docs: polish public docs wording (#12)

aallam · web-flow · commit 942499d8ebeb · 2026-04-07T22:28:35.000+02:00
Align the security and trust-model language across the site, architecture docs, and package READMEs.

Clarify the remote executor setup by separating the host-side and runner-side examples.
diff --git a/README.md b/README.md
@@ -2,15 +2,15 @@
 
 # execbox
 
-Secure code execution for [Model Context Protocol](https://modelcontextprotocol.io/) tools and wrapped MCP servers.
+Portable code execution for [Model Context Protocol](https://modelcontextprotocol.io/) tools and wrapped MCP servers.
 
 [![License](https://img.shields.io/github/license/aallam/execbox?style=flat-square)](https://github.com/aallam/execbox/blob/main/LICENSE)
 [![Docs](https://img.shields.io/badge/docs-site-0ea5e9?style=flat-square)](https://execbox.aallam.com)
 [![Packages](https://img.shields.io/badge/packages-7-111827?style=flat-square)](#package-map)
 
 </div>
 
-Execbox turns host tool catalogs into callable guest namespaces, supports MCP wrapping on both sides of the boundary, and lets you choose where guest JavaScript runs: in-process, in a worker, in a child process, or behind your own remote transport.
+Execbox turns host tool catalogs into callable guest namespaces, supports MCP wrapping on both sides of the boundary, and lets you place guest JavaScript where it fits your deployment: in-process, in a worker, in a child process, or behind your own remote transport.
 
 ## Package Map
 
diff --git a/docs/architecture/README.md b/docs/architecture/README.md
@@ -85,7 +85,7 @@ sequenceDiagram
 
 ## Trust Model and Security Posture
 
-Execbox reduces accidental exposure, but it does not claim a hard security boundary for hostile code in its default deployment model.
+Execbox provides defense-in-depth controls around guest execution, but hard isolation still depends on the executor and deployment boundary you choose.
 
 ```mermaid
 flowchart LR
@@ -103,7 +103,7 @@ flowchart LR
 
 Key implications:
 
-- The real capability boundary is the provider/tool surface, not the JavaScript syntax itself.
+- The provider/tool surface is the capability boundary, not the JavaScript syntax itself.
 - Fresh runtimes, schema validation, JSON-only boundaries, timeouts, memory limits, and bounded logs are defense-in-depth features.
 - In-process execution still shares the host process. Use a separate process, container, VM, or similar boundary when the code source is hostile or multi-tenant.
 - Wrapping third-party MCP servers is a separate dependency-trust decision from letting end users author guest code.
diff --git a/docs/architecture/execbox-executors.md b/docs/architecture/execbox-executors.md
@@ -122,7 +122,7 @@ The four executors expose the same public result shape, but they enforce limits
 
 ## Security and Operational Trade-offs
 
-- All four executors are documented as best-effort isolation, not hard hostile-code boundaries.
+- All four executors provide defense-in-depth measures, not standalone hard hostile-code boundaries.
 - QuickJS is the easiest operational default and has the cleanest shared runtime story.
 - Remote execution keeps the same executor API while moving the runtime behind an app-defined boundary, but execbox deliberately does not ship the network stack for you.
 - Process-backed QuickJS gives a stronger lifecycle split than worker threads, but it is still not equivalent to a container or VM boundary.
diff --git a/docs/architecture/index.md b/docs/architecture/index.md
@@ -56,11 +56,11 @@ At a high level, execbox always follows the same model:
 
 ## Trust model and security posture
 
-Execbox reduces accidental exposure, but it does not claim a hard security boundary for hostile code in its default deployment model.
+Execbox provides defense-in-depth controls around guest execution, but hard isolation still depends on the executor and deployment boundary you choose.
 
 Key implications:
 
-- The real capability boundary is the provider/tool surface, not the JavaScript syntax itself.
+- The provider/tool surface is the capability boundary, not the JavaScript syntax itself.
 - Fresh runtimes, schema validation, JSON-only boundaries, timeouts, memory limits, and bounded logs are defense-in-depth features.
 - In-process execution still shares the host process. Use a separate process, container, VM, or similar boundary when the code source is hostile or multi-tenant.
 - Wrapping third-party MCP servers is a separate dependency-trust decision from letting end users author guest code.
diff --git a/docs/examples.md b/docs/examples.md
@@ -1,6 +1,6 @@
 # Examples
 
-Use the examples when you want a runnable starting point rather than package-by-package reference material.
+Use these examples when you want a runnable starting point instead of reading package-by-package reference material first.
 
 ## Run everything
 
@@ -17,7 +17,7 @@ npm run examples
 | [`execbox-basic.ts`](https://github.com/aallam/execbox/blob/main/examples/execbox-basic.ts) | Resolve a provider and execute guest code with QuickJS. | You want the smallest end-to-end example. |
 | [`execbox-process.ts`](https://github.com/aallam/execbox/blob/main/examples/execbox-process.ts) | Run the same provider flow inside a child-process executor. | You want a stronger lifecycle boundary than in-process execution. |
 | [`execbox-worker.ts`](https://github.com/aallam/execbox/blob/main/examples/execbox-worker.ts) | Run the same provider flow inside a worker-thread executor. | You want QuickJS off the main thread. |
-| [`execbox-remote.ts`](https://github.com/aallam/execbox/blob/main/examples/execbox-remote.ts) | Run the same provider flow through a transport-backed executor. | You already own the remote boundary and want execbox to plug into it. |
+| [`execbox-remote.ts`](https://github.com/aallam/execbox/blob/main/examples/execbox-remote.ts) | Run the same provider flow through a transport-backed executor. | You already own the runtime boundary and want execbox to plug into it. |
 | [`execbox-mcp-provider.ts`](https://github.com/aallam/execbox/blob/main/examples/execbox-mcp-provider.ts) | Wrap MCP tools into a provider and execute against them. | You want guest code to call upstream MCP tools as code. |
 | [`execbox-mcp-server.ts`](https://github.com/aallam/execbox/blob/main/examples/execbox-mcp-server.ts) | Expose `mcp_search_tools`, `mcp_execute_code`, and `mcp_code`. | You want downstream MCP clients to execute code against a wrapped tool namespace. |
 | [`execbox-isolated-vm-basic.ts`](https://github.com/aallam/execbox/blob/main/examples/execbox-isolated-vm-basic.ts) | Run the same provider flow on the `isolated-vm` backend. | You explicitly want the `isolated-vm` runtime. |
diff --git a/docs/getting-started.md b/docs/getting-started.md
@@ -1,6 +1,6 @@
 # Getting Started
 
-Execbox works best when you start small: define one provider, run one snippet, then choose a stronger boundary only when your deployment needs it.
+Execbox works best when you start with QuickJS, get one provider flow working, and then choose a stronger boundary only when your deployment needs it.
 
 ## Requirements
 
@@ -46,7 +46,7 @@ console.log(result);
 
 ## Which package should I use?
 
-- Use `@execbox/quickjs` first unless you already know you need a stronger boundary.
+- Use `@execbox/quickjs` first unless you already know you need a separate runtime boundary.
 - Use `@execbox/process` when you want QuickJS semantics in a separate child process.
 - Use `@execbox/worker` when you want QuickJS off the main thread with pooled workers.
 - Use `@execbox/remote` when your runtime already lives behind an application-owned transport.
diff --git a/docs/index.md b/docs/index.md
@@ -6,7 +6,7 @@ titleTemplate: false
 hero:
   name: execbox
   text: Portable code execution for MCP tools
-  tagline: Turn host tool catalogs into callable code, choose the execution boundary that fits your deployment, and keep your security claims honest.
+  tagline: Turn host tool catalogs into callable code, add defense-in-depth controls around guest execution, and choose the boundary that fits your deployment.
   actions:
     - theme: brand
       text: Getting Started
@@ -49,10 +49,10 @@ That split gives you one execution contract across QuickJS, worker-thread, child
 
 ## Security posture
 
-Execbox is intentionally conservative about its claims:
+Execbox provides defense-in-depth controls around guest code execution:
 
 - It provides fresh runtimes, JSON-only boundaries, schema validation, bounded logs, and execution limits.
-- It does **not** claim a hard security boundary for hostile code in its default deployment model.
-- The real capability boundary is the provider/tool surface you expose.
+- Hard isolation depends on the executor and deployment boundary you choose.
+- The provider/tool surface is the capability boundary.
 
 Read [Security](/security) before deciding which executor to use in production.
diff --git a/docs/security.md b/docs/security.md
@@ -1,6 +1,6 @@
 # Security & Boundaries
 
-Execbox reduces accidental exposure, but it does not market itself as a hard security boundary for hostile code in its default deployment model.
+Execbox provides defense-in-depth controls for guest code execution. The isolation level you get depends on the executor and deployment boundary you choose.
 
 ## What execbox does provide
 
@@ -21,7 +21,7 @@ Execbox reduces accidental exposure, but it does not market itself as a hard sec
 
 The provider/tool surface is the capability boundary.
 
-If guest code can call a dangerous tool, guest code can exercise that authority. Execbox changes how tool access is exposed and controlled; it does not erase the authority behind the tool itself.
+Providers are explicit capability grants. If guest code can call a dangerous tool, guest code can exercise that authority. Execbox changes how tool access is exposed and controlled; it does not erase the authority behind the tool itself.
 
 ## Choosing the right boundary
 
diff --git a/examples/README.md b/examples/README.md
@@ -5,7 +5,7 @@ Runnable examples for the `@execbox/*` package family.
 [![Examples](https://img.shields.io/badge/examples-runnable-0ea5e9?style=flat-square)](https://github.com/aallam/execbox/tree/main/examples)
 [![CI](https://img.shields.io/github/actions/workflow/status/aallam/execbox/ci.yml?branch=main&style=flat-square&label=CI)](https://github.com/aallam/execbox/actions/workflows/ci.yml)
 
-## Run Them
+## Run the examples
 
 ```bash
 npm install
@@ -20,6 +20,8 @@ npm run example:execbox-isolated-vm
 npm run verify:isolated-vm
 ```
 
+See the public [Examples docs](https://execbox.aallam.com/examples) for when to start with each example.
+
 ## Execbox
 
 | File                                                             | What it shows                                                  |
diff --git a/packages/core/README.md b/packages/core/README.md
@@ -50,7 +50,7 @@ Swap in `@execbox/remote` when you want the same API but a caller-managed remote
 ## Security Posture
 
 - Execbox gives you fresh execution state, JSON-only tool boundaries, schema validation, timeout handling, memory limits, and bounded logs.
-- Execbox does not give you a hard security boundary for hostile code by itself. The actual boundary depends on which executor you pair it with.
+- Hard isolation depends on the executor and deployment boundary you pair with `@execbox/core`.
 - Providers are explicit capability grants. Every tool you expose is authority you are handing to guest code.
 - In the default deployment model, provider and MCP tool definitions are controlled by the application, not by the end user.
 - Third-party MCP integrations should be reviewed as dependency-trust decisions, not folded into the primary end-user attacker model.
diff --git a/packages/isolated-vm/README.md b/packages/isolated-vm/README.md
@@ -39,7 +39,7 @@ npm install @execbox/core @execbox/isolated-vm
 
 - Each execution gets a fresh `isolated-vm` context with JSON-only tool and result boundaries.
 - In the default deployment model, provider definitions are controlled by the host application, while hostile users control guest code and tool inputs.
-- This package is still in-process execution. It should not be marketed or relied on as a hard security boundary for hostile code.
+- This package is still in-process execution. It is not a substitute for a separate trust boundary such as a container or VM.
 - Providers remain the real capability boundary. If a tool is dangerous, guest code can invoke it.
 
 ## Architecture Docs
@@ -78,4 +78,4 @@ npm run verify:isolated-vm
 
 The required CI lane runs the isolated-vm suite on Node 24 with `--no-node-snapshot`, which is the best local environment to match when validating native-runtime changes.
 
-`isolated-vm` is not documented here as a hard security boundary. If process stability matters more than in-process performance, prefer process isolation around the executor.
+If process stability and trust separation matter more than in-process performance, prefer process or remote isolation around the executor.
diff --git a/packages/process/README.md b/packages/process/README.md
@@ -101,7 +101,7 @@ Queue wait time is pool backpressure, not execution time. The configured executi
 ## Security Notes
 
 - This package improves lifecycle isolation by moving the QuickJS runtime to a fresh child process.
-- It is still not documented as a hard hostile-code boundary equivalent to a container or VM.
+- It strengthens the lifecycle boundary, but it is still not equivalent to a container or VM for hostile code.
 - Providers remain the real capability boundary.
 - Internally it is a thin transport adapter over the shared `execbox-protocol` host session and the shared QuickJS protocol endpoint.
 
diff --git a/packages/protocol/README.md b/packages/protocol/README.md
@@ -38,7 +38,7 @@ npm install @execbox/core @execbox/protocol
 
 - This package is protocol glue, not a sandbox.
 - It does not provide isolation by itself.
-- The host tool surface remains the real capability boundary.
+- The host tool surface remains the capability boundary.
 - Worker/process lifecycle isolation comes from the surrounding executor package, not from this package alone.
 
 ## Architecture Docs
diff --git a/packages/quickjs/README.md b/packages/quickjs/README.md
@@ -18,8 +18,8 @@ Docs: https://execbox.aallam.com
 - Each execution gets a fresh QuickJS runtime with no ambient Node globals injected by execbox.
 - Tool calls cross a JSON-only bridge, and executor timeouts propagate abort signals to in-flight provider work.
 - In the default deployment model, provider definitions are controlled by the host application, while hostile users control guest code and tool inputs.
-- This package is not presented as a hard security boundary for hostile code. It is best-effort in-process isolation.
-- If you need a stronger boundary, run execbox behind a separate process or container.
+- This package is designed for host-controlled deployments and does not by itself create a hard isolation boundary for hostile code.
+- If you need a stronger boundary, move execution into a separate process, container, or remote runtime.
 
 ## Architecture Docs
 
diff --git a/packages/remote/README.md b/packages/remote/README.md
@@ -11,7 +11,7 @@ Docs: https://execbox.aallam.com
 
 - you want execbox execution to live outside the application process
 - you already own the transport and runtime deployment shape
-- you want to keep the same `Executor` API while swapping in a stronger boundary
+- you want to keep the same `Executor` API while placing execution behind an application-defined boundary
 
 ## Install
 
@@ -21,9 +21,11 @@ npm install @execbox/core @execbox/remote
 
 ## Usage
 
+Host side:
+
 ```ts
 import { resolveProvider } from "@execbox/core";
-import { RemoteExecutor, attachQuickJsRemoteEndpoint } from "@execbox/remote";
+import { RemoteExecutor } from "@execbox/remote";
 
 const provider = resolveProvider({
   name: "tools",
@@ -44,6 +46,12 @@ const result = await executor.execute(
   [provider],
   { timeoutMs: 250 },
 );
+```
+
+Runner side:
+
+```ts
+import { attachQuickJsRemoteEndpoint } from "@execbox/remote";
 
 attachQuickJsRemoteEndpoint(myRunnerPort);
 ```
@@ -54,8 +62,8 @@ attachQuickJsRemoteEndpoint(myRunnerPort);
 
 ## Security Notes
 
-- This package improves the process boundary by moving execution behind a caller-supplied transport.
-- It is still not a hard security boundary by itself. Your actual trust boundary depends on the remote runtime you deploy.
+- This package moves execution behind a caller-supplied transport.
+- The actual trust boundary depends on the remote runtime and operational controls you deploy behind that transport.
 - Providers remain the capability boundary.
 - The package is intentionally small: it does not create servers, own authentication, or prescribe an HTTP/WebSocket framework.
 
diff --git a/packages/worker/README.md b/packages/worker/README.md
@@ -100,8 +100,8 @@ Queue wait time is pool backpressure, not execution time. The configured executi
 
 ## Security Notes
 
-- This package improves lifecycle isolation by moving the QuickJS runtime to a worker thread.
-- It is still same-process execution and is not documented as a hard hostile-code boundary.
+- This package moves the QuickJS runtime to a worker thread for better lifecycle isolation.
+- It remains same-process execution, so hard isolation depends on a stronger boundary than a worker thread alone.
 - Providers remain the real capability boundary.
 - Internally it is a thin transport adapter over the shared `execbox-protocol` host session and the shared QuickJS protocol endpoint.
 
