Your agent creates its own tools at runtime. Declarative JSON pipelines validated, sandboxed in WASM, and approved by humans before activation. The long tail of automation—solved without writing a single line of production code.
Eight step types that cover every data pipeline pattern—without a single line of arbitrary code.
When your agent encounters a task that no built-in tool handles—scraping a niche real estate site, polling a custom API, transforming data from an obscure format—it doesn't need a developer. It writes a declarative JSON pipeline using eight composable step types and submits it for approval. No code generation. No eval. No risk.
The DSL is a closed Zod discriminated union—no arbitrary step types can be injected. Every pipeline is validated against 55 reserved names, 12 SSRF patterns, and 17 code blocklist patterns before it ever reaches the sandbox.
Pipeline Definition (JSON DSL)
==============================
{
"name": "track_apartment_prices",
"description": "Monitor rental prices
in target neighborhoods",
"steps": [
{
"type": "web_search",
"query": "{{input.neighborhood}}
apartments for rent"
},
{
"type": "fetch_url",
"url": "{{steps[0].output.urls[0]}}"
},
{
"type": "extract",
"pattern": "\\$[\\d,]+/mo",
"source": "{{steps[1].output}}"
},
{
"type": "when",
"condition": "input.notify === true",
"then": {
"type": "email",
"to": "{{input.recipient}}",
"subject": "Price Update",
"body": "{{steps[2].output}}"
}
}
]
}QuickJS compiled to WebAssembly. Zero access to Node.js, the filesystem, or the network.
Every transform, filter, and when step runs
inside a QuickJS WASM sandbox—a JavaScript engine compiled to WebAssembly with
absolutely no access to your host environment. No require(). No
process.env. No fetch(). No fs. Just pure
data-in, data-out computation with hard resource limits.
This is the same isolation model used by Cloudflare Workers and Shopify Functions. Your agent can write arbitrary JavaScript transformations, and the worst outcome is a timeout—never a security breach.
6-Layer Defense-in-Depth
==============================
Layer 1: DSL Validation
Zod schema, 55 reserved names,
SSRF patterns, code blocklist,
500-char code limit, max 10 steps
Layer 2: QuickJS WASM Sandbox
Zero Node.js / filesystem / network
50 MB memory, 5s CPU timeout
Fresh context per execution
Layer 3: safeFetch SSRF Prevention
DNS resolve -> IP blacklist
RFC 1918, loopback, link-local,
Docker-internal, cloud metadata
Layer 4: HITL Approval
Full pipeline code shown to reviewer
Human sees every regex, URL, step
Auto-activates only on test pass
Layer 5: Trust Gating (OPEN+)
Only agents with trust >= 70
Rate limited: 3 builds/min max
Layer 6: SkillTrace Audit Trail
Every execution logged with
latency, input hash, output hashEvery skill your agent builds is reviewed, tested, and approved before it touches production data.
When your agent calls build_skill, the approval request shows the
complete pipeline definition to a human reviewer—every step type, every regex
pattern, every URL, every transformation. No hidden logic. No black-box execution.
Approvers see exactly what will run before granting permission.
The result: your agents adapt to new data sources and workflows in minutes instead of sprint cycles, while your security team retains full control over what runs in production.
Skill Lifecycle
==============================
1. Agent encounters novel task
"Track prices on CustomSite.com"
2. Agent writes pipeline definition
4 steps: fetch -> extract ->
transform -> format
3. HITL approval requested
Reviewer sees full pipeline:
- URL: customsite.com/listings
- Regex: \$[\d,]+
- Transform: sort by price
- Format: markdown table
4. Reviewer approves via Telegram
[Approve] [Deny]
5. Pipeline test-runs automatically
Input: { query: "test" }
Output: validated, no errors
6. Skill auto-activates
Status: pending -> active
Available for all future tasks
7. After 30 days of inactivity
Status: active -> expired
Agent can rebuild if neededStop writing one-off integrations. Deploy an agent that adapts to new data sources on its own—with full human oversight.