containerd · wlkrm · Nov 21, 2025 · Feb 23, 2026
diff --git a/crates/containerd-shim-wasm/src/sandbox/context.rs b/crates/containerd-shim-wasm/src/sandbox/context.rs
@@ -1,4 +1,5 @@
 use std::borrow::Cow;
+use std::collections::HashMap;
 use std::path::{Path, PathBuf};
 
 use anyhow::{Context, bail};
@@ -32,6 +33,12 @@ pub trait RuntimeContext: Send + Sync {
     ///   "my_module.wat" -> { source: File("my_module.wat"), func: "_start", name: "Some(my_module)", arg0: "my_module.wat" }
     ///   "#init" -> { source: File(""), func: "init", name: None, arg0: "#init" }
     fn entrypoint(&self) -> Entrypoint;
+
+    /// Returns the annotations map from the OCI runtime spec, if any.
+    ///
+    /// Annotations are provided by the runtime (for example `ctr --annotation key=value`) and
+    /// are available on the `Spec` as a map of string key/values.
+    fn annotations(&self) -> &Option<HashMap<String, String>>;
 }
 
 /// The source for a WASI module / components.
@@ -136,6 +143,10 @@ impl RuntimeContext for WasiContext<'_> {
             name: module_name,
         }
     }
+
+    fn annotations(&self) -> &Option<HashMap<String, String>> {
+        self.spec.annotations()
+    }
 }
 
 /// The type of a wasm binary.

diff --git a/crates/containerd-shim-wasmtime/README.md b/crates/containerd-shim-wasmtime/README.md
@@ -27,7 +27,7 @@ upon receiving a terminate or interrupt signal in the container.
 
 This can be very useful on the Wasm-first platforms to allow instance-per-request isolation:
 
-> Eeach Wasm instance serves only one HTTP request, and then goes away. This is fantastic for security and bug
+> Each Wasm instance serves only one HTTP request, and then goes away. This is fantastic for security and bug
 > mitigation: the blast radius of an exploit or guest-runtime bug is only a single request, and can never see the data
 > from other users of the platform or even other requests by the same user. [3]
 

diff --git a/docs/src/benchmarks.md b/docs/src/benchmarks.md
@@ -36,12 +36,10 @@ This is for Wasmtime shim. We use `hey` to load test the Wasmtime shim running "
 
 We built a distroless container image with `wasmtime` runtime installed. Then we run stress-test for `wasmtime` shim and the distroless container for the same workload. The result is shown below.
 
-| Runtime | Tasks | Time | Throughput |
-|---------|-------|------|------------|
-| runwasi wasmtime | 1000 | 3s 31ms 663us 672ns | 329.85 tasks/s |
-| runc distroless wasmtime | 1000 | 11s 795ms 27us 285ns | 84.78 tasks/s |
-
-
+| Runtime                  | Tasks | Time                 | Throughput     |
+| ------------------------ | ----- | -------------------- | -------------- |
+| runwasi wasmtime         | 1000  | 3s 31ms 663us 672ns  | 329.85 tasks/s |
+| runc distroless wasmtime | 1000  | 11s 795ms 27us 285ns | 84.78 tasks/s  |
 
 The Dockerfile for the distroless container is shown below.
 
@@ -85,6 +83,6 @@ We use [benchmark-action](https://github.com/benchmark-action/github-action-benc
 
 If you want to contribute to the benchmarks, whether it's adding a new benchmark or improving the existing ones, or just want to share your ideas, please refer to the following issue:
 
-- [Bencharking issue #97](https://github.com/containerd/runwasi/issues/97)
+- [Benchmarking issue #97](https://github.com/containerd/runwasi/issues/97)
 
 Any PRs are welcome!