diff --git a/.gitignore b/.gitignore
index 917660a34..28b58e27d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-*.wasm
\ No newline at end of file
+*.wasm
+tmp/
diff --git a/proposals/cli/LICENSE.md b/proposals/cli/LICENSE.md
new file mode 100644
index 000000000..c1c3b9443
--- /dev/null
+++ b/proposals/cli/LICENSE.md
@@ -0,0 +1,8 @@
+Copyright © 2019-2024 the Contributors to the WASI Specification, published
+by the [WebAssembly Community Group][cg] under the
+[W3C Community Contributor License Agreement (CLA)][cla]. A human-readable
+[summary][summary] is available.
+
+[cg]: https://www.w3.org/community/webassembly/
+[cla]: https://www.w3.org/community/about/agreements/cla/
+[summary]: https://www.w3.org/community/about/agreements/cla-deed/
diff --git a/proposals/cli/README.md b/proposals/cli/README.md
new file mode 100644
index 000000000..7df15996a
--- /dev/null
+++ b/proposals/cli/README.md
@@ -0,0 +1,119 @@
+# WASI CLI World
+
+A proposed [WebAssembly System Interface](https://github.com/WebAssembly/WASI) API.
+
+### Current Phase
+
+wasi-cli is currently in [Phase 3].
+
+[Phase 3]: https://github.com/WebAssembly/WASI/blob/main/Proposals.md#phase-3---implementation-phase-cg--wg
+
+### Champions
+
+- Dan Gohman
+
+### Portability Criteria
+
+WASI CLI must have host implementations which can pass the testsuite
+on at least Windows, macOS, and Linux.
+
+WASI CLI must have at least two complete independent implementations.
+
+## Table of Contents
+
+- [Introduction](#introduction)
+- [Goals [or Motivating Use Cases, or Scenarios]](#goals-or-motivating-use-cases-or-scenarios)
+- [Non-goals](#non-goals)
+- [API walk-through](#api-walk-through)
+ - [Use case 1](#use-case-1)
+ - [Use case 2](#use-case-2)
+- [Detailed design discussion](#detailed-design-discussion)
+ - [Should stdout be an `output-stream`?](#should-stdout-be-an-output-stream)
+ - [Should stderr be an `output-stream`?](#should-stderr-be-an-output-stream)
+ - [Should environment variables be arguments to `command`?](#should-environment-variables-be-arguments-to-command)
+- [Stakeholder Interest & Feedback](#stakeholder-interest--feedback)
+- [References & acknowledgements](#references--acknowledgements)
+
+### Introduction
+
+Wasi-cli a [World] proposal for a Command-Line Interface (CLI) environment. It provides APIs commonly available in such environments, such as filesystems and sockets, and also provides command-line facilities such as command-line arguments, environment variables, and stdio.
+
+[World]: https://github.com/WebAssembly/component-model/blob/main/design/mvp/WIT.md#wit-worlds
+
+### Goals
+
+Wasi-cli aims to be useful for:
+
+ - Interactive command-line argument programs.
+
+ - Servers that use filesystems, sockets, and related APIs and expect to be started with
+ a CLI-style command-line.
+
+ - Stream filters that read from standard input and write to standard output.
+
+### Non-goals
+
+Wasi-cli is not aiming to significantly re-imagine the concept of command-line interface programs. While WASI as a whole is exploring ideas such as [Typed Main], wasi-cli sticks to the traditional list-of-strings style command-line arguments.
+
+[Typed Main]: https://sunfishcode.github.io/typed-main-wasi-presentation/
+
+### API walk-through
+
+The full API documentation can be found [here](command.md).
+
+TODO [Walk through of how someone would use this API.]
+
+#### [Use case 1]
+
+[Provide example code snippets and diagrams explaining how the API would be used to solve the given problem]
+
+#### [Use case 2]
+
+[etc.]
+
+### Detailed design discussion
+
+#### Should stdout be an `output-stream`?
+
+For server use cases, standard output (stdout) is typically used as a log,
+where it's typically not meaningfully blocking, async, or fallible. It's just
+a place for the program to send messages to and forget about them. One option
+would be to give such use cases a dedicated API, which would have a single
+function to allow printing strings that doesn't return a `result`, meaning it
+never fails.
+
+However, it'd only be a minor simplification in practice, and dedicated cloud
+or edge use cases should ideally migrate to more specialized worlds than the
+wasi-cli world anyway, as they can result in much greater simplifications, so
+this doesn't seem worthwhile.
+
+#### Should stderr be an `output-stream`?
+
+This is similar to the question for stdout, but for standard error (stderr),
+it's a little more tempting to do something like this because stderr is used
+in this logging style by many kinds of applications.
+
+However, it seems better overall to keep stderr consistent with stdout, and
+focus our desires for simplification toward other worlds, which can achieve
+even greater simplifications.
+
+#### Should environment variables be arguments to `command`?
+
+Environment variables are useful in some non-cli use cases, so leaving them
+as separate imports means they can be used from worlds that don't have a
+`command` entrypoint.
+
+### Stakeholder Interest & Feedback
+
+TODO before entering Phase 3.
+
+[This should include a list of implementers who have expressed interest in implementing the proposal]
+
+### References & acknowledgements
+
+The concept of wasi-cli has been in development for over a year since the proposal is
+posted here, and many people have contributed ideas that have influenced. Many thanks
+for valuable feedback and advice in particular from:
+
+- Luke Wagner
+- Pat Hickey
diff --git a/proposals/cli/command.md b/proposals/cli/command.md
new file mode 100644
index 000000000..34c1c9290
--- /dev/null
+++ b/proposals/cli/command.md
@@ -0,0 +1,3144 @@
+World command
+
+- Imports:
+
+
+- Exports:
+
+
+
+Import interface wasi:cli/environment@0.2.8
+
+Functions
+get-environment: func
+Get the POSIX-style environment variables.
+Each environment variable is provided as a pair of string variable names
+and string value.
+Morally, these are a value import, but until value imports are available
+in the component model, this import function should return the same
+values each time it is called.
+Return values
+
+- list<(
string, string)>
+
+get-arguments: func
+Get the POSIX-style arguments to the program.
+Return values
+
+initial-cwd: func
+Return a path that programs should use as their initial current working
+directory, interpreting . as shorthand for this.
+Return values
+
+Import interface wasi:cli/exit@0.2.8
+
+Functions
+exit: func
+Exit the current instance and any linked instances.
+Params
+
+exit-with-code: func
+Exit the current instance and any linked instances, reporting the
+specified status code to the host.
+The meaning of the code depends on the context, with 0 usually meaning
+"success", and other values indicating various types of failure.
+This function does not return; the effect is analogous to a trap, but
+without the connotation that something bad has happened.
+Params
+
+Import interface wasi:io/error@0.2.8
+
+Types
+resource error
+A resource which represents some error information.
+The only method provided by this resource is to-debug-string,
+which provides some human-readable information about the error.
+In the wasi:io package, this resource is returned through the
+wasi:io/streams/stream-error type.
+To provide more specific error information, other interfaces may
+offer functions to "downcast" this error into more specific types. For example,
+errors returned from streams derived from filesystem types can be described using
+the filesystem's own error-code type. This is done using the function
+wasi:filesystem/types/filesystem-error-code, which takes a borrow<error>
+parameter and returns an option<wasi:filesystem/types/error-code>.
+The set of functions which can "downcast" an error into a more
+concrete type is open.
+Functions
+[method]error.to-debug-string: func
+Returns a string that is suitable to assist humans in debugging
+this error.
+WARNING: The returned string should not be consumed mechanically!
+It may change across platforms, hosts, or other implementation
+details. Parsing this string is a major platform-compatibility
+hazard.
+Params
+
+Return values
+
+Import interface wasi:io/poll@0.2.8
+A poll API intended to let users wait for I/O events on multiple handles
+at once.
+
+Types
+resource pollable
+pollable represents a single I/O event which may be ready, or not.
+Functions
+[method]pollable.ready: func
+Return the readiness of a pollable. This function never blocks.
+Returns true when the pollable is ready, and false otherwise.
+Params
+
+Return values
+
+[method]pollable.block: func
+block returns immediately if the pollable is ready, and otherwise
+blocks until ready.
+This function is equivalent to calling poll.poll on a list
+containing only this pollable.
+Params
+
+poll: func
+Poll for completion on a set of pollables.
+This function takes a list of pollables, which identify I/O sources of
+interest, and waits until one or more of the events is ready for I/O.
+The result list<u32> contains one or more indices of handles in the
+argument list that is ready for I/O.
+This function traps if either:
+
+- the list is empty, or:
+- the list contains more elements than can be indexed with a
u32 value.
+
+A timeout can be implemented by adding a pollable from the
+wasi-clocks API to the list.
+This function does not return a result; polling in itself does not
+do any I/O so it doesn't fail. If any of the I/O sources identified by
+the pollables has an error, it is indicated by marking the source as
+being ready for I/O.
+Params
+
+Return values
+
+Import interface wasi:io/streams@0.2.8
+WASI I/O is an I/O abstraction API which is currently focused on providing
+stream types.
+In the future, the component model is expected to add built-in stream types;
+when it does, they are expected to subsume this API.
+
+Types
+type error
+error
+
+
type pollable
+pollable
+
+
variant stream-error
+An error for input-stream and output-stream operations.
+Variant Cases
+
+-
+
last-operation-failed: own<error>
+The last operation (a write or flush) failed before completion.
+
More information is available in the error payload.
+After this, the stream will be closed. All future operations return
+stream-error::closed.
+
+-
+
closed
+The stream is closed: no more input will be accepted by the
+stream. A closed output-stream will return this error on all
+future operations.
+
+
+resource input-stream
+An input bytestream.
+input-streams are non-blocking to the extent practical on underlying
+platforms. I/O operations always return promptly; if fewer bytes are
+promptly available than requested, they return the number of bytes promptly
+available, which could even be zero. To wait for data to be available,
+use the subscribe function to obtain a pollable which can be polled
+for using wasi:io/poll.
+resource output-stream
+An output bytestream.
+output-streams are non-blocking to the extent practical on
+underlying platforms. Except where specified otherwise, I/O operations also
+always return promptly, after the number of bytes that can be written
+promptly, which could even be zero. To wait for the stream to be ready to
+accept data, the subscribe function to obtain a pollable which can be
+polled for using wasi:io/poll.
+Dropping an output-stream while there's still an active write in
+progress may result in the data being lost. Before dropping the stream,
+be sure to fully flush your writes.
+Functions
+[method]input-stream.read: func
+Perform a non-blocking read from the stream.
+When the source of a read is binary data, the bytes from the source
+are returned verbatim. When the source of a read is known to the
+implementation to be text, bytes containing the UTF-8 encoding of the
+text are returned.
+This function returns a list of bytes containing the read data,
+when successful. The returned list will contain up to len bytes;
+it may return fewer than requested, but not more. The list is
+empty when no bytes are available for reading at this time. The
+pollable given by subscribe will be ready when more bytes are
+available.
+This function fails with a stream-error when the operation
+encounters an error, giving last-operation-failed, or when the
+stream is closed, giving closed.
+When the caller gives a len of 0, it represents a request to
+read 0 bytes. If the stream is still open, this call should
+succeed and return an empty list, or otherwise fail with closed.
+The len parameter is a u64, which could represent a list of u8 which
+is not possible to allocate in wasm32, or not desirable to allocate as
+as a return value by the callee. The callee may return a list of bytes
+less than len in size while more bytes are available for reading.
+Params
+
+Return values
+
+[method]input-stream.blocking-read: func
+Read bytes from a stream, after blocking until at least one byte can
+be read. Except for blocking, behavior is identical to read.
+Params
+
+Return values
+
+[method]input-stream.skip: func
+Skip bytes from a stream. Returns number of bytes skipped.
+Behaves identical to read, except instead of returning a list
+of bytes, returns the number of bytes consumed from the stream.
+Params
+
+Return values
+
+[method]input-stream.blocking-skip: func
+Skip bytes from a stream, after blocking until at least one byte
+can be skipped. Except for blocking behavior, identical to skip.
+Params
+
+Return values
+
+[method]input-stream.subscribe: func
+Create a pollable which will resolve once either the specified stream
+has bytes available to read or the other end of the stream has been
+closed.
+The created pollable is a child resource of the input-stream.
+Implementations may trap if the input-stream is dropped before
+all derived pollables created with this function are dropped.
+Params
+
+Return values
+
+[method]output-stream.check-write: func
+Check readiness for writing. This function never blocks.
+Returns the number of bytes permitted for the next call to write,
+or an error. Calling write with more bytes than this function has
+permitted will trap.
+When this function returns 0 bytes, the subscribe pollable will
+become ready when this function will report at least 1 byte, or an
+error.
+Params
+
+Return values
+
+[method]output-stream.write: func
+Perform a write. This function never blocks.
+When the destination of a write is binary data, the bytes from
+contents are written verbatim. When the destination of a write is
+known to the implementation to be text, the bytes of contents are
+transcoded from UTF-8 into the encoding of the destination and then
+written.
+Precondition: check-write gave permit of Ok(n) and contents has a
+length of less than or equal to n. Otherwise, this function will trap.
+returns Err(closed) without writing if the stream has closed since
+the last call to check-write provided a permit.
+Params
+
+Return values
+
+[method]output-stream.blocking-write-and-flush: func
+Perform a write of up to 4096 bytes, and then flush the stream. Block
+until all of these operations are complete, or an error occurs.
+Returns success when all of the contents written are successfully
+flushed to output. If an error occurs at any point before all
+contents are successfully flushed, that error is returned as soon as
+possible. If writing and flushing the complete contents causes the
+stream to become closed, this call should return success, and
+subsequent calls to check-write or other interfaces should return
+stream-error::closed.
+Params
+
+Return values
+
+[method]output-stream.flush: func
+Request to flush buffered output. This function never blocks.
+This tells the output-stream that the caller intends any buffered
+output to be flushed. the output which is expected to be flushed
+is all that has been passed to write prior to this call.
+Upon calling this function, the output-stream will not accept any
+writes (check-write will return ok(0)) until the flush has
+completed. The subscribe pollable will become ready when the
+flush has completed and the stream can accept more writes.
+Params
+
+Return values
+
+[method]output-stream.blocking-flush: func
+Request to flush buffered output, and block until flush completes
+and stream is ready for writing again.
+Params
+
+Return values
+
+[method]output-stream.subscribe: func
+Create a pollable which will resolve once the output-stream
+is ready for more writing, or an error has occurred. When this
+pollable is ready, check-write will return ok(n) with n>0, or an
+error.
+If the stream is closed, this pollable is always ready immediately.
+The created pollable is a child resource of the output-stream.
+Implementations may trap if the output-stream is dropped before
+all derived pollables created with this function are dropped.
+Params
+
+Return values
+
+[method]output-stream.write-zeroes: func
+Write zeroes to a stream.
+This should be used precisely like write with the exact same
+preconditions (must use check-write first), but instead of
+passing a list of bytes, you simply pass the number of zero-bytes
+that should be written.
+Params
+
+Return values
+
+[method]output-stream.blocking-write-zeroes-and-flush: func
+Perform a write of up to 4096 zeroes, and then flush the stream.
+Block until all of these operations are complete, or an error
+occurs.
+Functionality is equivelant to blocking-write-and-flush with
+contents given as a list of len containing only zeroes.
+Params
+
+Return values
+
+[method]output-stream.splice: func
+Read from one stream and write to another.
+The behavior of splice is equivalent to:
+
+- calling
check-write on the output-stream
+- calling
read on the input-stream with the smaller of the
+check-write permitted length and the len provided to splice
+- calling
write on the output-stream with that read data.
+
+Any error reported by the call to check-write, read, or
+write ends the splice and reports that error.
+This function returns the number of bytes transferred; it may be less
+than len.
+Params
+
+Return values
+
+[method]output-stream.blocking-splice: func
+Read from one stream and write to another, with blocking.
+This is similar to splice, except that it blocks until the
+output-stream is ready for writing, and the input-stream
+is ready for reading, before performing the splice.
+Params
+
+Return values
+
+Import interface wasi:cli/stdin@0.2.8
+
+Types
+type input-stream
+input-stream
+
+
+Functions
+get-stdin: func
+Return values
+
+Import interface wasi:cli/stdout@0.2.8
+
+Types
+type output-stream
+output-stream
+
+
+Functions
+get-stdout: func
+Return values
+
+Import interface wasi:cli/stderr@0.2.8
+
+Types
+type output-stream
+output-stream
+
+
+Functions
+get-stderr: func
+Return values
+
+Import interface wasi:cli/terminal-input@0.2.8
+Terminal input.
+In the future, this may include functions for disabling echoing,
+disabling input buffering so that keyboard events are sent through
+immediately, querying supported features, and so on.
+
+Types
+resource terminal-input
+The input side of a terminal.
+Import interface wasi:cli/terminal-output@0.2.8
+Terminal output.
+In the future, this may include functions for querying the terminal
+size, being notified of terminal size changes, querying supported
+features, and so on.
+
+Types
+resource terminal-output
+The output side of a terminal.
+Import interface wasi:cli/terminal-stdin@0.2.8
+An interface providing an optional terminal-input for stdin as a
+link-time authority.
+
+Types
+type terminal-input
+terminal-input
+
+
+Functions
+get-terminal-stdin: func
+If stdin is connected to a terminal, return a terminal-input handle
+allowing further interaction with it.
+Return values
+
+Import interface wasi:cli/terminal-stdout@0.2.8
+An interface providing an optional terminal-output for stdout as a
+link-time authority.
+
+Types
+type terminal-output
+terminal-output
+
+
+Functions
+get-terminal-stdout: func
+If stdout is connected to a terminal, return a terminal-output handle
+allowing further interaction with it.
+Return values
+
+Import interface wasi:cli/terminal-stderr@0.2.8
+An interface providing an optional terminal-output for stderr as a
+link-time authority.
+
+Types
+type terminal-output
+terminal-output
+
+
+Functions
+get-terminal-stderr: func
+If stderr is connected to a terminal, return a terminal-output handle
+allowing further interaction with it.
+Return values
+
+Import interface wasi:clocks/monotonic-clock@0.2.8
+WASI Monotonic Clock is a clock API intended to let users measure elapsed
+time.
+It is intended to be portable at least between Unix-family platforms and
+Windows.
+A monotonic clock is a clock which has an unspecified initial value, and
+successive reads of the clock will produce non-decreasing values.
+
+Types
+type pollable
+pollable
+
+
type instant
+u64
+An instant in time, in nanoseconds. An instant is relative to an
+unspecified initial value, and can only be compared to instances from
+the same monotonic-clock.
+
type duration
+u64
+A duration of time, in nanoseconds.
+
+Functions
+now: func
+Read the current value of the clock.
+The clock is monotonic, therefore calling this function repeatedly will
+produce a sequence of non-decreasing values.
+For completeness, this function traps if it's not possible to represent
+the value of the clock in an instant. Consequently, implementations
+should ensure that the starting time is low enough to avoid the
+possibility of overflow in practice.
+Return values
+
+resolution: func
+Query the resolution of the clock. Returns the duration of time
+corresponding to a clock tick.
+Return values
+
+subscribe-instant: func
+Create a pollable which will resolve once the specified instant
+has occurred.
+Params
+
+Return values
+
+subscribe-duration: func
+Create a pollable that will resolve after the specified duration has
+elapsed from the time this function is invoked.
+Params
+
+Return values
+
+Import interface wasi:clocks/wall-clock@0.2.8
+WASI Wall Clock is a clock API intended to let users query the current
+time. The name "wall" makes an analogy to a "clock on the wall", which
+is not necessarily monotonic as it may be reset.
+It is intended to be portable at least between Unix-family platforms and
+Windows.
+A wall clock is a clock which measures the date and time according to
+some external reference.
+External references may be reset, so this clock is not necessarily
+monotonic, making it unsuitable for measuring elapsed time.
+It is intended for reporting the current date and time for humans.
+
+Types
+record datetime
+A time and date in seconds plus nanoseconds.
+Record Fields
+
+seconds: u64nanoseconds: u32
+
+Functions
+now: func
+Read the current value of the clock.
+This clock is not monotonic, therefore calling this function repeatedly
+will not necessarily produce a sequence of non-decreasing values.
+The returned timestamps represent the number of seconds since
+1970-01-01T00:00:00Z, also known as POSIX's Seconds Since the Epoch,
+also known as Unix Time.
+The nanoseconds field of the output is always less than 1000000000.
+Return values
+
+resolution: func
+Query the resolution of the clock.
+The nanoseconds field of the output is always less than 1000000000.
+Return values
+
+Import interface wasi:clocks/timezone@0.2.8
+
+Types
+type datetime
+datetime
+
+
record timezone-display
+Information useful for displaying the timezone of a specific datetime.
+This information may vary within a single timezone to reflect daylight
+saving time adjustments.
+Record Fields
+
+-
+
utc-offset: s32
+The number of seconds difference between UTC time and the local
+time of the timezone.
+
The returned value will always be less than 86400 which is the
+number of seconds in a day (246060).
+In implementations that do not expose an actual time zone, this
+should return 0.
+
+-
+
name: string
+The abbreviated name of the timezone to display to a user. The name
+`UTC` indicates Coordinated Universal Time. Otherwise, this should
+reference local standards for the name of the time zone.
+
In implementations that do not expose an actual time zone, this
+should be the string UTC.
+In time zones that do not have an applicable name, a formatted
+representation of the UTC offset may be returned, such as -04:00.
+
+-
+
in-daylight-saving-time: bool
+Whether daylight saving time is active.
+
In implementations that do not expose an actual time zone, this
+should return false.
+
+
+
+Functions
+display: func
+Return information needed to display the given datetime. This includes
+the UTC offset, the time zone name, and a flag indicating whether
+daylight saving time is active.
+If the timezone cannot be determined for the given datetime, return a
+timezone-display for UTC with a utc-offset of 0 and no daylight
+saving time.
+Params
+
+Return values
+
+utc-offset: func
+The same as display, but only return the UTC offset.
+Params
+
+Return values
+
+Import interface wasi:filesystem/types@0.2.8
+WASI filesystem is a filesystem API primarily intended to let users run WASI
+programs that access their files on their existing filesystems, without
+significant overhead.
+It is intended to be roughly portable between Unix-family platforms and
+Windows, though it does not hide many of the major differences.
+Paths are passed as interface-type strings, meaning they must consist of
+a sequence of Unicode Scalar Values (USVs). Some filesystems may contain
+paths which are not accessible by this API.
+The directory separator in WASI is always the forward-slash (/).
+All paths in WASI are relative paths, and are interpreted relative to a
+descriptor referring to a base directory. If a path argument to any WASI
+function starts with /, or if any step of resolving a path, including
+.. and symbolic link steps, reaches a directory outside of the base
+directory, or reaches a symlink to an absolute or rooted path in the
+underlying filesystem, the function fails with error-code::not-permitted.
+For more information about WASI path resolution and sandboxing, see
+WASI filesystem path resolution.
+
+Types
+type input-stream
+input-stream
+
+
type output-stream
+output-stream
+
+
type error
+error
+
+
type datetime
+datetime
+
+
type filesize
+u64
+File size or length of a region within a file.
+
enum descriptor-type
+The type of a filesystem object referenced by a descriptor.
+Note: This was called filetype in earlier versions of WASI.
+Enum Cases
+
+-
+
unknown
+The type of the descriptor or file is unknown or is different from
+any of the other types specified.
+
+-
+
block-device
+The descriptor refers to a block device inode.
+
+-
+
character-device
+The descriptor refers to a character device inode.
+
+-
+
directory
+The descriptor refers to a directory inode.
+
+-
+
fifo
+The descriptor refers to a named pipe.
+
+-
+
symbolic-link
+The file refers to a symbolic link inode.
+
+-
+
regular-file
+The descriptor refers to a regular file inode.
+
+-
+
socket
+The descriptor refers to a socket.
+
+
+flags descriptor-flags
+Descriptor flags.
+Note: This was called fdflags in earlier versions of WASI.
+Flags members
+
+-
+
read:
+Read mode: Data can be read.
+
+-
+
write:
+Write mode: Data can be written to.
+
+-
+
file-integrity-sync:
+Request that writes be performed according to synchronized I/O file
+integrity completion. The data stored in the file and the file's
+metadata are synchronized. This is similar to `O_SYNC` in POSIX.
+
The precise semantics of this operation have not yet been defined for
+WASI. At this time, it should be interpreted as a request, and not a
+requirement.
+
+-
+
data-integrity-sync:
+Request that writes be performed according to synchronized I/O data
+integrity completion. Only the data stored in the file is
+synchronized. This is similar to `O_DSYNC` in POSIX.
+
The precise semantics of this operation have not yet been defined for
+WASI. At this time, it should be interpreted as a request, and not a
+requirement.
+
+-
+
requested-write-sync:
+Requests that reads be performed at the same level of integrity
+requested for writes. This is similar to `O_RSYNC` in POSIX.
+
The precise semantics of this operation have not yet been defined for
+WASI. At this time, it should be interpreted as a request, and not a
+requirement.
+
+-
+
mutate-directory:
+Mutating directories mode: Directory contents may be mutated.
+
When this flag is unset on a descriptor, operations using the
+descriptor which would create, rename, delete, modify the data or
+metadata of filesystem objects, or obtain another handle which
+would permit any of those, shall fail with error-code::read-only if
+they would otherwise succeed.
+This may only be set on directories.
+
+
+flags path-flags
+Flags determining the method of how paths are resolved.
+Flags members
+
+flags open-flags
+Open flags used by open-at.
+Flags members
+
+-
+
create:
+Create file if it does not exist, similar to `O_CREAT` in POSIX.
+
+-
+
directory:
+Fail if not a directory, similar to `O_DIRECTORY` in POSIX.
+
+-
+
exclusive:
+Fail if file already exists, similar to `O_EXCL` in POSIX.
+
+-
+
truncate:
+Truncate file to size 0, similar to `O_TRUNC` in POSIX.
+
+
+type link-count
+u64
+Number of hard links to an inode.
+
record descriptor-stat
+File attributes.
+Note: This was called filestat in earlier versions of WASI.
+Record Fields
+
+-
+
type: descriptor-type
+File type.
+
+-
+
link-count: link-count
+Number of hard links to the file.
+
+-
+
size: filesize
+For regular files, the file size in bytes. For symbolic links, the
+length in bytes of the pathname contained in the symbolic link.
+
+-
+
data-access-timestamp: option<datetime>
+Last data access timestamp.
+
If the option is none, the platform doesn't maintain an access
+timestamp for this file.
+
+-
+
data-modification-timestamp: option<datetime>
+Last data modification timestamp.
+
If the option is none, the platform doesn't maintain a
+modification timestamp for this file.
+
+-
+
status-change-timestamp: option<datetime>
+Last file status-change timestamp.
+
If the option is none, the platform doesn't maintain a
+status-change timestamp for this file.
+
+
+variant new-timestamp
+When setting a timestamp, this gives the value to set it to.
+Variant Cases
+
+-
+
no-change
+Leave the timestamp set to its previous value.
+
+-
+
now
+Set the timestamp to the current time of the system clock associated
+with the filesystem.
+
+-
+
timestamp: datetime
+Set the timestamp to the given value.
+
+
+record directory-entry
+A directory entry.
+Record Fields
+
+enum error-code
+Error codes returned by functions, similar to errno in POSIX.
+Not all of these error codes are returned by the functions provided by this
+API; some are used in higher-level library layers, and others are provided
+merely for alignment with POSIX.
+Enum Cases
+
+-
+
access
+Permission denied, similar to `EACCES` in POSIX.
+
+-
+
would-block
+Resource unavailable, or operation would block, similar to `EAGAIN` and `EWOULDBLOCK` in POSIX.
+
+-
+
already
+Connection already in progress, similar to `EALREADY` in POSIX.
+
+-
+
bad-descriptor
+Bad descriptor, similar to `EBADF` in POSIX.
+
+-
+
busy
+Device or resource busy, similar to `EBUSY` in POSIX.
+
+-
+
deadlock
+Resource deadlock would occur, similar to `EDEADLK` in POSIX.
+
+-
+
quota
+Storage quota exceeded, similar to `EDQUOT` in POSIX.
+
+-
+
exist
+File exists, similar to `EEXIST` in POSIX.
+
+-
+
file-too-large
+File too large, similar to `EFBIG` in POSIX.
+
+-
+
illegal-byte-sequence
+Illegal byte sequence, similar to `EILSEQ` in POSIX.
+
+-
+
in-progress
+Operation in progress, similar to `EINPROGRESS` in POSIX.
+
+-
+
interrupted
+Interrupted function, similar to `EINTR` in POSIX.
+
+-
+
invalid
+Invalid argument, similar to `EINVAL` in POSIX.
+
+-
+
io
+I/O error, similar to `EIO` in POSIX.
+
+-
+
is-directory
+Is a directory, similar to `EISDIR` in POSIX.
+
+-
+
loop
+Too many levels of symbolic links, similar to `ELOOP` in POSIX.
+
+-
+
too-many-links
+Too many links, similar to `EMLINK` in POSIX.
+
+-
+
message-size
+Message too large, similar to `EMSGSIZE` in POSIX.
+
+-
+
name-too-long
+Filename too long, similar to `ENAMETOOLONG` in POSIX.
+
+-
+
no-device
+No such device, similar to `ENODEV` in POSIX.
+
+-
+
no-entry
+No such file or directory, similar to `ENOENT` in POSIX.
+
+-
+
no-lock
+No locks available, similar to `ENOLCK` in POSIX.
+
+-
+
insufficient-memory
+Not enough space, similar to `ENOMEM` in POSIX.
+
+-
+
insufficient-space
+No space left on device, similar to `ENOSPC` in POSIX.
+
+-
+
not-directory
+Not a directory or a symbolic link to a directory, similar to `ENOTDIR` in POSIX.
+
+-
+
not-empty
+Directory not empty, similar to `ENOTEMPTY` in POSIX.
+
+-
+
not-recoverable
+State not recoverable, similar to `ENOTRECOVERABLE` in POSIX.
+
+-
+
unsupported
+Not supported, similar to `ENOTSUP` and `ENOSYS` in POSIX.
+
+-
+
no-tty
+Inappropriate I/O control operation, similar to `ENOTTY` in POSIX.
+
+-
+
no-such-device
+No such device or address, similar to `ENXIO` in POSIX.
+
+-
+
overflow
+Value too large to be stored in data type, similar to `EOVERFLOW` in POSIX.
+
+-
+
not-permitted
+Operation not permitted, similar to `EPERM` in POSIX.
+
+-
+
pipe
+Broken pipe, similar to `EPIPE` in POSIX.
+
+-
+
read-only
+Read-only file system, similar to `EROFS` in POSIX.
+
+-
+
invalid-seek
+Invalid seek, similar to `ESPIPE` in POSIX.
+
+-
+
text-file-busy
+Text file busy, similar to `ETXTBSY` in POSIX.
+
+-
+
cross-device
+Cross-device link, similar to `EXDEV` in POSIX.
+
+
+enum advice
+File or memory access pattern advisory information.
+Enum Cases
+
+-
+
normal
+The application has no advice to give on its behavior with respect
+to the specified data.
+
+-
+
sequential
+The application expects to access the specified data sequentially
+from lower offsets to higher offsets.
+
+-
+
random
+The application expects to access the specified data in a random
+order.
+
+-
+
will-need
+The application expects to access the specified data in the near
+future.
+
+-
+
dont-need
+The application expects that it will not access the specified data
+in the near future.
+
+-
+
no-reuse
+The application expects to access the specified data once and then
+not reuse it thereafter.
+
+
+record metadata-hash-value
+A 128-bit hash value, split into parts because wasm doesn't have a
+128-bit integer type.
+Record Fields
+
+resource descriptor
+A descriptor is a reference to a filesystem object, which may be a file,
+directory, named pipe, special file, or other object on which filesystem
+calls may be made.
+resource directory-entry-stream
+A stream of directory entries.
+Functions
+[method]descriptor.read-via-stream: func
+Return a stream for reading from a file, if available.
+May fail with an error-code describing why the file cannot be read.
+Multiple read, write, and append streams may be active on the same open
+file and they do not interfere with each other.
+Note: This allows using read-stream, which is similar to read in POSIX.
+Params
+
+Return values
+
+[method]descriptor.write-via-stream: func
+Return a stream for writing to a file, if available.
+May fail with an error-code describing why the file cannot be written.
+Note: This allows using write-stream, which is similar to write in
+POSIX.
+Params
+
+Return values
+
+[method]descriptor.append-via-stream: func
+Return a stream for appending to a file, if available.
+May fail with an error-code describing why the file cannot be appended.
+Note: This allows using write-stream, which is similar to write with
+O_APPEND in POSIX.
+Params
+
+Return values
+
+[method]descriptor.advise: func
+Provide file advisory information on a descriptor.
+This is similar to posix_fadvise in POSIX.
+Params
+
+Return values
+
+[method]descriptor.sync-data: func
+Synchronize the data of a file to disk.
+This function succeeds with no effect if the file descriptor is not
+opened for writing.
+Note: This is similar to fdatasync in POSIX.
+Params
+
+Return values
+
+[method]descriptor.get-flags: func
+Get flags associated with a descriptor.
+Note: This returns similar flags to fcntl(fd, F_GETFL) in POSIX.
+Note: This returns the value that was the fs_flags value returned
+from fdstat_get in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.get-type: func
+Get the dynamic type of a descriptor.
+Note: This returns the same value as the type field of the fd-stat
+returned by stat, stat-at and similar.
+Note: This returns similar flags to the st_mode & S_IFMT value provided
+by fstat in POSIX.
+Note: This returns the value that was the fs_filetype value returned
+from fdstat_get in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.set-size: func
+Adjust the size of an open file. If this increases the file's size, the
+extra bytes are filled with zeros.
+Note: This was called fd_filestat_set_size in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.set-times: func
+Adjust the timestamps of an open file or directory.
+Note: This is similar to futimens in POSIX.
+Note: This was called fd_filestat_set_times in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.read: func
+Read from a descriptor, without using and updating the descriptor's offset.
+This function returns a list of bytes containing the data that was
+read, along with a bool which, when true, indicates that the end of the
+file was reached. The returned list will contain up to length bytes; it
+may return fewer than requested, if the end of the file is reached or
+if the I/O operation is interrupted.
+In the future, this may change to return a stream<u8, error-code>.
+Note: This is similar to pread in POSIX.
+Params
+
+Return values
+
+[method]descriptor.write: func
+Write to a descriptor, without using and updating the descriptor's offset.
+It is valid to write past the end of a file; the file is extended to the
+extent of the write, with bytes between the previous end and the start of
+the write set to zero.
+In the future, this may change to take a stream<u8, error-code>.
+Note: This is similar to pwrite in POSIX.
+Params
+
+Return values
+
+[method]descriptor.read-directory: func
+Read directory entries from a directory.
+On filesystems where directories contain entries referring to themselves
+and their parents, often named . and .. respectively, these entries
+are omitted.
+This always returns a new stream which starts at the beginning of the
+directory. Multiple streams may be active on the same directory, and they
+do not interfere with each other.
+Params
+
+Return values
+
+[method]descriptor.sync: func
+Synchronize the data and metadata of a file to disk.
+This function succeeds with no effect if the file descriptor is not
+opened for writing.
+Note: This is similar to fsync in POSIX.
+Params
+
+Return values
+
+[method]descriptor.create-directory-at: func
+Create a directory.
+Note: This is similar to mkdirat in POSIX.
+Params
+
+Return values
+
+[method]descriptor.stat: func
+Return the attributes of an open file or directory.
+Note: This is similar to fstat in POSIX, except that it does not return
+device and inode information. For testing whether two descriptors refer to
+the same underlying filesystem object, use is-same-object. To obtain
+additional data that can be used do determine whether a file has been
+modified, use metadata-hash.
+Note: This was called fd_filestat_get in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.stat-at: func
+Return the attributes of a file or directory.
+Note: This is similar to fstatat in POSIX, except that it does not
+return device and inode information. See the stat description for a
+discussion of alternatives.
+Note: This was called path_filestat_get in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.set-times-at: func
+Adjust the timestamps of a file or directory.
+Note: This is similar to utimensat in POSIX.
+Note: This was called path_filestat_set_times in earlier versions of
+WASI.
+Params
+
+Return values
+
+[method]descriptor.link-at: func
+Create a hard link.
+Fails with error-code::no-entry if the old path does not exist,
+with error-code::exist if the new path already exists, and
+error-code::not-permitted if the old path is not a file.
+Note: This is similar to linkat in POSIX.
+Params
+
+Return values
+
+[method]descriptor.open-at: func
+Open a file or directory.
+If flags contains descriptor-flags::mutate-directory, and the base
+descriptor doesn't have descriptor-flags::mutate-directory set,
+open-at fails with error-code::read-only.
+If flags contains write or mutate-directory, or open-flags
+contains truncate or create, and the base descriptor doesn't have
+descriptor-flags::mutate-directory set, open-at fails with
+error-code::read-only.
+Note: This is similar to openat in POSIX.
+Params
+
+Return values
+
+[method]descriptor.readlink-at: func
+Read the contents of a symbolic link.
+If the contents contain an absolute or rooted path in the underlying
+filesystem, this function fails with error-code::not-permitted.
+Note: This is similar to readlinkat in POSIX.
+Params
+
+Return values
+
+[method]descriptor.remove-directory-at: func
+Remove a directory.
+Return error-code::not-empty if the directory is not empty.
+Note: This is similar to unlinkat(fd, path, AT_REMOVEDIR) in POSIX.
+Params
+
+Return values
+
+[method]descriptor.rename-at: func
+Rename a filesystem object.
+Note: This is similar to renameat in POSIX.
+Params
+
+Return values
+
+[method]descriptor.symlink-at: func
+Create a symbolic link (also known as a "symlink").
+If old-path starts with /, the function fails with
+error-code::not-permitted.
+Note: This is similar to symlinkat in POSIX.
+Params
+
+self: borrow<descriptor>old-path: stringnew-path: string
+Return values
+
+[method]descriptor.unlink-file-at: func
+Unlink a filesystem object that is not a directory.
+Return error-code::is-directory if the path refers to a directory.
+Note: This is similar to unlinkat(fd, path, 0) in POSIX.
+Params
+
+Return values
+
+[method]descriptor.is-same-object: func
+Test whether two descriptors refer to the same filesystem object.
+In POSIX, this corresponds to testing whether the two descriptors have the
+same device (st_dev) and inode (st_ino or d_ino) numbers.
+wasi-filesystem does not expose device and inode numbers, so this function
+may be used instead.
+Params
+
+Return values
+
+[method]descriptor.metadata-hash: func
+Return a hash of the metadata associated with a filesystem object referred
+to by a descriptor.
+This returns a hash of the last-modification timestamp and file size, and
+may also include the inode number, device number, birth timestamp, and
+other metadata fields that may change when the file is modified or
+replaced. It may also include a secret value chosen by the
+implementation and not otherwise exposed.
+Implementations are encouraged to provide the following properties:
+
+- If the file is not modified or replaced, the computed hash value should
+usually not change.
+- If the object is modified or replaced, the computed hash value should
+usually change.
+- The inputs to the hash should not be easily computable from the
+computed hash.
+
+However, none of these is required.
+Params
+
+Return values
+
+[method]descriptor.metadata-hash-at: func
+Return a hash of the metadata associated with a filesystem object referred
+to by a directory descriptor and a relative path.
+This performs the same hash computation as metadata-hash.
+Params
+
+Return values
+
+[method]directory-entry-stream.read-directory-entry: func
+Read a single directory entry from a directory-entry-stream.
+Params
+
+Return values
+
+filesystem-error-code: func
+Attempts to extract a filesystem-related error-code from the stream
+error provided.
+Stream operations which return stream-error::last-operation-failed
+have a payload with more information about the operation that failed.
+This payload can be passed through to this function to see if there's
+filesystem-related information about the error to return.
+Note that this function is fallible because not all stream-related
+errors are filesystem-related errors.
+Params
+
+Return values
+
+Import interface wasi:filesystem/preopens@0.2.8
+
+Types
+type descriptor
+descriptor
+
+
+Functions
+get-directories: func
+Return the set of preopened directories, and their paths.
+Return values
+
+Import interface wasi:sockets/network@0.2.8
+
+Types
+type error
+error
+
+
resource network
+An opaque resource that represents access to (a subset of) the network.
+This enables context-based security for networking.
+There is no need for this to map 1:1 to a physical network interface.
+enum error-code
+Error codes.
+In theory, every API can return any error code.
+In practice, API's typically only return the errors documented per API
+combined with a couple of errors that are always possible:
+
+unknownaccess-deniednot-supportedout-of-memoryconcurrency-conflict
+See each individual API for what the POSIX equivalents are. They sometimes differ per API.
+Enum Cases
+
+-
+
unknown
+Unknown error
+
+-
+
access-denied
+Access denied.
+
POSIX equivalent: EACCES, EPERM
+
+-
+
not-supported
+The operation is not supported.
+
POSIX equivalent: EOPNOTSUPP
+
+-
+
invalid-argument
+One of the arguments is invalid.
+
POSIX equivalent: EINVAL
+
+-
+
out-of-memory
+Not enough memory to complete the operation.
+
POSIX equivalent: ENOMEM, ENOBUFS, EAI_MEMORY
+
+-
+
timeout
+The operation timed out before it could finish completely.
+
+-
+
concurrency-conflict
+This operation is incompatible with another asynchronous operation that is already in progress.
+
POSIX equivalent: EALREADY
+
+-
+
not-in-progress
+Trying to finish an asynchronous operation that:
+- has not been started yet, or:
+- was already finished by a previous `finish-*` call.
+
Note: this is scheduled to be removed when futures are natively supported.
+
+-
+
would-block
+The operation has been aborted because it could not be completed immediately.
+
Note: this is scheduled to be removed when futures are natively supported.
+
+-
+
invalid-state
+The operation is not valid in the socket's current state.
+
+-
+
new-socket-limit
+A new socket resource could not be created because of a system limit.
+
+-
+
address-not-bindable
+A bind operation failed because the provided address is not an address that the `network` can bind to.
+
+-
+
address-in-use
+A bind operation failed because the provided address is already in use or because there are no ephemeral ports available.
+
+-
+
remote-unreachable
+The remote address is not reachable
+
+-
+
connection-refused
+The TCP connection was forcefully rejected
+
+-
+
connection-reset
+The TCP connection was reset.
+
+-
+
connection-aborted
+A TCP connection was aborted.
+
+-
+
datagram-too-large
+The size of a datagram sent to a UDP socket exceeded the maximum
+supported size.
+
+-
+
name-unresolvable
+Name does not exist or has no suitable associated IP addresses.
+
+-
+
temporary-resolver-failure
+A temporary failure in name resolution occurred.
+
+-
+
permanent-resolver-failure
+A permanent failure in name resolution occurred.
+
+
+enum ip-address-family
+Enum Cases
+
+tuple ipv4-address
+Tuple Fields
+
+0: u81: u82: u83: u8
+tuple ipv6-address
+Tuple Fields
+
+0: u161: u162: u163: u164: u165: u166: u167: u16
+variant ip-address
+Variant Cases
+
+record ipv4-socket-address
+Record Fields
+
+-
+
port: u16
+sin_port
+
+-
+
address: ipv4-address
+sin_addr
+
+
+record ipv6-socket-address
+Record Fields
+
+-
+
port: u16
+sin6_port
+
+-
+
flow-info: u32
+sin6_flowinfo
+
+-
+
address: ipv6-address
+sin6_addr
+
+-
+
scope-id: u32
+sin6_scope_id
+
+
+variant ip-socket-address
+Variant Cases
+
+
+Functions
+network-error-code: func
+Attempts to extract a network-related error-code from the stream
+error provided.
+Stream operations which return stream-error::last-operation-failed
+have a payload with more information about the operation that failed.
+This payload can be passed through to this function to see if there's
+network-related information about the error to return.
+Note that this function is fallible because not all stream-related
+errors are network-related errors.
+Params
+
+Return values
+
+Import interface wasi:sockets/instance-network@0.2.8
+This interface provides a value-export of the default network handle..
+
+Types
+type network
+network
+
+
+Functions
+instance-network: func
+Get a handle to the default network.
+Return values
+
+Import interface wasi:sockets/udp@0.2.8
+
+Types
+type pollable
+pollable
+
+
type network
+network
+
+
type error-code
+error-code
+
+
type ip-socket-address
+ip-socket-address
+
+
type ip-address-family
+ip-address-family
+
+
record incoming-datagram
+A received datagram.
+Record Fields
+
+-
+
data: list<u8>
+The payload.
+
Theoretical max size: ~64 KiB. In practice, typically less than 1500 bytes.
+
+-
+
remote-address: ip-socket-address
+The source address.
+
This field is guaranteed to match the remote address the stream was initialized with, if any.
+Equivalent to the src_addr out parameter of recvfrom.
+
+
+record outgoing-datagram
+A datagram to be sent out.
+Record Fields
+
+-
+
data: list<u8>
+The payload.
+
+-
+
remote-address: option<ip-socket-address>
+The destination address.
+
The requirements on this field depend on how the stream was initialized:
+
+- with a remote address: this field must be None or match the stream's remote address exactly.
+- without a remote address: this field is required.
+
+If this value is None, the send operation is equivalent to send in POSIX. Otherwise it is equivalent to sendto.
+
+
+resource udp-socket
+A UDP socket handle.
+resource incoming-datagram-stream
+resource outgoing-datagram-stream
+
+Functions
+[method]udp-socket.start-bind: func
+Bind the socket to a specific network on the provided IP address and port.
+If the IP address is zero (0.0.0.0 in IPv4, :: in IPv6), it is left to the implementation to decide which
+network interface(s) to bind to.
+If the port is zero, the socket will be bound to a random free port.
+Typical errors
+
+invalid-argument: The local-address has the wrong address family. (EAFNOSUPPORT, EFAULT on Windows)invalid-state: The socket is already bound. (EINVAL)address-in-use: No ephemeral ports available. (EADDRINUSE, ENOBUFS on Windows)address-in-use: Address is already in use. (EADDRINUSE)address-not-bindable: local-address is not an address that the network can bind to. (EADDRNOTAVAIL)not-in-progress: A bind operation is not in progress.would-block: Can't finish the operation, it is still in progress. (EWOULDBLOCK, EAGAIN)
+Implementors note
+Unlike in POSIX, in WASI the bind operation is async. This enables
+interactive WASI hosts to inject permission prompts. Runtimes that
+don't want to make use of this ability can simply call the native
+bind as part of either start-bind or finish-bind.
+References
+
+Params
+
+Return values
+
+[method]udp-socket.finish-bind: func
+Params
+
+Return values
+
+[method]udp-socket.stream: func
+Set up inbound & outbound communication channels, optionally to a specific peer.
+This function only changes the local socket configuration and does not generate any network traffic.
+On success, the remote-address of the socket is updated. The local-address may be updated as well,
+based on the best network path to remote-address.
+When a remote-address is provided, the returned streams are limited to communicating with that specific peer:
+
+send can only be used to send to this destination.receive will only return datagrams sent from the provided remote-address.
+This method may be called multiple times on the same socket to change its association, but
+only the most recently returned pair of streams will be operational. Implementations may trap if
+the streams returned by a previous invocation haven't been dropped yet before calling stream again.
+The POSIX equivalent in pseudo-code is:
+if (was previously connected) {
+ connect(s, AF_UNSPEC)
+}
+if (remote_address is Some) {
+ connect(s, remote_address)
+}
+
+Unlike in POSIX, the socket must already be explicitly bound.
+Typical errors
+
+invalid-argument: The remote-address has the wrong address family. (EAFNOSUPPORT)invalid-argument: The IP address in remote-address is set to INADDR_ANY (0.0.0.0 / ::). (EDESTADDRREQ, EADDRNOTAVAIL)invalid-argument: The port in remote-address is set to 0. (EDESTADDRREQ, EADDRNOTAVAIL)invalid-state: The socket is not bound.address-in-use: Tried to perform an implicit bind, but there were no ephemeral ports available. (EADDRINUSE, EADDRNOTAVAIL on Linux, EAGAIN on BSD)remote-unreachable: The remote address is not reachable. (ECONNRESET, ENETRESET, EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)connection-refused: The connection was refused. (ECONNREFUSED)
+References
+
+Params
+
+Return values
+
+[method]udp-socket.local-address: func
+Get the current bound address.
+POSIX mentions:
+
+If the socket has not been bound to a local name, the value
+stored in the object pointed to by address is unspecified.
+
+WASI is stricter and requires local-address to return invalid-state when the socket hasn't been bound yet.
+Typical errors
+
+invalid-state: The socket is not bound to any local address.
+References
+
+Params
+
+Return values
+
+[method]udp-socket.remote-address: func
+Get the address the socket is currently streaming to.
+Typical errors
+
+invalid-state: The socket is not streaming to a specific remote address. (ENOTCONN)
+References
+
+Params
+
+Return values
+
+[method]udp-socket.address-family: func
+Whether this is a IPv4 or IPv6 socket.
+Equivalent to the SO_DOMAIN socket option.
+Params
+
+Return values
+
+[method]udp-socket.unicast-hop-limit: func
+Equivalent to the IP_TTL & IPV6_UNICAST_HOPS socket options.
+If the provided value is 0, an invalid-argument error is returned.
+Typical errors
+
+invalid-argument: (set) The TTL value must be 1 or higher.
+Params
+
+Return values
+
+[method]udp-socket.set-unicast-hop-limit: func
+Params
+
+Return values
+
+[method]udp-socket.receive-buffer-size: func
+The kernel buffer space reserved for sends/receives on this socket.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+I.e. after setting a value, reading the same setting back may return a different value.
+Equivalent to the SO_RCVBUF and SO_SNDBUF socket options.
+Typical errors
+
+invalid-argument: (set) The provided value was 0.
+Params
+
+Return values
+
+[method]udp-socket.set-receive-buffer-size: func
+Params
+
+Return values
+
+[method]udp-socket.send-buffer-size: func
+Params
+
+Return values
+
+[method]udp-socket.set-send-buffer-size: func
+Params
+
+Return values
+
+[method]udp-socket.subscribe: func
+Create a pollable which will resolve once the socket is ready for I/O.
+Note: this function is here for WASI 0.2 only.
+It's planned to be removed when future is natively supported in Preview3.
+Params
+
+Return values
+
+[method]incoming-datagram-stream.receive: func
+Receive messages on the socket.
+This function attempts to receive up to max-results datagrams on the socket without blocking.
+The returned list may contain fewer elements than requested, but never more.
+This function returns successfully with an empty list when either:
+
+max-results is 0, or:max-results is greater than 0, but no results are immediately available.
+This function never returns error(would-block).
+Typical errors
+
+remote-unreachable: The remote address is not reachable. (ECONNRESET, ENETRESET on Windows, EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)connection-refused: The connection was refused. (ECONNREFUSED)
+References
+
+Params
+
+Return values
+
+[method]incoming-datagram-stream.subscribe: func
+Create a pollable which will resolve once the stream is ready to receive again.
+Note: this function is here for WASI 0.2 only.
+It's planned to be removed when future is natively supported in Preview3.
+Params
+
+Return values
+
+[method]outgoing-datagram-stream.check-send: func
+Check readiness for sending. This function never blocks.
+Returns the number of datagrams permitted for the next call to send,
+or an error. Calling send with more datagrams than this function has
+permitted will trap.
+When this function returns ok(0), the subscribe pollable will
+become ready when this function will report at least ok(1), or an
+error.
+Never returns would-block.
+Params
+
+Return values
+
+[method]outgoing-datagram-stream.send: func
+Send messages on the socket.
+This function attempts to send all provided datagrams on the socket without blocking and
+returns how many messages were actually sent (or queued for sending). This function never
+returns error(would-block). If none of the datagrams were able to be sent, ok(0) is returned.
+This function semantically behaves the same as iterating the datagrams list and sequentially
+sending each individual datagram until either the end of the list has been reached or the first error occurred.
+If at least one datagram has been sent successfully, this function never returns an error.
+If the input list is empty, the function returns ok(0).
+Each call to send must be permitted by a preceding check-send. Implementations must trap if
+either check-send was not called or datagrams contains more items than check-send permitted.
+Typical errors
+
+invalid-argument: The remote-address has the wrong address family. (EAFNOSUPPORT)invalid-argument: The IP address in remote-address is set to INADDR_ANY (0.0.0.0 / ::). (EDESTADDRREQ, EADDRNOTAVAIL)invalid-argument: The port in remote-address is set to 0. (EDESTADDRREQ, EADDRNOTAVAIL)invalid-argument: The socket is in "connected" mode and remote-address is some value that does not match the address passed to stream. (EISCONN)invalid-argument: The socket is not "connected" and no value for remote-address was provided. (EDESTADDRREQ)remote-unreachable: The remote address is not reachable. (ECONNRESET, ENETRESET on Windows, EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)connection-refused: The connection was refused. (ECONNREFUSED)datagram-too-large: The datagram is too large. (EMSGSIZE)
+References
+
+Params
+
+Return values
+
+[method]outgoing-datagram-stream.subscribe: func
+Create a pollable which will resolve once the stream is ready to send again.
+Note: this function is here for WASI 0.2 only.
+It's planned to be removed when future is natively supported in Preview3.
+Params
+
+Return values
+
+Import interface wasi:sockets/udp-create-socket@0.2.8
+
+Types
+type network
+network
+
+
type error-code
+error-code
+
+
type ip-address-family
+ip-address-family
+
+
type udp-socket
+udp-socket
+
+
+Functions
+create-udp-socket: func
+Create a new UDP socket.
+Similar to socket(AF_INET or AF_INET6, SOCK_DGRAM, IPPROTO_UDP) in POSIX.
+On IPv6 sockets, IPV6_V6ONLY is enabled by default and can't be configured otherwise.
+This function does not require a network capability handle. This is considered to be safe because
+at time of creation, the socket is not bound to any network yet. Up to the moment bind is called,
+the socket is effectively an in-memory configuration object, unable to communicate with the outside world.
+All sockets are non-blocking. Use the wasi-poll interface to block on asynchronous operations.
+Typical errors
+
+not-supported: The specified address-family is not supported. (EAFNOSUPPORT)new-socket-limit: The new socket resource could not be created because of a system limit. (EMFILE, ENFILE)
+References:
+
+Params
+
+Return values
+
+Import interface wasi:sockets/tcp@0.2.8
+
+Types
+type input-stream
+input-stream
+
+
type output-stream
+output-stream
+
+
type pollable
+pollable
+
+
type duration
+duration
+
+
type network
+network
+
+
type error-code
+error-code
+
+
type ip-socket-address
+ip-socket-address
+
+
type ip-address-family
+ip-address-family
+
+
enum shutdown-type
+Enum Cases
+
+-
+
receive
+Similar to `SHUT_RD` in POSIX.
+
+-
+
send
+Similar to `SHUT_WR` in POSIX.
+
+-
+
both
+Similar to `SHUT_RDWR` in POSIX.
+
+
+resource tcp-socket
+A TCP socket resource.
+The socket can be in one of the following states:
+
+Note: Except where explicitly mentioned, whenever this documentation uses
+the term "bound" without backticks it actually means: in the bound state or higher.
+(i.e. bound, listen-in-progress, listening, connect-in-progress or connected)
+In addition to the general error codes documented on the
+network::error-code type, TCP socket methods may always return
+error(invalid-state) when in the closed state.
+Functions
+[method]tcp-socket.start-bind: func
+Bind the socket to a specific network on the provided IP address and port.
+If the IP address is zero (0.0.0.0 in IPv4, :: in IPv6), it is left to the implementation to decide which
+network interface(s) to bind to.
+If the TCP/UDP port is zero, the socket will be bound to a random free port.
+Bind can be attempted multiple times on the same socket, even with
+different arguments on each iteration. But never concurrently and
+only as long as the previous bind failed. Once a bind succeeds, the
+binding can't be changed anymore.
+Typical errors
+
+invalid-argument: The local-address has the wrong address family. (EAFNOSUPPORT, EFAULT on Windows)invalid-argument: local-address is not a unicast address. (EINVAL)invalid-argument: local-address is an IPv4-mapped IPv6 address. (EINVAL)invalid-state: The socket is already bound. (EINVAL)address-in-use: No ephemeral ports available. (EADDRINUSE, ENOBUFS on Windows)address-in-use: Address is already in use. (EADDRINUSE)address-not-bindable: local-address is not an address that the network can bind to. (EADDRNOTAVAIL)not-in-progress: A bind operation is not in progress.would-block: Can't finish the operation, it is still in progress. (EWOULDBLOCK, EAGAIN)
+Implementors note
+When binding to a non-zero port, this bind operation shouldn't be affected by the TIME_WAIT
+state of a recently closed socket on the same local address. In practice this means that the SO_REUSEADDR
+socket option should be set implicitly on all platforms, except on Windows where this is the default behavior
+and SO_REUSEADDR performs something different entirely.
+Unlike in POSIX, in WASI the bind operation is async. This enables
+interactive WASI hosts to inject permission prompts. Runtimes that
+don't want to make use of this ability can simply call the native
+bind as part of either start-bind or finish-bind.
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.finish-bind: func
+Params
+
+Return values
+
+[method]tcp-socket.start-connect: func
+Connect to a remote endpoint.
+On success:
+
+- the socket is transitioned into the
connected state.
+- a pair of streams is returned that can be used to read & write to the connection
+
+After a failed connection attempt, the socket will be in the closed
+state and the only valid action left is to drop the socket. A single
+socket can not be used to connect more than once.
+Typical errors
+
+invalid-argument: The remote-address has the wrong address family. (EAFNOSUPPORT)invalid-argument: remote-address is not a unicast address. (EINVAL, ENETUNREACH on Linux, EAFNOSUPPORT on MacOS)invalid-argument: remote-address is an IPv4-mapped IPv6 address. (EINVAL, EADDRNOTAVAIL on Illumos)invalid-argument: The IP address in remote-address is set to INADDR_ANY (0.0.0.0 / ::). (EADDRNOTAVAIL on Windows)invalid-argument: The port in remote-address is set to 0. (EADDRNOTAVAIL on Windows)invalid-argument: The socket is already attached to a different network. The network passed to connect must be identical to the one passed to bind.invalid-state: The socket is already in the connected state. (EISCONN)invalid-state: The socket is already in the listening state. (EOPNOTSUPP, EINVAL on Windows)timeout: Connection timed out. (ETIMEDOUT)connection-refused: The connection was forcefully rejected. (ECONNREFUSED)connection-reset: The connection was reset. (ECONNRESET)connection-aborted: The connection was aborted. (ECONNABORTED)remote-unreachable: The remote address is not reachable. (EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)address-in-use: Tried to perform an implicit bind, but there were no ephemeral ports available. (EADDRINUSE, EADDRNOTAVAIL on Linux, EAGAIN on BSD)not-in-progress: A connect operation is not in progress.would-block: Can't finish the operation, it is still in progress. (EWOULDBLOCK, EAGAIN)
+Implementors note
+The POSIX equivalent of start-connect is the regular connect syscall.
+Because all WASI sockets are non-blocking this is expected to return
+EINPROGRESS, which should be translated to ok() in WASI.
+The POSIX equivalent of finish-connect is a poll for event POLLOUT
+with a timeout of 0 on the socket descriptor. Followed by a check for
+the SO_ERROR socket option, in case the poll signaled readiness.
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.finish-connect: func
+Params
+
+Return values
+
+[method]tcp-socket.start-listen: func
+Start listening for new connections.
+Transitions the socket into the listening state.
+Unlike POSIX, the socket must already be explicitly bound.
+Typical errors
+
+invalid-state: The socket is not bound to any local address. (EDESTADDRREQ)invalid-state: The socket is already in the connected state. (EISCONN, EINVAL on BSD)invalid-state: The socket is already in the listening state.address-in-use: Tried to perform an implicit bind, but there were no ephemeral ports available. (EADDRINUSE)not-in-progress: A listen operation is not in progress.would-block: Can't finish the operation, it is still in progress. (EWOULDBLOCK, EAGAIN)
+Implementors note
+Unlike in POSIX, in WASI the listen operation is async. This enables
+interactive WASI hosts to inject permission prompts. Runtimes that
+don't want to make use of this ability can simply call the native
+listen as part of either start-listen or finish-listen.
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.finish-listen: func
+Params
+
+Return values
+
+[method]tcp-socket.accept: func
+Accept a new client socket.
+The returned socket is bound and in the connected state. The following properties are inherited from the listener socket:
+
+address-familykeep-alive-enabledkeep-alive-idle-timekeep-alive-intervalkeep-alive-counthop-limitreceive-buffer-sizesend-buffer-size
+On success, this function returns the newly accepted client socket along with
+a pair of streams that can be used to read & write to the connection.
+Typical errors
+
+invalid-state: Socket is not in the listening state. (EINVAL)would-block: No pending connections at the moment. (EWOULDBLOCK, EAGAIN)connection-aborted: An incoming connection was pending, but was terminated by the client before this listener could accept it. (ECONNABORTED)new-socket-limit: The new socket resource could not be created because of a system limit. (EMFILE, ENFILE)
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.local-address: func
+Get the bound local address.
+POSIX mentions:
+
+If the socket has not been bound to a local name, the value
+stored in the object pointed to by address is unspecified.
+
+WASI is stricter and requires local-address to return invalid-state when the socket hasn't been bound yet.
+Typical errors
+
+invalid-state: The socket is not bound to any local address.
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.remote-address: func
+Get the remote address.
+Typical errors
+
+invalid-state: The socket is not connected to a remote address. (ENOTCONN)
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.is-listening: func
+Whether the socket is in the listening state.
+Equivalent to the SO_ACCEPTCONN socket option.
+Params
+
+Return values
+
+[method]tcp-socket.address-family: func
+Whether this is a IPv4 or IPv6 socket.
+Equivalent to the SO_DOMAIN socket option.
+Params
+
+Return values
+
+[method]tcp-socket.set-listen-backlog-size: func
+Hints the desired listen queue size. Implementations are free to ignore this.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+Typical errors
+
+not-supported: (set) The platform does not support changing the backlog size after the initial listen.invalid-argument: (set) The provided value was 0.invalid-state: (set) The socket is in the connect-in-progress or connected state.
+Params
+
+Return values
+
+[method]tcp-socket.keep-alive-enabled: func
+Enables or disables keepalive.
+The keepalive behavior can be adjusted using:
+
+keep-alive-idle-timekeep-alive-intervalkeep-alive-count
+These properties can be configured while keep-alive-enabled is false, but only come into effect when keep-alive-enabled is true.
+Equivalent to the SO_KEEPALIVE socket option.
+Params
+
+Return values
+
+[method]tcp-socket.set-keep-alive-enabled: func
+Params
+
+Return values
+
+[method]tcp-socket.keep-alive-idle-time: func
+Amount of time the connection has to be idle before TCP starts sending keepalive packets.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+I.e. after setting a value, reading the same setting back may return a different value.
+Equivalent to the TCP_KEEPIDLE socket option. (TCP_KEEPALIVE on MacOS)
+Typical errors
+
+invalid-argument: (set) The provided value was 0.
+Params
+
+Return values
+
+[method]tcp-socket.set-keep-alive-idle-time: func
+Params
+
+Return values
+
+[method]tcp-socket.keep-alive-interval: func
+The time between keepalive packets.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+I.e. after setting a value, reading the same setting back may return a different value.
+Equivalent to the TCP_KEEPINTVL socket option.
+Typical errors
+
+invalid-argument: (set) The provided value was 0.
+Params
+
+Return values
+
+[method]tcp-socket.set-keep-alive-interval: func
+Params
+
+Return values
+
+[method]tcp-socket.keep-alive-count: func
+The maximum amount of keepalive packets TCP should send before aborting the connection.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+I.e. after setting a value, reading the same setting back may return a different value.
+Equivalent to the TCP_KEEPCNT socket option.
+Typical errors
+
+invalid-argument: (set) The provided value was 0.
+Params
+
+Return values
+
+[method]tcp-socket.set-keep-alive-count: func
+Params
+
+Return values
+
+[method]tcp-socket.hop-limit: func
+Equivalent to the IP_TTL & IPV6_UNICAST_HOPS socket options.
+If the provided value is 0, an invalid-argument error is returned.
+Typical errors
+
+invalid-argument: (set) The TTL value must be 1 or higher.
+Params
+
+Return values
+
+[method]tcp-socket.set-hop-limit: func
+Params
+
+Return values
+
+[method]tcp-socket.receive-buffer-size: func
+The kernel buffer space reserved for sends/receives on this socket.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+I.e. after setting a value, reading the same setting back may return a different value.
+Equivalent to the SO_RCVBUF and SO_SNDBUF socket options.
+Typical errors
+
+invalid-argument: (set) The provided value was 0.
+Params
+
+Return values
+
+[method]tcp-socket.set-receive-buffer-size: func
+Params
+
+Return values
+
+[method]tcp-socket.send-buffer-size: func
+Params
+
+Return values
+
+[method]tcp-socket.set-send-buffer-size: func
+Params
+
+Return values
+
+[method]tcp-socket.subscribe: func
+Create a pollable which can be used to poll for, or block on,
+completion of any of the asynchronous operations of this socket.
+When finish-bind, finish-listen, finish-connect or accept
+return error(would-block), this pollable can be used to wait for
+their success or failure, after which the method can be retried.
+The pollable is not limited to the async operation that happens to be
+in progress at the time of calling subscribe (if any). Theoretically,
+subscribe only has to be called once per socket and can then be
+(re)used for the remainder of the socket's lifetime.
+See https://github.com/WebAssembly/wasi-sockets/blob/main/TcpSocketOperationalSemantics.md#pollable-readiness
+for more information.
+Note: this function is here for WASI 0.2 only.
+It's planned to be removed when future is natively supported in Preview3.
+Params
+
+Return values
+
+[method]tcp-socket.shutdown: func
+Initiate a graceful shutdown.
+
+receive: The socket is not expecting to receive any data from
+the peer. The input-stream associated with this socket will be
+closed. Any data still in the receive queue at time of calling
+this method will be discarded.send: The socket has no more data to send to the peer. The output-stream
+associated with this socket will be closed and a FIN packet will be sent.both: Same effect as receive & send combined.
+This function is idempotent; shutting down a direction more than once
+has no effect and returns ok.
+The shutdown function does not close (drop) the socket.
+Typical errors
+
+invalid-state: The socket is not in the connected state. (ENOTCONN)
+References
+
+Params
+
+Return values
+
+Import interface wasi:sockets/tcp-create-socket@0.2.8
+
+Types
+type network
+network
+
+
type error-code
+error-code
+
+
type ip-address-family
+ip-address-family
+
+
type tcp-socket
+tcp-socket
+
+
+Functions
+create-tcp-socket: func
+Create a new TCP socket.
+Similar to socket(AF_INET or AF_INET6, SOCK_STREAM, IPPROTO_TCP) in POSIX.
+On IPv6 sockets, IPV6_V6ONLY is enabled by default and can't be configured otherwise.
+This function does not require a network capability handle. This is considered to be safe because
+at time of creation, the socket is not bound to any network yet. Up to the moment bind/connect
+is called, the socket is effectively an in-memory configuration object, unable to communicate with the outside world.
+All sockets are non-blocking. Use the wasi-poll interface to block on asynchronous operations.
+Typical errors
+
+not-supported: The specified address-family is not supported. (EAFNOSUPPORT)new-socket-limit: The new socket resource could not be created because of a system limit. (EMFILE, ENFILE)
+References
+
+Params
+
+Return values
+
+Import interface wasi:sockets/ip-name-lookup@0.2.8
+
+Types
+type pollable
+pollable
+
+
type network
+network
+
+
type error-code
+error-code
+
+
type ip-address
+ip-address
+
+
resource resolve-address-stream
+
+Functions
+resolve-addresses: func
+Resolve an internet host name to a list of IP addresses.
+Unicode domain names are automatically converted to ASCII using IDNA encoding.
+If the input is an IP address string, the address is parsed and returned
+as-is without making any external requests.
+See the wasi-socket proposal README.md for a comparison with getaddrinfo.
+This function never blocks. It either immediately fails or immediately
+returns successfully with a resolve-address-stream that can be used
+to (asynchronously) fetch the results.
+Typical errors
+
+invalid-argument: name is a syntactically invalid domain name or IP address.
+References:
+
+Params
+
+Return values
+
+[method]resolve-address-stream.resolve-next-address: func
+Returns the next address from the resolver.
+This function should be called multiple times. On each call, it will
+return the next address in connection order preference. If all
+addresses have been exhausted, this function returns none.
+This function never returns IPv4-mapped IPv6 addresses.
+Typical errors
+
+name-unresolvable: Name does not exist or has no suitable associated IP addresses. (EAI_NONAME, EAI_NODATA, EAI_ADDRFAMILY)temporary-resolver-failure: A temporary failure in name resolution occurred. (EAI_AGAIN)permanent-resolver-failure: A permanent failure in name resolution occurred. (EAI_FAIL)would-block: A result is not available yet. (EWOULDBLOCK, EAGAIN)
+Params
+
+Return values
+
+[method]resolve-address-stream.subscribe: func
+Create a pollable which will resolve once the stream is ready for I/O.
+Note: this function is here for WASI 0.2 only.
+It's planned to be removed when future is natively supported in Preview3.
+Params
+
+Return values
+
+Import interface wasi:random/random@0.2.8
+WASI Random is a random data API.
+It is intended to be portable at least between Unix-family platforms and
+Windows.
+
+Functions
+get-random-bytes: func
+Return len cryptographically-secure random or pseudo-random bytes.
+This function must produce data at least as cryptographically secure and
+fast as an adequately seeded cryptographically-secure pseudo-random
+number generator (CSPRNG). It must not block, from the perspective of
+the calling program, under any circumstances, including on the first
+request and on requests for numbers of bytes. The returned data must
+always be unpredictable.
+This function must always return fresh data. Deterministic environments
+must omit this function, rather than implementing it with deterministic
+data.
+Params
+
+Return values
+
+get-random-u64: func
+Return a cryptographically-secure random or pseudo-random u64 value.
+This function returns the same type of data as get-random-bytes,
+represented as a u64.
+Return values
+
+Import interface wasi:random/insecure@0.2.8
+The insecure interface for insecure pseudo-random numbers.
+It is intended to be portable at least between Unix-family platforms and
+Windows.
+
+Functions
+get-insecure-random-bytes: func
+Return len insecure pseudo-random bytes.
+This function is not cryptographically secure. Do not use it for
+anything related to security.
+There are no requirements on the values of the returned bytes, however
+implementations are encouraged to return evenly distributed values with
+a long period.
+Params
+
+Return values
+
+get-insecure-random-u64: func
+Return an insecure pseudo-random u64 value.
+This function returns the same type of pseudo-random data as
+get-insecure-random-bytes, represented as a u64.
+Return values
+
+Import interface wasi:random/insecure-seed@0.2.8
+The insecure-seed interface for seeding hash-map DoS resistance.
+It is intended to be portable at least between Unix-family platforms and
+Windows.
+
+Functions
+insecure-seed: func
+Return a 128-bit value that may contain a pseudo-random value.
+The returned value is not required to be computed from a CSPRNG, and may
+even be entirely deterministic. Host implementations are encouraged to
+provide pseudo-random values to any program exposed to
+attacker-controlled content, to enable DoS protection built into many
+languages' hash-map implementations.
+This function is intended to only be called once, by a source language
+to initialize Denial Of Service (DoS) protection in its hash-map
+implementation.
+Expected future evolution
+This will likely be changed to a value import, to prevent it from being
+called multiple times and potentially used for purposes other than DoS
+protection.
+Return values
+
+Export interface wasi:cli/run@0.2.8
+
+Functions
+run: func
+Run the program.
+Return values
+
diff --git a/proposals/cli/imports.md b/proposals/cli/imports.md
new file mode 100644
index 000000000..b23b099bb
--- /dev/null
+++ b/proposals/cli/imports.md
@@ -0,0 +1,3130 @@
+World imports
+
+Import interface wasi:cli/environment@0.2.8
+
+Functions
+get-environment: func
+Get the POSIX-style environment variables.
+Each environment variable is provided as a pair of string variable names
+and string value.
+Morally, these are a value import, but until value imports are available
+in the component model, this import function should return the same
+values each time it is called.
+Return values
+
+- list<(
string, string)>
+
+get-arguments: func
+Get the POSIX-style arguments to the program.
+Return values
+
+initial-cwd: func
+Return a path that programs should use as their initial current working
+directory, interpreting . as shorthand for this.
+Return values
+
+Import interface wasi:cli/exit@0.2.8
+
+Functions
+exit: func
+Exit the current instance and any linked instances.
+Params
+
+exit-with-code: func
+Exit the current instance and any linked instances, reporting the
+specified status code to the host.
+The meaning of the code depends on the context, with 0 usually meaning
+"success", and other values indicating various types of failure.
+This function does not return; the effect is analogous to a trap, but
+without the connotation that something bad has happened.
+Params
+
+Import interface wasi:io/error@0.2.8
+
+Types
+resource error
+A resource which represents some error information.
+The only method provided by this resource is to-debug-string,
+which provides some human-readable information about the error.
+In the wasi:io package, this resource is returned through the
+wasi:io/streams/stream-error type.
+To provide more specific error information, other interfaces may
+offer functions to "downcast" this error into more specific types. For example,
+errors returned from streams derived from filesystem types can be described using
+the filesystem's own error-code type. This is done using the function
+wasi:filesystem/types/filesystem-error-code, which takes a borrow<error>
+parameter and returns an option<wasi:filesystem/types/error-code>.
+The set of functions which can "downcast" an error into a more
+concrete type is open.
+Functions
+[method]error.to-debug-string: func
+Returns a string that is suitable to assist humans in debugging
+this error.
+WARNING: The returned string should not be consumed mechanically!
+It may change across platforms, hosts, or other implementation
+details. Parsing this string is a major platform-compatibility
+hazard.
+Params
+
+Return values
+
+Import interface wasi:io/poll@0.2.8
+A poll API intended to let users wait for I/O events on multiple handles
+at once.
+
+Types
+resource pollable
+pollable represents a single I/O event which may be ready, or not.
+Functions
+[method]pollable.ready: func
+Return the readiness of a pollable. This function never blocks.
+Returns true when the pollable is ready, and false otherwise.
+Params
+
+Return values
+
+[method]pollable.block: func
+block returns immediately if the pollable is ready, and otherwise
+blocks until ready.
+This function is equivalent to calling poll.poll on a list
+containing only this pollable.
+Params
+
+poll: func
+Poll for completion on a set of pollables.
+This function takes a list of pollables, which identify I/O sources of
+interest, and waits until one or more of the events is ready for I/O.
+The result list<u32> contains one or more indices of handles in the
+argument list that is ready for I/O.
+This function traps if either:
+
+- the list is empty, or:
+- the list contains more elements than can be indexed with a
u32 value.
+
+A timeout can be implemented by adding a pollable from the
+wasi-clocks API to the list.
+This function does not return a result; polling in itself does not
+do any I/O so it doesn't fail. If any of the I/O sources identified by
+the pollables has an error, it is indicated by marking the source as
+being ready for I/O.
+Params
+
+Return values
+
+Import interface wasi:io/streams@0.2.8
+WASI I/O is an I/O abstraction API which is currently focused on providing
+stream types.
+In the future, the component model is expected to add built-in stream types;
+when it does, they are expected to subsume this API.
+
+Types
+type error
+error
+
+
type pollable
+pollable
+
+
variant stream-error
+An error for input-stream and output-stream operations.
+Variant Cases
+
+-
+
last-operation-failed: own<error>
+The last operation (a write or flush) failed before completion.
+
More information is available in the error payload.
+After this, the stream will be closed. All future operations return
+stream-error::closed.
+
+-
+
closed
+The stream is closed: no more input will be accepted by the
+stream. A closed output-stream will return this error on all
+future operations.
+
+
+resource input-stream
+An input bytestream.
+input-streams are non-blocking to the extent practical on underlying
+platforms. I/O operations always return promptly; if fewer bytes are
+promptly available than requested, they return the number of bytes promptly
+available, which could even be zero. To wait for data to be available,
+use the subscribe function to obtain a pollable which can be polled
+for using wasi:io/poll.
+resource output-stream
+An output bytestream.
+output-streams are non-blocking to the extent practical on
+underlying platforms. Except where specified otherwise, I/O operations also
+always return promptly, after the number of bytes that can be written
+promptly, which could even be zero. To wait for the stream to be ready to
+accept data, the subscribe function to obtain a pollable which can be
+polled for using wasi:io/poll.
+Dropping an output-stream while there's still an active write in
+progress may result in the data being lost. Before dropping the stream,
+be sure to fully flush your writes.
+Functions
+[method]input-stream.read: func
+Perform a non-blocking read from the stream.
+When the source of a read is binary data, the bytes from the source
+are returned verbatim. When the source of a read is known to the
+implementation to be text, bytes containing the UTF-8 encoding of the
+text are returned.
+This function returns a list of bytes containing the read data,
+when successful. The returned list will contain up to len bytes;
+it may return fewer than requested, but not more. The list is
+empty when no bytes are available for reading at this time. The
+pollable given by subscribe will be ready when more bytes are
+available.
+This function fails with a stream-error when the operation
+encounters an error, giving last-operation-failed, or when the
+stream is closed, giving closed.
+When the caller gives a len of 0, it represents a request to
+read 0 bytes. If the stream is still open, this call should
+succeed and return an empty list, or otherwise fail with closed.
+The len parameter is a u64, which could represent a list of u8 which
+is not possible to allocate in wasm32, or not desirable to allocate as
+as a return value by the callee. The callee may return a list of bytes
+less than len in size while more bytes are available for reading.
+Params
+
+Return values
+
+[method]input-stream.blocking-read: func
+Read bytes from a stream, after blocking until at least one byte can
+be read. Except for blocking, behavior is identical to read.
+Params
+
+Return values
+
+[method]input-stream.skip: func
+Skip bytes from a stream. Returns number of bytes skipped.
+Behaves identical to read, except instead of returning a list
+of bytes, returns the number of bytes consumed from the stream.
+Params
+
+Return values
+
+[method]input-stream.blocking-skip: func
+Skip bytes from a stream, after blocking until at least one byte
+can be skipped. Except for blocking behavior, identical to skip.
+Params
+
+Return values
+
+[method]input-stream.subscribe: func
+Create a pollable which will resolve once either the specified stream
+has bytes available to read or the other end of the stream has been
+closed.
+The created pollable is a child resource of the input-stream.
+Implementations may trap if the input-stream is dropped before
+all derived pollables created with this function are dropped.
+Params
+
+Return values
+
+[method]output-stream.check-write: func
+Check readiness for writing. This function never blocks.
+Returns the number of bytes permitted for the next call to write,
+or an error. Calling write with more bytes than this function has
+permitted will trap.
+When this function returns 0 bytes, the subscribe pollable will
+become ready when this function will report at least 1 byte, or an
+error.
+Params
+
+Return values
+
+[method]output-stream.write: func
+Perform a write. This function never blocks.
+When the destination of a write is binary data, the bytes from
+contents are written verbatim. When the destination of a write is
+known to the implementation to be text, the bytes of contents are
+transcoded from UTF-8 into the encoding of the destination and then
+written.
+Precondition: check-write gave permit of Ok(n) and contents has a
+length of less than or equal to n. Otherwise, this function will trap.
+returns Err(closed) without writing if the stream has closed since
+the last call to check-write provided a permit.
+Params
+
+Return values
+
+[method]output-stream.blocking-write-and-flush: func
+Perform a write of up to 4096 bytes, and then flush the stream. Block
+until all of these operations are complete, or an error occurs.
+Returns success when all of the contents written are successfully
+flushed to output. If an error occurs at any point before all
+contents are successfully flushed, that error is returned as soon as
+possible. If writing and flushing the complete contents causes the
+stream to become closed, this call should return success, and
+subsequent calls to check-write or other interfaces should return
+stream-error::closed.
+Params
+
+Return values
+
+[method]output-stream.flush: func
+Request to flush buffered output. This function never blocks.
+This tells the output-stream that the caller intends any buffered
+output to be flushed. the output which is expected to be flushed
+is all that has been passed to write prior to this call.
+Upon calling this function, the output-stream will not accept any
+writes (check-write will return ok(0)) until the flush has
+completed. The subscribe pollable will become ready when the
+flush has completed and the stream can accept more writes.
+Params
+
+Return values
+
+[method]output-stream.blocking-flush: func
+Request to flush buffered output, and block until flush completes
+and stream is ready for writing again.
+Params
+
+Return values
+
+[method]output-stream.subscribe: func
+Create a pollable which will resolve once the output-stream
+is ready for more writing, or an error has occurred. When this
+pollable is ready, check-write will return ok(n) with n>0, or an
+error.
+If the stream is closed, this pollable is always ready immediately.
+The created pollable is a child resource of the output-stream.
+Implementations may trap if the output-stream is dropped before
+all derived pollables created with this function are dropped.
+Params
+
+Return values
+
+[method]output-stream.write-zeroes: func
+Write zeroes to a stream.
+This should be used precisely like write with the exact same
+preconditions (must use check-write first), but instead of
+passing a list of bytes, you simply pass the number of zero-bytes
+that should be written.
+Params
+
+Return values
+
+[method]output-stream.blocking-write-zeroes-and-flush: func
+Perform a write of up to 4096 zeroes, and then flush the stream.
+Block until all of these operations are complete, or an error
+occurs.
+Functionality is equivelant to blocking-write-and-flush with
+contents given as a list of len containing only zeroes.
+Params
+
+Return values
+
+[method]output-stream.splice: func
+Read from one stream and write to another.
+The behavior of splice is equivalent to:
+
+- calling
check-write on the output-stream
+- calling
read on the input-stream with the smaller of the
+check-write permitted length and the len provided to splice
+- calling
write on the output-stream with that read data.
+
+Any error reported by the call to check-write, read, or
+write ends the splice and reports that error.
+This function returns the number of bytes transferred; it may be less
+than len.
+Params
+
+Return values
+
+[method]output-stream.blocking-splice: func
+Read from one stream and write to another, with blocking.
+This is similar to splice, except that it blocks until the
+output-stream is ready for writing, and the input-stream
+is ready for reading, before performing the splice.
+Params
+
+Return values
+
+Import interface wasi:cli/stdin@0.2.8
+
+Types
+type input-stream
+input-stream
+
+
+Functions
+get-stdin: func
+Return values
+
+Import interface wasi:cli/stdout@0.2.8
+
+Types
+type output-stream
+output-stream
+
+
+Functions
+get-stdout: func
+Return values
+
+Import interface wasi:cli/stderr@0.2.8
+
+Types
+type output-stream
+output-stream
+
+
+Functions
+get-stderr: func
+Return values
+
+Import interface wasi:cli/terminal-input@0.2.8
+Terminal input.
+In the future, this may include functions for disabling echoing,
+disabling input buffering so that keyboard events are sent through
+immediately, querying supported features, and so on.
+
+Types
+resource terminal-input
+The input side of a terminal.
+Import interface wasi:cli/terminal-output@0.2.8
+Terminal output.
+In the future, this may include functions for querying the terminal
+size, being notified of terminal size changes, querying supported
+features, and so on.
+
+Types
+resource terminal-output
+The output side of a terminal.
+Import interface wasi:cli/terminal-stdin@0.2.8
+An interface providing an optional terminal-input for stdin as a
+link-time authority.
+
+Types
+type terminal-input
+terminal-input
+
+
+Functions
+get-terminal-stdin: func
+If stdin is connected to a terminal, return a terminal-input handle
+allowing further interaction with it.
+Return values
+
+Import interface wasi:cli/terminal-stdout@0.2.8
+An interface providing an optional terminal-output for stdout as a
+link-time authority.
+
+Types
+type terminal-output
+terminal-output
+
+
+Functions
+get-terminal-stdout: func
+If stdout is connected to a terminal, return a terminal-output handle
+allowing further interaction with it.
+Return values
+
+Import interface wasi:cli/terminal-stderr@0.2.8
+An interface providing an optional terminal-output for stderr as a
+link-time authority.
+
+Types
+type terminal-output
+terminal-output
+
+
+Functions
+get-terminal-stderr: func
+If stderr is connected to a terminal, return a terminal-output handle
+allowing further interaction with it.
+Return values
+
+Import interface wasi:clocks/monotonic-clock@0.2.8
+WASI Monotonic Clock is a clock API intended to let users measure elapsed
+time.
+It is intended to be portable at least between Unix-family platforms and
+Windows.
+A monotonic clock is a clock which has an unspecified initial value, and
+successive reads of the clock will produce non-decreasing values.
+
+Types
+type pollable
+pollable
+
+
type instant
+u64
+An instant in time, in nanoseconds. An instant is relative to an
+unspecified initial value, and can only be compared to instances from
+the same monotonic-clock.
+
type duration
+u64
+A duration of time, in nanoseconds.
+
+Functions
+now: func
+Read the current value of the clock.
+The clock is monotonic, therefore calling this function repeatedly will
+produce a sequence of non-decreasing values.
+For completeness, this function traps if it's not possible to represent
+the value of the clock in an instant. Consequently, implementations
+should ensure that the starting time is low enough to avoid the
+possibility of overflow in practice.
+Return values
+
+resolution: func
+Query the resolution of the clock. Returns the duration of time
+corresponding to a clock tick.
+Return values
+
+subscribe-instant: func
+Create a pollable which will resolve once the specified instant
+has occurred.
+Params
+
+Return values
+
+subscribe-duration: func
+Create a pollable that will resolve after the specified duration has
+elapsed from the time this function is invoked.
+Params
+
+Return values
+
+Import interface wasi:clocks/wall-clock@0.2.8
+WASI Wall Clock is a clock API intended to let users query the current
+time. The name "wall" makes an analogy to a "clock on the wall", which
+is not necessarily monotonic as it may be reset.
+It is intended to be portable at least between Unix-family platforms and
+Windows.
+A wall clock is a clock which measures the date and time according to
+some external reference.
+External references may be reset, so this clock is not necessarily
+monotonic, making it unsuitable for measuring elapsed time.
+It is intended for reporting the current date and time for humans.
+
+Types
+record datetime
+A time and date in seconds plus nanoseconds.
+Record Fields
+
+seconds: u64nanoseconds: u32
+
+Functions
+now: func
+Read the current value of the clock.
+This clock is not monotonic, therefore calling this function repeatedly
+will not necessarily produce a sequence of non-decreasing values.
+The returned timestamps represent the number of seconds since
+1970-01-01T00:00:00Z, also known as POSIX's Seconds Since the Epoch,
+also known as Unix Time.
+The nanoseconds field of the output is always less than 1000000000.
+Return values
+
+resolution: func
+Query the resolution of the clock.
+The nanoseconds field of the output is always less than 1000000000.
+Return values
+
+Import interface wasi:clocks/timezone@0.2.8
+
+Types
+type datetime
+datetime
+
+
record timezone-display
+Information useful for displaying the timezone of a specific datetime.
+This information may vary within a single timezone to reflect daylight
+saving time adjustments.
+Record Fields
+
+-
+
utc-offset: s32
+The number of seconds difference between UTC time and the local
+time of the timezone.
+
The returned value will always be less than 86400 which is the
+number of seconds in a day (246060).
+In implementations that do not expose an actual time zone, this
+should return 0.
+
+-
+
name: string
+The abbreviated name of the timezone to display to a user. The name
+`UTC` indicates Coordinated Universal Time. Otherwise, this should
+reference local standards for the name of the time zone.
+
In implementations that do not expose an actual time zone, this
+should be the string UTC.
+In time zones that do not have an applicable name, a formatted
+representation of the UTC offset may be returned, such as -04:00.
+
+-
+
in-daylight-saving-time: bool
+Whether daylight saving time is active.
+
In implementations that do not expose an actual time zone, this
+should return false.
+
+
+
+Functions
+display: func
+Return information needed to display the given datetime. This includes
+the UTC offset, the time zone name, and a flag indicating whether
+daylight saving time is active.
+If the timezone cannot be determined for the given datetime, return a
+timezone-display for UTC with a utc-offset of 0 and no daylight
+saving time.
+Params
+
+Return values
+
+utc-offset: func
+The same as display, but only return the UTC offset.
+Params
+
+Return values
+
+Import interface wasi:filesystem/types@0.2.8
+WASI filesystem is a filesystem API primarily intended to let users run WASI
+programs that access their files on their existing filesystems, without
+significant overhead.
+It is intended to be roughly portable between Unix-family platforms and
+Windows, though it does not hide many of the major differences.
+Paths are passed as interface-type strings, meaning they must consist of
+a sequence of Unicode Scalar Values (USVs). Some filesystems may contain
+paths which are not accessible by this API.
+The directory separator in WASI is always the forward-slash (/).
+All paths in WASI are relative paths, and are interpreted relative to a
+descriptor referring to a base directory. If a path argument to any WASI
+function starts with /, or if any step of resolving a path, including
+.. and symbolic link steps, reaches a directory outside of the base
+directory, or reaches a symlink to an absolute or rooted path in the
+underlying filesystem, the function fails with error-code::not-permitted.
+For more information about WASI path resolution and sandboxing, see
+WASI filesystem path resolution.
+
+Types
+type input-stream
+input-stream
+
+
type output-stream
+output-stream
+
+
type error
+error
+
+
type datetime
+datetime
+
+
type filesize
+u64
+File size or length of a region within a file.
+
enum descriptor-type
+The type of a filesystem object referenced by a descriptor.
+Note: This was called filetype in earlier versions of WASI.
+Enum Cases
+
+-
+
unknown
+The type of the descriptor or file is unknown or is different from
+any of the other types specified.
+
+-
+
block-device
+The descriptor refers to a block device inode.
+
+-
+
character-device
+The descriptor refers to a character device inode.
+
+-
+
directory
+The descriptor refers to a directory inode.
+
+-
+
fifo
+The descriptor refers to a named pipe.
+
+-
+
symbolic-link
+The file refers to a symbolic link inode.
+
+-
+
regular-file
+The descriptor refers to a regular file inode.
+
+-
+
socket
+The descriptor refers to a socket.
+
+
+flags descriptor-flags
+Descriptor flags.
+Note: This was called fdflags in earlier versions of WASI.
+Flags members
+
+-
+
read:
+Read mode: Data can be read.
+
+-
+
write:
+Write mode: Data can be written to.
+
+-
+
file-integrity-sync:
+Request that writes be performed according to synchronized I/O file
+integrity completion. The data stored in the file and the file's
+metadata are synchronized. This is similar to `O_SYNC` in POSIX.
+
The precise semantics of this operation have not yet been defined for
+WASI. At this time, it should be interpreted as a request, and not a
+requirement.
+
+-
+
data-integrity-sync:
+Request that writes be performed according to synchronized I/O data
+integrity completion. Only the data stored in the file is
+synchronized. This is similar to `O_DSYNC` in POSIX.
+
The precise semantics of this operation have not yet been defined for
+WASI. At this time, it should be interpreted as a request, and not a
+requirement.
+
+-
+
requested-write-sync:
+Requests that reads be performed at the same level of integrity
+requested for writes. This is similar to `O_RSYNC` in POSIX.
+
The precise semantics of this operation have not yet been defined for
+WASI. At this time, it should be interpreted as a request, and not a
+requirement.
+
+-
+
mutate-directory:
+Mutating directories mode: Directory contents may be mutated.
+
When this flag is unset on a descriptor, operations using the
+descriptor which would create, rename, delete, modify the data or
+metadata of filesystem objects, or obtain another handle which
+would permit any of those, shall fail with error-code::read-only if
+they would otherwise succeed.
+This may only be set on directories.
+
+
+flags path-flags
+Flags determining the method of how paths are resolved.
+Flags members
+
+flags open-flags
+Open flags used by open-at.
+Flags members
+
+-
+
create:
+Create file if it does not exist, similar to `O_CREAT` in POSIX.
+
+-
+
directory:
+Fail if not a directory, similar to `O_DIRECTORY` in POSIX.
+
+-
+
exclusive:
+Fail if file already exists, similar to `O_EXCL` in POSIX.
+
+-
+
truncate:
+Truncate file to size 0, similar to `O_TRUNC` in POSIX.
+
+
+type link-count
+u64
+Number of hard links to an inode.
+
record descriptor-stat
+File attributes.
+Note: This was called filestat in earlier versions of WASI.
+Record Fields
+
+-
+
type: descriptor-type
+File type.
+
+-
+
link-count: link-count
+Number of hard links to the file.
+
+-
+
size: filesize
+For regular files, the file size in bytes. For symbolic links, the
+length in bytes of the pathname contained in the symbolic link.
+
+-
+
data-access-timestamp: option<datetime>
+Last data access timestamp.
+
If the option is none, the platform doesn't maintain an access
+timestamp for this file.
+
+-
+
data-modification-timestamp: option<datetime>
+Last data modification timestamp.
+
If the option is none, the platform doesn't maintain a
+modification timestamp for this file.
+
+-
+
status-change-timestamp: option<datetime>
+Last file status-change timestamp.
+
If the option is none, the platform doesn't maintain a
+status-change timestamp for this file.
+
+
+variant new-timestamp
+When setting a timestamp, this gives the value to set it to.
+Variant Cases
+
+-
+
no-change
+Leave the timestamp set to its previous value.
+
+-
+
now
+Set the timestamp to the current time of the system clock associated
+with the filesystem.
+
+-
+
timestamp: datetime
+Set the timestamp to the given value.
+
+
+record directory-entry
+A directory entry.
+Record Fields
+
+enum error-code
+Error codes returned by functions, similar to errno in POSIX.
+Not all of these error codes are returned by the functions provided by this
+API; some are used in higher-level library layers, and others are provided
+merely for alignment with POSIX.
+Enum Cases
+
+-
+
access
+Permission denied, similar to `EACCES` in POSIX.
+
+-
+
would-block
+Resource unavailable, or operation would block, similar to `EAGAIN` and `EWOULDBLOCK` in POSIX.
+
+-
+
already
+Connection already in progress, similar to `EALREADY` in POSIX.
+
+-
+
bad-descriptor
+Bad descriptor, similar to `EBADF` in POSIX.
+
+-
+
busy
+Device or resource busy, similar to `EBUSY` in POSIX.
+
+-
+
deadlock
+Resource deadlock would occur, similar to `EDEADLK` in POSIX.
+
+-
+
quota
+Storage quota exceeded, similar to `EDQUOT` in POSIX.
+
+-
+
exist
+File exists, similar to `EEXIST` in POSIX.
+
+-
+
file-too-large
+File too large, similar to `EFBIG` in POSIX.
+
+-
+
illegal-byte-sequence
+Illegal byte sequence, similar to `EILSEQ` in POSIX.
+
+-
+
in-progress
+Operation in progress, similar to `EINPROGRESS` in POSIX.
+
+-
+
interrupted
+Interrupted function, similar to `EINTR` in POSIX.
+
+-
+
invalid
+Invalid argument, similar to `EINVAL` in POSIX.
+
+-
+
io
+I/O error, similar to `EIO` in POSIX.
+
+-
+
is-directory
+Is a directory, similar to `EISDIR` in POSIX.
+
+-
+
loop
+Too many levels of symbolic links, similar to `ELOOP` in POSIX.
+
+-
+
too-many-links
+Too many links, similar to `EMLINK` in POSIX.
+
+-
+
message-size
+Message too large, similar to `EMSGSIZE` in POSIX.
+
+-
+
name-too-long
+Filename too long, similar to `ENAMETOOLONG` in POSIX.
+
+-
+
no-device
+No such device, similar to `ENODEV` in POSIX.
+
+-
+
no-entry
+No such file or directory, similar to `ENOENT` in POSIX.
+
+-
+
no-lock
+No locks available, similar to `ENOLCK` in POSIX.
+
+-
+
insufficient-memory
+Not enough space, similar to `ENOMEM` in POSIX.
+
+-
+
insufficient-space
+No space left on device, similar to `ENOSPC` in POSIX.
+
+-
+
not-directory
+Not a directory or a symbolic link to a directory, similar to `ENOTDIR` in POSIX.
+
+-
+
not-empty
+Directory not empty, similar to `ENOTEMPTY` in POSIX.
+
+-
+
not-recoverable
+State not recoverable, similar to `ENOTRECOVERABLE` in POSIX.
+
+-
+
unsupported
+Not supported, similar to `ENOTSUP` and `ENOSYS` in POSIX.
+
+-
+
no-tty
+Inappropriate I/O control operation, similar to `ENOTTY` in POSIX.
+
+-
+
no-such-device
+No such device or address, similar to `ENXIO` in POSIX.
+
+-
+
overflow
+Value too large to be stored in data type, similar to `EOVERFLOW` in POSIX.
+
+-
+
not-permitted
+Operation not permitted, similar to `EPERM` in POSIX.
+
+-
+
pipe
+Broken pipe, similar to `EPIPE` in POSIX.
+
+-
+
read-only
+Read-only file system, similar to `EROFS` in POSIX.
+
+-
+
invalid-seek
+Invalid seek, similar to `ESPIPE` in POSIX.
+
+-
+
text-file-busy
+Text file busy, similar to `ETXTBSY` in POSIX.
+
+-
+
cross-device
+Cross-device link, similar to `EXDEV` in POSIX.
+
+
+enum advice
+File or memory access pattern advisory information.
+Enum Cases
+
+-
+
normal
+The application has no advice to give on its behavior with respect
+to the specified data.
+
+-
+
sequential
+The application expects to access the specified data sequentially
+from lower offsets to higher offsets.
+
+-
+
random
+The application expects to access the specified data in a random
+order.
+
+-
+
will-need
+The application expects to access the specified data in the near
+future.
+
+-
+
dont-need
+The application expects that it will not access the specified data
+in the near future.
+
+-
+
no-reuse
+The application expects to access the specified data once and then
+not reuse it thereafter.
+
+
+record metadata-hash-value
+A 128-bit hash value, split into parts because wasm doesn't have a
+128-bit integer type.
+Record Fields
+
+resource descriptor
+A descriptor is a reference to a filesystem object, which may be a file,
+directory, named pipe, special file, or other object on which filesystem
+calls may be made.
+resource directory-entry-stream
+A stream of directory entries.
+Functions
+[method]descriptor.read-via-stream: func
+Return a stream for reading from a file, if available.
+May fail with an error-code describing why the file cannot be read.
+Multiple read, write, and append streams may be active on the same open
+file and they do not interfere with each other.
+Note: This allows using read-stream, which is similar to read in POSIX.
+Params
+
+Return values
+
+[method]descriptor.write-via-stream: func
+Return a stream for writing to a file, if available.
+May fail with an error-code describing why the file cannot be written.
+Note: This allows using write-stream, which is similar to write in
+POSIX.
+Params
+
+Return values
+
+[method]descriptor.append-via-stream: func
+Return a stream for appending to a file, if available.
+May fail with an error-code describing why the file cannot be appended.
+Note: This allows using write-stream, which is similar to write with
+O_APPEND in POSIX.
+Params
+
+Return values
+
+[method]descriptor.advise: func
+Provide file advisory information on a descriptor.
+This is similar to posix_fadvise in POSIX.
+Params
+
+Return values
+
+[method]descriptor.sync-data: func
+Synchronize the data of a file to disk.
+This function succeeds with no effect if the file descriptor is not
+opened for writing.
+Note: This is similar to fdatasync in POSIX.
+Params
+
+Return values
+
+[method]descriptor.get-flags: func
+Get flags associated with a descriptor.
+Note: This returns similar flags to fcntl(fd, F_GETFL) in POSIX.
+Note: This returns the value that was the fs_flags value returned
+from fdstat_get in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.get-type: func
+Get the dynamic type of a descriptor.
+Note: This returns the same value as the type field of the fd-stat
+returned by stat, stat-at and similar.
+Note: This returns similar flags to the st_mode & S_IFMT value provided
+by fstat in POSIX.
+Note: This returns the value that was the fs_filetype value returned
+from fdstat_get in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.set-size: func
+Adjust the size of an open file. If this increases the file's size, the
+extra bytes are filled with zeros.
+Note: This was called fd_filestat_set_size in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.set-times: func
+Adjust the timestamps of an open file or directory.
+Note: This is similar to futimens in POSIX.
+Note: This was called fd_filestat_set_times in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.read: func
+Read from a descriptor, without using and updating the descriptor's offset.
+This function returns a list of bytes containing the data that was
+read, along with a bool which, when true, indicates that the end of the
+file was reached. The returned list will contain up to length bytes; it
+may return fewer than requested, if the end of the file is reached or
+if the I/O operation is interrupted.
+In the future, this may change to return a stream<u8, error-code>.
+Note: This is similar to pread in POSIX.
+Params
+
+Return values
+
+[method]descriptor.write: func
+Write to a descriptor, without using and updating the descriptor's offset.
+It is valid to write past the end of a file; the file is extended to the
+extent of the write, with bytes between the previous end and the start of
+the write set to zero.
+In the future, this may change to take a stream<u8, error-code>.
+Note: This is similar to pwrite in POSIX.
+Params
+
+Return values
+
+[method]descriptor.read-directory: func
+Read directory entries from a directory.
+On filesystems where directories contain entries referring to themselves
+and their parents, often named . and .. respectively, these entries
+are omitted.
+This always returns a new stream which starts at the beginning of the
+directory. Multiple streams may be active on the same directory, and they
+do not interfere with each other.
+Params
+
+Return values
+
+[method]descriptor.sync: func
+Synchronize the data and metadata of a file to disk.
+This function succeeds with no effect if the file descriptor is not
+opened for writing.
+Note: This is similar to fsync in POSIX.
+Params
+
+Return values
+
+[method]descriptor.create-directory-at: func
+Create a directory.
+Note: This is similar to mkdirat in POSIX.
+Params
+
+Return values
+
+[method]descriptor.stat: func
+Return the attributes of an open file or directory.
+Note: This is similar to fstat in POSIX, except that it does not return
+device and inode information. For testing whether two descriptors refer to
+the same underlying filesystem object, use is-same-object. To obtain
+additional data that can be used do determine whether a file has been
+modified, use metadata-hash.
+Note: This was called fd_filestat_get in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.stat-at: func
+Return the attributes of a file or directory.
+Note: This is similar to fstatat in POSIX, except that it does not
+return device and inode information. See the stat description for a
+discussion of alternatives.
+Note: This was called path_filestat_get in earlier versions of WASI.
+Params
+
+Return values
+
+[method]descriptor.set-times-at: func
+Adjust the timestamps of a file or directory.
+Note: This is similar to utimensat in POSIX.
+Note: This was called path_filestat_set_times in earlier versions of
+WASI.
+Params
+
+Return values
+
+[method]descriptor.link-at: func
+Create a hard link.
+Fails with error-code::no-entry if the old path does not exist,
+with error-code::exist if the new path already exists, and
+error-code::not-permitted if the old path is not a file.
+Note: This is similar to linkat in POSIX.
+Params
+
+Return values
+
+[method]descriptor.open-at: func
+Open a file or directory.
+If flags contains descriptor-flags::mutate-directory, and the base
+descriptor doesn't have descriptor-flags::mutate-directory set,
+open-at fails with error-code::read-only.
+If flags contains write or mutate-directory, or open-flags
+contains truncate or create, and the base descriptor doesn't have
+descriptor-flags::mutate-directory set, open-at fails with
+error-code::read-only.
+Note: This is similar to openat in POSIX.
+Params
+
+Return values
+
+[method]descriptor.readlink-at: func
+Read the contents of a symbolic link.
+If the contents contain an absolute or rooted path in the underlying
+filesystem, this function fails with error-code::not-permitted.
+Note: This is similar to readlinkat in POSIX.
+Params
+
+Return values
+
+[method]descriptor.remove-directory-at: func
+Remove a directory.
+Return error-code::not-empty if the directory is not empty.
+Note: This is similar to unlinkat(fd, path, AT_REMOVEDIR) in POSIX.
+Params
+
+Return values
+
+[method]descriptor.rename-at: func
+Rename a filesystem object.
+Note: This is similar to renameat in POSIX.
+Params
+
+Return values
+
+[method]descriptor.symlink-at: func
+Create a symbolic link (also known as a "symlink").
+If old-path starts with /, the function fails with
+error-code::not-permitted.
+Note: This is similar to symlinkat in POSIX.
+Params
+
+self: borrow<descriptor>old-path: stringnew-path: string
+Return values
+
+[method]descriptor.unlink-file-at: func
+Unlink a filesystem object that is not a directory.
+Return error-code::is-directory if the path refers to a directory.
+Note: This is similar to unlinkat(fd, path, 0) in POSIX.
+Params
+
+Return values
+
+[method]descriptor.is-same-object: func
+Test whether two descriptors refer to the same filesystem object.
+In POSIX, this corresponds to testing whether the two descriptors have the
+same device (st_dev) and inode (st_ino or d_ino) numbers.
+wasi-filesystem does not expose device and inode numbers, so this function
+may be used instead.
+Params
+
+Return values
+
+[method]descriptor.metadata-hash: func
+Return a hash of the metadata associated with a filesystem object referred
+to by a descriptor.
+This returns a hash of the last-modification timestamp and file size, and
+may also include the inode number, device number, birth timestamp, and
+other metadata fields that may change when the file is modified or
+replaced. It may also include a secret value chosen by the
+implementation and not otherwise exposed.
+Implementations are encouraged to provide the following properties:
+
+- If the file is not modified or replaced, the computed hash value should
+usually not change.
+- If the object is modified or replaced, the computed hash value should
+usually change.
+- The inputs to the hash should not be easily computable from the
+computed hash.
+
+However, none of these is required.
+Params
+
+Return values
+
+[method]descriptor.metadata-hash-at: func
+Return a hash of the metadata associated with a filesystem object referred
+to by a directory descriptor and a relative path.
+This performs the same hash computation as metadata-hash.
+Params
+
+Return values
+
+[method]directory-entry-stream.read-directory-entry: func
+Read a single directory entry from a directory-entry-stream.
+Params
+
+Return values
+
+filesystem-error-code: func
+Attempts to extract a filesystem-related error-code from the stream
+error provided.
+Stream operations which return stream-error::last-operation-failed
+have a payload with more information about the operation that failed.
+This payload can be passed through to this function to see if there's
+filesystem-related information about the error to return.
+Note that this function is fallible because not all stream-related
+errors are filesystem-related errors.
+Params
+
+Return values
+
+Import interface wasi:filesystem/preopens@0.2.8
+
+Types
+type descriptor
+descriptor
+
+
+Functions
+get-directories: func
+Return the set of preopened directories, and their paths.
+Return values
+
+Import interface wasi:sockets/network@0.2.8
+
+Types
+type error
+error
+
+
resource network
+An opaque resource that represents access to (a subset of) the network.
+This enables context-based security for networking.
+There is no need for this to map 1:1 to a physical network interface.
+enum error-code
+Error codes.
+In theory, every API can return any error code.
+In practice, API's typically only return the errors documented per API
+combined with a couple of errors that are always possible:
+
+unknownaccess-deniednot-supportedout-of-memoryconcurrency-conflict
+See each individual API for what the POSIX equivalents are. They sometimes differ per API.
+Enum Cases
+
+-
+
unknown
+Unknown error
+
+-
+
access-denied
+Access denied.
+
POSIX equivalent: EACCES, EPERM
+
+-
+
not-supported
+The operation is not supported.
+
POSIX equivalent: EOPNOTSUPP
+
+-
+
invalid-argument
+One of the arguments is invalid.
+
POSIX equivalent: EINVAL
+
+-
+
out-of-memory
+Not enough memory to complete the operation.
+
POSIX equivalent: ENOMEM, ENOBUFS, EAI_MEMORY
+
+-
+
timeout
+The operation timed out before it could finish completely.
+
+-
+
concurrency-conflict
+This operation is incompatible with another asynchronous operation that is already in progress.
+
POSIX equivalent: EALREADY
+
+-
+
not-in-progress
+Trying to finish an asynchronous operation that:
+- has not been started yet, or:
+- was already finished by a previous `finish-*` call.
+
Note: this is scheduled to be removed when futures are natively supported.
+
+-
+
would-block
+The operation has been aborted because it could not be completed immediately.
+
Note: this is scheduled to be removed when futures are natively supported.
+
+-
+
invalid-state
+The operation is not valid in the socket's current state.
+
+-
+
new-socket-limit
+A new socket resource could not be created because of a system limit.
+
+-
+
address-not-bindable
+A bind operation failed because the provided address is not an address that the `network` can bind to.
+
+-
+
address-in-use
+A bind operation failed because the provided address is already in use or because there are no ephemeral ports available.
+
+-
+
remote-unreachable
+The remote address is not reachable
+
+-
+
connection-refused
+The TCP connection was forcefully rejected
+
+-
+
connection-reset
+The TCP connection was reset.
+
+-
+
connection-aborted
+A TCP connection was aborted.
+
+-
+
datagram-too-large
+The size of a datagram sent to a UDP socket exceeded the maximum
+supported size.
+
+-
+
name-unresolvable
+Name does not exist or has no suitable associated IP addresses.
+
+-
+
temporary-resolver-failure
+A temporary failure in name resolution occurred.
+
+-
+
permanent-resolver-failure
+A permanent failure in name resolution occurred.
+
+
+enum ip-address-family
+Enum Cases
+
+tuple ipv4-address
+Tuple Fields
+
+0: u81: u82: u83: u8
+tuple ipv6-address
+Tuple Fields
+
+0: u161: u162: u163: u164: u165: u166: u167: u16
+variant ip-address
+Variant Cases
+
+record ipv4-socket-address
+Record Fields
+
+-
+
port: u16
+sin_port
+
+-
+
address: ipv4-address
+sin_addr
+
+
+record ipv6-socket-address
+Record Fields
+
+-
+
port: u16
+sin6_port
+
+-
+
flow-info: u32
+sin6_flowinfo
+
+-
+
address: ipv6-address
+sin6_addr
+
+-
+
scope-id: u32
+sin6_scope_id
+
+
+variant ip-socket-address
+Variant Cases
+
+
+Functions
+network-error-code: func
+Attempts to extract a network-related error-code from the stream
+error provided.
+Stream operations which return stream-error::last-operation-failed
+have a payload with more information about the operation that failed.
+This payload can be passed through to this function to see if there's
+network-related information about the error to return.
+Note that this function is fallible because not all stream-related
+errors are network-related errors.
+Params
+
+Return values
+
+Import interface wasi:sockets/instance-network@0.2.8
+This interface provides a value-export of the default network handle..
+
+Types
+type network
+network
+
+
+Functions
+instance-network: func
+Get a handle to the default network.
+Return values
+
+Import interface wasi:sockets/udp@0.2.8
+
+Types
+type pollable
+pollable
+
+
type network
+network
+
+
type error-code
+error-code
+
+
type ip-socket-address
+ip-socket-address
+
+
type ip-address-family
+ip-address-family
+
+
record incoming-datagram
+A received datagram.
+Record Fields
+
+-
+
data: list<u8>
+The payload.
+
Theoretical max size: ~64 KiB. In practice, typically less than 1500 bytes.
+
+-
+
remote-address: ip-socket-address
+The source address.
+
This field is guaranteed to match the remote address the stream was initialized with, if any.
+Equivalent to the src_addr out parameter of recvfrom.
+
+
+record outgoing-datagram
+A datagram to be sent out.
+Record Fields
+
+-
+
data: list<u8>
+The payload.
+
+-
+
remote-address: option<ip-socket-address>
+The destination address.
+
The requirements on this field depend on how the stream was initialized:
+
+- with a remote address: this field must be None or match the stream's remote address exactly.
+- without a remote address: this field is required.
+
+If this value is None, the send operation is equivalent to send in POSIX. Otherwise it is equivalent to sendto.
+
+
+resource udp-socket
+A UDP socket handle.
+resource incoming-datagram-stream
+resource outgoing-datagram-stream
+
+Functions
+[method]udp-socket.start-bind: func
+Bind the socket to a specific network on the provided IP address and port.
+If the IP address is zero (0.0.0.0 in IPv4, :: in IPv6), it is left to the implementation to decide which
+network interface(s) to bind to.
+If the port is zero, the socket will be bound to a random free port.
+Typical errors
+
+invalid-argument: The local-address has the wrong address family. (EAFNOSUPPORT, EFAULT on Windows)invalid-state: The socket is already bound. (EINVAL)address-in-use: No ephemeral ports available. (EADDRINUSE, ENOBUFS on Windows)address-in-use: Address is already in use. (EADDRINUSE)address-not-bindable: local-address is not an address that the network can bind to. (EADDRNOTAVAIL)not-in-progress: A bind operation is not in progress.would-block: Can't finish the operation, it is still in progress. (EWOULDBLOCK, EAGAIN)
+Implementors note
+Unlike in POSIX, in WASI the bind operation is async. This enables
+interactive WASI hosts to inject permission prompts. Runtimes that
+don't want to make use of this ability can simply call the native
+bind as part of either start-bind or finish-bind.
+References
+
+Params
+
+Return values
+
+[method]udp-socket.finish-bind: func
+Params
+
+Return values
+
+[method]udp-socket.stream: func
+Set up inbound & outbound communication channels, optionally to a specific peer.
+This function only changes the local socket configuration and does not generate any network traffic.
+On success, the remote-address of the socket is updated. The local-address may be updated as well,
+based on the best network path to remote-address.
+When a remote-address is provided, the returned streams are limited to communicating with that specific peer:
+
+send can only be used to send to this destination.receive will only return datagrams sent from the provided remote-address.
+This method may be called multiple times on the same socket to change its association, but
+only the most recently returned pair of streams will be operational. Implementations may trap if
+the streams returned by a previous invocation haven't been dropped yet before calling stream again.
+The POSIX equivalent in pseudo-code is:
+if (was previously connected) {
+ connect(s, AF_UNSPEC)
+}
+if (remote_address is Some) {
+ connect(s, remote_address)
+}
+
+Unlike in POSIX, the socket must already be explicitly bound.
+Typical errors
+
+invalid-argument: The remote-address has the wrong address family. (EAFNOSUPPORT)invalid-argument: The IP address in remote-address is set to INADDR_ANY (0.0.0.0 / ::). (EDESTADDRREQ, EADDRNOTAVAIL)invalid-argument: The port in remote-address is set to 0. (EDESTADDRREQ, EADDRNOTAVAIL)invalid-state: The socket is not bound.address-in-use: Tried to perform an implicit bind, but there were no ephemeral ports available. (EADDRINUSE, EADDRNOTAVAIL on Linux, EAGAIN on BSD)remote-unreachable: The remote address is not reachable. (ECONNRESET, ENETRESET, EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)connection-refused: The connection was refused. (ECONNREFUSED)
+References
+
+Params
+
+Return values
+
+[method]udp-socket.local-address: func
+Get the current bound address.
+POSIX mentions:
+
+If the socket has not been bound to a local name, the value
+stored in the object pointed to by address is unspecified.
+
+WASI is stricter and requires local-address to return invalid-state when the socket hasn't been bound yet.
+Typical errors
+
+invalid-state: The socket is not bound to any local address.
+References
+
+Params
+
+Return values
+
+[method]udp-socket.remote-address: func
+Get the address the socket is currently streaming to.
+Typical errors
+
+invalid-state: The socket is not streaming to a specific remote address. (ENOTCONN)
+References
+
+Params
+
+Return values
+
+[method]udp-socket.address-family: func
+Whether this is a IPv4 or IPv6 socket.
+Equivalent to the SO_DOMAIN socket option.
+Params
+
+Return values
+
+[method]udp-socket.unicast-hop-limit: func
+Equivalent to the IP_TTL & IPV6_UNICAST_HOPS socket options.
+If the provided value is 0, an invalid-argument error is returned.
+Typical errors
+
+invalid-argument: (set) The TTL value must be 1 or higher.
+Params
+
+Return values
+
+[method]udp-socket.set-unicast-hop-limit: func
+Params
+
+Return values
+
+[method]udp-socket.receive-buffer-size: func
+The kernel buffer space reserved for sends/receives on this socket.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+I.e. after setting a value, reading the same setting back may return a different value.
+Equivalent to the SO_RCVBUF and SO_SNDBUF socket options.
+Typical errors
+
+invalid-argument: (set) The provided value was 0.
+Params
+
+Return values
+
+[method]udp-socket.set-receive-buffer-size: func
+Params
+
+Return values
+
+[method]udp-socket.send-buffer-size: func
+Params
+
+Return values
+
+[method]udp-socket.set-send-buffer-size: func
+Params
+
+Return values
+
+[method]udp-socket.subscribe: func
+Create a pollable which will resolve once the socket is ready for I/O.
+Note: this function is here for WASI 0.2 only.
+It's planned to be removed when future is natively supported in Preview3.
+Params
+
+Return values
+
+[method]incoming-datagram-stream.receive: func
+Receive messages on the socket.
+This function attempts to receive up to max-results datagrams on the socket without blocking.
+The returned list may contain fewer elements than requested, but never more.
+This function returns successfully with an empty list when either:
+
+max-results is 0, or:max-results is greater than 0, but no results are immediately available.
+This function never returns error(would-block).
+Typical errors
+
+remote-unreachable: The remote address is not reachable. (ECONNRESET, ENETRESET on Windows, EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)connection-refused: The connection was refused. (ECONNREFUSED)
+References
+
+Params
+
+Return values
+
+[method]incoming-datagram-stream.subscribe: func
+Create a pollable which will resolve once the stream is ready to receive again.
+Note: this function is here for WASI 0.2 only.
+It's planned to be removed when future is natively supported in Preview3.
+Params
+
+Return values
+
+[method]outgoing-datagram-stream.check-send: func
+Check readiness for sending. This function never blocks.
+Returns the number of datagrams permitted for the next call to send,
+or an error. Calling send with more datagrams than this function has
+permitted will trap.
+When this function returns ok(0), the subscribe pollable will
+become ready when this function will report at least ok(1), or an
+error.
+Never returns would-block.
+Params
+
+Return values
+
+[method]outgoing-datagram-stream.send: func
+Send messages on the socket.
+This function attempts to send all provided datagrams on the socket without blocking and
+returns how many messages were actually sent (or queued for sending). This function never
+returns error(would-block). If none of the datagrams were able to be sent, ok(0) is returned.
+This function semantically behaves the same as iterating the datagrams list and sequentially
+sending each individual datagram until either the end of the list has been reached or the first error occurred.
+If at least one datagram has been sent successfully, this function never returns an error.
+If the input list is empty, the function returns ok(0).
+Each call to send must be permitted by a preceding check-send. Implementations must trap if
+either check-send was not called or datagrams contains more items than check-send permitted.
+Typical errors
+
+invalid-argument: The remote-address has the wrong address family. (EAFNOSUPPORT)invalid-argument: The IP address in remote-address is set to INADDR_ANY (0.0.0.0 / ::). (EDESTADDRREQ, EADDRNOTAVAIL)invalid-argument: The port in remote-address is set to 0. (EDESTADDRREQ, EADDRNOTAVAIL)invalid-argument: The socket is in "connected" mode and remote-address is some value that does not match the address passed to stream. (EISCONN)invalid-argument: The socket is not "connected" and no value for remote-address was provided. (EDESTADDRREQ)remote-unreachable: The remote address is not reachable. (ECONNRESET, ENETRESET on Windows, EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)connection-refused: The connection was refused. (ECONNREFUSED)datagram-too-large: The datagram is too large. (EMSGSIZE)
+References
+
+Params
+
+Return values
+
+[method]outgoing-datagram-stream.subscribe: func
+Create a pollable which will resolve once the stream is ready to send again.
+Note: this function is here for WASI 0.2 only.
+It's planned to be removed when future is natively supported in Preview3.
+Params
+
+Return values
+
+Import interface wasi:sockets/udp-create-socket@0.2.8
+
+Types
+type network
+network
+
+
type error-code
+error-code
+
+
type ip-address-family
+ip-address-family
+
+
type udp-socket
+udp-socket
+
+
+Functions
+create-udp-socket: func
+Create a new UDP socket.
+Similar to socket(AF_INET or AF_INET6, SOCK_DGRAM, IPPROTO_UDP) in POSIX.
+On IPv6 sockets, IPV6_V6ONLY is enabled by default and can't be configured otherwise.
+This function does not require a network capability handle. This is considered to be safe because
+at time of creation, the socket is not bound to any network yet. Up to the moment bind is called,
+the socket is effectively an in-memory configuration object, unable to communicate with the outside world.
+All sockets are non-blocking. Use the wasi-poll interface to block on asynchronous operations.
+Typical errors
+
+not-supported: The specified address-family is not supported. (EAFNOSUPPORT)new-socket-limit: The new socket resource could not be created because of a system limit. (EMFILE, ENFILE)
+References:
+
+Params
+
+Return values
+
+Import interface wasi:sockets/tcp@0.2.8
+
+Types
+type input-stream
+input-stream
+
+
type output-stream
+output-stream
+
+
type pollable
+pollable
+
+
type duration
+duration
+
+
type network
+network
+
+
type error-code
+error-code
+
+
type ip-socket-address
+ip-socket-address
+
+
type ip-address-family
+ip-address-family
+
+
enum shutdown-type
+Enum Cases
+
+-
+
receive
+Similar to `SHUT_RD` in POSIX.
+
+-
+
send
+Similar to `SHUT_WR` in POSIX.
+
+-
+
both
+Similar to `SHUT_RDWR` in POSIX.
+
+
+resource tcp-socket
+A TCP socket resource.
+The socket can be in one of the following states:
+
+Note: Except where explicitly mentioned, whenever this documentation uses
+the term "bound" without backticks it actually means: in the bound state or higher.
+(i.e. bound, listen-in-progress, listening, connect-in-progress or connected)
+In addition to the general error codes documented on the
+network::error-code type, TCP socket methods may always return
+error(invalid-state) when in the closed state.
+Functions
+[method]tcp-socket.start-bind: func
+Bind the socket to a specific network on the provided IP address and port.
+If the IP address is zero (0.0.0.0 in IPv4, :: in IPv6), it is left to the implementation to decide which
+network interface(s) to bind to.
+If the TCP/UDP port is zero, the socket will be bound to a random free port.
+Bind can be attempted multiple times on the same socket, even with
+different arguments on each iteration. But never concurrently and
+only as long as the previous bind failed. Once a bind succeeds, the
+binding can't be changed anymore.
+Typical errors
+
+invalid-argument: The local-address has the wrong address family. (EAFNOSUPPORT, EFAULT on Windows)invalid-argument: local-address is not a unicast address. (EINVAL)invalid-argument: local-address is an IPv4-mapped IPv6 address. (EINVAL)invalid-state: The socket is already bound. (EINVAL)address-in-use: No ephemeral ports available. (EADDRINUSE, ENOBUFS on Windows)address-in-use: Address is already in use. (EADDRINUSE)address-not-bindable: local-address is not an address that the network can bind to. (EADDRNOTAVAIL)not-in-progress: A bind operation is not in progress.would-block: Can't finish the operation, it is still in progress. (EWOULDBLOCK, EAGAIN)
+Implementors note
+When binding to a non-zero port, this bind operation shouldn't be affected by the TIME_WAIT
+state of a recently closed socket on the same local address. In practice this means that the SO_REUSEADDR
+socket option should be set implicitly on all platforms, except on Windows where this is the default behavior
+and SO_REUSEADDR performs something different entirely.
+Unlike in POSIX, in WASI the bind operation is async. This enables
+interactive WASI hosts to inject permission prompts. Runtimes that
+don't want to make use of this ability can simply call the native
+bind as part of either start-bind or finish-bind.
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.finish-bind: func
+Params
+
+Return values
+
+[method]tcp-socket.start-connect: func
+Connect to a remote endpoint.
+On success:
+
+- the socket is transitioned into the
connected state.
+- a pair of streams is returned that can be used to read & write to the connection
+
+After a failed connection attempt, the socket will be in the closed
+state and the only valid action left is to drop the socket. A single
+socket can not be used to connect more than once.
+Typical errors
+
+invalid-argument: The remote-address has the wrong address family. (EAFNOSUPPORT)invalid-argument: remote-address is not a unicast address. (EINVAL, ENETUNREACH on Linux, EAFNOSUPPORT on MacOS)invalid-argument: remote-address is an IPv4-mapped IPv6 address. (EINVAL, EADDRNOTAVAIL on Illumos)invalid-argument: The IP address in remote-address is set to INADDR_ANY (0.0.0.0 / ::). (EADDRNOTAVAIL on Windows)invalid-argument: The port in remote-address is set to 0. (EADDRNOTAVAIL on Windows)invalid-argument: The socket is already attached to a different network. The network passed to connect must be identical to the one passed to bind.invalid-state: The socket is already in the connected state. (EISCONN)invalid-state: The socket is already in the listening state. (EOPNOTSUPP, EINVAL on Windows)timeout: Connection timed out. (ETIMEDOUT)connection-refused: The connection was forcefully rejected. (ECONNREFUSED)connection-reset: The connection was reset. (ECONNRESET)connection-aborted: The connection was aborted. (ECONNABORTED)remote-unreachable: The remote address is not reachable. (EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)address-in-use: Tried to perform an implicit bind, but there were no ephemeral ports available. (EADDRINUSE, EADDRNOTAVAIL on Linux, EAGAIN on BSD)not-in-progress: A connect operation is not in progress.would-block: Can't finish the operation, it is still in progress. (EWOULDBLOCK, EAGAIN)
+Implementors note
+The POSIX equivalent of start-connect is the regular connect syscall.
+Because all WASI sockets are non-blocking this is expected to return
+EINPROGRESS, which should be translated to ok() in WASI.
+The POSIX equivalent of finish-connect is a poll for event POLLOUT
+with a timeout of 0 on the socket descriptor. Followed by a check for
+the SO_ERROR socket option, in case the poll signaled readiness.
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.finish-connect: func
+Params
+
+Return values
+
+[method]tcp-socket.start-listen: func
+Start listening for new connections.
+Transitions the socket into the listening state.
+Unlike POSIX, the socket must already be explicitly bound.
+Typical errors
+
+invalid-state: The socket is not bound to any local address. (EDESTADDRREQ)invalid-state: The socket is already in the connected state. (EISCONN, EINVAL on BSD)invalid-state: The socket is already in the listening state.address-in-use: Tried to perform an implicit bind, but there were no ephemeral ports available. (EADDRINUSE)not-in-progress: A listen operation is not in progress.would-block: Can't finish the operation, it is still in progress. (EWOULDBLOCK, EAGAIN)
+Implementors note
+Unlike in POSIX, in WASI the listen operation is async. This enables
+interactive WASI hosts to inject permission prompts. Runtimes that
+don't want to make use of this ability can simply call the native
+listen as part of either start-listen or finish-listen.
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.finish-listen: func
+Params
+
+Return values
+
+[method]tcp-socket.accept: func
+Accept a new client socket.
+The returned socket is bound and in the connected state. The following properties are inherited from the listener socket:
+
+address-familykeep-alive-enabledkeep-alive-idle-timekeep-alive-intervalkeep-alive-counthop-limitreceive-buffer-sizesend-buffer-size
+On success, this function returns the newly accepted client socket along with
+a pair of streams that can be used to read & write to the connection.
+Typical errors
+
+invalid-state: Socket is not in the listening state. (EINVAL)would-block: No pending connections at the moment. (EWOULDBLOCK, EAGAIN)connection-aborted: An incoming connection was pending, but was terminated by the client before this listener could accept it. (ECONNABORTED)new-socket-limit: The new socket resource could not be created because of a system limit. (EMFILE, ENFILE)
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.local-address: func
+Get the bound local address.
+POSIX mentions:
+
+If the socket has not been bound to a local name, the value
+stored in the object pointed to by address is unspecified.
+
+WASI is stricter and requires local-address to return invalid-state when the socket hasn't been bound yet.
+Typical errors
+
+invalid-state: The socket is not bound to any local address.
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.remote-address: func
+Get the remote address.
+Typical errors
+
+invalid-state: The socket is not connected to a remote address. (ENOTCONN)
+References
+
+Params
+
+Return values
+
+[method]tcp-socket.is-listening: func
+Whether the socket is in the listening state.
+Equivalent to the SO_ACCEPTCONN socket option.
+Params
+
+Return values
+
+[method]tcp-socket.address-family: func
+Whether this is a IPv4 or IPv6 socket.
+Equivalent to the SO_DOMAIN socket option.
+Params
+
+Return values
+
+[method]tcp-socket.set-listen-backlog-size: func
+Hints the desired listen queue size. Implementations are free to ignore this.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+Typical errors
+
+not-supported: (set) The platform does not support changing the backlog size after the initial listen.invalid-argument: (set) The provided value was 0.invalid-state: (set) The socket is in the connect-in-progress or connected state.
+Params
+
+Return values
+
+[method]tcp-socket.keep-alive-enabled: func
+Enables or disables keepalive.
+The keepalive behavior can be adjusted using:
+
+keep-alive-idle-timekeep-alive-intervalkeep-alive-count
+These properties can be configured while keep-alive-enabled is false, but only come into effect when keep-alive-enabled is true.
+Equivalent to the SO_KEEPALIVE socket option.
+Params
+
+Return values
+
+[method]tcp-socket.set-keep-alive-enabled: func
+Params
+
+Return values
+
+[method]tcp-socket.keep-alive-idle-time: func
+Amount of time the connection has to be idle before TCP starts sending keepalive packets.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+I.e. after setting a value, reading the same setting back may return a different value.
+Equivalent to the TCP_KEEPIDLE socket option. (TCP_KEEPALIVE on MacOS)
+Typical errors
+
+invalid-argument: (set) The provided value was 0.
+Params
+
+Return values
+
+[method]tcp-socket.set-keep-alive-idle-time: func
+Params
+
+Return values
+
+[method]tcp-socket.keep-alive-interval: func
+The time between keepalive packets.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+I.e. after setting a value, reading the same setting back may return a different value.
+Equivalent to the TCP_KEEPINTVL socket option.
+Typical errors
+
+invalid-argument: (set) The provided value was 0.
+Params
+
+Return values
+
+[method]tcp-socket.set-keep-alive-interval: func
+Params
+
+Return values
+
+[method]tcp-socket.keep-alive-count: func
+The maximum amount of keepalive packets TCP should send before aborting the connection.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+I.e. after setting a value, reading the same setting back may return a different value.
+Equivalent to the TCP_KEEPCNT socket option.
+Typical errors
+
+invalid-argument: (set) The provided value was 0.
+Params
+
+Return values
+
+[method]tcp-socket.set-keep-alive-count: func
+Params
+
+Return values
+
+[method]tcp-socket.hop-limit: func
+Equivalent to the IP_TTL & IPV6_UNICAST_HOPS socket options.
+If the provided value is 0, an invalid-argument error is returned.
+Typical errors
+
+invalid-argument: (set) The TTL value must be 1 or higher.
+Params
+
+Return values
+
+[method]tcp-socket.set-hop-limit: func
+Params
+
+Return values
+
+[method]tcp-socket.receive-buffer-size: func
+The kernel buffer space reserved for sends/receives on this socket.
+If the provided value is 0, an invalid-argument error is returned.
+Any other value will never cause an error, but it might be silently clamped and/or rounded.
+I.e. after setting a value, reading the same setting back may return a different value.
+Equivalent to the SO_RCVBUF and SO_SNDBUF socket options.
+Typical errors
+
+invalid-argument: (set) The provided value was 0.
+Params
+
+Return values
+
+[method]tcp-socket.set-receive-buffer-size: func
+Params
+
+Return values
+
+[method]tcp-socket.send-buffer-size: func
+Params
+
+Return values
+
+[method]tcp-socket.set-send-buffer-size: func
+Params
+
+Return values
+
+[method]tcp-socket.subscribe: func
+Create a pollable which can be used to poll for, or block on,
+completion of any of the asynchronous operations of this socket.
+When finish-bind, finish-listen, finish-connect or accept
+return error(would-block), this pollable can be used to wait for
+their success or failure, after which the method can be retried.
+The pollable is not limited to the async operation that happens to be
+in progress at the time of calling subscribe (if any). Theoretically,
+subscribe only has to be called once per socket and can then be
+(re)used for the remainder of the socket's lifetime.
+See https://github.com/WebAssembly/wasi-sockets/blob/main/TcpSocketOperationalSemantics.md#pollable-readiness
+for more information.
+Note: this function is here for WASI 0.2 only.
+It's planned to be removed when future is natively supported in Preview3.
+Params
+
+Return values
+
+[method]tcp-socket.shutdown: func
+Initiate a graceful shutdown.
+
+receive: The socket is not expecting to receive any data from
+the peer. The input-stream associated with this socket will be
+closed. Any data still in the receive queue at time of calling
+this method will be discarded.send: The socket has no more data to send to the peer. The output-stream
+associated with this socket will be closed and a FIN packet will be sent.both: Same effect as receive & send combined.
+This function is idempotent; shutting down a direction more than once
+has no effect and returns ok.
+The shutdown function does not close (drop) the socket.
+Typical errors
+
+invalid-state: The socket is not in the connected state. (ENOTCONN)
+References
+
+Params
+
+Return values
+
+Import interface wasi:sockets/tcp-create-socket@0.2.8
+
+Types
+type network
+network
+
+
type error-code
+error-code
+
+
type ip-address-family
+ip-address-family
+
+
type tcp-socket
+tcp-socket
+
+
+Functions
+create-tcp-socket: func
+Create a new TCP socket.
+Similar to socket(AF_INET or AF_INET6, SOCK_STREAM, IPPROTO_TCP) in POSIX.
+On IPv6 sockets, IPV6_V6ONLY is enabled by default and can't be configured otherwise.
+This function does not require a network capability handle. This is considered to be safe because
+at time of creation, the socket is not bound to any network yet. Up to the moment bind/connect
+is called, the socket is effectively an in-memory configuration object, unable to communicate with the outside world.
+All sockets are non-blocking. Use the wasi-poll interface to block on asynchronous operations.
+Typical errors
+
+not-supported: The specified address-family is not supported. (EAFNOSUPPORT)new-socket-limit: The new socket resource could not be created because of a system limit. (EMFILE, ENFILE)
+References
+
+Params
+
+Return values
+
+Import interface wasi:sockets/ip-name-lookup@0.2.8
+
+Types
+type pollable
+pollable
+
+
type network
+network
+
+
type error-code
+error-code
+
+
type ip-address
+ip-address
+
+
resource resolve-address-stream
+
+Functions
+resolve-addresses: func
+Resolve an internet host name to a list of IP addresses.
+Unicode domain names are automatically converted to ASCII using IDNA encoding.
+If the input is an IP address string, the address is parsed and returned
+as-is without making any external requests.
+See the wasi-socket proposal README.md for a comparison with getaddrinfo.
+This function never blocks. It either immediately fails or immediately
+returns successfully with a resolve-address-stream that can be used
+to (asynchronously) fetch the results.
+Typical errors
+
+invalid-argument: name is a syntactically invalid domain name or IP address.
+References:
+
+Params
+
+Return values
+
+[method]resolve-address-stream.resolve-next-address: func
+Returns the next address from the resolver.
+This function should be called multiple times. On each call, it will
+return the next address in connection order preference. If all
+addresses have been exhausted, this function returns none.
+This function never returns IPv4-mapped IPv6 addresses.
+Typical errors
+
+name-unresolvable: Name does not exist or has no suitable associated IP addresses. (EAI_NONAME, EAI_NODATA, EAI_ADDRFAMILY)temporary-resolver-failure: A temporary failure in name resolution occurred. (EAI_AGAIN)permanent-resolver-failure: A permanent failure in name resolution occurred. (EAI_FAIL)would-block: A result is not available yet. (EWOULDBLOCK, EAGAIN)
+Params
+
+Return values
+
+[method]resolve-address-stream.subscribe: func
+Create a pollable which will resolve once the stream is ready for I/O.
+Note: this function is here for WASI 0.2 only.
+It's planned to be removed when future is natively supported in Preview3.
+Params
+
+Return values
+
+Import interface wasi:random/random@0.2.8
+WASI Random is a random data API.
+It is intended to be portable at least between Unix-family platforms and
+Windows.
+
+Functions
+get-random-bytes: func
+Return len cryptographically-secure random or pseudo-random bytes.
+This function must produce data at least as cryptographically secure and
+fast as an adequately seeded cryptographically-secure pseudo-random
+number generator (CSPRNG). It must not block, from the perspective of
+the calling program, under any circumstances, including on the first
+request and on requests for numbers of bytes. The returned data must
+always be unpredictable.
+This function must always return fresh data. Deterministic environments
+must omit this function, rather than implementing it with deterministic
+data.
+Params
+
+Return values
+
+get-random-u64: func
+Return a cryptographically-secure random or pseudo-random u64 value.
+This function returns the same type of data as get-random-bytes,
+represented as a u64.
+Return values
+
+Import interface wasi:random/insecure@0.2.8
+The insecure interface for insecure pseudo-random numbers.
+It is intended to be portable at least between Unix-family platforms and
+Windows.
+
+Functions
+get-insecure-random-bytes: func
+Return len insecure pseudo-random bytes.
+This function is not cryptographically secure. Do not use it for
+anything related to security.
+There are no requirements on the values of the returned bytes, however
+implementations are encouraged to return evenly distributed values with
+a long period.
+Params
+
+Return values
+
+get-insecure-random-u64: func
+Return an insecure pseudo-random u64 value.
+This function returns the same type of pseudo-random data as
+get-insecure-random-bytes, represented as a u64.
+Return values
+
+Import interface wasi:random/insecure-seed@0.2.8
+The insecure-seed interface for seeding hash-map DoS resistance.
+It is intended to be portable at least between Unix-family platforms and
+Windows.
+
+Functions
+insecure-seed: func
+Return a 128-bit value that may contain a pseudo-random value.
+The returned value is not required to be computed from a CSPRNG, and may
+even be entirely deterministic. Host implementations are encouraged to
+provide pseudo-random values to any program exposed to
+attacker-controlled content, to enable DoS protection built into many
+languages' hash-map implementations.
+This function is intended to only be called once, by a source language
+to initialize Denial Of Service (DoS) protection in its hash-map
+implementation.
+Expected future evolution
+This will likely be changed to a value import, to prevent it from being
+called multiple times and potentially used for purposes other than DoS
+protection.
+Return values
+
diff --git a/proposals/cli/test/README.md b/proposals/cli/test/README.md
new file mode 100644
index 000000000..c274acd9d
--- /dev/null
+++ b/proposals/cli/test/README.md
@@ -0,0 +1,11 @@
+# Testing guidelines
+
+TK fill in testing guidelines
+
+## Installing the tools
+
+TK fill in instructions
+
+## Running the tests
+
+TK fill in instructions
diff --git a/proposals/cli/wit-0.3.0-draft/command.wit b/proposals/cli/wit-0.3.0-draft/command.wit
new file mode 100644
index 000000000..f2f613e55
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/command.wit
@@ -0,0 +1,10 @@
+package wasi:cli@0.3.0-rc-2025-09-16;
+
+@since(version = 0.3.0-rc-2025-09-16)
+world command {
+ @since(version = 0.3.0-rc-2025-09-16)
+ include imports;
+
+ @since(version = 0.3.0-rc-2025-09-16)
+ export run;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps.lock b/proposals/cli/wit-0.3.0-draft/deps.lock
new file mode 100644
index 000000000..931f9574c
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps.lock
@@ -0,0 +1,23 @@
+[clocks]
+sha256 = "cf61a3785c2838340ce530ee1cdc6dbee3257f1672d6000ca748dfe253808dec"
+sha512 = "f647de7d6c470595c3e5bf0dba6af98703beb9f701c66543cea5d42e81f7a1a73f199c3949035a9c2c1bd717056e5e68788f520af39b9d26480242b7626f22ce"
+
+[filesystem]
+url = "https://github.com/WebAssembly/wasi-filesystem/archive/main.tar.gz"
+subdir = "wit-0.3.0-draft"
+sha256 = "99292288bdb7ecb04e0a1a7bee478a9410df9ab57af222c3dcde375f7b957181"
+sha512 = "4da72faf65b99263bd0521871a6004ea19fc9189e906451fb4d48b83d9da3269a8e4470c5775faf037a05e03151a0c05fd05cc0dfeb36757715fda2799dd1d85"
+deps = ["clocks"]
+
+[random]
+url = "https://github.com/WebAssembly/wasi-random/archive/main.tar.gz"
+subdir = "wit-0.3.0-draft"
+sha256 = "0a0cead69094ce1773468ff363b2d324ded025aab4f03a1d53b2538710c31e43"
+sha512 = "3596bbd164c28254aefb0f7c7a047d81121df1de170808d16975f021c5170ea35dfe6fc1867f93469013ab8d36df8de14d4c5e1c9b70197bfd10e699fd6757e5"
+
+[sockets]
+url = "https://github.com/WebAssembly/wasi-sockets/archive/main.tar.gz"
+subdir = "wit-0.3.0-draft"
+sha256 = "57e9d6df8389015116c5407641af76b717cf0d1a79e36384af3cb7d7fa9687ed"
+sha512 = "45dab8dd2fa48450c480b1e770a3739793f6156b07b39075414510ce2cde3db6e714da87f47f0e9b9c82b5ef38a963a59f4d86449aa5f2310c78bc79134d0dd5"
+deps = ["clocks"]
diff --git a/proposals/cli/wit-0.3.0-draft/deps.toml b/proposals/cli/wit-0.3.0-draft/deps.toml
new file mode 100644
index 000000000..39bc16e55
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps.toml
@@ -0,0 +1,3 @@
+filesystem = { url = "https://github.com/WebAssembly/wasi-filesystem/archive/main.tar.gz", subdir = "wit-0.3.0-draft" }
+random = { url = "https://github.com/WebAssembly/wasi-random/archive/main.tar.gz", subdir = "wit-0.3.0-draft" }
+sockets = { url = "https://github.com/WebAssembly/wasi-sockets/archive/main.tar.gz", subdir = "wit-0.3.0-draft" }
diff --git a/proposals/cli/wit-0.3.0-draft/deps/clocks/monotonic-clock.wit b/proposals/cli/wit-0.3.0-draft/deps/clocks/monotonic-clock.wit
new file mode 100644
index 000000000..a91d495c6
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/clocks/monotonic-clock.wit
@@ -0,0 +1,48 @@
+package wasi:clocks@0.3.0-rc-2025-09-16;
+/// WASI Monotonic Clock is a clock API intended to let users measure elapsed
+/// time.
+///
+/// It is intended to be portable at least between Unix-family platforms and
+/// Windows.
+///
+/// A monotonic clock is a clock which has an unspecified initial value, and
+/// successive reads of the clock will produce non-decreasing values.
+@since(version = 0.3.0-rc-2025-09-16)
+interface monotonic-clock {
+ use types.{duration};
+
+ /// An instant in time, in nanoseconds. An instant is relative to an
+ /// unspecified initial value, and can only be compared to instances from
+ /// the same monotonic-clock.
+ @since(version = 0.3.0-rc-2025-09-16)
+ type instant = u64;
+
+ /// Read the current value of the clock.
+ ///
+ /// The clock is monotonic, therefore calling this function repeatedly will
+ /// produce a sequence of non-decreasing values.
+ ///
+ /// For completeness, this function traps if it's not possible to represent
+ /// the value of the clock in an `instant`. Consequently, implementations
+ /// should ensure that the starting time is low enough to avoid the
+ /// possibility of overflow in practice.
+ @since(version = 0.3.0-rc-2025-09-16)
+ now: func() -> instant;
+
+ /// Query the resolution of the clock. Returns the duration of time
+ /// corresponding to a clock tick.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-resolution: func() -> duration;
+
+ /// Wait until the specified instant has occurred.
+ @since(version = 0.3.0-rc-2025-09-16)
+ wait-until: async func(
+ when: instant,
+ );
+
+ /// Wait for the specified duration to elapse.
+ @since(version = 0.3.0-rc-2025-09-16)
+ wait-for: async func(
+ how-long: duration,
+ );
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/clocks/timezone.wit b/proposals/cli/wit-0.3.0-draft/deps/clocks/timezone.wit
new file mode 100644
index 000000000..ab8f5c080
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/clocks/timezone.wit
@@ -0,0 +1,55 @@
+package wasi:clocks@0.3.0-rc-2025-09-16;
+
+@unstable(feature = clocks-timezone)
+interface timezone {
+ @unstable(feature = clocks-timezone)
+ use wall-clock.{datetime};
+
+ /// Return information needed to display the given `datetime`. This includes
+ /// the UTC offset, the time zone name, and a flag indicating whether
+ /// daylight saving time is active.
+ ///
+ /// If the timezone cannot be determined for the given `datetime`, return a
+ /// `timezone-display` for `UTC` with a `utc-offset` of 0 and no daylight
+ /// saving time.
+ @unstable(feature = clocks-timezone)
+ display: func(when: datetime) -> timezone-display;
+
+ /// The same as `display`, but only return the UTC offset.
+ @unstable(feature = clocks-timezone)
+ utc-offset: func(when: datetime) -> s32;
+
+ /// Information useful for displaying the timezone of a specific `datetime`.
+ ///
+ /// This information may vary within a single `timezone` to reflect daylight
+ /// saving time adjustments.
+ @unstable(feature = clocks-timezone)
+ record timezone-display {
+ /// The number of seconds difference between UTC time and the local
+ /// time of the timezone.
+ ///
+ /// The returned value will always be less than 86400 which is the
+ /// number of seconds in a day (24*60*60).
+ ///
+ /// In implementations that do not expose an actual time zone, this
+ /// should return 0.
+ utc-offset: s32,
+
+ /// The abbreviated name of the timezone to display to a user. The name
+ /// `UTC` indicates Coordinated Universal Time. Otherwise, this should
+ /// reference local standards for the name of the time zone.
+ ///
+ /// In implementations that do not expose an actual time zone, this
+ /// should be the string `UTC`.
+ ///
+ /// In time zones that do not have an applicable name, a formatted
+ /// representation of the UTC offset may be returned, such as `-04:00`.
+ name: string,
+
+ /// Whether daylight saving time is active.
+ ///
+ /// In implementations that do not expose an actual time zone, this
+ /// should return false.
+ in-daylight-saving-time: bool,
+ }
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/clocks/types.wit b/proposals/cli/wit-0.3.0-draft/deps/clocks/types.wit
new file mode 100644
index 000000000..aff7c2a22
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/clocks/types.wit
@@ -0,0 +1,8 @@
+package wasi:clocks@0.3.0-rc-2025-09-16;
+/// This interface common types used throughout wasi:clocks.
+@since(version = 0.3.0-rc-2025-09-16)
+interface types {
+ /// A duration of time, in nanoseconds.
+ @since(version = 0.3.0-rc-2025-09-16)
+ type duration = u64;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/clocks/wall-clock.wit b/proposals/cli/wit-0.3.0-draft/deps/clocks/wall-clock.wit
new file mode 100644
index 000000000..ea940500f
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/clocks/wall-clock.wit
@@ -0,0 +1,46 @@
+package wasi:clocks@0.3.0-rc-2025-09-16;
+/// WASI Wall Clock is a clock API intended to let users query the current
+/// time. The name "wall" makes an analogy to a "clock on the wall", which
+/// is not necessarily monotonic as it may be reset.
+///
+/// It is intended to be portable at least between Unix-family platforms and
+/// Windows.
+///
+/// A wall clock is a clock which measures the date and time according to
+/// some external reference.
+///
+/// External references may be reset, so this clock is not necessarily
+/// monotonic, making it unsuitable for measuring elapsed time.
+///
+/// It is intended for reporting the current date and time for humans.
+@since(version = 0.3.0-rc-2025-09-16)
+interface wall-clock {
+ /// A time and date in seconds plus nanoseconds.
+ @since(version = 0.3.0-rc-2025-09-16)
+ record datetime {
+ seconds: u64,
+ nanoseconds: u32,
+ }
+
+ /// Read the current value of the clock.
+ ///
+ /// This clock is not monotonic, therefore calling this function repeatedly
+ /// will not necessarily produce a sequence of non-decreasing values.
+ ///
+ /// The returned timestamps represent the number of seconds since
+ /// 1970-01-01T00:00:00Z, also known as [POSIX's Seconds Since the Epoch],
+ /// also known as [Unix Time].
+ ///
+ /// The nanoseconds field of the output is always less than 1000000000.
+ ///
+ /// [POSIX's Seconds Since the Epoch]: https://pubs.opengroup.org/onlinepubs/9699919799/xrat/V4_xbd_chap04.html#tag_21_04_16
+ /// [Unix Time]: https://en.wikipedia.org/wiki/Unix_time
+ @since(version = 0.3.0-rc-2025-09-16)
+ now: func() -> datetime;
+
+ /// Query the resolution of the clock.
+ ///
+ /// The nanoseconds field of the output is always less than 1000000000.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-resolution: func() -> datetime;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/clocks/world.wit b/proposals/cli/wit-0.3.0-draft/deps/clocks/world.wit
new file mode 100644
index 000000000..a6b885f07
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/clocks/world.wit
@@ -0,0 +1,11 @@
+package wasi:clocks@0.3.0-rc-2025-09-16;
+
+@since(version = 0.3.0-rc-2025-09-16)
+world imports {
+ @since(version = 0.3.0-rc-2025-09-16)
+ import monotonic-clock;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import wall-clock;
+ @unstable(feature = clocks-timezone)
+ import timezone;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/filesystem/preopens.wit b/proposals/cli/wit-0.3.0-draft/deps/filesystem/preopens.wit
new file mode 100644
index 000000000..9036e90e8
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/filesystem/preopens.wit
@@ -0,0 +1,11 @@
+package wasi:filesystem@0.3.0-rc-2025-09-16;
+
+@since(version = 0.3.0-rc-2025-09-16)
+interface preopens {
+ @since(version = 0.3.0-rc-2025-09-16)
+ use types.{descriptor};
+
+ /// Return the set of preopened directories, and their paths.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-directories: func() -> list>;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/filesystem/types.wit b/proposals/cli/wit-0.3.0-draft/deps/filesystem/types.wit
new file mode 100644
index 000000000..41d91beee
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/filesystem/types.wit
@@ -0,0 +1,636 @@
+package wasi:filesystem@0.3.0-rc-2025-09-16;
+/// WASI filesystem is a filesystem API primarily intended to let users run WASI
+/// programs that access their files on their existing filesystems, without
+/// significant overhead.
+///
+/// It is intended to be roughly portable between Unix-family platforms and
+/// Windows, though it does not hide many of the major differences.
+///
+/// Paths are passed as interface-type `string`s, meaning they must consist of
+/// a sequence of Unicode Scalar Values (USVs). Some filesystems may contain
+/// paths which are not accessible by this API.
+///
+/// The directory separator in WASI is always the forward-slash (`/`).
+///
+/// All paths in WASI are relative paths, and are interpreted relative to a
+/// `descriptor` referring to a base directory. If a `path` argument to any WASI
+/// function starts with `/`, or if any step of resolving a `path`, including
+/// `..` and symbolic link steps, reaches a directory outside of the base
+/// directory, or reaches a symlink to an absolute or rooted path in the
+/// underlying filesystem, the function fails with `error-code::not-permitted`.
+///
+/// For more information about WASI path resolution and sandboxing, see
+/// [WASI filesystem path resolution].
+///
+/// [WASI filesystem path resolution]: https://github.com/WebAssembly/wasi-filesystem/blob/main/path-resolution.md
+@since(version = 0.3.0-rc-2025-09-16)
+interface types {
+ @since(version = 0.3.0-rc-2025-09-16)
+ use wasi:clocks/wall-clock@0.3.0-rc-2025-09-16.{datetime};
+
+ /// File size or length of a region within a file.
+ @since(version = 0.3.0-rc-2025-09-16)
+ type filesize = u64;
+
+ /// The type of a filesystem object referenced by a descriptor.
+ ///
+ /// Note: This was called `filetype` in earlier versions of WASI.
+ @since(version = 0.3.0-rc-2025-09-16)
+ enum descriptor-type {
+ /// The type of the descriptor or file is unknown or is different from
+ /// any of the other types specified.
+ unknown,
+ /// The descriptor refers to a block device inode.
+ block-device,
+ /// The descriptor refers to a character device inode.
+ character-device,
+ /// The descriptor refers to a directory inode.
+ directory,
+ /// The descriptor refers to a named pipe.
+ fifo,
+ /// The file refers to a symbolic link inode.
+ symbolic-link,
+ /// The descriptor refers to a regular file inode.
+ regular-file,
+ /// The descriptor refers to a socket.
+ socket,
+ }
+
+ /// Descriptor flags.
+ ///
+ /// Note: This was called `fdflags` in earlier versions of WASI.
+ @since(version = 0.3.0-rc-2025-09-16)
+ flags descriptor-flags {
+ /// Read mode: Data can be read.
+ read,
+ /// Write mode: Data can be written to.
+ write,
+ /// Request that writes be performed according to synchronized I/O file
+ /// integrity completion. The data stored in the file and the file's
+ /// metadata are synchronized. This is similar to `O_SYNC` in POSIX.
+ ///
+ /// The precise semantics of this operation have not yet been defined for
+ /// WASI. At this time, it should be interpreted as a request, and not a
+ /// requirement.
+ file-integrity-sync,
+ /// Request that writes be performed according to synchronized I/O data
+ /// integrity completion. Only the data stored in the file is
+ /// synchronized. This is similar to `O_DSYNC` in POSIX.
+ ///
+ /// The precise semantics of this operation have not yet been defined for
+ /// WASI. At this time, it should be interpreted as a request, and not a
+ /// requirement.
+ data-integrity-sync,
+ /// Requests that reads be performed at the same level of integrity
+ /// requested for writes. This is similar to `O_RSYNC` in POSIX.
+ ///
+ /// The precise semantics of this operation have not yet been defined for
+ /// WASI. At this time, it should be interpreted as a request, and not a
+ /// requirement.
+ requested-write-sync,
+ /// Mutating directories mode: Directory contents may be mutated.
+ ///
+ /// When this flag is unset on a descriptor, operations using the
+ /// descriptor which would create, rename, delete, modify the data or
+ /// metadata of filesystem objects, or obtain another handle which
+ /// would permit any of those, shall fail with `error-code::read-only` if
+ /// they would otherwise succeed.
+ ///
+ /// This may only be set on directories.
+ mutate-directory,
+ }
+
+ /// File attributes.
+ ///
+ /// Note: This was called `filestat` in earlier versions of WASI.
+ @since(version = 0.3.0-rc-2025-09-16)
+ record descriptor-stat {
+ /// File type.
+ %type: descriptor-type,
+ /// Number of hard links to the file.
+ link-count: link-count,
+ /// For regular files, the file size in bytes. For symbolic links, the
+ /// length in bytes of the pathname contained in the symbolic link.
+ size: filesize,
+ /// Last data access timestamp.
+ ///
+ /// If the `option` is none, the platform doesn't maintain an access
+ /// timestamp for this file.
+ data-access-timestamp: option,
+ /// Last data modification timestamp.
+ ///
+ /// If the `option` is none, the platform doesn't maintain a
+ /// modification timestamp for this file.
+ data-modification-timestamp: option,
+ /// Last file status-change timestamp.
+ ///
+ /// If the `option` is none, the platform doesn't maintain a
+ /// status-change timestamp for this file.
+ status-change-timestamp: option,
+ }
+
+ /// Flags determining the method of how paths are resolved.
+ @since(version = 0.3.0-rc-2025-09-16)
+ flags path-flags {
+ /// As long as the resolved path corresponds to a symbolic link, it is
+ /// expanded.
+ symlink-follow,
+ }
+
+ /// Open flags used by `open-at`.
+ @since(version = 0.3.0-rc-2025-09-16)
+ flags open-flags {
+ /// Create file if it does not exist, similar to `O_CREAT` in POSIX.
+ create,
+ /// Fail if not a directory, similar to `O_DIRECTORY` in POSIX.
+ directory,
+ /// Fail if file already exists, similar to `O_EXCL` in POSIX.
+ exclusive,
+ /// Truncate file to size 0, similar to `O_TRUNC` in POSIX.
+ truncate,
+ }
+
+ /// Number of hard links to an inode.
+ @since(version = 0.3.0-rc-2025-09-16)
+ type link-count = u64;
+
+ /// When setting a timestamp, this gives the value to set it to.
+ @since(version = 0.3.0-rc-2025-09-16)
+ variant new-timestamp {
+ /// Leave the timestamp set to its previous value.
+ no-change,
+ /// Set the timestamp to the current time of the system clock associated
+ /// with the filesystem.
+ now,
+ /// Set the timestamp to the given value.
+ timestamp(datetime),
+ }
+
+ /// A directory entry.
+ record directory-entry {
+ /// The type of the file referred to by this directory entry.
+ %type: descriptor-type,
+
+ /// The name of the object.
+ name: string,
+ }
+
+ /// Error codes returned by functions, similar to `errno` in POSIX.
+ /// Not all of these error codes are returned by the functions provided by this
+ /// API; some are used in higher-level library layers, and others are provided
+ /// merely for alignment with POSIX.
+ enum error-code {
+ /// Permission denied, similar to `EACCES` in POSIX.
+ access,
+ /// Connection already in progress, similar to `EALREADY` in POSIX.
+ already,
+ /// Bad descriptor, similar to `EBADF` in POSIX.
+ bad-descriptor,
+ /// Device or resource busy, similar to `EBUSY` in POSIX.
+ busy,
+ /// Resource deadlock would occur, similar to `EDEADLK` in POSIX.
+ deadlock,
+ /// Storage quota exceeded, similar to `EDQUOT` in POSIX.
+ quota,
+ /// File exists, similar to `EEXIST` in POSIX.
+ exist,
+ /// File too large, similar to `EFBIG` in POSIX.
+ file-too-large,
+ /// Illegal byte sequence, similar to `EILSEQ` in POSIX.
+ illegal-byte-sequence,
+ /// Operation in progress, similar to `EINPROGRESS` in POSIX.
+ in-progress,
+ /// Interrupted function, similar to `EINTR` in POSIX.
+ interrupted,
+ /// Invalid argument, similar to `EINVAL` in POSIX.
+ invalid,
+ /// I/O error, similar to `EIO` in POSIX.
+ io,
+ /// Is a directory, similar to `EISDIR` in POSIX.
+ is-directory,
+ /// Too many levels of symbolic links, similar to `ELOOP` in POSIX.
+ loop,
+ /// Too many links, similar to `EMLINK` in POSIX.
+ too-many-links,
+ /// Message too large, similar to `EMSGSIZE` in POSIX.
+ message-size,
+ /// Filename too long, similar to `ENAMETOOLONG` in POSIX.
+ name-too-long,
+ /// No such device, similar to `ENODEV` in POSIX.
+ no-device,
+ /// No such file or directory, similar to `ENOENT` in POSIX.
+ no-entry,
+ /// No locks available, similar to `ENOLCK` in POSIX.
+ no-lock,
+ /// Not enough space, similar to `ENOMEM` in POSIX.
+ insufficient-memory,
+ /// No space left on device, similar to `ENOSPC` in POSIX.
+ insufficient-space,
+ /// Not a directory or a symbolic link to a directory, similar to `ENOTDIR` in POSIX.
+ not-directory,
+ /// Directory not empty, similar to `ENOTEMPTY` in POSIX.
+ not-empty,
+ /// State not recoverable, similar to `ENOTRECOVERABLE` in POSIX.
+ not-recoverable,
+ /// Not supported, similar to `ENOTSUP` and `ENOSYS` in POSIX.
+ unsupported,
+ /// Inappropriate I/O control operation, similar to `ENOTTY` in POSIX.
+ no-tty,
+ /// No such device or address, similar to `ENXIO` in POSIX.
+ no-such-device,
+ /// Value too large to be stored in data type, similar to `EOVERFLOW` in POSIX.
+ overflow,
+ /// Operation not permitted, similar to `EPERM` in POSIX.
+ not-permitted,
+ /// Broken pipe, similar to `EPIPE` in POSIX.
+ pipe,
+ /// Read-only file system, similar to `EROFS` in POSIX.
+ read-only,
+ /// Invalid seek, similar to `ESPIPE` in POSIX.
+ invalid-seek,
+ /// Text file busy, similar to `ETXTBSY` in POSIX.
+ text-file-busy,
+ /// Cross-device link, similar to `EXDEV` in POSIX.
+ cross-device,
+ }
+
+ /// File or memory access pattern advisory information.
+ @since(version = 0.3.0-rc-2025-09-16)
+ enum advice {
+ /// The application has no advice to give on its behavior with respect
+ /// to the specified data.
+ normal,
+ /// The application expects to access the specified data sequentially
+ /// from lower offsets to higher offsets.
+ sequential,
+ /// The application expects to access the specified data in a random
+ /// order.
+ random,
+ /// The application expects to access the specified data in the near
+ /// future.
+ will-need,
+ /// The application expects that it will not access the specified data
+ /// in the near future.
+ dont-need,
+ /// The application expects to access the specified data once and then
+ /// not reuse it thereafter.
+ no-reuse,
+ }
+
+ /// A 128-bit hash value, split into parts because wasm doesn't have a
+ /// 128-bit integer type.
+ @since(version = 0.3.0-rc-2025-09-16)
+ record metadata-hash-value {
+ /// 64 bits of a 128-bit hash value.
+ lower: u64,
+ /// Another 64 bits of a 128-bit hash value.
+ upper: u64,
+ }
+
+ /// A descriptor is a reference to a filesystem object, which may be a file,
+ /// directory, named pipe, special file, or other object on which filesystem
+ /// calls may be made.
+ @since(version = 0.3.0-rc-2025-09-16)
+ resource descriptor {
+ /// Return a stream for reading from a file.
+ ///
+ /// Multiple read, write, and append streams may be active on the same open
+ /// file and they do not interfere with each other.
+ ///
+ /// This function returns a `stream` which provides the data received from the
+ /// file, and a `future` providing additional error information in case an
+ /// error is encountered.
+ ///
+ /// If no error is encountered, `stream.read` on the `stream` will return
+ /// `read-status::closed` with no `error-context` and the future resolves to
+ /// the value `ok`. If an error is encountered, `stream.read` on the
+ /// `stream` returns `read-status::closed` with an `error-context` and the future
+ /// resolves to `err` with an `error-code`.
+ ///
+ /// Note: This is similar to `pread` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ read-via-stream: func(
+ /// The offset within the file at which to start reading.
+ offset: filesize,
+ ) -> tuple, future>>;
+
+ /// Return a stream for writing to a file, if available.
+ ///
+ /// May fail with an error-code describing why the file cannot be written.
+ ///
+ /// It is valid to write past the end of a file; the file is extended to the
+ /// extent of the write, with bytes between the previous end and the start of
+ /// the write set to zero.
+ ///
+ /// This function returns once either full contents of the stream are
+ /// written or an error is encountered.
+ ///
+ /// Note: This is similar to `pwrite` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ write-via-stream: async func(
+ /// Data to write
+ data: stream,
+ /// The offset within the file at which to start writing.
+ offset: filesize,
+ ) -> result<_, error-code>;
+
+ /// Return a stream for appending to a file, if available.
+ ///
+ /// May fail with an error-code describing why the file cannot be appended.
+ ///
+ /// This function returns once either full contents of the stream are
+ /// written or an error is encountered.
+ ///
+ /// Note: This is similar to `write` with `O_APPEND` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ append-via-stream: async func(data: stream) -> result<_, error-code>;
+
+ /// Provide file advisory information on a descriptor.
+ ///
+ /// This is similar to `posix_fadvise` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ advise: async func(
+ /// The offset within the file to which the advisory applies.
+ offset: filesize,
+ /// The length of the region to which the advisory applies.
+ length: filesize,
+ /// The advice.
+ advice: advice
+ ) -> result<_, error-code>;
+
+ /// Synchronize the data of a file to disk.
+ ///
+ /// This function succeeds with no effect if the file descriptor is not
+ /// opened for writing.
+ ///
+ /// Note: This is similar to `fdatasync` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ sync-data: async func() -> result<_, error-code>;
+
+ /// Get flags associated with a descriptor.
+ ///
+ /// Note: This returns similar flags to `fcntl(fd, F_GETFL)` in POSIX.
+ ///
+ /// Note: This returns the value that was the `fs_flags` value returned
+ /// from `fdstat_get` in earlier versions of WASI.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-flags: async func() -> result;
+
+ /// Get the dynamic type of a descriptor.
+ ///
+ /// Note: This returns the same value as the `type` field of the `fd-stat`
+ /// returned by `stat`, `stat-at` and similar.
+ ///
+ /// Note: This returns similar flags to the `st_mode & S_IFMT` value provided
+ /// by `fstat` in POSIX.
+ ///
+ /// Note: This returns the value that was the `fs_filetype` value returned
+ /// from `fdstat_get` in earlier versions of WASI.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-type: async func() -> result;
+
+ /// Adjust the size of an open file. If this increases the file's size, the
+ /// extra bytes are filled with zeros.
+ ///
+ /// Note: This was called `fd_filestat_set_size` in earlier versions of WASI.
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-size: async func(size: filesize) -> result<_, error-code>;
+
+ /// Adjust the timestamps of an open file or directory.
+ ///
+ /// Note: This is similar to `futimens` in POSIX.
+ ///
+ /// Note: This was called `fd_filestat_set_times` in earlier versions of WASI.
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-times: async func(
+ /// The desired values of the data access timestamp.
+ data-access-timestamp: new-timestamp,
+ /// The desired values of the data modification timestamp.
+ data-modification-timestamp: new-timestamp,
+ ) -> result<_, error-code>;
+
+ /// Read directory entries from a directory.
+ ///
+ /// On filesystems where directories contain entries referring to themselves
+ /// and their parents, often named `.` and `..` respectively, these entries
+ /// are omitted.
+ ///
+ /// This always returns a new stream which starts at the beginning of the
+ /// directory. Multiple streams may be active on the same directory, and they
+ /// do not interfere with each other.
+ ///
+ /// This function returns a future, which will resolve to an error code if
+ /// reading full contents of the directory fails.
+ @since(version = 0.3.0-rc-2025-09-16)
+ read-directory: async func() -> tuple, future>>;
+
+ /// Synchronize the data and metadata of a file to disk.
+ ///
+ /// This function succeeds with no effect if the file descriptor is not
+ /// opened for writing.
+ ///
+ /// Note: This is similar to `fsync` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ sync: async func() -> result<_, error-code>;
+
+ /// Create a directory.
+ ///
+ /// Note: This is similar to `mkdirat` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ create-directory-at: async func(
+ /// The relative path at which to create the directory.
+ path: string,
+ ) -> result<_, error-code>;
+
+ /// Return the attributes of an open file or directory.
+ ///
+ /// Note: This is similar to `fstat` in POSIX, except that it does not return
+ /// device and inode information. For testing whether two descriptors refer to
+ /// the same underlying filesystem object, use `is-same-object`. To obtain
+ /// additional data that can be used do determine whether a file has been
+ /// modified, use `metadata-hash`.
+ ///
+ /// Note: This was called `fd_filestat_get` in earlier versions of WASI.
+ @since(version = 0.3.0-rc-2025-09-16)
+ stat: async func() -> result;
+
+ /// Return the attributes of a file or directory.
+ ///
+ /// Note: This is similar to `fstatat` in POSIX, except that it does not
+ /// return device and inode information. See the `stat` description for a
+ /// discussion of alternatives.
+ ///
+ /// Note: This was called `path_filestat_get` in earlier versions of WASI.
+ @since(version = 0.3.0-rc-2025-09-16)
+ stat-at: async func(
+ /// Flags determining the method of how the path is resolved.
+ path-flags: path-flags,
+ /// The relative path of the file or directory to inspect.
+ path: string,
+ ) -> result;
+
+ /// Adjust the timestamps of a file or directory.
+ ///
+ /// Note: This is similar to `utimensat` in POSIX.
+ ///
+ /// Note: This was called `path_filestat_set_times` in earlier versions of
+ /// WASI.
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-times-at: async func(
+ /// Flags determining the method of how the path is resolved.
+ path-flags: path-flags,
+ /// The relative path of the file or directory to operate on.
+ path: string,
+ /// The desired values of the data access timestamp.
+ data-access-timestamp: new-timestamp,
+ /// The desired values of the data modification timestamp.
+ data-modification-timestamp: new-timestamp,
+ ) -> result<_, error-code>;
+
+ /// Create a hard link.
+ ///
+ /// Fails with `error-code::no-entry` if the old path does not exist,
+ /// with `error-code::exist` if the new path already exists, and
+ /// `error-code::not-permitted` if the old path is not a file.
+ ///
+ /// Note: This is similar to `linkat` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ link-at: async func(
+ /// Flags determining the method of how the path is resolved.
+ old-path-flags: path-flags,
+ /// The relative source path from which to link.
+ old-path: string,
+ /// The base directory for `new-path`.
+ new-descriptor: borrow,
+ /// The relative destination path at which to create the hard link.
+ new-path: string,
+ ) -> result<_, error-code>;
+
+ /// Open a file or directory.
+ ///
+ /// If `flags` contains `descriptor-flags::mutate-directory`, and the base
+ /// descriptor doesn't have `descriptor-flags::mutate-directory` set,
+ /// `open-at` fails with `error-code::read-only`.
+ ///
+ /// If `flags` contains `write` or `mutate-directory`, or `open-flags`
+ /// contains `truncate` or `create`, and the base descriptor doesn't have
+ /// `descriptor-flags::mutate-directory` set, `open-at` fails with
+ /// `error-code::read-only`.
+ ///
+ /// Note: This is similar to `openat` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ open-at: async func(
+ /// Flags determining the method of how the path is resolved.
+ path-flags: path-flags,
+ /// The relative path of the object to open.
+ path: string,
+ /// The method by which to open the file.
+ open-flags: open-flags,
+ /// Flags to use for the resulting descriptor.
+ %flags: descriptor-flags,
+ ) -> result;
+
+ /// Read the contents of a symbolic link.
+ ///
+ /// If the contents contain an absolute or rooted path in the underlying
+ /// filesystem, this function fails with `error-code::not-permitted`.
+ ///
+ /// Note: This is similar to `readlinkat` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ readlink-at: async func(
+ /// The relative path of the symbolic link from which to read.
+ path: string,
+ ) -> result;
+
+ /// Remove a directory.
+ ///
+ /// Return `error-code::not-empty` if the directory is not empty.
+ ///
+ /// Note: This is similar to `unlinkat(fd, path, AT_REMOVEDIR)` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ remove-directory-at: async func(
+ /// The relative path to a directory to remove.
+ path: string,
+ ) -> result<_, error-code>;
+
+ /// Rename a filesystem object.
+ ///
+ /// Note: This is similar to `renameat` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ rename-at: async func(
+ /// The relative source path of the file or directory to rename.
+ old-path: string,
+ /// The base directory for `new-path`.
+ new-descriptor: borrow,
+ /// The relative destination path to which to rename the file or directory.
+ new-path: string,
+ ) -> result<_, error-code>;
+
+ /// Create a symbolic link (also known as a "symlink").
+ ///
+ /// If `old-path` starts with `/`, the function fails with
+ /// `error-code::not-permitted`.
+ ///
+ /// Note: This is similar to `symlinkat` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ symlink-at: async func(
+ /// The contents of the symbolic link.
+ old-path: string,
+ /// The relative destination path at which to create the symbolic link.
+ new-path: string,
+ ) -> result<_, error-code>;
+
+ /// Unlink a filesystem object that is not a directory.
+ ///
+ /// Return `error-code::is-directory` if the path refers to a directory.
+ /// Note: This is similar to `unlinkat(fd, path, 0)` in POSIX.
+ @since(version = 0.3.0-rc-2025-09-16)
+ unlink-file-at: async func(
+ /// The relative path to a file to unlink.
+ path: string,
+ ) -> result<_, error-code>;
+
+ /// Test whether two descriptors refer to the same filesystem object.
+ ///
+ /// In POSIX, this corresponds to testing whether the two descriptors have the
+ /// same device (`st_dev`) and inode (`st_ino` or `d_ino`) numbers.
+ /// wasi-filesystem does not expose device and inode numbers, so this function
+ /// may be used instead.
+ @since(version = 0.3.0-rc-2025-09-16)
+ is-same-object: async func(other: borrow) -> bool;
+
+ /// Return a hash of the metadata associated with a filesystem object referred
+ /// to by a descriptor.
+ ///
+ /// This returns a hash of the last-modification timestamp and file size, and
+ /// may also include the inode number, device number, birth timestamp, and
+ /// other metadata fields that may change when the file is modified or
+ /// replaced. It may also include a secret value chosen by the
+ /// implementation and not otherwise exposed.
+ ///
+ /// Implementations are encouraged to provide the following properties:
+ ///
+ /// - If the file is not modified or replaced, the computed hash value should
+ /// usually not change.
+ /// - If the object is modified or replaced, the computed hash value should
+ /// usually change.
+ /// - The inputs to the hash should not be easily computable from the
+ /// computed hash.
+ ///
+ /// However, none of these is required.
+ @since(version = 0.3.0-rc-2025-09-16)
+ metadata-hash: async func() -> result;
+
+ /// Return a hash of the metadata associated with a filesystem object referred
+ /// to by a directory descriptor and a relative path.
+ ///
+ /// This performs the same hash computation as `metadata-hash`.
+ @since(version = 0.3.0-rc-2025-09-16)
+ metadata-hash-at: async func(
+ /// Flags determining the method of how the path is resolved.
+ path-flags: path-flags,
+ /// The relative path of the file or directory to inspect.
+ path: string,
+ ) -> result;
+ }
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/filesystem/world.wit b/proposals/cli/wit-0.3.0-draft/deps/filesystem/world.wit
new file mode 100644
index 000000000..87fc72716
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/filesystem/world.wit
@@ -0,0 +1,9 @@
+package wasi:filesystem@0.3.0-rc-2025-09-16;
+
+@since(version = 0.3.0-rc-2025-09-16)
+world imports {
+ @since(version = 0.3.0-rc-2025-09-16)
+ import types;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import preopens;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/random/insecure-seed.wit b/proposals/cli/wit-0.3.0-draft/deps/random/insecure-seed.wit
new file mode 100644
index 000000000..302151ba6
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/random/insecure-seed.wit
@@ -0,0 +1,27 @@
+package wasi:random@0.3.0-rc-2025-09-16;
+/// The insecure-seed interface for seeding hash-map DoS resistance.
+///
+/// It is intended to be portable at least between Unix-family platforms and
+/// Windows.
+@since(version = 0.3.0-rc-2025-09-16)
+interface insecure-seed {
+ /// Return a 128-bit value that may contain a pseudo-random value.
+ ///
+ /// The returned value is not required to be computed from a CSPRNG, and may
+ /// even be entirely deterministic. Host implementations are encouraged to
+ /// provide pseudo-random values to any program exposed to
+ /// attacker-controlled content, to enable DoS protection built into many
+ /// languages' hash-map implementations.
+ ///
+ /// This function is intended to only be called once, by a source language
+ /// to initialize Denial Of Service (DoS) protection in its hash-map
+ /// implementation.
+ ///
+ /// # Expected future evolution
+ ///
+ /// This will likely be changed to a value import, to prevent it from being
+ /// called multiple times and potentially used for purposes other than DoS
+ /// protection.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-insecure-seed: func() -> tuple;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/random/insecure.wit b/proposals/cli/wit-0.3.0-draft/deps/random/insecure.wit
new file mode 100644
index 000000000..39146e391
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/random/insecure.wit
@@ -0,0 +1,25 @@
+package wasi:random@0.3.0-rc-2025-09-16;
+/// The insecure interface for insecure pseudo-random numbers.
+///
+/// It is intended to be portable at least between Unix-family platforms and
+/// Windows.
+@since(version = 0.3.0-rc-2025-09-16)
+interface insecure {
+ /// Return `len` insecure pseudo-random bytes.
+ ///
+ /// This function is not cryptographically secure. Do not use it for
+ /// anything related to security.
+ ///
+ /// There are no requirements on the values of the returned bytes, however
+ /// implementations are encouraged to return evenly distributed values with
+ /// a long period.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-insecure-random-bytes: func(len: u64) -> list;
+
+ /// Return an insecure pseudo-random `u64` value.
+ ///
+ /// This function returns the same type of pseudo-random data as
+ /// `get-insecure-random-bytes`, represented as a `u64`.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-insecure-random-u64: func() -> u64;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/random/random.wit b/proposals/cli/wit-0.3.0-draft/deps/random/random.wit
new file mode 100644
index 000000000..fa1f111dc
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/random/random.wit
@@ -0,0 +1,29 @@
+package wasi:random@0.3.0-rc-2025-09-16;
+/// WASI Random is a random data API.
+///
+/// It is intended to be portable at least between Unix-family platforms and
+/// Windows.
+@since(version = 0.3.0-rc-2025-09-16)
+interface random {
+ /// Return `len` cryptographically-secure random or pseudo-random bytes.
+ ///
+ /// This function must produce data at least as cryptographically secure and
+ /// fast as an adequately seeded cryptographically-secure pseudo-random
+ /// number generator (CSPRNG). It must not block, from the perspective of
+ /// the calling program, under any circumstances, including on the first
+ /// request and on requests for numbers of bytes. The returned data must
+ /// always be unpredictable.
+ ///
+ /// This function must always return fresh data. Deterministic environments
+ /// must omit this function, rather than implementing it with deterministic
+ /// data.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-random-bytes: func(len: u64) -> list;
+
+ /// Return a cryptographically-secure random or pseudo-random `u64` value.
+ ///
+ /// This function returns the same type of data as `get-random-bytes`,
+ /// represented as a `u64`.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-random-u64: func() -> u64;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/random/world.wit b/proposals/cli/wit-0.3.0-draft/deps/random/world.wit
new file mode 100644
index 000000000..08c5ed88b
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/random/world.wit
@@ -0,0 +1,13 @@
+package wasi:random@0.3.0-rc-2025-09-16;
+
+@since(version = 0.3.0-rc-2025-09-16)
+world imports {
+ @since(version = 0.3.0-rc-2025-09-16)
+ import random;
+
+ @since(version = 0.3.0-rc-2025-09-16)
+ import insecure;
+
+ @since(version = 0.3.0-rc-2025-09-16)
+ import insecure-seed;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/sockets/ip-name-lookup.wit b/proposals/cli/wit-0.3.0-draft/deps/sockets/ip-name-lookup.wit
new file mode 100644
index 000000000..6a652ff23
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/sockets/ip-name-lookup.wit
@@ -0,0 +1,62 @@
+@since(version = 0.3.0-rc-2025-09-16)
+interface ip-name-lookup {
+ @since(version = 0.3.0-rc-2025-09-16)
+ use types.{ip-address};
+
+ /// Lookup error codes.
+ @since(version = 0.3.0-rc-2025-09-16)
+ enum error-code {
+ /// Unknown error
+ unknown,
+
+ /// Access denied.
+ ///
+ /// POSIX equivalent: EACCES, EPERM
+ access-denied,
+
+ /// `name` is a syntactically invalid domain name or IP address.
+ ///
+ /// POSIX equivalent: EINVAL
+ invalid-argument,
+
+ /// Name does not exist or has no suitable associated IP addresses.
+ ///
+ /// POSIX equivalent: EAI_NONAME, EAI_NODATA, EAI_ADDRFAMILY
+ name-unresolvable,
+
+ /// A temporary failure in name resolution occurred.
+ ///
+ /// POSIX equivalent: EAI_AGAIN
+ temporary-resolver-failure,
+
+ /// A permanent failure in name resolution occurred.
+ ///
+ /// POSIX equivalent: EAI_FAIL
+ permanent-resolver-failure,
+ }
+
+ /// Resolve an internet host name to a list of IP addresses.
+ ///
+ /// Unicode domain names are automatically converted to ASCII using IDNA encoding.
+ /// If the input is an IP address string, the address is parsed and returned
+ /// as-is without making any external requests.
+ ///
+ /// See the wasi-socket proposal README.md for a comparison with getaddrinfo.
+ ///
+ /// The results are returned in connection order preference.
+ ///
+ /// This function never succeeds with 0 results. It either fails or succeeds
+ /// with at least one address. Additionally, this function never returns
+ /// IPv4-mapped IPv6 addresses.
+ ///
+ /// The returned future will resolve to an error code in case of failure.
+ /// It will resolve to success once the returned stream is exhausted.
+ ///
+ /// # References:
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ resolve-addresses: async func(name: string) -> result, error-code>;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/sockets/types.wit b/proposals/cli/wit-0.3.0-draft/deps/sockets/types.wit
new file mode 100644
index 000000000..2ed1912e4
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/sockets/types.wit
@@ -0,0 +1,725 @@
+@since(version = 0.3.0-rc-2025-09-16)
+interface types {
+ @since(version = 0.3.0-rc-2025-09-16)
+ use wasi:clocks/monotonic-clock@0.3.0-rc-2025-09-16.{duration};
+
+ /// Error codes.
+ ///
+ /// In theory, every API can return any error code.
+ /// In practice, API's typically only return the errors documented per API
+ /// combined with a couple of errors that are always possible:
+ /// - `unknown`
+ /// - `access-denied`
+ /// - `not-supported`
+ /// - `out-of-memory`
+ ///
+ /// See each individual API for what the POSIX equivalents are. They sometimes differ per API.
+ @since(version = 0.3.0-rc-2025-09-16)
+ enum error-code {
+ /// Unknown error
+ unknown,
+
+ /// Access denied.
+ ///
+ /// POSIX equivalent: EACCES, EPERM
+ access-denied,
+
+ /// The operation is not supported.
+ ///
+ /// POSIX equivalent: EOPNOTSUPP
+ not-supported,
+
+ /// One of the arguments is invalid.
+ ///
+ /// POSIX equivalent: EINVAL
+ invalid-argument,
+
+ /// Not enough memory to complete the operation.
+ ///
+ /// POSIX equivalent: ENOMEM, ENOBUFS, EAI_MEMORY
+ out-of-memory,
+
+ /// The operation timed out before it could finish completely.
+ timeout,
+
+ /// The operation is not valid in the socket's current state.
+ invalid-state,
+
+ /// A bind operation failed because the provided address is not an address that the `network` can bind to.
+ address-not-bindable,
+
+ /// A bind operation failed because the provided address is already in use or because there are no ephemeral ports available.
+ address-in-use,
+
+ /// The remote address is not reachable
+ remote-unreachable,
+
+
+ /// The TCP connection was forcefully rejected
+ connection-refused,
+
+ /// The TCP connection was reset.
+ connection-reset,
+
+ /// A TCP connection was aborted.
+ connection-aborted,
+
+
+ /// The size of a datagram sent to a UDP socket exceeded the maximum
+ /// supported size.
+ datagram-too-large,
+ }
+
+ @since(version = 0.3.0-rc-2025-09-16)
+ enum ip-address-family {
+ /// Similar to `AF_INET` in POSIX.
+ ipv4,
+
+ /// Similar to `AF_INET6` in POSIX.
+ ipv6,
+ }
+
+ @since(version = 0.3.0-rc-2025-09-16)
+ type ipv4-address = tuple;
+ @since(version = 0.3.0-rc-2025-09-16)
+ type ipv6-address = tuple;
+
+ @since(version = 0.3.0-rc-2025-09-16)
+ variant ip-address {
+ ipv4(ipv4-address),
+ ipv6(ipv6-address),
+ }
+
+ @since(version = 0.3.0-rc-2025-09-16)
+ record ipv4-socket-address {
+ /// sin_port
+ port: u16,
+ /// sin_addr
+ address: ipv4-address,
+ }
+
+ @since(version = 0.3.0-rc-2025-09-16)
+ record ipv6-socket-address {
+ /// sin6_port
+ port: u16,
+ /// sin6_flowinfo
+ flow-info: u32,
+ /// sin6_addr
+ address: ipv6-address,
+ /// sin6_scope_id
+ scope-id: u32,
+ }
+
+ @since(version = 0.3.0-rc-2025-09-16)
+ variant ip-socket-address {
+ ipv4(ipv4-socket-address),
+ ipv6(ipv6-socket-address),
+ }
+
+ /// A TCP socket resource.
+ ///
+ /// The socket can be in one of the following states:
+ /// - `unbound`
+ /// - `bound` (See note below)
+ /// - `listening`
+ /// - `connecting`
+ /// - `connected`
+ /// - `closed`
+ /// See
+ /// for more information.
+ ///
+ /// Note: Except where explicitly mentioned, whenever this documentation uses
+ /// the term "bound" without backticks it actually means: in the `bound` state *or higher*.
+ /// (i.e. `bound`, `listening`, `connecting` or `connected`)
+ ///
+ /// In addition to the general error codes documented on the
+ /// `types::error-code` type, TCP socket methods may always return
+ /// `error(invalid-state)` when in the `closed` state.
+ @since(version = 0.3.0-rc-2025-09-16)
+ resource tcp-socket {
+
+ /// Create a new TCP socket.
+ ///
+ /// Similar to `socket(AF_INET or AF_INET6, SOCK_STREAM, IPPROTO_TCP)` in POSIX.
+ /// On IPv6 sockets, IPV6_V6ONLY is enabled by default and can't be configured otherwise.
+ ///
+ /// Unlike POSIX, WASI sockets have no notion of a socket-level
+ /// `O_NONBLOCK` flag. Instead they fully rely on the Component Model's
+ /// async support.
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ create: static func(address-family: ip-address-family) -> result;
+
+ /// Bind the socket to the provided IP address and port.
+ ///
+ /// If the IP address is zero (`0.0.0.0` in IPv4, `::` in IPv6), it is left to the implementation to decide which
+ /// network interface(s) to bind to.
+ /// If the TCP/UDP port is zero, the socket will be bound to a random free port.
+ ///
+ /// Bind can be attempted multiple times on the same socket, even with
+ /// different arguments on each iteration. But never concurrently and
+ /// only as long as the previous bind failed. Once a bind succeeds, the
+ /// binding can't be changed anymore.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: The `local-address` has the wrong address family. (EAFNOSUPPORT, EFAULT on Windows)
+ /// - `invalid-argument`: `local-address` is not a unicast address. (EINVAL)
+ /// - `invalid-argument`: `local-address` is an IPv4-mapped IPv6 address. (EINVAL)
+ /// - `invalid-state`: The socket is already bound. (EINVAL)
+ /// - `address-in-use`: No ephemeral ports available. (EADDRINUSE, ENOBUFS on Windows)
+ /// - `address-in-use`: Address is already in use. (EADDRINUSE)
+ /// - `address-not-bindable`: `local-address` is not an address that can be bound to. (EADDRNOTAVAIL)
+ ///
+ /// # Implementors note
+ /// When binding to a non-zero port, this bind operation shouldn't be affected by the TIME_WAIT
+ /// state of a recently closed socket on the same local address. In practice this means that the SO_REUSEADDR
+ /// socket option should be set implicitly on all platforms, except on Windows where this is the default behavior
+ /// and SO_REUSEADDR performs something different entirely.
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ bind: func(local-address: ip-socket-address) -> result<_, error-code>;
+
+ /// Connect to a remote endpoint.
+ ///
+ /// On success, the socket is transitioned into the `connected` state and this function returns a connection resource.
+ ///
+ /// After a failed connection attempt, the socket will be in the `closed`
+ /// state and the only valid action left is to `drop` the socket. A single
+ /// socket can not be used to connect more than once.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: The `remote-address` has the wrong address family. (EAFNOSUPPORT)
+ /// - `invalid-argument`: `remote-address` is not a unicast address. (EINVAL, ENETUNREACH on Linux, EAFNOSUPPORT on MacOS)
+ /// - `invalid-argument`: `remote-address` is an IPv4-mapped IPv6 address. (EINVAL, EADDRNOTAVAIL on Illumos)
+ /// - `invalid-argument`: The IP address in `remote-address` is set to INADDR_ANY (`0.0.0.0` / `::`). (EADDRNOTAVAIL on Windows)
+ /// - `invalid-argument`: The port in `remote-address` is set to 0. (EADDRNOTAVAIL on Windows)
+ /// - `invalid-state`: The socket is already in the `connecting` state. (EALREADY)
+ /// - `invalid-state`: The socket is already in the `connected` state. (EISCONN)
+ /// - `invalid-state`: The socket is already in the `listening` state. (EOPNOTSUPP, EINVAL on Windows)
+ /// - `timeout`: Connection timed out. (ETIMEDOUT)
+ /// - `connection-refused`: The connection was forcefully rejected. (ECONNREFUSED)
+ /// - `connection-reset`: The connection was reset. (ECONNRESET)
+ /// - `connection-aborted`: The connection was aborted. (ECONNABORTED)
+ /// - `remote-unreachable`: The remote address is not reachable. (EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)
+ /// - `address-in-use`: Tried to perform an implicit bind, but there were no ephemeral ports available. (EADDRINUSE, EADDRNOTAVAIL on Linux, EAGAIN on BSD)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ connect: async func(remote-address: ip-socket-address) -> result<_, error-code>;
+
+ /// Start listening and return a stream of new inbound connections.
+ ///
+ /// Transitions the socket into the `listening` state. This can be called
+ /// at most once per socket.
+ ///
+ /// If the socket is not already explicitly bound, this function will
+ /// implicitly bind the socket to a random free port.
+ ///
+ /// Normally, the returned sockets are bound, in the `connected` state
+ /// and immediately ready for I/O. Though, depending on exact timing and
+ /// circumstances, a newly accepted connection may already be `closed`
+ /// by the time the server attempts to perform its first I/O on it. This
+ /// is true regardless of whether the WASI implementation uses
+ /// "synthesized" sockets or not (see Implementors Notes below).
+ ///
+ /// The following properties are inherited from the listener socket:
+ /// - `address-family`
+ /// - `keep-alive-enabled`
+ /// - `keep-alive-idle-time`
+ /// - `keep-alive-interval`
+ /// - `keep-alive-count`
+ /// - `hop-limit`
+ /// - `receive-buffer-size`
+ /// - `send-buffer-size`
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is already in the `connected` state. (EISCONN, EINVAL on BSD)
+ /// - `invalid-state`: The socket is already in the `listening` state.
+ /// - `address-in-use`: Tried to perform an implicit bind, but there were no ephemeral ports available. (EADDRINUSE)
+ ///
+ /// # Implementors note
+ /// This method returns a single perpetual stream that should only close
+ /// on fatal errors (if any). Yet, the POSIX' `accept` function may also
+ /// return transient errors (e.g. ECONNABORTED). The exact details differ
+ /// per operation system. For example, the Linux manual mentions:
+ ///
+ /// > Linux accept() passes already-pending network errors on the new
+ /// > socket as an error code from accept(). This behavior differs from
+ /// > other BSD socket implementations. For reliable operation the
+ /// > application should detect the network errors defined for the
+ /// > protocol after accept() and treat them like EAGAIN by retrying.
+ /// > In the case of TCP/IP, these are ENETDOWN, EPROTO, ENOPROTOOPT,
+ /// > EHOSTDOWN, ENONET, EHOSTUNREACH, EOPNOTSUPP, and ENETUNREACH.
+ /// Source: https://man7.org/linux/man-pages/man2/accept.2.html
+ ///
+ /// WASI implementations have two options to handle this:
+ /// - Optionally log it and then skip over non-fatal errors returned by
+ /// `accept`. Guest code never gets to see these failures. Or:
+ /// - Synthesize a `tcp-socket` resource that exposes the error when
+ /// attempting to send or receive on it. Guest code then sees these
+ /// failures as regular I/O errors.
+ ///
+ /// In either case, the stream returned by this `listen` method remains
+ /// operational.
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ listen: func() -> result, error-code>;
+
+ /// Transmit data to peer.
+ ///
+ /// The caller should close the stream when it has no more data to send
+ /// to the peer. Under normal circumstances this will cause a FIN packet
+ /// to be sent out. Closing the stream is equivalent to calling
+ /// `shutdown(SHUT_WR)` in POSIX.
+ ///
+ /// This function may be called at most once and returns once the full
+ /// contents of the stream are transmitted or an error is encountered.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is not in the `connected` state. (ENOTCONN)
+ /// - `connection-reset`: The connection was reset. (ECONNRESET)
+ /// - `remote-unreachable`: The remote address is not reachable. (EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ send: async func(data: stream) -> result<_, error-code>;
+
+ /// Read data from peer.
+ ///
+ /// This function returns a `stream` which provides the data received from the
+ /// socket, and a `future` providing additional error information in case the
+ /// socket is closed abnormally.
+ ///
+ /// If the socket is closed normally, `stream.read` on the `stream` will return
+ /// `read-status::closed` with no `error-context` and the future resolves to
+ /// the value `ok`. If the socket is closed abnormally, `stream.read` on the
+ /// `stream` returns `read-status::closed` with an `error-context` and the future
+ /// resolves to `err` with an `error-code`.
+ ///
+ /// `receive` is meant to be called only once per socket. If it is called more
+ /// than once, the subsequent calls return a new `stream` that fails as if it
+ /// were closed abnormally.
+ ///
+ /// If the caller is not expecting to receive any data from the peer,
+ /// they may drop the stream. Any data still in the receive queue
+ /// will be discarded. This is equivalent to calling `shutdown(SHUT_RD)`
+ /// in POSIX.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is not in the `connected` state. (ENOTCONN)
+ /// - `connection-reset`: The connection was reset. (ECONNRESET)
+ /// - `remote-unreachable`: The remote address is not reachable. (EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ receive: func() -> tuple, future>>;
+
+ /// Get the bound local address.
+ ///
+ /// POSIX mentions:
+ /// > If the socket has not been bound to a local name, the value
+ /// > stored in the object pointed to by `address` is unspecified.
+ ///
+ /// WASI is stricter and requires `get-local-address` to return `invalid-state` when the socket hasn't been bound yet.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is not bound to any local address.
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-local-address: func() -> result;
+
+ /// Get the remote address.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is not connected to a remote address. (ENOTCONN)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-remote-address: func() -> result;
+
+ /// Whether the socket is in the `listening` state.
+ ///
+ /// Equivalent to the SO_ACCEPTCONN socket option.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-is-listening: func() -> bool;
+
+ /// Whether this is a IPv4 or IPv6 socket.
+ ///
+ /// This is the value passed to the constructor.
+ ///
+ /// Equivalent to the SO_DOMAIN socket option.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-address-family: func() -> ip-address-family;
+
+ /// Hints the desired listen queue size. Implementations are free to ignore this.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ /// Any other value will never cause an error, but it might be silently clamped and/or rounded.
+ ///
+ /// # Typical errors
+ /// - `not-supported`: (set) The platform does not support changing the backlog size after the initial listen.
+ /// - `invalid-argument`: (set) The provided value was 0.
+ /// - `invalid-state`: (set) The socket is in the `connecting` or `connected` state.
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-listen-backlog-size: func(value: u64) -> result<_, error-code>;
+
+ /// Enables or disables keepalive.
+ ///
+ /// The keepalive behavior can be adjusted using:
+ /// - `keep-alive-idle-time`
+ /// - `keep-alive-interval`
+ /// - `keep-alive-count`
+ /// These properties can be configured while `keep-alive-enabled` is false, but only come into effect when `keep-alive-enabled` is true.
+ ///
+ /// Equivalent to the SO_KEEPALIVE socket option.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-keep-alive-enabled: func() -> result;
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-keep-alive-enabled: func(value: bool) -> result<_, error-code>;
+
+ /// Amount of time the connection has to be idle before TCP starts sending keepalive packets.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ /// Any other value will never cause an error, but it might be silently clamped and/or rounded.
+ /// I.e. after setting a value, reading the same setting back may return a different value.
+ ///
+ /// Equivalent to the TCP_KEEPIDLE socket option. (TCP_KEEPALIVE on MacOS)
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The provided value was 0.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-keep-alive-idle-time: func() -> result;
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-keep-alive-idle-time: func(value: duration) -> result<_, error-code>;
+
+ /// The time between keepalive packets.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ /// Any other value will never cause an error, but it might be silently clamped and/or rounded.
+ /// I.e. after setting a value, reading the same setting back may return a different value.
+ ///
+ /// Equivalent to the TCP_KEEPINTVL socket option.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The provided value was 0.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-keep-alive-interval: func() -> result;
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-keep-alive-interval: func(value: duration) -> result<_, error-code>;
+
+ /// The maximum amount of keepalive packets TCP should send before aborting the connection.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ /// Any other value will never cause an error, but it might be silently clamped and/or rounded.
+ /// I.e. after setting a value, reading the same setting back may return a different value.
+ ///
+ /// Equivalent to the TCP_KEEPCNT socket option.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The provided value was 0.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-keep-alive-count: func() -> result;
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-keep-alive-count: func(value: u32) -> result<_, error-code>;
+
+ /// Equivalent to the IP_TTL & IPV6_UNICAST_HOPS socket options.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The TTL value must be 1 or higher.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-hop-limit: func() -> result;
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-hop-limit: func(value: u8) -> result<_, error-code>;
+
+ /// The kernel buffer space reserved for sends/receives on this socket.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ /// Any other value will never cause an error, but it might be silently clamped and/or rounded.
+ /// I.e. after setting a value, reading the same setting back may return a different value.
+ ///
+ /// Equivalent to the SO_RCVBUF and SO_SNDBUF socket options.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The provided value was 0.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-receive-buffer-size: func() -> result;
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-receive-buffer-size: func(value: u64) -> result<_, error-code>;
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-send-buffer-size: func() -> result;
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-send-buffer-size: func(value: u64) -> result<_, error-code>;
+ }
+
+ /// A UDP socket handle.
+ @since(version = 0.3.0-rc-2025-09-16)
+ resource udp-socket {
+
+ /// Create a new UDP socket.
+ ///
+ /// Similar to `socket(AF_INET or AF_INET6, SOCK_DGRAM, IPPROTO_UDP)` in POSIX.
+ /// On IPv6 sockets, IPV6_V6ONLY is enabled by default and can't be configured otherwise.
+ ///
+ /// Unlike POSIX, WASI sockets have no notion of a socket-level
+ /// `O_NONBLOCK` flag. Instead they fully rely on the Component Model's
+ /// async support.
+ ///
+ /// # References:
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ create: static func(address-family: ip-address-family) -> result;
+
+ /// Bind the socket to the provided IP address and port.
+ ///
+ /// If the IP address is zero (`0.0.0.0` in IPv4, `::` in IPv6), it is left to the implementation to decide which
+ /// network interface(s) to bind to.
+ /// If the port is zero, the socket will be bound to a random free port.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: The `local-address` has the wrong address family. (EAFNOSUPPORT, EFAULT on Windows)
+ /// - `invalid-state`: The socket is already bound. (EINVAL)
+ /// - `address-in-use`: No ephemeral ports available. (EADDRINUSE, ENOBUFS on Windows)
+ /// - `address-in-use`: Address is already in use. (EADDRINUSE)
+ /// - `address-not-bindable`: `local-address` is not an address that can be bound to. (EADDRNOTAVAIL)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ bind: func(local-address: ip-socket-address) -> result<_, error-code>;
+
+ /// Associate this socket with a specific peer address.
+ ///
+ /// On success, the `remote-address` of the socket is updated.
+ /// The `local-address` may be updated as well, based on the best network
+ /// path to `remote-address`. If the socket was not already explicitly
+ /// bound, this function will implicitly bind the socket to a random
+ /// free port.
+ ///
+ /// When a UDP socket is "connected", the `send` and `receive` methods
+ /// are limited to communicating with that peer only:
+ /// - `send` can only be used to send to this destination.
+ /// - `receive` will only return datagrams sent from the provided `remote-address`.
+ ///
+ /// The name "connect" was kept to align with the existing POSIX
+ /// terminology. Other than that, this function only changes the local
+ /// socket configuration and does not generate any network traffic.
+ /// The peer is not aware of this "connection".
+ ///
+ /// This method may be called multiple times on the same socket to change
+ /// its association, but only the most recent one will be effective.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: The `remote-address` has the wrong address family. (EAFNOSUPPORT)
+ /// - `invalid-argument`: The IP address in `remote-address` is set to INADDR_ANY (`0.0.0.0` / `::`). (EDESTADDRREQ, EADDRNOTAVAIL)
+ /// - `invalid-argument`: The port in `remote-address` is set to 0. (EDESTADDRREQ, EADDRNOTAVAIL)
+ /// - `address-in-use`: Tried to perform an implicit bind, but there were no ephemeral ports available. (EADDRINUSE, EADDRNOTAVAIL on Linux, EAGAIN on BSD)
+ ///
+ /// # Implementors note
+ /// If the socket is already connected, some platforms (e.g. Linux)
+ /// require a disconnect before connecting to a different peer address.
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ connect: func(remote-address: ip-socket-address) -> result<_, error-code>;
+
+ /// Dissociate this socket from its peer address.
+ ///
+ /// After calling this method, `send` & `receive` are free to communicate
+ /// with any address again.
+ ///
+ /// The POSIX equivalent of this is calling `connect` with an `AF_UNSPEC` address.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is not connected.
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ disconnect: func() -> result<_, error-code>;
+
+ /// Send a message on the socket to a particular peer.
+ ///
+ /// If the socket is connected, the peer address may be left empty. In
+ /// that case this is equivalent to `send` in POSIX. Otherwise it is
+ /// equivalent to `sendto`.
+ ///
+ /// Additionally, if the socket is connected, a `remote-address` argument
+ /// _may_ be provided but then it must be identical to the address
+ /// passed to `connect`.
+ ///
+ /// Implementations may trap if the `data` length exceeds 64 KiB.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: The `remote-address` has the wrong address family. (EAFNOSUPPORT)
+ /// - `invalid-argument`: The IP address in `remote-address` is set to INADDR_ANY (`0.0.0.0` / `::`). (EDESTADDRREQ, EADDRNOTAVAIL)
+ /// - `invalid-argument`: The port in `remote-address` is set to 0. (EDESTADDRREQ, EADDRNOTAVAIL)
+ /// - `invalid-argument`: The socket is in "connected" mode and `remote-address` is `some` value that does not match the address passed to `connect`. (EISCONN)
+ /// - `invalid-argument`: The socket is not "connected" and no value for `remote-address` was provided. (EDESTADDRREQ)
+ /// - `remote-unreachable`: The remote address is not reachable. (ECONNRESET, ENETRESET on Windows, EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)
+ /// - `connection-refused`: The connection was refused. (ECONNREFUSED)
+ /// - `datagram-too-large`: The datagram is too large. (EMSGSIZE)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ send: async func(data: list, remote-address: option) -> result<_, error-code>;
+
+ /// Receive a message on the socket.
+ ///
+ /// On success, the return value contains a tuple of the received data
+ /// and the address of the sender. Theoretical maximum length of the
+ /// data is 64 KiB. Though in practice, it will typically be less than
+ /// 1500 bytes.
+ ///
+ /// If the socket is connected, the sender address is guaranteed to
+ /// match the remote address passed to `connect`.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket has not been bound yet.
+ /// - `remote-unreachable`: The remote address is not reachable. (ECONNRESET, ENETRESET on Windows, EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)
+ /// - `connection-refused`: The connection was refused. (ECONNREFUSED)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ receive: async func() -> result, ip-socket-address>, error-code>;
+
+ /// Get the current bound address.
+ ///
+ /// POSIX mentions:
+ /// > If the socket has not been bound to a local name, the value
+ /// > stored in the object pointed to by `address` is unspecified.
+ ///
+ /// WASI is stricter and requires `get-local-address` to return `invalid-state` when the socket hasn't been bound yet.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is not bound to any local address.
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-local-address: func() -> result;
+
+ /// Get the address the socket is currently "connected" to.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is not "connected" to a specific remote address. (ENOTCONN)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-remote-address: func() -> result;
+
+ /// Whether this is a IPv4 or IPv6 socket.
+ ///
+ /// This is the value passed to the constructor.
+ ///
+ /// Equivalent to the SO_DOMAIN socket option.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-address-family: func() -> ip-address-family;
+
+ /// Equivalent to the IP_TTL & IPV6_UNICAST_HOPS socket options.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The TTL value must be 1 or higher.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-unicast-hop-limit: func() -> result;
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-unicast-hop-limit: func(value: u8) -> result<_, error-code>;
+
+ /// The kernel buffer space reserved for sends/receives on this socket.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ /// Any other value will never cause an error, but it might be silently clamped and/or rounded.
+ /// I.e. after setting a value, reading the same setting back may return a different value.
+ ///
+ /// Equivalent to the SO_RCVBUF and SO_SNDBUF socket options.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The provided value was 0.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-receive-buffer-size: func() -> result;
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-receive-buffer-size: func(value: u64) -> result<_, error-code>;
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-send-buffer-size: func() -> result;
+ @since(version = 0.3.0-rc-2025-09-16)
+ set-send-buffer-size: func(value: u64) -> result<_, error-code>;
+ }
+}
diff --git a/proposals/cli/wit-0.3.0-draft/deps/sockets/world.wit b/proposals/cli/wit-0.3.0-draft/deps/sockets/world.wit
new file mode 100644
index 000000000..44cc427ed
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/deps/sockets/world.wit
@@ -0,0 +1,9 @@
+package wasi:sockets@0.3.0-rc-2025-09-16;
+
+@since(version = 0.3.0-rc-2025-09-16)
+world imports {
+ @since(version = 0.3.0-rc-2025-09-16)
+ import types;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import ip-name-lookup;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/environment.wit b/proposals/cli/wit-0.3.0-draft/environment.wit
new file mode 100644
index 000000000..3763f2f6c
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/environment.wit
@@ -0,0 +1,22 @@
+@since(version = 0.3.0-rc-2025-09-16)
+interface environment {
+ /// Get the POSIX-style environment variables.
+ ///
+ /// Each environment variable is provided as a pair of string variable names
+ /// and string value.
+ ///
+ /// Morally, these are a value import, but until value imports are available
+ /// in the component model, this import function should return the same
+ /// values each time it is called.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-environment: func() -> list>;
+
+ /// Get the POSIX-style arguments to the program.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-arguments: func() -> list;
+
+ /// Return a path that programs should use as their initial current working
+ /// directory, interpreting `.` as shorthand for this.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-initial-cwd: func() -> option;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/exit.wit b/proposals/cli/wit-0.3.0-draft/exit.wit
new file mode 100644
index 000000000..1efba7d68
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/exit.wit
@@ -0,0 +1,17 @@
+@since(version = 0.3.0-rc-2025-09-16)
+interface exit {
+ /// Exit the current instance and any linked instances.
+ @since(version = 0.3.0-rc-2025-09-16)
+ exit: func(status: result);
+
+ /// Exit the current instance and any linked instances, reporting the
+ /// specified status code to the host.
+ ///
+ /// The meaning of the code depends on the context, with 0 usually meaning
+ /// "success", and other values indicating various types of failure.
+ ///
+ /// This function does not return; the effect is analogous to a trap, but
+ /// without the connotation that something bad has happened.
+ @unstable(feature = cli-exit-with-code)
+ exit-with-code: func(status-code: u8);
+}
diff --git a/proposals/cli/wit-0.3.0-draft/imports.wit b/proposals/cli/wit-0.3.0-draft/imports.wit
new file mode 100644
index 000000000..660a2dd95
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/imports.wit
@@ -0,0 +1,34 @@
+package wasi:cli@0.3.0-rc-2025-09-16;
+
+@since(version = 0.3.0-rc-2025-09-16)
+world imports {
+ @since(version = 0.3.0-rc-2025-09-16)
+ include wasi:clocks/imports@0.3.0-rc-2025-09-16;
+ @since(version = 0.3.0-rc-2025-09-16)
+ include wasi:filesystem/imports@0.3.0-rc-2025-09-16;
+ @since(version = 0.3.0-rc-2025-09-16)
+ include wasi:sockets/imports@0.3.0-rc-2025-09-16;
+ @since(version = 0.3.0-rc-2025-09-16)
+ include wasi:random/imports@0.3.0-rc-2025-09-16;
+
+ @since(version = 0.3.0-rc-2025-09-16)
+ import environment;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import exit;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import stdin;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import stdout;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import stderr;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import terminal-input;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import terminal-output;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import terminal-stdin;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import terminal-stdout;
+ @since(version = 0.3.0-rc-2025-09-16)
+ import terminal-stderr;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/run.wit b/proposals/cli/wit-0.3.0-draft/run.wit
new file mode 100644
index 000000000..631441a3f
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/run.wit
@@ -0,0 +1,6 @@
+@since(version = 0.3.0-rc-2025-09-16)
+interface run {
+ /// Run the program.
+ @since(version = 0.3.0-rc-2025-09-16)
+ run: async func() -> result;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/stdio.wit b/proposals/cli/wit-0.3.0-draft/stdio.wit
new file mode 100644
index 000000000..51e5ae4b4
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/stdio.wit
@@ -0,0 +1,65 @@
+@since(version = 0.3.0-rc-2025-09-16)
+interface types {
+ @since(version = 0.3.0-rc-2025-09-16)
+ enum error-code {
+ /// Input/output error
+ io,
+ /// Invalid or incomplete multibyte or wide character
+ illegal-byte-sequence,
+ /// Broken pipe
+ pipe,
+ }
+}
+
+@since(version = 0.3.0-rc-2025-09-16)
+interface stdin {
+ use types.{error-code};
+
+ /// Return a stream for reading from stdin.
+ ///
+ /// This function returns a stream which provides data read from stdin,
+ /// and a future to signal read results.
+ ///
+ /// If the stream's readable end is dropped the future will resolve to success.
+ ///
+ /// If the stream's writable end is dropped the future will either resolve to
+ /// success if stdin was closed by the writer or to an error-code if reading
+ /// failed for some other reason.
+ ///
+ /// Multiple streams may be active at the same time. The behavior of concurrent
+ /// reads is implementation-specific.
+ @since(version = 0.3.0-rc-2025-09-16)
+ read-via-stream: func() -> tuple, future>>;
+}
+
+@since(version = 0.3.0-rc-2025-09-16)
+interface stdout {
+ use types.{error-code};
+
+ /// Write the given stream to stdout.
+ ///
+ /// If the stream's writable end is dropped this function will either return
+ /// success once the entire contents of the stream have been written or an
+ /// error-code representing a failure.
+ ///
+ /// Otherwise if there is an error the readable end of the stream will be
+ /// dropped and this function will return an error-code.
+ @since(version = 0.3.0-rc-2025-09-16)
+ write-via-stream: async func(data: stream) -> result<_, error-code>;
+}
+
+@since(version = 0.3.0-rc-2025-09-16)
+interface stderr {
+ use types.{error-code};
+
+ /// Write the given stream to stderr.
+ ///
+ /// If the stream's writable end is dropped this function will either return
+ /// success once the entire contents of the stream have been written or an
+ /// error-code representing a failure.
+ ///
+ /// Otherwise if there is an error the readable end of the stream will be
+ /// dropped and this function will return an error-code.
+ @since(version = 0.3.0-rc-2025-09-16)
+ write-via-stream: async func(data: stream) -> result<_, error-code>;
+}
diff --git a/proposals/cli/wit-0.3.0-draft/terminal.wit b/proposals/cli/wit-0.3.0-draft/terminal.wit
new file mode 100644
index 000000000..74c17694a
--- /dev/null
+++ b/proposals/cli/wit-0.3.0-draft/terminal.wit
@@ -0,0 +1,62 @@
+/// Terminal input.
+///
+/// In the future, this may include functions for disabling echoing,
+/// disabling input buffering so that keyboard events are sent through
+/// immediately, querying supported features, and so on.
+@since(version = 0.3.0-rc-2025-09-16)
+interface terminal-input {
+ /// The input side of a terminal.
+ @since(version = 0.3.0-rc-2025-09-16)
+ resource terminal-input;
+}
+
+/// Terminal output.
+///
+/// In the future, this may include functions for querying the terminal
+/// size, being notified of terminal size changes, querying supported
+/// features, and so on.
+@since(version = 0.3.0-rc-2025-09-16)
+interface terminal-output {
+ /// The output side of a terminal.
+ @since(version = 0.3.0-rc-2025-09-16)
+ resource terminal-output;
+}
+
+/// An interface providing an optional `terminal-input` for stdin as a
+/// link-time authority.
+@since(version = 0.3.0-rc-2025-09-16)
+interface terminal-stdin {
+ @since(version = 0.3.0-rc-2025-09-16)
+ use terminal-input.{terminal-input};
+
+ /// If stdin is connected to a terminal, return a `terminal-input` handle
+ /// allowing further interaction with it.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-terminal-stdin: func() -> option;
+}
+
+/// An interface providing an optional `terminal-output` for stdout as a
+/// link-time authority.
+@since(version = 0.3.0-rc-2025-09-16)
+interface terminal-stdout {
+ @since(version = 0.3.0-rc-2025-09-16)
+ use terminal-output.{terminal-output};
+
+ /// If stdout is connected to a terminal, return a `terminal-output` handle
+ /// allowing further interaction with it.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-terminal-stdout: func() -> option;
+}
+
+/// An interface providing an optional `terminal-output` for stderr as a
+/// link-time authority.
+@since(version = 0.3.0-rc-2025-09-16)
+interface terminal-stderr {
+ @since(version = 0.3.0-rc-2025-09-16)
+ use terminal-output.{terminal-output};
+
+ /// If stderr is connected to a terminal, return a `terminal-output` handle
+ /// allowing further interaction with it.
+ @since(version = 0.3.0-rc-2025-09-16)
+ get-terminal-stderr: func() -> option;
+}
diff --git a/proposals/cli/wit/command.wit b/proposals/cli/wit/command.wit
new file mode 100644
index 000000000..38ef86b86
--- /dev/null
+++ b/proposals/cli/wit/command.wit
@@ -0,0 +1,10 @@
+package wasi:cli@0.2.8;
+
+@since(version = 0.2.0)
+world command {
+ @since(version = 0.2.0)
+ include imports;
+
+ @since(version = 0.2.0)
+ export run;
+}
diff --git a/proposals/cli/wit/deps.lock b/proposals/cli/wit/deps.lock
new file mode 100644
index 000000000..525406a2b
--- /dev/null
+++ b/proposals/cli/wit/deps.lock
@@ -0,0 +1,24 @@
+[clocks]
+sha256 = "be1d8c61e2544e2b48d902c60df73577e293349063344ce752cda4d323f8b913"
+sha512 = "0fd7962c62b135da0e584c2b58a55147bf09873848b0bb5bd3913019bc3f8d4b5969fbd6f7f96fd99a015efaf562a3eeafe3bc13049f8572a6e13ef9ef0e7e75"
+
+[filesystem]
+url = "https://github.com/WebAssembly/wasi-filesystem/archive/v0.2.8.tar.gz"
+sha256 = "57c2e5e40c57d54a2eacb55d8855d2963a6c0b33971a3620c1468b732233d593"
+sha512 = "11d1dee738bea1fdd15f5cc07ea10bfb9953a4e84361bbdc2c1051f9520463329ec839caffe0e5cf22870584846f9bfe627c1b77ee4b555fcc990b8106791c68"
+deps = ["clocks", "io"]
+
+[io]
+sha256 = "9f1ad5da70f621bbd4c69e3bd90250a0c12ecfde266aa8f99684fc44bc1e7c15"
+sha512 = "6d0a9db6848f24762933d1c168a5b5b1065ba838c253ee20454afeb8dd1a049b918d25deff556083d68095dd3126ae131ac3e738774320eee5d918f5a4b5354e"
+
+[random]
+url = "https://github.com/WebAssembly/wasi-random/archive/v0.2.8.tar.gz"
+sha256 = "febd6f75dec1fa733b8e25c1cdee4de9acd922ddf755a192d85f479b1f96b445"
+sha512 = "1689d2eee3c64b9fc91faaf43741ff95f343b05acc758342dbf3aa86830de1ec66b4bcd0fe22bf1f77abc4a1feeaae90cdc2c06eedc30952a6667f70edca7d8f"
+
+[sockets]
+url = "https://github.com/WebAssembly/wasi-sockets/archive/v0.2.8.tar.gz"
+sha256 = "e82bb0502324f44ef22f6fdadec51f4963faf8ccd21187c37397ea872c0548c0"
+sha512 = "b8139db2b26a95d6948e345cf036497883943134ea832abfabd7267682d9f84b4c86ff38fc771125f1a8e2bcd237ea0a731d83bf22df9d78f19e452061227d77"
+deps = ["clocks", "io"]
diff --git a/proposals/cli/wit/deps.toml b/proposals/cli/wit/deps.toml
new file mode 100644
index 000000000..59d97afe4
--- /dev/null
+++ b/proposals/cli/wit/deps.toml
@@ -0,0 +1,3 @@
+filesystem = "https://github.com/WebAssembly/wasi-filesystem/archive/v0.2.8.tar.gz"
+random = "https://github.com/WebAssembly/wasi-random/archive/v0.2.8.tar.gz"
+sockets = "https://github.com/WebAssembly/wasi-sockets/archive/v0.2.8.tar.gz"
diff --git a/proposals/cli/wit/deps/clocks/monotonic-clock.wit b/proposals/cli/wit/deps/clocks/monotonic-clock.wit
new file mode 100644
index 000000000..e60f366f2
--- /dev/null
+++ b/proposals/cli/wit/deps/clocks/monotonic-clock.wit
@@ -0,0 +1,55 @@
+package wasi:clocks@0.2.8;
+/// WASI Monotonic Clock is a clock API intended to let users measure elapsed
+/// time.
+///
+/// It is intended to be portable at least between Unix-family platforms and
+/// Windows.
+///
+/// A monotonic clock is a clock which has an unspecified initial value, and
+/// successive reads of the clock will produce non-decreasing values.
+@since(version = 0.2.0)
+interface monotonic-clock {
+ @since(version = 0.2.0)
+ use wasi:io/poll@0.2.8.{pollable};
+
+ /// An instant in time, in nanoseconds. An instant is relative to an
+ /// unspecified initial value, and can only be compared to instances from
+ /// the same monotonic-clock.
+ @since(version = 0.2.0)
+ type instant = u64;
+
+ /// A duration of time, in nanoseconds.
+ @since(version = 0.2.0)
+ type duration = u64;
+
+ /// Read the current value of the clock.
+ ///
+ /// The clock is monotonic, therefore calling this function repeatedly will
+ /// produce a sequence of non-decreasing values.
+ ///
+ /// For completeness, this function traps if it's not possible to represent
+ /// the value of the clock in an `instant`. Consequently, implementations
+ /// should ensure that the starting time is low enough to avoid the
+ /// possibility of overflow in practice.
+ @since(version = 0.2.0)
+ now: func() -> instant;
+
+ /// Query the resolution of the clock. Returns the duration of time
+ /// corresponding to a clock tick.
+ @since(version = 0.2.0)
+ resolution: func() -> duration;
+
+ /// Create a `pollable` which will resolve once the specified instant
+ /// has occurred.
+ @since(version = 0.2.0)
+ subscribe-instant: func(
+ when: instant,
+ ) -> pollable;
+
+ /// Create a `pollable` that will resolve after the specified duration has
+ /// elapsed from the time this function is invoked.
+ @since(version = 0.2.0)
+ subscribe-duration: func(
+ when: duration,
+ ) -> pollable;
+}
diff --git a/proposals/cli/wit/deps/clocks/timezone.wit b/proposals/cli/wit/deps/clocks/timezone.wit
new file mode 100644
index 000000000..534814a63
--- /dev/null
+++ b/proposals/cli/wit/deps/clocks/timezone.wit
@@ -0,0 +1,55 @@
+package wasi:clocks@0.2.8;
+
+@unstable(feature = clocks-timezone)
+interface timezone {
+ @unstable(feature = clocks-timezone)
+ use wall-clock.{datetime};
+
+ /// Return information needed to display the given `datetime`. This includes
+ /// the UTC offset, the time zone name, and a flag indicating whether
+ /// daylight saving time is active.
+ ///
+ /// If the timezone cannot be determined for the given `datetime`, return a
+ /// `timezone-display` for `UTC` with a `utc-offset` of 0 and no daylight
+ /// saving time.
+ @unstable(feature = clocks-timezone)
+ display: func(when: datetime) -> timezone-display;
+
+ /// The same as `display`, but only return the UTC offset.
+ @unstable(feature = clocks-timezone)
+ utc-offset: func(when: datetime) -> s32;
+
+ /// Information useful for displaying the timezone of a specific `datetime`.
+ ///
+ /// This information may vary within a single `timezone` to reflect daylight
+ /// saving time adjustments.
+ @unstable(feature = clocks-timezone)
+ record timezone-display {
+ /// The number of seconds difference between UTC time and the local
+ /// time of the timezone.
+ ///
+ /// The returned value will always be less than 86400 which is the
+ /// number of seconds in a day (24*60*60).
+ ///
+ /// In implementations that do not expose an actual time zone, this
+ /// should return 0.
+ utc-offset: s32,
+
+ /// The abbreviated name of the timezone to display to a user. The name
+ /// `UTC` indicates Coordinated Universal Time. Otherwise, this should
+ /// reference local standards for the name of the time zone.
+ ///
+ /// In implementations that do not expose an actual time zone, this
+ /// should be the string `UTC`.
+ ///
+ /// In time zones that do not have an applicable name, a formatted
+ /// representation of the UTC offset may be returned, such as `-04:00`.
+ name: string,
+
+ /// Whether daylight saving time is active.
+ ///
+ /// In implementations that do not expose an actual time zone, this
+ /// should return false.
+ in-daylight-saving-time: bool,
+ }
+}
diff --git a/proposals/cli/wit/deps/clocks/wall-clock.wit b/proposals/cli/wit/deps/clocks/wall-clock.wit
new file mode 100644
index 000000000..3386c800b
--- /dev/null
+++ b/proposals/cli/wit/deps/clocks/wall-clock.wit
@@ -0,0 +1,46 @@
+package wasi:clocks@0.2.8;
+/// WASI Wall Clock is a clock API intended to let users query the current
+/// time. The name "wall" makes an analogy to a "clock on the wall", which
+/// is not necessarily monotonic as it may be reset.
+///
+/// It is intended to be portable at least between Unix-family platforms and
+/// Windows.
+///
+/// A wall clock is a clock which measures the date and time according to
+/// some external reference.
+///
+/// External references may be reset, so this clock is not necessarily
+/// monotonic, making it unsuitable for measuring elapsed time.
+///
+/// It is intended for reporting the current date and time for humans.
+@since(version = 0.2.0)
+interface wall-clock {
+ /// A time and date in seconds plus nanoseconds.
+ @since(version = 0.2.0)
+ record datetime {
+ seconds: u64,
+ nanoseconds: u32,
+ }
+
+ /// Read the current value of the clock.
+ ///
+ /// This clock is not monotonic, therefore calling this function repeatedly
+ /// will not necessarily produce a sequence of non-decreasing values.
+ ///
+ /// The returned timestamps represent the number of seconds since
+ /// 1970-01-01T00:00:00Z, also known as [POSIX's Seconds Since the Epoch],
+ /// also known as [Unix Time].
+ ///
+ /// The nanoseconds field of the output is always less than 1000000000.
+ ///
+ /// [POSIX's Seconds Since the Epoch]: https://pubs.opengroup.org/onlinepubs/9699919799/xrat/V4_xbd_chap04.html#tag_21_04_16
+ /// [Unix Time]: https://en.wikipedia.org/wiki/Unix_time
+ @since(version = 0.2.0)
+ now: func() -> datetime;
+
+ /// Query the resolution of the clock.
+ ///
+ /// The nanoseconds field of the output is always less than 1000000000.
+ @since(version = 0.2.0)
+ resolution: func() -> datetime;
+}
diff --git a/proposals/cli/wit/deps/clocks/world.wit b/proposals/cli/wit/deps/clocks/world.wit
new file mode 100644
index 000000000..1655ca830
--- /dev/null
+++ b/proposals/cli/wit/deps/clocks/world.wit
@@ -0,0 +1,11 @@
+package wasi:clocks@0.2.8;
+
+@since(version = 0.2.0)
+world imports {
+ @since(version = 0.2.0)
+ import monotonic-clock;
+ @since(version = 0.2.0)
+ import wall-clock;
+ @unstable(feature = clocks-timezone)
+ import timezone;
+}
diff --git a/proposals/cli/wit/deps/filesystem/preopens.wit b/proposals/cli/wit/deps/filesystem/preopens.wit
new file mode 100644
index 000000000..0d2cca65d
--- /dev/null
+++ b/proposals/cli/wit/deps/filesystem/preopens.wit
@@ -0,0 +1,11 @@
+package wasi:filesystem@0.2.8;
+
+@since(version = 0.2.0)
+interface preopens {
+ @since(version = 0.2.0)
+ use types.{descriptor};
+
+ /// Return the set of preopened directories, and their paths.
+ @since(version = 0.2.0)
+ get-directories: func() -> list>;
+}
diff --git a/proposals/cli/wit/deps/filesystem/types.wit b/proposals/cli/wit/deps/filesystem/types.wit
new file mode 100644
index 000000000..ac68f88af
--- /dev/null
+++ b/proposals/cli/wit/deps/filesystem/types.wit
@@ -0,0 +1,676 @@
+package wasi:filesystem@0.2.8;
+/// WASI filesystem is a filesystem API primarily intended to let users run WASI
+/// programs that access their files on their existing filesystems, without
+/// significant overhead.
+///
+/// It is intended to be roughly portable between Unix-family platforms and
+/// Windows, though it does not hide many of the major differences.
+///
+/// Paths are passed as interface-type `string`s, meaning they must consist of
+/// a sequence of Unicode Scalar Values (USVs). Some filesystems may contain
+/// paths which are not accessible by this API.
+///
+/// The directory separator in WASI is always the forward-slash (`/`).
+///
+/// All paths in WASI are relative paths, and are interpreted relative to a
+/// `descriptor` referring to a base directory. If a `path` argument to any WASI
+/// function starts with `/`, or if any step of resolving a `path`, including
+/// `..` and symbolic link steps, reaches a directory outside of the base
+/// directory, or reaches a symlink to an absolute or rooted path in the
+/// underlying filesystem, the function fails with `error-code::not-permitted`.
+///
+/// For more information about WASI path resolution and sandboxing, see
+/// [WASI filesystem path resolution].
+///
+/// [WASI filesystem path resolution]: https://github.com/WebAssembly/wasi-filesystem/blob/main/path-resolution.md
+@since(version = 0.2.0)
+interface types {
+ @since(version = 0.2.0)
+ use wasi:io/streams@0.2.8.{input-stream, output-stream, error};
+ @since(version = 0.2.0)
+ use wasi:clocks/wall-clock@0.2.8.{datetime};
+
+ /// File size or length of a region within a file.
+ @since(version = 0.2.0)
+ type filesize = u64;
+
+ /// The type of a filesystem object referenced by a descriptor.
+ ///
+ /// Note: This was called `filetype` in earlier versions of WASI.
+ @since(version = 0.2.0)
+ enum descriptor-type {
+ /// The type of the descriptor or file is unknown or is different from
+ /// any of the other types specified.
+ unknown,
+ /// The descriptor refers to a block device inode.
+ block-device,
+ /// The descriptor refers to a character device inode.
+ character-device,
+ /// The descriptor refers to a directory inode.
+ directory,
+ /// The descriptor refers to a named pipe.
+ fifo,
+ /// The file refers to a symbolic link inode.
+ symbolic-link,
+ /// The descriptor refers to a regular file inode.
+ regular-file,
+ /// The descriptor refers to a socket.
+ socket,
+ }
+
+ /// Descriptor flags.
+ ///
+ /// Note: This was called `fdflags` in earlier versions of WASI.
+ @since(version = 0.2.0)
+ flags descriptor-flags {
+ /// Read mode: Data can be read.
+ read,
+ /// Write mode: Data can be written to.
+ write,
+ /// Request that writes be performed according to synchronized I/O file
+ /// integrity completion. The data stored in the file and the file's
+ /// metadata are synchronized. This is similar to `O_SYNC` in POSIX.
+ ///
+ /// The precise semantics of this operation have not yet been defined for
+ /// WASI. At this time, it should be interpreted as a request, and not a
+ /// requirement.
+ file-integrity-sync,
+ /// Request that writes be performed according to synchronized I/O data
+ /// integrity completion. Only the data stored in the file is
+ /// synchronized. This is similar to `O_DSYNC` in POSIX.
+ ///
+ /// The precise semantics of this operation have not yet been defined for
+ /// WASI. At this time, it should be interpreted as a request, and not a
+ /// requirement.
+ data-integrity-sync,
+ /// Requests that reads be performed at the same level of integrity
+ /// requested for writes. This is similar to `O_RSYNC` in POSIX.
+ ///
+ /// The precise semantics of this operation have not yet been defined for
+ /// WASI. At this time, it should be interpreted as a request, and not a
+ /// requirement.
+ requested-write-sync,
+ /// Mutating directories mode: Directory contents may be mutated.
+ ///
+ /// When this flag is unset on a descriptor, operations using the
+ /// descriptor which would create, rename, delete, modify the data or
+ /// metadata of filesystem objects, or obtain another handle which
+ /// would permit any of those, shall fail with `error-code::read-only` if
+ /// they would otherwise succeed.
+ ///
+ /// This may only be set on directories.
+ mutate-directory,
+ }
+
+ /// File attributes.
+ ///
+ /// Note: This was called `filestat` in earlier versions of WASI.
+ @since(version = 0.2.0)
+ record descriptor-stat {
+ /// File type.
+ %type: descriptor-type,
+ /// Number of hard links to the file.
+ link-count: link-count,
+ /// For regular files, the file size in bytes. For symbolic links, the
+ /// length in bytes of the pathname contained in the symbolic link.
+ size: filesize,
+ /// Last data access timestamp.
+ ///
+ /// If the `option` is none, the platform doesn't maintain an access
+ /// timestamp for this file.
+ data-access-timestamp: option,
+ /// Last data modification timestamp.
+ ///
+ /// If the `option` is none, the platform doesn't maintain a
+ /// modification timestamp for this file.
+ data-modification-timestamp: option,
+ /// Last file status-change timestamp.
+ ///
+ /// If the `option` is none, the platform doesn't maintain a
+ /// status-change timestamp for this file.
+ status-change-timestamp: option,
+ }
+
+ /// Flags determining the method of how paths are resolved.
+ @since(version = 0.2.0)
+ flags path-flags {
+ /// As long as the resolved path corresponds to a symbolic link, it is
+ /// expanded.
+ symlink-follow,
+ }
+
+ /// Open flags used by `open-at`.
+ @since(version = 0.2.0)
+ flags open-flags {
+ /// Create file if it does not exist, similar to `O_CREAT` in POSIX.
+ create,
+ /// Fail if not a directory, similar to `O_DIRECTORY` in POSIX.
+ directory,
+ /// Fail if file already exists, similar to `O_EXCL` in POSIX.
+ exclusive,
+ /// Truncate file to size 0, similar to `O_TRUNC` in POSIX.
+ truncate,
+ }
+
+ /// Number of hard links to an inode.
+ @since(version = 0.2.0)
+ type link-count = u64;
+
+ /// When setting a timestamp, this gives the value to set it to.
+ @since(version = 0.2.0)
+ variant new-timestamp {
+ /// Leave the timestamp set to its previous value.
+ no-change,
+ /// Set the timestamp to the current time of the system clock associated
+ /// with the filesystem.
+ now,
+ /// Set the timestamp to the given value.
+ timestamp(datetime),
+ }
+
+ /// A directory entry.
+ record directory-entry {
+ /// The type of the file referred to by this directory entry.
+ %type: descriptor-type,
+
+ /// The name of the object.
+ name: string,
+ }
+
+ /// Error codes returned by functions, similar to `errno` in POSIX.
+ /// Not all of these error codes are returned by the functions provided by this
+ /// API; some are used in higher-level library layers, and others are provided
+ /// merely for alignment with POSIX.
+ enum error-code {
+ /// Permission denied, similar to `EACCES` in POSIX.
+ access,
+ /// Resource unavailable, or operation would block, similar to `EAGAIN` and `EWOULDBLOCK` in POSIX.
+ would-block,
+ /// Connection already in progress, similar to `EALREADY` in POSIX.
+ already,
+ /// Bad descriptor, similar to `EBADF` in POSIX.
+ bad-descriptor,
+ /// Device or resource busy, similar to `EBUSY` in POSIX.
+ busy,
+ /// Resource deadlock would occur, similar to `EDEADLK` in POSIX.
+ deadlock,
+ /// Storage quota exceeded, similar to `EDQUOT` in POSIX.
+ quota,
+ /// File exists, similar to `EEXIST` in POSIX.
+ exist,
+ /// File too large, similar to `EFBIG` in POSIX.
+ file-too-large,
+ /// Illegal byte sequence, similar to `EILSEQ` in POSIX.
+ illegal-byte-sequence,
+ /// Operation in progress, similar to `EINPROGRESS` in POSIX.
+ in-progress,
+ /// Interrupted function, similar to `EINTR` in POSIX.
+ interrupted,
+ /// Invalid argument, similar to `EINVAL` in POSIX.
+ invalid,
+ /// I/O error, similar to `EIO` in POSIX.
+ io,
+ /// Is a directory, similar to `EISDIR` in POSIX.
+ is-directory,
+ /// Too many levels of symbolic links, similar to `ELOOP` in POSIX.
+ loop,
+ /// Too many links, similar to `EMLINK` in POSIX.
+ too-many-links,
+ /// Message too large, similar to `EMSGSIZE` in POSIX.
+ message-size,
+ /// Filename too long, similar to `ENAMETOOLONG` in POSIX.
+ name-too-long,
+ /// No such device, similar to `ENODEV` in POSIX.
+ no-device,
+ /// No such file or directory, similar to `ENOENT` in POSIX.
+ no-entry,
+ /// No locks available, similar to `ENOLCK` in POSIX.
+ no-lock,
+ /// Not enough space, similar to `ENOMEM` in POSIX.
+ insufficient-memory,
+ /// No space left on device, similar to `ENOSPC` in POSIX.
+ insufficient-space,
+ /// Not a directory or a symbolic link to a directory, similar to `ENOTDIR` in POSIX.
+ not-directory,
+ /// Directory not empty, similar to `ENOTEMPTY` in POSIX.
+ not-empty,
+ /// State not recoverable, similar to `ENOTRECOVERABLE` in POSIX.
+ not-recoverable,
+ /// Not supported, similar to `ENOTSUP` and `ENOSYS` in POSIX.
+ unsupported,
+ /// Inappropriate I/O control operation, similar to `ENOTTY` in POSIX.
+ no-tty,
+ /// No such device or address, similar to `ENXIO` in POSIX.
+ no-such-device,
+ /// Value too large to be stored in data type, similar to `EOVERFLOW` in POSIX.
+ overflow,
+ /// Operation not permitted, similar to `EPERM` in POSIX.
+ not-permitted,
+ /// Broken pipe, similar to `EPIPE` in POSIX.
+ pipe,
+ /// Read-only file system, similar to `EROFS` in POSIX.
+ read-only,
+ /// Invalid seek, similar to `ESPIPE` in POSIX.
+ invalid-seek,
+ /// Text file busy, similar to `ETXTBSY` in POSIX.
+ text-file-busy,
+ /// Cross-device link, similar to `EXDEV` in POSIX.
+ cross-device,
+ }
+
+ /// File or memory access pattern advisory information.
+ @since(version = 0.2.0)
+ enum advice {
+ /// The application has no advice to give on its behavior with respect
+ /// to the specified data.
+ normal,
+ /// The application expects to access the specified data sequentially
+ /// from lower offsets to higher offsets.
+ sequential,
+ /// The application expects to access the specified data in a random
+ /// order.
+ random,
+ /// The application expects to access the specified data in the near
+ /// future.
+ will-need,
+ /// The application expects that it will not access the specified data
+ /// in the near future.
+ dont-need,
+ /// The application expects to access the specified data once and then
+ /// not reuse it thereafter.
+ no-reuse,
+ }
+
+ /// A 128-bit hash value, split into parts because wasm doesn't have a
+ /// 128-bit integer type.
+ @since(version = 0.2.0)
+ record metadata-hash-value {
+ /// 64 bits of a 128-bit hash value.
+ lower: u64,
+ /// Another 64 bits of a 128-bit hash value.
+ upper: u64,
+ }
+
+ /// A descriptor is a reference to a filesystem object, which may be a file,
+ /// directory, named pipe, special file, or other object on which filesystem
+ /// calls may be made.
+ @since(version = 0.2.0)
+ resource descriptor {
+ /// Return a stream for reading from a file, if available.
+ ///
+ /// May fail with an error-code describing why the file cannot be read.
+ ///
+ /// Multiple read, write, and append streams may be active on the same open
+ /// file and they do not interfere with each other.
+ ///
+ /// Note: This allows using `read-stream`, which is similar to `read` in POSIX.
+ @since(version = 0.2.0)
+ read-via-stream: func(
+ /// The offset within the file at which to start reading.
+ offset: filesize,
+ ) -> result;
+
+ /// Return a stream for writing to a file, if available.
+ ///
+ /// May fail with an error-code describing why the file cannot be written.
+ ///
+ /// Note: This allows using `write-stream`, which is similar to `write` in
+ /// POSIX.
+ @since(version = 0.2.0)
+ write-via-stream: func(
+ /// The offset within the file at which to start writing.
+ offset: filesize,
+ ) -> result;
+
+ /// Return a stream for appending to a file, if available.
+ ///
+ /// May fail with an error-code describing why the file cannot be appended.
+ ///
+ /// Note: This allows using `write-stream`, which is similar to `write` with
+ /// `O_APPEND` in POSIX.
+ @since(version = 0.2.0)
+ append-via-stream: func() -> result;
+
+ /// Provide file advisory information on a descriptor.
+ ///
+ /// This is similar to `posix_fadvise` in POSIX.
+ @since(version = 0.2.0)
+ advise: func(
+ /// The offset within the file to which the advisory applies.
+ offset: filesize,
+ /// The length of the region to which the advisory applies.
+ length: filesize,
+ /// The advice.
+ advice: advice
+ ) -> result<_, error-code>;
+
+ /// Synchronize the data of a file to disk.
+ ///
+ /// This function succeeds with no effect if the file descriptor is not
+ /// opened for writing.
+ ///
+ /// Note: This is similar to `fdatasync` in POSIX.
+ @since(version = 0.2.0)
+ sync-data: func() -> result<_, error-code>;
+
+ /// Get flags associated with a descriptor.
+ ///
+ /// Note: This returns similar flags to `fcntl(fd, F_GETFL)` in POSIX.
+ ///
+ /// Note: This returns the value that was the `fs_flags` value returned
+ /// from `fdstat_get` in earlier versions of WASI.
+ @since(version = 0.2.0)
+ get-flags: func() -> result;
+
+ /// Get the dynamic type of a descriptor.
+ ///
+ /// Note: This returns the same value as the `type` field of the `fd-stat`
+ /// returned by `stat`, `stat-at` and similar.
+ ///
+ /// Note: This returns similar flags to the `st_mode & S_IFMT` value provided
+ /// by `fstat` in POSIX.
+ ///
+ /// Note: This returns the value that was the `fs_filetype` value returned
+ /// from `fdstat_get` in earlier versions of WASI.
+ @since(version = 0.2.0)
+ get-type: func() -> result;
+
+ /// Adjust the size of an open file. If this increases the file's size, the
+ /// extra bytes are filled with zeros.
+ ///
+ /// Note: This was called `fd_filestat_set_size` in earlier versions of WASI.
+ @since(version = 0.2.0)
+ set-size: func(size: filesize) -> result<_, error-code>;
+
+ /// Adjust the timestamps of an open file or directory.
+ ///
+ /// Note: This is similar to `futimens` in POSIX.
+ ///
+ /// Note: This was called `fd_filestat_set_times` in earlier versions of WASI.
+ @since(version = 0.2.0)
+ set-times: func(
+ /// The desired values of the data access timestamp.
+ data-access-timestamp: new-timestamp,
+ /// The desired values of the data modification timestamp.
+ data-modification-timestamp: new-timestamp,
+ ) -> result<_, error-code>;
+
+ /// Read from a descriptor, without using and updating the descriptor's offset.
+ ///
+ /// This function returns a list of bytes containing the data that was
+ /// read, along with a bool which, when true, indicates that the end of the
+ /// file was reached. The returned list will contain up to `length` bytes; it
+ /// may return fewer than requested, if the end of the file is reached or
+ /// if the I/O operation is interrupted.
+ ///
+ /// In the future, this may change to return a `stream`.
+ ///
+ /// Note: This is similar to `pread` in POSIX.
+ @since(version = 0.2.0)
+ read: func(
+ /// The maximum number of bytes to read.
+ length: filesize,
+ /// The offset within the file at which to read.
+ offset: filesize,
+ ) -> result, bool>, error-code>;
+
+ /// Write to a descriptor, without using and updating the descriptor's offset.
+ ///
+ /// It is valid to write past the end of a file; the file is extended to the
+ /// extent of the write, with bytes between the previous end and the start of
+ /// the write set to zero.
+ ///
+ /// In the future, this may change to take a `stream`.
+ ///
+ /// Note: This is similar to `pwrite` in POSIX.
+ @since(version = 0.2.0)
+ write: func(
+ /// Data to write
+ buffer: list,
+ /// The offset within the file at which to write.
+ offset: filesize,
+ ) -> result;
+
+ /// Read directory entries from a directory.
+ ///
+ /// On filesystems where directories contain entries referring to themselves
+ /// and their parents, often named `.` and `..` respectively, these entries
+ /// are omitted.
+ ///
+ /// This always returns a new stream which starts at the beginning of the
+ /// directory. Multiple streams may be active on the same directory, and they
+ /// do not interfere with each other.
+ @since(version = 0.2.0)
+ read-directory: func() -> result;
+
+ /// Synchronize the data and metadata of a file to disk.
+ ///
+ /// This function succeeds with no effect if the file descriptor is not
+ /// opened for writing.
+ ///
+ /// Note: This is similar to `fsync` in POSIX.
+ @since(version = 0.2.0)
+ sync: func() -> result<_, error-code>;
+
+ /// Create a directory.
+ ///
+ /// Note: This is similar to `mkdirat` in POSIX.
+ @since(version = 0.2.0)
+ create-directory-at: func(
+ /// The relative path at which to create the directory.
+ path: string,
+ ) -> result<_, error-code>;
+
+ /// Return the attributes of an open file or directory.
+ ///
+ /// Note: This is similar to `fstat` in POSIX, except that it does not return
+ /// device and inode information. For testing whether two descriptors refer to
+ /// the same underlying filesystem object, use `is-same-object`. To obtain
+ /// additional data that can be used do determine whether a file has been
+ /// modified, use `metadata-hash`.
+ ///
+ /// Note: This was called `fd_filestat_get` in earlier versions of WASI.
+ @since(version = 0.2.0)
+ stat: func() -> result;
+
+ /// Return the attributes of a file or directory.
+ ///
+ /// Note: This is similar to `fstatat` in POSIX, except that it does not
+ /// return device and inode information. See the `stat` description for a
+ /// discussion of alternatives.
+ ///
+ /// Note: This was called `path_filestat_get` in earlier versions of WASI.
+ @since(version = 0.2.0)
+ stat-at: func(
+ /// Flags determining the method of how the path is resolved.
+ path-flags: path-flags,
+ /// The relative path of the file or directory to inspect.
+ path: string,
+ ) -> result;
+
+ /// Adjust the timestamps of a file or directory.
+ ///
+ /// Note: This is similar to `utimensat` in POSIX.
+ ///
+ /// Note: This was called `path_filestat_set_times` in earlier versions of
+ /// WASI.
+ @since(version = 0.2.0)
+ set-times-at: func(
+ /// Flags determining the method of how the path is resolved.
+ path-flags: path-flags,
+ /// The relative path of the file or directory to operate on.
+ path: string,
+ /// The desired values of the data access timestamp.
+ data-access-timestamp: new-timestamp,
+ /// The desired values of the data modification timestamp.
+ data-modification-timestamp: new-timestamp,
+ ) -> result<_, error-code>;
+
+ /// Create a hard link.
+ ///
+ /// Fails with `error-code::no-entry` if the old path does not exist,
+ /// with `error-code::exist` if the new path already exists, and
+ /// `error-code::not-permitted` if the old path is not a file.
+ ///
+ /// Note: This is similar to `linkat` in POSIX.
+ @since(version = 0.2.0)
+ link-at: func(
+ /// Flags determining the method of how the path is resolved.
+ old-path-flags: path-flags,
+ /// The relative source path from which to link.
+ old-path: string,
+ /// The base directory for `new-path`.
+ new-descriptor: borrow,
+ /// The relative destination path at which to create the hard link.
+ new-path: string,
+ ) -> result<_, error-code>;
+
+ /// Open a file or directory.
+ ///
+ /// If `flags` contains `descriptor-flags::mutate-directory`, and the base
+ /// descriptor doesn't have `descriptor-flags::mutate-directory` set,
+ /// `open-at` fails with `error-code::read-only`.
+ ///
+ /// If `flags` contains `write` or `mutate-directory`, or `open-flags`
+ /// contains `truncate` or `create`, and the base descriptor doesn't have
+ /// `descriptor-flags::mutate-directory` set, `open-at` fails with
+ /// `error-code::read-only`.
+ ///
+ /// Note: This is similar to `openat` in POSIX.
+ @since(version = 0.2.0)
+ open-at: func(
+ /// Flags determining the method of how the path is resolved.
+ path-flags: path-flags,
+ /// The relative path of the object to open.
+ path: string,
+ /// The method by which to open the file.
+ open-flags: open-flags,
+ /// Flags to use for the resulting descriptor.
+ %flags: descriptor-flags,
+ ) -> result;
+
+ /// Read the contents of a symbolic link.
+ ///
+ /// If the contents contain an absolute or rooted path in the underlying
+ /// filesystem, this function fails with `error-code::not-permitted`.
+ ///
+ /// Note: This is similar to `readlinkat` in POSIX.
+ @since(version = 0.2.0)
+ readlink-at: func(
+ /// The relative path of the symbolic link from which to read.
+ path: string,
+ ) -> result;
+
+ /// Remove a directory.
+ ///
+ /// Return `error-code::not-empty` if the directory is not empty.
+ ///
+ /// Note: This is similar to `unlinkat(fd, path, AT_REMOVEDIR)` in POSIX.
+ @since(version = 0.2.0)
+ remove-directory-at: func(
+ /// The relative path to a directory to remove.
+ path: string,
+ ) -> result<_, error-code>;
+
+ /// Rename a filesystem object.
+ ///
+ /// Note: This is similar to `renameat` in POSIX.
+ @since(version = 0.2.0)
+ rename-at: func(
+ /// The relative source path of the file or directory to rename.
+ old-path: string,
+ /// The base directory for `new-path`.
+ new-descriptor: borrow,
+ /// The relative destination path to which to rename the file or directory.
+ new-path: string,
+ ) -> result<_, error-code>;
+
+ /// Create a symbolic link (also known as a "symlink").
+ ///
+ /// If `old-path` starts with `/`, the function fails with
+ /// `error-code::not-permitted`.
+ ///
+ /// Note: This is similar to `symlinkat` in POSIX.
+ @since(version = 0.2.0)
+ symlink-at: func(
+ /// The contents of the symbolic link.
+ old-path: string,
+ /// The relative destination path at which to create the symbolic link.
+ new-path: string,
+ ) -> result<_, error-code>;
+
+ /// Unlink a filesystem object that is not a directory.
+ ///
+ /// Return `error-code::is-directory` if the path refers to a directory.
+ /// Note: This is similar to `unlinkat(fd, path, 0)` in POSIX.
+ @since(version = 0.2.0)
+ unlink-file-at: func(
+ /// The relative path to a file to unlink.
+ path: string,
+ ) -> result<_, error-code>;
+
+ /// Test whether two descriptors refer to the same filesystem object.
+ ///
+ /// In POSIX, this corresponds to testing whether the two descriptors have the
+ /// same device (`st_dev`) and inode (`st_ino` or `d_ino`) numbers.
+ /// wasi-filesystem does not expose device and inode numbers, so this function
+ /// may be used instead.
+ @since(version = 0.2.0)
+ is-same-object: func(other: borrow) -> bool;
+
+ /// Return a hash of the metadata associated with a filesystem object referred
+ /// to by a descriptor.
+ ///
+ /// This returns a hash of the last-modification timestamp and file size, and
+ /// may also include the inode number, device number, birth timestamp, and
+ /// other metadata fields that may change when the file is modified or
+ /// replaced. It may also include a secret value chosen by the
+ /// implementation and not otherwise exposed.
+ ///
+ /// Implementations are encouraged to provide the following properties:
+ ///
+ /// - If the file is not modified or replaced, the computed hash value should
+ /// usually not change.
+ /// - If the object is modified or replaced, the computed hash value should
+ /// usually change.
+ /// - The inputs to the hash should not be easily computable from the
+ /// computed hash.
+ ///
+ /// However, none of these is required.
+ @since(version = 0.2.0)
+ metadata-hash: func() -> result;
+
+ /// Return a hash of the metadata associated with a filesystem object referred
+ /// to by a directory descriptor and a relative path.
+ ///
+ /// This performs the same hash computation as `metadata-hash`.
+ @since(version = 0.2.0)
+ metadata-hash-at: func(
+ /// Flags determining the method of how the path is resolved.
+ path-flags: path-flags,
+ /// The relative path of the file or directory to inspect.
+ path: string,
+ ) -> result;
+ }
+
+ /// A stream of directory entries.
+ @since(version = 0.2.0)
+ resource directory-entry-stream {
+ /// Read a single directory entry from a `directory-entry-stream`.
+ @since(version = 0.2.0)
+ read-directory-entry: func() -> result, error-code>;
+ }
+
+ /// Attempts to extract a filesystem-related `error-code` from the stream
+ /// `error` provided.
+ ///
+ /// Stream operations which return `stream-error::last-operation-failed`
+ /// have a payload with more information about the operation that failed.
+ /// This payload can be passed through to this function to see if there's
+ /// filesystem-related information about the error to return.
+ ///
+ /// Note that this function is fallible because not all stream-related
+ /// errors are filesystem-related errors.
+ @since(version = 0.2.0)
+ filesystem-error-code: func(err: borrow) -> option;
+}
diff --git a/proposals/cli/wit/deps/filesystem/world.wit b/proposals/cli/wit/deps/filesystem/world.wit
new file mode 100644
index 000000000..7daf06758
--- /dev/null
+++ b/proposals/cli/wit/deps/filesystem/world.wit
@@ -0,0 +1,9 @@
+package wasi:filesystem@0.2.8;
+
+@since(version = 0.2.0)
+world imports {
+ @since(version = 0.2.0)
+ import types;
+ @since(version = 0.2.0)
+ import preopens;
+}
diff --git a/proposals/cli/wit/deps/io/error.wit b/proposals/cli/wit/deps/io/error.wit
new file mode 100644
index 000000000..dd5a1af03
--- /dev/null
+++ b/proposals/cli/wit/deps/io/error.wit
@@ -0,0 +1,34 @@
+package wasi:io@0.2.8;
+
+@since(version = 0.2.0)
+interface error {
+ /// A resource which represents some error information.
+ ///
+ /// The only method provided by this resource is `to-debug-string`,
+ /// which provides some human-readable information about the error.
+ ///
+ /// In the `wasi:io` package, this resource is returned through the
+ /// `wasi:io/streams/stream-error` type.
+ ///
+ /// To provide more specific error information, other interfaces may
+ /// offer functions to "downcast" this error into more specific types. For example,
+ /// errors returned from streams derived from filesystem types can be described using
+ /// the filesystem's own error-code type. This is done using the function
+ /// `wasi:filesystem/types/filesystem-error-code`, which takes a `borrow`
+ /// parameter and returns an `option`.
+ ///
+ /// The set of functions which can "downcast" an `error` into a more
+ /// concrete type is open.
+ @since(version = 0.2.0)
+ resource error {
+ /// Returns a string that is suitable to assist humans in debugging
+ /// this error.
+ ///
+ /// WARNING: The returned string should not be consumed mechanically!
+ /// It may change across platforms, hosts, or other implementation
+ /// details. Parsing this string is a major platform-compatibility
+ /// hazard.
+ @since(version = 0.2.0)
+ to-debug-string: func() -> string;
+ }
+}
diff --git a/proposals/cli/wit/deps/io/poll.wit b/proposals/cli/wit/deps/io/poll.wit
new file mode 100644
index 000000000..833b381d9
--- /dev/null
+++ b/proposals/cli/wit/deps/io/poll.wit
@@ -0,0 +1,47 @@
+package wasi:io@0.2.8;
+
+/// A poll API intended to let users wait for I/O events on multiple handles
+/// at once.
+@since(version = 0.2.0)
+interface poll {
+ /// `pollable` represents a single I/O event which may be ready, or not.
+ @since(version = 0.2.0)
+ resource pollable {
+
+ /// Return the readiness of a pollable. This function never blocks.
+ ///
+ /// Returns `true` when the pollable is ready, and `false` otherwise.
+ @since(version = 0.2.0)
+ ready: func() -> bool;
+
+ /// `block` returns immediately if the pollable is ready, and otherwise
+ /// blocks until ready.
+ ///
+ /// This function is equivalent to calling `poll.poll` on a list
+ /// containing only this pollable.
+ @since(version = 0.2.0)
+ block: func();
+ }
+
+ /// Poll for completion on a set of pollables.
+ ///
+ /// This function takes a list of pollables, which identify I/O sources of
+ /// interest, and waits until one or more of the events is ready for I/O.
+ ///
+ /// The result `list` contains one or more indices of handles in the
+ /// argument list that is ready for I/O.
+ ///
+ /// This function traps if either:
+ /// - the list is empty, or:
+ /// - the list contains more elements than can be indexed with a `u32` value.
+ ///
+ /// A timeout can be implemented by adding a pollable from the
+ /// wasi-clocks API to the list.
+ ///
+ /// This function does not return a `result`; polling in itself does not
+ /// do any I/O so it doesn't fail. If any of the I/O sources identified by
+ /// the pollables has an error, it is indicated by marking the source as
+ /// being ready for I/O.
+ @since(version = 0.2.0)
+ poll: func(in: list>) -> list;
+}
diff --git a/proposals/cli/wit/deps/io/streams.wit b/proposals/cli/wit/deps/io/streams.wit
new file mode 100644
index 000000000..fbb0268b0
--- /dev/null
+++ b/proposals/cli/wit/deps/io/streams.wit
@@ -0,0 +1,258 @@
+package wasi:io@0.2.8;
+
+/// WASI I/O is an I/O abstraction API which is currently focused on providing
+/// stream types.
+///
+/// In the future, the component model is expected to add built-in stream types;
+/// when it does, they are expected to subsume this API.
+@since(version = 0.2.0)
+interface streams {
+ @since(version = 0.2.0)
+ use error.{error};
+ @since(version = 0.2.0)
+ use poll.{pollable};
+
+ /// An error for input-stream and output-stream operations.
+ @since(version = 0.2.0)
+ variant stream-error {
+ /// The last operation (a write or flush) failed before completion.
+ ///
+ /// More information is available in the `error` payload.
+ ///
+ /// After this, the stream will be closed. All future operations return
+ /// `stream-error::closed`.
+ last-operation-failed(error),
+ /// The stream is closed: no more input will be accepted by the
+ /// stream. A closed output-stream will return this error on all
+ /// future operations.
+ closed
+ }
+
+ /// An input bytestream.
+ ///
+ /// `input-stream`s are *non-blocking* to the extent practical on underlying
+ /// platforms. I/O operations always return promptly; if fewer bytes are
+ /// promptly available than requested, they return the number of bytes promptly
+ /// available, which could even be zero. To wait for data to be available,
+ /// use the `subscribe` function to obtain a `pollable` which can be polled
+ /// for using `wasi:io/poll`.
+ @since(version = 0.2.0)
+ resource input-stream {
+ /// Perform a non-blocking read from the stream.
+ ///
+ /// When the source of a `read` is binary data, the bytes from the source
+ /// are returned verbatim. When the source of a `read` is known to the
+ /// implementation to be text, bytes containing the UTF-8 encoding of the
+ /// text are returned.
+ ///
+ /// This function returns a list of bytes containing the read data,
+ /// when successful. The returned list will contain up to `len` bytes;
+ /// it may return fewer than requested, but not more. The list is
+ /// empty when no bytes are available for reading at this time. The
+ /// pollable given by `subscribe` will be ready when more bytes are
+ /// available.
+ ///
+ /// This function fails with a `stream-error` when the operation
+ /// encounters an error, giving `last-operation-failed`, or when the
+ /// stream is closed, giving `closed`.
+ ///
+ /// When the caller gives a `len` of 0, it represents a request to
+ /// read 0 bytes. If the stream is still open, this call should
+ /// succeed and return an empty list, or otherwise fail with `closed`.
+ ///
+ /// The `len` parameter is a `u64`, which could represent a list of u8 which
+ /// is not possible to allocate in wasm32, or not desirable to allocate as
+ /// as a return value by the callee. The callee may return a list of bytes
+ /// less than `len` in size while more bytes are available for reading.
+ @since(version = 0.2.0)
+ read: func(
+ /// The maximum number of bytes to read
+ len: u64
+ ) -> result, stream-error>;
+
+ /// Read bytes from a stream, after blocking until at least one byte can
+ /// be read. Except for blocking, behavior is identical to `read`.
+ @since(version = 0.2.0)
+ blocking-read: func(
+ /// The maximum number of bytes to read
+ len: u64
+ ) -> result, stream-error>;
+
+ /// Skip bytes from a stream. Returns number of bytes skipped.
+ ///
+ /// Behaves identical to `read`, except instead of returning a list
+ /// of bytes, returns the number of bytes consumed from the stream.
+ @since(version = 0.2.0)
+ skip: func(
+ /// The maximum number of bytes to skip.
+ len: u64,
+ ) -> result;
+
+ /// Skip bytes from a stream, after blocking until at least one byte
+ /// can be skipped. Except for blocking behavior, identical to `skip`.
+ @since(version = 0.2.0)
+ blocking-skip: func(
+ /// The maximum number of bytes to skip.
+ len: u64,
+ ) -> result;
+
+ /// Create a `pollable` which will resolve once either the specified stream
+ /// has bytes available to read or the other end of the stream has been
+ /// closed.
+ /// The created `pollable` is a child resource of the `input-stream`.
+ /// Implementations may trap if the `input-stream` is dropped before
+ /// all derived `pollable`s created with this function are dropped.
+ @since(version = 0.2.0)
+ subscribe: func() -> pollable;
+ }
+
+
+ /// An output bytestream.
+ ///
+ /// `output-stream`s are *non-blocking* to the extent practical on
+ /// underlying platforms. Except where specified otherwise, I/O operations also
+ /// always return promptly, after the number of bytes that can be written
+ /// promptly, which could even be zero. To wait for the stream to be ready to
+ /// accept data, the `subscribe` function to obtain a `pollable` which can be
+ /// polled for using `wasi:io/poll`.
+ ///
+ /// Dropping an `output-stream` while there's still an active write in
+ /// progress may result in the data being lost. Before dropping the stream,
+ /// be sure to fully flush your writes.
+ @since(version = 0.2.0)
+ resource output-stream {
+ /// Check readiness for writing. This function never blocks.
+ ///
+ /// Returns the number of bytes permitted for the next call to `write`,
+ /// or an error. Calling `write` with more bytes than this function has
+ /// permitted will trap.
+ ///
+ /// When this function returns 0 bytes, the `subscribe` pollable will
+ /// become ready when this function will report at least 1 byte, or an
+ /// error.
+ @since(version = 0.2.0)
+ check-write: func() -> result;
+
+ /// Perform a write. This function never blocks.
+ ///
+ /// When the destination of a `write` is binary data, the bytes from
+ /// `contents` are written verbatim. When the destination of a `write` is
+ /// known to the implementation to be text, the bytes of `contents` are
+ /// transcoded from UTF-8 into the encoding of the destination and then
+ /// written.
+ ///
+ /// Precondition: check-write gave permit of Ok(n) and contents has a
+ /// length of less than or equal to n. Otherwise, this function will trap.
+ ///
+ /// returns Err(closed) without writing if the stream has closed since
+ /// the last call to check-write provided a permit.
+ @since(version = 0.2.0)
+ write: func(
+ contents: list
+ ) -> result<_, stream-error>;
+
+ /// Perform a write of up to 4096 bytes, and then flush the stream. Block
+ /// until all of these operations are complete, or an error occurs.
+ ///
+ /// Returns success when all of the contents written are successfully
+ /// flushed to output. If an error occurs at any point before all
+ /// contents are successfully flushed, that error is returned as soon as
+ /// possible. If writing and flushing the complete contents causes the
+ /// stream to become closed, this call should return success, and
+ /// subsequent calls to check-write or other interfaces should return
+ /// stream-error::closed.
+ @since(version = 0.2.0)
+ blocking-write-and-flush: func(
+ contents: list
+ ) -> result<_, stream-error>;
+
+ /// Request to flush buffered output. This function never blocks.
+ ///
+ /// This tells the output-stream that the caller intends any buffered
+ /// output to be flushed. the output which is expected to be flushed
+ /// is all that has been passed to `write` prior to this call.
+ ///
+ /// Upon calling this function, the `output-stream` will not accept any
+ /// writes (`check-write` will return `ok(0)`) until the flush has
+ /// completed. The `subscribe` pollable will become ready when the
+ /// flush has completed and the stream can accept more writes.
+ @since(version = 0.2.0)
+ flush: func() -> result<_, stream-error>;
+
+ /// Request to flush buffered output, and block until flush completes
+ /// and stream is ready for writing again.
+ @since(version = 0.2.0)
+ blocking-flush: func() -> result<_, stream-error>;
+
+ /// Create a `pollable` which will resolve once the output-stream
+ /// is ready for more writing, or an error has occurred. When this
+ /// pollable is ready, `check-write` will return `ok(n)` with n>0, or an
+ /// error.
+ ///
+ /// If the stream is closed, this pollable is always ready immediately.
+ ///
+ /// The created `pollable` is a child resource of the `output-stream`.
+ /// Implementations may trap if the `output-stream` is dropped before
+ /// all derived `pollable`s created with this function are dropped.
+ @since(version = 0.2.0)
+ subscribe: func() -> pollable;
+
+ /// Write zeroes to a stream.
+ ///
+ /// This should be used precisely like `write` with the exact same
+ /// preconditions (must use check-write first), but instead of
+ /// passing a list of bytes, you simply pass the number of zero-bytes
+ /// that should be written.
+ @since(version = 0.2.0)
+ write-zeroes: func(
+ /// The number of zero-bytes to write
+ len: u64
+ ) -> result<_, stream-error>;
+
+ /// Perform a write of up to 4096 zeroes, and then flush the stream.
+ /// Block until all of these operations are complete, or an error
+ /// occurs.
+ ///
+ /// Functionality is equivelant to `blocking-write-and-flush` with
+ /// contents given as a list of len containing only zeroes.
+ @since(version = 0.2.0)
+ blocking-write-zeroes-and-flush: func(
+ /// The number of zero-bytes to write
+ len: u64
+ ) -> result<_, stream-error>;
+
+ /// Read from one stream and write to another.
+ ///
+ /// The behavior of splice is equivalent to:
+ /// 1. calling `check-write` on the `output-stream`
+ /// 2. calling `read` on the `input-stream` with the smaller of the
+ /// `check-write` permitted length and the `len` provided to `splice`
+ /// 3. calling `write` on the `output-stream` with that read data.
+ ///
+ /// Any error reported by the call to `check-write`, `read`, or
+ /// `write` ends the splice and reports that error.
+ ///
+ /// This function returns the number of bytes transferred; it may be less
+ /// than `len`.
+ @since(version = 0.2.0)
+ splice: func(
+ /// The stream to read from
+ src: borrow,
+ /// The number of bytes to splice
+ len: u64,
+ ) -> result;
+
+ /// Read from one stream and write to another, with blocking.
+ ///
+ /// This is similar to `splice`, except that it blocks until the
+ /// `output-stream` is ready for writing, and the `input-stream`
+ /// is ready for reading, before performing the `splice`.
+ @since(version = 0.2.0)
+ blocking-splice: func(
+ /// The stream to read from
+ src: borrow,
+ /// The number of bytes to splice
+ len: u64,
+ ) -> result;
+ }
+}
diff --git a/proposals/cli/wit/deps/io/world.wit b/proposals/cli/wit/deps/io/world.wit
new file mode 100644
index 000000000..1cc3fce12
--- /dev/null
+++ b/proposals/cli/wit/deps/io/world.wit
@@ -0,0 +1,10 @@
+package wasi:io@0.2.8;
+
+@since(version = 0.2.0)
+world imports {
+ @since(version = 0.2.0)
+ import streams;
+
+ @since(version = 0.2.0)
+ import poll;
+}
diff --git a/proposals/cli/wit/deps/random/insecure-seed.wit b/proposals/cli/wit/deps/random/insecure-seed.wit
new file mode 100644
index 000000000..b2b435e55
--- /dev/null
+++ b/proposals/cli/wit/deps/random/insecure-seed.wit
@@ -0,0 +1,27 @@
+package wasi:random@0.2.8;
+/// The insecure-seed interface for seeding hash-map DoS resistance.
+///
+/// It is intended to be portable at least between Unix-family platforms and
+/// Windows.
+@since(version = 0.2.0)
+interface insecure-seed {
+ /// Return a 128-bit value that may contain a pseudo-random value.
+ ///
+ /// The returned value is not required to be computed from a CSPRNG, and may
+ /// even be entirely deterministic. Host implementations are encouraged to
+ /// provide pseudo-random values to any program exposed to
+ /// attacker-controlled content, to enable DoS protection built into many
+ /// languages' hash-map implementations.
+ ///
+ /// This function is intended to only be called once, by a source language
+ /// to initialize Denial Of Service (DoS) protection in its hash-map
+ /// implementation.
+ ///
+ /// # Expected future evolution
+ ///
+ /// This will likely be changed to a value import, to prevent it from being
+ /// called multiple times and potentially used for purposes other than DoS
+ /// protection.
+ @since(version = 0.2.0)
+ insecure-seed: func() -> tuple;
+}
diff --git a/proposals/cli/wit/deps/random/insecure.wit b/proposals/cli/wit/deps/random/insecure.wit
new file mode 100644
index 000000000..6dc77adec
--- /dev/null
+++ b/proposals/cli/wit/deps/random/insecure.wit
@@ -0,0 +1,25 @@
+package wasi:random@0.2.8;
+/// The insecure interface for insecure pseudo-random numbers.
+///
+/// It is intended to be portable at least between Unix-family platforms and
+/// Windows.
+@since(version = 0.2.0)
+interface insecure {
+ /// Return `len` insecure pseudo-random bytes.
+ ///
+ /// This function is not cryptographically secure. Do not use it for
+ /// anything related to security.
+ ///
+ /// There are no requirements on the values of the returned bytes, however
+ /// implementations are encouraged to return evenly distributed values with
+ /// a long period.
+ @since(version = 0.2.0)
+ get-insecure-random-bytes: func(len: u64) -> list;
+
+ /// Return an insecure pseudo-random `u64` value.
+ ///
+ /// This function returns the same type of pseudo-random data as
+ /// `get-insecure-random-bytes`, represented as a `u64`.
+ @since(version = 0.2.0)
+ get-insecure-random-u64: func() -> u64;
+}
diff --git a/proposals/cli/wit/deps/random/random.wit b/proposals/cli/wit/deps/random/random.wit
new file mode 100644
index 000000000..524e77d4a
--- /dev/null
+++ b/proposals/cli/wit/deps/random/random.wit
@@ -0,0 +1,29 @@
+package wasi:random@0.2.8;
+/// WASI Random is a random data API.
+///
+/// It is intended to be portable at least between Unix-family platforms and
+/// Windows.
+@since(version = 0.2.0)
+interface random {
+ /// Return `len` cryptographically-secure random or pseudo-random bytes.
+ ///
+ /// This function must produce data at least as cryptographically secure and
+ /// fast as an adequately seeded cryptographically-secure pseudo-random
+ /// number generator (CSPRNG). It must not block, from the perspective of
+ /// the calling program, under any circumstances, including on the first
+ /// request and on requests for numbers of bytes. The returned data must
+ /// always be unpredictable.
+ ///
+ /// This function must always return fresh data. Deterministic environments
+ /// must omit this function, rather than implementing it with deterministic
+ /// data.
+ @since(version = 0.2.0)
+ get-random-bytes: func(len: u64) -> list;
+
+ /// Return a cryptographically-secure random or pseudo-random `u64` value.
+ ///
+ /// This function returns the same type of data as `get-random-bytes`,
+ /// represented as a `u64`.
+ @since(version = 0.2.0)
+ get-random-u64: func() -> u64;
+}
diff --git a/proposals/cli/wit/deps/random/world.wit b/proposals/cli/wit/deps/random/world.wit
new file mode 100644
index 000000000..c0c3272c9
--- /dev/null
+++ b/proposals/cli/wit/deps/random/world.wit
@@ -0,0 +1,13 @@
+package wasi:random@0.2.8;
+
+@since(version = 0.2.0)
+world imports {
+ @since(version = 0.2.0)
+ import random;
+
+ @since(version = 0.2.0)
+ import insecure;
+
+ @since(version = 0.2.0)
+ import insecure-seed;
+}
diff --git a/proposals/cli/wit/deps/sockets/instance-network.wit b/proposals/cli/wit/deps/sockets/instance-network.wit
new file mode 100644
index 000000000..5f6e6c1cc
--- /dev/null
+++ b/proposals/cli/wit/deps/sockets/instance-network.wit
@@ -0,0 +1,11 @@
+
+/// This interface provides a value-export of the default network handle..
+@since(version = 0.2.0)
+interface instance-network {
+ @since(version = 0.2.0)
+ use network.{network};
+
+ /// Get a handle to the default network.
+ @since(version = 0.2.0)
+ instance-network: func() -> network;
+}
diff --git a/proposals/cli/wit/deps/sockets/ip-name-lookup.wit b/proposals/cli/wit/deps/sockets/ip-name-lookup.wit
new file mode 100644
index 000000000..ecdaa8493
--- /dev/null
+++ b/proposals/cli/wit/deps/sockets/ip-name-lookup.wit
@@ -0,0 +1,56 @@
+@since(version = 0.2.0)
+interface ip-name-lookup {
+ @since(version = 0.2.0)
+ use wasi:io/poll@0.2.8.{pollable};
+ @since(version = 0.2.0)
+ use network.{network, error-code, ip-address};
+
+ /// Resolve an internet host name to a list of IP addresses.
+ ///
+ /// Unicode domain names are automatically converted to ASCII using IDNA encoding.
+ /// If the input is an IP address string, the address is parsed and returned
+ /// as-is without making any external requests.
+ ///
+ /// See the wasi-socket proposal README.md for a comparison with getaddrinfo.
+ ///
+ /// This function never blocks. It either immediately fails or immediately
+ /// returns successfully with a `resolve-address-stream` that can be used
+ /// to (asynchronously) fetch the results.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: `name` is a syntactically invalid domain name or IP address.
+ ///
+ /// # References:
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.2.0)
+ resolve-addresses: func(network: borrow, name: string) -> result;
+
+ @since(version = 0.2.0)
+ resource resolve-address-stream {
+ /// Returns the next address from the resolver.
+ ///
+ /// This function should be called multiple times. On each call, it will
+ /// return the next address in connection order preference. If all
+ /// addresses have been exhausted, this function returns `none`.
+ ///
+ /// This function never returns IPv4-mapped IPv6 addresses.
+ ///
+ /// # Typical errors
+ /// - `name-unresolvable`: Name does not exist or has no suitable associated IP addresses. (EAI_NONAME, EAI_NODATA, EAI_ADDRFAMILY)
+ /// - `temporary-resolver-failure`: A temporary failure in name resolution occurred. (EAI_AGAIN)
+ /// - `permanent-resolver-failure`: A permanent failure in name resolution occurred. (EAI_FAIL)
+ /// - `would-block`: A result is not available yet. (EWOULDBLOCK, EAGAIN)
+ @since(version = 0.2.0)
+ resolve-next-address: func() -> result, error-code>;
+
+ /// Create a `pollable` which will resolve once the stream is ready for I/O.
+ ///
+ /// Note: this function is here for WASI 0.2 only.
+ /// It's planned to be removed when `future` is natively supported in Preview3.
+ @since(version = 0.2.0)
+ subscribe: func() -> pollable;
+ }
+}
diff --git a/proposals/cli/wit/deps/sockets/network.wit b/proposals/cli/wit/deps/sockets/network.wit
new file mode 100644
index 000000000..75a4f7d7f
--- /dev/null
+++ b/proposals/cli/wit/deps/sockets/network.wit
@@ -0,0 +1,169 @@
+@since(version = 0.2.0)
+interface network {
+ @unstable(feature = network-error-code)
+ use wasi:io/error@0.2.8.{error};
+
+ /// An opaque resource that represents access to (a subset of) the network.
+ /// This enables context-based security for networking.
+ /// There is no need for this to map 1:1 to a physical network interface.
+ @since(version = 0.2.0)
+ resource network;
+
+ /// Error codes.
+ ///
+ /// In theory, every API can return any error code.
+ /// In practice, API's typically only return the errors documented per API
+ /// combined with a couple of errors that are always possible:
+ /// - `unknown`
+ /// - `access-denied`
+ /// - `not-supported`
+ /// - `out-of-memory`
+ /// - `concurrency-conflict`
+ ///
+ /// See each individual API for what the POSIX equivalents are. They sometimes differ per API.
+ @since(version = 0.2.0)
+ enum error-code {
+ /// Unknown error
+ unknown,
+
+ /// Access denied.
+ ///
+ /// POSIX equivalent: EACCES, EPERM
+ access-denied,
+
+ /// The operation is not supported.
+ ///
+ /// POSIX equivalent: EOPNOTSUPP
+ not-supported,
+
+ /// One of the arguments is invalid.
+ ///
+ /// POSIX equivalent: EINVAL
+ invalid-argument,
+
+ /// Not enough memory to complete the operation.
+ ///
+ /// POSIX equivalent: ENOMEM, ENOBUFS, EAI_MEMORY
+ out-of-memory,
+
+ /// The operation timed out before it could finish completely.
+ timeout,
+
+ /// This operation is incompatible with another asynchronous operation that is already in progress.
+ ///
+ /// POSIX equivalent: EALREADY
+ concurrency-conflict,
+
+ /// Trying to finish an asynchronous operation that:
+ /// - has not been started yet, or:
+ /// - was already finished by a previous `finish-*` call.
+ ///
+ /// Note: this is scheduled to be removed when `future`s are natively supported.
+ not-in-progress,
+
+ /// The operation has been aborted because it could not be completed immediately.
+ ///
+ /// Note: this is scheduled to be removed when `future`s are natively supported.
+ would-block,
+
+
+ /// The operation is not valid in the socket's current state.
+ invalid-state,
+
+ /// A new socket resource could not be created because of a system limit.
+ new-socket-limit,
+
+ /// A bind operation failed because the provided address is not an address that the `network` can bind to.
+ address-not-bindable,
+
+ /// A bind operation failed because the provided address is already in use or because there are no ephemeral ports available.
+ address-in-use,
+
+ /// The remote address is not reachable
+ remote-unreachable,
+
+
+ /// The TCP connection was forcefully rejected
+ connection-refused,
+
+ /// The TCP connection was reset.
+ connection-reset,
+
+ /// A TCP connection was aborted.
+ connection-aborted,
+
+
+ /// The size of a datagram sent to a UDP socket exceeded the maximum
+ /// supported size.
+ datagram-too-large,
+
+
+ /// Name does not exist or has no suitable associated IP addresses.
+ name-unresolvable,
+
+ /// A temporary failure in name resolution occurred.
+ temporary-resolver-failure,
+
+ /// A permanent failure in name resolution occurred.
+ permanent-resolver-failure,
+ }
+
+ /// Attempts to extract a network-related `error-code` from the stream
+ /// `error` provided.
+ ///
+ /// Stream operations which return `stream-error::last-operation-failed`
+ /// have a payload with more information about the operation that failed.
+ /// This payload can be passed through to this function to see if there's
+ /// network-related information about the error to return.
+ ///
+ /// Note that this function is fallible because not all stream-related
+ /// errors are network-related errors.
+ @unstable(feature = network-error-code)
+ network-error-code: func(err: borrow) -> option;
+
+ @since(version = 0.2.0)
+ enum ip-address-family {
+ /// Similar to `AF_INET` in POSIX.
+ ipv4,
+
+ /// Similar to `AF_INET6` in POSIX.
+ ipv6,
+ }
+
+ @since(version = 0.2.0)
+ type ipv4-address = tuple;
+ @since(version = 0.2.0)
+ type ipv6-address = tuple;
+
+ @since(version = 0.2.0)
+ variant ip-address {
+ ipv4(ipv4-address),
+ ipv6(ipv6-address),
+ }
+
+ @since(version = 0.2.0)
+ record ipv4-socket-address {
+ /// sin_port
+ port: u16,
+ /// sin_addr
+ address: ipv4-address,
+ }
+
+ @since(version = 0.2.0)
+ record ipv6-socket-address {
+ /// sin6_port
+ port: u16,
+ /// sin6_flowinfo
+ flow-info: u32,
+ /// sin6_addr
+ address: ipv6-address,
+ /// sin6_scope_id
+ scope-id: u32,
+ }
+
+ @since(version = 0.2.0)
+ variant ip-socket-address {
+ ipv4(ipv4-socket-address),
+ ipv6(ipv6-socket-address),
+ }
+}
diff --git a/proposals/cli/wit/deps/sockets/tcp-create-socket.wit b/proposals/cli/wit/deps/sockets/tcp-create-socket.wit
new file mode 100644
index 000000000..eedbd3076
--- /dev/null
+++ b/proposals/cli/wit/deps/sockets/tcp-create-socket.wit
@@ -0,0 +1,30 @@
+@since(version = 0.2.0)
+interface tcp-create-socket {
+ @since(version = 0.2.0)
+ use network.{network, error-code, ip-address-family};
+ @since(version = 0.2.0)
+ use tcp.{tcp-socket};
+
+ /// Create a new TCP socket.
+ ///
+ /// Similar to `socket(AF_INET or AF_INET6, SOCK_STREAM, IPPROTO_TCP)` in POSIX.
+ /// On IPv6 sockets, IPV6_V6ONLY is enabled by default and can't be configured otherwise.
+ ///
+ /// This function does not require a network capability handle. This is considered to be safe because
+ /// at time of creation, the socket is not bound to any `network` yet. Up to the moment `bind`/`connect`
+ /// is called, the socket is effectively an in-memory configuration object, unable to communicate with the outside world.
+ ///
+ /// All sockets are non-blocking. Use the wasi-poll interface to block on asynchronous operations.
+ ///
+ /// # Typical errors
+ /// - `not-supported`: The specified `address-family` is not supported. (EAFNOSUPPORT)
+ /// - `new-socket-limit`: The new socket resource could not be created because of a system limit. (EMFILE, ENFILE)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.2.0)
+ create-tcp-socket: func(address-family: ip-address-family) -> result;
+}
diff --git a/proposals/cli/wit/deps/sockets/tcp.wit b/proposals/cli/wit/deps/sockets/tcp.wit
new file mode 100644
index 000000000..9b5552d2e
--- /dev/null
+++ b/proposals/cli/wit/deps/sockets/tcp.wit
@@ -0,0 +1,387 @@
+@since(version = 0.2.0)
+interface tcp {
+ @since(version = 0.2.0)
+ use wasi:io/streams@0.2.8.{input-stream, output-stream};
+ @since(version = 0.2.0)
+ use wasi:io/poll@0.2.8.{pollable};
+ @since(version = 0.2.0)
+ use wasi:clocks/monotonic-clock@0.2.8.{duration};
+ @since(version = 0.2.0)
+ use network.{network, error-code, ip-socket-address, ip-address-family};
+
+ @since(version = 0.2.0)
+ enum shutdown-type {
+ /// Similar to `SHUT_RD` in POSIX.
+ receive,
+
+ /// Similar to `SHUT_WR` in POSIX.
+ send,
+
+ /// Similar to `SHUT_RDWR` in POSIX.
+ both,
+ }
+
+ /// A TCP socket resource.
+ ///
+ /// The socket can be in one of the following states:
+ /// - `unbound`
+ /// - `bind-in-progress`
+ /// - `bound` (See note below)
+ /// - `listen-in-progress`
+ /// - `listening`
+ /// - `connect-in-progress`
+ /// - `connected`
+ /// - `closed`
+ /// See
+ /// for more information.
+ ///
+ /// Note: Except where explicitly mentioned, whenever this documentation uses
+ /// the term "bound" without backticks it actually means: in the `bound` state *or higher*.
+ /// (i.e. `bound`, `listen-in-progress`, `listening`, `connect-in-progress` or `connected`)
+ ///
+ /// In addition to the general error codes documented on the
+ /// `network::error-code` type, TCP socket methods may always return
+ /// `error(invalid-state)` when in the `closed` state.
+ @since(version = 0.2.0)
+ resource tcp-socket {
+ /// Bind the socket to a specific network on the provided IP address and port.
+ ///
+ /// If the IP address is zero (`0.0.0.0` in IPv4, `::` in IPv6), it is left to the implementation to decide which
+ /// network interface(s) to bind to.
+ /// If the TCP/UDP port is zero, the socket will be bound to a random free port.
+ ///
+ /// Bind can be attempted multiple times on the same socket, even with
+ /// different arguments on each iteration. But never concurrently and
+ /// only as long as the previous bind failed. Once a bind succeeds, the
+ /// binding can't be changed anymore.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: The `local-address` has the wrong address family. (EAFNOSUPPORT, EFAULT on Windows)
+ /// - `invalid-argument`: `local-address` is not a unicast address. (EINVAL)
+ /// - `invalid-argument`: `local-address` is an IPv4-mapped IPv6 address. (EINVAL)
+ /// - `invalid-state`: The socket is already bound. (EINVAL)
+ /// - `address-in-use`: No ephemeral ports available. (EADDRINUSE, ENOBUFS on Windows)
+ /// - `address-in-use`: Address is already in use. (EADDRINUSE)
+ /// - `address-not-bindable`: `local-address` is not an address that the `network` can bind to. (EADDRNOTAVAIL)
+ /// - `not-in-progress`: A `bind` operation is not in progress.
+ /// - `would-block`: Can't finish the operation, it is still in progress. (EWOULDBLOCK, EAGAIN)
+ ///
+ /// # Implementors note
+ /// When binding to a non-zero port, this bind operation shouldn't be affected by the TIME_WAIT
+ /// state of a recently closed socket on the same local address. In practice this means that the SO_REUSEADDR
+ /// socket option should be set implicitly on all platforms, except on Windows where this is the default behavior
+ /// and SO_REUSEADDR performs something different entirely.
+ ///
+ /// Unlike in POSIX, in WASI the bind operation is async. This enables
+ /// interactive WASI hosts to inject permission prompts. Runtimes that
+ /// don't want to make use of this ability can simply call the native
+ /// `bind` as part of either `start-bind` or `finish-bind`.
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.2.0)
+ start-bind: func(network: borrow, local-address: ip-socket-address) -> result<_, error-code>;
+ @since(version = 0.2.0)
+ finish-bind: func() -> result<_, error-code>;
+
+ /// Connect to a remote endpoint.
+ ///
+ /// On success:
+ /// - the socket is transitioned into the `connected` state.
+ /// - a pair of streams is returned that can be used to read & write to the connection
+ ///
+ /// After a failed connection attempt, the socket will be in the `closed`
+ /// state and the only valid action left is to `drop` the socket. A single
+ /// socket can not be used to connect more than once.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: The `remote-address` has the wrong address family. (EAFNOSUPPORT)
+ /// - `invalid-argument`: `remote-address` is not a unicast address. (EINVAL, ENETUNREACH on Linux, EAFNOSUPPORT on MacOS)
+ /// - `invalid-argument`: `remote-address` is an IPv4-mapped IPv6 address. (EINVAL, EADDRNOTAVAIL on Illumos)
+ /// - `invalid-argument`: The IP address in `remote-address` is set to INADDR_ANY (`0.0.0.0` / `::`). (EADDRNOTAVAIL on Windows)
+ /// - `invalid-argument`: The port in `remote-address` is set to 0. (EADDRNOTAVAIL on Windows)
+ /// - `invalid-argument`: The socket is already attached to a different network. The `network` passed to `connect` must be identical to the one passed to `bind`.
+ /// - `invalid-state`: The socket is already in the `connected` state. (EISCONN)
+ /// - `invalid-state`: The socket is already in the `listening` state. (EOPNOTSUPP, EINVAL on Windows)
+ /// - `timeout`: Connection timed out. (ETIMEDOUT)
+ /// - `connection-refused`: The connection was forcefully rejected. (ECONNREFUSED)
+ /// - `connection-reset`: The connection was reset. (ECONNRESET)
+ /// - `connection-aborted`: The connection was aborted. (ECONNABORTED)
+ /// - `remote-unreachable`: The remote address is not reachable. (EHOSTUNREACH, EHOSTDOWN, ENETUNREACH, ENETDOWN, ENONET)
+ /// - `address-in-use`: Tried to perform an implicit bind, but there were no ephemeral ports available. (EADDRINUSE, EADDRNOTAVAIL on Linux, EAGAIN on BSD)
+ /// - `not-in-progress`: A connect operation is not in progress.
+ /// - `would-block`: Can't finish the operation, it is still in progress. (EWOULDBLOCK, EAGAIN)
+ ///
+ /// # Implementors note
+ /// The POSIX equivalent of `start-connect` is the regular `connect` syscall.
+ /// Because all WASI sockets are non-blocking this is expected to return
+ /// EINPROGRESS, which should be translated to `ok()` in WASI.
+ ///
+ /// The POSIX equivalent of `finish-connect` is a `poll` for event `POLLOUT`
+ /// with a timeout of 0 on the socket descriptor. Followed by a check for
+ /// the `SO_ERROR` socket option, in case the poll signaled readiness.
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.2.0)
+ start-connect: func(network: borrow, remote-address: ip-socket-address) -> result<_, error-code>;
+ @since(version = 0.2.0)
+ finish-connect: func() -> result, error-code>;
+
+ /// Start listening for new connections.
+ ///
+ /// Transitions the socket into the `listening` state.
+ ///
+ /// Unlike POSIX, the socket must already be explicitly bound.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is not bound to any local address. (EDESTADDRREQ)
+ /// - `invalid-state`: The socket is already in the `connected` state. (EISCONN, EINVAL on BSD)
+ /// - `invalid-state`: The socket is already in the `listening` state.
+ /// - `address-in-use`: Tried to perform an implicit bind, but there were no ephemeral ports available. (EADDRINUSE)
+ /// - `not-in-progress`: A listen operation is not in progress.
+ /// - `would-block`: Can't finish the operation, it is still in progress. (EWOULDBLOCK, EAGAIN)
+ ///
+ /// # Implementors note
+ /// Unlike in POSIX, in WASI the listen operation is async. This enables
+ /// interactive WASI hosts to inject permission prompts. Runtimes that
+ /// don't want to make use of this ability can simply call the native
+ /// `listen` as part of either `start-listen` or `finish-listen`.
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.2.0)
+ start-listen: func() -> result<_, error-code>;
+ @since(version = 0.2.0)
+ finish-listen: func() -> result<_, error-code>;
+
+ /// Accept a new client socket.
+ ///
+ /// The returned socket is bound and in the `connected` state. The following properties are inherited from the listener socket:
+ /// - `address-family`
+ /// - `keep-alive-enabled`
+ /// - `keep-alive-idle-time`
+ /// - `keep-alive-interval`
+ /// - `keep-alive-count`
+ /// - `hop-limit`
+ /// - `receive-buffer-size`
+ /// - `send-buffer-size`
+ ///
+ /// On success, this function returns the newly accepted client socket along with
+ /// a pair of streams that can be used to read & write to the connection.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: Socket is not in the `listening` state. (EINVAL)
+ /// - `would-block`: No pending connections at the moment. (EWOULDBLOCK, EAGAIN)
+ /// - `connection-aborted`: An incoming connection was pending, but was terminated by the client before this listener could accept it. (ECONNABORTED)
+ /// - `new-socket-limit`: The new socket resource could not be created because of a system limit. (EMFILE, ENFILE)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.2.0)
+ accept: func() -> result, error-code>;
+
+ /// Get the bound local address.
+ ///
+ /// POSIX mentions:
+ /// > If the socket has not been bound to a local name, the value
+ /// > stored in the object pointed to by `address` is unspecified.
+ ///
+ /// WASI is stricter and requires `local-address` to return `invalid-state` when the socket hasn't been bound yet.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is not bound to any local address.
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.2.0)
+ local-address: func() -> result;
+
+ /// Get the remote address.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is not connected to a remote address. (ENOTCONN)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.2.0)
+ remote-address: func() -> result;
+
+ /// Whether the socket is in the `listening` state.
+ ///
+ /// Equivalent to the SO_ACCEPTCONN socket option.
+ @since(version = 0.2.0)
+ is-listening: func() -> bool;
+
+ /// Whether this is a IPv4 or IPv6 socket.
+ ///
+ /// Equivalent to the SO_DOMAIN socket option.
+ @since(version = 0.2.0)
+ address-family: func() -> ip-address-family;
+
+ /// Hints the desired listen queue size. Implementations are free to ignore this.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ /// Any other value will never cause an error, but it might be silently clamped and/or rounded.
+ ///
+ /// # Typical errors
+ /// - `not-supported`: (set) The platform does not support changing the backlog size after the initial listen.
+ /// - `invalid-argument`: (set) The provided value was 0.
+ /// - `invalid-state`: (set) The socket is in the `connect-in-progress` or `connected` state.
+ @since(version = 0.2.0)
+ set-listen-backlog-size: func(value: u64) -> result<_, error-code>;
+
+ /// Enables or disables keepalive.
+ ///
+ /// The keepalive behavior can be adjusted using:
+ /// - `keep-alive-idle-time`
+ /// - `keep-alive-interval`
+ /// - `keep-alive-count`
+ /// These properties can be configured while `keep-alive-enabled` is false, but only come into effect when `keep-alive-enabled` is true.
+ ///
+ /// Equivalent to the SO_KEEPALIVE socket option.
+ @since(version = 0.2.0)
+ keep-alive-enabled: func() -> result;
+ @since(version = 0.2.0)
+ set-keep-alive-enabled: func(value: bool) -> result<_, error-code>;
+
+ /// Amount of time the connection has to be idle before TCP starts sending keepalive packets.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ /// Any other value will never cause an error, but it might be silently clamped and/or rounded.
+ /// I.e. after setting a value, reading the same setting back may return a different value.
+ ///
+ /// Equivalent to the TCP_KEEPIDLE socket option. (TCP_KEEPALIVE on MacOS)
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The provided value was 0.
+ @since(version = 0.2.0)
+ keep-alive-idle-time: func() -> result;
+ @since(version = 0.2.0)
+ set-keep-alive-idle-time: func(value: duration) -> result<_, error-code>;
+
+ /// The time between keepalive packets.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ /// Any other value will never cause an error, but it might be silently clamped and/or rounded.
+ /// I.e. after setting a value, reading the same setting back may return a different value.
+ ///
+ /// Equivalent to the TCP_KEEPINTVL socket option.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The provided value was 0.
+ @since(version = 0.2.0)
+ keep-alive-interval: func() -> result;
+ @since(version = 0.2.0)
+ set-keep-alive-interval: func(value: duration) -> result<_, error-code>;
+
+ /// The maximum amount of keepalive packets TCP should send before aborting the connection.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ /// Any other value will never cause an error, but it might be silently clamped and/or rounded.
+ /// I.e. after setting a value, reading the same setting back may return a different value.
+ ///
+ /// Equivalent to the TCP_KEEPCNT socket option.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The provided value was 0.
+ @since(version = 0.2.0)
+ keep-alive-count: func() -> result;
+ @since(version = 0.2.0)
+ set-keep-alive-count: func(value: u32) -> result<_, error-code>;
+
+ /// Equivalent to the IP_TTL & IPV6_UNICAST_HOPS socket options.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The TTL value must be 1 or higher.
+ @since(version = 0.2.0)
+ hop-limit: func() -> result;
+ @since(version = 0.2.0)
+ set-hop-limit: func(value: u8) -> result<_, error-code>;
+
+ /// The kernel buffer space reserved for sends/receives on this socket.
+ ///
+ /// If the provided value is 0, an `invalid-argument` error is returned.
+ /// Any other value will never cause an error, but it might be silently clamped and/or rounded.
+ /// I.e. after setting a value, reading the same setting back may return a different value.
+ ///
+ /// Equivalent to the SO_RCVBUF and SO_SNDBUF socket options.
+ ///
+ /// # Typical errors
+ /// - `invalid-argument`: (set) The provided value was 0.
+ @since(version = 0.2.0)
+ receive-buffer-size: func() -> result;
+ @since(version = 0.2.0)
+ set-receive-buffer-size: func(value: u64) -> result<_, error-code>;
+ @since(version = 0.2.0)
+ send-buffer-size: func() -> result;
+ @since(version = 0.2.0)
+ set-send-buffer-size: func(value: u64) -> result<_, error-code>;
+
+ /// Create a `pollable` which can be used to poll for, or block on,
+ /// completion of any of the asynchronous operations of this socket.
+ ///
+ /// When `finish-bind`, `finish-listen`, `finish-connect` or `accept`
+ /// return `error(would-block)`, this pollable can be used to wait for
+ /// their success or failure, after which the method can be retried.
+ ///
+ /// The pollable is not limited to the async operation that happens to be
+ /// in progress at the time of calling `subscribe` (if any). Theoretically,
+ /// `subscribe` only has to be called once per socket and can then be
+ /// (re)used for the remainder of the socket's lifetime.
+ ///
+ /// See
+ /// for more information.
+ ///
+ /// Note: this function is here for WASI 0.2 only.
+ /// It's planned to be removed when `future` is natively supported in Preview3.
+ @since(version = 0.2.0)
+ subscribe: func() -> pollable;
+
+ /// Initiate a graceful shutdown.
+ ///
+ /// - `receive`: The socket is not expecting to receive any data from
+ /// the peer. The `input-stream` associated with this socket will be
+ /// closed. Any data still in the receive queue at time of calling
+ /// this method will be discarded.
+ /// - `send`: The socket has no more data to send to the peer. The `output-stream`
+ /// associated with this socket will be closed and a FIN packet will be sent.
+ /// - `both`: Same effect as `receive` & `send` combined.
+ ///
+ /// This function is idempotent; shutting down a direction more than once
+ /// has no effect and returns `ok`.
+ ///
+ /// The shutdown function does not close (drop) the socket.
+ ///
+ /// # Typical errors
+ /// - `invalid-state`: The socket is not in the `connected` state. (ENOTCONN)
+ ///
+ /// # References
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.2.0)
+ shutdown: func(shutdown-type: shutdown-type) -> result<_, error-code>;
+ }
+}
diff --git a/proposals/cli/wit/deps/sockets/udp-create-socket.wit b/proposals/cli/wit/deps/sockets/udp-create-socket.wit
new file mode 100644
index 000000000..e8eeacbfe
--- /dev/null
+++ b/proposals/cli/wit/deps/sockets/udp-create-socket.wit
@@ -0,0 +1,30 @@
+@since(version = 0.2.0)
+interface udp-create-socket {
+ @since(version = 0.2.0)
+ use network.{network, error-code, ip-address-family};
+ @since(version = 0.2.0)
+ use udp.{udp-socket};
+
+ /// Create a new UDP socket.
+ ///
+ /// Similar to `socket(AF_INET or AF_INET6, SOCK_DGRAM, IPPROTO_UDP)` in POSIX.
+ /// On IPv6 sockets, IPV6_V6ONLY is enabled by default and can't be configured otherwise.
+ ///
+ /// This function does not require a network capability handle. This is considered to be safe because
+ /// at time of creation, the socket is not bound to any `network` yet. Up to the moment `bind` is called,
+ /// the socket is effectively an in-memory configuration object, unable to communicate with the outside world.
+ ///
+ /// All sockets are non-blocking. Use the wasi-poll interface to block on asynchronous operations.
+ ///
+ /// # Typical errors
+ /// - `not-supported`: The specified `address-family` is not supported. (EAFNOSUPPORT)
+ /// - `new-socket-limit`: The new socket resource could not be created because of a system limit. (EMFILE, ENFILE)
+ ///
+ /// # References:
+ /// -
+ /// -
+ /// -
+ /// -
+ @since(version = 0.2.0)
+ create-udp-socket: func(address-family: ip-address-family) -> result;
+}
diff --git a/proposals/cli/wit/deps/sockets/udp.wit b/proposals/cli/wit/deps/sockets/udp.wit
new file mode 100644
index 000000000..0000a157e
--- /dev/null
+++ b/proposals/cli/wit/deps/sockets/udp.wit
@@ -0,0 +1,288 @@
+@since(version = 0.2.0)
+interface udp {
+ @since(version = 0.2.0)
+ use wasi:io/poll@0.2.8.{pollable};
+ @since(version = 0.2.0)
+ use network.{network, error-code, ip-socket-address, ip-address-family};
+
+ /// A received datagram.
+ @since(version = 0.2.0)
+ record incoming-datagram {
+ /// The payload.
+ ///
+ /// Theoretical max size: ~64 KiB. In practice, typically less than 1500 bytes.
+ data: list,
+
+ /// The source address.
+ ///
+ /// This field is guaranteed to match the remote address the stream was initialized with, if any.
+ ///
+ /// Equivalent to the `src_addr` out parameter of `recvfrom`.
+ remote-address: ip-socket-address,
+ }
+
+ /// A datagram to be sent out.
+ @since(version = 0.2.0)
+ record outgoing-datagram {
+ /// The payload.
+ data: list,
+
+ /// The destination address.
+ ///
+ /// The requirements on this field depend on how the stream was initialized:
+ /// - with a remote address: this field must be None or match the stream's remote address exactly.
+ /// - without a remote address: this field is required.
+ ///
+ /// If this value is None, the send operation is equivalent to `send` in POSIX. Otherwise it is equivalent to `sendto`.
+ remote-address: option