Glyph security is centered on capability-secure WASM modules running inside host-controlled environments.
Glyph assumes modules may be untrusted. Hosts must remain safe even when loading hostile or buggy modules.
Modules can only do what the host explicitly allows.
Capabilities are:
- declared in the manifest
- granted by the host at load time
- enforced by the host runtime
Common examples include IO, storage, timers, DOM access, and engine hooks.
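The declare/grant/enforce split above, modelled in Python as an added example (this is not Glyph's own code, and the manifest format, the capability names such as `io.stdout` or `dom.write`, and the `HostRuntime` API are all assumptions made for the illustration). The host grants only the intersection of what the manifest declares and what its policy allows, and every host import re-checks the grant at call time, so a module that declares nothing, or declares more than it is given, still cannot reach the withheld resource.

```python
import json
from dataclasses import dataclass

# Capability names this host understands. Assumed for the example;
# Glyph's real capability vocabulary is not shown on the page.
KNOWN_CAPABILITIES = frozenset({
    "io.stdout", "storage.read", "storage.write", "timers",
    "dom.read", "dom.write", "engine.hooks",
})

# Constructed manifest: the module asks for more than this host will allow.
CONSTRUCTED_MANIFEST = json.dumps({
    "name": "demo-module",
    "capabilities": ["io.stdout", "storage.read", "dom.write"],
})


class CapabilityDenied(PermissionError):
    """Raised by a host import when the calling module lacks the capability."""


@dataclass(frozen=True)
class LoadedModule:
    name: str
    granted: frozenset   # capabilities the host actually handed out


def parse_manifest(text):
    """Validate the declared capability list before anything is loaded.
    Unknown names are rejected outright rather than silently ignored."""
    doc = json.loads(text)
    name, caps = doc.get("name"), doc.get("capabilities")
    if not isinstance(name, str) or not isinstance(caps, list):
        raise ValueError("manifest needs a string 'name' and a 'capabilities' list")
    requested = set()
    for cap in caps:
        if not isinstance(cap, str) or cap not in KNOWN_CAPABILITIES:
            raise ValueError(f"unknown capability in manifest: {cap!r}")
        requested.add(cap)
    return name, frozenset(requested)


class HostRuntime:
    """Minimal host: a load-time policy plus imports that re-check the grant on every call."""

    def __init__(self, policy):
        self.policy = frozenset(policy)
        self.stdout = []
        self.storage = {"config": "v1"}   # constructed host-side store

    def load(self, manifest_text):
        """Grant only the intersection of what the module asks for and what policy allows.
        Returns the module handle and the withheld set so the host can log the gap."""
        name, requested = parse_manifest(manifest_text)
        granted = requested & self.policy
        return LoadedModule(name, granted), requested - granted

    @staticmethod
    def _require(module, capability):
        if capability not in module.granted:
            raise CapabilityDenied(f"{module.name}: '{capability}' was not granted")

    # Host imports: enforcement lives here, in host code the module cannot modify.
    def write_stdout(self, module, text):
        self._require(module, "io.stdout")
        self.stdout.append(text)

    def read_storage(self, module, key):
        self._require(module, "storage.read")
        return self.storage.get(key)

    def write_storage(self, module, key, value):
        self._require(module, "storage.write")
        self.storage[key] = value


def demo():
    """Load the constructed manifest under a policy that withholds DOM access."""
    host = HostRuntime(policy={"io.stdout", "storage.read", "storage.write", "timers"})
    module, withheld = host.load(CONSTRUCTED_MANIFEST)
    host.write_stdout(module, host.read_storage(module, "config"))
    try:
        host.write_storage(module, "config", "v2")   # never declared, so never granted
        escalated = True
    except CapabilityDenied:
        escalated = False
    return {"granted": sorted(module.granted), "withheld": sorted(withheld),
            "stdout": host.stdout, "escalated": escalated}


if __name__ == "__main__":
    print(demo())
```

Two points carry over to a real host: policy is applied to the manifest's request rather than trusted from it (`dom.write` is declared but withheld), and `storage.write`, which is in the host policy but not in the manifest, is still refused, because the grant is the intersection and not the host's full allow list.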
WASM provides the execution boundary. Modules do not receive direct access to host memory or operating system resources.
Hosts should enforce upper bounds for:
- memory
- CPU time
- wall-clock time
- host handles
Module failures must terminate the module safely and return structured error information to the host.
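The four bounds listed above and the structured-failure rule, as one added example in Python (not Glyph's code). The module is simulated as a generator that yields `(op, arg)` requests to the host; real engines meter instructions and memory inside the VM, but the host-side logic is the same: every bound is checked in host code, a violation stops the module with a trap, and whatever the outcome the host gets back a `Result` record rather than an exception escaping into its own control flow. The `Limits` fields, the op names, and the trap codes are assumptions made for the illustration.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Limits:
    max_memory_pages: int      # 64 KiB WASM pages the module may own
    max_fuel: int              # abstract CPU budget; real engines meter instructions
    max_wall_seconds: float    # hard deadline regardless of what the module is doing
    max_handles: int           # open host resources (files, timers, DOM refs, ...)

class ModuleTrap(Exception):
    """Host-raised trap: the module is stopped and the reason is reported, never hidden."""
    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code, self.detail = code, detail

@dataclass
class Result:
    status: str            # "ok" or "error"
    error_code: str = ""
    detail: str = ""
    fuel_used: int = 0

class BudgetedHost:
    """Services host requests from a module while holding every bound the page lists."""
    def __init__(self, limits):
        self.limits = limits
        self.pages, self.fuel_used = 1, 0
        self.handles, self._next_handle = set(), 1
        self._deadline = None

    def _check_clock(self):
        if time.monotonic() > self._deadline:
            raise ModuleTrap("wall_clock", f"exceeded {self.limits.max_wall_seconds}s")

    def consume_fuel(self, n):
        if self.fuel_used + n > self.limits.max_fuel:
            raise ModuleTrap("cpu_exhausted", f"fuel budget {self.limits.max_fuel} spent")
        self.fuel_used += n

    def grow_memory(self, pages):
        if self.pages + pages > self.limits.max_memory_pages:
            raise ModuleTrap("memory_limit", f"{self.pages + pages} > {self.limits.max_memory_pages} pages")
        self.pages += pages
        return self.pages

    def open_handle(self):
        if len(self.handles) >= self.limits.max_handles:
            raise ModuleTrap("handle_limit", f"{self.limits.max_handles} handles already open")
        h, self._next_handle = self._next_handle, self._next_handle + 1
        self.handles.add(h)
        return h

    def close_handle(self, h):
        if h not in self.handles:
            raise ModuleTrap("bad_handle", f"handle {h!r} is not open")
        self.handles.discard(h)

    def _service(self, op, arg):
        self.consume_fuel(1)                     # every host call costs at least one unit
        if op == "compute":
            self.consume_fuel(arg)
        elif op == "grow":
            return self.grow_memory(arg)
        elif op == "open":
            return self.open_handle()
        elif op == "close":
            self.close_handle(arg)
        else:
            raise ModuleTrap("bad_request", f"unknown host op {op!r}")

    def run(self, module_fn):
        """Drive a module (a generator yielding (op, arg)) to completion or trap.
        Every outcome comes back as a Result; nothing propagates into the host."""
        self._deadline = time.monotonic() + self.limits.max_wall_seconds
        gen, reply = module_fn(), None
        try:
            while True:
                self._check_clock()
                try:
                    op, arg = gen.send(reply)
                except StopIteration as done:
                    return Result("ok", detail=str(done.value), fuel_used=self.fuel_used)
                reply = self._service(op, arg)
        except ModuleTrap as trap:
            return Result("error", trap.code, trap.detail, self.fuel_used)
        except Exception as exc:             # a bug in the module is still a contained failure
            return Result("error", "module_fault", f"{type(exc).__name__}: {exc}", self.fuel_used)
        finally:
            gen.close()                      # stop the module
            self.handles.clear()             # reclaim everything it left open

# Constructed sample modules exercising each bound.
def well_behaved():
    h = yield ("open", None)
    yield ("grow", 2)
    yield ("compute", 50)
    yield ("close", h)
    return "finished"

def fuel_hog():
    while True:
        yield ("compute", 1000)

def handle_leaker():
    while True:
        yield ("open", None)

def buggy():
    yield ("compute", 1)
    raise ValueError("unexpected state")

def slow():
    while True:
        time.sleep(0.02)
        yield ("compute", 1)

LIMITS = Limits(max_memory_pages=4, max_fuel=500, max_wall_seconds=1.0, max_handles=3)

if __name__ == "__main__":
    for mod in (well_behaved, fuel_hog, handle_leaker, buggy):
        print(mod.__name__, BudgetedHost(LIMITS).run(mod))
    print("slow", BudgetedHost(Limits(4, 500, 0.01, 3)).run(slow))
```

The `finally` block is the part worth copying: handles are reclaimed and the module is closed on every path, including the one where the module's own code raised, so a crashing module cannot leave the host holding its resources. The wall-clock check sits at the top of the loop, which means a single host call can overrun the deadline by one request; a production engine would interrupt inside the VM (epoch or fuel interruption) rather than wait for the next request.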
Specs and toolchain validation help catch capability and manifest problems before load time, but the host remains the final enforcement point.
Glyph should remain safe to embed even when the module author is untrusted.