{
  "$type": "site.standard.document",
  "content": "---\ntitle: \"Out of the browser: on the power of interfaces for agentic AI\"\ndescription: \"The leap from browser-based ChatGPT to terminal-native coding agents isn't\n  about smarter models---it's about removing the sandbox.\"\ntags:\n  - ai\n---\n\nWhen OpenAI [launched ChatGPT](https://openai.com/index/chatgpt/) on November\n30, 2022, it was a text box in a browser. That conversational call-and-response\ninterface was a big part of what made it a hit---the fastest-growing technology\nproduct in history, reaching 100 million users in two months. But that's not\nwhat this post is about.\n\nThis post is about why \"AI coding in the terminal\" is such a big deal, and why\nit's arguably more about **interfaces** than about models.\n\nTo understand why, start with the browser---a security marvel in its own right.\n\n<svg class=\"browser-window\" width=\"100%\" viewBox=\"0 0 500 300\" xmlns=\"http://www.w3.org/2000/svg\">\n  <!-- Window frame -->\n  <rect x=\"0\" y=\"0\" width=\"500\" height=\"300\" rx=\"8\" class=\"window-bg\"/>\n  <rect x=\"0\" y=\"0\" width=\"500\" height=\"36\" rx=\"8\" class=\"titlebar\"/>\n  <rect x=\"0\" y=\"28\" width=\"500\" height=\"8\" class=\"titlebar\"/>\n\n  <!-- Traffic lights -->\n  <circle cx=\"20\" cy=\"18\" r=\"6\" fill=\"#ff5f57\"/>\n  <circle cx=\"40\" cy=\"18\" r=\"6\" fill=\"#ffbd2e\"/>\n  <circle cx=\"60\" cy=\"18\" r=\"6\" fill=\"#28c940\"/>\n\n  <!-- URL bar -->\n  <rect x=\"80\" y=\"8\" width=\"340\" height=\"20\" rx=\"4\" class=\"url-bar\"/>\n  <text x=\"100\" y=\"22\" font-size=\"11\" font-family=\"system-ui, sans-serif\" class=\"url-text\">🔒 chat.openai.com</text>\n\n  <!-- Content area - ChatGPT style interface -->\n  <rect x=\"20\" y=\"50\" width=\"460\" height=\"180\" rx=\"4\" class=\"content-area\"/>\n\n  <!-- Chat messages -->\n  <rect x=\"40\" y=\"70\" width=\"280\" height=\"40\" rx=\"8\" class=\"ai-message\"/>\n  <text x=\"55\" y=\"95\" font-size=\"12\" font-family=\"system-ui, sans-serif\" 
class=\"message-text\">Hello! How can I help you today?</text>\n\n  <rect x=\"180\" y=\"125\" width=\"280\" height=\"30\" rx=\"8\" class=\"user-message\"/>\n  <text x=\"195\" y=\"145\" font-size=\"12\" font-family=\"system-ui, sans-serif\" class=\"user-text\">Can you edit my files?</text>\n\n  <rect x=\"40\" y=\"170\" width=\"200\" height=\"30\" rx=\"8\" class=\"ai-message\"/>\n  <text x=\"55\" y=\"190\" font-size=\"12\" font-family=\"system-ui, sans-serif\" class=\"message-text\">I cannot access your files.</text>\n\n  <!-- Input box at bottom -->\n  <rect x=\"20\" y=\"250\" width=\"420\" height=\"35\" rx=\"8\" class=\"input-box\"/>\n  <text x=\"35\" y=\"272\" font-size=\"12\" font-family=\"system-ui, sans-serif\" class=\"placeholder-text\">Message ChatGPT...</text>\n  <rect x=\"450\" y=\"255\" width=\"25\" height=\"25\" rx=\"4\" class=\"send-btn\"/>\n</svg>\n\nModern web browsers are incredible feats of sandboxing engineering. When you\nvisit a website, that site's code runs in a carefully isolated environment. It\ncan't read your files. It can't run programs on your computer. It can't even\nreliably[^cors] visit other websites on your behalf. This isolation is achieved\nthrough a\n[multi-process architecture](https://www.browserstack.com/guide/what-is-browser-sandboxing)\nwhere untrusted web content runs in restricted processes that can only\ncommunicate with the rest of your system through tightly controlled channels.\n\n[^cors]:\n    [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) is a whole\n    thing, but broadly speaking browsers are designed to prevent cross-origin\n    resource shenanigans.\n\nThis sandboxing is why you can visit sketchy websites and (mostly) not worry\nabout them stealing your passwords or deleting your files. What happens in the\nbrowser stays in the browser.\n\nBut that same sandboxing that protects you also constrains what ChatGPT (or\nany browser-based AI) can actually _do_. 
It can generate text, show you\nimages, even run some sandboxed JavaScript. But it can't create files on\nyour computer, run your test suite, commit code to git, or do any of the\nthousand other things you do when you're actually building software.\n\nEnter the terminal.\n\n<svg class=\"terminal-window\" width=\"100%\" viewBox=\"0 0 500 280\" xmlns=\"http://www.w3.org/2000/svg\">\n  <!-- Window frame -->\n  <rect x=\"0\" y=\"0\" width=\"500\" height=\"280\" rx=\"8\" class=\"terminal-bg\"/>\n  <rect x=\"0\" y=\"0\" width=\"500\" height=\"36\" rx=\"8\" class=\"terminal-titlebar\"/>\n  <rect x=\"0\" y=\"28\" width=\"500\" height=\"8\" class=\"terminal-titlebar\"/>\n\n  <!-- Traffic lights -->\n  <circle cx=\"20\" cy=\"18\" r=\"6\" fill=\"#ff5f57\"/>\n  <circle cx=\"40\" cy=\"18\" r=\"6\" fill=\"#ffbd2e\"/>\n  <circle cx=\"60\" cy=\"18\" r=\"6\" fill=\"#28c940\"/>\n\n  <!-- Title -->\n\n<text x=\"250\" y=\"22\" text-anchor=\"middle\" font-size=\"12\" font-family=\"system-ui, sans-serif\" class=\"terminal-title\">Terminal\n— zsh</text>\n\n  <!-- Terminal content -->\n\n<text x=\"20\" y=\"65\" font-size=\"13\" font-family=\"ui-monospace, monospace\" class=\"prompt\">~</text>\n<text x=\"35\" y=\"65\" font-size=\"13\" font-family=\"ui-monospace, monospace\" class=\"command\">claude\n\"fix the bug in auth.py\"</text>\n\n<text x=\"20\" y=\"90\" font-size=\"13\" font-family=\"ui-monospace, monospace\" class=\"output\">●\nReading auth.py...</text>\n<text x=\"20\" y=\"115\" font-size=\"13\" font-family=\"ui-monospace, monospace\" class=\"output\">●\nFound issue on line 42</text>\n<text x=\"20\" y=\"140\" font-size=\"13\" font-family=\"ui-monospace, monospace\" class=\"output\">●\nEditing auth.py...</text>\n<text x=\"20\" y=\"165\" font-size=\"13\" font-family=\"ui-monospace, monospace\" class=\"output\">●\nRunning pytest...</text>\n<text x=\"20\" y=\"190\" font-size=\"13\" font-family=\"ui-monospace, monospace\" class=\"success\">✓\nAll tests passing</text>\n<text 
x=\"20\" y=\"215\" font-size=\"13\" font-family=\"ui-monospace, monospace\" class=\"output\">●\nCommitting changes...</text>\n\n<text x=\"20\" y=\"250\" font-size=\"13\" font-family=\"ui-monospace, monospace\" class=\"prompt\">~</text>\n<rect x=\"35\" y=\"238\" width=\"8\" height=\"16\" class=\"cursor\"/> </svg>\n\nThe terminal is almost the anti-browser: a text-only interface to doing\n**everything** on your computer. You can create, read, edit, and delete\nfiles (or entire hard drives), run programs, install software, and access\nthe network (potentially exfiltrating sensitive documents along the way).\nThe terminal is powerful, and dangerous, precisely _because_ it has no\nsandbox.[^sandbox]\n\n[^sandbox]:\n    Yes, you can run things in\n    [dev containers](https://code.visualstudio.com/docs/devcontainers/containers)\n    or VMs to limit the blast radius. But in practice, most developers (myself\n    included) run these tools directly on their machines. See the normalisation\n    of deviance discussion below.\n\nThis is why software developers use it. Building software involves a constant\ncycle of editing files, running compilers, executing tests, managing version\ncontrol, and deploying to servers. All of these are terminal operations. And\ncrucially, the people using the terminal are expected to know what they're doing\nand to take responsibility for the commands they run.\n\nWhat makes the terminal particularly interesting for LLMs is this: **it's all\ntext**. Both the inputs (commands with a specific syntax) and the outputs (error\nmessages, logs, success confirmations) are designed to be read by\nhumans---specifically, programmers who need to understand what's happening and\ndebug when things go wrong.\n\nLLMs are really good at text. They can understand error messages, reason about\nwhat went wrong, and generate the next command to try. 
And because the terminal\nruns commands quickly, you can put an LLM in a loop: try something, see the\nresult, adjust, repeat. This is what\n[Anthropic's whitepaper on building effective agents](https://www.anthropic.com/engineering/building-effective-agents)\ncalls tightening the feedback loop---letting the model iterate without waiting\nfor a human to approve every step.\n\nThis is what kicked off the terminal-native AI boom. When Anthropic\n[announced Claude Code](https://www.anthropic.com/news/claude-3-7-sonnet) in\nFebruary 2025, the model update wasn't a quantum leap; Claude 3.7 Sonnet came\nwith it, but Sonnet 3.5 was already pretty capable. What they released was a new\n**interface**: an agentic command-line tool that could search and read code,\nedit files, write and run tests, and commit to git. Same models[^models-better],\ndifferent interface, dramatically more useful for actual software development.\nIf you don't believe me about how big a deal this is, check the socials.\n\n[^models-better]:\n    Ok, the models _are_ getting better all the time. But I think the leap out\n    of the browser is the main thing.\n\nAnd everyone else noticed. OpenAI\n[launched Codex CLI](https://openai.com/index/introducing-codex/) in April 2025.\nGoogle followed with\n[Gemini CLI](https://blog.google/innovation-and-ai/technology/developers-tools/introducing-gemini-cli-open-source-ai-agent/).\nThe open source community jumped in too:\n[OpenCode](https://github.com/opencode-ai/opencode) now has over 95,000 GitHub\nstars, [Pi](https://lucumr.pocoo.org/2026/1/31/pi/) (built by Armin Ronacher and\nMario Zechner, powering OpenClaw) takes a minimal-agent approach, and\n[Claudia](https://github.com/getAsterisk/claudia) wraps Claude Code in a GUI for\nthose who want the power without the terminal aesthetic.\n\nThis is an innovation in **interfaces**, not just models.\n\nAll this power comes with obvious risk, of course. 
An LLM running in your\nterminal can do anything you can do in your terminal, including stealing\nyour SSH keys, reading your `.env` files, or, as\n[Johann Rehberger points out](https://embracethered.com/blog/posts/2025/the-normalization-of-deviance-in-ai/),\nwiping your production database.\n\nSo far, the frontier models have been pretty well-behaved[^yolo]. But Rehberger\ndraws a sobering parallel to the Space Shuttle Challenger disaster and the\nconcept of \"normalisation of deviance\": repeated exposure to risky behaviour\nwithout negative consequences leads people to accept that risk as normal.\n\n[^yolo]:\n    Even though many developers run these tools with automatic approval for all\n    actions (colloquially known as \"YOLO mode\"). I'm one of them 🙃\n\nAs\n[Simon Willison notes](https://simonwillison.net/2025/Dec/10/normalization-of-deviance/):\n\n> In the absence of any headline-grabbing examples of prompt injection\n> vulnerabilities causing real economic harm, will anyone care?\n\nThe incentives for speed and automation are strong. The incentives for security\nare... well, they're there in principle, but it's easy to forget why the\nguardrails existed in the first place.\n\nWhich brings me to the thing I keep coming back to: the story here is about\nwhat an interface lets the model do, more than how smart the model itself is. I've\n[written before](/blog/2025/07/17/agentic-ai-llms-with-stones/) about how\nagentic AI is really just about giving LLMs tools (stones to throw, in the\n\"sticks and stones\" sense). But the terminal-native AI wave has clarified\nsomething for me: the _power_ of agentic AI comes from the interface, not just\nthe tools themselves.\n\nThe browser sandbox was always a security feature, not a limitation of the\nunderlying AI. ChatGPT could always _tell_ you to run `rm -rf /`; it just\ncouldn't do it itself. 
By moving to the terminal, we haven't made the models\nsmarter; we've given them permission to actually do things.\n\nThat's both the promise and the peril. The models can now iterate without asking\nand do real work in tight feedback loops. But they can also make real mistakes\nwith real consequences, in ways that browser-based AI never could.\n\nIf you're going to use these tools---and if you're a software developer in 2026,\nyou probably should---just remember that you're not using a smarter AI. You're\nusing the same AI with the safety guards removed. Plan accordingly.\n\n<!-- styles for the SVG diagrams (light/dark mode) -->\n<style scoped>\n.browser-window {\n  .window-bg { fill: #ffffff; stroke: #d1d5db; stroke-width: 1; }\n  .titlebar { fill: #f3f4f6; }\n  .url-bar { fill: #ffffff; stroke: #d1d5db; stroke-width: 1; }\n  .url-text { fill: #374151; }\n  .content-area { fill: #f9fafb; }\n  .ai-message { fill: #e5e7eb; }\n  .user-message { fill: #10a37f; }\n  .message-text { fill: #1f2937; }\n  .user-text { fill: #ffffff; }\n  .input-box { fill: #ffffff; stroke: #d1d5db; stroke-width: 1; }\n  .placeholder-text { fill: #9ca3af; }\n  .send-btn { fill: #10a37f; }\n}\n\n.terminal-window {\n  .terminal-bg { fill: #1e1e1e; }\n  .terminal-titlebar { fill: #323232; }\n  .terminal-title { fill: #a0a0a0; }\n  .prompt { fill: #4ec9b0; }\n  .command { fill: #dcdcaa; }\n  .output { fill: #cccccc; }\n  .success { fill: #4ec9b0; }\n  .cursor { fill: #cccccc; animation: blink 1s step-end infinite; }\n}\n\n.dark {\n  .browser-window {\n    .window-bg { fill: #1f2937; stroke: #374151; }\n    .titlebar { fill: #374151; }\n    .url-bar { fill: #1f2937; stroke: #4b5563; }\n    .url-text { fill: #d1d5db; }\n    .content-area { fill: #111827; }\n    .ai-message { fill: #374151; }\n    .message-text { fill: #f3f4f6; }\n    .input-box { fill: #1f2937; stroke: #4b5563; }\n    .placeholder-text { fill: #6b7280; }\n  }\n\n  .terminal-window {\n    .terminal-bg { fill: #0d1117; }\n    
.terminal-titlebar { fill: #161b22; }\n    .terminal-title { fill: #8b949e; }\n    .prompt { fill: #7ee787; }\n    .command { fill: #ffa657; }\n    .output { fill: #c9d1d9; }\n    .success { fill: #7ee787; }\n    .cursor { fill: #c9d1d9; }\n  }\n}\n\n@keyframes blink {\n  50% { opacity: 0; }\n}\n</style>\n",
  "createdAt": "2026-05-13T23:14:41.306Z",
  "description": "The leap from browser-based ChatGPT to terminal-native coding agents isn't about smarter models---it's about removing the sandbox.",
  "path": "/blog/2026/02/05/out-of-the-browser-on-the-power-of-interfaces-for-agentic-ai",
  "publishedAt": "2026-02-05T00:00:00.000Z",
  "site": "at://did:plc:tevykrhi4kibtsipzci76d76/site.standard.publication/self",
  "tags": [
    "ai"
  ],
  "textContent": "The leap from browser-based ChatGPT to terminal-native coding agents isn't about smarter models---it's about removing the sandbox.",
  "title": "Out of the browser: on the power of interfaces for agentic AI"
}