fix: remove broken ssh_keys dependency and add info module

examples/wasmtime-loader/src/main.rs

@@ -124,16 +124,16 @@ fn main() -> Result<()> {
     log::info!("Loading trusted keys");
     let mut keys = PublicKeySet::empty();
 
-    // Try to load keys from keys/ directory
-    let key_path = Path::new("examples/wasmtime-loader/keys/trusted.pub");
+    // Try to load keys from keys/ directory (PEM format)
+    let key_path = Path::new("examples/wasmtime-loader/keys/trusted.pem");
     if key_path.exists() {
-        keys.insert_any_file(key_path)
+        keys.insert_pem_file(key_path)
             .with_context(|| format!("Failed to load key: {}", key_path.display()))?;
         log::info!("Loaded {} trusted key(s)", keys.items().len());
     } else {
         log::warn!("No trusted keys found at: {}", key_path.display());
         log::warn!("All signature verifications will fail in strict mode");
-        log::warn!("Generate keys with: cargo run --bin wsc -- generate-key");
+        log::warn!("Generate keys with: cargo run --bin wsc -- generate-key --pem");
     }
 
     // Configure Wasmtime
@@ -196,8 +196,8 @@ EXAMPLES:
     cargo run --release -- --no-verify components/hello.wasm
 
 TRUST CONFIGURATION:
-    Place trusted public keys in: examples/wasmtime-loader/keys/trusted.pub
-    Generate keys with: cargo run --bin wsc -- generate-key
+    Place trusted public keys in: examples/wasmtime-loader/keys/trusted.pem (PEM format)
+    Generate keys with: cargo run --bin wsc -- generate-key --pem
 
 SEE ALSO:
     https://github.com/pulseengine/wsc - WSC signature toolkit

src/cli/BUILD.bazel

@@ -34,7 +34,6 @@ rust_binary(
         "@wsc_deps//:env_logger",
         "@wsc_deps//:regex",
         "@wsc_deps//:ureq-3.1.2",
-        "@wsc_deps//:uri_encode",
         "@wsc_deps//:wasi",
     ],
     # No feature flags needed - HTTP client selected via #[cfg(target_os = "wasi")]

src/cli/Cargo.toml

@@ -25,10 +25,7 @@ env_logger = { version = "0.11.8", default-features = false, features = [
     "humantime",
 ] }
 regex = "1.12.2"
-# HTTP client for GitHub key fetching
-# - Native builds (not wasm32): use ureq
-# - WASI builds (wasm32-wasip2): use wasi::http
+# HTTP client for keyless signing
 ureq = { version = "3.1.2" }
-uri_encode = { version = "1.0.3" }
 wasi = { version = "0.14.7" }
 wsc = { version = "0.4.0", path = "../lib" }

src/component/src/lib.rs

@@ -98,33 +98,42 @@ impl Guest for Component {
     }
 
     fn parse_public_key(key_bytes: Vec<u8>) -> Result<Vec<u8>, String> {
-        // Try to parse as any supported format
-        let pk = PublicKey::from_any(&key_bytes)
-            .map_err(|e| format!("Failed to parse public key: {}", e))?;
-
-        Ok(pk.to_bytes())
+        // Try explicit formats (no auto-detection per security policy)
+        // Try raw WSC bytes first
+        if let Ok(pk) = PublicKey::from_bytes(&key_bytes) {
+            return Ok(pk.to_bytes());
+        }
+        // Try DER
+        if let Ok(pk) = PublicKey::from_der(&key_bytes) {
+            return Ok(pk.to_bytes());
+        }
+        // Try PEM (text format)
+        if let Ok(s) = std::str::from_utf8(&key_bytes) {
+            if let Ok(pk) = PublicKey::from_pem(s) {
+                return Ok(pk.to_bytes());
+            }
+        }
+        Err("Failed to parse public key. Supported formats: WSC bytes, DER, PEM".to_string())
     }
 
     fn parse_secret_key(key_bytes: Vec<u8>) -> Result<Vec<u8>, String> {
-        // Try to parse as any supported format
-        // Try raw bytes first
+        // Try explicit formats (no auto-detection per security policy)
+        // Note: OpenSSH format not supported - convert to PEM first
+        // Try raw WSC bytes first
         if let Ok(sk) = SecretKey::from_bytes(&key_bytes) {
             return Ok(sk.to_bytes());
         }
         // Try DER
         if let Ok(sk) = SecretKey::from_der(&key_bytes) {
             return Ok(sk.to_bytes());
         }
-        // Try PEM/OpenSSH
+        // Try PEM (text format)
         if let Ok(s) = std::str::from_utf8(&key_bytes) {
             if let Ok(sk) = SecretKey::from_pem(s) {
                 return Ok(sk.to_bytes());
             }
-            if let Ok(sk) = SecretKey::from_openssh(s) {
-                return Ok(sk.to_bytes());
-            }
         }
-        Err("Failed to parse secret key in any known format".to_string())
+        Err("Failed to parse secret key. Supported formats: WSC bytes, DER, PEM".to_string())
     }
 
     fn to_pem_public(key_bytes: Vec<u8>) -> Result<String, String> {

src/lib/BUILD.bazel

@@ -22,8 +22,9 @@ rust_library(
         "@wsc_deps//:log",
         "@wsc_deps//:regex",
         "@wsc_deps//:sha2",
-        "@wsc_deps//:ssh-keys",
         "@wsc_deps//:thiserror",
+        "@wsc_deps//:tracing",
+        "@wsc_deps//:tracing-subscriber",
         "@wsc_deps//:wasi",
         # Keyless signing dependencies (common to all targets)
         "@wsc_deps//:base64",