@o-lang/olang 1.3.0-alpha → 1.4.0

package/src/runtime/index.js

@@ -5,12 +5,13 @@ const crypto         = require('crypto');
 const fs             = require('fs');
 const path           = require('path');
 
-// ── Load kernel private key (cached) ─────────────────────────────────────────
-let KERNEL_PRIVATE_KEY = null;
-
-function getKernelPrivateKey() {
-  if (KERNEL_PRIVATE_KEY) return KERNEL_PRIVATE_KEY;
+// ── Load kernel private key ───────────────────────────────────────────────────
+// FIX: Load at module initialisation time (when kernel boots) instead of
+// lazily on the first execute() call. This prevents a 5-10s delay on the
+// first request caused by RSA key file I/O + audit chain signing overhead.
+// ─────────────────────────────────────────────────────────────────────────────
 
+function _loadPrivateKey() {
   const keyPath      = process.env.KERNEL_PRIVATE_KEY_PATH || './kernel-keys/kernel-private.pem';
   const absolutePath = path.isAbsolute(keyPath)
     ? keyPath
@@ -22,11 +23,37 @@ function getKernelPrivateKey() {
     return null;
   }
 
-  KERNEL_PRIVATE_KEY = fs.readFileSync(absolutePath, 'utf8');
+  const key = fs.readFileSync(absolutePath, 'utf8');
   console.log('[kernel] ✅ Private key loaded for signing');
-  return KERNEL_PRIVATE_KEY;
+  return key;
 }
 
+// Loaded once at require() time — cached for all subsequent execute() calls
+const KERNEL_PRIVATE_KEY = _loadPrivateKey();
+
+function _loadPublicKey() {
+  if (!KERNEL_PRIVATE_KEY) return null;
+  try {
+    const pubKeyPath      = process.env.KERNEL_PUBLIC_KEY_PATH || './kernel-keys/kernel-public.pem';
+    const absolutePubPath = path.isAbsolute(pubKeyPath)
+      ? pubKeyPath
+      : path.join(process.cwd(), pubKeyPath);
+
+    if (!fs.existsSync(absolutePubPath)) return null;
+
+    return fs.readFileSync(absolutePubPath, 'utf8')
+      .replace('-----BEGIN PUBLIC KEY-----', '')
+      .replace('-----END PUBLIC KEY-----', '')
+      .replace(/\s/g, '');
+  } catch (err) {
+    console.warn('[kernel] Could not load public key:', err.message);
+    return null;
+  }
+}
+
+// Also loaded once at require() time
+const KERNEL_PUBLIC_KEY = _loadPublicKey();
+
 // ── Sign audit data with RSA-SHA256 ──────────────────────────────────────────
 // Uses RSA-SHA256 to match the RSA key generated by crypto.generateKeyPairSync.
 // The same sorted JSON serialization is used during verification.
@@ -72,35 +99,14 @@ async function execute(workflow, inputs, agentResolver, verbose = false) {
     chain:                   rt.auditLog,
   };
 
-  // Sign the audit data with the kernel private key
-  const privateKey = getKernelPrivateKey();
-  const signature  = signAuditData(auditData, privateKey);
-
-  // Load public key for client-side verification (stripped PEM)
-  let publicKey = null;
-  if (privateKey) {
-    try {
-      const pubKeyPath      = process.env.KERNEL_PUBLIC_KEY_PATH || './kernel-keys/kernel-public.pem';
-      const absolutePubPath = path.isAbsolute(pubKeyPath)
-        ? pubKeyPath
-        : path.join(process.cwd(), pubKeyPath);
-
-      if (fs.existsSync(absolutePubPath)) {
-        publicKey = fs.readFileSync(absolutePubPath, 'utf8')
-          .replace('-----BEGIN PUBLIC KEY-----', '')
-          .replace('-----END PUBLIC KEY-----', '')
-          .replace(/\s/g, '');
-      }
-    } catch (err) {
-      console.warn('[kernel] Could not load public key:', err.message);
-    }
-  }
+  // FIX: Use pre-loaded keys — no file I/O on hot path
+  const signature = signAuditData(auditData, KERNEL_PRIVATE_KEY);
 
   // Attach audit to result — server.js detaches it before sending to client
   result.__audit = {
     ...auditData,
-    signature,  // RSA-SHA256 hex signature
-    publicKey,  // Stripped PEM for client verification
+    signature,        // RSA-SHA256 hex signature
+    publicKey: KERNEL_PUBLIC_KEY, // Stripped PEM for client verification
   };
 
   return result;
@@ -115,5 +121,4 @@ function redact(text) {
   return rt.redact(text);
 }
 
-
 module.exports = { execute, parse, redact };