[mike_hearn]

FWIW although it's not WebAssembly based, you can do that with GraalVM. It has a concept of language contexts which can be sandboxed including those constraints. There are two caveats:

1. Sandboxing for CPU time and max allowed memory requires the enterprise edition, so you'd have to pay for it.

2. The Python engine isn't 100% compatible with regular Python, although that may not matter for your use case as the compatibility is pretty good and issues mostly show up around extension modules.

[sebk]

Unfortunately there are at least two more major caveats:

1. Capability control only works for JavaScript (https://www.graalvm.org/latest/reference-manual/embed-langua...)

2. The documentation says in no uncertain terms that running untrusted code is unsupported (https://www.graalvm.org/latest/security-guide/#security-mode...)