Already partially in place. ReScript gives type-safe parsing (DNS TXT, policy JSON) that compiles to clean ESM. This remains the rapid development layer — iterate on protocol semantics here first, then promote hot paths to Rust.
The real workhorse. Rust gives a single codebase that cross-compiles to every target that matters. Policy validation, schema enforcement, DNS caching logic, and the enforcement daemon all belong here.
Per hyperpolymath standard. Idris2 proves the protocol invariants (e.g., "L0 policies MUST NOT appear in AXEL-N gateway rules", "expired cache entries fail closed"). Zig FFI provides C-compatible bindings for integration into existing infrastructure (nginx modules, firewalld plugins, DNS resolver hooks).
| Priority | Target | Rationale |
|---|---|---|
| 1 | WASM (wasm32-wasi) | Universal. Runs on Cloudflare Workers, Fastly Compute@Edge, Vercel Edge, Deno Deploy, browsers, wasmtime/wasmer. One binary, every CDN. Primary enforcement deployment target. |
| 2 | JavaScript (ESM) | Already working via ReScript. Widest ecosystem reach for npm/deno distribution. Developer-facing SDK and rapid prototyping layer. Fallback for environments without WASM. |
| 3 | Native x86_64-linux | CLI validator (`axel-validate`), network gateway daemon, CI/CD integration. Rust `cargo build --release`. Infrastructure target — ISPs and firewall operators won't deploy WASM. |
| 4 | Native aarch64-linux | ARM servers (AWS Graviton, Ampere). Second native target. Trivial with Rust cross-compilation. |
| 5 | Cloudflare Workers (wasm32-unknown-unknown) | Specialized WASM variant with Workers KV/D1 bindings. Most likely first real CDN deployment. Worth having as a named target with platform-specific glue. |
| 6 | WASM Component Model (wasm32-wasip2) | Future-facing. WASI Preview 2 + Component Model gives composable, sandboxed modules. Not production-ready today but this is where the ecosystem is going. |

```
┌─────────────────────────────────────────────┐
│ Idris2 ABI (formal proofs)                  │
│ - Protocol invariants                       │
│ - Policy object type safety                 │
│ - Isolation level enforcement rules         │
└──────────────┬──────────────────────────────┘
               │ generates C headers
┌──────────────▼──────────────────────────────┐
│ Rust core library (axel-core)               │
│ - Policy parsing + validation               │
│ - DNS TXT record parser                     │
│ - Schema enforcement (no Ajv dependency)    │
│ - Cache logic (max_age, stale_if_error)     │
│ - Enforcement decisions (303/403 routing)   │
├─────────────────────────────────────────────┤
│ Compile targets:                            │
│ ├── wasm32-wasi    → CDN edge workers       │
│ ├── wasm32-unknown → browsers, CF Workers   │
│ ├── x86_64-linux   → CLI, daemon, CI        │
│ └── aarch64-linux  → ARM servers            │
└──────────────┬──────────────────────────────┘
               │ wasm-bindgen / wasm-pack
┌──────────────▼──────────────────────────────┐
│ ReScript SDK (axel-sdk)                     │
│ - Developer-facing API (imports WASM)       │
│ - Policy builder / validator                │
│ - Deno-native tooling                       │
│ - Falls back to pure JS if no WASM          │
└─────────────────────────────────────────────┘
               │
┌──────────────▼──────────────────────────────┐
│ Zig FFI (platform integration)              │
│ - nginx module (axel-nginx)                 │
│ - firewalld plugin                          │
│ - DNS resolver hooks (knot, unbound)        │
│ - Zero runtime dependencies                 │
└─────────────────────────────────────────────┘
```

CDN edge is where AXEL enforcement actually happens at scale. A Cloudflare Worker running the WASM policy validator at 300+ edge locations is orders of magnitude more impactful than a native binary running on one origin server. The CDN intercepts the request, checks the _axel DNS record (cached), fetches the policy (cached), and gates with 303/403 — all before the origin even sees traffic. WASM makes that a single deployable artifact across every edge platform.
Policy parser, schema validator, DNS TXT parser, enforcement decision engine. No external dependencies for the core. Replaces Ajv and the --no-check workaround.
- `axel-core/src/lib.rs` — public API
- `axel-core/src/policy.rs` — AXEL Policy Object parsing + validation
- `axel-core/src/dns.rs` — DNS TXT record parser (strict, fail-closed)
- `axel-core/src/enforce.rs` — enforcement decision engine (303/403 routing)
- `axel-core/src/cache.rs` — cache logic (`max_age_seconds`, `stale_if_error_seconds`)
- `axel-core/src/schema.rs` — built-in schema validation (no Ajv)
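
One way the `cache.rs` rule could decide whether a cached policy is still usable, honouring the "expired cache entries fail closed" invariant. This is an added example, not axel-core source: `max_age_seconds` and `stale_if_error_seconds` come from the page, while the type names, the function name and the exact window arithmetic are assumptions.

```rust
// Added example, not axel-core source. Field names follow the page;
// type names, function name and window arithmetic are assumptions.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CacheVerdict {
    Fresh,        // age <= max_age_seconds: use the cached policy
    StaleOnError, // refresh failed, still inside the stale_if_error window
    FailClosed,   // no usable policy: the caller denies, never default-allows
}

pub struct CachedPolicy {
    pub fetched_at: u64, // Unix seconds at fetch time
    pub max_age_seconds: u64,
    pub stale_if_error_seconds: u64,
}

pub fn cache_verdict(entry: Option<&CachedPolicy>, now: u64, refresh_failed: bool) -> CacheVerdict {
    let e = match entry {
        Some(e) => e,
        None => return CacheVerdict::FailClosed, // nothing cached
    };
    // A clock that moved backwards makes the age unknowable: refuse.
    let age = match now.checked_sub(e.fetched_at) {
        Some(a) => a,
        None => return CacheVerdict::FailClosed,
    };
    if age <= e.max_age_seconds {
        return CacheVerdict::Fresh;
    }
    // A window sum that overflows u64 is rejected, not saturated.
    let limit = match e.max_age_seconds.checked_add(e.stale_if_error_seconds) {
        Some(l) => l,
        None => return CacheVerdict::FailClosed,
    };
    // Stale data is served only to ride out a failed refresh. After a
    // successful refresh the old entry is never used again.
    if refresh_failed && age <= limit {
        CacheVerdict::StaleOnError
    } else {
        CacheVerdict::FailClosed
    }
}

fn main() {
    // Constructed sample entry: fetched at t=1000, 5 min fresh, 10 min stale window.
    let e = CachedPolicy { fetched_at: 1000, max_age_seconds: 300, stale_if_error_seconds: 600 };
    for (now, failed) in [(1200, false), (1500, true), (1901, true), (999, false)] {
        println!("now={now} refresh_failed={failed} -> {:?}", cache_verdict(Some(&e), now, failed));
    }
}
```

Every path that cannot prove the entry is inside an allowed window returns `FailClosed`, so a missing entry, clock skew or an oversized window can never turn into an implicit allow.
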
`wasm-pack build --target web` — browser + edge WASM bundle from the same crate.

- `axel-core/Cargo.toml` with `crate-type = ["cdylib", "rlib"]`
- `wasm-bindgen` exports for policy validation, DNS parsing, enforcement decisions
- Bundle size target: <100KB gzipped
`cargo build --release` — native CLI (`axel-validate <domain>`) for CI/CD and local testing.

- `axel-validate/src/main.rs` — CLI binary
- Subcommands: `validate <domain>`, `check-policy <file>`, `parse-txt <record>`
- Exit codes: 0 (valid), 1 (invalid), 2 (network error)
Thin wrapper importing the WASM module, with JS fallback.

- `src/AxelCore.res` — ReScript bindings to WASM exports
- `src/AxelCoreFallback.res` — pure JS implementation (current code)
- Runtime detection: use WASM if available, fall back to JS
Formal verification of protocol invariants.

- `src/abi/PolicyTypes.idr` — dependent types for policy objects
- `src/abi/IsolationLevel.idr` — proofs about isolation level constraints
- `src/abi/CacheInvariants.idr` — proofs about cache behavior
- `src/abi/EnforcementRules.idr` — proofs about enforcement correctness
C-compatible bindings for infrastructure integration.

- `ffi/zig/src/axel.zig` — core FFI functions
- `ffi/zig/src/nginx.zig` — nginx module integration
- `ffi/zig/src/firewalld.zig` — firewalld plugin
- `ffi/zig/src/dns_resolver.zig` — knot/unbound hooks