Skip to content

Explanation

Understanding-oriented discussion: how afmpeg works, why it is built this way, and the alternatives that were weighed.

  • Architecture — the three layers (embedded WASM module, the afero↔wazero vfs bridge, the Go API) and how a call flows through them.
  • Components › The vfs bridge — how the guest's filesystem syscalls are routed onto an afero.Fs, the /tmp + /dev/null overlay, seek-on-write, and the no-host-filesystem guarantee.
  • Components › Errors — the sentinel-error catalogue and the error-handling convention.
  • Verifying a release — how WithModuleRelease certifies a published module: the KMS-signed checksums, the pinned key, what each layer defends, and the gap the WKD second layer will close.

For the full design thesis, requirements, and the decision record, see the specs — the source of truth.