Skip to main content

Elements

Grove

Grove is the native Rust and WebAssembly extension host for Land, using Wasmtime to sandbox extensions with capability-based security instead of relying on Node.js process isolation.

Grove is Land’s native Rust and WASM extension host. It provides a sandboxed environment for running WASM-compiled VS Code extensions via Wasmtime, sharing the same VS Code API surface as Cocoon. Grove is implemented and available as an optional build feature; it is not the active extension path for existing VS Code extensions. Cocoon remains the default host for unmodified extension compatibility.

The problem Grove solves

VS Code extensions share a single Node.js process. A malicious or buggy extension can access any file on disk, make arbitrary network requests, and read another extension’s in-memory state. The extension sandbox in VS Code is a policy document enforced by trust, not a technical boundary enforced by the runtime.

Grove makes the sandbox a hardware-enforced boundary. A WASM module running inside Wasmtime has no access to the host OS by default. It can only call functions that the host explicitly exports to it. An extension that requests file access gets exactly the file handles it was granted — nothing more.

Overview

AttributeValue
LanguageRust (edition 2021)
Crate typeLibrary + Binary
WASM runtimeWasmtime (optional feature)
DependenciesCommon, wasmtime, wasmtime-wasi, tonic, prost, clap, serde
Feature-gatedNot enabled by default (opt-in: --features grove)

Architecture

Grove is organized into five layers:

+----------------------------------------------------------------+
|                      Grove                                      |
|                                                                |
|  +------------------------+  +------------------------------+  |
|  |    Host Layer          |  |    WASM Layer                |  |
|  |  - ExtensionHost.rs    |  |  - Runtime.rs (Wasmtime)    |  |
|  |  - ExtensionManager.rs |  |  - ModuleLoader.rs           |  |
|  |  - Activation.rs       |  |  - MemoryManager.rs          |  |
|  |  - Lifecycle.rs        |  |  - HostBridge.rs             |  |
|  |  - APIBridge.rs        |  +------------------------------+  |
|  +------------------------+                                     |
|                                                                |
|  +------------------------+  +------------------------------+  |
|  |    Transport Layer     |  |    API Layer                 |  |
|  |  - gRPCTransport.rs    |  |  - VSCode.rs                 |  |
|  |  - IPCTransport.rs     |  |  - Types.rs                  |  |
|  |  - WASMTransport.rs    |  |  - FunctionExports.rs        |  |
|  |  - Strategy.rs         |  +------------------------------+  |
|  +------------------------+                                     |
|                                                                |
|  +------------------------+                                     |
|  |    Protocol Layer      |                                     |
|  |  - SpineConnection.rs  |                                     |
|  |  - SpineActionClient   |                                     |
|  +------------------------+                                     |
+----------------------------------------------------------------+

Module Map

PathPurpose
Source/Host/ExtensionHost.rsMain extension host controller
Source/Host/ExtensionManager.rsExtension discovery and loading
Source/Host/Activation.rsExtension activation logic
Source/Host/Lifecycle.rsExtension startup/shutdown lifecycle
Source/Host/APIBridge.rsBridges WASM API calls to Mountain
Source/WASM/Runtime.rsWasmtime engine initialization
Source/WASM/ModuleLoader.rsWASM module loading and compilation
Source/WASM/MemoryManager.rsWASM linear memory management
Source/WASM/HostBridge.rsHost function registration for WASM
Source/WASM/FunctionExport.rsExported WASM function wrappers
Source/Transport/gRPCTransport.rsgRPC-based communication with Mountain
Source/Transport/IPCTransport.rsIPC-based communication
Source/Transport/WASMTransport.rsDirect WASM host function calls
Source/Transport/Strategy.rsTransport selection strategy trait
Source/Transport/CommonAdapter.rsShared transport utilities
Source/Protocol/SpcineConnection.rsSpine protocol client connection
Source/Protocol/SpcineActionClient.rsSpine action/response client
Source/Binary/Main.rsBinary entry point

How Grove differs from Cocoon

AspectCocoonGrove
RuntimeNode.js (V8)Wasmtime (WASM)
Language extensions can be written inTypeScript / JavaScriptRust (compiled to WASM), or any language with a WASM target
Security modelProcess isolation — OS boundary, but broad Node.js capabilityCapability-based — no OS access without explicit grant
VS Code API coverageFull vscode.d.tsPlanned subset, to be expanded
Extension compatibilityRuns unmodified VS Code extensionsRequires compilation to wasm32-wasi target
Current statusActive, default hostImplemented; optional --features grove build flag

Transport Strategies

Grove supports three transport strategies for communicating with Mountain:

StrategyTrackingLatencyUse Case
gRPC--features grpc~1msRemote extension host (default)
IPC--features ipc~0.1msSame-machine communication
WASM--features wasm~0.01msIn-process WASM host functions
pub enum TransportStrategy {
    /// gRPC over TCP (default)
    Grpc(GrpcConfig),
    /// Unix domain socket or named pipe
    Ipc(IpcConfig),
    /// Direct WASM host function calls
    Wasm(WasmConfig),
}

The transport strategy is selected at build time via Cargo features. --features all enables all three.

WASM Runtime

Grove uses Wasmtime as its WebAssembly runtime:

ComponentDetail
EngineWasmtime with Cranelift compiler
WASIwasmtime-wasi for sandboxed I/O
MemoryConfigurable initial/maximum memory pages
Host functionsRegistered via HostBridge for VS Code API calls
Module cacheCompiled module caching for faster startup

Sandbox Properties

PropertySetting
File systemWASI virtual filesystem (no host access)
NetworkProxied through Mountain via gRPC
ProcessNo process creation (wasmtime restriction)
MemoryIsolated linear memory per module
CPUBounded by Wasmtime execution limits

Host Function Bridge

The HostBridge registers VS Code API functions as WASM imports:

// HostBridge registers host functions that WASM modules can call
let mut linker = Linker::new(&engine);
linker.func_wrap("vscode", "readFile", |path_ptr: i32, path_len: i32| {
    // Read file through Mountain via gRPC
    let host = HostBridge::current();
    host.read_file(path_ptr, path_len)
})?;

VS Code API Surface

Grove implements a subset of the VS Code API for WASM extensions:

NamespaceSupport LevelNotes
vscode.commandsFullregisterCommand, executeCommand
vscode.windowPartialshowInformationMessage, showInputBox
vscode.workspacePartialworkspace folders, configuration
vscode.languagesPartialregisterHoverProvider, registerCompletionProvider
vscode.envFullappName, appRoot, language

Extension Lifecycle

1. ExtensionManager discovers WASM extension (.wasm file + package.json)
    |
    v
2. ModuleLoader compiles WASM module with Wasmtime
    |  - Validates module structure
    |  - Creates WASM instance with HostBridge
    |
    v
3. Activation.rs calls extension's activate() export
    |  - Passes VS Code API surface via imports
    |  - Extension registers providers and commands
    |
    v
4. Normal operation:
    |  - Extension API calls routed through HostBridge
    |  - HostBridge dispatches to Mountain via transport layer
    |  - Results returned to WASM extension
    |
    v
5. Lifecycle.rs handles deactivation
    |  - Calls extension's deactivate() export
    |  - Unregisters all providers and commands
    |  - Frees WASM module memory

Feature Gates

Grove’s Cargo features control build configuration:

FeatureDefaultDescription
grpcYesEnable gRPC transport (requires tonic, prost)
wasmYesEnable WASM runtime (requires wasmtime)
ipcNoEnable IPC transport
allNoEnable all transport strategies

When not enabled, Grove is a compile-time no-op. Mountain links it conditionally:

# Mountain/Cargo.toml
[features]
grove = ["dep:grove"]

Target use cases

Grove is intended for two categories of extensions:

  • Performance-critical extensions — parser integrations, language servers, formatters that benefit from near-native execution speed without a JavaScript runtime overhead
  • Security-sensitive extensions — extensions that handle credentials, signing operations, or sensitive file access where users need verifiable capability boundaries before installation

Grove is not intended to replace Cocoon for the broad platform of existing VS Code extensions, which are written in TypeScript and depend on full Node.js compatibility.

Current status

Note

Grove is implemented and available as an optional Cargo feature (--features grove). It is not enabled in the default debug-electron build profile. Cocoon (Node.js) remains the default extension host for unmodified VS Code extensions. WASM-targeting extensions can use Grove’s Wasmtime sandbox today. Full integration with Mountain’s extension activation flow and a complete VS Code API subset are ongoing work.


Project Maintainers: Source Open (Source/[email protected]) | GitHub Repository