Skip to content

Instantly share code, notes, and snippets.

@ruvnet

ruvnet/wasm.txt

Created April 30, 2025 12:27
Show Gist options
  • Save ruvnet/f7b451a5dd353f691cd0ea20a2d93c50 to your computer and use it in GitHub Desktop.
Save ruvnet/f7b451a5dd353f691cd0ea20a2d93c50 to your computer and use it in GitHub Desktop.
Download ZIP
Implementation Plan for a WASM‑Based Local Serverless CLI Agent System
Raw
wasm.txt
Introduction
Building a local serverless runtime for agent command/control systems involves using WebAssembly (WASM) modules as secure, ephemeral plugins executed via a command-line interface (CLI). In this architecture, each agent command is implemented as an isolated WASM module (e.g. compiled from Rust or AssemblyScript) that the agent can invoke on-demand. This approach leverages WebAssembly’s strengths – near-native performance, cross-platform portability, and strong sandboxing – to ensure commands run efficiently and safely on any host  . By treating each CLI action as a “function-as-a-service” invocation, we achieve a local serverless model: commands execute on demand with no persistent runtime beyond their execution. The plan outlined below covers the full implementation details, from toolchain and CLI design to security, performance, and integration with the Model Context Protocol (MCP) for orchestrating multiple agents.
High-Level Design: A central Controller (which could be an MCP client or orchestration service) communicates with one or more Agent Nodes running our CLI-based WASM runtime. The agent’s CLI (e.g. agent-ctl) receives commands (either from a user or via MCP calls) and dispatches them to corresponding WASM modules through a WASM runtime engine. Each command’s module executes in a sandboxed environment (WASI) with only the minimal capabilities it needs (principle of least privilege). This ensures that even potentially unsafe operations (e.g. running untrusted code or performing system changes) are confined and cannot harm the host system beyond allowed boundaries. The following sections break down the key components of this architecture and provide an implementation plan for each, including tooling, CLI integration, module development, protocol orchestration, and more.
Toolchain Setup
A robust toolchain is required to develop, build, and run the WASM modules and the host runtime. This includes choosing languages for module development, selecting appropriate WASM runtimes for execution, and setting up CLI tools to facilitate running modules easily.
Languages for WASM Modules (Rust and AssemblyScript)
Rust with wasm-pack: Rust is an ideal choice for writing high-performance WASM modules due to its efficiency and rich tooling support. We will use Rust to implement most agent command modules, compiling them to the wasm32-wasi target. The wasm-pack tool will streamline this process by bundling the compiled WASM with JavaScript bindings for easy consumption in a Node.js context if needed. Rust’s strong type system and memory safety help ensure reliability of the modules, and it has excellent support for WASI (the WebAssembly System Interface). Using wasm-pack, we can compile Rust code into a WASM package ready to publish on NPM or use via npx . Each Rust command module will expose a function (or set of functions) that follow a predefined interface (e.g. a main() or run() entrypoint taking parameters), which the host can call via WASI.
AssemblyScript (optional): For developers more familiar with TypeScript, AssemblyScript offers a way to write WASM modules using a TypeScript-like syntax. AssemblyScript compiles a restricted subset of TypeScript to WASM. While not as mature or performant as Rust, it can be used for simpler command modules or prototypes. If we include AssemblyScript, we’ll set up its compiler and use its loader/runtime to produce WASM binaries. Note that AssemblyScript’s WASI support is somewhat limited, so for system-level commands (file I/O, networking), Rust is preferable. In practice, AssemblyScript might be used for purely computational or data-processing commands that don’t require extensive WASI APIs. The toolchain will treat AssemblyScript outputs similarly to Rust’s – producing .wasm binaries that can be loaded by our runtime. (We will ensure any AssemblyScript module is compiled with optimization and minimal runtime overhead.)
Other Languages: While Rust and AssemblyScript are the primary choices, the WASM ecosystem allows using other languages (Go via TinyGo, C/C++, etc.) if needed. The architecture doesn’t mandate a single language – one advantage of WASM is that modules from different languages can co-exist and run on the same runtime. For example, a plugin could even be written in Go (compiled with TinyGo) if it fits a use case. This flexibility is illustrated in the plugin model (Figure 1 below), where multiple source languages compile down to WASM modules that the host can execute interchangeably.
WASM Runtimes (Wasmtime, Wasmer, Node.js WASI)
To execute the WASM modules on the agent, we need a local WASM runtime engine. We will evaluate and possibly combine the following runtimes:
• Wasmtime: A lightweight, high-performance runtime from the Bytecode Alliance. Wasmtime focuses on security and compliance with WASI, making it a strong candidate for our needs. It JIT-compiles WASM to native code using the Cranelift backend, and is designed for embedding in applications. Wasmtime’s emphasis is on safe and efficient execution , aligning well with our goal of securely running untrusted command modules. We can embed Wasmtime into a Rust-based CLI host, or use its C/API from other languages. Wasmtime supports caching of compiled modules to speed up repeat invocations. We will likely use Wasmtime when implementing the host in Rust (for example, if agent-ctl is written in Rust, it can use the Wasmtime library to load and run modules in-process).
• Wasmer: Another popular runtime, Wasmer provides both JIT and ahead-of-time (AOT) compilation options. Wasmer emphasizes portability (multi-platform support) and performance, and it also maintains WAPM (WebAssembly Package Manager) for distributing modules  . Wasmer can be used via a CLI or embedded as a library (with bindings for many languages including Python and JavaScript). Uniquely, Wasmer has an NPM package (@wasmer/cli) that allows running WASM modules via Node.js. This could be leveraged for our CLI if we want a Node-based launcher. We will consider Wasmer particularly for its NPM integration and WAPM package support. For instance, using Wasmer, one could run wasmer run my_module.wasm or use the wapm package manager to fetch modules on the fly. Wasmer’s ability to AOT compile modules could reduce startup latency if we have performance-critical commands.
• Node.js WASI: Node.js has built-in WASI support via the node:wasi module, allowing running WASM with WASI in a Node process. This means our CLI (if implemented in Node.js/TypeScript) could instantiate WASM modules without external runtimes. The Node WASI API lets us provide args, env vars, and pre-opened directories, then start the WASM instance  . However, a caveat is that Node’s WASI implementation is still experimental and does not yet provide the same security guarantees as Wasmtime/Wasmer (for example, Node’s documentation warns that its WASI does not enforce a sandbox as strictly, so untrusted code could be a risk) . We will use Node’s WASI for development convenience (e.g. testing modules in a Node environment), but for production, leaning on Wasmtime or Wasmer is safer for untrusted modules. If the CLI is Node-based, one approach is to use @wasmer/wasi (or similar packages) which provide a more secure WASI runtime in Node, or spawn a Wasmtime subprocess.
Runtime Selection: We do not have to pick exactly one runtime for all use-cases – for example, the agent CLI might use Wasmtime internally for maximal security when running real commands, but during development or in certain contexts, we could use Wasmer CLI for quickly testing modules via npx. Overall, Wasmtime will be our primary engine (given its security focus and efficient JIT), with Wasmer CLI support for interoperability (e.g. allowing others to run modules with wasmer if they don’t have our whole system). Both Wasmtime and Wasmer support the WASI API which we rely on for sandboxing. A comparison of these runtimes is given in Table 1 below, to guide tool selection.
Table 1: Comparison of WASM Runtimes for the Agent
Runtime Execution Mode Notable Features Security Sandboxing Suitable Use-Case
Wasmtime JIT (Cranelift); minimal AOT support via cache Efficient, small footprint; Bytecode Alliance project focused on standards Strong WASI compliance; designed for secure embedding  Embedding in Rust-based host; high-security use (untrusted code)
Wasmer JIT (Cranelift, Singlepass) or AOT (LLVM) WAPM package manager; multi-language bindings; fast startup option Good WASI support; sandboxed execution similar to Wasmtime Standalone CLI usage (wasmer run); NPM integration (@wasmer/cli); when portability is key
Node.js WASI Uses V8 JIT for WASM Built into Node.js (no external install); easy integration with Node CLI Partial. Provides WASI API but not guaranteed secure sandbox  Prototyping and dev; running trusted modules in a Node-based CLI
(Note: “Security Sandboxing” refers to how strictly the runtime confines file system and OS access. Both Wasmtime and Wasmer implement capability-based security, whereas Node’s WASI is currently less locked-down.)
Development Tools (NPX, Wasmer CLI, MCP Server utilities)
To streamline both development and execution, we will make use of several command-line tools and frameworks:
• NPX for CLI Commands: The npx tool (part of Node.js) allows running Node package binaries without installing them globally. We plan to distribute the agent CLI and possibly individual command modules as NPM packages, so that end-users (or automated scripts) can invoke commands easily via npx. For example, one could run npx agent-ctl <command> which fetches the CLI tool if not present. Moreover, if each WASM module is packaged (via wasm-pack) as an NPM module, npx could even directly run a specific module. (This is analogous to how WAPM’s wax command runs remote WASM packages similar to npx .) In our implementation, the primary usage is that agent-ctl will be an NPX-capable tool; under the hood it will load the WASM module for the given command and execute it. This provides a serverless feel – the code is fetched and run on demand.
• Wasmer CLI (@wasmer/cli): Wasmer provides an NPM package for its CLI, which means we can run WASM modules via Wasmer in any environment with Node. This is extremely useful for testing and possibly for users who don’t want to build Rust themselves. For instance, running npx @wasmer/cli run my-command.wasm -- <args> would execute a WASM module using Wasmer’s runtime. We will integrate this into development workflows (to quickly test modules in isolation), and potentially as a fallback execution method in the agent. If the host detects Wasmtime is not available, it might invoke the Wasmer CLI as a subprocess to run a module. Also, Wasmer’s WAPM integration could allow fetching modules by name. (However, in a controlled agent deployment, we may bundle modules instead of fetching from WAPM for determinism and security.)
• MCP Protocol Server Library (@mcp-protocol/server): To integrate with the Model Context Protocol (explained later), we will likely use an existing MCP server implementation or library. The @mcp-protocol/server package (if using Node/TypeScript) or an equivalent in Python/Rust can provide a ready-made MCP server that exposes tools to an AI assistant. For example, a Node-based agent could import this package to handle JSON-RPC communications with an MCP client. We will design our agent such that all its CLI commands are registered as tools in the MCP server, with the CLI acting as the execution backend. If using a Node library, we’ll configure it to call our command dispatch function when a JSON-RPC request for a tool comes in. Alternatively, if writing the agent in Rust, we might implement the MCP protocol (which is JSON-RPC based) using an RPC crate or by interfacing with an existing MCP server over STDIO or WebSocket. In any case, this tool/library will save us from implementing the entire protocol from scratch.
• Other Dev Tools: We will set up typical development tooling: a testing framework to validate WASM modules (more in CI/CD section), and possibly cargo-wasi (a Cargo subcommand to directly build/test WASI binaries). Docker might be used to ensure cross-platform builds (especially if targeting multiple OSes for the agent runtime). If using Node, tools like TypeScript, ts-node, etc., will be configured for the CLI code. We’ll also maintain a repository of example modules and how to run them (for developers to contribute new commands easily).
With the above toolchain in place, developers can write a new command in Rust (or AssemblyScript), compile it to WASM, and either run it using the CLI (agent-ctl) or independently test it via Wasmer/Wasmtime. Next, we detail how the CLI itself is structured to integrate these modules.
CLI Integration
The command-line interface, tentatively called agent-ctl, is the entry point for users (or controllers) to trigger functions. This CLI will parse user input, determine which WASM module to invoke, execute it with the provided parameters, and return the results or output. Key considerations include the design of the CLI commands/subcommands, how arguments are passed to WASM, and the mechanism for loading and running the modules.
agent-ctl Interface Design
The CLI should be user-friendly and also script-friendly. We will design agent-ctl with subcommands corresponding to the available agent functions (tools). For example:
• agent-ctl scan --ip 192.168.0.0/24 might trigger a network scan module.
• agent-ctl logs --filter "ERROR" might run a log analysis module.
• agent-ctl update-config --file config.yaml --key foo --value bar to update a config.
We will use a CLI parsing library (depending on implementation language – e.g. Rust’s Clap or Node’s Commander.js) to define these subcommands and options. The CLI will have a help output listing all available commands and their descriptions. Importantly, the list of commands can be dynamic, reflecting the modules available. In a simple setup, we can hard-code the known commands, but to enable hot-swapping modules (adding/removing commands at runtime), agent-ctl could scan a modules directory or query a registry to populate its list of subcommands.
Each subcommand maps to a specific WASM module. The design will likely have a one-to-one mapping: e.g., a scan subcommand corresponds to scan.wasm module. We will establish a naming convention or a lookup table internally. The CLI should also allow a generic way to run an arbitrary WASM module (for development), e.g., agent-ctl run-wasm ./path/to/module.wasm -- <args> as a fallback for testing new modules not formally integrated yet.
Command Parsing and Dispatching
When agent-ctl is invoked, it will parse the input arguments to identify the command and its parameters. The dispatch logic works as follows:
1. Parse Input: Using the CLI library, parse the command name and options. For example, if the user runs agent-ctl scan --ip 192.168.0.0/24 --output report.json, the parser identifies the subcommand scan and option values (ip and output).
2. Validate and Construct WASM Invocation: The CLI will then construct the invocation for the WASM module. This may involve formatting the arguments in a way the WASM module expects. The simplest approach is to launch the WASM module as if it were a standalone program, passing arguments as if they were argv strings (WASI supports argument arrays). In this example, we might prepare an argv like: ["scan.wasm", "--ip", "192.168.0.0/24", "--output", "report.json"]. The WASM runtime will make these available to the module via WASI APIs (Rust’s std::env::args() inside the module can retrieve them). Alternatively, for more complex interactions, we could pass a JSON or use environment variables to convey structured data; however, keeping things simple with CLI-like args is effective.
3. Dispatch to Module: Based on the command name, the CLI looks up the corresponding WASM module file or package. Perhaps we maintain a directory like ~/.agentctl/modules/scan.wasm or a built-in mapping to a packaged module. The dispatch code will load the module (from file or from an embedded byte array if compiled in) and prepare the runtime (Wasmtime or Wasmer instance). Any required context (like pre-opened directories or allowed capabilities) will be set up at this point (more on that in Security section).
4. Execute and Stream Output: The CLI then executes the WASM module. If the module writes to stdout/stderr (via WASI calls), our runtime will capture that and stream it through the CLI’s own stdout/stderr, so the user sees output as if it were a native command. We will ensure that the WASM’s stdout is hooked to the CLI’s output (this is default in WASI if not overridden). If the module returns a result or exit code, the CLI will propagate that (e.g., exit with the same code, or print a formatted result). In some cases, modules might produce structured output (like JSON text or a file); the CLI can post-process if needed, but generally the module can handle its output.
5. Error Handling: If the WASM module fails (panics, traps, or returns a non-zero code), the CLI will catch that. The CLI can print an error message including the trap reason or error code. Since debugging inside WASM is tricky, we’ll try to surface as much info as possible (for example, Wasmtime can return a trap message like “unreachable executed” or a custom abort message). We may also have the modules print errors to stderr which are then visible. The CLI itself should handle its own errors (like unknown command, missing module) gracefully and suggest help.
This dispatch cycle should be very quick – the overhead is mostly the WASM module loading and JIT compilation if not cached. To optimize, we will consider keeping a pool of pre-initialized modules or caching compiled artifacts (see Performance section). But correctness and simplicity come first: initially, dispatch will load and run fresh each time (emulating serverless function cold start).
Invoking WASM Modules with Parameters
One of the challenges is passing parameters from the CLI to the WASM function in a structured way. We have a few strategies:
• WASI Arguments & Environment: As mentioned, we can map CLI flags directly to program arguments. For example, the Rust module can use clap internally as well to parse its arguments (the module sees arguments as if it was run by a user). This means duplicating some parsing inside the module, but it decouples module logic from the host. Alternatively, the host could encode all parameters into a single JSON string and pass it via an environment variable or a file. For instance, set AGENTCTL_PARAMS={"ip": "192.168.0.0/24", "output": "report.json"} in the WASM environment, and the module reads that env var and parses JSON. This approach allows complex data but at the cost of some boilerplate in modules. We will likely stick to standard argv for simplicity unless a module’s parameters are too complex for flat args.
• Direct Function Invocation (WASI Commands vs Components): In the future, the WASM component model could allow treating modules as libraries with importable functions. But currently, using WASI to mimic a CLI app is straightforward and has been used in practice (e.g., Shopify Functions run WASM modules as CLI processes with input/output through STDIN/STDOUT ). We will follow this model: each module essentially behaves like a small CLI program that reads its input (from args or stdin) and produces output (via stdout or a file).
• Parameter Schema and Validation: We will maintain a schema for each command’s parameters (for MCP integration and for user help). For example, the scan command takes an --ip (string or CIDR) and optional --output (file path). This schema can be used by the CLI to validate user input before invoking the module (e.g., ensure IP is well-formed). Also, the MCP tool description will use this schema. We might define these schemas in a JSON file or as part of module metadata. The CLI dispatch will consult the schema and either reject bad input with a message or transform it if needed (like default values).
• Return Values: If a module needs to return a value (not just print output), how to get it back? One way is to design modules to print their result as JSON to stdout, and the CLI can capture and parse it. Another way is to use the WASM module’s exit code to indicate simple statuses. For complex results (like a data structure), writing to stdout or a file is easiest given WASI’s constraints. We will implement conventions such as: modules should print human-readable output for CLI use, or if --json flag is passed to agent-ctl, the module can produce JSON output for programmatic use. The CLI can toggle an environment variable to tell the WASM module which format to use.
Figure 1 below illustrates the relationship between the agent CLI (host platform) and the multiple WASM modules (plugins) that implement its commands. Each plugin can be authored in a different language (compiled to WASM) and is invoked via a common extension point in the host.
Figure 1: The agent host platform (CLI) invokes various command implementations as sandboxed WASM modules (plugins). Each “Plug-in” represents a command tool (e.g., network scan, log parse, etc.) compiled to a .wasm binary (purple “WA” icon). This plugin architecture allows modules written in different source languages (Go, C++, Java, Rust, etc.) to be executed uniformly. The CLI provides extension points (red node) that route to these plugins, ensuring that adding or updating a command is as simple as deploying a new WASM module.
By designing the CLI in this manner, we achieve a flexible system where new commands can be added by dropping in a new WASM module, and those commands can be invoked either by a user locally or by a remote controller via standardized calls. Next, we delve into how to develop the WASM modules themselves, with focus on security and capabilities.
WASM Module Development
Developing the individual WASM modules (the command handlers) requires adhering to certain guidelines so that they run safely and efficiently in the host environment. We will primarily use Rust to create these modules, leveraging the WASI interface for all system interactions. Key considerations include module interface design, memory and I/O management within the sandbox, and applying security restrictions at compile-time and runtime.
Rust Modules for Command Handling
Each command will be implemented as a Rust program or library compiled to WebAssembly (WASI target). To standardize module interfaces:
• We define a common entry convention. For example, each module will have a function main() (for a standalone WASI binary) that processes input and performs the task. If using a library approach, we could require an entry function like command_run() with a known export name. However, the simplest path is to compile each as a standalone WASI executable, which means the module can be run with wasmtime module.wasm. We can still call such a module from within a host process by instantiating it and using wasi.start(instance) which invokes its _start (the WASI entry that calls main). So, we’ll likely make each module a small binary.
• Input/Output Conventions: As discussed in CLI integration, modules will receive arguments via std::env::args (already provided by WASI if we instantiate with arguments). They can also read environment variables via std::env::var for any additional config. For output, they can write to stdout (using println! or similar in Rust), which will be captured by the host. Modules performing complex operations (like returning a large data structure) might write to a file or simply format the output as text/JSON.
• Minimal Dependencies: Each module should be as lightweight as possible. We will avoid linking large Rust crates that bloat the WASM, to keep module size small. The binary size affects load time, so using profile optimizations (panic = "abort", no debug info in release builds, etc.) is important. We might use wasm-opt (from Binaryen) in the build pipeline to further reduce size if needed.
• Memory Management: Rust’s own memory management works inside WASM as normal (with its allocator managing the linear memory). We need to be mindful of memory usage – by default, Rust’s WASM might reserve some initial memory (maybe a few pages) and it can grow up to some limit. We will set appropriate limits when instantiating (for example, Wasmtime allows setting a maximum memory size for the module). In module code, avoid unbounded allocations. If a module needs large data (like reading a huge log file), consider streaming or chunking through WASI FS APIs rather than slurping everything into memory.
• Error Handling: Modules should handle errors (e.g., inability to open a file, network timeouts) gracefully and convey that to the host. This might be via exit codes (non-zero for error) or writing an error message to stderr. We will standardize some exit codes (like 0 = success, 1 = general error, etc.) and ensure the host interprets them if needed.
For example, a simple Rust module for the logs command might look like:
fn main() {
// Parse args (e.g., filter keyword)
let filter = std::env::args().nth(1).unwrap_or_default();
// Open a pre-defined log file (the host will grant access to, say, /var/log/app.log via WASI preopen)
if let Ok(mut file) = File::open("/var/log/app.log") {
let mut contents = String::new();
file.read_to_string(&mut contents).unwrap();
for line in contents.lines() {
if filter.is_empty() || line.contains(&filter) {
println!("{}", line);
}
}
} else {
eprintln!("Error: cannot open log file");
std::process::exit(1);
}
}
This hypothetical module reads a log and filters lines. It uses only WASI-supported calls (opening a file, reading, printing). At compile time, we’ll ensure it’s built for wasm32-wasi. We might use wasm-bindgen only if we need to export specific functions or interface with JavaScript, but for pure WASI it’s not necessary.
Security Restrictions via WASI
One of the major advantages of using WASM/WASI is the capability-based security model. By default, a WASM module cannot access any host resource unless explicitly allowed . We will leverage this heavily:
• Filesystem Access: If a command needs to read/write files, we will pre-open specific directories for it. For instance, in the log analysis example, the host might pre-open /var/log as a directory in the WASI context (mapped perhaps to /logs within WASM). The module can only see files under that directory – it cannot arbitrarily open /etc/passwd or other sensitive files unless we allow it. This ensures each command only touches what it should. If a command doesn’t need any file access, we won’t preopen anything, and any attempt to use open will fail.
• Network Access: WASI networking is still experimental (WASI does not yet have stable sockets API as of 2025). However, there are proposals and some runtimes have extensions for sockets. We have two approaches: (a) Use a WASI socket API if available in Wasmtime/Wasmer (likely requiring enabling experimental features) to allow a module to make network connections in a controlled way (e.g., only certain hostnames or addresses). Or (b) More simply, forbid direct network access from WASM, and instead provide host “proxy” functions for specific actions (like a module can call a host import to fetch a URL, if that’s needed). Initially, we will likely disallow network from inside modules to maintain isolation, unless a use-case demands it (like a network scanner module – which actually is a use-case!). For a network scan command, we might handle it by the host providing a minimal capability (e.g., a host-side implementation that can ping an address list given by the module, or use something like Wasmtime’s networking extension with proper sandboxing). Capability-based security isn’t as clear-cut for networking yet, but we will restrict as much as possible (maybe only allow connecting to certain subnets for the scanner, etc., configured by policy).
• WASI Rights and Permissions: WASI allows controlling access to clocks, random number generators, etc. For instance, if a module doesn’t need to get the time or random, we could remove those imports (though usually not necessary to be that strict). The default is that WASM has no access to things like system clock or entropy unless provided. We will provide a secure random (so modules can use randomness for crypto if needed) via WASI, and allow time functions, as these are generally harmless.
• No Shared Memory unless needed: We will not enable shared memory (threading) by default, so modules can’t create shared memory segments to communicate with each other or break isolation. Each module runs in its own isolated memory space. This also means no data races or interference between concurrently running modules.
• Crucial Security Principle: Least privilege. When launching a module, the host will grant it only the resources it absolutely requires. For example, if the update-config command only needs access to a specific config file, we open only that file (or its directory) for the module. If the scan command needs raw sockets (for ICMP ping perhaps), we might grant it a special capability or run it under a controlled context where it can open an AF_INET socket (with appropriate OS-level permissions, possibly using a privileged helper rather than WASM directly). Each command’s requirements will be reviewed and encoded in a policy.
At development time, we’ll likely annotate modules with what they need. We might maintain a manifest file for modules, e.g.:
{
"name": "scan",
"wasi": {
"filesystem": [],
"network": true,
"env": []
}
}
(This example implies the scan module doesn’t need file access but does need network.) The agent host reads this manifest and sets up WASI accordingly. Alternatively, if using an MCP server config, we can store allowed capabilities there.
Sandbox Enforcement: It’s worth noting that WebAssembly’s sandbox is robust – the module cannot escape its memory or directly invoke host syscalls. WASI ensures system calls go through the host’s allowed interfaces . Even if a module is malicious, at worst it can consume CPU or memory (which we will also constrain). This is a key reason we chose WASM: as a sandbox, it’s much safer than running native plugins or shell commands.
Memory Management and I/O Considerations
Within each module, memory and I/O must be handled with the constraints of the WASM environment:
• Linear Memory Limits: We will configure the maximum memory for modules. For example, we might allow up to, say, 128MB per module (or less, depending on expected use) to prevent runaway allocation. Wasmtime’s API lets us set memory limits when instantiating a module . We will tune this per module type if needed (some might need more memory). If a module tries to allocate beyond this, it will trap (out-of-memory), which the host catches and reports as an error.
• Stack Size: WebAssembly uses a fixed stack size for each thread (if multi-threaded) or each fiber. In Wasmtime, stack size for async or threads can be configured, but for single-threaded sync calls it’s typically sufficient by default. If we encounter stack overflow (deep recursion) in a module, Wasmtime will trap it safely (WASM defines stack overflow behavior). We might increase the allowable stack size for modules that do heavy recursion by tweaking runtime settings, but generally encourage modules to use iterative approaches to avoid deep recursion.
• I/O Sandboxing: File I/O is already sandboxed by WASI preopens. However, we should also consider performance of I/O. Reading large files entirely might be slow, but since this is local execution, it’s often fine and similar to native speed for sequential reads. Wasm overhead on I/O is usually minimal (calls go through the host). If a module needs to process a very large file, an alternative approach is to perform the heavy lifting in streaming fashion – possibly even letting the host assist. For example, a log analysis module could read from stdin, and we have the host stream the log file content into the module’s stdin rather than the module directly opening the file. This way, the host can use efficient I/O and push data in chunks to the module. We will evaluate such patterns if needed for performance.
• Persistent State: By design, modules are ephemeral – they should not rely on any persistent state in memory between runs. If a command needs to persist data (say cache results or maintain a database), it should do so via files (with permission) or perhaps by informing the host to store something. For instance, a module could write to a known output file, and subsequent runs could read it. But from the module’s perspective, each run is fresh (like a stateless function). This aligns with the serverless model.
• Debug and DWARF Info: During development, we may compile modules with debug symbols (DWARF) to get better error messages or to use debugging tools. Wasmtime has some support for using DWARF info to map traps to source lines  . In production, we might strip these symbols to reduce size, but we could keep them if they are not too large, since they can aid in post-mortem analysis of crashes. It’s a trade-off (DWARF can increase .wasm size significantly). Perhaps we’ll have two build profiles: one for debug (with DWARF, for internal testing) and one optimized release (stripped, for deployment).
In summary, developing the modules involves writing them like small programs that assume they are running in a restricted OS. We will document for module developers what they can and cannot do (for example, “don’t try to open arbitrary paths, it won’t work; request needed paths via manifest”). With robust modules in hand, the next step is coordinating their execution across a fleet of agents, which is where the MCP integration comes in.
MCP Protocol Integration
To manage multiple agents and allow higher-level controllers or AI systems to invoke agent functions, we integrate our architecture with the Model Context Protocol (MCP). MCP is a JSON-RPC-based protocol that standardizes how AI assistants (or any clients) can call tools on remote servers . In our case, each CLI command corresponds to a tool exposed by an MCP server running on the agent. This section describes how we orchestrate controller-agent communication, ensure it’s secure, and enable hot-swapping of modules in a running system.
Controller and Agent Node Orchestration
Controller (MCP Client): The controller could be an AI system or a central orchestrator that decides which agent should run which command. It will act as an MCP client, connecting to each agent’s MCP server. For example, an AI (like Anthropic Claude or similar) might generate a JSON-RPC request saying “call the scan tool on Agent 5 with parameters X”. The controller ensures these requests are routed to the correct agent.
Agent (MCP Server + CLI): On each agent node, alongside the CLI functionality, we run an MCP server that listens for JSON-RPC requests (over a transport such as WebSockets or SSE if networked, or STDIO if the AI is local). The MCP server will advertise a list of available tools (commands) and handle incoming tools/call requests . We will integrate this with the CLI’s dispatch system: essentially, when the MCP server receives a request to execute tool “X” with params Y, it will invoke the same internal function that agent-ctl X ... would do for a local user. This could be done by internally calling the command handler or by literally spawning the CLI command as a subprocess. For efficiency, we can directly call the module (since we have the WASM runtime loaded in the agent process anyway).
Tool Registration: At startup, the agent will register all its commands with the MCP server. MCP defines a tools/list method where the server returns the names, descriptions, and parameter schemas of all available tools . We will implement this by having a static (or dynamic) registry of tools in the agent. For example, a tool entry might look like:
{
"name": "scan",
"description": "Network scan of a given subnet",
"parameters": {
"type": "object",
"properties": {
"ip": {"type": "string", "description": "IP range to scan"},
"ports": {"type": "array", "items": {"type":"number"}, "description": "Ports to scan"}
},
"required": ["ip"]
}
}
These schemas will mirror what the CLI expects. The MCP server can serve this info to any client that calls tools/list. This ensures an AI can discover what actions it can ask the agent to perform.
MCP Communication: MCP can operate over various transports depending on the deployment :
• In a local scenario, the controller could spawn the agent process and communicate via STDIN/STDOUT pipes (MCP supports STDIO transport with JSON-RPC) . This is low-latency (microseconds) and secure (since it’s not exposed to network).
• In a distributed cluster, the agent MCP server might run as a daemon listening on a localhost port or using server-sent events (SSE) or WebSocket to a central hub . We will likely use SSE or WebSocket for remote agents: the agent can initiate a connection to a central MCP router service (or the controller directly) to register itself.
• All JSON-RPC messages will be exchanged over an encrypted channel if going over a network (e.g., WebSocket over TLS). If using SSE, it might be over HTTPS.
The orchestration flow is:
1. Agents start up, connect to controller (or are dialed by controller) and provide their tool list.
2. Controller decides to execute a command on one or multiple agents (for cluster coordination scenarios).
3. Controller sends JSON-RPC request {"jsonrpc":"2.0","id":123,"method":"tools/call","params":{"tool":"scan","args":{"ip":"192.168.0.0/24"}}} to the target agent .
4. Agent’s MCP server receives it, finds the “scan” tool, and calls the corresponding WASM module (with the parameter).
5. When the module finishes, the agent sends back the result in a JSON-RPC response (or an error if it failed). The result might contain the output data, or a reference (like “output file written” message).
6. The controller (or AI) then uses that result as needed (maybe formulates a higher-level response, or triggers another action).
We will use existing MCP server frameworks if possible. For instance, there are MCP server implementations in various languages (Python FastAPI, Node, etc.). If our agent is Node-based, using @mcp-protocol/server should let us simply do something like:
const server = new MCPServer({ port: 4000 });
server.addTool("scan", schema, async (params) => {
// call agent-ctl internally or directly Wasm
return await runWasmModule("scan", params.ip, params.ports);
});
server.start();
(This pseudo-code registers a “scan” tool with a handler that calls our WASM run function.)
Multi-Agent Coordination: MCP supports a host connecting to multiple servers , so a controller could send parallel requests to many agent MCP endpoints. For example, to do a cluster-wide config update, the controller can iterate through all agents and call update-config on each (or concurrently if the MCP client supports concurrency with multiple ids). Our design ensures each agent operates independently – since the modules are local, there’s no dependency between them unless orchestrated by the controller. If needed, the controller can also orchestrate sequences (e.g., first call a tool on Agent A, then use its output as input to a tool on Agent B, etc.), and MCP’s structured results make this possible.
Secure Communication and Authentication
Security between controller and agents is paramount:
• We will enforce authentication on the MCP connections. Each agent will have an authentication token or use mutual TLS with the controller. If using WebSockets, a token (or API key) must be presented by the controller. If using a central hub, agents authenticate to the hub and so does the controller.
• Communication will be encrypted (TLS) to prevent eavesdropping or injection of commands by an attacker.
• The MCP server on the agent will be configured to only accept commands from the authorized controller. If someone tries to directly connect (if the port is open), it should reject or require auth. For extra security, the MCP port might only listen locally and the agent might establish an outbound connection to a known server (so it doesn’t accept arbitrary inbound requests).
The Model Context Protocol itself is designed with security considerations like capability advertisements and so on . Tools might require certain permissions (for example, a dangerous tool could be marked as requiring a user approval in some contexts). Our agent can incorporate such checks: e.g., if a command is particularly sensitive (like shutting down a system), the agent might confirm it’s allowed to run at this time or log an audit record.
In summary, integrating MCP allows an AI or orchestrator to seamlessly invoke the agent’s CLI functions as JSON-RPC calls, with a standardized interface. This turns our agent into a plug-and-play “tool server” in the broader AI ecosystem (like a USB device accessible to AI, as some describe MCP ).
Hot-Swapping WASM Modules
One powerful feature of this architecture is the ability to update or add new modules without restarting the entire agent service:
• Adding New Commands: Suppose we develop a new command tool (e.g., a disk usage analyzer). We can deploy the corresponding analyze-disk.wasm to the agents (via our CI/CD, see later). The agent’s CLI and MCP server can be designed to pick up new modules either on startup or even at runtime. For instance, the agent could watch a directory for new .wasm files. If one appears, it loads it, registers a new command in the CLI parser (if the CLI is persistent in memory) and adds a new tool to the MCP server’s registry. If our agent CLI is implemented to run per invocation, then adding a module simply means the next run of agent-ctl will list it. But if it’s a long-running process (like a daemon serving MCP), we might implement a command like agent-ctl reload or have a config that is SIGHUP-triggered to reload the module list.
• Updating Modules: If we need to update a module (e.g., a bugfix in scan.wasm), we can replace the .wasm file on the agent. Because modules are only loaded at invocation, the next time the command is run, it will use the new version. For a running MCP server, we can similarly unload the old module (ensuring no instance is running) and load the new one. Wasmtime and Wasmer support dropping instances safely to free memory. If the CLI process caches modules, it should invalidate or refresh the cache on update. We might incorporate module versioning in filenames (like scan_v2.wasm) to avoid confusion, or maintain a manifest mapping “scan” to the latest file.
• Downtime and Consistency: Hot-swapping should ideally not require stopping the agent. However, to avoid any inconsistency, the deployment process might quiesce the command for a moment (e.g., disable the tool in MCP list while updating, then re-enable). Alternatively, one could run multiple WASM versions side by side and route new calls to the new one. Our initial implementation will likely go with the simpler approach: during a deploy, if an agent is performing an action, we wait for it to finish, then replace the module. Because each execution is short-lived, this is typically fast. If truly needed, versioned APIs could allow running both old and new (but that complicates the interface).
• MCP Tool List Update: When modules change, the MCP server should update the results of tools/list so the controller/AI is aware of any new or removed tools. MCP allows dynamic updates; the client could periodically refresh or be notified. Possibly, we can send an MCP notification event for “tool_added” or “tool_removed” if the protocol or implementation supports it (this would be an extension, as MCP mainly defines request/response, but notifications are allowed as one-way messages). At minimum, the next time the AI queries available tools, it will see the updated list.
In practice, supporting hot-swapping means our agent needs to be a bit dynamic. If we implement it in Node.js, it’s easier to load new WASM binaries at runtime (just read the file and instantiate). In Rust, if the agent is compiled with modules embedded, that’s static – but more likely we won’t embed them, we’ll load from the filesystem. We might have a folder structure like /opt/agentctl/tools/<toolname>.wasm on each agent, populated via deployment.
Hot-swapping also implies that if something goes wrong with a new module (say it fails to initialize), the agent should handle that gracefully – maybe revert to the old version or report an error for that tool.
With MCP integration and hot-swapping, our system can be centrally managed, updated, and extended without heavy downtime. Next, we will address performance considerations to ensure this flexibility doesn’t come at the cost of efficiency.
Performance and Optimization
While WebAssembly is quite fast, we must ensure that invoking these modules on demand (potentially repeatedly) does not introduce unacceptable latency or overhead compared to native code. We will consider both the runtime performance of modules and the overall throughput of the system. Key strategies include benchmarking against native or JS implementations, caching compiled modules, and WASM-specific tuning (such as adjusting stack sizes and utilizing debug info wisely).
Benchmarking WASM vs Native and JS Agents
It’s important to quantify the overhead of using WASM modules for agent commands. We will create simple benchmarks comparing a given functionality implemented as:
• a native binary (Rust compiled to machine code),
• a Node.js script (if applicable),
• and our WASM module run via the runtime (Wasmtime or Wasmer).
Early tests (and existing research) suggest that well-optimized WASM can run very close to native speed for compute-heavy tasks, typically within 10-20% of native performance . Table 2 provides an example from a benchmark computing Fibonacci numbers, comparing native vs WASM:
Table 2: Example Performance Overhead of WASM vs Native for a CPU-bound Task 
Implementation Execution Time (s) Overhead vs. Native Max Memory Usage (MB)
Native (Rust, optimized) 0.82 – 1.8 MB
WASM (Wasmtime runtime) 0.95 +15–18% 12 MB
WASM (Wasmer runtime) 1.02 +25% 24 MB
Table 2 Notes: This benchmark   computed a large Fibonacci number. Wasmtime was ~15% slower than native and used ~10 MB more memory, while Wasmer was ~25% slower with ~22 MB more memory. Both runtimes automatically cached JIT results to improve subsequent runs.
For many command tasks (which might be I/O-bound or relatively small computations), this overhead will likely be negligible – the bottleneck might be waiting on network or reading files, where WASM’s speed is on par with native since it calls into host syscalls for I/O. However, startup latency is a concern: when a WASM module is first invoked, the runtime must compile it to native code (JIT) unless we use AOT.
Cold Start vs Warm Start: A cold start (first run) of a WASM module might take tens of milliseconds for compilation, depending on module size. Both Wasmtime and Wasmer support caching compiled code on disk . We will enable caching: e.g., Wasmtime can cache in-memory or to a file, so that if the same module is run again, it can skip recompilation. If agents have sufficient disk, we’ll store the cache in something like ~/.cache/wasmtime or a designated folder. This way, repeated calls of the same command incur much less overhead after the first time. In a scenario where the agent handles many calls, this is critical. (Alternatively, for hot paths we could use Wasmer’s AOT to precompile modules offline and deploy the native code alongside, but that ties it to architecture and is more complex.)
Throughput: If an agent needed to handle many requests per second (say dozens of MCP calls rapidly), we should measure how quickly it can spin up and tear down WASM instances. Lightweight runtimes like Wasmtime can instantiate in microseconds once compiled, so likely the overhead is low. We can also reuse an instance for multiple calls if the function can be called repeatedly without full reinit (though typical WASI programs terminate after one run). If needed, we might redesign heavy commands as persistent services (but that breaks the serverless model, so we prefer not to).
Comparison to NodeJS agent: If we had written the agent commands in pure Node.js (JavaScript), the performance might be lower for compute tasks (JS is slower for CPU-bound work). WASM gives us near C/C++ speed for those tasks. For I/O-bound tasks, Node and WASM should be similar (since both ultimately call the OS). The overhead of crossing boundary (JS to WASM) is small but not zero; in our design, once a module is running, it doesn’t call back and forth to JS frequently (it mostly stays within WASM until done). So we get the best of both worlds: convenience of a JS host (if using one) and speed of native for the task itself.
An overall finding from recent runtime evaluations is that major WASM engines (Wasmtime, Wasmer, WasmEdge) have very similar performance on most workloads . Single-pass compilers like Wasmer’s might trade off some optimization for faster startup, whereas others like WasmEdge with LLVM can sometimes exceed others in specific crypto workloads . For our purposes, any of these is likely sufficient, but we’ll stick with one unless performance issues arise. We will continuously benchmark critical commands (like those doing heavy data parsing) to ensure the overhead is acceptable. If we find a particular module is slow under WASM, we might consider optimizing it or even making it native if absolutely necessary (as a last resort, since that breaks uniformity).
Caching and Reusing WASM Modules
To optimize repeated command execution:
• On-Demand vs Preload: We could preload some frequently-used WASM modules at agent startup, keeping them in memory. For example, if heartbeat.wasm is called every minute, having it ready would save a tiny delay. Wasmtime allows instantiating a module once and calling exports multiple times, but for WASI modules (which expect to run and exit), reuse is not straightforward. Instead, we might load the module (compile it) and store the Module object, then on each invocation create a new Instance from that Module with a fresh memory and state. This avoids recompilation. We will implement a simple in-memory module cache: a map from module name to compiled Module (Wasmtime) or Artifact (Wasmer). The first time a command runs, we compile and cache. Subsequent runs (even with different parameters) reuse the compiled module.
• Disk Cache: In addition, we’ll enable the engines’ disk caching. According to one analysis, Wasmtime and Wasmer both automatically cache JIT results by default (to a temp directory, keyed by a hash of the module) . We will verify this and ensure cache location is configured appropriately. For example, if the agent is running in a container that gets redeployed, a disk cache might not persist between deployments, but while running, a cache avoids recompiling the same module if called repeatedly.
• Thread Pool for Startup: If we anticipate a burst of calls, we might preemptively compile modules in parallel threads. E.g., at launch, compile all known modules in separate threads so that the first actual call sees it ready. Wasmtime’s API is thread-safe for compilation of separate modules. This is more of a nice-to-have; initially, we can rely on lazy loading.
• Resource Reuse: For modules that open the same files repeatedly, the OS cache will already optimize that (not specific to WASM). But we might also consider persistent file descriptors: e.g., if a module runs frequently and always reads the same config file, opening it each time could be a small overhead. WASI doesn’t allow a module to inherit an already open file descriptor across runs easily (each run is fresh). The host could open the file and pass an fd in, however. This is micro-optimization likely unnecessary unless profiling shows it matters.
WASM-Specific Tuning (DWARF, Stack, Memory Limits)
There are a few low-level settings we will adjust for performance or reliability:
• DWARF Debug Info: As discussed, including debug info bloats the binary but can help in debugging. We will compile release builds of modules with debug info off (stripped) for smaller size in production. If we need to troubleshoot an issue on an agent, we can deploy a debug build just for that tool. The runtime (Wasmtime) can utilize DWARF to give clearer stack traces in traps , but in production we might accept opaque trap messages for the sake of speed and size. We’ll document a procedure for developers to reproduce issues with debug builds locally.
• Stack Size: WebAssembly’s default stack size might be around 5MB (depending on engine) for each instance execution. If a module uses deep recursion, it could hit that. We can adjust the stack size in Wasmtime via configuration (the Config object allows setting the maximum stack size for async calls) . We might raise it if needed by some module (though a recursive algorithm that deep might be reworked). Conversely, we could lower it to reduce memory overhead if our modules are lightweight, but 5MB per module run is usually fine since modules aren’t all running simultaneously in large numbers in our scenario.
• Memory Limits: By default, a WASM module’s linear memory can grow to 4GB (the maximum for 32-bit addressing) , but we likely want to cap far lower. We will set a reasonable upper limit per module, e.g., 128MB or 256MB, to avoid a runaway module consuming too much RAM on an agent . This can be set by specifying --max-memory=128MiB in some runtimes or programmatically. If a module exceeds its limit, it will crash (which is contained and reported). We should pick limits based on expected usage: e.g., log processing might need tens of MB for buffers, whereas a simple network ping module could be limited to <10MB.
• Instruction Fuel (Compute Limits): Some WASM engines provide a mechanism to measure or limit the number of instructions executed (often called “fuel”). This can be used to stop a module that runs too long (infinite loop or just very slow). As of now, Wasmtime has an optional fuel mechanism that can be enabled. We may enable this and assign, for example, a certain fuel budget per invocation correlated with a time limit. Alternatively, we can run modules with a wall-clock timeout by spawning a thread and interrupting if it exceeds, but fuel is more deterministic. We’ll explore using fuel to implement, say, a max execution time of a few seconds per command (which should be plenty for normal tasks). This adds a layer of safety: a malicious or buggy module can’t hang forever – it will be aborted by the runtime.
• SIMD and Multithreading: We should ensure that our toolchain uses modern WASM features like SIMD for performance if available. Rust will automatically use WASM SIMD proposals if enabled (and if the runtime supports it). We will enable WASM SIMD in our builds to accelerate data processing (like vectorized string operations, etc.). All major runtimes now support the SIMD extension. As for multithreading (WASM threads), we likely won’t utilize it yet, as it complicates the runtime (would need to allow shared memory and start threads in modules), and our tasks probably don’t need multi-threading at the module level (we can always parallelize at the orchestrator level by calling multiple agents). So we will keep threading disabled to maintain simplicity and security.
By implementing these performance measures, the overhead of the WASM abstraction should be minimal. In testing, we expect that for most agent tasks, there is no noticeable difference to the end user between this serverless WASM approach and a traditional native approach – except we gain all the benefits of security and flexibility.
Security
Security is a central concern for this architecture, as the agent may run untrusted or potentially harmful code (especially if an AI is generating code or commands). We have already touched on many security aspects (capability-based sandboxing, communication encryption). Here we consolidate the security strategy, focusing on how we enforce capability-based access control, isolate each command’s execution, and impose resource limits to prevent abuse.
Capability-Based Access Control (WASI Sandbox Model)
WebAssembly with WASI uses a capability-based security model, meaning that a module must be explicitly granted access to any external resource . This model aligns with the principle of least privilege:
• When the agent CLI launches a WASM module, it supplies a WASIContext that holds the capabilities (such as open file handles or network privileges) the module can use. Anything not supplied is simply inaccessible – if the module tries to open a file that wasn’t pre-opened, the call returns an error.
• By default, our modules will start with no access to the host OS except a sandboxed /tmp (perhaps a temp directory if they need scratch space) and stdio. “No syscalls possible by default” is the stance .
• We will maintain a configuration (per command) of what to allow:
• File system paths (read or read/write).
• Environment variables (if any secrets or config need to be passed, though we will avoid putting secrets in env unless needed).
• Whether network sockets are allowed (and if so, maybe restricted to certain addresses).
• Other capabilities like WASI clocks, randomness (those are harmless and usually enabled).
• These configurations can be coded or come from an external policy file. An example policy: The logs module can read files in /var/log/ and nowhere else. The update-config module can write to /etc/agent/config.yaml and nothing else. The scan module can initiate outbound TCP connections (for port scanning) but cannot open files. We’ll implement these via WASI preopens for files and likely an allow-list for syscalls if using an extended WASI (for networking, we might only allow certain socket syscalls).
At runtime, the enforcement is automatic by the WASI implementation: it will check any call against the allowed capabilities and return errors if not permitted . This means even if a module is compromised or malicious, it cannot break out of its sandbox unless the WASM runtime itself had a severe bug. Both Wasmtime and Wasmer are built with safety in mind (Wasmtime in particular is memory-safe since it’s written in Rust, minimizing risk of runtime vulnerabilities).
One should also consider side-channel attacks (like a module trying to infer information via timing, etc.), but those are beyond our threat model for now.
Isolation Policies per Command
In our system, each command execution is isolated from others:
• Memory Isolation: Each WASM instance has its own linear memory and cannot read/write another instance’s memory. We will never run two commands in the same WASM instance concurrently. If multiple commands run in parallel (perhaps the agent allows concurrent tasks), they will be separate instances, possibly separate OS threads, ensuring isolation akin to separate processes.
• Process Isolation (if needed): We could even run each WASM execution in a separate OS process as an extra layer (like invoking the Wasmtime CLI as a subprocess). This would add overhead but might be a security enhancement defense-in-depth. Initially, we might not do this, running them in-process with our agent daemon. But if we ever needed extreme isolation (maybe for a high-security environment), we have the option to containerize or put each run in a lightweight process. Because WASM is already pretty secure, this is likely unnecessary overhead.
• No Persistent State Sharing: As mentioned, modules don’t share global variables or files unless explicitly done through host. So one command cannot covertly pass data to another except via normal channels (e.g., writing a file that another later reads, which we would control via policy).
• MCP Multi-tenant Isolation: If the AI (controller) is controlling multiple tools on one agent, it might instruct sequences. We ensure that even if it calls two tools on the same agent, those tools cannot interfere with each other’s operation except through intended means. The agent’s MCP server will queue or run them in separate threads as appropriate.
Given these isolation measures, a failure or compromise in one command should not cascade. For instance, if the scan module crashes due to an assert, it won’t take down the agent process (we catch the trap). If it somehow tries to consume all memory, it’s limited and will be terminated. If it attempts forbidden access, it simply gets an error without affecting anything else.
Resource Constraints and Enforcement
To prevent denial-of-service or resource abuse:
• CPU Limits: We discussed using instruction fuel or timeouts. We will implement a maximum execution time per command (for example, 5 seconds by default, configurable per tool). The host can measure the wall time and abort if limit exceeded (perhaps by dropping the WASM instance or using an async cancellation). Wasmtime’s fuel mechanism, if enabled, can incrementally check the instruction count. Alternatively, running the WASM in an async context and using a tokio timeout (if Rust) or setTimeout (if Node) to interrupt might be used. Ensuring the runtime can be interrupted is key (Wasmtime allows sending an interrupt signal to break out of execution, which we can invoke on timeout).
• Memory Limits: We will enforce memory caps as described. This also covers preventing a module from allocating until the host OS swaps to death.
• File Descriptor Limits: A module could theoretically try to open many files or sockets to exhaust resources. We can set a cap on how many files a WASI instance can have open (WASI itself doesn’t have an explicit limit, but we can limit at the host by not preopening unlimited directories or by counting opens). In practice, if a module tries to open hundreds of files in an allowed directory, the OS/user limits (ulimit) and the fact it can only open what’s in one directory mitigate the system-wide effect. We might not worry too much unless use-case dictates.
• Sanitization of Outputs: If an AI is consuming outputs, ensure the module’s output cannot accidentally break the protocol. For example, if a module prints some special sequence that could be interpreted wrongly by the MCP client, we should handle it. Since MCP transmits results as JSON, our agent should ensure to JSON-encode any data properly. For CLI usage, sanitizing terminal control characters might be a consideration to prevent messing up terminals (though not a security issue per se, more of user experience).
• Code Integrity: Only trusted parties should be able to deploy/change WASM modules on agents. This is more of an operational security detail: we will sign or checksum the modules delivered to agents to avoid tampering. Possibly the MCP server could also expose a tool to update modules, but that would itself be restricted to administrative use.
Finally, we should plan for audit and logging. The agent will log all commands executed (who invoked them and results), especially those invoked via MCP. This helps in detecting any misuse or abnormal behavior. For example, if an AI triggers a dangerous sequence of actions, we have an audit trail.
Emergency Stop: In case something goes wrong (a module misbehaves in an unforeseen way), the agent should have an emergency stop mechanism. This could be as simple as the host process killing the WASM thread if it detects anomaly, or an admin sending a command to disable certain tools.
By combining the intrinsic security of WebAssembly with careful host-side policies, the system will be robust against both accidental mishaps and malicious attempts to break out or misuse resources . Next, we cover how this system is built, tested, and deployed in a CI/CD pipeline.
CI/CD and Deployment
To manage the development and deployment of potentially many WASM modules and the agent itself, we will set up a continuous integration/continuous deployment pipeline. This covers building the modules, versioning them, deploying to agents (possibly via the MCP channel or traditional config management), and testing each component in isolation.
Build Pipeline for WASM Modules
Our CI process (e.g., using GitHub Actions or Jenkins) will include jobs to build all WASM modules from source:
• Rust Modules: Use cargo build --release --target wasm32-wasi for each module crate. We might have a workspace with multiple crate packages, one per command, or a monorepo structure. Each build produces a .wasm file. We will then run wasm-strip to remove unnecessary sections, and possibly wasm-opt -O2 for extra optimization if build times permit.
• If using wasm-pack for integration with NPM, CI can run wasm-pack build which outputs pkg/ with .wasm plus JS wrappers. This is useful if we publish to NPM for others, but for our deployment to agents, we might not need the JS glue since our host can directly load the WASM. However, having an NPM package for each module could be part of how we distribute them (especially if using npx to fetch modules dynamically). We will decide if modules are packaged individually or just shipped as part of the agent distribution.
• AssemblyScript Modules: If any, run the AssemblyScript compiler (asc) to produce WASM. Ensure optimization flags are on (like -O3). Also run any binaryen optimization passes if needed. The CI must also produce the appropriate definition files if needed.
• Artifact Storage: The built .wasm binaries will be stored as artifacts and possibly published. For instance, we might attach them to a GitHub Release or push to an internal artifact repository. If using WAPM, we could publish them as WAPM packages as well. Or if using NPM, publish the @myorg/agent-tool-scan etc. for each. This way, an agent could fetch a module by version number.
• We will version each module (e.g., scan v1.0.0) and use semantic versioning for changes. The agent might enforce that only a certain compatible version range is accepted unless updated.
Versioning and Deployment via MCP or Other Mechanisms
Deployment of the agent and its modules can be done in a few ways:
• Agent Application Deployment: The agent-ctl host (and MCP server) will itself be deployed as a binary or service to each target machine. This could be via a container, a system package, or even an NPM global package if it’s Node-based. We’ll use standard devops practices (for example, build a Docker image containing the agent and its modules).
• WASM Module Deployment: Modules (the .wasm files) could either be packaged inside the agent deployment (baked into the image or installed to a directory), or they could be fetched on demand from a central repository. Using MCP for deployment is intriguing: we could have an MCP tool on each agent like “update_module” that takes a URL or package name and updates the module. But initially, it might be simpler: when we want to update modules, we roll out a new agent version or use configuration management to push new wasm files to the agents’ modules directory.
However, since the question hints “deployment via MCP”, we can outline a scenario: The controller could distribute module updates by calling a special admin tool on each agent which downloads the new WASM from a secure source and swaps it in. This would be a controlled approach where the central orchestrator manages versions (similar to how Kubernetes might push a new container, here we push a new wasm).
Alternatively, the agent could poll a central service for new module versions periodically.
• Version Compatibility: Both agent host and modules have versions. We must ensure an agent can load a module of a given version. If we keep backward compatibility in interfaces, older agent could run newer module as long as the basic WASI interface hasn’t changed. We might enforce that agent and modules are updated together to avoid any mismatch (especially if the host expects certain behavior from a module). In practice, tying module deployment to agent software deployment is simpler for consistency.
• Continuous Deployment: If we use a tool like Terraform or Ansible, after CI produces new modules, a CD pipeline can ship them to all agents (or a selected group for canary testing). Once updated, the MCP tool list will reflect new capabilities or improvements.
Testing Frameworks for Isolated WASM Execution
Testing is crucial to ensure each WASM module performs its job correctly in isolation (unit tests) and as part of the agent (integration tests).
• Unit Testing Modules: For Rust modules, we can write unit tests in Rust and run them using cargo test in a native environment for logic that is not WASI-specific. For any WASI-specific behavior (like file access), we might use simulators or just ensure logic works with given inputs/outputs. Additionally, we can test the compiled WASM directly using a runtime in CI:
• Use Wasmtime CLI in CI to run the .wasm with sample inputs and verify outputs. For example, after building scan.wasm, run wasmtime run scan.wasm -- --ip 127.0.0.0/30 and capture output to see if it matches expected text.
• We can automate such tests with a script that iterates over all modules, executes them with predefined test arguments (perhaps the modules can have a self-test mode or we just simulate input files as needed).
• There are testing frameworks emerging for WASM. One could embed Wasmtime in a test harness to call exported functions directly. But since our modules are WASI programs, treating them as black-box executables is fine for testing their end-to-end behavior.
• Integration Testing Agent CLI: We will also test the agent-ctl command itself. For example, run agent-ctl scan --ip 127.0.0.1/32 in a controlled environment and verify it prints the expected result (maybe “Host is up”). This can be done in CI by launching the CLI with dummy modules or a real module but using a fake environment (like a fake log file for log command).
• MCP Integration Testing: We should simulate an MCP client in tests. Possibly write a small test that starts the agent in MCP server mode (maybe on a local port), then sends a JSON-RPC message to it, and checks the response. This ensures our JSON encoding, parameter passing via MCP, etc., work correctly. We might use Python or Node to easily send these JSON-RPC calls in tests. For example, using curl or a websocket client if needed.
• Security Testing: Write tests to ensure isolation: try to open a disallowed file from within a module and ensure it fails. Try a long-running loop and see that our timeout stops it. These are more like dynamic tests that we might run in a staging environment to validate our constraints.
• Performance Testing: Although not every CI will include heavy performance tests, we might have a scheduled job or a special mode to run benchmarks of certain modules (as discussed, comparing with native or measuring execution time under load).
• Continuous Fuzzing (optional): For critical modules, we could employ fuzz testing by feeding them random inputs via WASM to see if they crash or behave oddly. And for the host, fuzzing input commands (ensuring parser security) might be prudent.
The testing frameworks to use include standard ones (Rust’s test, perhaps Wasmtime’s WASI testsuite if applicable, etc.). We might incorporate the WASI official testsuite to ensure our runtime behaves (but since we rely on Wasmtime/Wasmer, that’s mostly their concern, still good to verify environment is correct).
Finally, ensure that any new module added has accompanying tests and that our CI gating requires tests to pass before deployment.
With build and test processes in place, the team can rapidly iterate: develop a new module or update, have CI compile and test it in WASM form, then deploy to agents where it becomes immediately available via the serverless CLI system.
Use Case Examples
To solidify the plan, here are a few example scenarios of how this WASM-based CLI agent would function in practice, demonstrating its capabilities:
• Network Scan (Security Audit Tool): An administrator or AI triggers a network scan on multiple agents: e.g., agent-ctl scan --ip 10.0.0.0/24 --ports 22,80,443. The scan WASM module, written in Rust, takes the IP range and port list, and uses permitted socket calls (or a host-provided ping utility) to check host availability and open ports. It writes results to stdout or a report file. Running under WASI, it cannot modify system settings or access files (ensuring a rogue scan tool can’t, say, exfiltrate data outside its scope). The results from each agent are gathered (maybe via MCP returning JSON data), and the controller aggregates them into a network map. The performance overhead of WASM is minimal compared to network latency, and the benefit is that the same scan tool runs on Windows or Linux agents identically without recompilation.
• Log Analysis (Troubleshooting Automation): Suppose an AI assistant needs to find error patterns in logs across a cluster. It uses MCP to call the logs tool on each agent: logs --filter "ERROR". Each agent’s logs.wasm module reads the local log file (allowed via preopen to /var/log), filters lines, and returns matching entries. The WASM sandbox ensures the tool can’t read other sensitive files. Even if one agent’s log file is huge, the module is optimized to stream through it. The AI collects all error lines and perhaps calls another tool to collate or summarize them. Because each log file might have different format, one could update the log parsing module easily if needed (hot-swap a new version that knows how to parse a new log format).
• Configuration Updates (Self-Healing Infrastructure): An automated workflow decides to update a configuration on all agents (for example, toggling a feature flag in a config file). The controller invokes update-config tool with parameters for the key and value to change. The update-config.wasm module on each agent (written in Rust) safely opens the specific config file (e.g., only allowed to open /etc/agent/config.yaml), modifies the key, and saves it. Thanks to WASI, it cannot edit any other file, preventing broad accidental changes. After updating, it might even call another internal function to restart a service (this could be done by outputting a signal that host picks up, or via an MCP call to a “restart” tool). The ability to run the exact same WASM logic on all nodes (regardless of OS differences in file path or format, which we normalize via the module) ensures consistency.
• Cluster-Level Coordination (Multi-Agent Task): For a more complex scenario, imagine deploying a new version of an application across a cluster. The AI (or orchestrator) might do: call download-update tool on all agents (which is a WASM module that fetches a binary from a URL - the host might give it a permitted URL and it uses a host-provided download function to save it in a pre-specified path), then call install-update tool on each (which maybe moves files, again within allowed dirs), and then call a verify-status tool to ensure the app is running. Each of these steps is implemented in isolated WASM modules, which can be audited and tested independently. If any step fails on one agent, it can be rolled back without affecting others. The orchestrator can do these in parallel thanks to the independence of agents. The use of MCP means the orchestrator uses the same interface to trigger these tools on all agents.
• Cross-Platform Deployment: The cluster may include Linux, Windows, and Mac machines. Without WASM, one would need to build and distribute separate binaries or scripts for each platform. With our WASM approach, the same .wasm module runs on all (as long as a WASM runtime is present). The agent runtime (Wasmtime/Wasmer) abstracts the OS differences. For example, file paths in WASI use a Unix-like interface, but Wasmtime on Windows will internally translate that to Win32 calls on the allowed directory. So, the logs tool works on Windows by preopening the directory C:\ProgramData\Agent\logs as /var/log inside WASI. The module code doesn’t change. This greatly simplifies development and testing: we write the tool once in Rust, and it covers all agents. If a certain OS has a unique requirement, we can handle it in host configuration (like mapping correct paths or using an OS-specific host import if absolutely needed, but we try to avoid OS-specific logic inside modules).
These examples show how the system can be used for real DevOps tasks. In each case, the ephemeral and isolated nature of WASM modules provides safety (e.g., a faulty log parser can’t crash the agent or corrupt the system) and agility (update one module without redeploying everything).
Limitations and Mitigation Strategies
No system is without limitations. Here we outline some known limitations of using WebAssembly for this purpose and how we plan to mitigate them:
Threading Limitations
Limitation: WebAssembly (as of WASM MVP + current proposals) does not natively support multithreading within a single module unless the Threads proposal is enabled and the environment allows it. Even then, threading in WASM requires using shared memory and atomic operations, and support varies by runtime. Our agent’s tasks might want to do things in parallel (e.g., scanning multiple IPs concurrently).
Mitigation: We will handle concurrency at the host level rather than within a single WASM instance. For example, if we want to scan multiple IPs in parallel, the orchestrator can launch multiple scan tool instances (or the scan module itself could spawn asynchronous tasks via the host). Alternatively, we can implement a simple cooperative concurrency in the module (e.g., Rust async with a single thread) if needed. For CPU-bound tasks, single-thread performance of WASM is usually fine given modern speeds. If we truly need threading (e.g., a heavy computation that could benefit from multiple cores), one could compile the module with the threads proposal enabled and use a runtime like Wasmer or Wasmtime configured for it, but we’d also need to ensure the host (and OS) supports mapping thread primitives. This adds complexity and potential security concerns (shared memory could break some of the isolation guarantees if not careful). So, our primary approach: spin up multiple module instances to parallelize work across cores. The overhead is like launching multiple processes, which is acceptable for most tasks.
As a backup, if a particular module really needs threads (say for performance), we might allow it on a case-by-case basis with SharedArrayBuffer memory. This would involve:
• Enabling the threads proposal in the WASM target (Rust flags and runtime support).
• The host providing a --max-threads or similar to the runtime.
• Carefully managing that one module with threads still cannot interfere with others (which should hold since threads are contained to that module’s memory). We would treat it akin to a multi-threaded process.
I/O and System API Limitations
Limitation: WASI is still evolving. Some system operations might not be available in WASI yet. Examples:
• No built-in WASI calls for everything we might need (e.g., sending an HTTP request, system service control, privileged operations like opening raw sockets).
• Limited filesystem capabilities for certain operations (like no direct file watching, though we might not need that).
• No direct way to call OS-specific functionality or libraries from within WASM (since it can’t just FFI into arbitrary .dll/.so).
Mitigation: Use host-provided proxy services for needed functionality:
• If a module needs to make an HTTP request, the host can provide an imported function (not a standard WASI, but a custom import) that does HTTP using the host’s networking stack. For example, we could import a function host_http_get(url: ptr, len: usize) -> result for a module to call. We’d implement it in the host to use something like reqwest (Rust) or axios (Node). This way, the heavy lifting is done by the host, and the module remains sandboxed (just calling a safe function we expose).
• For controlling system services or running other programs, instead of letting WASM do it, we expose a controlled interface. Perhaps an exec(command) import that the host will execute but with very constrained input (or not at all if too dangerous).
• We should be judicious in adding such host-proxy functions because each one is a potential escalation of capability if not carefully restricted. But they are sometimes needed to fill gaps in WASI.
• Another method: when WASM can’t do X, have the orchestrator do it. For instance, if a module needs current CPU temperature (and WASI has no API for that), the orchestrator could separately call a different tool or ask the OS. Or we add a specialized WASM tool that is allowed to call a particular script on the host (like through a small shim).
• WASM Extensions like WASI-CLI and component model: The WASI ecosystem is adding new API “worlds” like wasi-sockets for network, wasi-http for making outbound HTTP calls, etc. As those standardize, we can adopt them. (E.g., Wasmtime might soon have wasi-nn, wasi-socket etc. We can upgrade the agent runtime to support those when stable, which would allow modules to directly use them.)
In summary, when something isn’t possible in pure WASI now, use a host function or handle it outside the module. Keep track of these exceptions and minimize them to maintain security.
Debugging and Observability Limitations
Limitation: Debugging WebAssembly can be more challenging than debugging native code. When a WASM module crashes or misbehaves, we don’t have as easy access to stack traces or memory dumps as native. Tools are improving, but it’s not as straightforward to attach a debugger to a running WASM in an embedding as it is to a native process.
Mitigation:
• DWARF Symbols & Source Maps: As mentioned, we can compile modules with DWARF info when debugging. Wasmtime can use this info to map a trap to a file/line . There are also projects to enable gdb/lldb to debug WASM, or even Chrome DevTools can debug WASM if you run it in a browser or Node. We might, for tricky issues, run the module under a WASM debugger environment. We will also keep the Rust source readily available and perhaps build a version that can run natively for debugging logic if needed (though that might not catch WASI-specific bugs).
• Verbose Logging in Modules: We will implement logging inside modules (maybe writing to stderr or a log file) to trace their behavior. Because attaching a debugger in production is unrealistic, good old logging is key. We might have modules honor a verbosity level via env var (e.g., if DEBUG=1 in env, module prints lots of info). The agent could then toggle that for a problematic module without restarting others.
• Host Monitoring: The host agent can monitor module execution (timing, memory usage if possible via API, etc.). We can instrument the runtime to log when modules start/finish, how long they ran, if they trapped. Wasmtime’s API provides trap information we can log. We can include the module name and input in that log for context.
• Testing and Staging: Mitigate at development time by thorough testing so that bugs in modules are caught early. Also maintain a small playground where developers can run the WASM modules in a controlled setting (perhaps even in a web browser with WASI polyfill or with wasmtime CLI).
While debugging is harder, these measures ensure we aren’t totally blind. Over time, as tooling improves (like full support for WASM in IDE debuggers), we will integrate that.
Additionally, observability: We might want metrics from our agent – e.g., how many times a tool was called, how long it took, resource used. We can gather that at the host level and export to a monitoring system. This helps identify if a tool is misbehaving (taking too long, being called too often by maybe a loop in an AI’s logic, etc.). Those metrics can be part of agent’s logs or an exposed MCP resource.
In conclusion, although WebAssembly introduces some limitations (especially around threading and low-level system access), our architecture either avoids those needs or compensates with host involvement. The benefits in security and flexibility outweigh these drawbacks. By anticipating the limitations and planning mitigations like host-provided capabilities, timeouts, and robust logging, we ensure the system remains reliable and maintainable.
Implementation Checklist
To wrap up, here is a checklist of concrete steps to implement this local serverless WASM runtime for the agent CLI system:
• Toolchain Setup:
• Install and configure Rust toolchain with wasm32-wasi target. Set up wasm-pack for packaging if needed.
• Optionally install AssemblyScript compiler for any modules to be written in TS.
• Install WASM runtimes (Wasmtime CLI for testing, Wasmer CLI, etc.) and ensure they work on target OSes.
• Set up Node.js environment (if using Node for CLI) and add @wasmer/cli and @mcp-protocol/server packages to the project.
• Agent CLI Development (agent-ctl):
• Define CLI structure (subcommands and options) using a library (Clap in Rust or Commander in Node). Implement help and parsing logic.
• Implement dispatch logic that maps subcommands to loading and executing the correct WASM module with WASI. Include argument passing conversion.
• Integrate Wasmtime (or chosen runtime) in the CLI: create a WASI context, configure preopens and limits, instantiate module, run it, capture output.
• Implement caching of compiled modules to speed up repeated calls (e.g., keep a Module or use Wasmtime’s cache config).
• Test CLI locally with a dummy module (e.g., a hello world WASM) to verify end-to-end flow.
• WASM Modules Development:
• Create project structure for each command module (Rust crate or AssemblyScript project).
• Implement the functionality for each command in Rust, respecting the guidelines (use std::fs for file access, etc.). Include appropriate error handling and output formatting.
• Write unit tests for module logic.
• Compile each to .wasm and ensure it runs with wasmtime/wasmer on the dev machine.
• For each module, create a manifest of needed capabilities (files, network, etc.) for use in host configuration.
• Optimize modules (enable LTO, strip symbols) and note any that might need debug versions.
• Security Configuration:
• In the agent CLI, implement the sandbox policies:
• Set up WASI preopen dirs as per module manifest.
• Lock down environment and restrict syscalls (if using a custom resolver for extra host calls, ensure they check permissions).
• Set memory limits and (if using) fuel/time limits for execution.
• Implement authentication for MCP (generate or configure keys/certs to be used by agent and controller).
• Document the security model for users/administrators.
• MCP Integration:
• Integrate an MCP server in the agent:
• If Node-based, instantiate @mcp-protocol/server and add tools. If Rust, implement a minimal JSON-RPC server or use an existing crate.
• Tie MCP tool calls to the same dispatch as CLI (possibly refactor CLI dispatch so MCP and direct CLI both call a common function to execute a module).
• Ensure tools/list returns all current commands with their schema. This might be static JSON or generated from a schema definition file.
• Implement secure startup of MCP (listening on appropriate interface/port, using TLS or SSH tunnel if required).
• Test calling a tool via MCP using a JSON-RPC client (simulate AI request).
• Performance Optimization:
• Enable module compilation caching (file path or use Wasmtime’s default).
• Possibly implement pre-loading of modules at agent start (depending on memory trade-offs).
• Benchmark a few modules (time a run vs native) and record baseline. Adjust settings if needed (increase stack for deep recursion, etc.).
• If using Wasmer, consider using its AOT compilation for critical modules and test speed.
• Ensure SIMD is enabled by trying a module that uses std::simd and verifying runtime support.
• CI/CD Pipeline:
• Set up repository with all modules and agent code. Configure CI to build all modules (Rust --target wasm32-wasi) and the agent (if it’s compiled, e.g., Rust binary or Node package).
• Include a test stage: run each WASM module with sample inputs using wasmtime (or node wasi) in CI and verify outputs.
• Include integration test: start agent in a test mode and simulate an MCP call or run a CLI command, checking result.
• Package artifacts: e.g., produce a tarball or container image containing agent-ctl and all .wasm modules.
• If distributing via NPM/WAPM, configure wasm-pack publish or wapm publish for modules, and npm publish for the CLI.
• Deploy to a staging environment (some test VMs or containers) for end-to-end testing with an orchestrator. Validate that an orchestrator (perhaps a script) can invoke a tool on the agent and get expected result.
• Deployment and Hot-Swap:
• Determine deployment mechanism for production (puppet/chef, kubernetes DaemonSet, etc.). Implement accordingly (e.g., helm chart for a DaemonSet if Kubernetes, or an Ansible playbook to install binary and modules).
• To enable hot-swapping, decide on strategy:
• If agents will be updated by replacing files, ensure agent watches module directory or provides an endpoint to reload. Implement that watcher or reload command.
• If using MCP to push updates, implement an admin tool in agent like update_module(name, url) and test it with a dummy module update.
• Create a versioning document to track which module versions are deployed. Possibly integrate with the CI/CD to auto-increment module versions on changes.
• Monitoring and Logging:
• Implement logging in the agent: all invocations (with timestamp, tool name, maybe truncated args) to a logfile.
• If possible, integrate with a monitoring system to emit metrics (calls count, errors count, avg execution time, etc.).
• Set up alerts for failures (e.g., if a module consistently failing or taking too long, alert ops team).
• Documentation and Examples:
• Write documentation for developers on how to add a new command module (steps to create Rust project, interface requirements, how to test it, how to submit it).
• Document for users how to install the agent, and use agent-ctl commands.
• Provide example usage scenarios (similar to those above) perhaps as scripts or in README.
• Note any limitations or things to avoid.
• Review Security Before Launch:
• Perform a security review or even a light penetration test of one agent: attempt to break out of WASM sandbox, ensure it’s not possible to access unauthorized files or memory.
• Check that all communications (MCP, etc.) are properly encrypted and authenticated.
• Validate that an agent with the runtime cannot be tricked into executing arbitrary host code (the WASM modules should be the only code they run, aside from our defined host imports).
Following this checklist will lead to a successful implementation of the WASM-based serverless CLI agent system. Each step ensures that by the end, we have a secure, flexible, and efficient solution where agents can perform a wide range of tasks through WebAssembly modules, coordinated seamlessly by higher-level controls. The end result is an architecture that is modular, easy to update, and safe by design, leveraging the best of WebAssembly for modern infrastructure automation.
Sources: The design draws upon WebAssembly and WASI principles  , performance benchmarks , and the emerging Model Context Protocol standard  to ensure the system is built on proven foundations. All considerations for runtime selection , security sandboxing , and serverless deployment have been referenced from official documentation and recent industry experiences for accuracy and completeness.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment