In this section: System Evolution

MCP and WebAssembly: AI-native portable microservices

MCP gives AI agents a structured way to call capabilities. WASM gives those capabilities a portable, sandboxed execution boundary. Together they define what an AI-native microservice looks like.

What the combination solves

Two problems have to be solved simultaneously for an AI agent to call a capability reliably: the agent needs a stable, typed interface to discover and invoke the capability, and the capability needs an execution boundary that is safe, portable, and host-independent.

MCP solves the first problem. WebAssembly solves the second. Neither alone is sufficient. An MCP tool definition with no portable execution boundary is a contract that ties your business logic to one platform. A WASM module with no structured invocation interface requires every agent integration to be hand-rolled.

The combination closes both gaps: MCP defines what a capability looks like to an agent, and WASM defines where and how that capability executes, consistently regardless of host environment.

MCP as the invocation layer

Model Context Protocol is Anthropic's open standard for structured tool use by AI agents. It gives a model a typed, discoverable interface to capabilities: each tool has a name, a schema for its inputs, and a schema for its outputs. The agent can list available tools, select the appropriate one, call it with structured arguments, and interpret the result, without bespoke wiring for each integration.

MCP is deliberately a protocol, not a runtime. It specifies the shape of the conversation between agent and capability. It says nothing about where the capability runs, what language it is written in, whether it can be moved between environments, or what isolation it provides. Those questions are outside its scope by design.

That is not a weakness. It is the right boundary for a protocol. But it means MCP defines the contract. Something else must fulfill the execution guarantee.

WASM as the execution boundary

WebAssembly provides a capability-based sandboxed runtime. A WASM module declares exactly which host capabilities it requires (file access, network, clock) and receives only those capabilities. It cannot access anything it has not been granted. The sandbox is enforced by the runtime, not by convention or process isolation.

Portability is a structural property: the same WASM binary runs in a browser, a server, an edge node, or an embedded device without recompilation and without OS dependencies. The module's behavior is determined by its bytecode, not by its host. Move the module. The logic is identical.

WASI (the WebAssembly System Interface) extends this to system-level capabilities (filesystem access, sockets, clocks) with the same capability-based model. WASI 0.2 is stable. The component model, which enables composing multiple WASM modules with typed interfaces, is in active development and advancing steadily.

The UMA connection

In UMA, an active descriptor can expose a WASM-backed capability as an MCP tool. The agent calls the tool using MCP's standard invocation protocol. The UMA runtime resolves that call to a WASM module, executes it in a sandboxed context, and returns the result. The business logic in the module is unchanged whether the runtime is running on a developer's laptop, a cloud function, or an edge node.

This is what AI-native portability looks like in practice. The capability is not tied to a platform, a language runtime, or a deployment topology. The agent does not need to know any of that. The MCP interface is stable. The WASM module is portable. The descriptor is the binding.

Governance sits in the runtime layer. When an agent invokes a tool, the UMA runtime validates the request against the descriptor's declared contracts before the WASM module executes. The sandbox enforces isolation. The combination means a misbehaving agent cannot escalate through the tool. The execution boundary is structural, not policy-based.

What this prevents

Without MCP and WASM working together, specific failure modes appear consistently:

Logic duplicated per agent platform. Without a stable invocation interface, every new agent framework requires its own adapter layer for each capability. The business logic diverges across integrations. Bugs fix in one path, not in others.

Unsafe execution. Without a sandboxed execution boundary, a capability invoked by an agent runs with whatever access the host process has. An injected or misbehaving tool call has broad blast radius. There is no structural limit.

Brittle tool definitions that break when moved. Without portability guarantees, moving a capability to a different environment (cloud region, edge, different runtime) requires re-integration, re-testing, and inevitably re-debugging. The definition survives. The execution does not.

With MCP and WASM together: one canonical implementation, exposed through a stable typed interface, executing in a sandboxed portable boundary, versioned through the descriptor.

Current maturity

This is an honest assessment, not a product pitch.

WASM and WASI are maturing but not complete. WASI 0.2 is stable and usable in production. The WASM component model, which enables typed composition of modules, is in progress. It is advancing, but teams building on it today are working at the frontier, not on settled ground.

MCP tooling is early-stage. The protocol itself is well-specified. Ecosystem tooling, server implementations, and agent framework integrations are developing rapidly but unevenly. Some integrations are production-ready. Others are proofs of concept.

Production-ready patterns exist for specific combinations: Rust or Go compiled to WASM, WASI 0.2 host runtimes such as Wasmtime, MCP server implementations in TypeScript or Python. Teams using these combinations with deliberate design can reach production. Teams expecting turnkey deployment will be disappointed. The stack requires judgment at each layer.

The trajectory is clear. The current state requires realistic expectations.

Questions and answers

Does every MCP tool need to be backed by WASM?
No. MCP tools can be backed by any executable: a process, a container, a function, a native library. WASM is not required by the protocol. What WASM provides is a portability guarantee and a structural sandbox that native execution cannot match. If portability and sandboxing matter for a given capability (and in AI agent contexts they usually do), WASM is the right execution boundary. If a capability is already tightly bound to a specific host and will never move, native execution is simpler.
Is this combination production-ready?
Honest answer: emerging. The individual pieces (WASI 0.2, mature WASM runtimes, MCP protocol implementations) are stable enough for production use in specific configurations. The full stack as a coherent, opinionated pattern is still being established. Teams shipping this today are doing deliberate engineering, not installing a framework. That will change as the component model stabilizes and tooling matures, but that timeline is measured in years, not months.

MCP role

Defines the typed, discoverable interface between an AI agent and a capability. The agent lists, selects, invokes, and interprets through a stable protocol that does not change when the underlying execution moves.

WASM role

Provides the sandboxed, portable execution boundary for the capability. The module runs identically in any WASM host, with access limited to what it explicitly declares. The sandbox is structural, not policy-based.

Related concepts

Runtime governance determines what an agent is allowed to invoke before execution. Active descriptors are the binding that exposes a WASM-backed capability as an MCP tool.