WASM Sandbox
WASM tool sandboxing with Wasmtime, fuel metering, memory limits, tool catalog, and lifecycle chain logging.
The WASM sandbox provides isolated tool execution with configurable resource limits. Tools run as WASM modules inside a Wasmtime runtime with fuel metering, memory caps, and optional WASI access.
Source: crates/clawft-kernel/src/wasm_runner.rs (~1,639 lines)
Feature: wasm-sandbox
WasmToolRunner
pub struct WasmToolRunner {
config: WasmSandboxConfig,
}Executes WASM modules with fuel metering (each instruction consumes fuel), memory limits via ResourceLimiter, and configurable timeout.
WasmSandboxConfig
pub struct WasmSandboxConfig {
pub fuel_limit: u64,
pub memory_limit_bytes: u64,
pub timeout_ms: u64,
pub wasi_enabled: bool,
pub wasi_fs_scope: WasiFsScope,
}
pub enum WasiFsScope {
None,
ReadOnly(Vec<PathBuf>),
ReadWrite(Vec<PathBuf>),
}Tool Catalog (27 Built-in Tools)
| Category | Tools | Gate Action Prefix |
|---|---|---|
| Agent | 7 | tool.agent.* |
| IPC | 2 | tool.ipc.* |
| Filesystem | 9 | tool.fs.* |
| System | 6 | tool.sys.* |
| ECC | 7 | tool.ecc.* (ecc feature) |
Each tool has a BuiltinToolSpec with an EffectVector for governance scoring.
Tool Lifecycle
Build -> Deploy -> Execute -> Version -> RevokeAll phases are chain-logged when exochain is enabled.
Host Isolation
By default, WASM modules have no access to filesystem, network, environment variables, or system clock unless explicitly configured via WasiFsScope.
Extended Tool Catalog (Sprint 10)
10 additional tools in tools_extended.rs:
| Tool | Category | Description |
|---|---|---|
fs.analyze | Filesystem | Directory structure analysis |
git.log | System | Git history retrieval |
doc.parse | System | Markdown/document parsing |
config.read | System | Configuration file reading |
env.detect | System | Environment detection |
metrics.snapshot | Observability | Kernel metrics snapshot |
kv.get | Config | Read from ConfigService |
kv.set | Config | Write to ConfigService |
report.template | System | Report generation templates |
health.check | System | Service health checks |
Stateless tools are registered via register_stateless_tools(). Tools requiring kernel services (metrics, kv, health) use register_extended_tools() with injected Arc references.
Tool Signing (D9)
Ed25519 signing for tool provenance and integrity verification.
pub struct ToolSignature {
pub tool_hash: String, // SHA-256 of tool module bytes
pub signer_id: String, // Identity of the signer
pub signature: Vec<u8>, // Ed25519 signature
}Signature Verification
// Register a signed tool
registry.register_signed("my-tool", module_bytes, signature)?;
// Enforce signature requirement
registry.set_require_signatures(true);
// Manage trusted keys
registry.add_trusted_key(public_key);When require_signatures is enabled, unsigned tools are rejected at registration. Each signature is verified against all trusted keys.
Chain constant: EVENT_KIND_TOOL_SIGNED logs signing events to ExoChain.
WASM Shell Execution (D10)
Shell commands compiled to WASM for sandboxed execution:
pub struct ShellCommand {
pub command: String,
pub args: Vec<String>,
}
pub struct ShellResult {
pub exit_code: i32,
pub stdout: String,
pub stderr: String,
pub duration_ms: u64,
}execute_shell() dispatches to built-in commands (echo, true, false) within the sandbox. Wall-clock timing is recorded. The shell.exec tool is registered in the builtin catalog.
Chain constant: EVENT_KIND_SHELL_EXEC logs shell executions to ExoChain.
CompiledModuleCache
LRU cache of compiled WASM modules keyed by content hash to avoid repeated compilation.
Cluster Management
ClusterMembership, NodeIdentity, NodeState lifecycle, SWIM heartbeat, distributed process table, service advertisement, chain replication, and CRDT gossip.
Container Integration
ContainerManager lifecycle, ContainerConfig validation, ContainerState state machine, health check propagation, and port mapping.