Powerbox
The inter-grain capability sharing mechanism in Sandstorm/Melusina OS, enabling secure permission delegation via claim tokens and persistent sturdyRefs.
Full Definition
The Powerbox is the capability brokering system at the heart of Sandstorm/Melusina OS. It is the only mechanism through which grains can share access to each other's resources. When a grain needs a capability it doesn't have — access to an Offering, a KYC result, a distribution channel — it requests it through the Powerbox. The request produces a claim token. When the granting grain accepts, the claim token becomes a persistent sturdyRef: a durable, revocable, fine-grained capability reference serialized via Cap'n Proto.
There is no ambient authority. No global permissions. No role-based access control. If a grain doesn't hold a sturdyRef to a resource, that resource does not exist in its universe.
Why It Matters
The Powerbox is what makes Sails.to's security model fundamentally different from every other platform in the industry. In a traditional system, a Broker Portal might have "read access to KYC data" via a database role. That role grants access to all KYC data, for all investors, forever, unless explicitly revoked. One compromised credential and the entire KYC database is exposed.
With the Powerbox, a Broker Portal grain receives a sturdyRef to exactly one KYC result for exactly one investor. It cannot enumerate other results. It cannot escalate its access. It cannot even discover what other capabilities exist. The DAO Manager grain grants Offering access to Brokers through the Powerbox. KYC results flow to Trustees through the Powerbox. Every capability is explicit, auditable, and revocable.
How It Works
- Grain A (e.g., Broker Portal) requests a capability from the Powerbox — "I need access to Offering X"
- The Powerbox identifies Grain B (e.g., DAO Manager) as the authority for that capability
- Grain B evaluates the request and, if authorized, generates a claim token
- The claim token is delivered to Grain A and resolved into a persistent sturdyRef via Cap'n Proto
- Grain A can now invoke methods on the capability — but only the methods the sturdyRef exposes
- The granting grain can revoke the sturdyRef at any time, instantly terminating access
Capability delegation is transitive but attenuating — a grain can share a subset of its own capabilities, never more than it holds.
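The request, claim, invoke and revoke steps above, modelled in Python as an added example (not Sandstorm or Melusina OS code, and no Cap'n Proto serialization): the Powerbox routes a request to the authority grain's own policy, mints a single-use claim token, exchanges it for a sturdyRef that exposes only the granted methods, and the grantor can revoke or attenuate. The names Powerbox, SturdyRef, invoke and attenuate, and the rule that revoking a ref also kills refs delegated from it, are assumptions of this model.

```python
import secrets
from dataclasses import dataclass

@dataclass
class SturdyRef:
    resource: str                        # e.g. "offering:X"
    methods: frozenset                   # the only methods this reference exposes
    parent: "SturdyRef | None" = None    # set when delegated from another ref
    _revoked: bool = False
    def revoke(self):
        self._revoked = True
    @property
    def revoked(self):
        # Modeling assumption: revoking a ref also kills everything delegated from it.
        return self._revoked or (self.parent is not None and self.parent.revoked)

class Powerbox:
    def __init__(self):
        self._authority = {}   # resource -> policy(requester, resource, methods) -> bool
        self._pending = {}     # claim token -> (requester, resource, methods)
    def register(self, resource, grain_policy):
        self._authority[resource] = grain_policy   # Grain B's own authorization logic

    def request(self, requester, resource, methods):
        # Steps 1-3: route to the authority grain; a claim token is minted only if it approves.
        policy = self._authority.get(resource)
        if policy is None or not policy(requester, resource, methods):
            return None
        token = secrets.token_urlsafe(16)           # unguessable and single-use
        self._pending[token] = (requester, resource, frozenset(methods))
        return token

    def claim(self, requester, token):
        # Step 4: the token is exchanged for a sturdyRef and consumed, even on failure.
        owner, resource, methods = self._pending.pop(token)   # KeyError if unknown or used
        if owner != requester:
            raise PermissionError("claim token was issued to another grain")
        return SturdyRef(resource, methods)

def invoke(ref, method):
    # Step 5: only the methods the sturdyRef exposes can be called; revoked refs are dead.
    if ref.revoked or method not in ref.methods:
        raise PermissionError(f"{method!r} not available on this sturdyRef")
    return f"{method} on {ref.resource}"

def attenuate(ref, methods):
    # Delegation is attenuating: hand on a subset of the held methods, never more.
    if ref.revoked or not frozenset(methods) <= ref.methods:
        raise PermissionError("cannot delegate more than held")
    return SturdyRef(ref.resource, frozenset(methods), parent=ref)
```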
Related Terms
Capabilities, not permissions
Every access explicit. Every delegation auditable. Every grant revocable.