diff --git a/Cargo.lock b/Cargo.lock
index 2827ba85..6535fe70 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1114,30 +1114,6 @@ dependencies = [
  "crossbeam-utils",
 ]
 
-[[package]]
-name = "crossbeam-deque"
-version = "0.8.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "715e8152b692bba2d374b53d4875445368fdf21a94751410af607a5ac677d1fc"
-dependencies = [
- "cfg-if",
- "crossbeam-epoch",
- "crossbeam-utils",
-]
-
-[[package]]
-name = "crossbeam-epoch"
-version = "0.9.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f916dfc5d356b0ed9dae65f1db9fc9770aa2851d2662b988ccf4fe3516e86348"
-dependencies = [
- "autocfg",
- "cfg-if",
- "crossbeam-utils",
- "memoffset",
- "scopeguard",
-]
-
 [[package]]
 name = "crossbeam-queue"
 version = "0.3.6"
@@ -2205,26 +2181,6 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4217ad341ebadf8d8e724e264f13e593e0648f5b3e94b3896a5df283be015ecc"
 
-[[package]]
-name = "ittapi"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "663fe0550070071ff59e981864a9cd3ee1c869ed0a088140d9ac4dc05ea6b1a1"
-dependencies = [
- "anyhow",
- "ittapi-sys",
- "log",
-]
-
-[[package]]
-name = "ittapi-sys"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e21911b7183f38c71d75ab478a527f314e28db51027037ece2e5511ed9410703"
-dependencies = [
- "cc",
-]
-
 [[package]]
 name = "jobserver"
 version = "0.1.25"
@@ -2284,12 +2240,6 @@ dependencies = [
  "spin",
 ]
 
-[[package]]
-name = "leb128"
-version = "0.2.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "884e2677b40cc8c339eaefcb701c32ef1fd2493d71118dc0ca4b6a736c93bd67"
-
 [[package]]
 name = "lettre"
 version = "0.10.1"
@@ -2876,15 +2826,6 @@ version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
 
-[[package]]
-name = "memfd"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "480b5a5de855d11ff13195950bdc8b98b5e942ef47afc447f6615cdcc4e15d80"
-dependencies = [
- "rustix",
-]
-
 [[package]]
 name = "memoffset"
 version = "0.6.5"
@@ -3073,10 +3014,11 @@ checksum = "86f0b0d4bf799edbc74508c1e8bf170ff5f41238e5f8225603ca7caaae2b7860"
 [[package]]
 name = "opa-wasm"
 version = "0.1.0"
-source = "git+https://github.com/matrix-org/rust-opa-wasm.git#f838595670747b0644b6bfd9829fca5d63bbee66"
+source = "git+https://github.com/matrix-org/rust-opa-wasm.git#74262db0d12948f1af31ebc9e85bd56286d56b3e"
 dependencies = [
  "anyhow",
  "base64",
+ "cc",
  "digest 0.10.5",
  "hex",
  "hmac",
@@ -3084,7 +3026,6 @@ dependencies = [
  "md-5",
  "parse-size",
  "rand",
- "rayon-core",
  "semver",
  "serde",
  "serde_json",
@@ -3812,30 +3753,6 @@ dependencies = [
  "getrandom",
 ]
 
-[[package]]
-name = "rayon"
-version = "1.5.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd99e5772ead8baa5215278c9b15bf92087709e9c1b2d1f97cdb5a183c933a7d"
-dependencies = [
- "autocfg",
- "crossbeam-deque",
- "either",
- "rayon-core",
-]
-
-[[package]]
-name = "rayon-core"
-version = "1.9.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "258bcdb5ac6dad48491bb2992db6b7cf74878b0384908af124823d118c99683f"
-dependencies = [
- "crossbeam-channel",
- "crossbeam-deque",
- "crossbeam-utils",
- "num_cpus",
-]
-
 [[package]]
 name = "redox_syscall"
 version = "0.2.16"
@@ -5442,15 +5359,6 @@ version = "0.2.83"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1c38c045535d93ec4f0b4defec448e4291638ee608530863b1e2ba115d4fff7f"
 
-[[package]]
-name = "wasm-encoder"
-version = "0.19.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c5816e88e8ea7335016aa62eb0485747f786136d505a9b3890f8c400211d9b5f"
-dependencies = [
- "leb128",
-]
-
 [[package]]
 name = "wasmparser"
 version = "0.89.1"
@@ -5477,7 +5385,6 @@ dependencies = [
  "once_cell",
  "paste",
  "psm",
- "rayon",
  "serde",
  "target-lexicon",
  "wasmparser",
@@ -5487,7 +5394,6 @@ dependencies = [
  "wasmtime-fiber",
  "wasmtime-jit",
  "wasmtime-runtime",
- "wat",
  "windows-sys 0.36.1",
 ]
 
@@ -5585,7 +5491,6 @@ dependencies = [
  "cfg-if",
  "cpp_demangle",
  "gimli",
- "ittapi",
  "log",
  "object",
  "rustc-demangle",
@@ -5594,7 +5499,6 @@ dependencies = [
  "target-lexicon",
  "thiserror",
  "wasmtime-environ",
- "wasmtime-jit-debug",
  "wasmtime-runtime",
  "windows-sys 0.36.1",
 ]
@@ -5605,9 +5509,7 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "25e82d4ef93296785de7efca92f7679dc67fe68a13b625a5ecc8d7503b377a37"
 dependencies = [
- "object",
  "once_cell",
- "rustix",
 ]
 
 [[package]]
@@ -5623,7 +5525,6 @@ dependencies = [
  "libc",
  "log",
  "mach",
- "memfd",
  "memoffset",
  "paste",
  "rand",
@@ -5648,27 +5549,6 @@ dependencies = [
  "wasmparser",
 ]
 
-[[package]]
-name = "wast"
-version = "48.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84825b5ac7164df8260c9e2b2e814075334edbe7ac426f2469b93a5eeac23cce"
-dependencies = [
- "leb128",
- "memchr",
- "unicode-width",
- "wasm-encoder",
-]
-
-[[package]]
-name = "wat"
-version = "1.0.50"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "129da4a03ec6d2a815f42c88f641824e789d5be0d86d2f90aa8a218c7068e0be"
-dependencies = [
- "wast",
-]
-
 [[package]]
 name = "watchman_client"
 version = "0.8.0"
diff --git a/Dockerfile b/Dockerfile
index 8097cb35..791173a2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -115,6 +115,8 @@ RUN cargo chef cook \
   --bin mas-cli \
   --release \
   --recipe-path recipe.json \
+  --no-default-features \
+  --features docker \
   --target $(/docker-arch-to-rust-target.sh "${TARGETPLATFORM}") \
   --package mas-cli
 
@@ -128,6 +130,8 @@ RUN cargo auditable zigbuild \
   --locked \
   --release \
   --bin mas-cli \
+  --no-default-features \
+  --features docker \
   --target $(/docker-arch-to-rust-target.sh "${TARGETPLATFORM}")
 
 # Move the binary to avoid having to guess its name in the next stage
@@ -138,10 +142,6 @@ RUN mv target/$(/docker-arch-to-rust-target.sh "${TARGETPLATFORM}")/release/mas-
 ##################################
 FROM --platform=${TARGETPLATFORM} gcr.io/distroless/cc-debian${DEBIAN_VERSION}:debug-nonroot AS debug
 
-# Inject a wasmtime config which disables cache to avoid issues running with a read-only root filesystem
-ENV XDG_CONFIG_HOME=/etc
-COPY ./misc/wasmtime-config.toml /etc/wasmtime/config.toml
-
 COPY --from=builder /usr/local/bin/mas-cli /usr/local/bin/mas-cli
 WORKDIR /
 ENTRYPOINT ["/usr/local/bin/mas-cli"]
@@ -151,10 +151,6 @@ ENTRYPOINT ["/usr/local/bin/mas-cli"]
 ###################
 FROM --platform=${TARGETPLATFORM} gcr.io/distroless/cc-debian${DEBIAN_VERSION}:nonroot
 
-# Inject a wasmtime config which disables cache to avoid issues running with a read-only root filesystem
-ENV XDG_CONFIG_HOME=/etc
-COPY ./misc/wasmtime-config.toml /etc/wasmtime/config.toml
-
 COPY --from=builder /usr/local/bin/mas-cli /usr/local/bin/mas-cli
 WORKDIR /
 ENTRYPOINT ["/usr/local/bin/mas-cli"]
diff --git a/crates/cli/Cargo.toml b/crates/cli/Cargo.toml
index 3a588157..4817b57f 100644
--- a/crates/cli/Cargo.toml
+++ b/crates/cli/Cargo.toml
@@ -55,7 +55,13 @@ mas-listener = { path = "../listener" }
 indoc = "1.0.7"
 
 [features]
-default = ["otlp", "jaeger", "zipkin", "prometheus", "native-roots"]
+default = ["otlp", "jaeger", "zipkin", "prometheus", "webpki-roots", "policy-cache"]
+
+# Features used in the Docker image
+docker = ["otlp", "jaeger", "zipkin", "prometheus", "native-roots"]
+
+# Enable wasmtime compilation cache
+policy-cache = ["mas-policy/cache"]
 
 # Use the native root certificates
 native-roots = ["mas-http/native-roots", "mas-handlers/native-roots"]
diff --git a/crates/policy/Cargo.toml b/crates/policy/Cargo.toml
index d1c691dd..33fbfc1f 100644
--- a/crates/policy/Cargo.toml
+++ b/crates/policy/Cargo.toml
@@ -13,7 +13,10 @@ serde_json = "1.0.87"
 thiserror = "1.0.37"
 tokio = { version = "1.21.2", features = ["io-util", "rt"] }
 tracing = "0.1.37"
-wasmtime = "1.0.1"
+wasmtime = { version = "1.0.1", default-features = false, features = ["async", "cranelift"] }
 
 mas-data-model = { path = "../data-model" }
 oauth2-types = { path = "../oauth2-types" }
+
+[features]
+cache = ["wasmtime/cache"]
diff --git a/crates/policy/src/lib.rs b/crates/policy/src/lib.rs
index 7b2a20c8..a3b7a176 100644
--- a/crates/policy/src/lib.rs
+++ b/crates/policy/src/lib.rs
@@ -52,6 +52,7 @@ pub enum LoadError {
     #[error("failed to instantiate a test instance")]
     Instantiate(#[source] anyhow::Error),
 
+    #[cfg(feature = "cache")]
     #[error("could not load wasmtime cache configuration")]
     CacheSetup(#[source] anyhow::Error),
 }
@@ -76,6 +77,8 @@ impl PolicyFactory {
         let mut config = Config::default();
         config.async_support(true);
         config.cranelift_opt_level(wasmtime::OptLevel::Speed);
+
+        #[cfg(feature = "cache")]
         config
             .cache_config_load_default()
             .map_err(LoadError::CacheSetup)?;