docs: correct WASM extension wording (WOR-145)

CHANGELOG.md

@@ -172,6 +172,17 @@ of the new YAML fields below until the version that ships them.
 
 ### Fixed
 
+- **WASM extension docs corrected.** `CLAUDE.md` previously labeled the
+  WASM surface as "WASM stub" while marketing docs claimed
+  production-grade support; the runtime is real
+  (`wasmtime` + WASI preview-1 with sandboxed memory and CPU caps,
+  stderr capture, no FS or network). `llms.txt` also incorrectly
+  claimed "WASI networking with host allowlist" but `allowed_hosts` is
+  parsed-but-inert until WASI sockets land. CLAUDE.md and llms.txt now
+  match the shipped surface.
+  ([CLAUDE.md], [llms.txt],
+  [crates/sbproxy-extension/src/wasm/mod.rs])
+
 - **E2E proxy startup flake under CPU contention.** The e2e
   `ProxyHarness` keeps its HTTP-level readiness probe, but now gives
   release/debug proxy boots a 10-second window instead of 5 seconds so

CLAUDE.md

@@ -55,8 +55,9 @@ sbproxy-rust/
     sbproxy-cache/      - response cache, KV stores (memory/file/memcached/redis)
     sbproxy-ai/         - AI gateway path (providers, routing, guardrails,
                           streaming, budgets, cost tracking)
-    sbproxy-extension/  - scripting (CEL, Lua, JavaScript, WASM stub),
-                          MCP server, feature flags
+    sbproxy-extension/  - scripting (CEL, Lua, JavaScript, WASM via
+                          wasmtime + WASI preview-1), MCP server,
+                          feature flags
     sbproxy-observe/    - metrics (sbproxy_*), events, structured logging
     sbproxy-security/   - WAF, PII redactor, certpin, hostfilter
     sbproxy-tls/        - TLS config, mTLS

llms.txt

@@ -211,7 +211,7 @@ Four engines, picked per use case:
 - **CEL** via `cel-rust`. Compiled once, evaluates in microseconds. Best for routing decisions and quick predicates. Custom functions for HTTP request inspection, hashing, time, and IP utilities.
 - **Lua** via `mlua` with the Luau runtime. Sandboxed. Best for request and response body transforms.
 - **JavaScript** via QuickJS (`rquickjs`). V8-compatible API surface. Best for teams already invested in JS tooling.
-- **WebAssembly** via `wasmtime`. WASI networking with host allowlist. Best for sandboxed plugins from any source language.
+- **WebAssembly** via `wasmtime` against WASI preview-1. Modules read input on stdin and write output to stdout; no filesystem, no network. Memory and CPU bounded per-call. Best for response-body transforms in any language with a `wasm32-wasi` target (Rust, TinyGo, AssemblyScript, Zig).
 
 Every engine sees the same context namespaces: `request`, `session`, `origin`, `server`, `vars`, `ctx`, `response`.