Security
The sandbox invariants codemode-workers guarantees, and the residual risks to know before you ship.
Security
Invariants
All of these are integration-tested against real isolates:
- Fresh isolate per call. No state crosses calls; code is compiled into the module source, never
eval’d. searchisolates have no network. TheirglobalOutboundisnull— no network, ever.- Credentials live outside the sandbox. They sit in the gate’s
props. Agent code cannot read the token (verified) or theenv/props. - The gate is the only exit and it is strict. It 403s any non-allowlisted host before the request leaves, refuses to attach credentials over a non-
httpsscheme, and forwards withredirect: "manual"so a 3xx never carries the credential to another host.
Residual risks
Know these before you ship.
- Host allowlist is by hostname, not host (matching the cloudflare-mcp pattern). If the allowlisted host also serves other things on other ports, agent code can reach them with the credential attached. Pin the port yourself (pass
host:portand matchurl.host) if that matters for your API. - A leaked credential is recoverable if the allowlisted API reflects request headers (debug/echo endpoints, verbose error bodies that quote the auth header). This is inherent to any credential-injecting proxy. Confirm your API has no header-reflecting surface, and scope the injected token to least privilege.
api.requestreturns upstream error bodies to the agent. By design (the agent needs to see what failed), but it means anything the upstream reflects on error is agent-readable.- Execution timeout is opt-in (
timeoutMs). Without it, the platform CPU limit is the only backstop against long-running agent code. Set MCP-level rate limiting at the operator layer.