How we allowed remote code execution (but safely)
Summary
This article explains how untrusted C++/Rust code can be executed safely by compiling to WebAssembly and running in a WASI-enabled sandbox (Wasmtime), using a Docker-based build pipeline and a configurable evaluation engine. It discusses why traditional Linux sandboxing can be error-prone, how WASM/WASI provides strong isolation, and outlines the three-run evaluation workflow (Build Index, Query, Eval) used for a coding challenge, along with future plans to replace WASI with AppArmor for perf consistency.