This page documents all configuration options for @enclave-vm/browser.

Quick Example

import { BrowserEnclave } from '@enclave-vm/browser';

const enclave = new BrowserEnclave({
  // Security level preset
  securityLevel: 'SECURE',

  // Core limits
  timeout: 10000,
  maxToolCalls: 50,
  maxIterations: 5000,
  memoryLimit: 2 * 1024 * 1024, // 2MB

  // Tool handler (executeToolSafely is a placeholder for your own host-side dispatcher)
  toolHandler: async (name, args) => {
    return executeToolSafely(name, args);
  },

  // Additional options
  globals: { context: { userId: 'user-123' } },
  validate: true,
  transform: true,
});

Core Options

| Option | Type | Default | Description |
|---|---|---|---|
| securityLevel | string | 'STANDARD' | Preset: STRICT, SECURE, STANDARD, PERMISSIVE |
| preset | string | 'agentscript' | AST preset: agentscript, strict, secure, standard, permissive |
| timeout | number | varies | Maximum execution time in milliseconds |
| maxToolCalls | number | varies | Maximum tool calls per execution |
| maxIterations | number | varies | Maximum loop iterations (per loop) |
| memoryLimit | number | 1048576 | Memory limit in bytes (soft tracking) |
| toolHandler | function | - | Async function that handles callTool() invocations |
| globals | object | - | Additional globals available in the sandbox (JSON-serializable only) |
| validate | boolean | true | Validate code with ast-guard before execution |
| transform | boolean | true | Transform code before execution (AgentScript wrappers) |
| allowFunctionsInGlobals | boolean | varies | Whether to allow functions in custom globals |

Console Limits

| Option | Type | Default | Description |
|---|---|---|---|
| maxConsoleOutputBytes | number | varies | Maximum total console output in bytes |
| maxConsoleCalls | number | varies | Maximum number of console calls |

Security Level Comparison

All “varies” defaults above depend on the selected security level:

| Setting | STRICT | SECURE | STANDARD | PERMISSIVE |
|---|---|---|---|---|
| timeout | 5000 | 15000 | 30000 | 60000 |
| maxIterations | 1000 | 5000 | 10000 | 100000 |
| maxToolCalls | 10 | 50 | 100 | 1000 |
| maxConsoleOutputBytes | 64KB | 256KB | 1MB | 10MB |
| maxConsoleCalls | 100 | 500 | 1000 | 10000 |
| maxSanitizeDepth | 5 | 10 | 20 | 50 |
| maxSanitizeProperties | 50 | 100 | 500 | 1000 |
| sanitizeStackTraces | true | true | false | false |
| blockTimingAPIs | true | false | false | false |
| allowUnboundedLoops | false | false | true | true |
| unicodeSecurityCheck | true | true | false | false |
| allowFunctionsInGlobals | false | false | false | true |
| secureProxy.blockConstructor | true | true | true | false |
| secureProxy.blockPrototype | true | true | true | true |
| secureProxy.blockLegacyAccessors | true | true | true | true |
| secureProxy.proxyMaxDepth | 5 | 10 | 15 | 20 |
| secureProxy.throwOnBlocked | true | true | true | false |

Secure Proxy Configuration

Override proxy behavior for the current security level:

| Option | Type | Default | Description |
|---|---|---|---|
| secureProxyConfig.blockConstructor | boolean | varies | Block access to .constructor |
| secureProxyConfig.blockPrototype | boolean | varies | Block access to .__proto__ and .prototype |
| secureProxyConfig.blockLegacyAccessors | boolean | varies | Block __defineGetter__, __defineSetter__, etc. |
| secureProxyConfig.proxyMaxDepth | number | varies | Maximum nesting depth for proxy wrapping |
| secureProxyConfig.throwOnBlocked | boolean | varies | Throw error vs return undefined on blocked access |

const enclave = new BrowserEnclave({
  securityLevel: 'STANDARD',
  secureProxyConfig: {
    throwOnBlocked: false, // Return undefined instead of throwing
    proxyMaxDepth: 5,      // Limit proxy nesting
  },
});

Double Iframe Configuration

Configure the outer iframe security barrier:

| Option | Type | Default | Description |
|---|---|---|---|
| doubleIframe.enabled | boolean | true | Enable double iframe isolation |
| doubleIframe.parentTimeoutBuffer | number | 1000 | Extra timeout for outer iframe (ms) |
| doubleIframe.parentValidation.validateOperationNames | boolean | true | Validate tool names |
| doubleIframe.parentValidation.allowedOperationPattern | RegExp | - | Whitelist pattern for tool names |
| doubleIframe.parentValidation.blockedOperationPatterns | RegExp[] | - | Blacklist patterns for tool names |
| doubleIframe.parentValidation.maxOperationsPerSecond | number | 100 | Rate limit for tool calls |
| doubleIframe.parentValidation.blockSuspiciousSequences | boolean | true | Detect multi-step attack patterns |
| doubleIframe.parentValidation.rapidEnumerationThreshold | number | 30 | Same-operation repetition threshold |
| doubleIframe.parentValidation.rapidEnumerationOverrides | object | {} | Per-operation threshold overrides |
| doubleIframe.parentValidation.suspiciousPatterns | array | [] | Custom detection patterns |

const enclave = new BrowserEnclave({
  doubleIframe: {
    enabled: true,
    parentTimeoutBuffer: 2000,
    parentValidation: {
      validateOperationNames: true,
      allowedOperationPattern: /^[a-z]+:[a-z]+$/i,
      blockedOperationPatterns: [/^admin:/i, /^system:/i],
      maxOperationsPerSecond: 50,
      blockSuspiciousSequences: true,
    },
  },
});

Built-in Suspicious Patterns

These patterns are detected automatically when blockSuspiciousSequences is enabled:

| Pattern | Description |
|---|---|
| EXFIL_LIST_SEND | List/query operation followed by send/export |
| RAPID_ENUMERATION | Same operation repeated beyond threshold in 5s window |
| CREDENTIAL_EXFIL | Credential access followed by external operation |
| BULK_OPERATION | Bulk/batch/mass/dump operations or unlimited queries |
| DELETE_AFTER_ACCESS | Delete operation after data read (potential cover-up) |
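
To dry-run a parentValidation configuration against your real tool names before deploying it, the following added example models the allow/block patterns and the RAPID_ENUMERATION rule. It is an illustration written for this page, not the library's implementation: createNameValidator and dryRun are hypothetical names, and the check order, the strict "greater than threshold" comparison and the shape of rapidEnumerationOverrides (operation name to number) are assumptions.

```javascript
// Added illustration, not @enclave-vm/browser code: check order and semantics are assumed.
const WINDOW_MS = 5000; // RAPID_ENUMERATION window from the table above

function createNameValidator(cfg) {
  const {
    allowedOperationPattern,
    blockedOperationPatterns = [],
    rapidEnumerationThreshold = 30, // documented default
    rapidEnumerationOverrides = {}, // assumed shape: { 'operation:name': number }
  } = cfg;
  const recent = new Map(); // operation name -> call timestamps inside the window
  return function check(name, nowMs) {
    // Keep the g/y flags off these patterns: RegExp test() is stateful with them.
    if (allowedOperationPattern && !allowedOperationPattern.test(name)) {
      return 'NOT_ALLOWED';
    }
    if (blockedOperationPatterns.some((re) => re.test(name))) {
      return 'BLOCKED';
    }
    // Own-property lookup so a name like "constructor" cannot pick up an inherited value.
    const hasOverride = Object.prototype.hasOwnProperty.call(rapidEnumerationOverrides, name);
    const limit = hasOverride ? rapidEnumerationOverrides[name] : rapidEnumerationThreshold;
    const hits = (recent.get(name) || []).filter((t) => nowMs - t < WINDOW_MS);
    hits.push(nowMs);
    recent.set(name, hits);
    return hits.length > limit ? 'RAPID_ENUMERATION' : 'OK';
  };
}

// Replay a constructed call log of [operationName, timestampMs] pairs.
function dryRun(cfg, calls) {
  const check = createNameValidator(cfg);
  return calls.map(([name, t]) => check(name, t));
}

const sampleConfig = {
  allowedOperationPattern: /^[a-z]+:[a-z]+$/i,         // from the example above
  blockedOperationPatterns: [/^admin:/i, /^system:/i], // from the example above
  rapidEnumerationThreshold: 3,                        // lowered for this demo
};
const sampleCalls = [ // constructed sample input
  ['users:list', 0], ['admin:reset', 10], ['users.list', 20], ['users:list_all', 30],
  ['files:read', 100], ['files:read', 200], ['files:read', 300], ['files:read', 400],
  ['files:read', 6000],
];
console.log(dryRun(sampleConfig, sampleCalls));
```

Note that the sample allow pattern rejects tool names containing digits, underscores or dots, so legitimate tools named that way need a wider pattern.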

Custom Globals

Inject read-only data into the sandbox. Only JSON-serializable values are supported; functions cannot cross the iframe boundary.

const enclave = new BrowserEnclave({
  globals: {
    // These work (JSON-serializable)
    config: { apiVersion: 'v2', maxRetries: 3 },
    userId: 'user-123',
    features: ['search', 'export'],

    // These are silently skipped (not serializable)
    // handler: () => {},       // function
    // element: document.body,  // DOM node
  },
});

// In sandboxed code:
// const version = config.apiVersion; // 'v2'
// const id = userId;                 // 'user-123'

Custom globals are only supported with the agentscript preset (the default). Using globals with other presets will throw an error.

Each custom global is also available with a __safe_ prefix (e.g., config and __safe_config), matching the pattern used by AgentScript’s code transformation.
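
Because non-serializable globals are skipped silently, a pre-flight check on the host side makes the omission visible before the sandbox runs. The following is an added example, not part of @enclave-vm/browser: findUnserializable is a hypothetical helper, and it assumes "JSON-serializable" means a value that survives a JSON round trip unchanged.

```javascript
// Added illustration: list every value in a globals object that would not
// survive a JSON round trip unchanged. Not library code.
function findUnserializable(value, path = 'globals', seen = new Set(), out = []) {
  const t = typeof value;
  if (t === 'function' || t === 'symbol' || t === 'undefined' || t === 'bigint') {
    out.push({ path, kind: t });
  } else if (t === 'number' && !Number.isFinite(value)) {
    out.push({ path, kind: 'non-finite number' }); // JSON turns NaN/Infinity into null
  } else if (value !== null && t === 'object') {
    if (seen.has(value)) {
      out.push({ path, kind: 'circular reference' });
      return out;
    }
    const proto = Object.getPrototypeOf(value);
    const plain = Array.isArray(value) || proto === Object.prototype || proto === null;
    if (!plain) {
      // DOM nodes, Map, Set, Date and class instances lose their type in JSON.
      out.push({ path, kind: 'non-plain object' });
      return out;
    }
    seen.add(value);
    for (const key of Object.keys(value)) {
      findUnserializable(value[key], `${path}.${key}`, seen, out);
    }
    seen.delete(value); // only ancestors form a cycle; shared siblings are fine
  }
  return out;
}

// Constructed sample input: the page's working globals plus values that would be dropped.
const sampleGlobals = {
  config: { apiVersion: 'v2', maxRetries: 3 },
  userId: 'user-123',
  features: ['search', 'export'],
  handler: () => {},
  limits: { big: 10n, ratio: NaN },
  createdAt: new Date(0),
};
sampleGlobals.self = sampleGlobals;

console.log(findUnserializable(sampleGlobals));
```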