Semantic, not textual
String matching catches the obvious; symbol resolution catches the clever. Both passes consume one shared catalog of dangerous APIs, so a newly discovered bypass is fixed once for every app on the engine.
The riskiest thing an agent platform can do is let the model write executable code. It's also the most powerful. SwarmMarshal's answer is a substrate where structure is declared — so the system can leverage it — and behavior is authored as real C#, compiled and executed inside a sandbox engineered for exactly this job.
Authored code compiles through the real C# compiler, deliberately bypassing the scripting API: scripting resolves references from assembly files on disk, which don't exist on iOS, Android, or single-file publishes. SwarmMarshal builds metadata references straight out of the runtime's loaded images instead — so the same authored tool runs on a trimmed mobile build as on a desktop.
Before anything compiles, authored code passes a fast regex screen and a Roslyn semantic pass that resolves actual symbols — so a reflection pivot like walking from an object to its assembly's types resolves to a blocked symbol even though no forbidden token appears in the text.
String matching catches the obvious; symbol resolution catches the clever. Both passes consume one shared catalog of dangerous APIs, so a newly discovered bypass is fixed once for every app on the engine.
Hosts compose their own tiers from the shared lists — never-allowed versus needs-approval versus fine. A display-formatting snippet gets pure compute only; a data tool gets compute plus the web channel; nothing gets raw sockets or the filesystem.
Raw HTTP clients are blocked by the safety gate. All web egress flows through a single instrumented channel — one place for logging, limits, and authentication.
Scripts name a credential handle; the host injects the bearer token, header, or query secret at call time. The model authors code that uses credentials it never sees.
An agent-facing broker runs full OAuth device-code flows — start, poll, store — returning only the verification URL and user code to the agent. Tokens land in the credential store, never in the transcript.
Every call is logged for provenance, and imported apps run under per-app egress policy — a shared applet doesn't inherit your network.
When an agent's bulk-refresh tool works, the engine registers it as the refresh routine — future refreshes run the compiled tool with zero model calls. A portfolio applet that spent ~42 calls per refresh now spends none. The engine even auto-adopts a qualifying tool if the model forgets to register it, and self-heals back to the model loop when a tool breaks so it can be diagnosed and re-authored.
Describing an app produces a full structured blueprint — schema, views, workflow rules, automations — with screenshots folded in through a vision pass. Independent verifier agents then challenge the result before you ever see it.
Pre-save checks confirm the app can actually run and satisfies the promised kind — including a flood-fill playability check that rejects a generated maze game with unreachable pellets or sealed-off space.
When the model fails or verification fails, a deterministic heuristic starter is offered instead — and it is never passed off as an AI build. Edits keep field identity stable across regenerations, so a rename is a rename, not a drop-and-recreate that eats your data.
Prose like "orders over $5,000 need director sign-off" becomes an enforced workflow transition guard — and a guard that can't evaluate a required value blocks the transition. Automations have the opposite polarity: a rule that can't judge must not fire, because the failure mode of automations is notification spam. Idempotency fire-keys make sure a re-run can never double-fire a rule.
A .vibe package is a deterministic, identity-neutral snapshot of a whole app — schema, views, agents, authored tools, optionally data — that strips install identity on export and reassigns it on import so sharing never collides with the source. Imported authored code lands unapproved, capability review happens on import, and a signed website catalog with a pinned publisher key covers publicly distributed apps.
Authored tools run on models chosen by Model Scout, and their facts flow into the context engine.