Workspace surface: isolating agent context from the global environment

An agent without a defined workspace is an agent that can touch everything. In practice, current systems handle this through convention — don’t write outside your directory, don’t call APIs you weren’t told about. Convention is not architecture.

The workspace surface is the specification layer that makes scope explicit. Every agent process is initialized with a declared workspace: the set of files, services, and state it is authorized to act on for this task.

Not a sandbox

The workspace is not a sandbox in the security sense. Sandboxes are enforcement mechanisms. The workspace surface is a legibility mechanism — it makes the scope of an agent’s authority readable to the human supervising it, and auditable after the fact.
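A workspace declaration and an after-the-fact audit of an agent's action log against it, as an added example that is not part of the original article or any system it describes. The schema (`files`, `services`, `state`), the action record shape, and all sample values are assumptions made for illustration; the code reports out-of-scope actions and enforces nothing.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Workspace:
    """Declared scope for one task (hypothetical schema, not from the article)."""
    task: str
    files: tuple      # directory roots the agent is authorized to act on
    services: tuple   # names of services it may call
    state: tuple      # state keys it may read or write

def _within(path, root):
    # Normalize lexically so "/repo/docs/../.env" is judged as "/repo/.env",
    # and compare on a path boundary so "/repo/docs-private" != "/repo/docs".
    p, r = posixpath.normpath(path), posixpath.normpath(root)
    return p == r or p.startswith(r.rstrip("/") + "/")

def in_scope(ws, action):
    kind, target = action["kind"], action["target"]
    if kind == "file":
        # Relative paths cannot be judged without the agent's cwd: treat as out of scope.
        return posixpath.isabs(target) and any(_within(target, r) for r in ws.files)
    if kind == "service":
        return target in ws.services
    if kind == "state":
        return target in ws.state
    return False  # an action kind the declaration does not cover is never in scope

def audit(ws, log):
    """Return every logged action that falls outside the declared workspace."""
    return [a for a in log if not in_scope(ws, a)]

# Constructed declaration and action log for illustration.
WS = Workspace(task="update-docs", files=("/repo/docs",),
               services=("git",), state=("docs.build_id",))
LOG = [
    {"kind": "file", "target": "/repo/docs/index.md"},
    {"kind": "file", "target": "/repo/docs/../.env"},
    {"kind": "file", "target": "/repo/docs-private/keys.txt"},
    {"kind": "service", "target": "git"},
    {"kind": "service", "target": "payments-api"},
    {"kind": "state", "target": "docs.build_id"},
]

if __name__ == "__main__":
    for a in audit(WS, LOG):
        print(f"[{WS.task}] outside declared workspace: {a['kind']} {a['target']}")
```

Path checks here are lexical only; symlinks and other filesystem indirection are resolved by whatever enforcement layer sits underneath, not by this audit.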