Add seccomp feature flag (seccompiler + libc, Linux-only, optional).
When compiled with --features seccomp, weft-runtime installs a
SECCOMP_MODE_FILTER immediately after argument parsing, before any
package resolution or WASM execution.
Filter strategy: default-allow with explicit KillProcess rules for
high-risk syscalls a WASM runtime process has no legitimate need for:
ptrace, process_vm_readv/writev, kexec_load, personality, syslog,
reboot, mount/umount2, setuid/setgid/setreuid/setregid/setresuid/
setresgid, chroot, pivot_root, init_module/finit_module/delete_module,
bpf, perf_event_open, acct.
The feature is off by default so the standard build and tests are
unaffected. Enable in production service builds with --features seccomp.

Adds crates/weft-runtime/wit/weft-app.wit defining package weft:app@0.1.0
with interface notify { ready: func() }.
In the wasmtime-runtime path:
- Registers weft:app/notify@0.1.0 in the component linker before instantiation
- ready() prints

weft-runtime now parses optional flags after <app_id> <session_id>:
--preopen HOST::GUEST pre-opens a host directory at GUEST path in the
WASI filesystem (HOST::GUEST or HOST for same path)
--ipc-socket PATH sets WEFT_IPC_SOCKET env var inside the component
wasmtime-runtime path applies preopened dirs via cap_std and WasiCtxBuilder,
and injects WEFT_IPC_SOCKET when --ipc-socket is present. Stub path ignores
both flags.
weft-appd: SessionRegistry gains ipc_socket field (set to the appd Unix
socket path in run()), extracted alongside compositor_tx in dispatch(), and
forwarded to supervise() as ipc_socket_path. supervise() passes
--ipc-socket <path> to the spawned runtime when present.
cap-std added as optional dep under wasmtime-runtime feature.

Cargo.toml:
- New feature: wasmtime-runtime = [dep:wasmtime, dep:wasmtime-wasi]
- Default is off so the normal build remains lightweight.
- wasmtime 30 and wasmtime-wasi 30 added as optional dependencies.
src/main.rs:
- run_module(wasm_path) replaces the inline stub.
- cfg(not(feature = wasmtime-runtime)): prints READY and returns.
Preserves all existing test and development behaviour unchanged.
- cfg(feature = wasmtime-runtime): creates a Wasmtime Engine + Module,
builds a WASI linker with inherited stdout/stderr, prints READY, then
instantiates the module and calls _start.
READY is printed before _start so weft-appd can record the session as
Running before the app enters its event loop.
The production service binary is built with:
cargo build -p weft-runtime --release --features wasmtime-runtime

New crate: weft-runtime — the child process spawned by weft-appd to
execute WEFT application packages.
src/main.rs:
- Parses CLI arguments: <app_id> <session_id> (as per the supervisor
contract in runtime.rs).
- resolve_package(): searches user store
(~/.local/share/weft/apps/<app_id>) then system store
(/usr/share/weft/apps/<app_id>) for a wapp.toml manifest. Overridden
by WEFT_APP_STORE env var.
- Verifies app.wasm exists in the resolved package directory.
- Stubs Wasmtime execution with a TODO comment; prints 'READY' to
stdout and exits cleanly so weft-appd's supervisor can complete the
session lifecycle during development and integration testing.
Tests (2):
- package_store_roots_includes_system_path: system store path present.
- package_store_roots_uses_weft_app_store_when_set: WEFT_APP_STORE
override replaces default search list.
Also:
- Added weft-runtime to workspace Cargo.toml members.
- wsl-test.sh: added cargo test -p weft-runtime.
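
Added Rust example (not the project's code) of two pieces described in the commit messages above: parsing the optional --preopen HOST::GUEST and --ipc-socket PATH flags that follow <app_id> <session_id>, and building the package-store search list with the WEFT_APP_STORE override. The function names, the rejection of empty or relative GUEST paths, and passing the env values in as parameters are assumptions of this example; the flag names, env var and store paths come from the commits.

```rust
use std::path::PathBuf;

/// One `--preopen HOST::GUEST` mapping (`HOST` alone means the same guest path).
#[derive(Debug, PartialEq)]
pub struct Preopen { pub host: PathBuf, pub guest: String }

/// Parse a `--preopen` value. Empty halves and relative GUEST paths are
/// rejected (an assumption here) so a malformed flag cannot map "" or a
/// cwd-relative directory into the WASI filesystem.
pub fn parse_preopen(spec: &str) -> Result<Preopen, String> {
    let (host, guest) = spec.split_once("::").unwrap_or((spec, spec));
    if host.is_empty() || guest.is_empty() || !guest.starts_with('/') {
        return Err(format!("--preopen {spec:?}: need non-empty HOST and absolute GUEST"));
    }
    Ok(Preopen { host: PathBuf::from(host), guest: guest.to_string() })
}

/// Optional flags accepted after `<app_id> <session_id>`.
#[derive(Debug, Default, PartialEq)]
pub struct RuntimeFlags { pub preopens: Vec<Preopen>, pub ipc_socket: Option<PathBuf> }

/// Parse the trailing flags; every flag takes exactly one value.
pub fn parse_flags(args: &[&str]) -> Result<RuntimeFlags, String> {
    let mut flags = RuntimeFlags::default();
    let mut i = 0;
    while i < args.len() {
        let flag = args[i];
        if flag != "--preopen" && flag != "--ipc-socket" {
            return Err(format!("unknown flag {flag:?}"));
        }
        let value = *args.get(i + 1).ok_or_else(|| format!("{flag} requires a value"))?;
        match flag {
            "--preopen" => flags.preopens.push(parse_preopen(value)?),
            _ => flags.ipc_socket = Some(PathBuf::from(value)),
        }
        i += 2;
    }
    Ok(flags)
}

/// Package search roots: a WEFT_APP_STORE override replaces the default list
/// (user store, then system store). Env values are passed in for testability.
pub fn package_store_roots(app_store: Option<&str>, home: Option<&str>) -> Vec<PathBuf> {
    if let Some(store) = app_store {
        return vec![PathBuf::from(store)];
    }
    let mut roots: Vec<PathBuf> =
        home.map(|h| PathBuf::from(h).join(".local/share/weft/apps")).into_iter().collect();
    roots.push(PathBuf::from("/usr/share/weft/apps"));
    roots
}
```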