WASM and WASI
Forge is designed around portable agents. The Rust reference implementation is the anchor for WASM/WASI execution and shared crypto hot paths.
Goals
WASM support exists so Forge agents can:
- run in a sandboxed host
- share deterministic crypto and identity behavior across SDKs
- deploy to local WASI hosts, edge runtimes, and chain-adjacent execution
- constrain host access through explicit WASI capabilities
What belongs in WASM
Good WASM candidates include:
- identity derivation
- signature verification
- ACT verification
- schema validation
- deterministic routing helpers
- agent loop logic that does not require host-only APIs
Provider network calls, filesystem access, browser APIs, and durable workflow state usually remain host capabilities exposed to the WASM component.
Capability boundary
WASI is an execution boundary, not a trust shortcut. A WASM agent should only receive the capabilities granted by its host. Forge still applies identity, tool tiering, ACT checks, and telemetry inside that boundary.
Status
forge-wasm is the Rust-side execution surface. Cross-language SDKs can use
Rust-WASM components for shared behavior where deterministic parity matters.
See Deployment Overview and Local and WASI.