Skip to main content
ast-guard ships with 15 built-in security rules that cover common attack vectors. Each rule can be configured and combined to match your security requirements.

NoGlobalAccessRule

Blocks access to dangerous global objects via member expressions. 
import { NoGlobalAccessRule } from '@enclave-vm/ast';

const rule = new NoGlobalAccessRule({
  blockedGlobals: ['window', 'process', 'global', 'globalThis'],
  allowedMembers: { console: ['log', 'warn', 'error'] },
});
Blocks:
  • window.location
  • process.env
  • global.setTimeout
Allows:
  • console.log() (if configured)

ReservedPrefixRule

Prevents user code from declaring identifiers with reserved prefixes. 
import { ReservedPrefixRule } from '@enclave-vm/ast';

const rule = new ReservedPrefixRule({
  prefixes: ['__ag_', '__safe_'],
  allowedIdentifiers: ['__ag_main'],
});
Blocks:
  • const __ag_hack = 1;
  • let __safe_bypass = true;

NoCallTargetAssignmentRule

Protects critical call targets from being reassigned or shadowed. 
import { NoCallTargetAssignmentRule } from '@enclave-vm/ast';

const rule = new NoCallTargetAssignmentRule({
  protectedTargets: ['callTool', '__safe_callTool'],
});
Blocks:
  • callTool = malicious; - Direct assignment
  • const callTool = () => {}; - Variable shadowing
  • const { callTool } = obj; - Destructuring shadowing
  • function callTool() {} - Function declaration shadowing

UnicodeSecurityRule

Detects Unicode-based attacks including Trojan Source and homoglyphs. 
import { UnicodeSecurityRule } from '@enclave-vm/ast';

const rule = new UnicodeSecurityRule({
  blockBidi: true,          // Block bidirectional text attacks
  blockHomoglyphs: true,    // Block lookalike characters
  blockZeroWidth: true,     // Block zero-width characters
  blockInvisible: true,     // Block invisible formatting
  checkComments: true,      // Also check inside comments
});
Trojan Source attacks (CVE-2021-42574) use Unicode bidirectional control characters to make code appear different than it actually executes. Always enable blockBidi: true for untrusted code.

StaticCallTargetRule

Enforces static string literals for call targets. 
import { StaticCallTargetRule } from '@enclave-vm/ast';

const rule = new StaticCallTargetRule({
  targetFunctions: ['callTool', '__safe_callTool'],
  argumentPosition: 0,
  allowedToolNames: ['users:list', 'billing:*'], // Optional whitelist
});
Blocks:
  • callTool(dynamicName, {}) - Variable as tool name
  • callTool(getToolName(), {}) - Function call as tool name
Allows:
  • callTool('users:list', {}) - Static string literal

NoRegexLiteralRule

Blocks or analyzes regex literals for ReDoS vulnerabilities. 
import { NoRegexLiteralRule } from '@enclave-vm/ast';

// Block all regex (AgentScript preset)
new NoRegexLiteralRule({ blockAll: true });

// Analyze patterns for ReDoS
new NoRegexLiteralRule({
  analyzePatterns: true,
  analysisLevel: 'catastrophic',
  blockThreshold: 80,
  warnThreshold: 50,
});

DisallowedIdentifierRule

Blocks specific identifier names. 
import { DisallowedIdentifierRule } from '@enclave-vm/ast';

const rule = new DisallowedIdentifierRule({
  disallowed: ['eval', 'Function', 'process', 'require'],
});

ForbiddenLoopRule

Restricts which loop constructs are allowed. 
import { ForbiddenLoopRule } from '@enclave-vm/ast';

const rule = new ForbiddenLoopRule({
  allowFor: true,
  allowForOf: true,
  allowWhile: false,
  allowDoWhile: false,
  allowForIn: false,
});

RequiredFunctionCallRule

Ensures code contains required function calls. 
import { RequiredFunctionCallRule } from '@enclave-vm/ast';

const rule = new RequiredFunctionCallRule({
  required: ['callTool'],
  minCalls: 1,
});

UnknownGlobalRule

Rejects references to undeclared identifiers (whitelist mode). 
import { UnknownGlobalRule } from '@enclave-vm/ast';

const rule = new UnknownGlobalRule({
  allowedGlobals: ['callTool', 'Math', 'JSON', 'Array', 'Object'],
  allowStandardGlobals: true, // Allow undefined, null, NaN, etc.
});

NoEvalRule

Blocks eval and dynamic code execution. 
import { NoEvalRule } from '@enclave-vm/ast';

const rule = new NoEvalRule();
Blocks:
  • eval('code')
  • new Function('return 1')
  • setTimeout('code', 100) - String form

NoAsyncRule

Restricts async/await usage. 
import { NoAsyncRule } from '@enclave-vm/ast';

const rule = new NoAsyncRule({
  allowTopLevelAwait: true,
  allowAsyncFunctions: false,
});

NoUserDefinedFunctionsRule

Blocks user-defined functions (prevents recursion). 
import { NoUserDefinedFunctionsRule } from '@enclave-vm/ast';

const rule = new NoUserDefinedFunctionsRule({
  allowArrowFunctions: true, // For array methods
});
Blocks:
  • function foo() {}
  • const fn = function() {}
Allows:
  • array.map(x => x * 2) - Arrow functions (if enabled)

UnreachableCodeRule

Detects code after return/throw statements. 
import { UnreachableCodeRule } from '@enclave-vm/ast';

const rule = new UnreachableCodeRule();

CallArgumentValidationRule

Validates function call arguments. 
import { CallArgumentValidationRule } from '@enclave-vm/ast';

const rule = new CallArgumentValidationRule({
  targetFunctions: ['callTool'],
  minArgs: 1,
  maxArgs: 2,
});

Rule Severity

All rules support severity configuration: 
const rule = new DisallowedIdentifierRule({
  disallowed: ['eval'],
  severity: 'error', // 'error' or 'warning'
});