wasmagent-mcp-server
This server provides a two-tool interface that collapses many downstream tools into a single, token-efficient surface.
- docs_search: Discover available downstream tools by name or substring. Call this first to learn what tools are accessible before writing any code.
- execute_code: Run JavaScript snippets inside a sandboxed kernel. The snippet can chain multiple downstream tool calls via callTool(name, args). Only the final return value is surfaced; intermediate outputs stay hidden inside the sandbox, keeping token usage low.
Key benefits:
- Chain multiple tool calls in one round-trip: orchestrate N tool calls inside a single execute_code script instead of making N separate MCP calls, reducing back-and-forth with the model.
- Token efficiency: compressing N downstream tools into just 2 tools keeps bootstrap token cost flat (O(1)) rather than growing linearly; at 30 tools this is ~13.6% of the direct MCP token cost.
- Portal mode: can federate multiple upstream MCP servers (filesystem, GitHub, memory, etc.) behind this single two-tool surface with a unified security/capability manifest.
Allows deploying agents to Cloudflare Workers runtime.
Allows downloading models from Hugging Face for local execution.
Allows using Ollama as a local model endpoint for agent execution.
Allows using OpenAI's models for AI agent interactions.
Allows exporting telemetry data via OpenTelemetry for observability.
Provides Redis-based backend for checkpointing and state persistence.
Provides Upstash-based backend for checkpointing and state persistence.
wasmagent-js
WasmAgent adds a verifiable evidence layer to agent tool use: protect tool calls, record what happened, audit the result, and turn trusted traces into training data.
Protect → Record → Audit → Train
Start in 30 seconds
Pick your entry point:
Goal | Install |
Protect tools — runtime firewall, policy enforcement, taint tracking | |
Record evidence — signed AEP records after every agent run | |
Train from traces — compliance scoring + DPO/PPO export | |
Trust Pack — 30-minute end-to-end: docs/quickstarts/trust-pack-30min.md
Related MCP server: Code Executor MCP Server
Quickstart
Three paths — pick the one that fits your use case:
Path 1 — Protect: MCP runtime firewall
Wrap any MCP server: vet tools before execution, enforce policy per call, track taint across results.
npm install @wasmagent/mcp-firewall

```javascript
import { vetTool, evaluatePolicy, taintObservation, snapshotTool } from "@wasmagent/mcp-firewall";

// `entry` is the tool descriptor advertised by the MCP server, `args` the
// arguments the model wants to pass, `consentRecords` previously recorded
// user consents and `rawResult` the tool's response.

// Before calling a tool
const snap = snapshotTool(entry, "my-server"); // hash descriptor at registration
const vetting = vetTool(entry); // static scan: injection / exfil / rug-pull
const decision = evaluatePolicy(entry.name, args, vetting, consentRecords);
if (decision.decision === "deny") throw new Error(`Blocked: ${decision.reason}`);
if (decision.decision === "ask_user") {
  // surface consent UI, then call recordConsent(...)
}

// After receiving result
const obs = taintObservation(entry.name, rawResult); // boundary-tagged, safe to assemble into the prompt
```
→ Security pack · OWASP Agentic Top 10 · Attack demos
Path 2 — Record: AEP evidence export
Emit a signed evidence record after every agent run — consumable by trace-pipeline for audit and training.
npm install @wasmagent/aep

```javascript
import { AEPEmitter } from "@wasmagent/aep";

const emitter = new AEPEmitter({ run_id: "run-001", model_id: "claude-sonnet-4-6" });

// During the run — add tool call evidence
emitter.addAction({ tool_name: "bash", outcome: "pass", exit_code: 0 });

// At the end — emit the record
const record = emitter.build();
// record satisfies the aep/v0.1 JSON Schema — ready for `evomerge validate-aep`
```
→ AEP schema · trace-pipeline 10-min tutorial
Path 3 — Execute: Sandboxed code execution
Run agent-generated code in an isolated WASM kernel — no host-process access.
npm install @wasmagent/aisdk @wasmagent/kernel-quickjs

```javascript
import { sandboxedJsTool } from "@wasmagent/aisdk";
import { QuickJSKernel } from "@wasmagent/kernel-quickjs";

// Drop into any AI SDK / LangChain / OpenAI Agents setup
const codeTool = sandboxedJsTool({ kernel: new QuickJSKernel() });
```
→ Kernel comparison · Getting started
📚 Docs · Getting started · Kernels · OWASP governance · Security pack · Changelog
What is shipped vs alpha
WasmAgent uses a five-tier maturity scale to prevent "shipped" from becoming a vague claim:
Tier | Meaning | Semver guarantee | Production use |
stable | Public API locked; breaking changes require major-version bump | Yes | Yes |
beta | Functional and used in production, but a specific limitation is documented (e.g. first-line filter only, contract still evolving) | Minor/patch only | Yes, with caveats documented |
alpha | Schema versioned; fields may be added without a breaking-change bump | No | Informed use |
demo | Demonstration or example code; not hardened for production | No | No |
research | Research-grade prototype; interfaces may change without notice | No | No |
Packages not listed here (model adapters, UI cards, etc.) follow the same scale — see each package's README or package.json wasmagent.stability field.
Package maturity
Package | Maturity | Notes |
| stable | Public API; semver guaranteed |
| stable | |
| stable | |
| stable | Published 0.1.0; gateway composes all firewall layers |
| beta | First-line filter, not adversarial-grade — keyword bag + lightweight n-gram classifier; use defence-in-depth |
| beta | v0.2 signature contract (Ed25519) shipped; schema versioned |
| alpha | GENAI_SEMCONV, AEP↔OTel bridge |
| alpha | API stable, may add fields |
| alpha | Schema versioned; may add fields without breaking |
| alpha — private | Not yet published to npm |
| alpha — private | Not yet published to npm |
| alpha | |
| alpha |
WasmAgent Ecosystem
WasmAgent is a portable, governable agent runtime for safe code execution, verifiable rollouts, and post-training data loops.
Repo | Role |
wasmagent-js (this repo) | Embedded Agent Runtime / WASM Kernel / policy / verifier / adapters |
Cloudflare flagship demo and deploy template for safe coding agents | |
Public datafactory and eval-trust backend for rollout data |
Task → Safe Runtime → Verifiable Rollout → Trajectory Export → DPO/PPO Data → Better Models
What makes wasmagent different
Three wedges where wasmagent stands apart from generic agent frameworks:
Wedge | What it means |
Sandboxed execution | Three isolation tiers — VmKernel / WASM (QuickJS·Pyodide·Wasmtime) / microVM — with a single |
Runtime compliance | |
Trace-to-training contract | Verifiable rollout branching, objective scoring, DPO/PPO export — the loop from runtime evidence to training data is first-class, not an afterthought |
# | Axis | Status |
1 | Multi-provider adapters — one | shipped |
2 | Three isolation tiers — | shipped |
3 | Cross-runtime + offline — Node / edge / browser / air-gapped laptop; | shipped |
4 | Memory layers — | shipped |
5 | Durable workflows — | shipped |
6 | Code-mode MCP — N tools → 2 tools ( | shipped |
7 | Devtools + OTel — local Studio, | shipped |
8 | Goal-directed loop — agent synthesises success criteria, verifies, retries with hints | shipped 2026-06-18 |
9 | Adaptive execution — registered fallbacks (L1) → synthesised tool (L2) → relaxed goal (L3) | shipped 2026-06-18 |
10 | MCP runtime firewall — | shipped 2026-06-25 |
Full comparison with Vercel AI SDK, LangGraph.js, OpenAI Agents JS, Mastra, CF Agents SDK: docs/compare.md
Quick Start
Tool-Calling Agent
```javascript
import { ToolCallingAgent, AnthropicModel } from "@wasmagent/core";
import { z } from "zod";

const agent = new ToolCallingAgent({
  model: new AnthropicModel("claude-haiku-4-5-20251001"),
  tools: [{
    name: "search", description: "Search the web",
    inputSchema: z.object({ query: z.string() }),
    readOnly: true, idempotent: true,
    forward: async ({ query }) => `Results for: ${query}`,
  }],
  stopPolicies: ["steps:10", "cost:0.5"], // stop after 10 steps or a cost of 0.5
});

for await (const ev of agent.run("Search for recent AI news")) {
  if (ev.event === "final_answer") console.log(ev.data.answer);
}
```
Sandboxed Code Agent
```javascript
import { CodeAgent, AnthropicModel } from "@wasmagent/core";

const agent = new CodeAgent({
  model: new AnthropicModel("claude-sonnet-4-6"),
  tools: [], // kernel executes code; no extra tools needed
  maxSteps: 10,
});

for await (const ev of agent.run("What is 42 * 1337?")) {
  if (ev.event === "final_answer") console.log(ev.data.answer);
}
```
CLI
```shell
npm install -g @wasmagent/cli

# Agent runs
wasmagent run "What is the square root of 144?"
wasmagent run "Summarise AI news" --stream | jq .

# Rollout / training data
wasmagent rank-rollout rollouts.jsonl --out ranked.jsonl
wasmagent validate-rollouts ranked.jsonl
wasmagent export-rollouts --in ranked.jsonl --format dpo --out dpo.jsonl

# MCP security (scan → guard → evidence)
wasmagent init --guard          # generate wasmagent.policy.yaml
wasmagent scan-mcp tools.json   # static risk scan, exits 1 on critical findings
wasmagent guard --config wasmagent.policy.yaml --upstream tools.json
wasmagent evidence export --input aep-records.jsonl --format json
```
GitHub Action — enforce policy in CI:
```yaml
- uses: WasmAgent/wasmagent-js/.github/actions/agent-evidence-gate@main
  with:
    policy: wasmagent.policy.yaml
    tools-file: mcp-tools.json
    fail-on-policy-violation: "true"
```
→ MCP Guard guide · Attack demos
Key Capabilities
Capability | Guide |
MCP firewall — vetTool, ScopeLease, ApprovalReceipt | |
AEP v0.2 evidence — causal chain, scope lease, taint, memory refs | |
OWASP MCP Top 10 crosswalk | |
OWASP security demo (10 scenarios) | |
Security benchmark runner | |
AEP ↔ OTel bidirectional mapping | |
AgentTeam delegation chain | |
Claim dashboard | |
Quality runners (self-consistency, reflect-refine, parallel fork-join) | |
Durable runtime (checkpoints, SSE resume, HITL) | |
Observational memory — ~22% tokens on 50-turn traces | |
Goal-directed agent with verifiers | |
Production APIs (retry, evals, OTel, React hook) | |
API stability policy |
Model Providers
First-class adapters: Anthropic · OpenAI · Doubao · DeepSeek · Kimi · Qwen · GLM · MiniMax · local llama.cpp
```javascript
// Chinese providers with thinking support
import { DoubaoModel, DoubaoModels } from "@wasmagent/model-doubao";
import { DeepSeekModel, DeepSeekModels } from "@wasmagent/model-deepseek";

// Local / offline
import { LocalModel } from "@wasmagent/model-local"; // node-llama-cpp, multi-mirror download
```
Full provider reference and proxy/custom endpoint setup: docs/guides/openai-compat-recipes.md
Ecosystem
Project | Role |
Flagship Cloudflare deploy template — wires every wasmagent-js capability into a real edge product | |
Training data factory — converts ranked rollouts into DPO/PPO datasets |
Development
```shell
bun install && bun run build
bun test packages/
bun run typecheck
bun run bench            # reproduce all README benchmarks
bun run check:branding   # CI guard: no old brand references
bun run verify:claims    # CI guard: all benchmark claims have evidence scripts
```