Zephir is a Rust-based CLI tool for packaging, unpacking, and invoking application directories inside a sandboxed environment. It supports Native binaries, WebAssembly (WASM), and Lua scripts, offering fine-grained resource control and secure isolated execution.
Ideal for serverless runtimes, sandboxed compute, or local function testing.
- ποΈ Init β Generate a default configuration file.
- π¦ Package β Package a directory into a
.zephirartifact. - π Unpack β Unpack packaged artifacts to a sandbox directory.
- βοΈ Invoke β Run unpacked artifacts inside an isolated sandbox.
- π Run β Full pipeline: unpack β sandbox β invoke.
- π Sandboxing β CPU, memory, and storage limits for safe execution.
- π§Ή Graceful Shutdown β Cleans up sandbox directories automatically.
- πͺ΅ Logging β Structured logs with prefix and debug support.
- π WASM Support β Run WebAssembly modules using a WASI-compliant runtime.
- π Lua Support β Execute sandboxed Lua scripts securely.
Ensure Rust (v1.86+) is installed.
git clone https://github.com/spyder01/zephir-rs.git
cd zephir-rs
cargo build --releaseThe compiled binary will be available at:
target/release/zephir-rs
Zephir uses a YAML configuration file (default: zephir.yaml).
name: zephir-function
function:
app:
entry: ./main.lua
bundle:
packagePath: function.zephir
artifactType: LUA # NATIVE | WASM | LUA
resources:
memory: 134217728 # 128 MB
storage: 536870912 # 512 MB
cpuLimit: 10 # 10 seconds
storage:
sandbox: zephir-sandbox/
cache: zephir-cache/
logConfig:
toFile: false
toStdout: true
prefix: "[Zephir]"
debugEnabled: falseSupported artifactType values:
NATIVEβ Compiled executablesWASMβ WebAssembly modulesLUAβ Lua scripts
zephir-rs init --output ./zephir.yamlzephir-rs package --dir ./my-function --output ./function.zephirzephir-rs unpack --config ./zephir.yamlzephir-rs invoke --sandbox ./zephir-sandbox --config ./zephir.yaml --args arg1 arg2zephir-rs run --config ./zephir.yaml| Option | Description |
|---|---|
toFile |
Write logs to a file |
filePath |
Path to log file (if enabled) |
toStdout |
Print logs to stdout |
prefix |
Log prefix label |
debugEnabled |
Enables verbose logging |
Zephir isolates execution using strict sandboxing controls:
- CPU limit: via fuel counters or process control
- Memory cap: on WASM, Lua, and native executables
- Storage quota: per sandbox directory
- Automatic cleanup: on completion or interruption
artifactType: NATIVE
entry: ./my_binaryRuns local executables with real-time stdout/stderr streaming and enforced resource limits.
artifactType: WASM
entry: ./module.wasm- Uses Wasmtime + WASI
- Preopens
/sandboxdirectory - Enforces CPU, memory, and file I/O limits
- Supports graceful shutdowns
artifactType: LUA
entry: ./main.luaRuns sandboxed Lua scripts using mlua with restricted standard libraries.
print("Hello from Lua!")
print("Sandbox path:", sandbox_path)
local f = io.open(sandbox_path .. "/output.txt", "w")
f:write("Lua execution complete.")
f:close()cargo run -- <COMMAND>
cargo testsrc/
ββ main.rs # CLI entrypoint
ββ engine/ # Core execution logic
ββ models/ # Config & data structures
ββ utils/ # FS, YAML, OS helpers
ββ logger/ # Logging setup
ββ compress/ # Zstd compression/decompression
- π¦ Rust 1.86+
- π§ Linux / macOS (Unix sandboxing features)
- 𧩠(Optional) Wasmtime for WASM runtime
- Add network namespace sandboxing
- WASM async I/O and streaming support
- Lua execution timeout controls
- Hermyx integration for cached artifact serving
- Add example templates for NATIVE / WASM / LUA projects
Weβre participating in Hacktoberfest 2025! If youβre a systems, Rust, or WASM enthusiast β this is the perfect time to contribute π
Check them out here π Good First Issues
- π¦ Implement new sandboxing features
- βοΈ Improve WASM or Lua execution engines
- π§ͺ Add unit/integration tests
- π§Ύ Improve documentation and examples
- π§° Build utility commands (e.g., resource inspector)
- π Add demo projects for all artifact types
-
Fork the repo
-
Clone your fork
git clone https://github.com/<your-username>/zephir-rs.git
-
Create a branch
git checkout -b feature/add-wasm-limits
-
Build & test
cargo run -- init cargo test -
Commit & push
git commit -m "Add CPU limit enforcement for WASM" git push origin feature/add-wasm-limits -
Open a Pull Request π
Licensed under the MIT License β see LICENSE for details.
If you like Zephir, give it a β on GitHub! It helps others discover the project and supports ongoing development.