Skip to content
Qosm
DocsBlogPrivate betaSign In

Attenuations

Narrowing capabilities so agents get the minimum access they need.

You have a broad read_file capability. But you want the agent to read only one configuration file. In most frameworks, you'd write a runtime check. In Qosm, you use a closure.

// Broad capability from the platform
extern read_file : {path: String} -> Result<String, QosmError> ! {File.Read};

// Attenuated: restricted to /config/
let config_read path = read_file {path: "/config/" ++ path};

// Attenuated further: restricted to one specific file
let app_config _ = read_file {path: "/config/app.toml"};

The agent receives app_config. It's a function that reads exactly one file. It cannot reach read_file — that function was never provided to it. This isn't a permission check. There's nothing to bypass. The agent literally doesn't have the broad function in scope.

Why closures work for security

This might seem too simple to be secure, but that's exactly the point. Qosm doesn't have import, reflection, or dynamic dispatch. A function can only call what's in its scope. When you wrap a capability in a closure, the inner function is captured but not exposed.

let scoped_get url =
  github_get {url: "https://api.github.com/repos/myorg/" ++ url, headers: []};

// The agent receives scoped_get
// It can only access repos under "myorg" — by construction
// Not by a check that might have bugs. By the language semantics.

Workspace-level attenuations

The workspace provides attenuations at the infrastructure level too:

  • Domain restrictions on HTTP capabilities — http_get scoped to api.github.com rejects any request to a different domain
  • Static headers — authentication injected without exposing credentials
  • Pinned tools — MCP tools and OpenAPI endpoints with some arguments pre-filled, creating narrower versions

When you create a capability set with domain: api.github.com and a Bearer token, you're attenuating the raw HTTP capability into something the agent can use safely.

Composing attenuations

Attenuations compose. You can attenuate an already-attenuated capability:

// Start: github_get scoped to api.github.com with auth
// Narrow to a specific org:
let org_repos path = github_get {url: "https://api.github.com/orgs/myorg/" ++ path, headers: []};
// Narrow further to just the repos endpoint:
let list_repos _ = org_repos "repos";

Each layer narrows the scope. The agent only sees the most restricted version.

That covers the core ideas behind Qosm. Now let's put them all together by building a real agent. Tutorial: Self-Healing Agent →