Run agent generated
code in production.
Without the risk.

Omnia is a WebAssembly runtime that executes untrusted code without letting it access anything it shouldn't. Typed capability interfaces. Full thread safety. Zero compromises.

View on GitHub
handler.rs
use omnia_sdk::{Config, HttpRequest, Result}; use omnia_sdk::api::{Context, Variable, Reply}; async fn handle<P>( event: &str, req: MyRequest, provider: &P, ) -> Result<Reply<MyResponse>> where P: Config + HttpRequest, { // Your business logic here let config = P::get(); Ok(Reply::ok(response)) }
Agent Code Rust handlers
WASM Component wasm32-wasip2
Omnia Runtime Wasmtime sandbox
HTTP
State
SQL
SQL
Auth
Events
Auth

Your infrastructure.
Your rules.

Agent-generated code needs to call APIs, push state, publish events, and query databases — the same as any other code. The difference is you didn't write it.

Omnia compiles your Rust handlers to wasm32-wasip2 components and executes them inside a Wasmtime sandbox, where every external operation routes through typed provider traits that you define and control.

No network access. No filesystem. No environment variables. Just capability-scoped interfaces that your guest code requests — and your host decides whether to grant.

Provider traits

Seven capabilities.
Every call goes through you.

Every external operation your WASM guest needs is expressed as a Rust trait. Compose only what you use — fewer bounds means more testable, more auditable code.

Configuration
Config

Environment variables, URLs, and feature flags — without std::env.

HTTP
HttpRequest

Outbound HTTP calls routed through the host. No reqwest, no hyper.

Messaging
Publish

Publish events to Kafka topics with typed Message structs.

State
StateStore

Key-value persistence and caching, backed by the host's store.

Auth
Identity

OAuth and Azure AD tokens acquired by the host, passed to your code.

SQL
TableStore

Typed database queries via sea-query, executed host-side.

WebSocket
Broadcast

Real-time send and reply over WebSocket connections.

Compose exactly
what you need.

Handler trait bounds are the union of all capabilities the function calls. A handler that only reads config and makes HTTP calls declares P: Config + HttpRequest — nothing more.

Get started

From Rust to running
WASM in minutes.

Build your handlers as a standard Rust crate, compile to wasm32-wasip2, and let the runtime handle the rest.

View on GitHub

1 Build your runtime

terminal
# Build with the features you need cargo build \ --bin=realtime \ --features=realtime \ --release

2 Wire your guest provider

lib.rs
use omnia_sdk::{Config, HttpRequest, Identity}; #[derive(Clone, Default)] pub struct Provider impl Provider { pub fn new() -> Self { ensure_env!("API_URL","AZURE_IDENTITY"); Self } } impl Config for Provider {} impl HttpRequest for Provider {} impl Identity for Provider {}

3 Deploy

terminal
docker build \ --build-arg BIN="realtime" \ --build-arg FEATURES="realtime" \ --tag ghcr.io/augentic/realtime .

See Augentic in action.

Request a demo