feat(credentials): resolver becomes a per-request callback

Replace the static-token storage model with a host-side callback that
produces the token at request-dispatch time, so resolvers can refresh
tokens (IMDS, OAuth, Key Vault, ...) without re-registering credentials.

Core (`hyperlight_sandbox`):
* `ResolverFn = Arc<dyn Fn() -> Result<String, String> + Send + Sync>`,
  invoked once per credentialed outgoing request. The registry mutex
  is released *before* the resolver runs, so a slow resolver cannot
  stall unrelated requests.
* `CredentialEntry::with_static_resolver` for tests / short-lived
  tokens.
* Manual `Debug` impl on `CredentialEntry` renders the resolver as
  `<callback>` so captured secrets cannot leak via logs, panics, or
  `dbg!` output.
* Re-export `ResolverFn` from the crate root.

Wire path (`wasi_impl/http_handler.rs`):
* Clone the credential entry by id, drop the mutex, enforce scope
  (URL prefix) before the existing `allow_domain` network gate,
  invoke the resolver, filter any guest-set header of the same name
  (case-insensitive), then inject `<header>: <prefix><token>`.
* On resolver `Err`, the diagnostic is dropped before crossing the
  guest boundary; the guest sees only
  `InternalError("credential resolver failed")`. `ResolverFn` rustdoc
  updated to match this behaviour (was previously inaccurate).

Python SDK (`hyperlight_sandbox` / `wasm_backend`):
* `register_credential(..., resolver: Callable[[], str])` accepts any
  zero-arg Python callable. The PyO3 bridge re-acquires the GIL on
  every invocation. When the resolver raises, only the exception
  **type name** is forwarded across the FFI boundary; the message
  body is dropped (it may have been assembled from secret material).

Integration tests (`src/wasm_sandbox/tests/credential_integration.rs`):
* `resolver_invoked_per_request` — atomic counter + rotating tokens
  prove the resolver runs on every request, not once at registration.
* `resolver_failure_surfaces_as_error` — resolver returns a
  secret-bearing diagnostic; the test asserts the diagnostic is
  absent from guest stdout and from the surfaced error payload.
* `isolated_registries_across_sandboxes` — two sandboxes register the
  same credential id with different tokens; each sees only its own.

Hygiene:
* Fix joined-line whitespace bug in `wasm_backend/src/lib.rs`.
* Sort `sandbox_executor` imports in guest `hyperlight.py` for the
  new `attach_credential` entry (was `I001`).

Signed-off-by: Simon Davies <simongdavies@users.noreply.github.com>

Author: simongdavies

src/hyperlight_sandbox/src/credentials.rs

@@ -8,19 +8,39 @@
 //! * `header` — HTTP header name (e.g. `"Authorization"`).
 //! * `prefix` — Value prefix prepended to the resolved token
 //!   (e.g. `"Bearer "`).
-//! * `resolver` — Opaque resolver identifier. Today this is a simple
-//!   string key; a future commit will support async resolution
-//!   callbacks.
+//! * `resolver` — A host-side callback invoked on every credentialed
+//!   outgoing request to produce a fresh secret value. The host calls
+//!   the resolver synchronously from the WASI HTTP dispatch path, so
+//!   implementations should be fast and (where appropriate) memoise
+//!   internally. Errors returned by the resolver surface to the guest
+//!   as a request-level dispatch failure with a host-redacted message.
 //!
 //! The registry is populated by the host before the guest runs.
 //! Guests bind a credential to a specific outgoing request via WIT
 //! `attach`.
 
 use std::collections::HashMap;
+use std::fmt;
 use std::sync::{Arc, Mutex};
 
+/// Host-side callback that produces the secret token value for a
+/// credential at request-dispatch time.
+///
+/// The returned `String` is treated as the literal token; the host
+/// prepends [`CredentialEntry::prefix`] to it to form the outgoing
+/// header value.
+///
+/// On error, the returned diagnostic string is **dropped** by the
+/// outgoing-handler before any guest-visible error is produced — it
+/// is neither sent to the guest nor logged by this crate. The wire
+/// path surfaces only a fixed `"credential resolver failed"`
+/// indication. Resolver authors who need diagnostics should record
+/// them inside the resolver itself (e.g. via the host's own logger)
+/// before returning the `Err`.
+pub type ResolverFn = Arc<dyn Fn() -> Result<String, String> + Send + Sync>;
+
 /// Metadata for a single scoped credential.
-#[derive(Debug, Clone)]
+#[derive(Clone)]
 pub struct CredentialEntry {
     /// URL-prefix scope. Only requests whose URL starts with this
     /// value are eligible for credential injection.
@@ -33,9 +53,47 @@ pub struct CredentialEntry {
     /// (e.g. `"Bearer "`). May be empty.
     pub prefix: String,
 
-    /// Opaque resolver identifier. The outgoing-handler will use
-    /// this to obtain the actual secret value at dispatch time.
-    pub resolver: String,
+    /// Resolver callback. Invoked on every credentialed outgoing
+    /// request; see [`ResolverFn`] for the contract.
+    pub resolver: ResolverFn,
+}
+
+impl fmt::Debug for CredentialEntry {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        // The resolver is a function pointer that may close over secret
+        // material; we never want it (or its captures) to appear in a
+        // log line, panic message, or `dbg!` output.
+        f.debug_struct("CredentialEntry")
+            .field("target", &self.target)
+            .field("header", &self.header)
+            .field("prefix", &self.prefix)
+            .field("resolver", &"<callback>")
+            .finish()
+    }
+}
+
+impl CredentialEntry {
+    /// Build a [`CredentialEntry`] whose resolver returns a fixed
+    /// token string on every invocation.
+    ///
+    /// Convenience constructor for tests, examples, and trivially
+    /// short-lived secrets. Production callers that need refresh
+    /// behaviour (managed identities, OAuth, …) should construct
+    /// the entry directly with a custom [`ResolverFn`].
+    pub fn with_static_resolver(
+        target: impl Into<String>,
+        header: impl Into<String>,
+        prefix: impl Into<String>,
+        token: impl Into<String>,
+    ) -> Self {
+        let token = token.into();
+        Self {
+            target: target.into(),
+            header: header.into(),
+            prefix: prefix.into(),
+            resolver: Arc::new(move || Ok(token.clone())),
+        }
+    }
 }
 
 /// Shared, thread-safe credential registry keyed by credential id.

src/hyperlight_sandbox/src/lib.rs

@@ -18,7 +18,7 @@ pub use cap_fs::{
     CapFs, DescriptorFlags, DescriptorStat, DescriptorType, Dir, DirPerms, FilePerms, FsError,
     OpenFlags,
 };
-pub use credentials::{CredentialEntry, CredentialRegistry};
+pub use credentials::{CredentialEntry, CredentialRegistry, ResolverFn};
 pub use network::{HttpMethod, MethodFilter, NetworkPermission, NetworkPermissions};
 use serde::{Deserialize, Serialize};
 pub use tools::{ArgType, ToolRegistry, ToolSchema};

src/sdk/python/core/hyperlight_sandbox/__init__.py

@@ -187,7 +187,7 @@ def register_credential(
         target: str,
         header: str = "Authorization",
         prefix: str = "Bearer ",
-        resolver: str,
+        resolver: Callable[[], str],
     ) -> None:
         """Register a scoped credential for outgoing HTTP requests.
 
@@ -201,8 +201,15 @@ def register_credential(
             header: HTTP header name to set (default ``Authorization``).
             prefix: Value prefix prepended to the resolved token
                 (default ``Bearer ``).
-            resolver: Opaque resolver key.  Currently used as the
-                literal token value (static credentials).
+            resolver: A callable invoked with no arguments on every
+                credentialed outgoing request to produce a fresh token
+                value as a ``str``.  Called synchronously from the host
+                HTTP dispatch path, so it must be fast and thread-safe;
+                long-running fetches (e.g. IMDS, OAuth) should be
+                memoised by the caller.  Any exception raised by the
+                callable surfaces to guest code as a host-redacted
+                request-level error (only the exception **type name**
+                is propagated; the message body is dropped).
         """
         self._inner.register_credential(id, target, header, prefix, resolver)
 

src/sdk/python/wasm_backend/src/lib.rs

@@ -1,7 +1,8 @@
 use std::collections::HashMap;
+use std::sync::Arc;
 
 use hyperlight_sandbox::{
-    DEFAULT_HEAP_SIZE, DEFAULT_STACK_SIZE, DirPerms, FilePerms, HttpMethod, Sandbox,
+    DEFAULT_HEAP_SIZE, DEFAULT_STACK_SIZE, DirPerms, FilePerms, HttpMethod, ResolverFn, Sandbox,
     SandboxBuilder, SandboxConfig,
 };
 use hyperlight_sandbox_pyo3_common::{
@@ -22,7 +23,37 @@ struct PendingCredential {
     target: String,
     header: String,
     prefix: String,
-    resolver: String,
+    resolver: ResolverFn,
+}
+
+/// Wrap a Python callable as a [`ResolverFn`] suitable for storage in
+/// the credential registry.
+///
+/// On each invocation the wrapper re-acquires the Python GIL, calls
+/// the supplied callable with no arguments, and extracts the result
+/// as a Python `str`.  Exceptions are mapped to a redacted Rust error
+/// — only the exception **type name** is surfaced, never the message
+/// (which may contain secret material assembled by user code).
+fn python_callable_to_resolver(callable: Py<PyAny>) -> ResolverFn {
+    Arc::new(move || -> Result<String, String> {
+        Python::attach(|py| {
+            let bound = callable.bind(py);
+            match bound.call0() {
+                Ok(result) => result
+                    .extract::<String>()
+                    .map_err(|_| "credential resolver did not return a str".to_string()),
+                Err(err) => {
+                    let type_name = err
+                        .get_type(py)
+                        .qualname()
+                        .ok()
+                        .and_then(|n| n.extract::<String>().ok())
+                        .unwrap_or_else(|| "Exception".to_string());
+                    Err(format!("python resolver raised {type_name}"))
+                }
+            }
+        })
+    })
 }
 
 #[pyclass]
@@ -192,15 +223,22 @@ impl WasmSandbox {
     ///
     /// Must be called before `run()`. The credential can then be
     /// attached to individual requests by guest code via WIT `attach`.
+    ///
+    /// `resolver` is a Python callable that takes no arguments and
+    /// returns the secret token as a `str`. It is invoked synchronously
+    /// from the WASI HTTP dispatch path on every credentialed request,
+    /// so it must be fast and thread-safe; long-running token fetches
+    /// should be memoised by the caller.
     #[pyo3(signature = (id, target, header, prefix, resolver))]
     fn register_credential(
         &mut self,
         id: &str,
         target: &str,
         header: &str,
         prefix: &str,
-        resolver: &str,
+        resolver: Py<PyAny>,
     ) -> PyResult<()> {
+        let resolver_fn = python_callable_to_resolver(resolver);
         if let Some(sandbox) = self.inner.as_ref() {
             // Register directly on the live sandbox.
             sandbox
@@ -210,7 +248,7 @@ impl WasmSandbox {
                         target: target.to_string(),
                         header: header.to_string(),
                         prefix: prefix.to_string(),
-                        resolver: resolver.to_string(),
+                        resolver: resolver_fn,
                     },
                 )
                 .map_err(|e| PyRuntimeError::new_err(format!("{e}")))?;
@@ -221,7 +259,7 @@ impl WasmSandbox {
                 target: target.to_string(),
                 header: header.to_string(),
                 prefix: prefix.to_string(),
-                resolver: resolver.to_string(),
+                resolver: resolver_fn,
             });
         }
         Ok(())

src/wasm_sandbox/guests/python/hyperlight.py

@@ -1,7 +1,6 @@
 """Hyperlight guest-side helpers, available to user code via `from hyperlight import call_tool`."""
 
 from sandbox_executor import _call_tool as call_tool
-from sandbox_executor import http_get, http_post
-from sandbox_executor import attach_credential
+from sandbox_executor import attach_credential, http_get, http_post
 
 __all__ = ["call_tool", "http_get", "http_post", "attach_credential"]

src/wasm_sandbox/src/wasi_impl/http_handler.rs

@@ -90,20 +90,27 @@ impl
         // Scope is enforced BEFORE the network permission check so a
         // mis-scoped credential is rejected immediately with a clear
         // error rather than leaking through to the allow-list gate.
+        //
+        // The credential-registry mutex is dropped before the resolver
+        // is invoked — resolvers may perform slow I/O (e.g. an IMDS
+        // round-trip on cache miss) and we do not want to serialise
+        // unrelated credentialed requests behind one slow resolver.
         // -----------------------------------------------------------------
         let credential_header: Option<(String, String)> =
             if let Some(ref cred_id) = request_data.attached_credential {
-                let registry = self.credential_registry.lock().map_err(|_| {
-                    HyperlightError::Error("credential registry mutex poisoned".to_string())
-                })?;
-                let entry = match registry.get(cred_id) {
-                    Some(e) => e.clone(),
-                    // Defensive: attach() validated this, but the registry
-                    // could have been cleared between attach and dispatch.
-                    None => {
-                        return Ok(Err(ErrorCode::InternalError(Some(
-                            "attached credential not found in registry".to_string(),
-                        ))));
+                let entry = {
+                    let registry = self.credential_registry.lock().map_err(|_| {
+                        HyperlightError::Error("credential registry mutex poisoned".to_string())
+                    })?;
+                    match registry.get(cred_id) {
+                        Some(e) => e.clone(),
+                        // Defensive: attach() validated this, but the registry
+                        // could have been cleared between attach and dispatch.
+                        None => {
+                            return Ok(Err(ErrorCode::InternalError(Some(
+                                "attached credential not found in registry".to_string(),
+                            ))));
+                        }
                     }
                 };
 
@@ -113,10 +120,22 @@ impl
                     return Ok(Err(ErrorCode::HTTPRequestDenied));
                 }
 
-                // Resolve the token.  For now the resolver string IS the
-                // token value (static credentials).  A future commit will
-                // support async resolution callbacks.
-                let header_value = format!("{}{}", entry.prefix, entry.resolver);
+                // Resolve the token by invoking the registered
+                // callback.  The resolver returns the literal secret
+                // value on success; on failure we surface a fixed,
+                // host-redacted message so the guest never sees the
+                // resolver's diagnostic text (which could contain
+                // secret material).
+                let token = match (entry.resolver)() {
+                    Ok(t) => t,
+                    Err(_diag) => {
+                        return Ok(Err(ErrorCode::InternalError(Some(
+                            "credential resolver failed".to_string(),
+                        ))));
+                    }
+                };
+
+                let header_value = format!("{}{}", entry.prefix, token);
                 Some((entry.header.clone(), header_value))
             } else {
                 None