Chapter 16: Capabilities And Sandboxing

Part III: Host Capabilities and Local App Surfaces

Why this chapter matters

Host capabilities are the safety boundary between Ricochet code and your machine. You should understand that boundary before reading files, calling HTTP, opening sockets, or launching processes.

What you will build

You will build a capability report and walk an approval record from creation to completion.

Concepts in plain English

A capability is permission. Sandboxing means running with fewer permissions until the program proves it needs a specific host power.

The chapter uses these concepts:

Vocabulary and commands

Primary coverage: runtime_capabilities, approval_create, approval_claim, approval_complete, approval_reject, approval_detail, and approval_release.

Capability-specific filesystem, workspace, HTTP, socket, process, PTY, TUI, and webview words are taught in later chapters.

Guided example

Open examples/learn/16-capabilities-and-sandboxing/capability-report.rco and run:

coderco run examples/learn/16-capabilities-and-sandboxing/capability-report.rco

Start by inspecting the runtime’s capability map:

coderuntime_capabilities inspect println drop

Approval records are local runtime objects for exactly-once authorization flows. Create an operation map, then create the approval:

codeoperation map
$operation "capability" "workspace.write" put drop
$operation "summary" "Approve a generated workspace write" put drop

options map
$operation $options approval_create value approval var

The generated token can be claimed once:

code$approval "id" at $approval "token" at approval_claim value claim var
$claim "claimed" at println

Complete or reject the approval after the protected action:

coderesult map
$result "path" "generated/example.txt" put drop
$approval "id" at $result approval_complete value completed var

Inspect the retained record when you need audit state, then release it when the app no longer needs to query it:

code$approval "id" at approval_detail value detail var
$approval "id" at approval_release value drop

How to read the example

Read the command first, then the code. The command grants the host powers the program may use. Inside the program, host calls usually return Result values or retained resource handles, so keep the same habit from Chapter 09: check the result, unwrap deliberately, and release or close resources when you are done.

Try it

Run the same report with a sandboxed profile:

coderco run --capability-profile sandboxed examples/learn/16-capabilities-and-sandboxing/capability-report.rco

The approval flow still works because it is runtime-local. Later chapters show how filesystem, HTTP, sockets, process, PTY, TUI, and webview powers change under sandboxing and allowlists.

Check your understanding

Common mistakes

Safety notes

Capability boundaries come before any destructive or network-capable examples. This chapter does not delete, write files, open sockets, spawn processes, or start UI sessions.

Production guidance

Production commands should request the smallest useful set of host powers. Prefer sandboxed runs for untrusted examples, bug reports, package reviews, and third-party code. Open only the filesystem roots, HTTP hosts, socket hosts, or process roots a task actually needs.

What you know now

You know how Ricochet makes host access explicit, how to inspect the runtime’s current host powers, and how approval records can guard a local operation without granting any power by themselves.

Next step

Continue to Chapter 17: Files, Workspaces, Environment, Config, And Secrets.