Crate aegis_wasm

§Aegis - WebAssembly Sandbox Runtime

Aegis is a local-first runtime that allows users and applications to execute untrusted WebAssembly code safely within a tightly controlled sandbox.

§Features

  • Security: Capability-based security with no ambient authority
  • Resource Control: Memory limits, CPU limits (fuel), and timeouts
  • Observability: Metrics collection and event subscription
  • Embeddable: Library-first design for easy integration

§Quick Start

use aegis::prelude::*;
use std::time::Duration;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create a runtime with explicit resource bounds
    let runtime = Aegis::builder()
        .with_memory_limit(64 * 1024 * 1024)  // 64 MiB of linear memory
        .with_fuel_limit(1_000_000_000)        // 1B fuel units (CPU budget)
        .with_timeout(Duration::from_secs(30)) // wall-clock timeout
        .build()?;

    // Load a module from disk
    let module = runtime.load_file("plugin.wasm")?;

    // Execute in a sandbox; each sandbox is isolated from the others
    let mut sandbox = runtime.sandbox().build()?;
    sandbox.load_module(&module)?;

    let result: i32 = sandbox.call("add", (2i32, 3i32))?;
    assert_eq!(result, 5);
    Ok(())
}

§Security Model

Aegis follows the principle of least privilege:

  1. No Ambient Authority: All permissions must be explicitly granted
  2. Capability-Based: Each capability explicitly defines allowed actions
  3. Resource Limits: Memory, CPU, and time are bounded
  4. Isolation: Each sandbox runs in its own isolated environment

§Architecture

┌─────────────────────────────────────────────────────────┐
│                    Your Application                     │
├─────────────────────────────────────────────────────────┤
│                      aegis (facade)                     │
│                    ┌─────────────────┐                  │
│                    │  Aegis Builder  │                  │
│                    └────────┬────────┘                  │
│                             │                           │
│  ┌──────────────┬──────────┴───────┬───────────────┐   │
│  │ aegis-core   │ aegis-capability │ aegis-observe │   │
│  │ (engine,     │ (permissions)    │ (metrics,     │   │
│  │  sandbox)    │                  │  events)      │   │
│  └──────────────┴──────────────────┴───────────────┘   │
├─────────────────────────────────────────────────────────┤
│                       Wasmtime                          │
└─────────────────────────────────────────────────────────┘

Re-exports§

pub use aegis_capability;
pub use aegis_core;
pub use aegis_host;
pub use aegis_observe;
pub use aegis_resource;

Modules§

prelude
Prelude module for convenient imports.

Structs§

Aegis
Main entry point for Aegis.
AegisBuilder
Builder for configuring the Aegis runtime.
AegisRuntime
A configured Aegis runtime.
RuntimeSandboxBuilder
Builder for creating sandboxes from a runtime.

Enums§

AegisError
Errors from the Aegis runtime.