An ocap-safe library system, capable of safely passing around macros

[cwebber]

One only need look at the disaster affecting npm-land to see how badly things can get if you can't reason about the principle of least authority on your packages. It would be good to start, a priori, with the assumption that we take this approach. That is to say, rather than a module being able to "reach out" and grab whatever it wants (filesystem access, network access, etc), the module is explicitly "handed access" to such things.

One could make such a system today in Racket, but passing around syntax/macros is another matter; that seems wholly integrated with the module system. I couldn't figure out how to do it.

A key part of this is probably dropping the idea of there being "one" global namespace, but I'm not sure it's absolutely necessary.

Some sources of inspiration:

• A Security Kernel Based on the Lambda Calculus (ie, security as basic argument passing in something like Scheme)
• Agoric's writeup on Safe Javascript Modules
• Discussion of "what are ocaps" with Kate Sills, in case you're new to these concepts