@nexart/codemode-sdk 1.5.0 → 1.6.0

package/dist/execute.js

@@ -0,0 +1,283 @@
+/**
+ * NexArt Code Mode Runtime SDK - Canonical Execution Entry Point
+ *
+ * ╔══════════════════════════════════════════════════════════════════════════╗
+ * ║  CODE MODE PROTOCOL v1.2.0 (Phase 3) — CANONICAL ENTRY POINT             ║
+ * ║                                                                          ║
+ * ║  This is the ONLY official way to execute Code Mode.                     ║
+ * ║  All implementations (NexArt, ByX, external) MUST use this function.     ║
+ * ║                                                                          ║
+ * ║  Authority: @nexart/codemode-sdk                                         ║
+ * ╚══════════════════════════════════════════════════════════════════════════╝
+ */
+import { runStaticMode } from './static-engine';
+import { runLoopMode } from './loop-engine';
+import { PROTOCOL_IDENTITY, DEFAULT_CONFIG, } from './types';
+import { getBuilderManifest } from './builder-manifest';
+/**
+ * Validate and normalize VAR array to 10 elements.
+ *
+ * Rules (SDK v1.0.2, Protocol v1.0.0):
+ * - VAR is OPTIONAL: omit or pass [] for empty (defaults to all zeros)
+ * - VAR input length MUST be 0-10 elements (protocol error if > 10)
+ * - VAR values MUST be finite numbers (protocol error if not)
+ * - VAR values MUST be in range 0-100 (protocol error if out of range, NO clamping)
+ * - VAR is read-only inside sketches
+ * - Output is ALWAYS 10 elements (padded with zeros) for protocol consistency
+ */
+function normalizeVars(vars) {
+    if (!vars || !Array.isArray(vars)) {
+        console.log('[CodeMode] No vars provided, using defaults [0,0,0,0,0,0,0,0,0,0]');
+        return [0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
+    }
+    if (vars.length > 10) {
+        throw new Error(`[Code Mode Protocol Error] VAR array must have at most 10 elements, got ${vars.length}`);
+    }
+    const result = [];
+    for (let i = 0; i < vars.length; i++) {
+        const v = vars[i];
+        if (typeof v !== 'number' || !Number.isFinite(v)) {
+            throw new Error(`[Code Mode Protocol Error] VAR[${i}] must be a finite number, got ${typeof v === 'number' ? v : typeof v}`);
+        }
+        if (v < 0 || v > 100) {
+            throw new Error(`[Code Mode Protocol Error] VAR[${i}] = ${v} is out of range. Values must be 0-100.`);
+        }
+        result.push(v);
+    }
+    // Pad with zeros to always have 10 elements for protocol consistency
+    while (result.length < 10) {
+        result.push(0);
+    }
+    return result;
+}
+/**
+ * Validate execution input
+ */
+function validateInput(input) {
+    if (!input.source || typeof input.source !== 'string') {
+        throw new Error('[Code Mode Protocol Error] source is required and must be a string');
+    }
+    if (typeof input.width !== 'number' || input.width <= 0) {
+        throw new Error('[Code Mode Protocol Error] width must be a positive number');
+    }
+    if (typeof input.height !== 'number' || input.height <= 0) {
+        throw new Error('[Code Mode Protocol Error] height must be a positive number');
+    }
+    if (typeof input.seed !== 'number') {
+        throw new Error('[Code Mode Protocol Error] seed is required and must be a number');
+    }
+    if (input.mode !== 'static' && input.mode !== 'loop') {
+        throw new Error('[Code Mode Protocol Error] mode must be "static" or "loop"');
+    }
+    if (input.mode === 'loop') {
+        if (typeof input.totalFrames !== 'number' || input.totalFrames <= 0) {
+            throw new Error('[Code Mode Protocol Error] totalFrames is required for loop mode and must be a positive number');
+        }
+    }
+    // Validate forbidden patterns per CODE_MODE_PROTOCOL.md
+    const forbiddenPatterns = [
+        // Async timing (breaks determinism)
+        { pattern: /setTimeout\s*\(/, name: 'setTimeout' },
+        { pattern: /setInterval\s*\(/, name: 'setInterval' },
+        { pattern: /requestAnimationFrame\s*\(/, name: 'requestAnimationFrame' },
+        // Time-based entropy (breaks determinism)
+        { pattern: /Date\.now\s*\(/, name: 'Date.now() — use time variable instead' },
+        { pattern: /new\s+Date\s*\(/, name: 'new Date() — use time variable instead' },
+        // Unseeded random (use random() instead)
+        { pattern: /Math\.random\s*\(/, name: 'Math.random() — use random() instead (seeded)' },
+        // External IO (breaks determinism)
+        { pattern: /fetch\s*\(/, name: 'fetch() — external IO forbidden' },
+        { pattern: /XMLHttpRequest/, name: 'XMLHttpRequest — external IO forbidden' },
+        // Canvas is pre-initialized
+        { pattern: /createCanvas\s*\(/, name: 'createCanvas() — canvas is pre-initialized' },
+        // DOM manipulation forbidden
+        { pattern: /document\./, name: 'DOM access — document.* forbidden' },
+        { pattern: /window\./, name: 'DOM access — window.* forbidden' },
+        // External imports forbidden
+        { pattern: /\bimport\s+/, name: 'import — external imports forbidden' },
+        { pattern: /\brequire\s*\(/, name: 'require() — external imports forbidden' },
+    ];
+    for (const { pattern, name } of forbiddenPatterns) {
+        if (pattern.test(input.source)) {
+            throw new Error(`[Code Mode Protocol Error] Forbidden pattern: ${name}`);
+        }
+    }
+    // Loop mode specific validation
+    if (input.mode === 'loop') {
+        if (!/function\s+draw\s*\(\s*\)/.test(input.source)) {
+            throw new Error('[Code Mode Protocol Error] Loop mode requires a draw() function');
+        }
+        if (/noLoop\s*\(\s*\)/.test(input.source)) {
+            throw new Error('[Code Mode Protocol Error] noLoop() is forbidden in Loop mode');
+        }
+    }
+}
+/**
+ * Create protocol metadata for the execution result
+ */
+function createMetadata(input, vars) {
+    return {
+        ...PROTOCOL_IDENTITY,
+        seed: input.seed,
+        vars,
+        width: input.width,
+        height: input.height,
+        mode: input.mode,
+        ...(input.mode === 'loop' && input.totalFrames ? { totalFrames: input.totalFrames } : {}),
+    };
+}
+/**
+ * Execute Code Mode in Static mode - delegates to static-engine.ts
+ */
+async function executeStatic(input, vars) {
+    console.log('[CodeMode] Rendered via @nexart/codemode-sdk (Protocol v1.2.0)');
+    console.log('[CodeMode] Execution: Static mode — delegating to static-engine');
+    return new Promise((resolve, reject) => {
+        runStaticMode({
+            mode: 'static',
+            width: input.width,
+            height: input.height,
+        }, {
+            code: input.source,
+            seed: input.seed,
+            vars: vars,
+            onComplete: (result) => {
+                resolve({
+                    image: 'blob' in result ? result.blob : undefined,
+                    frames: 'imageData' in result ? [result.imageData] : undefined,
+                    metadata: createMetadata(input, vars),
+                });
+            },
+            onError: (error) => {
+                reject(error);
+            },
+        });
+    });
+}
+/**
+ * Execute Code Mode in Loop mode - delegates to loop-engine.ts
+ */
+async function executeLoop(input, vars) {
+    console.log('[CodeMode] Rendered via @nexart/codemode-sdk (Protocol v1.2.0)');
+    console.log(`[CodeMode] Execution: Loop mode — delegating to loop-engine (${input.totalFrames} frames)`);
+    const fps = DEFAULT_CONFIG.fps;
+    const duration = (input.totalFrames || 60) / fps;
+    return new Promise((resolve, reject) => {
+        runLoopMode({
+            mode: 'loop',
+            width: input.width,
+            height: input.height,
+            duration: duration,
+            fps: fps,
+        }, {
+            code: input.source,
+            seed: input.seed,
+            vars: vars,
+            onComplete: (result) => {
+                resolve({
+                    video: 'blob' in result && result.type === 'video' ? result.blob : undefined,
+                    metadata: createMetadata(input, vars),
+                });
+            },
+            onError: (error) => {
+                reject(error);
+            },
+        });
+    });
+}
+/**
+ * executeCodeMode — Canonical Code Mode Execution Entry Point
+ *
+ * This is the ONLY official way to execute Code Mode.
+ * All implementations MUST use this function.
+ *
+ * @param input - Execution parameters
+ * @returns Promise<ExecuteCodeModeResult> - Execution result with protocol metadata
+ *
+ * @example
+ * ```typescript
+ * const result = await executeCodeMode({
+ *   source: `function setup() { background(255); ellipse(width/2, height/2, 100); }`,
+ *   width: 1950,
+ *   height: 2400,
+ *   seed: 12345,
+ *   vars: [50, 75, 0, 0, 0, 0, 0, 0, 0, 0],
+ *   mode: 'static'
+ * });
+ *
+ * console.log(result.metadata.protocolVersion); // '1.2.0'
+ * console.log(result.image); // PNG Blob
+ * ```
+ */
+export async function executeCodeMode(input) {
+    // Validate input
+    validateInput(input);
+    // Normalize VAR values
+    const vars = normalizeVars(input.vars);
+    // ╔═══════════════════════════════════════════════════════════════════════╗
+    // ║  BUILDER MANIFEST CONTEXT (v1.6.0)                                    ║
+    // ║                                                                       ║
+    // ║  Internal context for builder attribution.                            ║
+    // ║  This is NOT exposed to sketch code, NOT serialized, NOT logged.      ║
+    // ║  Does NOT affect execution behavior or determinism.                   ║
+    // ╚═══════════════════════════════════════════════════════════════════════╝
+    const _executionContext = {
+        builderManifest: getBuilderManifest(),
+    };
+    // Note: _executionContext is intentionally unused.
+    // It prepares the SDK for future attribution without activating anything.
+    void _executionContext;
+    // Log protocol execution
+    console.log('[CodeMode] ════════════════════════════════════════════════');
+    console.log('[CodeMode] Protocol v1.2.0 — Phase 3 — HARD Enforcement');
+    console.log(`[CodeMode] Mode: ${input.mode}`);
+    console.log(`[CodeMode] Seed: ${input.seed}`);
+    console.log(`[CodeMode] VAR: [${vars.join(', ')}]`);
+    console.log('[CodeMode] ════════════════════════════════════════════════');
+    // Execute based on mode
+    if (input.mode === 'static') {
+        return executeStatic(input, vars);
+    }
+    else {
+        return executeLoop(input, vars);
+    }
+}
+/**
+ * Validate code without executing
+ */
+export function validateCodeModeSource(source, mode) {
+    const errors = [];
+    // Same forbidden patterns as validateInput per CODE_MODE_PROTOCOL.md
+    const forbiddenPatterns = [
+        { pattern: /setTimeout\s*\(/, name: 'setTimeout' },
+        { pattern: /setInterval\s*\(/, name: 'setInterval' },
+        { pattern: /requestAnimationFrame\s*\(/, name: 'requestAnimationFrame' },
+        { pattern: /Date\.now\s*\(/, name: 'Date.now() — use time variable instead' },
+        { pattern: /new\s+Date\s*\(/, name: 'new Date() — use time variable instead' },
+        { pattern: /Math\.random\s*\(/, name: 'Math.random() — use random() instead (seeded)' },
+        { pattern: /fetch\s*\(/, name: 'fetch() — external IO forbidden' },
+        { pattern: /XMLHttpRequest/, name: 'XMLHttpRequest — external IO forbidden' },
+        { pattern: /createCanvas\s*\(/, name: 'createCanvas() — canvas is pre-initialized' },
+        { pattern: /document\./, name: 'DOM access — document.* forbidden' },
+        { pattern: /window\./, name: 'DOM access — window.* forbidden' },
+        { pattern: /\bimport\s+/, name: 'import — external imports forbidden' },
+        { pattern: /\brequire\s*\(/, name: 'require() — external imports forbidden' },
+    ];
+    for (const { pattern, name } of forbiddenPatterns) {
+        if (pattern.test(source)) {
+            errors.push(`Forbidden pattern: ${name}`);
+        }
+    }
+    if (mode === 'loop') {
+        if (!/function\s+draw\s*\(\s*\)/.test(source)) {
+            errors.push('Loop mode requires a draw() function');
+        }
+        if (/noLoop\s*\(\s*\)/.test(source)) {
+            errors.push('noLoop() is forbidden in Loop mode');
+        }
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}

package/dist/execution-sandbox.d.ts

@@ -0,0 +1,107 @@
+/**
+ * NexArt Code Mode SDK - Execution Sandbox
+ * Version: 1.6.0 (Protocol v1.2.0)
+ *
+ * ╔══════════════════════════════════════════════════════════════════════════╗
+ * ║  EXECUTION BOUNDARY — HARD ENFORCEMENT                                   ║
+ * ║                                                                          ║
+ * ║  This module enforces determinism by blocking all external entropy       ║
+ * ║  sources at RUNTIME, not just via static pattern scanning.               ║
+ * ║                                                                          ║
+ * ║  Blocked APIs (throw [Code Mode Protocol Error]):                        ║
+ * ║  - Date, Date.now, Date.parse, new Date()                                ║
+ * ║  - performance, performance.now                                          ║
+ * ║  - process (Node.js)                                                     ║
+ * ║  - navigator                                                             ║
+ * ║  - globalThis                                                            ║
+ * ║  - crypto.getRandomValues                                                ║
+ * ║  - Math.random (use seeded random() instead)                             ║
+ * ║  - setTimeout, setInterval, requestAnimationFrame                        ║
+ * ║  - fetch, XMLHttpRequest                                                 ║
+ * ║  - document, window                                                      ║
+ * ║  - import, require                                                       ║
+ * ║                                                                          ║
+ * ║  All blocked symbols throw immediately on access — no silent undefined.  ║
+ * ╚══════════════════════════════════════════════════════════════════════════╝
+ */
+/**
+ * Forbidden APIs - these are injected into the execution scope to override globals
+ */
+export declare const FORBIDDEN_APIS: {
+    readonly Date: (...args: any[]) => never;
+    readonly performance: object;
+    readonly process: object;
+    readonly navigator: object;
+    readonly globalThis: object;
+    readonly crypto: object;
+    readonly setTimeout: (...args: any[]) => never;
+    readonly setInterval: (...args: any[]) => never;
+    readonly clearTimeout: (...args: any[]) => never;
+    readonly clearInterval: (...args: any[]) => never;
+    readonly requestAnimationFrame: (...args: any[]) => never;
+    readonly cancelAnimationFrame: (...args: any[]) => never;
+    readonly fetch: (...args: any[]) => never;
+    readonly XMLHttpRequest: (...args: any[]) => never;
+    readonly WebSocket: (...args: any[]) => never;
+    readonly document: object;
+    readonly window: object;
+    readonly self: object;
+    readonly top: object;
+    readonly parent: object;
+    readonly frames: object;
+    readonly location: object;
+    readonly history: object;
+    readonly localStorage: object;
+    readonly sessionStorage: object;
+    readonly indexedDB: object;
+    readonly caches: object;
+    readonly Notification: (...args: any[]) => never;
+    readonly Worker: (...args: any[]) => never;
+    readonly SharedWorker: (...args: any[]) => never;
+    readonly ServiceWorker: object;
+    readonly Blob: (...args: any[]) => never;
+    readonly File: (...args: any[]) => never;
+    readonly FileReader: (...args: any[]) => never;
+    readonly URL: (...args: any[]) => never;
+    readonly URLSearchParams: (...args: any[]) => never;
+    readonly Headers: (...args: any[]) => never;
+    readonly Request: (...args: any[]) => never;
+    readonly Response: (...args: any[]) => never;
+    readonly EventSource: (...args: any[]) => never;
+    readonly Image: (...args: any[]) => never;
+    readonly Audio: (...args: any[]) => never;
+    readonly Video: (...args: any[]) => never;
+    readonly eval: (...args: any[]) => never;
+    readonly Function: (...args: any[]) => never;
+};
+/**
+ * Create a safe Math object with random() blocked
+ */
+export declare function createSafeMath(): typeof Math;
+/**
+ * List of all forbidden API names for documentation
+ */
+export declare const FORBIDDEN_API_NAMES: string[];
+/**
+ * Build the complete sandbox context for sketch execution.
+ * This includes the p5 runtime plus all forbidden API stubs.
+ */
+export declare function buildSandboxContext(p5Runtime: Record<string, any>): Record<string, any>;
+/**
+ * Create a sandboxed function that executes user code with blocked globals.
+ *
+ * The function is constructed with:
+ * 1. All forbidden APIs as explicit parameters (override globals)
+ * 2. The p5 runtime as explicit parameters
+ * 3. A `with(context)` wrapper for additional safety
+ */
+export declare function createSandboxedExecutor(code: string, additionalParams?: string[]): Function;
+/**
+ * Execute user code in a sandboxed environment.
+ *
+ * @param code - The user sketch code to execute
+ * @param p5Runtime - The p5-like runtime object
+ * @param additionalContext - Additional context variables (frameCount, t, etc.)
+ */
+export declare function executeSandboxed(code: string, p5Runtime: Record<string, any>, additionalContext?: Record<string, any>): void;
+//# sourceMappingURL=execution-sandbox.d.ts.map

package/dist/execution-sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"execution-sandbox.d.ts","sourceRoot":"","sources":["../execution-sandbox.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAyDH;;GAEG;AACH,eAAO,MAAM,cAAc;6BAvD2B,GAAG,EAAE,KAAK,KAAK;;;;;;mCAAf,GAAG,EAAE,KAAK,KAAK;oCAAf,GAAG,EAAE,KAAK,KAAK;qCAAf,GAAG,EAAE,KAAK,KAAK;sCAAf,GAAG,EAAE,KAAK,KAAK;8CAAf,GAAG,EAAE,KAAK,KAAK;6CAAf,GAAG,EAAE,KAAK,KAAK;8BAAf,GAAG,EAAE,KAAK,KAAK;uCAAf,GAAG,EAAE,KAAK,KAAK;kCAAf,GAAG,EAAE,KAAK,KAAK;;;;;;;;;;;;;qCAAf,GAAG,EAAE,KAAK,KAAK;+BAAf,GAAG,EAAE,KAAK,KAAK;qCAAf,GAAG,EAAE,KAAK,KAAK;;6BAAf,GAAG,EAAE,KAAK,KAAK;6BAAf,GAAG,EAAE,KAAK,KAAK;mCAAf,GAAG,EAAE,KAAK,KAAK;4BAAf,GAAG,EAAE,KAAK,KAAK;wCAAf,GAAG,EAAE,KAAK,KAAK;gCAAf,GAAG,EAAE,KAAK,KAAK;gCAAf,GAAG,EAAE,KAAK,KAAK;iCAAf,GAAG,EAAE,KAAK,KAAK;oCAAf,GAAG,EAAE,KAAK,KAAK;8BAAf,GAAG,EAAE,KAAK,KAAK;8BAAf,GAAG,EAAE,KAAK,KAAK;8BAAf,GAAG,EAAE,KAAK,KAAK;6BAAf,GAAG,EAAE,KAAK,KAAK;iCAAf,GAAG,EAAE,KAAK,KAAK;CAqG3D,CAAC;AAEX;;GAEG;AACH,wBAAgB,cAAc,IAAI,OAAO,IAAI,CAU5C;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB,UAA8B,CAAC;AAE/D;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAavF;AAED;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,MAAM,EACZ,gBAAgB,GAAE,MAAM,EAAO,GAC9B,QAAQ,CAiBV;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAC9B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC9B,iBAAiB,GAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAM,GAC1C,IAAI,CAsBN"}

package/dist/execution-sandbox.js

@@ -0,0 +1,207 @@
+/**
+ * NexArt Code Mode SDK - Execution Sandbox
+ * Version: 1.6.0 (Protocol v1.2.0)
+ *
+ * ╔══════════════════════════════════════════════════════════════════════════╗
+ * ║  EXECUTION BOUNDARY — HARD ENFORCEMENT                                   ║
+ * ║                                                                          ║
+ * ║  This module enforces determinism by blocking all external entropy       ║
+ * ║  sources at RUNTIME, not just via static pattern scanning.               ║
+ * ║                                                                          ║
+ * ║  Blocked APIs (throw [Code Mode Protocol Error]):                        ║
+ * ║  - Date, Date.now, Date.parse, new Date()                                ║
+ * ║  - performance, performance.now                                          ║
+ * ║  - process (Node.js)                                                     ║
+ * ║  - navigator                                                             ║
+ * ║  - globalThis                                                            ║
+ * ║  - crypto.getRandomValues                                                ║
+ * ║  - Math.random (use seeded random() instead)                             ║
+ * ║  - setTimeout, setInterval, requestAnimationFrame                        ║
+ * ║  - fetch, XMLHttpRequest                                                 ║
+ * ║  - document, window                                                      ║
+ * ║  - import, require                                                       ║
+ * ║                                                                          ║
+ * ║  All blocked symbols throw immediately on access — no silent undefined.  ║
+ * ╚══════════════════════════════════════════════════════════════════════════╝
+ */
+/**
+ * Create a throwing stub for a forbidden API
+ */
+function createForbiddenStub(name) {
+    const stub = function () {
+        throw new Error(`[Code Mode Protocol Error] Forbidden API: ${name}`);
+    };
+    return new Proxy(stub, {
+        get(_target, prop) {
+            if (prop === Symbol.toPrimitive || prop === 'toString' || prop === 'valueOf') {
+                return () => { throw new Error(`[Code Mode Protocol Error] Forbidden API: ${name}`); };
+            }
+            throw new Error(`[Code Mode Protocol Error] Forbidden API: ${name}.${String(prop)}`);
+        },
+        apply() {
+            throw new Error(`[Code Mode Protocol Error] Forbidden API: ${name}()`);
+        },
+        construct() {
+            throw new Error(`[Code Mode Protocol Error] Forbidden API: new ${name}()`);
+        },
+        set() {
+            throw new Error(`[Code Mode Protocol Error] Forbidden API: ${name} (assignment blocked)`);
+        },
+        has() {
+            return true;
+        }
+    });
+}
+/**
+ * Create a frozen object that throws on any property access
+ */
+function createForbiddenObject(name) {
+    return new Proxy({}, {
+        get(_target, prop) {
+            if (prop === Symbol.toPrimitive || prop === 'toString' || prop === 'valueOf') {
+                return () => { throw new Error(`[Code Mode Protocol Error] Forbidden API: ${name}`); };
+            }
+            throw new Error(`[Code Mode Protocol Error] Forbidden API: ${name}.${String(prop)}`);
+        },
+        set() {
+            throw new Error(`[Code Mode Protocol Error] Forbidden API: ${name} (assignment blocked)`);
+        },
+        has() {
+            return true;
+        },
+        apply() {
+            throw new Error(`[Code Mode Protocol Error] Forbidden API: ${name}()`);
+        },
+        construct() {
+            throw new Error(`[Code Mode Protocol Error] Forbidden API: new ${name}()`);
+        }
+    });
+}
+/**
+ * Forbidden APIs - these are injected into the execution scope to override globals
+ */
+export const FORBIDDEN_APIS = {
+    Date: createForbiddenStub('Date'),
+    performance: createForbiddenObject('performance'),
+    process: createForbiddenObject('process'),
+    navigator: createForbiddenObject('navigator'),
+    globalThis: createForbiddenObject('globalThis'),
+    crypto: createForbiddenObject('crypto'),
+    setTimeout: createForbiddenStub('setTimeout'),
+    setInterval: createForbiddenStub('setInterval'),
+    clearTimeout: createForbiddenStub('clearTimeout'),
+    clearInterval: createForbiddenStub('clearInterval'),
+    requestAnimationFrame: createForbiddenStub('requestAnimationFrame'),
+    cancelAnimationFrame: createForbiddenStub('cancelAnimationFrame'),
+    fetch: createForbiddenStub('fetch'),
+    XMLHttpRequest: createForbiddenStub('XMLHttpRequest'),
+    WebSocket: createForbiddenStub('WebSocket'),
+    document: createForbiddenObject('document'),
+    window: createForbiddenObject('window'),
+    self: createForbiddenObject('self'),
+    top: createForbiddenObject('top'),
+    parent: createForbiddenObject('parent'),
+    frames: createForbiddenObject('frames'),
+    location: createForbiddenObject('location'),
+    history: createForbiddenObject('history'),
+    localStorage: createForbiddenObject('localStorage'),
+    sessionStorage: createForbiddenObject('sessionStorage'),
+    indexedDB: createForbiddenObject('indexedDB'),
+    caches: createForbiddenObject('caches'),
+    Notification: createForbiddenStub('Notification'),
+    Worker: createForbiddenStub('Worker'),
+    SharedWorker: createForbiddenStub('SharedWorker'),
+    ServiceWorker: createForbiddenObject('ServiceWorker'),
+    Blob: createForbiddenStub('Blob'),
+    File: createForbiddenStub('File'),
+    FileReader: createForbiddenStub('FileReader'),
+    URL: createForbiddenStub('URL'),
+    URLSearchParams: createForbiddenStub('URLSearchParams'),
+    Headers: createForbiddenStub('Headers'),
+    Request: createForbiddenStub('Request'),
+    Response: createForbiddenStub('Response'),
+    EventSource: createForbiddenStub('EventSource'),
+    Image: createForbiddenStub('Image'),
+    Audio: createForbiddenStub('Audio'),
+    Video: createForbiddenStub('Video'),
+    eval: createForbiddenStub('eval'),
+    Function: createForbiddenStub('Function'),
+};
+/**
+ * Create a safe Math object with random() blocked
+ */
+export function createSafeMath() {
+    const safeMath = Object.create(Math);
+    Object.defineProperty(safeMath, 'random', {
+        get() {
+            throw new Error('[Code Mode Protocol Error] Forbidden API: Math.random() — use random() instead (seeded)');
+        },
+        configurable: false,
+        enumerable: true
+    });
+    return Object.freeze(safeMath);
+}
+/**
+ * List of all forbidden API names for documentation
+ */
+export const FORBIDDEN_API_NAMES = Object.keys(FORBIDDEN_APIS);
+/**
+ * Build the complete sandbox context for sketch execution.
+ * This includes the p5 runtime plus all forbidden API stubs.
+ */
+export function buildSandboxContext(p5Runtime) {
+    const safeMath = createSafeMath();
+    const context = {
+        ...FORBIDDEN_APIS,
+        Math: safeMath,
+    };
+    for (const key of Object.keys(p5Runtime)) {
+        context[key] = p5Runtime[key];
+    }
+    return context;
+}
+/**
+ * Create a sandboxed function that executes user code with blocked globals.
+ *
+ * The function is constructed with:
+ * 1. All forbidden APIs as explicit parameters (override globals)
+ * 2. The p5 runtime as explicit parameters
+ * 3. A `with(context)` wrapper for additional safety
+ */
+export function createSandboxedExecutor(code, additionalParams = []) {
+    const forbiddenParamNames = Object.keys(FORBIDDEN_APIS);
+    const allParams = [
+        'context',
+        'Math',
+        ...forbiddenParamNames,
+        ...additionalParams
+    ];
+    const wrappedCode = `
+    "use strict";
+    with(context) {
+      ${code}
+    }
+  `;
+    return new Function(...allParams, wrappedCode);
+}
+/**
+ * Execute user code in a sandboxed environment.
+ *
+ * @param code - The user sketch code to execute
+ * @param p5Runtime - The p5-like runtime object
+ * @param additionalContext - Additional context variables (frameCount, t, etc.)
+ */
+export function executeSandboxed(code, p5Runtime, additionalContext = {}) {
+    const safeMath = createSafeMath();
+    const fullContext = {
+        ...p5Runtime,
+        ...additionalContext,
+        Math: safeMath,
+        ...FORBIDDEN_APIS,
+    };
+    const forbiddenValues = Object.keys(FORBIDDEN_APIS).map(key => FORBIDDEN_APIS[key]);
+    const additionalParamNames = Object.keys(additionalContext);
+    const additionalValues = Object.values(additionalContext);
+    const executor = createSandboxedExecutor(code, additionalParamNames);
+    executor(fullContext, safeMath, ...forbiddenValues, ...additionalValues);
+}

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 /**
  * NexArt Code Mode Runtime SDK
- * Version: 1.5.0 (Protocol v1.2.0)
+ * Version: 1.1.0 (Protocol v1.0.0)
  *
  * ╔══════════════════════════════════════════════════════════════════════════╗
  * ║  @nexart/codemode-sdk — Canonical Code Mode Authority                    ║
@@ -10,9 +10,9 @@
  * ║                                                                          ║
  * ║  Protocol: nexart                                                        ║
  * ║  Engine: codemode                                                        ║
- * ║  SDK Version: 1.5.0                                                      ║
- * ║  Protocol Version: 1.2.0                                                 ║
- * ║  Phase: 3                                                                ║
+ * ║  SDK Version: 1.1.0                                                      ║
+ * ║  Protocol Version: 1.0.0                                                 ║
+ * ║  Phase: 1                                                                ║
  * ║  Enforcement: HARD                                                       ║
  * ╚══════════════════════════════════════════════════════════════════════════╝
  *
@@ -21,23 +21,30 @@
  * import { executeCodeMode } from '@nexart/codemode-sdk';
  *
  * const result = await executeCodeMode({
- *   source: `
- *     function setup() {
- *       background(255);
- *       fill(0);
- *       ellipse(width/2, height/2, 100);
- *     }
- *   `,
- *   mode: 'static',
+ *   source: `function setup() { background(255); ellipse(width/2, height/2, 100); }`,
  *   width: 1950,
  *   height: 2400,
  *   seed: 12345,
- *   vars: [50, 50, 50, 50, 50, 50, 50, 50, 50, 50]
+ *   vars: [50, 0, 0, 0, 0, 0, 0, 0, 0, 0],
+ *   mode: 'static'
  * });
- * console.log('Rendered:', result.blob.size, 'bytes');
+ *
+ * console.log(result.metadata.protocolVersion); // '1.0.0'
  * ```
  */
-export { executeCodeMode, validateCodeModeSource } from './engine';
-export type { ExecuteCodeModeInput, ExecuteCodeModeResult, ProtocolMetadata, RenderResult, TimeVariables, } from './types';
-export { DEFAULT_CONFIG, PROTOCOL_IDENTITY } from './types';
+export { executeCodeMode, validateCodeModeSource } from './execute';
+export type { ExecuteCodeModeInput, ExecuteCodeModeResult, ProtocolMetadata, } from './types';
+export { PROTOCOL_IDENTITY } from './types';
+export { createEngine } from './engine';
+export type { Engine, EngineConfig, RunOptions, RenderResult, ProgressInfo, RenderMode, TimeVariables, } from './types';
+export { DEFAULT_CONFIG } from './types';
+export { renderSoundArtViaCodeMode, canRenderViaCodeMode, getCodeModeAvailableStyles, type SoundArtEngineConfig, type SoundArtRenderOptions, type SoundArtRenderResult, type SoundArtMetadata, } from './soundart-engine';
+export { type SoundSnapshot, type SoundFeatures, createSoundSnapshot, createEmptySoundSnapshot, freezeSoundSnapshot, } from '../../shared/soundSnapshot';
+export { injectSoundGlobals, createSoundGlobals, createEmptySoundGlobals, generateSoundPalette, inferGenreProfile, createSoundHelpers, type SoundGlobals, type GenreProfile, } from './sound-bridge';
+export { getSoundArtSketch, getAvailableSoundArtSketches, isSoundArtSketchAvailable, type SoundArtSketchName, } from './soundart-sketches';
+export { createP5Runtime, type P5Runtime, type P5RuntimeConfig } from './p5-runtime';
+export { renderNoiseViaCodeMode, compileNoiseSystem, canRenderNoiseViaCodeMode, type NoiseEngineConfig, type NoiseRenderOptions, type NoiseRenderResult, type NoiseMetadata, } from './noise-engine';
+export { type NoiseSnapshot, type NoiseParams, type NoiseBlendMode, createNoiseSnapshot, validateNoiseSnapshot, } from '../../shared/noiseSnapshot';
+export { createNoiseGlobals, injectNoiseGlobals, type NoiseGlobals, } from './noise-bridge';
+export { getNoiseSketch, getAvailableNoiseSketchNames, isValidNoiseSketch, type NoiseSketchName, } from './noise-sketches';
 //# sourceMappingURL=index.d.ts.map