Skip to main content
CodeCall security layers CodeCall security layers CodeCall implements bank-grade security through a defense-in-depth architecture. Every script passes through five security layers before execution, ensuring that even if one layer is bypassed, others catch malicious behavior.

100+ Attack Vectors Blocked

Pre-Scanner + AST Guard blocks ReDoS, BiDi attacks, eval, prototype pollution, and more

Layer 0 Defense

Pre-Scanner catches attacks BEFORE parser execution - blocks parser-level DoS

Zero Trust Runtime

Enclave sandbox with whitelist-only globals and resource limits

Security Pipeline

Every script goes through this 5-layer pipeline:

Layer 0: Pre-Scanner (Defense-in-Depth)

The Pre-Scanner is a new security layer that runs BEFORE the JavaScript parser (acorn). It provides defense-in-depth protection against attacks that could DoS or exploit the parser itself.

Why Layer 0?

Traditional security scanners operate on the AST (Abstract Syntax Tree), which means they rely on the parser completing successfully. Sophisticated attackers can exploit this by:
  1. Parser DoS: Deeply nested brackets/braces can cause stack overflow in recursive descent parsers
  2. ReDoS at Parse Time: Complex regex literals can hang the parser
  3. Memory Exhaustion: Large inputs can exhaust memory before validation
  4. Trojan Source Attacks: Unicode BiDi characters can make code appear different from how it executes

Mandatory Limits (Cannot Be Disabled)

These limits are enforced regardless of configuration:
LimitValuePurpose
Max Input Size100 MB (absolute) / 50 KB (AgentScript preset)Prevents memory exhaustion
Max Nesting Depth200 levelsPrevents stack overflow
Max Line Length100,000 charsHandles minified code safely
Max Regex Length1,000 charsPrevents ReDoS
Max Regex Count50Limits ReDoS attack surface

Pre-Scanner Attacks Blocked

Blocked Patterns:
  • (a+)+ - Nested quantifiers
  • (a|a)+ - Overlapping alternation
  • (.*a)+ - Greedy backtracking
  • (a+){2,} - Star in repetition
Why: These patterns cause exponential backtracking that can hang the parser or runtime for hours.
Blocked Characters:
  • U+202E (Right-to-Left Override)
  • U+2066 (Left-to-Right Isolate)
  • U+2069 (Pop Directional Isolate)
Why: Makes code appear different from how it executes (CVE-2021-42574).
Blocked:
  • Deeply nested brackets: (((((((((x)))))))))
  • Deeply nested braces: {{{{{{{{{}}}}}}}}}
Why: Recursive descent parsers can overflow their stack on deep nesting.
Blocked:
  • Inputs > 50KB (AgentScript preset)
  • Inputs > configured maxInputSize
Why: Large inputs can exhaust memory before validation completes.
Blocked:
  • \x00 characters anywhere in input
Why: Often indicates binary data injection or attack payloads.

Pre-Scanner Configuration

CodeCall uses the AgentScript preset which provides the strictest pre-scanning: 
// AgentScript Pre-Scanner settings (automatic with CodeCall)
{
  regexMode: 'block',        // Block ALL regex literals
  maxInputSize: 50_000,      // 50KB limit
  maxNestingDepth: 30,       // Conservative nesting
  bidiMode: 'strict',        // Block all BiDi characters
}

Layer 1: AST Validation

AST Guard parses JavaScript into an Abstract Syntax Tree and validates every node against security rules before any code executes.

Blocked Constructs

Blocked:
  • eval('malicious code') - Dynamic code execution
  • new Function('return process')() - Function constructor
  • setTimeout(() => {}, 0) - Timer-based execution
  • setInterval, setImmediate - Async execution escape
Why: These allow arbitrary code injection that bypasses AST validation.
Blocked:
  • process.env.SECRET - Node.js process access
  • require('fs') - Module loading
  • window.location - Browser globals
  • global, globalThis - Global object access
  • this - Context leakage
Why: Prevents sandbox escape and system access.
Blocked:
  • obj.__proto__ = {} - Direct prototype manipulation
  • obj.constructor.prototype - Indirect prototype access
  • Object.prototype.polluted = true - Global prototype pollution
Why: Prototype pollution can corrupt the entire runtime.
Blocked:
  • Bidirectional override characters (CVE-2021-42574)
  • Homoglyph attacks (Cyrillic ‘a’ vs Latin ‘a’)
  • Zero-width characters
  • Invisible formatting characters
Why: Makes code appear different from how it executes.
Blocked:
  • while (true) {} - Unbounded while loops
  • do {} while (true) - Unbounded do-while loops
  • for (key in obj) - Prototype chain walking
  • Recursive function definitions
Why: Can freeze the server or exhaust memory.

AgentScript Preset

CodeCall uses the AgentScript preset - the most restrictive preset designed for LLM-generated code: The AgentScript preset enforces these rules:
RuleSettingRationale
Allowed globalscallTool, getTool, codecallContext, Math, JSON, Array, Object, String, Number, Date, console (optional)Whitelist-only access to safe built-ins
for loopsAllowedBounded iteration with maxIterations enforcement
for-of loopsAllowedBounded by array length + maxIterations
while loopsBlockedUnbounded — risk of infinite loops
do-while loopsBlockedUnbounded — risk of infinite loops
for-in loopsBlockedWalks prototype chain — security risk
Arrow functionsAllowedNo recursion risk (anonymous)
Function declarationsBlockedEnables recursion and hoisting tricks

What’s Allowed

// ✅ Tool calls
const users = await callTool('users:list', { limit: 100 });

// ✅ Variables
const filtered = users.filter(u => u.active);
let count = 0;

// ✅ Bounded loops
for (let i = 0; i < users.length; i++) { count++; }
for (const user of users) { console.log(user.name); }

// ✅ Array methods with arrow functions
const names = users.map(u => u.name);
const total = users.reduce((sum, u) => sum + u.score, 0);

// ✅ Safe built-ins
const max = Math.max(1, 2, 3);
const parsed = JSON.parse('{"a":1}');
const keys = Object.keys(obj);

// ✅ Context access (read-only)
const tenant = codecallContext.tenantId;

// ✅ Return values
return { count, names, total };

Layer 2: Code Transformation

After AST validation passes, code is transformed for safe execution:

Transformations Applied

OriginalTransformedPurpose
Top-level codeasync function __ag_main() { ... }Enable top-level await
callTool(...)__safe_callTool(...)Proxy through Enclave
for (...)Iteration-limited versionEnforce maxIterations
console.log(...)__safe_console.log(...)Capture for logging

Example

// Input
const users = await callTool('users:list', {});
for (const user of users) {
  console.log(user.name);
}
return users.length;

// Transformed
async function __ag_main() {
  const users = await __safe_callTool('users:list', {});
  __safe_forOf(users, (user) => {
    __safe_console.log(user.name);
  });
  return users.length;
}

Reserved Prefixes

User code cannot declare identifiers with these prefixes:
  • __ag_ - AgentScript internal functions
  • __safe_ - Safe runtime proxies
// ❌ BLOCKED by AST validation
const __ag_hack = 'foo';
let __safe_bypass = 123;

Layer 3: Runtime Sandbox

Enclave executes transformed code in an isolated Node.js vm context.

Isolation Guarantees

Fresh Context

Each execution gets a new, isolated context with no access to the host environment

Controlled Globals

Only whitelisted globals available: Math, JSON, Array, Object, etc.

No Module Access

No require, import, or dynamic module loading

No Async Escape

No setTimeout, setInterval, or Promise.race tricks

Resource Limits

LimitDefaultPurpose
timeoutMs3,500msMaximum execution time
maxIterations5,000Maximum loop iterations
maxToolCalls100Maximum tool invocations
maxConsoleOutputBytes64KBMaximum console output (I/O flood protection)
maxConsoleCalls100Maximum console calls (I/O flood protection)
CodeCallPlugin.init({
  vm: {
    preset: 'secure',  // Uses defaults above
    timeoutMs: 5000,   // Override timeout
  },
});

VM Presets

PresetTimeoutIterationsTool CallsConsole OutputConsole CallsUse Case
locked_down2s2,0001032KB50Ultra-sensitive data
secure3.5s5,00010064KB100Production default
balanced5s10,000200256KB500Complex workflows
experimental10s20,0005001MB1000Development only

Security Levels vs VM Presets

Don’t confuse Enclave Security Levels with CodeCall VM Presets - they serve different purposes but work together.
The Enclave library uses Security Levels (STRICT, SECURE, STANDARD, PERMISSIVE) for internal configuration, while CodeCall exposes VM Presets (locked_down, secure, balanced, experimental) as a user-friendly interface. Mapping:
VM PresetEnclave Security LevelDescription
locked_downSTRICTMaximum security, minimal capabilities
secureSECUREProduction-safe with reasonable limits
balancedSTANDARDMore flexibility for complex scripts
experimentalPERMISSIVEDevelopment/testing only
Enclave Security Level Defaults:
ConfigSTRICTSECURESTANDARDPERMISSIVE
timeout2,000ms3,500ms5,000ms10,000ms
maxIterations2,0005,00010,00020,000
maxToolCalls10100200500
maxConsoleOutputBytes32KB64KB256KB1MB
maxConsoleCalls501005001,000
maxSanitizeDepth5101520
maxSanitizeProperties5001,0005,00010,000
When configuring CodeCall, use VM Presets: 
CodeCallPlugin.init({
  vm: {
    preset: 'secure',  // Maps to SECURE level
    timeoutMs: 5000,   // Override specific values as needed
  },
});

Self-Reference Guard

Critical Security Feature: Scripts cannot call CodeCall meta-tools from within scripts. 
// Inside codecall:execute script
// ❌ BLOCKED - Self-reference detected
const result = await callTool('codecall:execute', {
  script: 'return "nested"'
});
// Returns: { success: false, error: { code: 'SELF_REFERENCE_BLOCKED' } }

// ❌ Also blocked
await callTool('codecall:search', { query: 'users' });
await callTool('codecall:describe', { toolNames: ['users:list'] });
await callTool('codecall:invoke', { tool: 'users:list', input: {} });

Why This Matters

Without self-reference blocking, an attacker could:
  1. Recursive execution: codecall:execute calls itself infinitely
  2. Sandbox escape: Nest executions to accumulate privileges
  3. Resource exhaustion: Each nested call multiplies resource usage
  4. Audit bypass: Hide malicious calls in nested scripts

Implementation

The guard runs before any other security checks: 
// execute.tool.ts - First line of callTool handler
assertNotSelfReference(toolName);  // Throws if codecall:* tool

Tool Access Control

Beyond the Self-Reference Guard, CodeCall controls which tools scripts can invoke through two configuration options.

includeTools Filter

The includeTools option on CodeCallPlugin.init() filters which tools are available to CodeCall at the global level: 
CodeCallPlugin.init({
  includeTools: (tool) => {
    // Block admin tools
    if (tool.name.startsWith('admin:')) return false;
    // Block destructive tools
    if (tool.metadata?.annotations?.destructiveHint) return false;
    return true;
  },
});

Direct Invoke Allowlist

For the codecall:invoke meta-tool, restrict which tools can be called directly: 
CodeCallPlugin.init({
  directCalls: {
    enabled: true,
    allowedTools: ['users:list', 'users:get', 'orders:list'],
  },
});

Per-Tool Metadata

Individual tools opt in or out via the codecall metadata field: 
@Tool({
  name: 'admin:deleteUser',
  codecall: {
    enabledInCodeCall: false,  // Not available in scripts
    visibleInListTools: true,  // Still visible for direct use
  },
})

Default Blocked Patterns

Internally, the ToolAccessControlService blocks these patterns by default:
  • system:* - System administration tools
  • internal:* - Internal/private tools
  • __* - Internal implementation tools
  • codecall:* - Self-reference (via the Self-Reference Guard)

Layer 4: Output Sanitization

All outputs are sanitized before returning to the client through two mechanisms: Value Sanitization (structure/content) and Stack Trace Sanitization (information leakage).

Value Sanitization Rules

RuleDefaultPurpose
maxDepth20Prevent deeply nested objects
maxProperties10,000Limit total object keys
maxStringLength10,000Truncate oversized strings
maxArrayLength1,000Truncate large arrays

What Gets Stripped

Value sanitization removes potentially dangerous content:
StrippedReason
FunctionsPrevents code injection
SymbolsPrevents prototype manipulation
__proto__ keysPrevents prototype pollution
constructor keysPrevents constructor tampering
Getters/SettersPrevents trap execution

Type Handling

The sanitizer handles special JavaScript types safely: 
// Input types are converted to safe representations
DateISO string
Error{ name, message, code? }
RegExpstring pattern
Mapplain object
Setarray
Buffer"[Buffer]"
ArrayBuffer"[ArrayBuffer]"

Circular Reference Detection

// Script returns circular reference
const obj = { name: 'test' };
obj.self = obj;
return obj;

// Sanitized output
{
  "name": "test",
  "self": "[Circular]"
}

Information Leakage Prevention (Stack Trace Sanitization)

Stack traces can reveal sensitive information about your infrastructure. CodeCall sanitizes 40+ patterns from error messages.
File System Paths Redacted:
CategoryExamples
Unix home/Users/john/, /home/deploy/
System paths/var/log/, /etc/, /tmp/
App paths/app/, /srv/, /opt/
WindowsC:\Users\, D:\Projects\, UNC paths
Package Manager Paths Redacted:
ManagerPatterns
npmnode_modules/, .npm/
yarn.yarn/, yarn-cache/
pnpm.pnpm/, pnpm-store/
workspacepackages/, libs/
Cloud/Container Paths Redacted:
EnvironmentPatterns
Docker/docker/, container IDs
Kubernetes/var/run/secrets/, pod names
AWSLambda paths, ECS task IDs
GCPCloud Run paths, function IDs
AzureFunctions paths, container IDs
CI/CD Paths Redacted:
  • GitHub Actions: /runner/, /_work/
  • GitLab CI: /builds/, CI variables
  • Jenkins: /var/jenkins/, workspace paths
  • CircleCI: /circleci/, project paths
Credentials Redacted: 
Bearer [token]     → Bearer [REDACTED]
Authorization: ... → Authorization: [REDACTED]
api_key=xxx        → api_key=[REDACTED]
password=xxx       → password=[REDACTED]
Network Information Redacted:
  • Internal hostnames: *.internal, *.local
  • Private IPs: 10.x.x.x, 192.168.x.x, 172.16-31.x.x
  • Service URLs: Internal load balancers, databases

Example: Before and After

// Before sanitization (DANGEROUS - leaks infrastructure details)
{
  "error": {
    "message": "Cannot read property 'foo' of undefined",
    "stack": "TypeError: Cannot read property 'foo'\n    at processUser (/home/deploy/app/src/handlers/users.ts:42:15)\n    at /home/deploy/app/node_modules/@company/sdk/dist/index.js:156:23",
    "path": "/home/deploy/app/src/handlers/users.ts",
    "env": "production",
    "dbHost": "postgres.internal.company.com"
  }
}

// After sanitization (SAFE)
{
  "error": {
    "message": "Cannot read property 'foo' of undefined",
    "stack": "TypeError: Cannot read property 'foo'\n    at processUser (...)\n    at (...)",
    "code": "RUNTIME_ERROR"
  }
}

Error Categories

CodeCall categorizes all errors for safe exposure:
CategoryCodeExposed To ClientContains
SyntaxSYNTAX_ERRORMessage + locationLine/column of error
ValidationVALIDATION_ERRORRule that failedBlocked construct
TimeoutTIMEOUTDuration-
Self-ReferenceSELF_REFERENCE_BLOCKEDTool name-
Tool Not FoundTOOL_NOT_FOUNDTool name-
Tool ErrorTOOL_ERRORSanitized message-
RuntimeRUNTIME_ERRORSanitized message-
// Example error response
{
  "status": "illegal_access",
  "error": {
    "kind": "IllegalBuiltinAccess",
    "message": "Identifier 'eval' is not allowed in AgentScript"
  }
}

Security Checklist

Before deploying CodeCall to production:
1

Choose VM Preset

Use secure for production, locked_down for sensitive data.
vm: { preset: 'secure' }
2

Configure Tool Allowlists

Limit which tools are accessible via CodeCall.
codecall: { enabledInCodeCall: true }  // per-tool
includeTools: (tool) => !tool.name.startsWith('admin:')  // global
3

Verify Stack Trace Sanitization

Output sanitization is enabled by default. Verify that error responses don’t leak file paths or internal details in your staging environment.
4

Test Security Boundaries

Run the attack vector tests from ast-guard’s security audit.

Threat Model

What CodeCall Protects Against

Code Injection

AST validation blocks eval, Function, and dynamic code execution

Sandbox Escape

Isolated vm context with no access to Node.js APIs or globals

Data Exfiltration

Tool access control and iteration limits restrict data movement patterns

Prototype Pollution

Blocked at AST level and isolated at runtime

Resource Exhaustion

Timeouts, iteration limits, and tool call caps

I/O Flood Attacks

Console output size and call count limits prevent logging abuse

Information Leakage

Stack traces and file paths sanitized from outputs

Recursive Execution

Self-reference guard blocks codecall:* tool calls

What CodeCall Does NOT Protect Against

CodeCall is not a silver bullet. Defense-in-depth means combining CodeCall with other security measures.
ThreatMitigation
Tool abuseUse enabledInCodeCall: false on sensitive tools
Algorithmic complexityScripts can run O(n²) within limits - monitor performance
Memory exhaustionLarge arrays/objects within timeout - set reasonable limits
Tool side effectsTool calls have real effects - use read-only tools where possible
Business logic bugsScript logic errors are not security issues

AST Guard

Deep dive into AST validation rules, presets, and custom rule creation (separate repository)

Enclave

Runtime sandbox configuration, sidecar storage, and advanced options (separate repository)

Security Audit

Full list of 100+ blocked attack vectors including Layer 0 Pre-Scanner

Configuration

Complete configuration reference for security settings

AgentScript Guide

What’s allowed and blocked in the scripting language

Production & Scaling

Security checklist and best practices for production