Security Through Capabilities
Worka’s security model is based on bounded capability, not on blind trust.
The pack should only receive the power it needs to do its job:
- the tools it is meant to expose
- the host services it is meant to call
- the outbound destinations it is meant to reach
- the connections and secrets it is meant to use
Without a capability model, every pack becomes a high-trust component. That creates three problems immediately:
- it is harder to review what the pack can do
- it is harder to explain a failure or security incident
- it is harder to reuse the pack in lower-trust environments
Bounded capability keeps the pack small enough to understand.
Capability surfaces to think about
When you review a pack, think about capability in at least these dimensions:
- tool surface
- outbound network reach
- host service access
- connection and secret access
- workspace or shared-view exposure
Each one should be intentional.
Start narrow, then widen only when needed
The safest default is:
- few tools
- few outbound domains
- one clear connection provider if needed
- limited host-service use
If the pack later needs more power, expand it deliberately. That is much easier than starting broad and trying to claw access back later.