@utdk/isolate 0.1.0-dev.646adf4

package/dist/src/types.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Options for a single sandboxed tool call.
+ */
+export interface ExecuteOptions {
+    /**
+     * Provider module specifier, e.g. `@utdk/github`.
+     * Resolved from the host Node.js module system, not from inside the sandbox.
+     */
+    module: string;
+    /**
+     * Dot-notation path to the operation on the client object, e.g. `users.getByUsername`.
+     */
+    operation: string;
+    /**
+     * Arguments passed to the operation.
+     */
+    args?: Record<string, unknown>;
+    /**
+     * Credentials injected by the gateway at call time.
+     * Keys are environment-variable-style names (e.g. `GITHUB_TOKEN`).
+     * These are NEVER written to `process.env`; the sandbox context has no
+     * access to `process` at all.
+     */
+    credentials?: Record<string, string>;
+    /**
+     * Execution timeout in milliseconds (default: 30 000).
+     * Once exceeded, the isolate rejects with a `TimeoutError`.
+     */
+    timeout?: number;
+}
+/**
+ * Result of a sandboxed execution.
+ */
+export interface ExecuteResult {
+    /** The value returned by the operation. */
+    data: unknown;
+    /** Wall-clock duration of the execution in milliseconds. */
+    durationMs: number;
+}
+/**
+ * A single entry from a provider's `utdk.auth` config array in `package.json`.
+ */
+export interface UtdkAuthConfig {
+    auth_type: "api_key" | "oauth2" | "basic" | "none";
+    /** For api_key: the header value pattern, e.g. "Bearer ${GITHUB_TOKEN}" */
+    api_key?: string;
+    /** For api_key: the header name, e.g. "Authorization" */
+    var_name?: string;
+    /** For oauth2: client id pattern, e.g. "${SPOTIFY_CLIENT_ID}" */
+    client_id?: string;
+    /** For oauth2: client secret pattern, e.g. "${SPOTIFY_CLIENT_SECRET}" */
+    client_secret?: string;
+    /** For oauth2: token URL */
+    token_url?: string;
+    /** For oauth2: flow type */
+    flow?: string;
+}
+/**
+ * Error thrown when an execution exceeds its timeout.
+ */
+export declare class TimeoutError extends Error {
+    constructor(timeoutMs: number);
+}

package/dist/src/types.js

@@ -0,0 +1,10 @@
+/**
+ * Error thrown when an execution exceeds its timeout.
+ */
+export class TimeoutError extends Error {
+    constructor(timeoutMs) {
+        super(`Isolate execution timed out after ${timeoutMs}ms`);
+        this.name = "TimeoutError";
+    }
+}
+//# sourceMappingURL=types.js.map

package/dist/src/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAgEA;;GAEG;AACH,MAAM,OAAO,YAAa,SAAQ,KAAK;IACrC,YAAY,SAAiB;QAC3B,KAAK,CAAC,qCAAqC,SAAS,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,GAAG,cAAc,CAAC;IAC7B,CAAC;CACF"}

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@utdk/isolate",
+  "version": "0.1.0-dev.646adf4",
+  "type": "module",
+  "description": "Sandboxed Node.js vm.createContext execution runtime for @utdk tool calls",
+  "keywords": [
+    "sandbox",
+    "isolate",
+    "vm",
+    "utdk"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "dependencies": {
+    "@utdk/common": "0.1.0-dev.646adf4"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.0",
+    "typescript": "^5.7.3",
+    "vitest": "2.1.5"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "check-types": "tsc -p tsconfig.json --noEmit",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "clean": "rm -rf dist",
+    "test": "vitest run"
+  }
+}

package/src/bridge.ts

@@ -0,0 +1,219 @@
+/**
+ * Credential bridge for the Isolate runtime.
+ *
+ * The bridge is the ONLY channel through which credentials and provider
+ * operations enter the sandboxed vm context. It is created in the host context
+ * (where Node.js module loading works normally) and exposed as `__bridge__`
+ * inside the sandbox.
+ *
+ * Design:
+ *   - The provider module is dynamically imported in the HOST context, so it
+ *     can resolve its own dependencies normally.
+ *   - Credentials are mapped to an `AuthProvider` from `@utdk/common`, which
+ *     injects them into HTTP request headers at call time.
+ *   - The operation function is resolved via dot-notation path on the client.
+ *   - The sandbox script calls `await __bridge__.call(args)` — it never
+ *     touches `process.env` or any host filesystem API.
+ */
+
+import { ApiKey, BearerToken, type AuthProvider } from "@utdk/common";
+import type { UtdkAuthConfig } from "./types.js";
+
+// ---------------------------------------------------------------------------
+// Credential resolution
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolves an `AuthProvider` from a flat credentials map and the provider's
+ * `utdk.auth` config array (from its `package.json`).
+ *
+ * Supported patterns:
+ *   api_key   – Bearer header:  `api_key: "Bearer ${TOKEN_NAME}"`
+ *   api_key   – Raw header:     `api_key: "${TOKEN_NAME}"`
+ *   oauth2    – Pre-resolved:   looks for `PROVIDER_ACCESS_TOKEN` key
+ *
+ * Falls back to `BearerToken(firstValue)` when the auth config is absent or
+ * the pattern is not recognised.
+ */
+export function resolveAuthProvider(
+  credentials: Record<string, string>,
+  authConfigs: UtdkAuthConfig[] = [],
+): AuthProvider | undefined {
+  if (Object.keys(credentials).length === 0) {
+    return undefined;
+  }
+
+  for (const config of authConfigs) {
+    if (config.auth_type === "api_key" && config.api_key) {
+      // Pattern: "Bearer ${TOKEN_NAME}"
+      const bearerMatch = config.api_key.match(/^Bearer \$\{([^}]+)\}$/);
+      if (bearerMatch) {
+        const varName = bearerMatch[1];
+        if (varName && credentials[varName]) {
+          return new BearerToken(credentials[varName]);
+        }
+      }
+
+      // Pattern: "${TOKEN_NAME}"  (raw header value)
+      const rawMatch = config.api_key.match(/^\$\{([^}]+)\}$/);
+      if (rawMatch) {
+        const varName = rawMatch[1];
+        if (varName && credentials[varName]) {
+          return new ApiKey({
+            headerName: config.var_name ?? "X-Api-Key",
+            value: credentials[varName],
+          });
+        }
+      }
+    }
+
+    if (config.auth_type === "oauth2") {
+      // Gateway pre-resolves OAuth2 tokens and passes them as ACCESS_TOKEN
+      // e.g. credentials = { SPOTIFY_ACCESS_TOKEN: 'eyJ...' }
+      const tokenKey = Object.keys(credentials).find(
+        (k) =>
+          k.endsWith("_ACCESS_TOKEN") ||
+          k.endsWith("_TOKEN"),
+      );
+      const tokenValue = tokenKey ? credentials[tokenKey] : undefined;
+      if (tokenKey && tokenValue) {
+        return new BearerToken(tokenValue);
+      }
+    }
+  }
+
+  // Fallback: treat the first credential value as a Bearer token
+  const firstValue = Object.values(credentials)[0];
+  if (firstValue !== undefined) {
+    return new BearerToken(firstValue);
+  }
+
+  return undefined;
+}
+
+// ---------------------------------------------------------------------------
+// Auth config extraction
+// ---------------------------------------------------------------------------
+
+/** Shape of the `utdk` field in a provider's package.json. */
+interface UtdkField {
+  auth?: UtdkAuthConfig[];
+  [key: string]: unknown;
+}
+
+/** Shape of a provider's package.json. */
+interface ProviderPackageJson {
+  utdk?: UtdkField;
+  [key: string]: unknown;
+}
+
+/**
+ * Extracts the `utdk.auth` array from a provider module's package.json.
+ * Returns an empty array if the module does not export a `packageJson`
+ * property or if the config is absent.
+ */
+export function extractAuthConfigs(providerModule: Record<string, unknown>): UtdkAuthConfig[] {
+  const pkg = providerModule["packageJson"] as ProviderPackageJson | undefined;
+  return pkg?.utdk?.auth ?? [];
+}
+
+// ---------------------------------------------------------------------------
+// Operation resolution
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolves a dot-notation operation path on a client object.
+ *
+ * @example
+ * resolveOperation(client, 'users.getByUsername')
+ * // → client.users.getByUsername (as a bound function)
+ */
+export function resolveOperation(
+  client: unknown,
+  operationPath: string,
+): (...args: unknown[]) => Promise<unknown> {
+  const segments = operationPath.split(".");
+  let current: unknown = client;
+
+  for (const segment of segments) {
+    if (current === null || current === undefined || typeof current !== "object") {
+      throw new TypeError(
+        `Cannot resolve operation path "${operationPath}": "${segment}" is not an object`,
+      );
+    }
+    current = (current as Record<string, unknown>)[segment];
+  }
+
+  if (typeof current !== "function") {
+    throw new TypeError(
+      `Operation "${operationPath}" resolved to ${typeof current}, expected a function`,
+    );
+  }
+
+  return current as (...args: unknown[]) => Promise<unknown>;
+}
+
+// ---------------------------------------------------------------------------
+// Bridge creation
+// ---------------------------------------------------------------------------
+
+export interface BridgeOptions {
+  /** The resolved operation function (from host context) */
+  operation: (...args: unknown[]) => Promise<unknown>;
+}
+
+/**
+ * Creates a bridge object that is safe to expose inside a vm context.
+ *
+ * The bridge has a single method, `call(args)`, which invokes the pre-resolved
+ * provider operation with the given arguments. Credentials are already baked
+ * into the operation via the auth provider — the sandbox script never sees
+ * them.
+ */
+export function createBridge(options: BridgeOptions): { call: (args: Record<string, unknown>) => Promise<unknown> } {
+  return {
+    async call(args: Record<string, unknown>): Promise<unknown> {
+      return options.operation(args);
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Provider loading
+// ---------------------------------------------------------------------------
+
+/** Name of the factory function pattern in provider modules. */
+const CREATE_CLIENT_PATTERN = /^create[A-Z].+Client$/;
+
+/**
+ * Locates and invokes the `create*Client` factory in a provider module.
+ *
+ * Provider modules export a `create<Name>Client(options?)` function that
+ * returns a `Promise<Client>`. This helper finds it and calls it with the
+ * supplied auth provider.
+ *
+ * @throws if no factory function matching `create*Client` is found.
+ */
+export async function loadProviderClient(
+  providerModule: Record<string, unknown>,
+  auth: AuthProvider | undefined,
+): Promise<unknown> {
+  // Find the first create*Client export
+  const factoryEntry = Object.entries(providerModule).find(([name, value]) =>
+    CREATE_CLIENT_PATTERN.test(name) && typeof value === "function",
+  );
+
+  if (!factoryEntry) {
+    throw new Error(
+      "Provider module does not export a create*Client function. " +
+      `Exports found: ${Object.keys(providerModule).join(", ")}`,
+    );
+  }
+
+  const [, factory] = factoryEntry;
+  const client = await (factory as (options?: unknown) => Promise<unknown>)(
+    auth ? { auth } : {},
+  );
+
+  return client;
+}

package/src/index.ts

@@ -0,0 +1,11 @@
+export { Isolate } from "./isolate.js";
+export { createSandboxContext } from "./sandbox.js";
+export {
+  createBridge,
+  extractAuthConfigs,
+  loadProviderClient,
+  resolveAuthProvider,
+  resolveOperation,
+} from "./bridge.js";
+export type { ExecuteOptions, ExecuteResult, TimeoutError, UtdkAuthConfig } from "./types.js";
+export { TimeoutError as IsolateTimeoutError } from "./types.js";

package/src/isolate.ts

@@ -0,0 +1,202 @@
+/**
+ * Isolate — sandboxed Node.js vm execution runtime for @utdk tool calls.
+ *
+ * Each call to `execute()` runs in a fresh `vm.createContext()` sandbox:
+ *   - No access to `process.env`, `fs`, `child_process`, `require`, or any
+ *     other Node.js host API that could leak credentials or touch the disk.
+ *   - Credentials are injected by the gateway at call time via a controlled
+ *     bridge object (`__bridge__`). The sandbox script only calls the bridge;
+ *     it never receives raw credential strings.
+ *   - Module cache is isolated per call (new context each time, no
+ *     cross-call state leakage).
+ *   - Timeout is enforced via `Promise.race`; runaway async operations are
+ *     rejected with a `TimeoutError`.
+ *
+ * For synchronous CPU spin-loops an additional `vm.Script` timeout guard is
+ * applied; the async watchdog covers everything else.
+ *
+ * ## Architecture
+ *
+ * ```
+ *  caller
+ *    │
+ *    ▼
+ *  Isolate.execute(options)
+ *    │
+ *    ├─ [host]  dynamically import provider module
+ *    ├─ [host]  resolve auth provider from credentials + utdk.auth config
+ *    ├─ [host]  create provider client with auth provider
+ *    ├─ [host]  resolve operation function (dot-notation path)
+ *    ├─ [host]  create bridge  { call(args) => operationFn(args) }
+ *    │
+ *    ├─ [vm]   createContext(minimal globals + __bridge__ + __args__)
+ *    └─ [vm]   run `__bridge__.call(__args__)` inside sandbox
+ *                 └─ [host, via bridge] call provider with credentials
+ *                       └─ [network] HTTP request with injected auth headers
+ * ```
+ *
+ * ## ESM / vm.Module note
+ *
+ * Node.js 20+ supports `vm.SourceTextModule` (ESM) with the
+ * `--experimental-vm-modules` flag. The current implementation uses the
+ * stable `vm.Script` API for the thin orchestration script, which is
+ * sufficient because:
+ *   - The script is one line (`__bridge__.call(__args__)`).
+ *   - Full provider code runs outside the sandbox (in host context) behind
+ *     the bridge abstraction.
+ *
+ * If future requirements call for running provider code itself inside an ESM
+ * module sandbox, upgrade to `vm.SourceTextModule` with a custom linker
+ * (see `upgrade notes` in the README).
+ */
+
+import vm from "node:vm";
+import {
+  createBridge,
+  extractAuthConfigs,
+  loadProviderClient,
+  resolveAuthProvider,
+  resolveOperation,
+} from "./bridge.js";
+import { createSandboxContext } from "./sandbox.js";
+import { TimeoutError, type ExecuteOptions, type ExecuteResult } from "./types.js";
+
+/** Script executed inside the sandbox for every tool call. */
+const SANDBOX_SCRIPT = new vm.Script("__bridge__.call(__args__)");
+
+/**
+ * Sandboxed execution runtime for @utdk tool calls.
+ *
+ * @example
+ * ```typescript
+ * const isolate = new Isolate();
+ * const result = await isolate.execute({
+ *   module: '@utdk/github',
+ *   operation: 'users.getByUsername',
+ *   args: { username: 'octocat' },
+ *   credentials: { GITHUB_TOKEN: '<injected-by-gateway>' },
+ *   timeout: 10_000,
+ * });
+ * console.log(result.data, `(${result.durationMs}ms)`);
+ * ```
+ */
+export class Isolate {
+  /**
+   * Executes a single @utdk tool call inside a fresh vm sandbox.
+   *
+   * Steps:
+   * 1. Dynamically import the provider module (host context, cached by Node.js).
+   * 2. Resolve an `AuthProvider` from the supplied credentials and the
+   *    provider's `utdk.auth` config. Credentials are NEVER written to
+   *    `process.env`.
+   * 3. Instantiate the provider client with the auth provider.
+   * 4. Resolve the operation function via dot-notation path.
+   * 5. Create a bridge and a fresh vm context.
+   * 6. Run the sandbox script `__bridge__.call(__args__)` inside the context.
+   * 7. Race the execution against the timeout.
+   *
+   * @throws `TimeoutError` if execution exceeds `options.timeout`.
+   * @throws `TypeError`    if the operation path does not resolve to a function.
+   * @throws `Error`        on provider loading or HTTP failures.
+   */
+  async execute(options: ExecuteOptions): Promise<ExecuteResult> {
+    const {
+      module: moduleName,
+      operation,
+      args = {},
+      credentials = {},
+      timeout = 30_000,
+    } = options;
+
+    const startMs = performance.now();
+
+    // ------------------------------------------------------------------
+    // Step 1: Load the provider module in HOST context
+    // ------------------------------------------------------------------
+    // Dynamic import is Node.js-cached so repeated calls to the same
+    // provider do not re-parse the module. The provider runs in host
+    // context (not in the sandbox) — it is trusted code.
+    const providerModule = (await import(moduleName)) as Record<string, unknown>;
+
+    // ------------------------------------------------------------------
+    // Step 2: Resolve auth provider from credentials
+    // ------------------------------------------------------------------
+    const authConfigs = extractAuthConfigs(providerModule);
+    const auth = resolveAuthProvider(credentials, authConfigs);
+
+    // ------------------------------------------------------------------
+    // Step 3: Create the provider client with credential injection
+    // ------------------------------------------------------------------
+    const client = await loadProviderClient(providerModule, auth);
+
+    // ------------------------------------------------------------------
+    // Step 4: Resolve the operation function
+    // ------------------------------------------------------------------
+    const operationFn = resolveOperation(client, operation);
+
+    // ------------------------------------------------------------------
+    // Step 5: Create the credential bridge and sandboxed vm context
+    // ------------------------------------------------------------------
+    // The bridge is created in host context and passed into the sandbox.
+    // The sandbox script can only call bridge.call(args) — it cannot
+    // reach process.env, require, fs, or any host API.
+    const bridge = createBridge({ operation: operationFn });
+
+    const context = createSandboxContext({
+      extraGlobals: {
+        __bridge__: bridge,
+        __args__: args,
+      },
+    });
+
+    // ------------------------------------------------------------------
+    // Step 6 + 7: Run inside sandbox, race against timeout
+    // ------------------------------------------------------------------
+    const data = await this._runWithTimeout(context, timeout);
+
+    const durationMs = performance.now() - startMs;
+    return { data, durationMs };
+  }
+
+  /**
+   * Runs `SANDBOX_SCRIPT` in the given context and races against a timeout.
+   *
+   * The synchronous `vm.Script` timeout (`timeout` option in runInContext)
+   * guards against infinite synchronous loops. The async watchdog (Promise.race)
+   * guards against long-running await chains.
+   */
+  private _runWithTimeout(context: vm.Context, timeoutMs: number): Promise<unknown> {
+    // The synchronous portion of the script (if any) is bounded by the vm timeout.
+    // For the async portion we use Promise.race.
+    let resultPromise: Promise<unknown>;
+
+    try {
+      // runInContext returns whatever the script evaluates to.
+      // For our one-liner that calls an async bridge method, this is a Promise.
+      const scriptResult = SANDBOX_SCRIPT.runInContext(context, {
+        // Guard against synchronous infinite loops / busy spins.
+        // This only applies to the synchronous execution phase; async
+        // continuations are handled by the Promise.race below.
+        timeout: timeoutMs,
+      }) as unknown;
+
+      resultPromise = Promise.resolve(scriptResult);
+    } catch (err) {
+      return Promise.reject(err);
+    }
+
+    // Async watchdog
+    const timeoutPromise = new Promise<never>((_, reject) => {
+      const timer = setTimeout(() => {
+        reject(new TimeoutError(timeoutMs));
+      }, timeoutMs);
+
+      // Don't keep the process alive if only the timer is pending
+      if (typeof (timer as NodeJS.Timeout).unref === "function") {
+        (timer as NodeJS.Timeout).unref();
+      }
+    });
+
+    return Promise.race([resultPromise, timeoutPromise]);
+  }
+}

package/src/sandbox.ts

@@ -0,0 +1,139 @@
+/**
+ * Sandbox context creation for the Isolate runtime.
+ *
+ * A sandboxed vm context is created per tool call. The context provides a
+ * minimal set of safe globals and explicitly excludes `process`, `require`,
+ * `fs`, `child_process`, and other Node.js host APIs that could leak
+ * environment variables or allow filesystem/subprocess access.
+ *
+ * The credential bridge (`__bridge__`) and call arguments (`__args__`) are
+ * the only channels through which external state enters the sandbox.
+ */
+
+import vm from "node:vm";
+
+type ConsoleMethod = "log" | "error" | "warn" | "info" | "debug";
+
+const PREFIXED_METHODS: ConsoleMethod[] = ["log", "error", "warn", "info", "debug"];
+
+function createPrefixedConsole(prefix: string): Record<ConsoleMethod, (...args: unknown[]) => void> {
+  const console_: Pick<Console, ConsoleMethod> = console;
+  return Object.fromEntries(
+    PREFIXED_METHODS.map((method) => [method, (...args: unknown[]) => console_[method](prefix, ...args)]),
+  ) as Record<ConsoleMethod, (...args: unknown[]) => void>;
+}
+
+const sandboxConsole = createPrefixedConsole("[sandbox]");
+
+export interface SandboxOptions {
+  /**
+   * Additional globals to expose inside the vm context.
+   * Use sparingly; every addition is a potential escape hatch.
+   */
+  extraGlobals?: Record<string, unknown>;
+}
+
+/**
+ * Creates a fresh, restricted vm context.
+ *
+ * Accessible globals:
+ *   console, JSON, Math, Date, Promise, Array, Object, String, Number,
+ *   Boolean, Error, TypeError, RangeError, Map, Set, WeakMap, WeakSet,
+ *   Symbol, typed arrays, ArrayBuffer, URL, URLSearchParams,
+ *   TextEncoder, TextDecoder, setTimeout, clearTimeout, setInterval,
+ *   clearInterval, parseInt, parseFloat, isNaN, isFinite, encodeURI,
+ *   decodeURI, encodeURIComponent, decodeURIComponent, Infinity, NaN,
+ *   undefined.
+ *
+ * Deliberately excluded:
+ *   process, require, global, Buffer, __dirname, __filename,
+ *   fs, child_process, net, http, https, os, crypto (node:crypto),
+ *   and any other Node.js built-in that exposes host resources.
+ *
+ * @param options - Optional extra globals to inject.
+ * @returns A contextified vm sandbox object.
+ */
+export function createSandboxContext(options: SandboxOptions = {}): vm.Context {
+  const sandbox: Record<string, unknown> = {
+    // Safe builtins
+    console: sandboxConsole,
+    JSON,
+    Math,
+    Date,
+    Promise,
+    Array,
+    Object,
+    String,
+    Number,
+    Boolean,
+    Error,
+    EvalError,
+    RangeError,
+    ReferenceError,
+    SyntaxError,
+    TypeError,
+    URIError,
+    Map,
+    Set,
+    WeakMap,
+    WeakSet,
+    WeakRef,
+    Symbol,
+    BigInt,
+
+    // Typed arrays
+    ArrayBuffer,
+    SharedArrayBuffer,
+    DataView,
+    Int8Array,
+    Uint8Array,
+    Uint8ClampedArray,
+    Int16Array,
+    Uint16Array,
+    Int32Array,
+    Uint32Array,
+    Float32Array,
+    Float64Array,
+    BigInt64Array,
+    BigUint64Array,
+
+    // Web-compatible globals
+    URL,
+    URLSearchParams,
+    TextEncoder,
+    TextDecoder,
+
+    // Timers (these are host-side and safe to expose)
+    setTimeout,
+    clearTimeout,
+    setInterval,
+    clearInterval,
+
+    // Standard globals
+    parseInt,
+    parseFloat,
+    isNaN,
+    isFinite,
+    encodeURI,
+    decodeURI,
+    encodeURIComponent,
+    decodeURIComponent,
+    Infinity,
+    NaN,
+    undefined,
+
+    // Explicitly do NOT add:
+    //   process        — would expose process.env (credential leak)
+    //   require        — would allow arbitrary module imports
+    //   global         — alias for Node.js global; exposes process
+    //   Buffer         — not needed in sandboxed operations
+    //   __dirname      — filesystem information leak
+    //   __filename     — filesystem information leak
+    //   fetch          — injected separately per-operation via bridge (see bridge.ts)
+    //   crypto         — would allow subtle attacks; excluded for now
+
+    ...options.extraGlobals,
+  };
+
+  return vm.createContext(sandbox);
+}