WASM Sandbox

Every agent runs inside a WebAssembly sandbox powered by Wasmtime. The sandbox is the primary security boundary — it controls what an agent can access and how much computation it can consume.

Execution tiers

Tier 1 is the only execution tier available today. Agents compile to wasm32-wasip2 targets and run inside Wasmtime with capability-gated host imports.

Capability-gated host imports

Agents declare the host capabilities they need in their configuration. The runtime exposes these capabilities as WASM host imports:

Deny-by-default: if an agent calls a capability it did not declare, the call fails immediately. There is no prompt, no fallback — undeclared capabilities are hard errors.

Fuel metering

Each agent gets a fuel budget that limits computation per execution cycle. Fuel maps roughly to WASM instructions executed.

• Default budget: 100,000,000 (100M) fuel units per invocation.
• Configurable: set fuel in the agent entry in runtime.toml.
• Exhaustion: when fuel runs out, the sandbox traps and the supervisor handles the restart.

Fuel prevents runaway agents from monopolizing CPU. It is not a billing mechanism — see Economics for spend tracking.

What the sandbox prevents

• Filesystem access: agents cannot read or write the host filesystem directly.
• Network access: all outbound requests go through the broker.
• System calls: WASM has no exec, no signals, no process control.
• Memory isolation: each agent gets its own linear memory; no shared state between agents except through explicit host capabilities.