WASM Sandbox
Nexus OS runs agents in a WebAssembly sandbox for security and portability. Each agent gets its own isolated execution environment.
Why WASM?
| Benefit | Description |
|---|---|
| Isolation | Each agent runs in its own memory space |
| Security | No direct filesystem or network access |
| Portability | Same binary runs on any OS |
| Performance | Near-native execution speed |
| Determinism | Reproducible execution across environments |
Sandbox Architecture
┌─────────────────────────────────┐
│ Nexus OS Runtime │
├─────────┬─────────┬─────────────┤
│ Agent A │ Agent B │ Agent C │
│ (WASM) │ (WASM) │ (WASM) │
├─────────┴─────────┴─────────────┤
│ WASM Sandbox Layer │
│ Memory isolation │ Syscall │
│ Resource limits │ filtering │
└─────────────────────────────────┘Memory Limits
Configure per-agent or globally:
yaml
# Global default
execution:
memoryLimit: 256MB
# Per-agent override
agents:
researcher:
execution:
memoryLimit: 512MBHost Functions
Agents can call these host-provided functions:
| Function | Description |
|---|---|
log(msg) | Write to agent log |
http_get(url) | Make HTTP GET request |
http_post(url, body) | Make HTTP POST request |
kv_get(key) | Read from key-value store |
kv_set(key, value) | Write to key-value store |
time_now() | Get current timestamp |
Building WASM Agents
Agents can be written in any language that compiles to WASM:
bash
# Rust
cargo build --target wasm32-wasi --release
# Go
GOOS=wasip1 GOARCH=wasm go build -o agent.wasm
# AssemblyScript
asc agent.ts --outFile agent.wasm