1);

test/run_wasmtime.py

@@ -460,6 +460,67 @@ def check(name: str, got, expected):
     0,
 )
 
+# ---------------------------------------------------------------------------
+# 12. evaluate_target: body-side rules via the explicit-target export.
+# ---------------------------------------------------------------------------
+body_policy = {
+    "type": "module",
+    "rules": [
+        {"type": "rule", "name": "allow_body", "default": True, "value": {"type": "value", "value": True}},
+        {
+            "type": "rule",
+            "name": "allow_body",
+            "body": [
+                {
+                    "type": "gt",
+                    "left": {"type": "ref", "path": ["input", "body", "amount"]},
+                    "right": {"type": "value", "value": 1000},
+                }
+            ],
+            "value": {"type": "value", "value": False},
+        },
+    ],
+}
+check(
+    "evaluate_target allow_body: amount over limit -> deny",
+    decide_target({"body": {"amount": 5000}, "body_raw": "{\"amount\":5000}"}, body_policy, "allow_body"),
+    0,
+)
+check(
+    "evaluate_target allow_body: amount under limit -> allow",
+    decide_target({"body": {"amount": 50}, "body_raw": "{\"amount\":50}"}, body_policy, "allow_body"),
+    1,
+)
+
+raw_policy = {
+    "type": "module",
+    "rules": [
+        {
+            "type": "rule",
+            "name": "allow_body",
+            "body": [
+                {
+                    "type": "eq",
+                    "left": {"type": "ref", "path": ["input", "body_raw"]},
+                    "right": {"type": "value", "value": "BLOCKED"},
+                }
+            ],
+            "value": {"type": "value", "value": False},
+        },
+        {"type": "rule", "name": "allow_body", "default": True, "value": {"type": "value", "value": True}},
+    ],
+}
+check(
+    "evaluate_target allow_body: body_raw=BLOCKED -> deny",
+    decide_target({"body": None, "body_raw": "BLOCKED"}, raw_policy, "allow_body"),
+    0,
+)
+check(
+    "evaluate_target allow_body: body_raw=ok -> allow",
+    decide_target({"body": None, "body_raw": "ok"}, raw_policy, "allow_body"),
+    1,
+)
+
 if failed:
     print(f"\n{failed} test(s) failed", file=sys.stderr)
     sys.exit(1)