General Text & Computing Company

Security & the App Sandbox

General Text runs apps you didn't write — from the gallery, from a URL, or your own. So the platform makes one structural guarantee about every app, enforced by the browser and the server rather than by trust:

An installed app can talk only to the General Text FileAPI, and can read or write only the files in its own scope. It cannot reach any other server, and it cannot touch the rest of your workspace.

This holds for first-party apps too — we hold ourselves to the same boundary, so "it's just an app" always means the same thing.

What an app can and cannot do

  • Can: read and write files in its own folder, _gtApps/{app}/ — its private storage — and live-sync them.
  • Can, with your permission: read or write a folder (e.g. notes/) or a file type (e.g. *.md) you explicitly grant it.
  • Cannot: see or change anything else in your workspace.
  • Cannot: make a network request to anywhere except General Text. No analytics, no third-party scripts, no "phone home" — even if the app's code tries.

How it's enforced

Four mechanisms, each independent, combine so the guarantee doesn't rest on any single check:

  1. Isolated origin. Every app runs on its own dedicated web origin, separate from the General Text shell. The browser's same-origin policy keeps its scripts, DOM and storage walled off from your session and from other apps, and your sign-in cookie, which belongs to the shell's origin, is never sent to it.
  2. No network egress. A Content-Security-Policy on the app's origin restricts its network access to the General Text FileAPI alone: fetch, XHR and WebSocket connections (connect-src) may go nowhere else, and scripts, styles, images and fonts may come only from the app's own bundle. You can verify this yourself in your browser's devtools: a request to anywhere else fails and is reported as a CSP violation in the console. That blocked request is the guarantee made visible.
  3. A scoped, short-lived token. When you open an app, General Text issues it a capability token good only for its scope, handed over privately and refreshed automatically. It is the app's only credential.
  4. Server-side enforcement. The FileAPI independently checks that token on every file read, write, and live-sync subscription, and refuses anything outside the app's scope — so a bug or a lie on the client side still can't widen access.
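Two of the four layers above, written out as an added example rather than General Text's own code: the Content-Security-Policy that leaves an app origin only the FileAPI (mechanism 2), and the server-side scope check that refuses any path outside the app's private folder and user-approved grants (mechanism 4). The FileAPI origin, the token's field names (app, grants, exp) and the grant syntax are assumptions made for illustration; the token is assumed to have been signature-verified before it reaches authorize().

```javascript
// Added example, not General Text's own code. Origin names, token fields and
// grant syntax are assumptions for illustration.

const FILE_API_ORIGIN = "https://fileapi.generaltext.example"; // assumed

// Mechanism 2: the CSP served on an app origin. The browser blocks every
// fetch/XHR/WebSocket target other than the FileAPI, and every external
// script, style, image or font. 'self' lets the app load its own bundle.
function buildAppCsp(fileApiOrigin = FILE_API_ORIGIN) {
  return [
    "default-src 'self'",
    `connect-src ${fileApiOrigin}`,
    "script-src 'self'",
    "style-src 'self'",
    "img-src 'self' data:",
    "font-src 'self'",
    "object-src 'none'",
    "base-uri 'none'",
    "form-action 'none'",
  ].join("; ");
}

// Collapse ".", "..", repeated slashes and a leading "/" so that a client that
// lies about its path ("_gtApps/notes-app/../../secrets.md") is compared
// against the path it would really touch.
function normalizePath(p) {
  const out = [];
  for (const seg of String(p).split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return out.join("/");
}

// A grant scope is a folder prefix ("notes/"), a file-type glob ("*.md") or a
// single file path. `path` must already be normalized.
function grantMatches(scope, path) {
  if (scope.endsWith("/")) {
    const dir = normalizePath(scope);
    return path === dir || path.startsWith(dir + "/");
  }
  if (scope.startsWith("*.")) return path.endsWith(scope.slice(1));
  return path === normalizePath(scope);
}

// Mechanism 4: the check the FileAPI runs on every read, write and live-sync
// subscription. `token` is the decoded, already signature-verified capability
// token; assumed shape { app, grants: [{ scope, mode: "ro" | "rw" }], exp }
// with exp as a UNIX timestamp in seconds.
function authorize(token, op, path, now = Date.now()) {
  if (!token || typeof token.app !== "string") return { ok: false, reason: "no token" };
  // Defence in depth: an app name is never allowed to contain path syntax.
  if (!/^[a-z0-9][a-z0-9_-]*$/i.test(token.app)) return { ok: false, reason: "bad app name" };
  if (typeof token.exp !== "number" || token.exp * 1000 <= now) return { ok: false, reason: "expired" };
  if (!["read", "write", "subscribe"].includes(op)) return { ok: false, reason: "bad op" };

  const target = normalizePath(path);
  if (target === "") return { ok: false, reason: "empty path" };

  // Private storage (_gtApps/{app}/): always allowed, no grant needed.
  const home = `_gtApps/${token.app}`;
  if (target === home || target.startsWith(home + "/")) return { ok: true, reason: "private storage" };

  // Anything else needs a user-approved grant covering both the path and the op.
  for (const g of token.grants || []) {
    if (!grantMatches(g.scope, target)) continue;
    if (op === "write" && g.mode !== "rw") return { ok: false, reason: "read-only grant" };
    return { ok: true, reason: `grant ${g.scope}` };
  }
  return { ok: false, reason: "outside scope" };
}

// Constructed sample token (not a real one): read/write on notes/, read-only on *.md.
const sampleToken = {
  app: "notes-app",
  exp: Math.floor(Date.now() / 1000) + 600,
  grants: [{ scope: "notes/", mode: "rw" }, { scope: "*.md", mode: "ro" }],
};
console.log(buildAppCsp());
console.log(authorize(sampleToken, "read", "_gtApps/notes-app/../other-app/state.json")); // refused
console.log(authorize(sampleToken, "write", "journal/2024.md"));                         // refused, grant is read-only
```

The traversal case is the one worth dwelling on: the client's string names a path inside its own folder, but after normalization it lands in another app's private storage, and the server refuses it regardless of what the client-side code believed. The CSP in buildAppCsp() is browser-enforced and cannot be trusted on its own; authorize() is what makes a lying client harmless.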

What this means for you as a developer

You don't write any of this — it's automatic. Practically:

  • Keep your app's data under _gtApps/{your-app}/ and it works with zero permissions.
  • To touch the user's own files, request a grant; the user approves the scope.
  • Bundle everything. Because there's no egress, third-party CDN scripts, fonts, or analytics will be blocked. Ship a self-contained build.
  • Your app's data is plain files the user owns — readable by them, their other tools, and their AI, forever.
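A pre-flight check for the "bundle everything" rule, added here as an example and not part of General Text's tooling: it scans built HTML, JS or CSS for absolute and protocol-relative URLs and reports every one whose origin is neither the app itself (relative paths) nor the FileAPI, which is exactly the set of references the sandbox's CSP would block at runtime. The FileAPI origin and the two sample files are constructed for the example.

```javascript
// Added example, not General Text's own tooling. The FileAPI origin is an
// assumption; the sample files below are constructed for illustration.

const ALLOWED_ORIGINS = new Set(["https://fileapi.generaltext.example"]); // assumed

// Absolute http(s) or protocol-relative (//host/...) references, as they appear
// in HTML attributes, JS string literals, CSS url() and @import. A dotted host
// is required so "//" comments in unminified source are not reported.
const URL_RE = /(?:https?:)?\/\/[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d+)?(?:\/[^\s"'`<>()]*)?/gi;

// Returns one finding per reference that the app's CSP would block.
function findExternalReferences(text, allowedOrigins = ALLOWED_ORIGINS) {
  const found = [];
  for (const match of text.matchAll(URL_RE)) {
    const raw = match[0].startsWith("//") ? "https:" + match[0] : match[0];
    let origin;
    try { origin = new URL(raw).origin; } catch { continue; } // not a parseable URL
    if (allowedOrigins.has(origin)) continue;
    found.push({ url: raw, origin, offset: match.index });
  }
  return found;
}

// Run the check over a whole build: { filename: contents }.
function checkBundle(files, allowedOrigins = ALLOWED_ORIGINS) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    for (const f of findExternalReferences(text, allowedOrigins)) findings.push({ file, ...f });
  }
  return findings;
}

// Constructed sample build: a CDN font, a CDN script and an analytics beacon
// that will all be blocked, beside a relative script and a FileAPI call that
// are fine.
const SAMPLE_BUILD = {
  "index.html": `<!doctype html>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="./app.js"></script>
<script src="//cdn.jsdelivr.net/npm/lodash@4/lodash.min.js"></script>
<img src="data:image/png;base64,iVBORw0KGgo=">`,
  "app.js": `fetch("https://fileapi.generaltext.example/v1/files/_gtApps/notes-app/state.json");
navigator.sendBeacon("https://analytics.example.com/collect", "{}");`,
};

for (const f of checkBundle(SAMPLE_BUILD)) {
  console.log(`${f.file}: ${f.url} (origin ${f.origin} will be blocked by CSP)`);
}
```

Run it against the build output rather than the source tree, so that every bundler-inlined dependency is covered; a clean report means nothing in the bundle depends on a host the sandbox will refuse.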

See Building Apps for the full contract.