Skip to content
codemode-workers
Esc
navigateopen⌘Jpreview
On this page

Security

The sandbox invariants codemode-workers guarantees, and the residual risks to know before you ship.

Security

Invariants

All of these are integration-tested against real isolates:

  1. Fresh isolate per call. No state crosses calls; code is compiled into the module source, never eval’d.
  2. search isolates have no network. Their globalOutbound is null — no network, ever.
  3. Credentials live outside the sandbox. They sit in the gate’s props. Agent code cannot read the token (verified) or the env/props.
  4. The gate is the only exit and it is strict. It 403s any non-allowlisted host before the request leaves, refuses to attach credentials over a non-https scheme, and forwards with redirect: "manual" so a 3xx never carries the credential to another host.

Residual risks

Know these before you ship.

  • Host allowlist is by hostname, not host (matching the cloudflare-mcp pattern). If the allowlisted host also serves other things on other ports, agent code can reach them with the credential attached. Pin the port yourself (pass host:port and match url.host) if that matters for your API.
  • A leaked credential is recoverable if the allowlisted API reflects request headers (debug/echo endpoints, verbose error bodies that quote the auth header). This is inherent to any credential-injecting proxy. Confirm your API has no header-reflecting surface, and scope the injected token to least privilege.
  • api.request returns upstream error bodies to the agent. By design (the agent needs to see what failed), but it means anything the upstream reflects on error is agent-readable.
  • Execution timeout is opt-in (timeoutMs). Without it, the platform CPU limit is the only backstop against long-running agent code. Set MCP-level rate limiting at the operator layer.

Was this page helpful?