The WASM sandbox per agent with typed ABI is a really clean isolation model. Most agent runtimes I've seen just throw everything into one process and hope for the best.

Curious about the IPC layer between agents. When agents communicate with each other, is there any access control on what one agent can request from another? Or is it open by default?

In practice the moment you have multiple agents that persist and talk to each other, you need some kind of permission model — otherwise one rogue agent can access everything through a chain of IPC calls. Even if each individual sandbox is secure.

The Rust + WASM combo is solid for this. We use Rust for similar reasons — memory safety matters a lot more when agents run autonomously.