@ondc/automation-mock-runner 1.3.43 → 1.3.44

package/dist/lib/MockRunner.d.ts

@@ -1,4 +1,5 @@
 import { BaseCodeRunner } from "./runners/base-runner";
+import { RunnerOptions } from "./runners/runner-factory";
 import { MockPlaygroundConfigType } from "./types/mock-config";
 import { Logger } from "./utils/logger";
 import { ExecutionResult } from "./types/execution-results";
@@ -7,6 +8,14 @@ export declare class MockRunner {
     private static sharedRunner;
     logger: Logger;
     private static getSharedRunner;
+    /**
+     * Initialize (or replace) the process-wide shared runner with explicit
+     * options. Call this once at service boot — before constructing any
+     * MockRunner — to configure the fetch allowlist and worker pool settings.
+     *
+     * If a shared runner already exists it is terminated and replaced.
+     */
+    static initSharedRunner(options?: RunnerOptions): BaseCodeRunner;
     constructor(config: MockPlaygroundConfigType, skipValidation?: boolean);
     getRunnerInstance(): BaseCodeRunner;
     getConfig(): {
@@ -69,9 +78,9 @@ export declare class MockRunner {
         success: boolean;
         errors?: import("zod/v4/core").$ZodIssue[];
     };
-    runGeneratePayload(actionId: string, inputs?: any): Promise<ExecutionResult>;
+    runGeneratePayload(actionId: string, inputs?: any, extraSessionData?: Record<string, any>): Promise<ExecutionResult>;
     runGeneratePayloadWithSession(actionId: string, sessionData: any): Promise<ExecutionResult>;
-    runValidatePayload(actionId: string, targetPayload: any): Promise<ExecutionResult>;
+    runValidatePayload(actionId: string, targetPayload: any, extraSessionData?: Record<string, any>): Promise<ExecutionResult>;
     runValidatePayloadWithSession(actionId: string, targetPayload: any, sessionData: any): Promise<ExecutionResult>;
     runMeetRequirements(actionId: string): Promise<ExecutionResult>;
     runMeetRequirementsWithSession(actionId: string, sessionData: any): Promise<ExecutionResult>;

package/dist/lib/MockRunner.js

@@ -18,6 +18,27 @@ class MockRunner {
         }
         return MockRunner.sharedRunner;
     }
+    /**
+     * Initialize (or replace) the process-wide shared runner with explicit
+     * options. Call this once at service boot — before constructing any
+     * MockRunner — to configure the fetch allowlist and worker pool settings.
+     *
+     * If a shared runner already exists it is terminated and replaced.
+     */
+    static initSharedRunner(options = {}) {
+        const logger = logger_1.Logger.getInstance();
+        if (MockRunner.sharedRunner) {
+            logger.warn("Replacing existing shared runner");
+            try {
+                MockRunner.sharedRunner.terminate();
+            }
+            catch (e) {
+                logger.error("Failed to terminate previous shared runner", {}, e);
+            }
+        }
+        MockRunner.sharedRunner = runner_factory_1.RunnerFactory.createRunner(options, logger);
+        return MockRunner.sharedRunner;
+    }
     constructor(config, skipValidation = false) {
         this.logger = logger_1.Logger.getInstance();
         if (!skipValidation) {
@@ -55,7 +76,7 @@ class MockRunner {
         const res = (0, validateConfig_1.validateConfigWithErrors)(this.config);
         return res;
     }
-    async runGeneratePayload(actionId, inputs = {}) {
+    async runGeneratePayload(actionId, inputs = {}, extraSessionData) {
         const executionId = this.logger.createExecutionContext(actionId);
         const startTime = Date.now();
         try {
@@ -73,6 +94,9 @@ class MockRunner {
             // Deep clone to avoid mutations
             const defaultPayload = JSON.parse(JSON.stringify(step.mock.defaultPayload));
             const sessionData = await this.getSessionDataUpToStep(index);
+            if (extraSessionData) {
+                Object.assign(sessionData, extraSessionData);
+            }
             // Validate inputs against schema if provided
             if (step.mock.inputs?.jsonSchema && Object.keys(inputs).length > 0) {
                 // TODO: Add JSON schema validation for inputs
@@ -191,7 +215,7 @@ class MockRunner {
             };
         }
     }
-    async runValidatePayload(actionId, targetPayload) {
+    async runValidatePayload(actionId, targetPayload, extraSessionData) {
         try {
             const baseActionId = MockRunner.resolveBaseActionId(actionId);
             const step = this.config.steps.find((s) => s.action_id === baseActionId);
@@ -201,6 +225,9 @@ class MockRunner {
             const index = this.config.steps.findIndex((s) => s.action_id === baseActionId);
             const schema = (0, function_registry_1.getFunctionSchema)("validate");
             const sessionData = await this.getSessionDataUpToStep(index);
+            if (extraSessionData) {
+                Object.assign(sessionData, extraSessionData);
+            }
             const result = await this.getRunnerInstance().execute(MockRunner.decodeBase64(step.mock.validate), schema, [targetPayload, sessionData]);
             return result;
         }

package/dist/lib/configHelper.js

@@ -11,6 +11,7 @@ const MockRunner_1 = require("./MockRunner");
 const uuid_1 = require("uuid");
 const terser_1 = require("terser");
 const validateConfig_1 = require("./utils/validateConfig");
+const helpers_1 = require("./helpers");
 function createInitialMockConfig(domain, version, flowId) {
     return {
         meta: {
@@ -32,65 +33,9 @@ function createInitialMockConfig(domain, version, flowId) {
         steps: [],
         transaction_history: [],
         validationLib: "",
-        helperLib: MockRunner_1.MockRunner.encodeBase64(defaultHelpers),
+        helperLib: MockRunner_1.MockRunner.encodeBase64(helpers_1.DEFAULT_HELPER_LIB),
     };
 }
-const defaultHelpers = `/*
-	Custom helper functions available in all mock generation functions.
-	these are appended below the generate function for each step.
-*/
-
-const createFormURL = (domain,formId, sessionData) => {
-	const baseURL = sessionData.mockBaseUrl;
-	const transactionId = sessionData.transactionId[0];
-	const sessionId = sessionData.sessionId;
-	return \`\${baseURL}/forms/\${domain}/\${formId}/?transaction_id=\${transactionId}&session_id=\${sessionId}\`;
-}
-
-// Generates a UUID v4
-function uuidv4() {
-	return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
-	  const r = Math.random() * 16 | 0;
-	  const v = c === 'x' ? r : (r & 0x3 | 0x8);
-	  return v.toString(16);
-	});
-}
-
-// Generate a 6 digit string ID
-function generate6DigitId() {
-	return Math.floor(100000 + Math.random() * 900000).toString();
-}
-
-// Returns the current ISO timestamp
-function currentTimestamp() {
-	return new Date().toISOString();
-}
-
-// Converts ISO 8601 duration string to total seconds
-const isoDurToSec = (duration) => {
-  const durRE = /P((\d+)Y)?((\d+)M)?((\d+)W)?((\d+)D)?T?((\d+)H)?((\d+)M)?((\d+)S)?/;
-  const s = durRE.exec(duration);
-  if (!s) return 0;
-  
-  return (Number(s?.[2]) || 0) * 31536000 +
-	(Number(s?.[4]) || 0) * 2628288 +
-	(Number(s?.[6]) || 0) * 604800 +
-	(Number(s?.[8]) || 0) * 86400 +
-	(Number(s?.[10]) || 0) * 3600 +
-	(Number(s?.[12]) || 0) * 60 +
-	(Number(s?.[14]) || 0);
-};
-
-const setCityFromInputs = (payload, inputs) => {
-	if (!inputs) return "*";
-	let version = payload.context.version || payload.context.core_version || "2.0.0";
-	if (version.startsWith("1")) {
-		payload.context.city = inputs.city_code ?? "*";
-	} else {
-		payload.context.location.city.code = inputs.city_code ?? "*";
-	}
-}
-`;
 function convertToFlowConfig(config) {
     const flowConfig = {};
     flowConfig.id = config.meta.flowId;
@@ -172,13 +117,25 @@ function convertToFlowConfig(config) {
         if (step.mock.inputs !== undefined &&
             step.mock.inputs !== null &&
             Object.keys(step.mock.inputs).length > 0) {
-            flowStep.input = [
-                {
-                    name: step.mock.inputs.id,
-                    type: step.mock.inputs.id,
-                    schema: step.mock.inputs.jsonSchema,
-                },
-            ];
+            if (step.mock.inputs.id == "finvu_verification") {
+                flowStep.input = [
+                    {
+                        name: "finvu_verification",
+                        label: "Complete Account Aggregator Verification",
+                        type: "FINVU_REDIRECT",
+                        payloadField: "$.context.aa_consent_verified",
+                    },
+                ];
+            }
+            else {
+                flowStep.input = [
+                    {
+                        name: step.mock.inputs.id,
+                        type: step.mock.inputs.id,
+                        schema: step.mock.inputs.jsonSchema,
+                    },
+                ];
+            }
         }
         if (step.mock.inputs?.oldInputs) {
             flowStep.input = step.mock.inputs.oldInputs;

package/dist/lib/constants/function-registry.js

@@ -26,7 +26,7 @@ exports.FUNCTION_REGISTRY = {
             description: "The generated payload object to be sent in the API request",
         },
         description: "Generates the mock payload for an API call",
-        timeout: 35 * 1000,
+        timeout: 45 * 1000,
         defaultBody: `  return defaultPayload;`,
         template: (body) => `/**
  * Generates the mock payload for an API call in the transaction flow.

package/dist/lib/helpers/default-helpers.d.ts

@@ -0,0 +1,13 @@
+export function getSubscriberUrl(sessionData: any, type: any): any;
+export function uuidv4(): string;
+export function generate6DigitId(): string;
+export function currentTimestamp(): string;
+export function isoDurToSec(duration: any): number;
+export function setCityFromInputs(payload: any, inputs: any): "*" | undefined;
+export function createFormURL(domain: any, formId: any, sessionData: any): string;
+export function generateConsentHandler(sessionData: any, { custId, templateName, consentDescription, redirectUrl, }: {
+    custId: any;
+    templateName?: string | undefined;
+    consentDescription?: string | undefined;
+    redirectUrl?: string | undefined;
+}): Promise<any>;

package/dist/lib/helpers/default-helpers.js

@@ -0,0 +1,173 @@
+"use strict";
+/*
+ * Default helpers available to every `generate()` in a mock step.
+ *
+ * Authoring rules (enforced by how this file is consumed, not by tooling):
+ *   1. Use `function` declarations only. Arrow `const x = () => {}` stringifies
+ *      as an expression — it won't hoist or concat cleanly when each function
+ *      is `.toString()`-ed into the helper bundle.
+ *   2. No `require` / `import` inside function bodies. The VM sandbox has no
+ *      module system. Only sandbox-whitelisted globals (Math, Date, JSON, …)
+ *      and sibling helpers are in scope.
+ *   3. Cross-helper calls are fine — every function declaration lands in the
+ *      same flat script after assembly, and declarations hoist.
+ *   4. Put docs INSIDE the function body (first statement). Leading comments
+ *      above a declaration are dropped by `fn.toString()`, so they never
+ *      reach the assembled bundle.
+ *   5. If the helper needs request-scope data, take `sessionData` as an
+ *      explicit parameter. Free-variable references to `sessionData` do NOT
+ *      resolve at runtime — helpers are declared at script scope, `sessionData`
+ *      is only a parameter of `generate()`.
+ *
+ * The `module.exports = {...}` line at the bottom is only used by Node
+ * (index.ts and the Jest tests). `fn.toString()` never includes it, so it
+ * doesn't leak into the sandbox string.
+ */
+function getSubscriberUrl(sessionData, type) {
+    // Resolve the BPP or BAP subscriber URL from session data.
+    // Usage: getSubscriberUrl(sessionData, "bpp")
+    if (type === "bpp") {
+        return sessionData.bppUri;
+    }
+    else {
+        return sessionData.bapUri;
+    }
+}
+function uuidv4() {
+    // Generates a UUID v4 (RFC 4122, random-based).
+    return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, function (c) {
+        const r = (Math.random() * 16) | 0;
+        const v = c === "x" ? r : (r & 0x3) | 0x8;
+        return v.toString(16);
+    });
+}
+function generate6DigitId() {
+    // Generate a 6-digit numeric string ID in [100000, 999999].
+    return Math.floor(100000 + Math.random() * 900000).toString();
+}
+function currentTimestamp() {
+    // Returns the current ISO-8601 UTC timestamp (e.g. "2026-04-23T12:34:56.789Z").
+    return new Date().toISOString();
+}
+function isoDurToSec(duration) {
+    /*
+     * Convert an ISO 8601 duration string (e.g. "PT1H30M", "P2DT3H") to total seconds.
+     * Returns 0 for unparseable input.
+     * Approximations used: 1 week = 7 days, 1 month ≈ 30.42 days (2628288 sec),
+     * 1 year = 365 days. Not calendar-exact.
+     */
+    const durRE = /P((\d+)Y)?((\d+)M)?((\d+)W)?((\d+)D)?T?((\d+)H)?((\d+)M)?((\d+)S)?/;
+    const s = durRE.exec(duration);
+    if (!s)
+        return 0;
+    return ((Number(s?.[2]) || 0) * 31536000 +
+        (Number(s?.[4]) || 0) * 2628288 +
+        (Number(s?.[6]) || 0) * 604800 +
+        (Number(s?.[8]) || 0) * 86400 +
+        (Number(s?.[10]) || 0) * 3600 +
+        (Number(s?.[12]) || 0) * 60 +
+        (Number(s?.[14]) || 0));
+}
+function setCityFromInputs(payload, inputs) {
+    /*
+     * Mutates `payload.context` in place to set the city code from `inputs.city_code`.
+     * Version-aware: ONDC v1.x uses flat `context.city`, v2.x uses nested
+     * `context.location.city.code`. Falls back to "*" when city_code is missing.
+     * No-op when `inputs` is falsy.
+     */
+    if (!inputs)
+        return "*";
+    const version = payload.context.version || payload.context.core_version || "2.0.0";
+    if (version.startsWith("1")) {
+        payload.context.city = inputs.city_code ?? "*";
+    }
+    else {
+        payload.context.location.city.code = inputs.city_code ?? "*";
+    }
+}
+function createFormURL(domain, formId, sessionData) {
+    /*
+     * Build a form submission URL from session data.
+     * Reads sessionData.mockBaseUrl, sessionData.transactionId[0], sessionData.sessionId.
+     * Returns: `${baseURL}/forms/${domain}/${formId}/?transaction_id=...&session_id=...`
+     */
+    const baseURL = sessionData.mockBaseUrl;
+    const transactionId = sessionData.transactionId[0];
+    const sessionId = sessionData.sessionId;
+    return `${baseURL}/forms/${domain}/${formId}/?transaction_id=${transactionId}&session_id=${sessionId}`;
+}
+async function generateConsentHandler(sessionData, { custId, templateName = "FINVUDEMO_TESTING", consentDescription = "Gold Loan Account Aggregator Consent", redirectUrl = "https://google.co.in", }) {
+    /*
+     * Generate a consent handler from the Finvu AA Service.
+     * Reads the service base URL from `sessionData.finvuUrl` — the installing
+     * service MUST include that origin in
+     *   MockRunner.initSharedRunner({ allowedFetchBaseUrls: [...] })
+     * otherwise the sandboxed fetch will be blocked.
+     *
+     * Times out after 10s via AbortController.
+     *
+     * @param {Object} sessionData             session data; sessionData.finvuUrl is required
+     * @param {Object} params
+     * @param {string} params.custId           customer ID (required)
+     * @param {string} [params.templateName]
+     * @param {string} [params.consentDescription]
+     * @param {string} [params.redirectUrl]
+     * @returns {Promise<string>} consentHandler
+     */
+    if (!custId) {
+        throw new Error("custId is required");
+    }
+    const baseUrl = sessionData && sessionData.finvuUrl;
+    if (!baseUrl) {
+        throw new Error("sessionData.finvuUrl is required");
+    }
+    const url = `${baseUrl}/finvu-aa/consent/generate`;
+    const payload = {
+        custId,
+        templateName,
+        consentDescription,
+        redirectUrl,
+    };
+    console.log("Calling Finvu AA Service:", url);
+    console.log("Consent request payload:", payload);
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 10000);
+    try {
+        const res = await fetch(url, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify(payload),
+            signal: controller.signal,
+        });
+        if (!res.ok) {
+            const text = await res.text();
+            throw new Error(`Request failed: ${res.status} ${text}`);
+        }
+        const data = await res.json();
+        if (!data || !data.consentHandler) {
+            throw new Error("Invalid response: consentHandler missing");
+        }
+        return data.consentHandler;
+    }
+    catch (err) {
+        if (err && err.name === "AbortError") {
+            throw new Error("Request timed out after 10 seconds");
+        }
+        throw err;
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+module.exports = {
+    getSubscriberUrl,
+    uuidv4,
+    generate6DigitId,
+    currentTimestamp,
+    isoDurToSec,
+    setCityFromInputs,
+    createFormURL,
+    generateConsentHandler,
+};

package/dist/lib/helpers/default-helpers.test.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Unit tests for the default helper functions + bundle integrity.
+ *
+ * Unit tests import the functions as a normal CJS module and call them.
+ * The bundle test loads DEFAULT_HELPER_LIB into a fresh vm context — this
+ * simulates how the string is actually used in the worker sandbox and
+ * catches any stringification / hoisting / free-variable regressions.
+ */
+export {};

package/dist/lib/helpers/default-helpers.test.js

@@ -0,0 +1,257 @@
+"use strict";
+/**
+ * Unit tests for the default helper functions + bundle integrity.
+ *
+ * Unit tests import the functions as a normal CJS module and call them.
+ * The bundle test loads DEFAULT_HELPER_LIB into a fresh vm context — this
+ * simulates how the string is actually used in the worker sandbox and
+ * catches any stringification / hoisting / free-variable regressions.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const vm = __importStar(require("vm"));
+const default_helpers_1 = require("./default-helpers");
+const index_1 = require("./index");
+describe("default helpers — unit", () => {
+    describe("uuidv4", () => {
+        it("matches the RFC 4122 v4 shape", () => {
+            expect((0, default_helpers_1.uuidv4)()).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/);
+        });
+        it("produces distinct values", () => {
+            expect((0, default_helpers_1.uuidv4)()).not.toBe((0, default_helpers_1.uuidv4)());
+        });
+    });
+    describe("generate6DigitId", () => {
+        it("returns a 6-digit string in [100000, 999999]", () => {
+            for (let i = 0; i < 50; i++) {
+                const id = (0, default_helpers_1.generate6DigitId)();
+                expect(id).toMatch(/^\d{6}$/);
+                const n = parseInt(id, 10);
+                expect(n).toBeGreaterThanOrEqual(100000);
+                expect(n).toBeLessThanOrEqual(999999);
+            }
+        });
+    });
+    describe("currentTimestamp", () => {
+        it("returns a parseable ISO timestamp close to now", () => {
+            const before = Date.now();
+            const ts = (0, default_helpers_1.currentTimestamp)();
+            const after = Date.now();
+            const parsed = Date.parse(ts);
+            expect(parsed).toBeGreaterThanOrEqual(before);
+            expect(parsed).toBeLessThanOrEqual(after);
+            expect(ts.endsWith("Z")).toBe(true);
+        });
+    });
+    describe("isoDurToSec", () => {
+        it.each([
+            ["PT30S", 30],
+            ["PT5M", 300],
+            ["PT1H", 3600],
+            ["P1D", 86400],
+            ["PT1H30M", 5400],
+            ["PT0S", 0],
+        ])("%s → %d sec", (dur, expected) => {
+            expect((0, default_helpers_1.isoDurToSec)(dur)).toBe(expected);
+        });
+        it("returns 0 on unparseable input", () => {
+            expect((0, default_helpers_1.isoDurToSec)("not-a-duration")).toBe(0);
+        });
+    });
+    describe("setCityFromInputs", () => {
+        it("writes flat context.city for v1.x", () => {
+            const payload = { context: { core_version: "1.2.0", city: "*" } };
+            (0, default_helpers_1.setCityFromInputs)(payload, { city_code: "std:080" });
+            expect(payload.context.city).toBe("std:080");
+        });
+        it("writes nested context.location.city.code for v2.x", () => {
+            const payload = {
+                context: { version: "2.0.0", location: { city: { code: "*" } } },
+            };
+            (0, default_helpers_1.setCityFromInputs)(payload, { city_code: "std:011" });
+            expect(payload.context.location.city.code).toBe("std:011");
+        });
+        it("falls back to '*' when city_code is missing", () => {
+            const payload = {
+                context: { version: "2.0.0", location: { city: { code: "foo" } } },
+            };
+            (0, default_helpers_1.setCityFromInputs)(payload, {});
+            expect(payload.context.location.city.code).toBe("*");
+        });
+        it("no-ops when inputs is falsy", () => {
+            const payload = {
+                context: { version: "2.0.0", location: { city: { code: "keep" } } },
+            };
+            (0, default_helpers_1.setCityFromInputs)(payload, null);
+            expect(payload.context.location.city.code).toBe("keep");
+        });
+    });
+    describe("createFormURL", () => {
+        it("interpolates domain, formId, transactionId, sessionId", () => {
+            const url = (0, default_helpers_1.createFormURL)("ONDC:RET10", "FORM_A", {
+                mockBaseUrl: "https://mocks.example.com",
+                transactionId: ["txn-xyz"],
+                sessionId: "sess-1",
+            });
+            expect(url).toBe("https://mocks.example.com/forms/ONDC:RET10/FORM_A/?transaction_id=txn-xyz&session_id=sess-1");
+        });
+    });
+    describe("getSubscriberUrl", () => {
+        const sessionData = { bppUri: "https://bpp.example.com", bapUri: "https://bap.example.com" };
+        it("returns bppUri when type is 'bpp'", () => {
+            expect((0, default_helpers_1.getSubscriberUrl)(sessionData, "bpp")).toBe("https://bpp.example.com");
+        });
+        it("returns bapUri otherwise", () => {
+            expect((0, default_helpers_1.getSubscriberUrl)(sessionData, "bap")).toBe("https://bap.example.com");
+            expect((0, default_helpers_1.getSubscriberUrl)(sessionData, "anything-else")).toBe("https://bap.example.com");
+        });
+    });
+    describe("generateConsentHandler", () => {
+        function fakeResponse(init) {
+            return {
+                ok: init.ok,
+                status: init.status ?? (init.ok ? 200 : 500),
+                json: init.json ?? (async () => ({})),
+                text: init.text ?? (async () => ""),
+            };
+        }
+        let fetchSpy;
+        beforeEach(() => {
+            fetchSpy = jest.spyOn(global, "fetch");
+        });
+        afterEach(() => {
+            fetchSpy.mockRestore();
+        });
+        it("throws when custId is missing", async () => {
+            await expect((0, default_helpers_1.generateConsentHandler)({ finvuUrl: "http://finvu" }, {})).rejects.toThrow("custId is required");
+            expect(fetchSpy).not.toHaveBeenCalled();
+        });
+        it("throws when sessionData.finvuUrl is missing", async () => {
+            await expect((0, default_helpers_1.generateConsentHandler)({}, { custId: "c1" })).rejects.toThrow("sessionData.finvuUrl is required");
+            expect(fetchSpy).not.toHaveBeenCalled();
+        });
+        it("POSTs JSON to /finvu-aa/consent/generate and returns consentHandler", async () => {
+            fetchSpy.mockResolvedValueOnce(fakeResponse({
+                ok: true,
+                json: async () => ({ consentHandler: "HANDLE-123" }),
+            }));
+            const result = await (0, default_helpers_1.generateConsentHandler)({ finvuUrl: "http://finvu.local:3002" }, { custId: "cust-42" });
+            expect(result).toBe("HANDLE-123");
+            expect(fetchSpy).toHaveBeenCalledTimes(1);
+            const [url, init] = fetchSpy.mock.calls[0];
+            expect(url).toBe("http://finvu.local:3002/finvu-aa/consent/generate");
+            expect(init?.method).toBe("POST");
+            expect((init?.headers)["Content-Type"]).toBe("application/json");
+            const body = JSON.parse(init?.body);
+            expect(body).toEqual({
+                custId: "cust-42",
+                templateName: "FINVUDEMO_TESTING",
+                consentDescription: "Gold Loan Account Aggregator Consent",
+                redirectUrl: "https://google.co.in",
+            });
+            expect(init?.signal).toBeDefined();
+        });
+        it("throws 'Request failed' on non-OK responses", async () => {
+            fetchSpy.mockResolvedValueOnce(fakeResponse({
+                ok: false,
+                status: 503,
+                text: async () => "Service Unavailable",
+            }));
+            await expect((0, default_helpers_1.generateConsentHandler)({ finvuUrl: "http://finvu.local" }, { custId: "c1" })).rejects.toThrow("Request failed: 503 Service Unavailable");
+        });
+        it("throws when consentHandler is missing from response body", async () => {
+            fetchSpy.mockResolvedValueOnce(fakeResponse({
+                ok: true,
+                json: async () => ({ somethingElse: true }),
+            }));
+            await expect((0, default_helpers_1.generateConsentHandler)({ finvuUrl: "http://finvu.local" }, { custId: "c1" })).rejects.toThrow("Invalid response: consentHandler missing");
+        });
+        it("surfaces AbortError as a timeout message", async () => {
+            fetchSpy.mockImplementationOnce(async () => {
+                const err = new Error("aborted");
+                err.name = "AbortError";
+                throw err;
+            });
+            await expect((0, default_helpers_1.generateConsentHandler)({ finvuUrl: "http://finvu.local" }, { custId: "c1" })).rejects.toThrow("Request timed out after 10 seconds");
+        });
+    });
+});
+describe("DEFAULT_HELPER_LIB bundle", () => {
+    const EXPECTED_NAMES = [
+        "getSubscriberUrl",
+        "uuidv4",
+        "generate6DigitId",
+        "currentTimestamp",
+        "isoDurToSec",
+        "setCityFromInputs",
+        "createFormURL",
+        "generateConsentHandler",
+    ];
+    function loadBundle() {
+        const sandbox = {};
+        vm.createContext(sandbox);
+        vm.runInContext(index_1.DEFAULT_HELPER_LIB, sandbox);
+        return sandbox;
+    }
+    it("does not leak `module.exports` or `require` into the bundle source", () => {
+        expect(index_1.DEFAULT_HELPER_LIB).not.toMatch(/module\.exports/);
+        expect(index_1.DEFAULT_HELPER_LIB).not.toMatch(/\brequire\s*\(/);
+    });
+    it("declares every expected helper as a function", () => {
+        const sandbox = loadBundle();
+        for (const name of EXPECTED_NAMES) {
+            expect(typeof sandbox[name]).toBe("function");
+        }
+    });
+    it("round-trips key helpers when executed in the vm context", () => {
+        const sandbox = loadBundle();
+        expect(sandbox.uuidv4()).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/);
+        expect(sandbox.generate6DigitId()).toMatch(/^\d{6}$/);
+        expect(sandbox.isoDurToSec("PT1H")).toBe(3600);
+        const payload = {
+            context: { version: "2.0.0", location: { city: { code: "*" } } },
+        };
+        sandbox.setCityFromInputs(payload, { city_code: "std:022" });
+        expect(payload.context.location.city.code).toBe("std:022");
+        expect(sandbox.getSubscriberUrl({ bppUri: "http://bpp" }, "bpp")).toBe("http://bpp");
+    });
+    it("preserves in-body docs so playground users see them", () => {
+        // Guard against a future refactor silently dropping the in-body comments
+        // the way the pre-refactor .toString() pattern did.
+        expect(index_1.DEFAULT_HELPER_LIB).toContain("Generates a UUID v4");
+        expect(index_1.DEFAULT_HELPER_LIB).toContain("ISO 8601 duration");
+        expect(index_1.DEFAULT_HELPER_LIB).toContain("Finvu AA Service");
+    });
+});

package/dist/lib/helpers/index.d.ts

@@ -0,0 +1 @@
+export declare const DEFAULT_HELPER_LIB: string;

package/dist/lib/helpers/index.js

@@ -0,0 +1,47 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_HELPER_LIB = void 0;
+const defaultHelperFns = __importStar(require("./default-helpers"));
+const HEADER = `/*
+	Custom helper functions available in all mock generate() functions.
+	Assembled from src/lib/helpers/default-helpers.js — edit there.
+*/`;
+exports.DEFAULT_HELPER_LIB = [
+    HEADER,
+    ...Object.values(defaultHelperFns)
+        .filter((v) => typeof v === "function")
+        .map((f) => f.toString()),
+].join("\n\n");

package/dist/lib/runners/node-runner.d.ts

@@ -1,6 +1,19 @@
 import { FunctionSchema } from "../constants/function-registry";
 import { ExecutionResult } from "../types/execution-results";
 import { BaseCodeRunner } from "./base-runner";
+export interface NodeRunnerOptions {
+    maxMemoryMB?: number;
+    poolSize?: number;
+    maxExecutionsPerWorker?: number;
+    maxWorkerAgeMs?: number;
+    /**
+     * Base URLs that `generate` functions may fetch. Each entry is parsed with
+     * `new URL(entry)`; a request is allowed iff its origin matches the entry's
+     * origin AND its pathname is a strict segment-prefix of the entry's pathname.
+     * Absent / empty → fetch is not injected (blocked).
+     */
+    allowedFetchBaseUrls?: string[];
+}
 export declare class NodeRunner implements BaseCodeRunner {
     private pool;
     private waitQueue;
@@ -11,12 +24,8 @@ export declare class NodeRunner implements BaseCodeRunner {
     private readonly poolSize;
     private readonly maxExecutionsPerWorker;
     private readonly maxWorkerAgeMs;
-    constructor(options?: {
-        maxMemoryMB?: number;
-        poolSize?: number;
-        maxExecutionsPerWorker?: number;
-        maxWorkerAgeMs?: number;
-    });
+    private readonly allowedFetchBaseUrls;
+    constructor(options?: NodeRunnerOptions);
     private createPooledWorker;
     /**
      * Terminate old worker (frees its V8 isolate) and replace with a fresh one.

package/dist/lib/runners/node-runner.js

@@ -52,6 +52,7 @@ class NodeRunner {
         this.maxExecutionsPerWorker =
             options.maxExecutionsPerWorker || MAX_EXECUTIONS_PER_WORKER;
         this.maxWorkerAgeMs = options.maxWorkerAgeMs || MAX_WORKER_AGE_MS;
+        this.allowedFetchBaseUrls = options.allowedFetchBaseUrls ?? [];
         // Pre-warm the pool
         for (let i = 0; i < this.poolSize; i++) {
             this.pool.push(this.createPooledWorker());
@@ -66,6 +67,9 @@ class NodeRunner {
                 codeRangeSizeMb: 16,
             },
             env: {},
+            workerData: {
+                allowedFetchBaseUrls: this.allowedFetchBaseUrls,
+            },
         });
         const pw = {
             worker,

package/dist/lib/runners/runner-factory.d.ts

@@ -1,6 +1,7 @@
 import { Worker } from "worker_threads";
 import { BrowserRunner } from "./browser-runner";
-import { NodeRunner } from "./node-runner";
+import { NodeRunner, NodeRunnerOptions } from "./node-runner";
+export type RunnerOptions = NodeRunnerOptions;
 /**
  * Factory for creating workers in both browser and Node.js environments
  */
@@ -21,5 +22,5 @@ export declare class RunnerFactory {
     /**
      * Creates appropriate runner based on environment
      */
-    static createRunner(options?: any, logger?: any): BrowserRunner | NodeRunner;
+    static createRunner(options?: RunnerOptions, logger?: any): BrowserRunner | NodeRunner;
 }

package/dist/lib/validators/code-validator.js

@@ -316,7 +316,9 @@ CodeValidator.FORBIDDEN_GLOBALS = [
     "SharedWorker",
     "WebSocket",
     "XMLHttpRequest",
-    "fetch",
+    // `fetch` is allowed past static analysis and gated at runtime in the
+    // worker sandbox: injected only for `generate` and only when the
+    // configured allowlist matches origin + path prefix.
 ];
 CodeValidator.FORBIDDEN_PROPERTIES = [
     "localStorage",

package/dist/test/GenerateFetchAndTimeout.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for generate-only fetch allowlist + 45s sandbox setTimeout cap.
+ */
+export {};

package/dist/test/GenerateFetchAndTimeout.test.js

@@ -0,0 +1,240 @@
+"use strict";
+/**
+ * Tests for generate-only fetch allowlist + 45s sandbox setTimeout cap.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const http = __importStar(require("http"));
+const MockRunner_1 = require("../lib/MockRunner");
+const function_registry_1 = require("../lib/constants/function-registry");
+function baseConfig() {
+    return {
+        meta: { domain: "ONDC:TRV14", version: "2.0.0", flowId: "fetch-test" },
+        transaction_data: {
+            transaction_id: "e9e0b5cb-3f15-48a1-9d86-d4d643f0909d",
+            latest_timestamp: "1970-01-01T00:00:00.000Z",
+        },
+        steps: [],
+        transaction_history: [],
+        validationLib: "",
+        helperLib: "",
+    };
+}
+function stepWithGenerate(runner, actionId, genSource) {
+    const step = runner.getDefaultStep("search", actionId);
+    step.mock.generate = MockRunner_1.MockRunner.encodeBase64(genSource);
+    step.mock.inputs = {};
+    return step;
+}
+async function resetSharedRunner() {
+    const sr = MockRunner_1.MockRunner.sharedRunner;
+    if (sr?.terminate) {
+        await sr.terminate();
+    }
+    MockRunner_1.MockRunner.sharedRunner = undefined;
+}
+describe("generate timeout = 45s", () => {
+    afterEach(resetSharedRunner);
+    it("schema advertises a 45s timeout for generate", () => {
+        expect(function_registry_1.FUNCTION_REGISTRY.generate.timeout).toBe(45 * 1000);
+        expect((0, function_registry_1.getFunctionSchema)("generate").timeout).toBe(45 * 1000);
+    });
+    it("other function kinds keep their tighter timeouts", () => {
+        expect(function_registry_1.FUNCTION_REGISTRY.validate.timeout).toBe(5000);
+        expect(function_registry_1.FUNCTION_REGISTRY.meetsRequirements.timeout).toBe(3000);
+    });
+    it("sandbox setTimeout accepts delays up to 45000ms (was capped at 35000)", async () => {
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "delayed", `async function generate(defaultPayload, sessionData) {
+					// Just exercise the clamp — schedule but don't await.
+					setTimeout(() => {}, 40000);
+					return { scheduled: true };
+				}`));
+        const res = await r.runGeneratePayload("delayed", {});
+        expect(res.success).toBe(true);
+        expect(res.result).toEqual({ scheduled: true });
+    });
+    it("sandbox setTimeout still rejects delays above 45000ms", async () => {
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "too-long", `async function generate(defaultPayload, sessionData) {
+					setTimeout(() => {}, 60000);
+					return {};
+				}`));
+        const res = await r.runGeneratePayload("too-long", {});
+        expect(res.success).toBe(false);
+        expect(res.error?.message || "").toMatch(/1-45000ms/);
+    });
+});
+describe("fetch allowlist (generate-only)", () => {
+    let server;
+    let baseUrl;
+    beforeAll(async () => {
+        server = http.createServer((req, res) => {
+            switch (req.url) {
+                case "/v1/ping":
+                    res.writeHead(200, { "content-type": "text/plain" });
+                    res.end("pong");
+                    return;
+                case "/v1/redir":
+                    res.writeHead(302, { location: "http://127.0.0.1:1/nope" });
+                    res.end();
+                    return;
+                case "/v10/foo":
+                    res.writeHead(200);
+                    res.end("v10");
+                    return;
+                case "/other":
+                    res.writeHead(200);
+                    res.end("other");
+                    return;
+                default:
+                    res.writeHead(404);
+                    res.end();
+            }
+        });
+        await new Promise((r) => server.listen(0, "127.0.0.1", () => r()));
+        const addr = server.address();
+        baseUrl = `http://127.0.0.1:${addr.port}`;
+    });
+    afterAll(async () => {
+        await new Promise((r) => server.close(() => r()));
+    });
+    afterEach(resetSharedRunner);
+    it("fetch is undefined when allowlist is empty/unset", async () => {
+        // No initSharedRunner → default runner has no allowlist.
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "fetch-undef", `async function generate(defaultPayload, sessionData) {
+					return { t: typeof fetch };
+				}`));
+        const res = await r.runGeneratePayload("fetch-undef", {});
+        expect(res.success).toBe(true);
+        expect(res.result).toEqual({ t: "undefined" });
+    });
+    it("allows fetch matching origin + path prefix", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "ok", `async function generate(defaultPayload, sessionData) {
+					const res = await fetch("${baseUrl}/v1/ping");
+					const body = await res.text();
+					return { body };
+				}`));
+        const res = await r.runGeneratePayload("ok", {});
+        expect(res.success).toBe(true);
+        expect(res.result).toEqual({ body: "pong" });
+    });
+    it("rejects URLs with non-allowlisted path prefix", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "bad-path", `async function generate(defaultPayload, sessionData) {
+					const res = await fetch("${baseUrl}/other");
+					return { body: await res.text() };
+				}`));
+        const res = await r.runGeneratePayload("bad-path", {});
+        expect(res.success).toBe(false);
+        expect(res.error?.message || "").toMatch(/fetch blocked/);
+    });
+    it("treats /v1 as a strict segment prefix (no /v10/* match)", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "prefix-strict", `async function generate(defaultPayload, sessionData) {
+					const res = await fetch("${baseUrl}/v10/foo");
+					return { body: await res.text() };
+				}`));
+        const res = await r.runGeneratePayload("prefix-strict", {});
+        expect(res.success).toBe(false);
+        expect(res.error?.message || "").toMatch(/fetch blocked/);
+    });
+    it("rejects different origin even with matching path", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "bad-origin", `async function generate(defaultPayload, sessionData) {
+					const res = await fetch("http://example.invalid/v1/ping");
+					return { body: await res.text() };
+				}`));
+        const res = await r.runGeneratePayload("bad-origin", {});
+        expect(res.success).toBe(false);
+        expect(res.error?.message || "").toMatch(/fetch blocked/);
+    });
+    it("blocks 3xx redirects (no allowlist bypass via Location header)", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        r.getConfig().steps.push(stepWithGenerate(r, "redir", `async function generate(defaultPayload, sessionData) {
+					await fetch("${baseUrl}/v1/redir");
+					return { ok: true };
+				}`));
+        const res = await r.runGeneratePayload("redir", {});
+        expect(res.success).toBe(false);
+        // undici surfaces a TypeError when redirect:'error' encounters a 3xx
+        expect((res.error?.message || "").toLowerCase()).toMatch(/redirect|fetch failed/);
+    });
+    it("fetch is not injected into validate even when allowlist is configured", async () => {
+        MockRunner_1.MockRunner.initSharedRunner({
+            allowedFetchBaseUrls: [`${baseUrl}/v1`],
+        });
+        const cfg = baseConfig();
+        const r = new MockRunner_1.MockRunner(cfg);
+        const step = r.getDefaultStep("search", "validate-pure");
+        step.mock.inputs = {};
+        step.mock.validate = MockRunner_1.MockRunner.encodeBase64(`function validate(targetPayload, sessionData) {
+				return {
+					valid: typeof fetch === "undefined",
+					code: 200,
+					description: "fetch-absence probe",
+				};
+			}`);
+        r.getConfig().steps.push(step);
+        const res = await r.runValidatePayload("validate-pure", {});
+        expect(res.success).toBe(true);
+        expect(res.result?.valid).toBe(true);
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ondc/automation-mock-runner",
-	"version": "1.3.43",
+	"version": "1.3.44",
 	"description": "A TypeScript library for ONDC automation mock runner",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",
@@ -45,7 +45,7 @@
 	"author": "ONDC Development Team <dev@ondc.org>",
 	"license": "ISC",
 	"engines": {
-		"node": ">=16.0.0"
+		"node": ">=18.0.0"
 	},
 	"repository": {
 		"type": "git",

package/public/node-worker.js

@@ -1,8 +1,73 @@
-const { parentPort } = require("worker_threads");
+const { parentPort, workerData } = require("worker_threads");
 const vm = require("vm");
 
+const ALLOWED_FETCH_BASE_URLS = Array.isArray(workerData?.allowedFetchBaseUrls)
+	? workerData.allowedFetchBaseUrls
+	: [];
+
+// Parse + normalize allowlist entries once per worker.
+// Each entry contributes { origin, pathname } where pathname has no trailing
+// slash; matching requires request.origin === entry.origin AND the request
+// pathname is a strict segment-prefix of entry.pathname (so `/v1` matches
+// `/v1` and `/v1/foo` but NOT `/v10/foo`).
+const PARSED_ALLOWLIST = ALLOWED_FETCH_BASE_URLS.map((raw) => {
+	try {
+		const u = new URL(raw);
+		let pathname = u.pathname;
+		if (pathname.endsWith("/") && pathname !== "/") {
+			pathname = pathname.slice(0, -1);
+		}
+		return { origin: u.origin, pathname };
+	} catch {
+		return null;
+	}
+}).filter(Boolean);
+
+function isFetchAllowed(requestUrl) {
+	let parsed;
+	try {
+		parsed = new URL(requestUrl);
+	} catch {
+		return false;
+	}
+	let reqPath = parsed.pathname;
+	if (reqPath.endsWith("/") && reqPath !== "/") {
+		reqPath = reqPath.slice(0, -1);
+	}
+	for (const entry of PARSED_ALLOWLIST) {
+		if (parsed.origin !== entry.origin) continue;
+		if (entry.pathname === "" || entry.pathname === "/") return true;
+		if (reqPath === entry.pathname) return true;
+		if (reqPath.startsWith(entry.pathname + "/")) return true;
+	}
+	return false;
+}
+
+function makeScopedFetch() {
+	if (typeof globalThis.fetch !== "function") {
+		return undefined;
+	}
+	if (PARSED_ALLOWLIST.length === 0) {
+		return undefined;
+	}
+	return async function scopedFetch(input, init) {
+		const requestUrl =
+			typeof input === "string"
+				? input
+				: input && typeof input.url === "string"
+				? input.url
+				: String(input);
+		if (!isFetchAllowed(requestUrl)) {
+			throw new Error(
+				`fetch blocked: ${requestUrl} is not in the configured allowlist`,
+			);
+		}
+		return globalThis.fetch(input, { ...(init || {}), redirect: "error" });
+	};
+}
+
 // Create a secure sandbox context
-function createSandbox() {
+function createSandbox(functionName) {
 	const logs = [];
 
 	// Safe console implementation that captures logs
@@ -108,12 +173,17 @@ function createSandbox() {
 		decodeURIComponent,
 		// Utility functions for ONDC operations
 		setTimeout: (fn, delay) => {
-			if (delay < 1 || delay > 35 * 1000) {
-				throw new Error("Timeout must be between 1-35000ms");
+			if (delay < 1 || delay > 45 * 1000) {
+				throw new Error("Timeout must be between 1-45000ms");
 			}
 			return setTimeout(fn, delay);
 		},
 		clearTimeout,
+		// AbortController is a pure control-flow primitive with no I/O of its
+		// own — safe to expose unconditionally. Needed by helpers that pair
+		// `fetch` with a timeout (see generateConsentHandler).
+		AbortController,
+		AbortSignal,
 		// Blocked globals
 		require: undefined,
 		process: undefined,
@@ -128,6 +198,28 @@ function createSandbox() {
 		Function: undefined,
 	};
 
+	// Only `generate` gets outbound HTTP — validate/meetsRequirements/getSave
+	// stay pure. Fetch itself is still gated by the allowlist inside the wrapper.
+	if (functionName === "generate") {
+		const scopedFetch = makeScopedFetch();
+		if (scopedFetch) {
+			sandbox.fetch = scopedFetch;
+			if (typeof globalThis.URL === "function") sandbox.URL = globalThis.URL;
+			if (typeof globalThis.URLSearchParams === "function") {
+				sandbox.URLSearchParams = globalThis.URLSearchParams;
+			}
+			if (typeof globalThis.Headers === "function") {
+				sandbox.Headers = globalThis.Headers;
+			}
+			if (typeof globalThis.Request === "function") {
+				sandbox.Request = globalThis.Request;
+			}
+			if (typeof globalThis.Response === "function") {
+				sandbox.Response = globalThis.Response;
+			}
+		}
+	}
+
 	return { sandbox, logs };
 }
 
@@ -138,7 +230,7 @@ parentPort?.on("message", async (message) => {
 
 	try {
 		// Create fresh sandbox for each execution
-		const { sandbox, logs } = createSandbox();
+		const { sandbox, logs } = createSandbox(functionName);
 
 		// Create VM context with timeout
 		const context = vm.createContext(sandbox);
@@ -151,7 +243,7 @@ parentPort?.on("message", async (message) => {
 
 		// Execute the script
 		script.runInContext(context, {
-			timeout: timeout || 35000,
+			timeout: timeout || 45000,
 			breakOnSigint: true,
 		});