{"id":50803664,"url":"https://github.com/afterburner-sh/afterburner","last_synced_at":"2026-06-12T23:01:03.635Z","repository":{"id":355625258,"uuid":"1209608426","full_name":"afterburner-sh/afterburner","owner":"afterburner-sh","description":"JS ~\u003e WASM Sandboxed Execution Runtime","archived":false,"fork":false,"pushed_at":"2026-06-11T11:58:43.000Z","size":73374,"stargazers_count":6,"open_issues_count":5,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-06-11T12:10:20.239Z","etag":null,"topics":["afterburner","burn","javascript","javascriptcore","npm","runtime","rustlang","sandbox","typescript"],"latest_commit_sha":null,"homepage":"https://afterburner.sh","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/afterburner-sh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":"CLA.md"}},"created_at":"2026-04-13T15:44:47.000Z","updated_at":"2026-06-11T10:18:14.000Z","dependencies_parsed_at":null,"dependency_job_id":"019e2361-be20-45c1-8d84-39b2ab39b820","html_url":"https://github.com/afterburner-sh/afterburner","commit_stats":null,"previous_names":["vertexclique/afterburner","afterburner-sh/afterburner"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/afterburner-sh/afterburner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/afterburner-sh%2Fafterburner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/afterburner-sh%2Fafterburner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/afterburner-sh%2Fafterburner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/afterburner-sh%2Fafterburner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/afterburner-sh","download_url":"https://codeload.github.com/afterburner-sh/afterburner/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/afterburner-sh%2Fafterburner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34265491,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["afterburner","burn","javascript","javascriptcore","npm","runtime","rustlang","sandbox","typescript"],"created_at":"2026-06-12T23:01:01.497Z","updated_at":"2026-06-12T23:01:03.613Z","avatar_url":"https://github.com/afterburner-sh.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n \u003cimg src=\"https://github.com/afterburner-sh/afterburner/raw/master/art/svg/afterburner-bg-2000x500.svg\" alt=\"Afterburner\" width=\"100%\"/\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003cstrong\u003eA sandboxed JavaScript VM for Rust. Execute untrusted scripts with memory limits, timeouts, capability-gated I/O, and threading, with its own package format, registry, and package manager.\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003ca href=\"https://crates.io/crates/afterburner\"\u003e\u003cimg src=\"https://img.shields.io/crates/v/afterburner?style=flat-square\u0026color=e6832e\" alt=\"crates.io\"/\u003e\u003c/a\u003e\n \u003ca href=\"https://docs.rs/afterburner\"\u003e\u003cimg src=\"https://img.shields.io/docsrs/afterburner?style=flat-square\u0026color=2a9d8f\" alt=\"docs.rs\"/\u003e\u003c/a\u003e\n \u003cimg src=\"https://img.shields.io/badge/rust-1.90%2B_(2024_ed)-blue?style=flat-square\u0026logo=rust\u0026logoColor=white\" alt=\"MSRV\"/\u003e\n \u003cimg src=\"https://img.shields.io/badge/license-BUSL--1.1-orange?style=flat-square\" alt=\"License\"/\u003e\n \u003ca href=\"https://discord.gg/GfTJmZaNNn\"\u003e\u003cimg src=\"https://img.shields.io/badge/discord-join%20chat-5865F2?style=flat-square\u0026logo=discord\u0026logoColor=white\" alt=\"Discord\"/\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\nAfterburner is a JavaScript runtime built in Rust, and the way you build on it is by writing **packages**: small, capability-sealed units of JavaScript or TypeScript that you scaffold, test, build into a single `.afb` file, and publish to a registry. It ships its own package format, registry, and Cargo-style package manager, so the whole workflow is one toolchain. (You can also embed the engine as a Rust library; see [Library usage](#library-usage-embedding-the-engine) below.)\n\n## Quickstart: build a package\n\nInstall the toolchain, then scaffold, run, and publish a package:\n\n```sh\ncurl -fsSL https://afterburner.sh | sh # install the `burn` toolchain\n\nburn init ./greeter --namespace nyquist --name greeter # scaffold (add --ts for TypeScript)\ncd greeter\nburn run # run the package entry (like `cargo run`)\nburn test # run tests/ in the sandbox\nburn package # build ./nyquist-greeter-0.1.0.afb\nburn publish # upload to the registry\nburn clean # remove build artifacts\n```\n\nA package is a directory with three parts: a manifest (`afb.toml`), a capability grant (`manifold.json`), and your `source/`. The entry exports one function that takes a JSON input and returns a JSON result:\n\n```javascript\n// source/main.js\nmodule.exports = function (input) {\n return { hello: (input \u0026\u0026 input.name) || \"world\" };\n};\n```\n\nIt is **sealed by default**: the scaffolded `manifold.json` grants nothing, so the code cannot touch the network, filesystem, or environment until you open a door. See [Packages, registry \u0026 package manager](#packages-registry--package-manager) for the full authoring reference.\n\n## `burn`: the command-line runtime\n\n### Install (prebuilt binaries)\n\nLinux / macOS:\n\n```sh\ncurl -fsSL https://afterburner.sh | sh\n```\n\nWindows (PowerShell):\n\n```powershell\niwr -useb https://afterburner.sh | iex\n```\n\nPin a specific version with `BURN_VERSION`:\n\n```sh\n# POSIX (put the latest version if you want, below command might be outdated)\nBURN_VERSION=v0.1.3 curl -fsSL https://afterburner.sh | sh\n```\n\n```powershell\n# PowerShell (put the latest version if you want, below command might be outdated)\n$env:BURN_VERSION = 'v0.1.3'; iwr -useb https://afterburner.sh | iex\n```\n\nOr grab a tarball directly from the [Releases page](https://github.com/afterburner-sh/afterburner/releases). Archives are named `burn-\u003cversion\u003e-\u003ctarget\u003e.tar.gz` (or `.zip` for Windows) and ship with a `.sha256` next to them.\n\nBuilt with `--features release-cli` (every backend, every L3 shadow, TypeScript loader), so it's a single self-contained binary. No runtime libsqlite3, libssl, or libclang required. Plugin `.wasm` is `include_bytes!`-baked into the binary at build time.\n\n### Install (build from source)\n\n```bash\ncargo install afterburner --features bin # installs the `burn` binary\nburn ./script.js # run a file\nburn -e 'module.exports = () =\u003e 42' # eval inline\necho '{\"n\":21}' | burn thrust transform.js # UDF mode (stdin → JSON)\nburn bench perf.js --iters 10000 --workers 8\nburn repl # interactive\n```\n\nDeno-style capability grants (deny by default):\n\n```bash\nburn --allow-net=api.example.com,*.trusted.io script.js\nburn --allow-listen=8080 server.js # inbound: port list or a lo-hi range\nburn --allow-fs=/tmp,/var/data etl.js\nburn --allow-env=HOME,PATH launcher.js\nburn -A runall.js # grant everything\n```\n\nSee [`examples/`](./examples/) for standalone projects covering single\nUDF, batched UDF, multi-worker scheduling, streaming crypto,\n`HostContext` + capability grants, and rebuilding `burn` in 30 lines.\n[`examples/express-app`](./examples/express-app) runs a real Express.js\napp: `require('express')` resolves the actual npm package out of\n`node_modules/` and serves HTTP end-to-end.\n\n---\n\n## Packages, registry \u0026 package manager\n\nAfterburner ships its **own package ecosystem**: its own package format,\nits own registry, and a built-in package manager. You don't need npm to\npublish or consume Afterburner code (and npm packages can still be pulled\nin as dependencies when you want them).\n\n- **`.afb` packages**: a package is a single, content-addressed,\n compressed file: a manifest (`afb.toml`), a capability grant\n (`manifold.json`), and your `source/`. Sealed by default; what it may\n touch is declared and reviewable before anyone installs it. JavaScript\n or TypeScript (TS is transpiled to JS at pack time).\n- **Registry**: publish and install packages from the Afterburner\n registry (`afterburner-cloud` client + the `afterburner-registry`\n service). Coordinates are `namespace/name@version`; every release is\n pinned by SHA-256 digest.\n- **Cargo-style package manager**: `burn install` resolves the full\n dependency graph with a conflict-driven version solver, writes a\n reproducible `burn.lock`, and caches packages content-addressed. Two\n kinds of dependency, both declared (never vendored into your artifact):\n `[dependencies]` for other registry packages and `[npm]` for npm\n packages, which a **native, pure-Rust** installer fetches and\n integrity-checks (no install scripts, native/C-ABI addons rejected).\n\n```sh\nburn init ./greeter --namespace nyquist --name greeter # scaffold (add --ts for TypeScript)\nburn test # run tests in the sandbox\nburn add nyquist/json-tools # pin a registry dependency\nburn install # resolve + cache the graph → burn.lock\nburn package # build the .afb (deterministic)\nburn publish # upload to the registry\n```\n\nFull authoring guide and the dependency-security model are in the\n[documentation](https://afterburner.sh/docs#packages).\n\n---\n\n## Use with AI coding agents\n\nOne command routes every piece of JavaScript your AI assistant writes\nthrough the sealed sandbox instead of raw `node`:\n\n```sh\nburn agent install # arrow-key multi-select: Claude Code, Codex, Gemini CLI, Cursor, Copilot, Antigravity\nburn agent status # what's detected, wired, and current\nburn agent uninstall # exact inverse - configs restored, nothing left behind\n```\n\nIt wires a pre-tool hook into each assistant's config (plus a short\ninstruction block where the assistant reads one). When the assistant\ntries `node app.js`, `npm test`, or `npx tsx ...`, the hook hands back\nthe corrected command - `burn --sandbox node app.js` - and the assistant\nre-runs it sealed: no network, no filesystem, no env access. Capabilities\nare granted per run, narrowly, only when the code genuinely needs them\n(`burn --sandbox --allow-net=api.example.com node app.js`). Runtime\nfailures surface in the conversation prefixed `BURN:` so they're\nunmistakably the runtime speaking. One-off bypass: `BURN_AGENT_HOOK=0`.\n\n---\n\n## Library usage (embedding the engine)\n\nBesides the package toolchain, you can embed the engine directly in a Rust\nprogram to run untrusted JavaScript inside your own application. Add the\ncrate, register a script, hand it JSON, get JSON back:\n\n```toml\n[dependencies]\nafterburner = \"0.1\"\n```\n\n```rust\nuse afterburner::Afterburner;\nuse serde_json::json;\n\nlet ab = Afterburner::new()?;\nlet id = ab.register(\"module.exports = (d) =\u003e d.n + 1\")?;\nlet out = ab.run(\u0026id, \u0026json!({ \"n\": 41 }))?;\nassert_eq!(out, json!(42));\n```\n\nThe default picks the best mode available (adaptive: native on the first\ncall, WASM-sandboxed thereafter). Use `Afterburner::builder()` for mode,\nlimits, and capabilities:\n\n```rust\nuse afterburner::{Afterburner, Manifold, FsAccess};\n\nlet ab = Afterburner::builder()\n .fuel(1_000_000_000)\n .memory_bytes(64 \u003c\u003c 20)\n .timeout_ms(30_000)\n .manifold(Manifold {\n fs: FsAccess::ReadWrite(vec![\"/var/data\".into()]),\n ..Manifold::sealed()\n })\n .threaded(8)\n .build()?;\n```\n\n---\n\n## Workspace Crates\n\n| Crate | Purpose |\n|:------|:--------|\n| **`afterburner`** | Facade: `Afterburner` + builder, `burn` binary, one ergonomic entry point |\n| **`afterburner-core`** | `Combustor` trait, `Manifold`, `FuelGauge`, `BurnCache`, level-gated logging |\n| **`afterburner-ignite`** | Native JS engine, thread-local runtimes |\n| **`afterburner-wasi`** | Wasmtime sandbox with host-function imports, pooling allocator + InstancePre, bytecode cache |\n| **`afterburner-node-compat`** | `plenum.js` polyfill bundle + Rust-backed host impls (incl. bounded HTTP + DNS with per-call timeouts) |\n| **`afterburner-flow`** | High-level `FlowEngine::load/execute/unload` for flow-style pipelines |\n| **`afterburner-adaptive`** | Flying Start: native → WASM tier switch |\n| **`afterburner-thrust`** | Multi-threaded scheduler: bounded per-worker queues + global injector, token-bucket admission, NUMA-aware steal-when-idle, graceful drain |\n| **`afterburner-plugin`** | WASM-side runtime plugin (`wasm32-wasip1`) |\n\n---\n\n## License\n\nAfterburner is **source-available** under the [Business Source License 1.1](LICENSE)\n(BSL 1.1). Each version released under the BSL automatically converts to the\n[Apache License, Version 2.0](LICENSE-APACHE) **four years after that version's\nrelease** (its per-version Change Date). Versions released *before* the relicense\n(git tag `last-apache-2.0`) were never under the BSL and remain Apache-2.0.\n\nThe Apache-2.0 components shipped alongside the engine (everything under\n`examples/` (see [`examples/LICENSE`](examples/LICENSE)), plus the planned\n`afterburner-afb` and `burn/*` packages) are Apache-2.0 via\ntheir own `LICENSE` / `license` metadata and **not** subject to the BSL.\n\n**Free for non-commercial and non-production use.** Individuals on personal\nprojects, students on coursework, and non-commercial open-source projects (no\npaid sponsorship, no monetised hosting, no enterprise SLA), plus any internal\nevaluation/development/testing, are explicitly welcome, no separate agreement\nneeded (see the Additional Use Grant in [LICENSE](LICENSE)).\n\n**Commercial license required to host, embed, or compete.** Offering\nAfterburner as a hosted/managed service, embedding it in a commercial product\ndistributed to third parties (OEM), or using it to build a competing offering\nrequires a commercial license, including via forks, rebrands, vendored, or\nembedded copies. See **[LICENSING.md](LICENSING.md)**; contact\n`info@afterburner.sh`.\n\n\"Afterburner\" and related marks are trademarks of vertexclique; see\n[TRADEMARK.md](TRADEMARK.md). Contributions require a [CLA](CLA.md).\n\n---\n\n\u003cp align=\"center\"\u003e\n \u003csub\u003eBUSL-1.1 \u0026rarr; Apache-2.0 (per-version, 4-year change)\u003c/sub\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fafterburner-sh%2Fafterburner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fafterburner-sh%2Fafterburner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fafterburner-sh%2Fafterburner/lists"}