problem
Every current path for "website asks an agent to do something" hands the website control of the agent — its prompts, its tools, its outputs. The user is reduced to a credential.
~/projects/ezafezaf.sudoscience.dev →
EZAF
prototypeaka “Easy Agentic Federation”
# user-owned effect routing for agentic work
Websites may request agentic work, but users control review, execution, routing, and result release.
The protocol handler is one instantiation. The primitive underneath: EZAF is an effect-routing layer for user-controlled authority — any surface can propose work, any runtime can request effects, any handler can satisfy them, and the user controls authority, policy, continuity, and release.
thesis
Let websites ask your agent to do work without letting websites control your agent. The website initiates; the user's local environment decides what runs, where it runs, with what tools, on what data, and what leaves.
federation loop
the smallest useful protocol surface
invocation link
A website creates an ezaf:// protocol-handler URL pointing at a fetchable request manifest.
request manifest
Origin, prompt, inputs, requested capabilities, callback, state nonce, expiry — declared up front, reviewable as a unit.
local review
The user inspects origin, tools, backend, and prompt before the agent does any work. No execution before approval.
explicit continuation
Approved output returns through a callback, extension handoff, or local rendezvous handle. No release before approval.
security contract
what websites cannot do
run silently
No execution happens before the user approves the reviewed manifest.
receive early
The website gets nothing until the user releases the previewed result.
use undeclared tools
Capabilities outside the manifest do not execute.
redirect callbacks
Cross-origin callback destinations are warned or blocked by default.
effects, not authority
agents should emit effects, not hold authority
The agent-sandboxing question — no firewall/proxy/temp credentials, bash can't reach the secret, streaming I/O — was asked publicly by an eval-platform founder, and it has no clean answer while the agent is a monolithic CLI holding credentials and running tools. The sandbox is a symptom of the wrong abstraction.
the core invariant
Agents may request effects; handlers possess authority; untrusted code receives only effect results. The model API key becomes an implementation detail of the model.complete handler — there is nothing for bash to leak.
ambient APIs vs explicit effects
Today the agent has power and the sandbox subtracts it after the fact. Better: the agent has no power and handlers grant specific effects — model.complete, shell.run, fs.read/write, net.fetch, artifact.release, user.ask. State + Event → State + Effects; the handlers own the dirty world.
hooks are the migration wedge
v0 wrap existing CLIs → v1 structured effect log → v2 hooks as guards → v3 hooks as routers (delegate to EZAF handlers: sandbox, CI, WASI, human approval) → v4 split model client from tool runner → v5 native effect-mode agents. Nothing is replaced; authority is relocated.
the eval dividend
Typed effect traces beat transcripts as eval artifacts: did the agent request the right effects, ask for excess authority, route correctly, recover from denials, leak into stdout? The architecture that makes sandboxing tractable makes behavior testable.
field card: emulate vs relocate
Filed by hand, the way Rhett's logos agent will file it: vercel-labs/just-bash ("Bash for Agents") sandboxes by emulation — a pure-TypeScript bash over a virtual filesystem, so there is no real process to leak from. Relation: adjacent prior art; impact: complicates — and concedes the premise: the interpreter is a handler that owns the whole world. Emulate or relocate, the authority leaves the agent either way.
roadmap
trust moves from prompts to provenance
browser extension bridge
Tracks the initiating tab, brokers callback state, and places approved results back where the request started.
signed intents
Manifests verifiable against a trusted origin or known publisher key.
trust registry
Origins, keys, callbacks, and capability defaults as a user-editable policy layer.
artifacts
status, honestly
site & link builderlive
ezaf.sudoscience.dev
effects doctrinelive
ezaf site /effects — the sandbox is the wrong boundary; move authority into handlers
agentic workflow cookbook (ports)prototype
the effects invariant in workflow form: recipes request work through typed ports — task executor, completeness judge, clock — and the harness owns the authority; the same recipe runs under Temporal and AWS durable Lambdas because no engine leaked in
approval gate, liveprototype
the EZAF loop you can click: in desh's browser shell (desh.sudoscience.dev/demo), a canned agent requests typed effects — reads pass by policy, writes and releases gate on you — and approvals, denials, and the agent's adaptation to a denial all land on the session ledger
manifest shapeprototype
versioned request/continuation types
local handlerprototype
Electron protocol handler with review console (ezaf-prototype repo)
hooks adapterroadmap
PreToolUse → typed effect requests routed through EZAF handlers
signed intents & registryroadmap
provenance layer
edges
connected investigations
A website proposes agentic work; the user's environment reviews, routes, executes, previews, and releases it. That distinction is the product — and it generalized the day a stranger asked for a rock-solid agent sandbox and the honest answer was: wrong abstraction.