One of the core features of WebAssembly is that WebAssembly modules are fully sandboxed: a module can access the environment only through imports and those imports must be resolved by the code that instantiates the module.
Standards like WASI change this, by allowing the runtime to resolve certain imports automatically. A security-focused runtime would make such features opt-in; that is what Wasmtime does (at least according to the Component Model documentation).
jco run should also make such features opt-in and allow them to be controlled in a similar manner to Wasmtime. We should review how similar improvements can be made to jco transpile.
This is a much better framing, thank you. There are two main approaches to sandboxing: one is the WASI-Virt project, which allows creating a component with a reduced security surface. The other is to have runtime-level sandbox configurations.
Both can make sense, although the nice thing about the WASI-Virt approach is that it can be applied to any runtime at all.
Adding basic sandboxing capabilities to jco run would be a nice feature to explore further, but it would involve various integration points to solve.
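An added example, not part of the issue thread or of jco's code: a deny-by-default import allow-list for a core WebAssembly module, which is the runtime-level approach discussed above in miniature. The module bytes, the `host.now` import and the `instantiateSandboxed` helper are constructed for illustration; it uses only the standard WebAssembly JavaScript API, not jco or Wasmtime options.

```javascript
// Constructed sample: a minimal core module that imports host.now (() -> i32)
// and exports run(), which only calls that import and returns its result.
const SAMPLE_WASM = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic, version 1
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,             // type 0: () -> i32
  0x02, 0x0c, 0x01, 0x04, 0x68, 0x6f, 0x73, 0x74,       // import module "host"
  0x03, 0x6e, 0x6f, 0x77, 0x00, 0x00,                   //   field "now", func, type 0
  0x03, 0x02, 0x01, 0x00,                               // one defined func, type 0
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01, // export "run" = func 1
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x10, 0x00, 0x0b,       // body: call 0; end
]);

// Hypothetical helper: resolve an import only if it is explicitly granted.
function instantiateSandboxed(bytes, allowed, providers) {
  const mod = new WebAssembly.Module(bytes);
  const imports = {};
  for (const { module: ns, name, kind } of WebAssembly.Module.imports(mod)) {
    const key = `${ns}.${name}`;
    if (!allowed.has(key)) throw new Error(`import not granted: ${key} (${kind})`);
    const impl = providers[ns] && providers[ns][name];
    if (impl === undefined) throw new Error(`no provider for ${key}`);
    imports[ns] = imports[ns] || {};
    imports[ns][name] = impl;
  }
  return new WebAssembly.Instance(mod, imports);
}

function demo() {
  // Host capability offered to guests; returns a fixed value, not the real clock.
  const providers = { host: { now: () => 1234 } };
  const results = { bareFails: false, denied: null, granted: null };
  try {
    // Nothing resolves the import, so the module cannot even be instantiated.
    new WebAssembly.Instance(new WebAssembly.Module(SAMPLE_WASM), { host: {} });
  } catch (e) {
    results.bareFails = e instanceof WebAssembly.LinkError;
  }
  try {
    // A provider exists, but the empty allow-list keeps it out of reach.
    instantiateSandboxed(SAMPLE_WASM, new Set(), providers);
  } catch (e) {
    results.denied = e.message;
  }
  const inst = instantiateSandboxed(SAMPLE_WASM, new Set(["host.now"]), providers);
  results.granted = inst.exports.run();
  return results;
}
```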