The 6 Layers
Layer 0: Pre-Scanner
Runs BEFORE parsing to catch DoS attacks that could crash the parser:

| Check | Limit | Purpose |
|---|---|---|
| Input size | 100MB max | Memory exhaustion |
| Line length | 100K chars | Minified code bombs |
| Nesting depth | 200 levels | Stack overflow |
| String literals | 5MB each | Embedded data attacks |
| Regex patterns | 1K chars | ReDoS prevention |

The pre-scanner also detects Unicode-based source attacks:
- BiDi attacks (Trojan Source, CVE-2021-42574)
- Invisible characters (zero-width spaces, etc.)
- Homoglyph attacks (lookalike characters)
Layer 1: AST Validation
Static analysis of the parsed AST to block dangerous patterns:

Blocked Categories
| Category | Examples | Risk |
|---|---|---|
| Code execution | eval, Function, setTimeout(string) | Arbitrary code injection |
| System access | process, require, import | Host system access |
| Globals | window, global, globalThis | Sandbox escape |
| Prototype | __proto__, constructor | Prototype pollution |
| Metaprogramming | Proxy, Reflect | Interception |
| User functions | function foo(){} | Recursion bombs |
Enforcement
Layer 2: Code Transformation
Valid code is transformed for safe execution:
- Main wrapper - Entry point for execution
- Safe callTool - Proxied through host with counting
- Safe loops - Iteration limits enforced
- Safe console - Rate-limited with output capture
Layer 3: AI Scoring Gate
Optional semantic analysis that detects attack patterns beyond what static analysis can see; each matched pattern adds to a risk score:

| Pattern | Score | Example |
|---|---|---|
| Data exfiltration | 50 | list → send sequence |
| Sensitive field access | 35 | Query for passwords/tokens |
| Excessive limits | 25 | limit: 1000000 |
| Loop tool calls | 25 | callTool inside for loop |
| Dynamic tool names | 20 | Variable as tool name |
Layer 4: Runtime Sandbox
Code executes in an isolated Node.js vm context:
- Fresh context - No access to host scope
- Controlled globals - Only whitelisted APIs available
- Resource limits - Timeout, iterations, tool calls enforced
- Optional worker isolation - OS-level memory separation
What’s Available in the Sandbox
Layer 5: Output Sanitization
Results are sanitized before returning to the caller:
- Stack trace sanitization - Remove internal paths and sensitive info
- Reference resolution - Resolve sidecar tokens to actual data
- Type validation - Ensure result is serializable
Security Level Presets
Enclave provides preset configurations:

| Level | Timeout | Iterations | Tool Calls | Use Case |
|---|---|---|---|---|
| STRICT | 5s | 1K | 10 | Untrusted code |
| SECURE | 15s | 5K | 50 | Semi-trusted |
| STANDARD | 30s | 10K | 100 | Internal tools |
| PERMISSIVE | 60s | 100K | 1K | Testing |
What Enclave Protects Against
- Code injection - Blocked by AST validation
- Infinite loops - Limited by maxIterations
- Resource exhaustion - Limited by timeout and limits
- Prototype pollution - Blocked by AST validation
- Sandbox escape - Blocked by controlled globals
- Information leakage - Stack traces sanitized
- ReDoS attacks - Pre-scanner detection
- Unicode attacks - BiDi and homoglyph detection
What Enclave Does NOT Protect Against
- Tool abuse - Scripts can call allowed tools; limit what’s available
- Algorithmic complexity - O(n²) algorithms still run as long as they stay within the limits
- Business logic attacks - Tool-level validation required
- Side effects - Tool calls have real effects
Best Practices
- Use STRICT for untrusted code - AI-generated, user-submitted
- Limit available tools - Only expose what’s needed
- Validate tool inputs - Check arguments before execution
- Monitor execution - Log tool calls and durations
- Set appropriate limits - Tune for your use case
- Keep updated - Security improvements in new versions
Related
- Architecture - System overview
- AgentScript - Language definition
- Security Levels - Preset details