marcoallegretti/WEFT_OS
marcoallegretti/WEFT_OS
1
0
Fork 0
mirror of https://github.com/marcoallegretti/WEFT_OS.git synced 2026-03-26 17:03:09 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
WEFT OS is a Wayland compositor and application runtime where every app is a WebAssembly component rendered in an isolated Servo WebView.
160 commits 1 branch 0 tags 472 KiB
Rust 88.9%
JavaScript 3.9%
HTML 3.7%
Nix 2.2%
Shell 1.2%
Find a file
Marco Allegretti a098b3e93d fix(shell): harden Servo shell and app shell against rendering and lifecycle failures 
- blit_software: replace expect() on softbuffer Context and Surface
  creation with log-and-skip so a frame failure does not crash the process
- blit_software: replace NonZeroU32::new(1).unwrap() with NonZeroU32::MIN
- resumed: replace create_window().expect() with a match that calls
  event_loop.exit() and returns on failure instead of unwinding
- build_rendering_ctx: return Option<RenderingCtx> instead of panicking
  when SoftwareRenderingContext creation fails; callers exit cleanly
- resumed (app-shell): exit without emitting READY when no rendering
  context is available so weft-appd observes a clean session failure
- weft-servo-shell: bound gesture forwarding to one active thread at a
  time using JoinHandle::is_finished(); excess batches are dropped with
  a debug log to prevent unbounded thread creation per event loop tick
- shell_client (both shells): replace post-ensure! unwrap() with expect()
  that documents the invariant
2026-03-13 14:01:42 +01:00
.github/workflows ci: install llvm for mozjs_sys builds 2026-03-13 12:51:48 +01:00
.vscode feat: appd IPC relay, WIT interfaces, UI kit, gesture routing, and CI hardening 2026-03-12 12:49:45 +01:00
crates fix(shell): harden Servo shell and app shell against rendering and lifecycle failures 2026-03-13 14:01:42 +01:00
docs docs: correct openSUSE package names verified against rpmfind 2026-03-12 20:52:34 +01:00
examples feat(examples): add counter and notes demo apps 2026-03-12 15:31:20 +01:00
infra build(nix): set virtualisation.graphics=false for WSL2 serial console boot 2026-03-12 22:25:02 +01:00
protocol feat: appd IPC relay, WIT interfaces, UI kit, gesture routing, and CI hardening 2026-03-12 12:49:45 +01:00
scripts feat: weft-file-portal -- sandboxed file access broker 2026-03-11 15:52:33 +01:00
.gitattributes Initialize Rust workspace and repository metadata 2026-03-10 18:47:06 +01:00
.gitignore chore: ignore generated VM artifacts 2026-03-13 12:52:11 +01:00
Cargo.lock feat(servo-embed): wire Servo deps and share Wayland surface with shell client 2026-03-12 15:16:17 +01:00
Cargo.toml feat(examples): add counter and notes demo apps 2026-03-12 15:31:20 +01:00
flake.lock build(nix): lock flake inputs for nixos-25.05 + rust-overlay 2026-03-12 23:47:00 +01:00
flake.nix build(nix): use Rust 1.93.0 via rust-overlay for all package builds 2026-03-12 21:28:14 +01:00
justfile Add repository validation and CI checks 2026-03-10 18:47:16 +01:00
README.md docs: correct openSUSE package names verified against rpmfind 2026-03-12 20:52:34 +01:00
rust-toolchain.toml Initialize Rust workspace and repository metadata 2026-03-10 18:47:06 +01:00

README.md

WEFT OS

WEFT OS is a Wayland compositor and application runtime where every app is a WebAssembly component rendered in an isolated Servo WebView. No capability is granted by default; all resource access is declared in a per-app manifest and enforced at runtime.

What is implemented

Compositorweft-compositor is a Smithay-based Wayland compositor with DRM/KMS and winit backends. It implements the zweft-shell-unstable-v1 protocol extension, which typed shell slots (panel, application) register against.

System shellweft-servo-shell embeds Servo (feature-gated, --features servo-embed) and renders system-ui.html as a Wayland panel. Without servo-embed, the binary builds as a no-op stub. Navigation gestures from the compositor are forwarded to weft-appd over WebSocket.

App shellweft-app-shell is a per-process Servo host for application WebViews. It resolves weft-app://<id>/ui/index.html, injects a weftIpc WebSocket bridge into the page, and registers with the compositor as an application surface. Also feature-gated behind servo-embed.

App daemonweft-appd supervises sessions: spawns weft-runtime, waits for READY, spawns weft-app-shell, manages the per-session IPC relay between the Wasm component and the WebView, and handles session teardown. Wraps processes in systemd scopes (CPUQuota=200%, MemoryMax=512M) when available.

Runtimeweft-runtime runs WASI Component Model binaries under Wasmtime 30 (--features wasmtime-runtime). Provides weft:app/notify, weft:app/ipc, weft:app/fetch, weft:app/notifications, and weft:app/clipboard host imports. Preopens filesystem paths according to declared capabilities.

Package managementweft-pack handles check, sign, verify, install, uninstall, list, build-image (EROFS dm-verity), and info. Validates capability strings at check time.

File portalweft-file-portal is a per-session file proxy with a path allowlist and .. blocking.

Mount helperweft-mount-helper is a setuid helper for EROFS dm-verity mount/umount via veritysetup.

Demo appsexamples/org.weft.demo.counter and examples/org.weft.demo.notes are pre-built Wasm Component binaries (wasm32-wasip2, wit-bindgen 0.53) with HTML UIs, signed with a committed demo keypair.

Repository layout

crates/           Rust workspace members
examples/         Demo app packages (wasm32-wasip2, not workspace members)
  keys/           Demo Ed25519 keypair
protocol/         zweft-shell-unstable-v1 Wayland protocol XML
infra/
  nixos/          NixOS VM configuration and package derivations
  scripts/        check.ps1, check.sh
  shell/          system-ui.html, weft-ui-kit.js
  systemd/        service unit files
  vm/             build.sh, run.sh (QEMU)
docs/
  architecture.md Component map, IPC, capability table, env vars
  security.md     Capability model, process isolation, SpiderMonkey security boundary
  building.md     Build instructions for all targets

Building

Linux system packages required (openSUSE):

sudo zypper install -y \
  libwayland-devel libxkbcommon-devel libglvnd-devel \
  libgbm-devel libdrm-devel libinput-devel seatd-devel libudev-devel \
  systemd-devel pkg-config clang cmake python3

Build non-Servo crates:

cargo build --workspace --exclude weft-servo-shell --exclude weft-app-shell

Build Linux-only crates (no Servo):

cargo build -p weft-compositor -p weft-servo-shell -p weft-app-shell

Build with Servo embedding (3060 min, requires clang + python3):

cargo build -p weft-servo-shell --features servo-embed
cargo build -p weft-app-shell --features servo-embed

See docs/building.md for full instructions including Wasm component builds, NixOS VM, and signing.

CI

Three jobs on every push and pull request:

  • cross-platform — fmt, clippy, tests on Ubuntu and Windows
  • linux-only — clippy and tests for compositor and shell crates
  • servo-embed-linuxcargo check --features servo-embed for both servo crates

Security

See docs/security.md. Key points:

  • Capabilities declared in wapp.toml, validated at install, enforced at runtime
  • Per-app OS processes with systemd cgroup limits
  • WASI filesystem isolation via preopened directories
  • Ed25519 package signing; optional EROFS dm-verity
  • Optional seccomp BPF blocklist in weft-runtime
  • SpiderMonkey is not sandbox-isolated beyond process-level isolation (see docs/security.md)

Servo fork

  • Repository: https://github.com/marcoallegretti/servo, branch servo-weft
  • Base revision: 04ca254f
  • Patches: keyboard input, backdrop-filter in stylo
  • See crates/weft-servo-shell/SERVO_PIN.md for Servo integration status and known limitations