Technology deep dive

Agent-authored tools: type the data, code the behavior.

The riskiest thing an agent platform can do is let the model write executable code. It's also the most powerful. SwarmMarshal's answer is a substrate where structure is declared — so the system can leverage it — and behavior is authored as real C#, compiled and executed inside a sandbox engineered for exactly this job.

Compilation

Roslyn everywhere — including where Roslyn "doesn't work."

Authored code compiles through the real C# compiler, deliberately bypassing the scripting API: scripting resolves references from assembly files on disk, which don't exist on iOS, Android, or single-file publishes. SwarmMarshal builds metadata references straight out of the runtime's loaded images instead — so the same authored tool runs on a trimmed mobile build as on a desktop.

In-memory compile, content-hash cached Wall-clock timeout — a CPU loop can't hang the host One sandbox shared by Vibes, display formatting, and Today panels
Safety gate

Two analyzers, one dangerous-API catalog.

Before anything compiles, authored code passes a fast regex screen and a Roslyn semantic pass that resolves actual symbols — so a reflection pivot like walking from an object to its assembly's types resolves to a blocked symbol even though no forbidden token appears in the text.

Semantic, not textual

String matching catches the obvious; symbol resolution catches the clever. Both passes consume one shared catalog of dangerous APIs, so a newly discovered bypass is fixed once for every app on the engine.

Policy tiers per host

Hosts compose their own tiers from the shared lists — never-allowed versus needs-approval versus fine. A display-formatting snippet gets pure compute only; a data tool gets compute plus the web channel; nothing gets raw sockets or the filesystem.

Network boundary

One door to the internet, and the model doesn't hold the key.

Raw HTTP clients are blocked by the safety gate. All web egress flows through a single instrumented channel — one place for logging, limits, and authentication.

Credential handles

Scripts name a credential handle; the host injects the bearer token, header, or query secret at call time. The model authors code that uses credentials it never sees.

OAuth without exposure

An agent-facing broker runs full OAuth device-code flows — start, poll, store — returning only the verification URL and user code to the agent. Tokens land in the credential store, never in the transcript.

Audited per app

Every call is logged for provenance, and imported apps run under per-app egress policy — a shared applet doesn't inherit your network.

Accumulating capability

Tools are written once and owned forever.

  1. Author The agent writes a tool with a declared contract — named, typed parameters, a return description, a sample input.
  2. Compile-check Errors come back to the agent to fix — the loop is part of authoring, not a runtime surprise.
  3. Persist & record Tools are saved on the app so capability accumulates across runs. Every invocation stamps a run record — when, ok-or-error, output — and a workbench surface exposes the code, contract, and last run for inspection or hand-editing.
  4. Promote or approve Proven tools can be promoted into the shared service catalog; tools arriving inside imported packages land unapproved and cannot execute until an admin reviews them.
The payoff

The model does the creative work once. Code does the repeated work forever.

When an agent's bulk-refresh tool works, the engine registers it as the refresh routine — future refreshes run the compiled tool with zero model calls. A portfolio applet that spent ~42 calls per refresh now spends none. The engine even auto-adopts a qualifying tool if the model forgets to register it, and self-heals back to the model loop when a tool breaks so it can be diagnosed and re-authored.

App synthesis

Generated apps are verified before they're presented.

Describing an app produces a full structured blueprint — schema, views, workflow rules, automations — with screenshots folded in through a vision pass. Independent verifier agents then challenge the result before you ever see it.

Experience verifiers

Pre-save checks confirm the app can actually run and satisfies the promised kind — including a flood-fill playability check that rejects a generated maze game with unreachable pellets or sealed-off space.

Honest fallback

When the model fails or verification fails, a deterministic heuristic starter is offered instead — and it is never passed off as an AI build. Edits keep field identity stable across regenerations, so a rename is a rename, not a drop-and-recreate that eats your data.

Rule polarity

Guards fail closed. Automations fail inert. On purpose.

Prose like "orders over $5,000 need director sign-off" becomes an enforced workflow transition guard — and a guard that can't evaluate a required value blocks the transition. Automations have the opposite polarity: a rule that can't judge must not fire, because the failure mode of automations is notification spam. Idempotency fire-keys make sure a re-run can never double-fire a rule.

Portability

Apps travel as packages, not as trust.

A .vibe package is a deterministic, identity-neutral snapshot of a whole app — schema, views, agents, authored tools, optionally data — that strips install identity on export and reassigns it on import so sharing never collides with the source. Imported authored code lands unapproved, capability review happens on import, and a signed website catalog with a pinned publisher key covers publicly distributed apps.

Keep reading

The rest of the stack.

Authored tools run on models chosen by Model Scout, and their facts flow into the context engine.