Beta Environment Notice
TDM is currently in Beta. Exercise caution when handling assets. Use at your own risk.
Fast Export
Switch the current page to Markdown for fast agent reading, or download it as a .md file.
TDM is currently in Beta. Exercise caution when handling assets. Use at your own risk.
Fast Export
Switch the current page to Markdown for fast agent reading, or download it as a .md file.
# Execution Sandbox Summary: DaOS uses WebAssembly plus the TDM IPC ABI to run untrusted code. Every plugin installed from the TDM Hub runs in its own isolated sandbox, preventing it from accessing your host machine, files, or network without explicit permission. Status: Technical architecture Topics: - Sandboxing mechanics - WASM capability model - Plugin isolation - Memory safety Packages: - tdm-sdk Commands: - tdm workspace status
In a world of agentic plugins, Security is non-negotiable. Contour Runtime enforces a strict Zero-Trust execution model using WASM.
Unlike Docker or VMs, WASM provides Granular isolation with near-zero overhead. TDM adds a narrow JSON-RPC IPC boundary, WASI Preview1 reactor startup, and host-side capability checks.
WASM's linear memory model prevents buffer overflows and pointer manipulation outside the sandbox.
FileSystem and Network access are provided via "Capabilities" (descriptors) rather than global paths.
Code behaves exactly the same across different OSs and architectures (Windows, Linux, macOS).
By default, a new plugin has the following constraints:
The Contour Runtime uses a dedicated WASM worker sandbox to execute plugins. This architecture provides several layers of defense:
WASM modules run in a dedicated memory space. They cannot access pointers outside their own heap, making them immune to traditional buffer overflow exploits.
Marketplace WASM modules are loaded with empty WASI args, empty env, no preopened directories, and a strict WASI import allowlist. Network, tool, vault, and context access must flow through explicit host-approved intents and permissions.
Communication between the SDK and the WASM plugin happens through exported linear memory. The SDK writes a JSON-RPC request, calls tdm_plugin_execute_intent, and reads a length-prefixed JSON result.
Every DaOS plugin must implement the TDM IPC protocol. The runtime validates these exports before launch:
vault:read; only non-secret metadata and policy state are exposed.