# forge-sandbox

V8 sandbox for the Forgemax Code Mode Gateway.

Executes LLM-generated JavaScript in a deno_core isolate with no filesystem,
network, or environment access. The only bridge to the host is through
explicitly registered ops that dispatch to a [ToolDispatcher].

## Security model

- **V8 isolate**: Same process-level isolation as Chrome tabs
- **No ambient capabilities**: No fs, net, env, or child_process access
- **Fresh runtime per call**: No state leakage between executions
- **Pre-execution validation**: Banned patterns caught before reaching V8
- **Timeout enforcement**: Execution killed after configurable deadline
- **Output size limits**: Prevents exfiltration of large data sets
- **Opaque bindings**: Credentials never exposed to sandbox code
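
The host-side controls listed above (pre-execution validation, the single op bridge with opaque credential handles, output size limits, and a deadline) sketched in plain Rust. This is an added example written for this page, not the crate's own code: it uses no deno_core and no V8, so `validate_source`, `Limits`, `BANNED_PATTERNS`, `check_output`, `run_with_deadline`, `crm_lookup`, and the `ToolDispatcher` shown here are stand-ins and assumptions, and the banned-pattern list and the `s3cr3t-api-key` credential are constructed. With a real isolate the deadline path would also signal the isolate to terminate; here a closure on a worker thread stands in for the isolate.

```rust
use std::collections::HashMap;
use std::sync::mpsc;
use std::thread;
use std::time::Duration;

/// Constructed source patterns refused before any isolate is created.
/// An assumption for this example, not the gateway's real list.
const BANNED_PATTERNS: &[&str] = &["Deno.", "require(", "import(", "eval(", "Function(", "process."];

#[derive(Debug, PartialEq)]
pub enum SandboxError {
    BannedPattern(&'static str),
    SourceTooLarge(usize),
    OutputTooLarge(usize),
    UnknownTool(String),
    UnknownHandle(String),
    Timeout,
}

/// Host-side limits applied to every execution (struct and field names are assumptions).
pub struct Limits {
    pub max_source_bytes: usize,
    pub max_output_bytes: usize,
    pub timeout: Duration,
}

/// Pre-execution validation: cheap textual checks that reject disallowed source
/// before it reaches V8. The isolate having no ambient capabilities is the real
/// boundary; this layer fails fast and yields a clear error instead of a runtime one.
pub fn validate_source(src: &str, limits: &Limits) -> Result<(), SandboxError> {
    if src.len() > limits.max_source_bytes {
        return Err(SandboxError::SourceTooLarge(src.len()));
    }
    for &pat in BANNED_PATTERNS {
        if src.contains(pat) {
            return Err(SandboxError::BannedPattern(pat));
        }
    }
    Ok(())
}

/// Output size limit, checked on the serialized result before it leaves the host.
pub fn check_output<'a>(out: &'a str, limits: &Limits) -> Result<&'a str, SandboxError> {
    if out.len() > limits.max_output_bytes {
        return Err(SandboxError::OutputTooLarge(out.len()));
    }
    Ok(out)
}

/// A host tool: receives the resolved credential and the sandbox's argument.
pub type Tool = fn(&str, &str) -> String;

/// Stand-in for the page's ToolDispatcher. Sandbox code only ever holds opaque
/// handle names such as "crm_prod"; the handle-to-credential map lives here, outside V8.
#[derive(Default)]
pub struct ToolDispatcher {
    credentials: HashMap<String, String>,
    tools: HashMap<String, Tool>,
}

impl ToolDispatcher {
    pub fn register_tool(&mut self, name: &str, tool: Tool) {
        self.tools.insert(name.to_string(), tool);
    }

    pub fn bind_credential(&mut self, handle: &str, secret: &str) {
        self.credentials.insert(handle.to_string(), secret.to_string());
    }

    /// Body of the one op the isolate may call. Only plain strings cross the boundary
    /// in either direction; the credential is resolved and consumed on the host side.
    pub fn dispatch(&self, tool: &str, handle: &str, arg: &str) -> Result<String, SandboxError> {
        let tool_fn = self.tools.get(tool)
            .ok_or_else(|| SandboxError::UnknownTool(tool.to_string()))?;
        let secret = self.credentials.get(handle)
            .ok_or_else(|| SandboxError::UnknownHandle(handle.to_string()))?;
        Ok(tool_fn(secret, arg))
    }
}

/// Timeout enforcement: the caller never waits past the deadline. A worker thread
/// stands in for the isolate; a real host would also tell the isolate to terminate.
pub fn run_with_deadline<T, F>(limits: &Limits, work: F) -> Result<T, SandboxError>
where
    T: Send + 'static,
    F: FnOnce() -> T + Send + 'static,
{
    let (tx, rx) = mpsc::channel();
    thread::spawn(move || {
        let _ = tx.send(work());
    });
    rx.recv_timeout(limits.timeout).map_err(|_| SandboxError::Timeout)
}

/// Constructed tool: "authenticates" with the credential and returns only a small
/// JSON record, so nothing secret appears in the value handed back to the sandbox.
pub fn crm_lookup(credential: &str, arg: &str) -> String {
    let authenticated = !credential.is_empty();
    format!("{{\"customer\":\"{}\",\"authenticated\":{}}}", arg, authenticated)
}

fn main() {
    let limits = Limits { max_source_bytes: 64 * 1024, max_output_bytes: 1024, timeout: Duration::from_millis(200) };
    let mut dispatcher = ToolDispatcher::default();
    dispatcher.register_tool("crm.lookup", crm_lookup);
    dispatcher.bind_credential("crm_prod", "s3cr3t-api-key"); // constructed secret

    let src = "const r = await tools.call('crm.lookup', 'crm_prod', '42');";
    println!("validate:   {:?}", validate_source(src, &limits));
    println!("dispatch:   {:?}", dispatcher.dispatch("crm.lookup", "crm_prod", "42"));
    println!("bad source: {:?}", validate_source("Deno.readTextFile('x.txt')", &limits));
}
```

The point of the split is that each control is enforced by the host and checked on host-owned data: the source is validated before an isolate exists, the dispatcher resolves handles to secrets on its own side of the op boundary, the output limit is applied to the bytes the host actually received, and the deadline bounds the caller's wait regardless of what the guest does.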