Open-source WASM cloud runtime with real TCP and full ingress routing.
Most WASM-cloud runtimes either block raw sockets entirely or stub them out. Sarwasm keeps wasi:sockets wired in and gates it behind a per-worker network policy so operators stay in control. Pair that with container-mode workers (std::net::TcpListener + your favourite framework) and you get a runtime that hosts ordinary Rust / Go / JS / Python application servers in WASM, with vhost ingress, wildcard multi-tenancy, and replica fan-out.
| Cloudflare Workers | sarwasm | |
|---|---|---|
| Outbound TCP | ❌ blocked | ✅ policy-gated |
| Bring your own framework | ❌ wasi-http only | ✅ container mode |
| Multi-tenant ingress | ❌ external | ✅ vhost + wildcard |
| Self-host | ❌ | ✅ single binary |
| License | proprietary | MIT |
# Install toolchain
rustup target add wasm32-wasip2 --toolchain 1.86
cargo install cargo-component --locked
# Build sarwasm
git clone https://github.com/aimtune/sarwasm.git && cd sarwasm
cargo build --release -p sarwasm-cli
# Build a worker (in your project dir)
sarwasm build --release # → handler.wasm
# Run
./target/release/sarwasm server --config sarwasm.tomlFor a 5-minute walkthrough see the Quickstart docs.
Full docs (Docusaurus site) live under website/ and are published to https://sarwasm.aimtune.dev.
Highlights:
- Architecture — runtime, gateway, component model
- Worker modes — proxy vs container, when to use which
- Ingress routing — vhost + wildcard + specificity
- Network policy — outbound TCP allowlist with DNS hostnames
- Multi-tenant guide — per-tenant exact host, shared wildcard, hybrid
- Container worker walkthrough — Rust + axum + Postgres example
- CLI reference —
sarwasm build+sarwasm server - Rust SDK —
sarwasm::listen()& friends
sarwasm/
├── crates/
│ ├── sarwasm-runtime/ wasmtime host, stores, WASI wiring
│ ├── sarwasm-net/ NetworkPolicy engine
│ ├── sarwasm-gateway/ axum HTTP front door, vhost dispatch, replicas
│ └── sarwasm-cli/ single binary (`sarwasm` build|server)
├── sdk/
│ └── rust/sarwasm/ tiny SDK: listen() + env helpers
├── examples/
│ ├── rust-container-hello/ minimal HTTP echo (container mode)
│ ├── rust-container-pg/ Postgres CRUD over std::net (container mode)
│ ├── rust-tcp-postgres/ proxy mode reference (wasi:http)
│ └── go-http-handler/ TinyGo + ydnar wasi-http
├── docs/
│ └── adr/ architecture decision records
├── website/ Docusaurus docs site
└── .github/workflows/ CI + release pipeline
MIT — see LICENSE.
The codebase is small (under 5k LOC across the four crates). Read CLAUDE.md for the high-level conventions. Bug reports and PRs welcome.