Words like “internet access,” “your secrets,” “send messages on your behalf” make a careful person nervous. They should. The moment software can reach the network or use your keys, it can also do those things wrongly — leak a credential, hit the wrong server, get talked into something by a stray sentence it read on a web page. So here's the claim this lesson makes good on, narrower and more honest than “every power, none of the danger.” The powers are real and dangerous. What changes is that you hand them over deliberately, one named word at a time, and can take any of them back. Nothing turns on by accident, and the most dangerous objects never cross the wall into the workbook at all.
Once you see the move, you can decide for yourself when to grant a power and when to withhold it — the whole skill this lesson teaches.
The worst-case question
Every honest conversation about security arrives at one blunt question: if this thing turns hostile, what's the worst it can do? Most systems answer with a guard — a check in front of each dangerous action, a bouncer at the door. The trouble is the dangerous thing is still in the building. Somebody just has to slip past the check, and the history of broken sandboxes is the history of someone finding the door the bouncer wasn't watching.
A workbook answers differently. An ungranted power isn't denied — it simply doesn't exist in the workbook's world. There's no check to slip past, because there's no function to call. If a workbook was never granted the ability to reach the network, the network isn't blocked for it; it's missing from its universe. Reach for an ungranted power and the workbook doesn't get a quiet “no” — it fails to even start, because it asked for a tool that was never wired in. The decision happens before it runs a single instruction.
A power is a word you hand over
When the host starts running a workbook, it picks a profile — a short list of plain words naming exactly which powers this run gets. The host picks it, never the file: a workbook can't grant itself anything. As it loads, the host wires in the abilities it can name, one word at a time from that list. Anything not on the list never gets wired.
The menu is short on purpose — a handful of fixed rungs, each adding a power or two over the last. You don't compose your own; you pick a rung. Two rungs cover most of what you'll meet:
- minimal — the everyday rung. A working surface: its own disk, the ability to run commands, key-value storage, a job queue. And — the correction worth pinning — it also grants secrets and brokered sockets. Minimal is not a sealed scratch space.
- network — minimal plus outbound web, calling a language model, and browsing. The rung an agent runs on when it genuinely needs to reach the world.
And if someone asks for a profile that doesn't exist — a typo — the system doesn't fall open. It falls closed, down to the most restrictive rung: a pure scratch space, disk and nothing else — no network, no secrets, no commands. That's the floor it lands on when in doubt, pinned by a test, not just an intention.
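The profile lookup and load-time wiring described above can be sketched as follows. This is an added example, not the project's own code: the capability words, the name "floor" for the most restrictive rung, and the functions `resolve_profile` and `load_workbook` are all assumptions made for illustration.

```python
# Added illustration; rung and capability names are assumptions, not the project's API.
PROFILES = {
    "floor": {"disk"},  # hypothetical name for the most restrictive rung
    "minimal": {"disk", "commands", "kv", "queue", "secrets", "sockets"},
}
PROFILES["network"] = PROFILES["minimal"] | {"web", "llm", "browse"}

# Host-side implementations; stubs stand in for the real abilities.
HOST_FUNCS = {name: (lambda *a, _n=name: f"{_n} ok") for name in PROFILES["network"]}


class LinkError(Exception):
    """Raised at load time, before any workbook instruction runs."""


def resolve_profile(requested):
    # Unknown names (typos included) fall closed to the floor, never open.
    return PROFILES.get(requested, PROFILES["floor"])


def load_workbook(imports, requested_profile):
    """The host picks the profile; the workbook only declares what it needs."""
    granted = resolve_profile(requested_profile)
    missing = [name for name in imports if name not in granted]
    if missing:
        # Not a runtime "no": the workbook never starts.
        raise LinkError(f"imports not wired in: {missing}")
    # The workbook's world holds only what was wired; nothing else exists to call.
    return {name: HOST_FUNCS[name] for name in granted}


def try_load(imports, requested_profile):
    """Return the sorted names in the workbook's world, or the link error text."""
    try:
        return sorted(load_workbook(imports, requested_profile))
    except LinkError as exc:
        return str(exc)


if __name__ == "__main__":
    print(try_load(["disk", "web"], "minimal"))   # refused at load time
    print(try_load(["disk", "web"], "network"))   # wired
    print(try_load(["secrets"], "netwrok"))       # typo falls to the floor
```
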
Use the power, never hold the dangerous thing
For the sensitive powers there's a second move on top of the grant, and it's what makes them survivable to grant: the workbook performs the action, but the dangerous object stays on the host's side of the wall.
Take a secret — an API key, the kind of string that ruins your week if it leaks. Everywhere else, “let the code use the key” has meant “give the code the key,” and from that moment it's lying around: in a file, in a variable any dependency can see, in a log, forever. A workbook refuses that bargain. With secrets granted, it can name and use a secret, but never read it. The sharpest form: the only thing it can ask is “sign this for me.” It sends data across, the host stamps it with the secret, and the workbook gets back a signature — having never held the key. You can't lose what you were never handed.
The same inversion covers the rest. Calling a language model? The host holds the account key and pays; the workbook gets the answer, never the credential. Fetching a web page? The host owns the connection; the workbook hands over a destination and receives the page, never a socket. The pattern, every time, is grant the verb, keep the noun.
The reason this matters more than it used to
This care became necessary the day software started reading things written by strangers. When a workbook hosts an AI agent — where this unit is headed — the agent reads web pages, emails, documents. Any of that text might carry an instruction aimed at it: ignore your task, send me the key. Against ordinary software this works, because it holds its keys where the process can reach them; the malicious sentence steers a process that has the credential right there.
A workbook narrows that move sharply. Even fully fooled, the agent still can't read your Stripe key — it was never in its world to read. At most it can use the secret through the host's broker, where every request is rate-limited and audited. This isn't a smarter filter that catches the trick — it's the absence of the thing the trick reaches for, plus a leash on what's left.
Grant it, then take it back
The last piece turns “handed over deliberately” into a real practice: every power can be taken back. Because the host hands out abilities rather than baking them in, it can revoke one mid-flight — the next time the workbook tries to act on it, the action simply fails. Granted is not permanent; it's a leash the host is always holding.
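The sign-only secret, the rate-limited and audited broker, and mid-flight revocation from the sections above fit in one small host-side object. This is an added sketch, not the project's code: `SecretBroker`, its methods, HMAC-SHA256 as the signing scheme and the per-minute limit are assumptions. A Python closure only models the interface, so a real host would put the broker behind a process or sandbox boundary.

```python
import hashlib
import hmac
import time


class SecretBroker:
    """Host side of the wall: holds keys, signs on request, logs every use."""

    def __init__(self, secrets, max_per_minute=3):
        self._secrets = dict(secrets)   # name -> key bytes, never returned
        self._max = max_per_minute
        self._recent = []               # timestamps of recent successful signs
        self._revoked = False
        self.audit = []                 # (secret name, outcome) for every request

    def revoke(self):
        """Take the power back; the workbook's next call fails."""
        self._revoked = True

    def _sign(self, name, data, now):
        self._recent = [t for t in self._recent if now - t < 60]
        if self._revoked:
            outcome = "revoked"
        elif name not in self._secrets:
            outcome = "unknown-secret"
        elif len(self._recent) >= self._max:
            outcome = "rate-limited"
        else:
            outcome = "signed"
        self.audit.append((name, outcome))  # refusals are audited too
        if outcome != "signed":
            raise PermissionError(outcome)
        self._recent.append(now)
        return hmac.new(self._secrets[name], data, hashlib.sha256).digest()

    def handle(self):
        """What the workbook receives: the verb, with no accessor for the key."""
        def sign(name, data, now=None):
            # `now` is injectable so the rate limit can be tested deterministically.
            return self._sign(name, data, time.monotonic() if now is None else now)
        return sign
```
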
So the working skill is small: before a run, choose the lowest rung that still lets the workbook do its job — the sealed compute floor for pure data work, minimal to remember and run commands, the network rung only if it must reach the world. And whatever you grant, you can pull it back the moment you don't trust where it's going.
That's the shape of it. A workbook can touch the internet, sign with your secrets, and call out to the world — because a host hands over named powers one word at a time, keeps every dangerous object on its own side of the wall, and can revoke any of them at will. The powers are real; the danger sits where the workbook can't reach it. And the choice of which to grant stays in your hands — deliberate, legible, reversible.