@mcploom/codexec-isolated-vm 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +7 -0
  2. package/package.json +2 -2
package/README.md CHANGED
@@ -33,6 +33,13 @@ npm install @mcploom/codexec @mcploom/codexec-isolated-vm
33
33
  - the optional `isolated-vm` native dependency must install successfully in the host environment
34
34
  - native-addon failures are surfaced when `IsolatedVmExecutor` is constructed or used
35
35
 
36
+ ## Security Notes
37
+
38
+ - Each execution gets a fresh `isolated-vm` context with JSON-only tool and result boundaries.
39
+ - The default threat model assumes provider definitions are controlled by the host application; hostile users control guest code and tool inputs.
40
+ - This package is still in-process execution. It should not be marketed or relied on as a hard security boundary for hostile code.
41
+ - Providers remain the real capability boundary. If a tool is dangerous, guest code can invoke it.
42
+
36
43
  ## Usage
37
44
 
38
45
  ```ts
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@mcploom/codexec-isolated-vm",
3
- "version": "0.1.1",
3
+ "version": "0.1.2",
4
4
  "description": "isolated-vm executor for the mcploom codexec core package.",
5
5
  "license": "MIT",
6
6
  "type": "module",
@@ -41,7 +41,7 @@
41
41
  "homepage": "https://github.com/aallam/mcploom/tree/main/packages/codexec-isolated-vm#readme",
42
42
  "bugs": "https://github.com/aallam/mcploom/issues",
43
43
  "dependencies": {
44
- "@mcploom/codexec": "^0.2.0"
44
+ "@mcploom/codexec": "^0.2.1"
45
45
  },
46
46
  "optionalDependencies": {
47
47
  "isolated-vm": "^6.0.1"