Wasmtime engine.
What is WASI?
When a Node.js or Python tool executes in MCP, it relies on the operating system’s broad sandboxing (usually containerization like Docker). If a Python dependency is compromised, it could theoretically attempt full network escalation or escape. WASI flips the security model. WebAssembly is a memory-safe, purely mathematical compute format. By default, a.wasm module literally lacks the CPU instructions to talk to the operating system, disk, clock, or network. WASI is the strictly controlled bridge that re-introduces these features exactly, and only, when explicitly granted.
The LIOP Sandbox Lifecycle
When an Agent Node injects a WebAssembly module into a Data Node, the following security barriers activate:1. Capability Verification
The Agent declares the capabilities it requires upfront (e.g.,requires_capability: ["logs_read", "sql_readonly"]). The Data Node checks its local manifest to see if it allows this specific Agent to access those capabilities.
2. Microscopic Preopens
If approved, the Data Node does not grant the WASM module access to the file system. Instead, it “pre-opens” very specific file descriptors and maps them into the WASM module’s virtualized space. If the agent asks to read/var/log/nginx/ and the server allows it as /logs, the Agent only sees /logs as the absolute root of its entire universe. Attempting to traverse directories with ../ stops dead at the Sandbox limit.
3. Execution & Memory Bounds
Wasmtime boots the engine with strict limiters:
- Maximum Execution Time: If the module enters an infinite loop, the runtime kills it via Out-Of-Fuel exhaustion.
- Maximum Memory Limit: If the module attempts a buffer overflow or tries to allocate memory beyond its cap (e.g., 50MB), it triggers an uncatchable OOM Trap.
- Zero Sockets: The Agent logic runs completely offline inside the Server. It cannot open a port, connect to the internet, or exfiltrate data directly over a TCP socket. Its only output is what it
returnsto the LIOP invocation orchestrator. - Node.js Parity (V8 Isolation): In local development or SDK Demos (where WebAssembly isn’t pre-installed), LIOP utilizes identical strict boundaries via the
node:vmmodule (vm.createContext(Object.create(null))). This establishes absolute hardware-level containment, explicitly stripping the Sandbox of 25 poisoned globals (process,require,eval,Function,Date,ArrayBuffer,Uint8Array, and more), thereby eliminating any possibility of Host-System escalation. - Timing Side-Channel Defense: The
Dateobject is poisoned within the sandbox to prevent injected logic from measuring execution time differences, which could be used to infer dataset size or internal execution patterns. Because the globalDateclass is set toundefined(callingnew Date()orDate.now()will throw a ReferenceError), chronological sorting and filtering must be performed using lexicographical string comparisons on ISO 8601 strings (e.g.,record.date >= '2024-01-01'). - Heap Bomb Defense: All 12
TypedArrayconstructors (Uint8Array,Float64Array,DataView, etc.) are neutralized to prevent allocation of massive binary buffers that could crash the worker process through V8 heap exhaustion. Each worker is additionally constrained to a configurable memory ceiling viamaxHeapMb(default: 64 MB). - Prototype Pollution Defense: Eleven core JavaScript prototypes (
Object,Array,String,Number,Boolean,RegExp,Map,Set,Promise,Error, andFunctionresolved dynamically) are frozen viaObject.freeze()inside the sandbox IIFE before user code executes. By wrapping execution in"use strict";, any unauthorized attempts to pollute prototypes trigger immediateTypeErrorhalts instead of silent failures, preventing injected logic from overriding built-in methods. - Non-Blocking Pool: The Sandbox execution is inherently computationally heavy. To prevent Node.js servers from freezing, the
@nekzus/liopisolates this entire lifecycle inside nativeworker_threads(viapiscina), achieving parallel throughput identical to the native Mesh-Node. The pool implements an asynchronous background warmup (No-Op Warmup) on initialization to eliminate V8 cold-start overhead (~820k fuel units). - Safe Host Environment Isolation (
allowEnv): By default, the WASI sandbox completely isolates the execution from any environment variables. If host variables are strictly required by the business logic, you can enable environment propagation:To completely block command-injection exploits (such as Shellshock) and prevent leakage of sensitive secrets (like AWS keys or database tokens), the SDK filters environment variables through a strict safe allowlist viagetDefaultEnvironment():- Windows Host Allowlist:
APPDATA,HOMEDRIVE,HOMEPATH,LOCALAPPDATA,PATH,PROCESSOR_ARCHITECTURE,SYSTEMDRIVE,SYSTEMROOT,TEMP,USERNAME,USERPROFILE,PROGRAMFILES. - Unix/Linux Host Allowlist:
HOME,LOGNAME,PATH,SHELL,TERM,USER. Any environment variable starting with shell function definitions()is immediately rejected to prevent remote code execution.
- Windows Host Allowlist: