What is Traverse's security model?
Traverse enforces two layers of security: WASM sandbox isolation for execution, and contract validation as hard gates on input and output. A capability cannot read arbitrary memory, make network calls, or access the filesystem unless the host explicitly grants those permissions through WASI imports.
WASM sandbox
Every capability runs inside a Wasmtime sandbox. WASM has a defined memory model with no access to host memory outside the instance's linear memory. Syscalls are mediated through WASI. By default, Traverse grants no WASI capabilities — no file access, no network, no environment variables. You grant only what a capability explicitly needs.
Contract as a security gate
The contract defines what inputs are valid and what outputs are acceptable. The runtime rejects any call that does not satisfy the preconditions before the WASM binary ever runs. A malformed or unexpected input that could cause undefined behavior inside the WASM module never reaches the module.
Supply chain considerations
WASM binaries are deterministic and can be checksummed. You can verify a registered capability binary against a known hash before deploying, and Ed25519 artifact signature verification is implemented. The runtime checksum gate itself is not yet enforced automatically in verify_artifact, and Sigstore verification is currently a stub — see the security audit for exact status. The registry stores the binary alongside the contract, so you can audit both. This matters when running third-party capabilities.
What Traverse does not provide
- Authentication or authorization — who can call a capability is your responsibility
- Network security — the MCP server transport security is your responsibility
- Key management or secret injection into capabilities
- Runtime monitoring or anomaly detection
Traverse gives you a sandboxed, contract-validated execution environment. Layering auth, transport security, and observability on top is your design decision. For a full breakdown of current gaps — including the MCP server's lack of authentication and the HTTP server's insecure default mode — see the security and permanence audit.