System Overview
The architecture follows a “Guest-Host” model where thepalyrad daemon acts as the host, managing a pool of WASM modules.
| Component | Role | Crate |
|---|---|---|
| Plugin Runtime | The wasmtime-based host that executes modules. | palyra-plugins-runtime |
| Plugin SDK | Guest-side library for building WASM modules. | palyra-plugins-sdk |
| Skills Layer | Packaging, signing, and manifest management. | palyra-skills |
| Runner | Orchestrates module resolution and execution policy. | palyra-daemon |
Architecture and Data Flow
The following diagram illustrates how a Natural Language request for a tool eventually triggers a sandboxed WASM execution via theWasmPluginRunner.
Tool Execution Pipeline
Sources: crates/palyra-daemon/src/wasm_plugin_runner.rs#96-126, crates/palyra-daemon/src/plugins.rs#13-18, crates/palyra-plugins/runtime/src/lib.rs#133-150
9.1 WASM Plugin Runtime
Thepalyra-plugins-runtime crate implements a hardened host for WebAssembly using wasmtime. It enforces strict isolation through several mechanisms:
- Resource Quotas: Every execution is bound by a
RuntimeLimitsprofile, includingfuel_budget(instruction count),max_memory_bytes, andmax_instancescrates/palyra-plugins/runtime/src/lib.rs#24-29. - Capability Grants: Plugins have no ambient access to the host. Access to HTTP hosts, secrets, or storage must be explicitly granted via
CapabilityGrantSetcrates/palyra-plugins/runtime/src/lib.rs#43-48. - Deterministic Execution: The runtime uses
epoch_interruptionand fuel consumption to prevent infinite loops and ensure predictable execution times crates/palyra-plugins/runtime/src/lib.rs#116-121.
WasmPluginRunnerPolicy in the daemon defines the global constraints for all plugins, such as whether inline modules are allowed and the maximum allowed module size crates/palyra-daemon/src/wasm_plugin_runner.rs#18-30.
For details, see WASM Plugin Runtime.
9.2 Skills: Packaging, Trust, and Audit
Skills are the distribution units for Palyra extensions. A Skill is a signed artifact containing a WASM module and askill.toml manifest that declares its identity and required capabilities.
The Skill Manifest
TheSkillManifest defines the metadata, entrypoints (tools), and requested capabilities. Entrypoints specify the input_schema and output_schema using JSON Schema, allowing the LLM to understand how to invoke the tool crates/palyra-skills/examples/echo-http/skill.toml#8-22.
Trust and Security
The system implements a multi-stage trust model:- Verification: Ensuring the artifact signature matches the publisher’s key crates/palyra-skills/src/lib.rs#24-24.
- Auditing: The
audit_skill_artifact_securityfunction scans the WASM module for suspicious imports or excessive exports crates/palyra-skills/src/lib.rs#12-12. - Trust States: Skills can be in
Quarantine,TOFU(Trust On First Use), orTrustedstates.
Hooks and Automation
The system supports aHook mechanism where plugin execution can be triggered by system events rather than direct LLM tool calls.
- Events: Supported events include
gateway:startup,skill:enabled, andskill:quarantinedcrates/palyra-daemon/src/hooks.rs#79-95. - Bindings:
HookBindingRecordmaps a specific event to aplugin_id, allowing automated responses to system state changes crates/palyra-daemon/src/hooks.rs#45-54.