From ce5899e0d2711b2d6c952641738d502d7d77565a Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 6 May 2026 15:30:05 +0000 Subject: [PATCH 1/2] docs: correct WASM extension wording (WOR-145) CLAUDE.md described the WASM surface as "WASM stub" but the production crate ships a real wasmtime + WASI preview-1 runtime: 568 lines in crates/sbproxy-extension/src/wasm/mod.rs with sandboxed memory caps, epoch-interrupt CPU timeouts, stderr capture, no FS, no network. End-to-end coverage exists in e2e/tests/wasm.rs and examples/wasm/. Drop "stub" from CLAUDE.md and tighten the language to match reality. llms.txt claimed "WASI networking with host allowlist" but the code parses allowed_hosts as a forward-compat reservation only; sockets are not exposed today (mod.rs:23, mod.rs:113-114). Rewrite the bullet to describe the actual stdin/stdout body-transform surface. Closes WOR-145. https://claude.ai/code/session_019zc6oCY6Kx2ssiuZEQdznk --- CLAUDE.md | 5 +++-- llms.txt | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index ad84b042..d6fd6713 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -55,8 +55,9 @@ sbproxy-rust/ sbproxy-cache/ - response cache, KV stores (memory/file/memcached/redis) sbproxy-ai/ - AI gateway path (providers, routing, guardrails, streaming, budgets, cost tracking) - sbproxy-extension/ - scripting (CEL, Lua, JavaScript, WASM stub), - MCP server, feature flags + sbproxy-extension/ - scripting (CEL, Lua, JavaScript, WASM via + wasmtime + WASI preview-1), MCP server, + feature flags sbproxy-observe/ - metrics (sbproxy_*), events, structured logging sbproxy-security/ - WAF, PII redactor, certpin, hostfilter sbproxy-tls/ - TLS config, mTLS diff --git a/llms.txt b/llms.txt index efee4ee0..f4378842 100644 --- a/llms.txt +++ b/llms.txt 
@@ -211,7 +211,7 @@ Four engines, picked per use case: - **CEL** via `cel-rust`. Compiled once, evaluates in microseconds. Best for routing decisions and quick predicates. Custom functions for HTTP request inspection, hashing, time, and IP utilities. - **Lua** via `mlua` with the Luau runtime. Sandboxed. Best for request and response body transforms. - **JavaScript** via QuickJS (`rquickjs`). V8-compatible API surface. Best for teams already invested in JS tooling. -- **WebAssembly** via `wasmtime`. WASI networking with host allowlist. Best for sandboxed plugins from any source language. +- **WebAssembly** via `wasmtime` against WASI preview-1. Modules read input on stdin and write output to stdout; no filesystem, no network. Memory and CPU bounded per-call. Best for response-body transforms in any language with a `wasm32-wasi` target (Rust, TinyGo, AssemblyScript, Zig). Every engine sees the same context namespaces: `request`, `session`, `origin`, `server`, `vars`, `ctx`, `response`. From d499823ea62ab176fb8330d57abdcc029ebd6bd2 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 6 May 2026 15:39:35 +0000 Subject: [PATCH 2/2] docs: changelog entry for WOR-145 WASM doc fix https://claude.ai/code/session_019zc6oCY6Kx2ssiuZEQdznk --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 13f95abc..c62ea50c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -172,6 +172,17 @@ of the new YAML fields below until the version that ships them. ### Fixed +- **WASM extension docs corrected.** `CLAUDE.md` previously labeled the + WASM surface as "WASM stub" while marketing docs claimed + production-grade support; the runtime is real + (`wasmtime` + WASI preview-1 with sandboxed memory and CPU caps, + stderr capture, no FS or network). `llms.txt` also incorrectly + claimed "WASI networking with host allowlist" but `allowed_hosts` is + parsed-but-inert until WASI sockets land. CLAUDE.md and llms.txt now + match the shipped surface. + ([CLAUDE.md], [llms.txt], + [crates/sbproxy-extension/src/wasm/mod.rs]) + - **E2E proxy startup flake under CPU contention.** The e2e `ProxyHarness` keeps its HTTP-level readiness probe, but now gives release/debug proxy boots a 10-second window instead of 5 seconds so
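Review bot: In the CLAUDE.md crate tree (patch 1/2, hunk at -55,8), the new `sbproxy-extension/` entry names the runtime ("WASM via wasmtime + WASI preview-1") but says nothing about the sandbox boundary, which is the part the commit message calls out as misdocumented. Since this entry is what a reader of CLAUDE.md sees first, consider appending "no FS, no network" inside the parentheses so CLAUDE.md and the llms.txt bullet describe the same surface and nobody infers egress from the word WASI alone.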
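Review bot: In the llms.txt WebAssembly bullet (patch 1/2, hunk at -211,7), the "WASI networking with host allowlist" claim is dropped without saying what happens to `allowed_hosts`, which the commit message and the changelog entry both describe as still parsed but inert. An operator who already sets that key gets no signal from this bullet that it neither enforces an allowlist nor opens sockets. Suggest adding a clause such as "`allowed_hosts` is accepted but has no effect today" after "no filesystem, no network". Separately, "Memory and CPU bounded per-call" would be more useful with a pointer to where the bounds are configured and what the caller sees when one is hit.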
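Review bot: In the CHANGELOG.md "Fixed" entry (patch 2/2, hunk at -172,6), the closing reference line cites `[crates/sbproxy-extension/src/wasm/mod.rs]` next to `[CLAUDE.md]` and `[llms.txt]`, but the diffstat for patch 1/2 lists only CLAUDE.md and llms.txt as changed, so the entry reads as if the runtime source was touched. Either drop that reference or reword it so it is clearly the code the docs were checked against. The three bracketed names are also reference-style links and this hunk adds no link definitions; confirm they are defined elsewhere in the file, otherwise they will render as literal brackets.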