Agents wander. Hand one a real task and it will touch files you didn't mean to expose, call a tool you didn't intend, or act outside the job you gave it.

Bounded Systems builds the machinery that keeps an agent inside that job: software delivered by agents but governed like infrastructure. Each kind of system authority — filesystem, network, environment, subprocess — is reached through one sanctioned capability seam, so effects stay attributable and policy stays enforceable at the point of use.

This is the object-capability tradition — least authority, and authority held as an attenuable reference in the lineage of macaroons and Biscuit — carried into agent runs, next to the tools the field already uses: a policy engine that keeps the decision separate from the enforcement (the way Rego does for OPA), and an OS sandbox for containment (Docker, seccomp). An agent's git-writes are signed and attributable to their owner today; egress and external reads are next.

Every claim on this page is graded against the running code — Enforced, Partial, or Aspirational — by an instrument built to catch our own over-statements and file the gap. Docs generate from source and fail CI on drift, and guest-room's specs execute against its engine.

The capability model lives in two codebases: guest-room is the flagship — the model as a single, readable, spec-tested library — and prx runs it at full scale on a stack of small, single-responsibility capability libraries, one for each kind of system authority.

New here? Start with guest-room → START-HERE — the capability model in one readable library, with a runnable quickstart. It is the shortest path from the idea on this page to code you can point an agent at.

A guest-agnostic capability runtime. An agent holds a brokered reference to a service rather than the credentials behind it, and that authority can only be narrowed as it is passed onward, never widened. Its behavior specs execute against the engine, so the docs cannot drift from the code.

The agent-run work-unit CLI, where a work unit is one scoped task an agent owns end-to-end. Capability-scoped agents drive each work unit through one content-addressed, auditable pipeline to a merged PR, with git-writes signed and attributable to their owner. The @bounded-systems/* libraries below each live in their own repo and publish to JSR; prx consumes them as published dependencies.

Each is a narrow capability seam — the one sanctioned access point for one kind of ambient system power — so that effects stay attributable and policy stays enforceable.

Not every @bounded-systems/* package is a capability seam:

• verbspec — spec-driven CLI core: author a verb once as a typed VerbSpec, then project it to CLI, MCP, OpenAPI, and Anthropic tool surfaces. One source, many surfaces.
• prx-config — TUI configuration schema parser/emitter for the L1/L2 tools.

A door made real: a brokered capability an agent acts through, holding a socket to a service rather than the keys behind it. claude-box is the box; its authority is exactly the door references it holds.

The same discipline — draw a boundary, verify at it, let typed proof flow across — applied past system authority to what actually ships.

Every @bounded-systems/* library is a typed node: a verb (a capability that acts) or a noun (data that flows), declared in its own package.json. An arrow A → B means A's contract consumes B's. Generated from each package's bounded.* and drift-checked in CI — 19 verbs (capabilities) · 7 nouns (data) · 30 typed edges.

flowchart TD
  cas["cas · substrate"]
  machine_schema["machine-schema · schema"]
  audit_context["audit-context · context"]
  anchored_chain["anchored-chain · data-structure"]
  anchored_chain_sqlite["anchored-chain-sqlite · store-impl"]
  disposition["disposition · classifier"]
  prx_config["prx-config · config-schema"]
  env["env · capability-seam"]
  fs["fs · capability-seam"]
  host["host · capability-seam"]
  proc["proc · capability-seam"]
  policy["policy · engine"]
  verbspec["verbspec · projection-engine"]
  auth["auth · capability"]
  gh["gh · client"]
  git["git · capability-seam"]
  bd["bd · client"]
  github_budget["github-budget · governor"]
  scout["scout · reader"]
  slack["slack · reader"]
  repo_root["repo-root · resolver"]
  surface_sync["surface-sync · transform"]
  schema_gen["schema-gen · generator"]
  door_kit["door-kit · client"]
  guest_room["guest-room · runtime"]
  ocap_provenance["ocap-provenance · contract"]
  anchored_chain --> cas
  anchored_chain_sqlite --> anchored_chain
  anchored_chain_sqlite --> cas
  auth --> env
  bd --> env
  bd --> policy
  bd --> proc
  gh --> env
  gh --> github_budget
  gh --> policy
  gh --> proc
  git --> env
  git --> fs
  git --> policy
  git --> proc
  github_budget --> audit_context
  github_budget --> env
  github_budget --> proc
  host --> env
  proc --> env
  proc --> policy
  repo_root --> proc
  scout --> anchored_chain
  scout --> anchored_chain_sqlite
  scout --> cas
  slack --> anchored_chain
  slack --> anchored_chain_sqlite
  slack --> cas
  slack --> policy
  surface_sync --> disposition
  classDef noun fill:#1f6f43,stroke:#2ea043,color:#fff;
  classDef verb fill:#1f4f8f,stroke:#388bfd,color:#fff;
  class cas,machine_schema,audit_context,anchored_chain,anchored_chain_sqlite,prx_config,ocap_provenance noun;
  class disposition,env,fs,host,proc,policy,verbspec,auth,gh,git,bd,github_budget,scout,slack,repo_root,surface_sync,schema_gen,door_kit,guest_room verb;

• 🌐 bounded.tools
• 📦 prx on GitHub
• 🚪 guest-room on GitHub

prx, guest-room, and the libraries are source-available under PolyForm Noncommercial 1.0.0.