|
|
|
The Native Rust/WebAssembly Extension Host for LandβποΈ
VS Code extensions run with full
Node.jscapabilities in a shared process. A malicious or buggy extension can access any file, make any network request, and read another extension's state. The extension sandbox is a policy document, not a technical boundary.
"An extension can only touch what you explicitly grant. The sandbox is enforced by the hardware, not a policy."
β
β
β
Rust API Documentationβπ
Grove is the high-performance Rust/WebAssembly extension host for the
Land Code Editor. It complements Cocoon (Node.js) by providing a native
environment for running Rust and WASM-compiled VS Code extensions. Grove
offers secure sandboxing through WASMtime, multiple transport strategies
(gRPC, IPC, WASM), and full compatibility with the VS Code API surface.
VS Code extensions run with full Node.js capabilities in a shared process - a
malicious or buggy extension can access any file, make any network request, and
read another extension's state. Grove solves this by enforcing sandboxing at the
hardware level: an extension can only touch what you explicitly grant.
Grove is engineered to:
- Provide Native Extension Hosting - Execute
Rustextensions with zero overhead through static linking orWASMsandboxing. - Enable Secure Sandboxing - Isolate untrusted extensions using
WASMtime's capability-based security model with configurable memory limits and resource controls. - Support Multiple Transports - Communicate with
MountainviagRPC,IPC, or directWASMhost function calls for flexible deployment. - Maintain Cocoon Compatibility - Share the same VS Code API surface and
activation semantics for seamless extension porting between the
Node.jsand native hosting environments.
WASM Runtime Integration - Full WebAssembly support through WASMtime,
with capability-based security, configurable memory limits, CPU throttling, and
explicit host-function grants. Extensions are sandboxed at the hardware level.
Multiple Transport Strategies - A strategy-pattern transport layer
supporting gRPC (to Mountain's Vine server on port 50052), IPC (Unix
socket for local communication), WASM (direct host function calls), and Mist
(message-bus integration with the Mist pub/sub system).
Standalone Operation - Can run as an independent process with its own
lifecycle, or connect to Mountain via gRPC for distributed deployment. The
Transport/CommonAdapter unifies all transport backends behind a single
interface.
Cross-Platform - Native support for macOS, Linux, and Windows with
platform-specific optimizations. The Binary/Main/ entry point handles platform
signal handling and daemon initialization.
VS Code API Compatibility - Implements vscode.d.ts type definitions
through the APIBridge facade, with API/VSCode.rs providing typed wrappers
for the full VS Code extension API surface including commands, windows, and
notifications.
Secure by Default - #![deny(unsafe_code)] at the crate level, WASMtime
capability-based isolation, configurable memory limits per extension, and
explicit host-function grants ensure no extension can escape its sandbox.
| Principle | Description | Key Components |
|---|---|---|
| Security First | Isolate extensions via WASMtime's capability model with configurable resource limits. Unsafe code is denied at the crate level. |
WASM/Runtime, WASM/MemoryManager, WASM/HostBridge |
| Transport Agnosticism | Multiple communication strategies behind a unified Transport/Strategy trait so deployment choice is a config flag, not a code change. |
Transport/Strategy, Transport/CommonAdapter, Transport/gRPCTransport, Transport/IPCTransport, Transport/WASMTransport, Transport/MistTransport |
| API Surface Parity | Implement the full VS Code extension API (vscode.d.ts) so extensions port seamlessly between Cocoon and Grove. |
API/VSCode, API/Types, Host/APIBridge, Host/Activation |
| Composability | Modular separation of host core, WASM runtime, transport layer, and protocol handling. Each module can be compiled and tested independently. |
Host/*, WASM/*, Transport/*, Protocol/*, API/* |
graph LR
classDef grove fill:#d0d8ff,stroke:#4a6fa5,stroke-width:2px,color:#001050;
classDef mountain fill:#f0d0ff,stroke:#9b59b6,stroke-width:2px,color:#2c0050;
classDef wasm fill:#d4f5d4,stroke:#27ae60,stroke-width:2px,color:#0a3a0a;
classDef transport fill:#fff3c0,stroke:#f39c12,stroke-width:1px,stroke-dasharray:5 5,color:#5a3e00;
classDef cocoon fill:#cce8ff,stroke:#2980b9,stroke-width:1px,stroke-dasharray:5 5,color:#003050;
subgraph GROVE["Grove π³ - Rust/WASM Extension Host"]
direction TB
subgraph HOST["Host/ - Extension Lifecycle"]
ExtHost["ExtensionHost.rs π‘ main controller"]:::grove
ExtMgr["ExtensionManager.rs π discovery + loading"]:::grove
Activation["Activation.rs β‘ activation events"]:::grove
Lifecycle["Lifecycle.rs"]:::grove
APIBridge["APIBridge.rs π vscode.d.ts facade"]:::grove
ExtHost --> ExtMgr --> Activation --> Lifecycle
Activation --> APIBridge
end
subgraph API["API/ - VS Code API Surface"]
VSCode["VSCode.rs π typed API wrappers"]:::grove
Types["Types.rs 𧱠shared type definitions"]:::grove
APIBridge --> VSCode --> Types
end
subgraph WASM_RT["WASM/ - WASMtime Runtime"]
WASMRuntime["Runtime/ π WASMtime engine + store"]:::wasm
ModLoader["ModuleLoader/ π¦ compile + instantiate"]:::wasm
MemMgr["MemoryManager/ π allocation + limits"]:::wasm
HostBridge["HostBridge/ π hostβWASM calls"]:::wasm
WASMRuntime --> ModLoader
ModLoader --> MemMgr
WASMRuntime --> HostBridge
end
subgraph TRANSPORT["Transport/ - Strategy Pattern"]
Strategy["Strategy.rs - trait"]:::transport
CommonAdapter["CommonAdapter.rs π unified backend"]:::transport
gRPC["gRPCTransport.rs"]:::transport
IPC["IPCTransport.rs"]:::transport
WASMTrans["WASMTransport.rs"]:::transport
MistTrans["MistTransport.rs π¬ pub/sub bus"]:::transport
Strategy --- CommonAdapter
CommonAdapter --- gRPC
CommonAdapter --- IPC
CommonAdapter --- WASMTrans
CommonAdapter --- MistTrans
end
subgraph PROTO["Protocol/"]
SpineConn["SpineConnection.rs 𦴠Spine protocol"]:::grove
SpineAction["SpineActionClient.rs π¬ action dispatch"]:::grove
SpineConn --> SpineAction
end
APIBridge --> WASMRuntime
HostBridge --> Strategy
SpineConn --> gRPC
end
subgraph MOUNTAIN["Mountain β°οΈ"]
VineGRPC["Vine gRPC Server πΏ"]:::mountain
end
subgraph COCOON["Cocoon π¦ complementary host"]
CocoonRef["Node.js extension host same vscode API surface"]:::cocoon
end
gRPC -- gRPC :50052 --> VineGRPC
IPC -- Unix socket --> VineGRPC
MistTrans -- message bus --> VineGRPC
Grove -.shares API surface.-> CocoonRef
Connection paths:
| Path | Protocol | Use Case |
|---|---|---|
Grove β Mountain via gRPC |
Protobuf over gRPC on port 50052 |
Distributed deployment, remote extensions |
Grove β Mountain via IPC |
Unix domain socket | Local single-machine communication |
Grove β Mountain via Mist |
Message-bus pub/sub | Event-driven, decoupled workflows |
| Grove β Cocoon | Shared API surface | Extension portability between native and Node.js hosts |
Extension β WASMtime |
WASM host functions |
Sandboxed extension execution |
APIBridge β API/VSCode |
Direct call | Typed VS Code API wrappers |
| Component | Path | Description |
|---|---|---|
| ExtensionHost | Source/Host/ExtensionHost.rs |
Main controller managing the full extension lifecycle |
| ExtensionManager | Source/Host/ExtensionManager.rs |
Extension discovery, validation, and loading |
| Activation | Source/Host/Activation.rs |
Activation events and contribution point handling |
| Lifecycle | Source/Host/Lifecycle.rs |
Extension state machine (install, enable, disable, uninstall) |
| APIBridge | Source/Host/APIBridge.rs |
VS Code API facade implementing vscode.d.ts |
| VSCode API | Source/API/VSCode.rs |
Typed wrappers for the full VS Code extension API surface |
| API Types | Source/API/Types.rs |
Shared type definitions for extension API interactions |
| WASM Runtime | Source/WASM/Runtime.rs |
WASMtime engine and store lifecycle |
| ModuleLoader | Source/WASM/ModuleLoader.rs |
WASM module compilation and instantiation |
| MemoryManager | Source/WASM/MemoryManager.rs |
Configurable memory limits and allocation tracking |
| HostBridge | Source/WASM/HostBridge.rs |
Host-to-WASM function call dispatch |
| FunctionExport | Source/WASM/FunctionExport.rs |
Export host functions to WASM guest modules |
| Transport Strategy | Source/Transport/Strategy.rs |
Transport strategy trait definition |
| CommonAdapter | Source/Transport/CommonAdapter.rs |
Unified transport backend routing |
| gRPC Transport | Source/Transport/gRPCTransport.rs |
gRPC-based communication with Mountain |
| IPC Transport | Source/Transport/IPCTransport.rs |
Inter-process communication (Unix socket) |
| WASM Transport | Source/Transport/WASMTransport.rs |
Direct WASM host-function communication |
| Mist Transport | Source/Transport/MistTransport.rs |
Message-bus integration with Mist pub/sub |
| Spine Connection | Source/Protocol/SpineConnection.rs |
Spine protocol client connection |
| Spine Action Client | Source/Protocol/SpineActionClient.rs |
Action dispatch over Spine protocol |
| Configuration Service | Source/Services/ConfigurationService.rs |
Service for managing extension-level configuration |
| Common Traits | Source/Common/Traits.rs |
Shared trait definitions for the extension host |
| Common Error | Source/Common/Error.rs |
Unified error types for the host layer |
| Runtime Build | Source/Binary/Build/RuntimeBuild.rs |
Build-time runtime configuration |
| Service Register | Source/Binary/Build/ServiceRegister.rs |
Service registration at build time |
| Entry | Source/Binary/Main/Entry.rs |
Platform entry point and daemon initialization |
Element/Grove/
βββ Source/
β βββ Library.rs # Library root (cdylib + rlib)
β βββ main.rs # Binary entry point
β βββ DevLog.rs # Development logging infrastructure
β βββ API/ # VS Code API surface
β β βββ mod.rs # Module re-exports
β β βββ VSCode.rs # Typed VS Code extension API wrappers
β β βββ Types.rs # Shared API type definitions
β βββ Binary/ # Binary initialization
β β βββ mod.rs
β β βββ Build/ # Build-time configuration
β β β βββ mod.rs
β β β βββ RuntimeBuild.rs # Build-time runtime configuration
β β β βββ ServiceRegister.rs # Service registration at build time
β β βββ Main/ # Main entry point + platform init
β β βββ mod.rs
β β βββ Entry.rs # Platform entry point and daemon init
β βββ Common/ # Shared traits and error types
β β βββ mod.rs
β β βββ Traits.rs # Core trait definitions
β β βββ Error.rs # Unified error types
β βββ Host/ # Extension lifecycle management
β β βββ mod.rs
β β βββ ExtensionHost.rs # Main host controller
β β βββ ExtensionManager.rs # Discovery and loading
β β βββ Activation.rs # Activation events
β β βββ Lifecycle.rs # Lifecycle state machine
β β βββ APIBridge.rs # VS Code API facade
β βββ Services/ # Extension-level services
β β βββ mod.rs
β β βββ ConfigurationService.rs # Extension configuration management
β βββ WASM/ # WebAssembly runtime integration
β β βββ mod.rs
β β βββ Runtime.rs # WASMtime engine and store
β β βββ ModuleLoader.rs # Module compilation + instantiation
β β βββ MemoryManager.rs # Memory allocation and limits
β β βββ HostBridge.rs # Host-to-WASM function calls
β β βββ FunctionExport.rs # Host function export to WASM
β βββ Transport/ # Communication strategies
β β βββ mod.rs
β β βββ Strategy.rs # Transport strategy trait
β β βββ CommonAdapter.rs # Unified transport backend
β β βββ gRPCTransport.rs # gRPC to Mountain
β β βββ IPCTransport.rs # Inter-process (Unix only)
β β βββ WASMTransport.rs # Direct WASM communication
β β βββ MistTransport.rs # Mist message-bus integration
β βββ Protocol/ # Protocol handling
β βββ mod.rs
β βββ SpineConnection.rs # Spine protocol client
β βββ SpineActionClient.rs # Action dispatch
β βββ Generated/ # Code-generated protocol types
β βββ grove.rs # Generated gRPC service definitions
βββ Documentation/
β βββ Rust/
β βββ doc/ # Cargo doc output
βββ Cargo.toml
βββ LICENSE
Grove serves as the native Rust/WASM extension host alongside Cocoon (the
Node.js host). Together they provide the two execution environments for the
Land editor's extension model:
| Host | Language | Runtime | Sandboxing |
|---|---|---|---|
| Grove | Rust, WASM |
WASMtime |
Hardware-enforced via capability model |
| Cocoon | TypeScript, JavaScript |
Node.js via Effect-TS |
Fiber-level process isolation |
Grove communicates with Mountain via gRPC (port 50052), IPC (Unix socket),
or the Mist message bus for event-driven workflows. It shares the same VS Code
API surface as Cocoon, enabling seamless porting of extensions between the
Node.js and native hosting environments.
The Transport/CommonAdapter abstracts all communication strategies behind a
single interface, allowing deployment flexibility - standalone process,
distributed via gRPC, or integrated with Mountain's Vine server.
- Rust 1.75 or later
- Protocol Buffer compiler (optional, for proto file modifications)
- For
WASMbuilds:rustup target add wasm32-wasi
cd Element/Grove
cargo build --releasecd Element/Grove
cargo build --target wasm32-wasi --release# All features enabled
cargo build --release --features all
# WASM only
cargo build --release --features wasm
# gRPC only
cargo build --release --features grpc| Feature | Description |
|---|---|
default |
Enables grpc and wasm |
grpc |
gRPC transport support |
wasm |
WebAssembly runtime support |
ipc |
Inter-process communication (Unix only) |
all |
All features enabled |
use grove::{ExtensionHost, Transport};
#[tokio::main]
async fn main() -> anyhow::Result<()> {
let Host = ExtensionHost::new(Transport::default()).await?;
Host.load_extension("/path/to/extension").await?;
Host.activate().await?;
Ok(())
}Grove enforces security at multiple layers:
| Layer | Mechanism |
|---|---|
| Crate level | #![deny(unsafe_code)] - no unsafe code permitted |
| Runtime | WASMtime capability-based isolation - each extension gets an independent sandbox |
| Memory | Configurable per-extension memory limits via WASM/MemoryManager |
| Resources | CPU throttling and resource controls per extension |
| Host functions | Explicit capability grants - extensions must declare required host functions |
| Type safety | Full Rust type system across the host-WASM boundary |
Grove is designed to be compatible with:
| Target | Integration |
|---|---|
| Cocoon | Shares VS Code API surface, activation semantics, and manifest parsing |
| VS Code | Implements vscode.d.ts type definitions |
| Mountain | Integrates via GroveService gRPC protocol using Vine.proto |
| Mist | Connects via MistTransport for event-driven pub/sub workflows |
- Rust API Documentationβπ
- Architecture Overview - Land system architecture
- Why WebAssembly - Why
WASMfor extension sandboxing - CHANGELOG
- Version history and release notes
- Mountain - Native desktop shell
and
gRPCbackend - Cocoon -
Node.js/Effect-TSextension host - Mist - Pub/sub message bus for event-driven workflows
This project is funded through NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program, under grant agreement No 101135429.
The project is operated by PlayForm, based in Sofia, Bulgaria. PlayForm acts as the open-source steward for Code Editor Land under the NGI0 Commons Fund grant.
|
|
|
|
|