Inside the WASM Sandbox: How Ops Runs Third-Party Code Without Risk

The Marketplace Trust Problem
Every software marketplace faces the same dilemma: how do you allow third parties to extend your platform without giving them the keys to the kingdom?
Traditional plugin systems solve this badly. A WordPress plugin runs with full PHP process permissions. A miscoded or malicious plugin can read your database, write files to your server, or exfiltrate data to an external endpoint. The user has no protection.
Ops takes a fundamentally different approach: every addon runs inside a WebAssembly sandbox.
What WebAssembly Provides
WebAssembly (WASM) is a formally verified execution environment with:
- Memory isolation: Each WASM module gets its own linear memory space. It cannot read or write memory belonging to other modules.
- No implicit I/O: A WASM module has zero access to the filesystem, network, or system calls by default. All I/O must be explicitly granted.
- Deterministic execution: The same inputs always produce the same outputs — making modules auditable.
- Near-native performance: Wasmtime compiles WASM to optimized native machine code.
Capability-Based Security
Instead of blocking malicious actions, Ops uses a positive permission model. An addon can only do what its manifest explicitly declares and what the tenant admin approves.
```yaml
name: cashback-wallet
version: 1.2.0
capabilities:
database:
- read: [customers, orders]
- write: [customer_wallets, wallet_transactions]
http:
- allowed_hosts: [] # No outbound HTTP
```
The Wasmtime engine enforces these constraints at the syscall level — even if addon code tries to make an unauthorized HTTP request, it is blocked before reaching the network stack.
Hot-Swap: Zero Downtime Updates
Because addons are isolated, Ops can install a new WASM binary while running, execute database migrations, route new API calls to the new binary, and gracefully terminate the old one — all in under 45 seconds with zero downtime.
The Rollback Safety Net
When an addon misbehaves, Ops immediately terminates the sandbox, rolls back Postgres schema migrations, alerts the tenant admin, and re-enables the previous version. The core system continues running. Other tenants are completely unaware.
An Open Marketplace by Design
With WASM sandboxing, the security guarantee is structural, not procedural. Even a deliberately malicious addon cannot escape the sandbox. This means Ops can have a truly open marketplace — any developer can publish an addon, and the security comes from the runtime, not a team of manual reviewers.
Ready to try Ops?
Create your account, install what you use, and start selling today.
Start free in 5 minutes