wu-framework 1.1.16 → 1.1.17

package/dist/wu-framework.dev.js

@@ -24,19 +24,27 @@ class WuLogger {
    * Detectar si estamos en desarrollo
    */
   detectEnvironment() {
-    // Múltiples formas de detectar desarrollo
-    return (
-      // Vite development
-      window.location.hostname === 'localhost' ||
-      window.location.hostname === '127.0.0.1' ||
-      window.location.port !== '' ||
-      // NODE_ENV si está disponible
-      (typeof process !== 'undefined' && process.env?.NODE_ENV === 'development') ||
-      // URL params para forzar debug
-      new URLSearchParams(window.location.search).has('wu-debug') ||
-      // Manual override
-      window.WU_DEBUG === true
-    );
+    // 1. Explicit flag takes priority
+    if (typeof window !== 'undefined' && window.WU_DEBUG === true) return true;
+    if (typeof window !== 'undefined' && window.WU_DEBUG === false) return false;
+
+    // 2. NODE_ENV check (works in bundlers and Node)
+    if (typeof process !== 'undefined' && process.env?.NODE_ENV === 'production') return false;
+    if (typeof process !== 'undefined' && process.env?.NODE_ENV === 'development') return true;
+
+    // 3. Browser heuristics (only if window exists)
+    if (typeof window !== 'undefined' && window.location) {
+      const hostname = window.location.hostname;
+      if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '[::1]') return true;
+
+      // URL param override
+      try {
+        if (new URLSearchParams(window.location.search).has('wu-debug')) return true;
+      } catch {}
+    }
+
+    // 4. Default: assume production
+    return false;
   }
 
   /**
@@ -136,69 +144,178 @@ var wuLogger = /*#__PURE__*/Object.freeze({
 });
 
 /**
- * 🚀 WU-LOADER: SISTEMA DE CARGA DINÁMICA UNIVERSAL
+ * WU-LOADER: SISTEMA DE CARGA DINAMICA UNIVERSAL
  * Carga aplicaciones y componentes sin depender del framework
+ *
+ * Cache strategy: LRU with TTL eviction.
+ * Entries track lastAccess time. When the cache reaches maxCacheSize,
+ * the least recently accessed entry is evicted. Entries older than
+ * cacheTTL are treated as stale and removed on access or eviction.
  */
 
 
+/**
+ * @typedef {Object} WuLoaderOptions
+ * @property {number} [maxCacheSize=50] - Maximum cache entries
+ * @property {number} [cacheTTL=1800000] - Cache TTL in ms (default 30min)
+ */
+
+/**
+ * @typedef {Object} WuLoaderStats
+ * @property {number} cached - Number of cached entries
+ * @property {number} loading - Number of in-flight loads
+ * @property {number} maxCacheSize - Max cache size setting
+ * @property {number} cacheTTL - Cache TTL setting
+ * @property {string[]} cacheKeys - Cached URL keys
+ */
+
 class WuLoader {
-  constructor() {
+  /**
+   * @param {Object} options
+   * @param {number} [options.maxCacheSize=50] - Maximum number of entries in the cache
+   * @param {number} [options.cacheTTL=1800000] - Time-to-live for cache entries in ms (default 30 minutes)
+   */
+  constructor(options = {}) {
+    this.maxCacheSize = options.maxCacheSize ?? 50;
+    this.cacheTTL = options.cacheTTL ?? 1800000;
     this.cache = new Map();
     this.loadingPromises = new Map();
 
-    logger.debug('[WuLoader] 📦 Dynamic loader initialized');
+    logger.debug('[WuLoader] Dynamic loader initialized');
   }
 
   /**
-   * Cargar aplicación completa
-   * @param {string} appUrl - URL base de la aplicación
-   * @param {Object} manifest - Manifest de la aplicación
-   * @returns {string} Código JavaScript de la aplicación
+   * Read from cache with TTL validation and LRU access tracking.
+   * Returns undefined if the entry does not exist or has expired.
+   * @param {string} key
+   * @returns {string|undefined}
+   */
+  _cacheGet(key) {
+    if (!this.cache.has(key)) {
+      return undefined;
+    }
+
+    const entry = this.cache.get(key);
+    const now = Date.now();
+
+    if (now - entry.timestamp > this.cacheTTL) {
+      this.cache.delete(key);
+      logger.debug(`[WuLoader] Cache expired for: ${key}`);
+      return undefined;
+    }
+
+    // Promote: delete and re-insert so iteration order reflects recency.
+    // Map iteration order in JS follows insertion order, so the oldest
+    // inserted entry is always first -- exactly what we need for LRU eviction.
+    this.cache.delete(key);
+    entry.lastAccess = now;
+    this.cache.set(key, entry);
+
+    return entry.code;
+  }
+
+  /**
+   * Write to cache. Evicts stale and LRU entries before inserting.
+   * @param {string} key
+   * @param {string} code
+   */
+  _cacheSet(key, code) {
+    // If the key already exists, remove it first so re-insertion
+    // moves it to the end (most-recently-used position).
+    if (this.cache.has(key)) {
+      this.cache.delete(key);
+    }
+
+    this._evictIfNeeded();
+
+    const now = Date.now();
+    this.cache.set(key, {
+      code,
+      timestamp: now,
+      lastAccess: now
+    });
+  }
+
+  /**
+   * Evict entries until cache is below maxCacheSize.
+   *
+   * Two-pass strategy:
+   *   1. Remove all expired entries (TTL exceeded).
+   *   2. If still at capacity, remove the least recently accessed entry.
+   *      Because Map preserves insertion order and _cacheGet promotes on
+   *      access, the first key from the iterator is always the LRU entry.
+   */
+  _evictIfNeeded() {
+    const now = Date.now();
+
+    // Pass 1: purge expired entries
+    for (const [key, entry] of this.cache) {
+      if (now - entry.timestamp > this.cacheTTL) {
+        this.cache.delete(key);
+        logger.debug(`[WuLoader] Evicted expired entry: ${key}`);
+      }
+    }
+
+    // Pass 2: evict LRU entries until we are under the limit
+    while (this.cache.size >= this.maxCacheSize) {
+      // Map.keys().next() gives us the oldest-inserted key (LRU)
+      const oldestKey = this.cache.keys().next().value;
+      this.cache.delete(oldestKey);
+      logger.debug(`[WuLoader] Evicted LRU entry: ${oldestKey}`);
+    }
+  }
+
+  /**
+   * Cargar aplicacion completa
+   * @param {string} appUrl - URL base de la aplicacion
+   * @param {Object} manifest - Manifest de la aplicacion
+   * @returns {string} Codigo JavaScript de la aplicacion
    */
   async loadApp(appUrl, manifest) {
     const entryFile = manifest?.entry || 'index.js';
     const fullUrl = `${appUrl}/${entryFile}`;
 
-    logger.debug(`[WuLoader] 📥 Loading app from: ${fullUrl}`);
+    logger.debug(`[WuLoader] Loading app from: ${fullUrl}`);
 
     try {
-      // Verificar cache
-      if (this.cache.has(fullUrl)) {
-        logger.debug(`[WuLoader] ⚡ Cache hit for: ${fullUrl}`);
-        return this.cache.get(fullUrl);
+      // Check cache with TTL and LRU tracking
+      const cached = this._cacheGet(fullUrl);
+      if (cached !== undefined) {
+        logger.debug(`[WuLoader] Cache hit for: ${fullUrl}`);
+        return cached;
       }
 
-      // Verificar si ya está cargando
+      // Check if already loading
       if (this.loadingPromises.has(fullUrl)) {
-        logger.debug(`[WuLoader] ⏳ Loading in progress for: ${fullUrl}`);
+        logger.debug(`[WuLoader] Loading in progress for: ${fullUrl}`);
         return await this.loadingPromises.get(fullUrl);
       }
 
-      // Crear promesa de carga
+      // Create loading promise
       const loadingPromise = this.fetchCode(fullUrl);
       this.loadingPromises.set(fullUrl, loadingPromise);
 
       const code = await loadingPromise;
 
-      // Limpiar promesa de carga y cachear resultado
+      // Clean up loading promise and cache result
       this.loadingPromises.delete(fullUrl);
-      this.cache.set(fullUrl, code);
+      this._cacheSet(fullUrl, code);
 
-      logger.debug(`[WuLoader] ✅ App loaded successfully: ${fullUrl}`);
+      logger.debug(`[WuLoader] App loaded successfully: ${fullUrl}`);
       return code;
 
     } catch (error) {
       this.loadingPromises.delete(fullUrl);
-      console.error(`[WuLoader] ❌ Failed to load app: ${fullUrl}`, error);
+      console.error(`[WuLoader] Failed to load app: ${fullUrl}`, error);
       throw new Error(`Failed to load app from ${fullUrl}: ${error.message}`);
     }
   }
 
   /**
-   * Cargar componente específico
-   * @param {string} appUrl - URL base de la aplicación
+   * Cargar componente especifico
+   * @param {string} appUrl - URL base de la aplicacion
    * @param {string} componentPath - Ruta del componente
-   * @returns {Function} Función del componente
+   * @returns {Function} Funcion del componente
    */
   async loadComponent(appUrl, componentPath) {
     // Normalizar ruta del componente
@@ -212,13 +329,13 @@ class WuLoader {
 
     const fullUrl = `${appUrl}/${normalizedPath}`;
 
-    logger.debug(`[WuLoader] 🧩 Loading component from: ${fullUrl}`);
+    logger.debug(`[WuLoader] Loading component from: ${fullUrl}`);
 
     try {
-      // Cargar código del componente
+      // Cargar codigo del componente
       const code = await this.loadCode(fullUrl);
 
-      // Crear función que retorna el componente
+      // Crear funcion que retorna el componente
       const componentFunction = new Function('require', 'module', 'exports', `
         ${code}
         return typeof module.exports === 'function' ? module.exports :
@@ -235,39 +352,40 @@ class WuLoader {
 
       const component = componentFunction(fakeRequire, fakeModule, fakeModule.exports);
 
-      logger.debug(`[WuLoader] ✅ Component loaded: ${componentPath}`);
+      logger.debug(`[WuLoader] Component loaded: ${componentPath}`);
       return component;
 
     } catch (error) {
-      console.error(`[WuLoader] ❌ Failed to load component: ${componentPath}`, error);
+      console.error(`[WuLoader] Failed to load component: ${componentPath}`, error);
       throw new Error(`Failed to load component ${componentPath}: ${error.message}`);
     }
   }
 
   /**
-   * Cargar código con cache
+   * Cargar codigo con cache
    * @param {string} url - URL del archivo
-   * @returns {string} Código JavaScript
+   * @returns {string} Codigo JavaScript
    */
   async loadCode(url) {
-    // Verificar cache
-    if (this.cache.has(url)) {
-      return this.cache.get(url);
+    // Check cache with TTL and LRU tracking
+    const cached = this._cacheGet(url);
+    if (cached !== undefined) {
+      return cached;
     }
 
-    // Verificar si ya está cargando
+    // Check if already loading
     if (this.loadingPromises.has(url)) {
       return await this.loadingPromises.get(url);
     }
 
-    // Crear promesa de carga
+    // Create loading promise
     const loadingPromise = this.fetchCode(url);
     this.loadingPromises.set(url, loadingPromise);
 
     try {
       const code = await loadingPromise;
       this.loadingPromises.delete(url);
-      this.cache.set(url, code);
+      this._cacheSet(url, code);
       return code;
     } catch (error) {
       this.loadingPromises.delete(url);
@@ -276,9 +394,9 @@ class WuLoader {
   }
 
   /**
-   * Realizar fetch del código
+   * Realizar fetch del codigo
    * @param {string} url - URL del archivo
-   * @returns {string} Código JavaScript
+   * @returns {string} Codigo JavaScript
    */
   async fetchCode(url) {
     const response = await fetch(url, {
@@ -306,25 +424,25 @@ class WuLoader {
    * @param {Array} appConfigs - Configuraciones de aplicaciones
    */
   async preload(appConfigs) {
-    logger.debug(`[WuLoader] 🚀 Preloading ${appConfigs.length} apps...`);
+    logger.debug(`[WuLoader] Preloading ${appConfigs.length} apps...`);
 
     const preloadPromises = appConfigs.map(async (config) => {
       try {
         await this.loadApp(config.url, config.manifest);
-        logger.debug(`[WuLoader] ✅ Preloaded: ${config.name}`);
+        logger.debug(`[WuLoader] Preloaded: ${config.name}`);
       } catch (error) {
-        logger.warn(`[WuLoader] ⚠️ Failed to preload ${config.name}:`, error.message);
+        logger.warn(`[WuLoader] Failed to preload ${config.name}:`, error.message);
       }
     });
 
     await Promise.allSettled(preloadPromises);
-    logger.debug(`[WuLoader] 🎉 Preload completed`);
+    logger.debug(`[WuLoader] Preload completed`);
   }
 
   /**
-   * Verificar si una URL está disponible
+   * Verificar si una URL esta disponible
    * @param {string} url - URL a verificar
-   * @returns {boolean} True si está disponible
+   * @returns {boolean} True si esta disponible
    */
   async isAvailable(url) {
     try {
@@ -368,9 +486,9 @@ class WuLoader {
       try {
         const component = await this.loadComponent(app.url, exportPath);
         resolved.set(importPath, component);
-        logger.debug(`[WuLoader] ✅ Resolved dependency: ${importPath}`);
+        logger.debug(`[WuLoader] Resolved dependency: ${importPath}`);
       } catch (error) {
-        console.error(`[WuLoader] ❌ Failed to resolve: ${importPath}`, error);
+        console.error(`[WuLoader] Failed to resolve: ${importPath}`, error);
       }
     }
 
@@ -379,7 +497,7 @@ class WuLoader {
 
   /**
    * Limpiar cache
-   * @param {string} pattern - Patrón opcional para limpiar URLs específicas
+   * @param {string} pattern - Patron opcional para limpiar URLs especificas
    */
   clearCache(pattern) {
     if (pattern) {
@@ -387,21 +505,23 @@ class WuLoader {
       for (const [url] of this.cache) {
         if (regex.test(url)) {
           this.cache.delete(url);
-          logger.debug(`[WuLoader] 🗑️ Cleared cache for: ${url}`);
+          logger.debug(`[WuLoader] Cleared cache for: ${url}`);
         }
       }
     } else {
       this.cache.clear();
-      logger.debug(`[WuLoader] 🗑️ Cache cleared completely`);
+      logger.debug(`[WuLoader] Cache cleared completely`);
     }
   }
 
   /**
-   * Obtener estadísticas del loader
+   * Obtener estadisticas del loader
    */
   getStats() {
     return {
       cached: this.cache.size,
+      maxCacheSize: this.maxCacheSize,
+      cacheTTL: this.cacheTTL,
       loading: this.loadingPromises.size,
       cacheKeys: Array.from(this.cache.keys())
     };
@@ -899,8 +1019,9 @@ class WuStyleBridge {
 
 
 class WuProxySandbox {
-  constructor(appName) {
+  constructor(appName, options = {}) {
     this.appName = appName;
+    this.options = options;
     this.proxy = null;
     this.fakeWindow = Object.create(null);
     this.active = false;
@@ -2667,6 +2788,29 @@ class WuManifest {
       }
     }
 
+    // Validate optional fields
+    if (manifest.styleMode !== undefined) {
+      const validModes = ['shared', 'isolated', 'fully-isolated'];
+      if (!validModes.includes(manifest.styleMode)) {
+        logger.warn(`[WuManifest] Invalid styleMode "${manifest.styleMode}", defaulting to "shared". Valid: ${validModes.join(', ')}`);
+        manifest.styleMode = 'shared';
+      }
+    }
+
+    if (manifest.version !== undefined && typeof manifest.version !== 'string') {
+      logger.warn('[WuManifest] version must be a string, ignoring');
+      delete manifest.version;
+    }
+
+    if (manifest.folder !== undefined) {
+      if (typeof manifest.folder !== 'string') {
+        logger.warn('[WuManifest] folder must be a string, ignoring');
+        delete manifest.folder;
+      } else if (this._hasDangerousPatterns(manifest.folder)) {
+        throw new Error('folder contains dangerous patterns');
+      }
+    }
+
     // Normalizar y limpiar manifest
     return this.normalize(manifest);
   }
@@ -2884,6 +3028,15 @@ class WuManifest {
  * - API minimalista: get(), set(), on()
  */
 
+/**
+ * @typedef {Object} WuStoreMetrics
+ * @property {number} reads - Total read operations
+ * @property {number} writes - Total write operations
+ * @property {number} notifications - Total notifications sent
+ * @property {number} bufferUtilization - Ring buffer utilization (0-1)
+ * @property {number} listenerCount - Active listener count
+ */
+
 class WuStore {
   constructor(bufferSize = 256) {
     // Ring Buffer configuration
@@ -2939,8 +3092,9 @@ class WuStore {
   set(path, value) {
     this.metrics.writes++;
 
-    // Write to ring buffer (lock-free)
-    const sequence = this.cursor++;
+    // Write to ring buffer (lock-free, wraps at buffer boundary)
+    const sequence = this.cursor;
+    this.cursor = (this.cursor + 1) % (this.bufferSize * this.bufferSize);
     const index = sequence & this.mask;
 
     // Reuse buffer slot (zero allocation)
@@ -3027,7 +3181,7 @@ class WuStore {
   getMetrics() {
     return {
       ...this.metrics,
-      bufferUtilization: (this.cursor % this.bufferSize) / this.bufferSize,
+      bufferUtilization: Math.min(1, this.cursor / this.bufferSize),
       listenerCount: this.listeners.size + this.patternListeners.size
     };
   }
@@ -3438,6 +3592,9 @@ class WuCache {
       cooldownUntil: 0
     };
 
+    // Rate limit notification flag (log only once per cooldown)
+    this._rateLimitNotified = false;
+
     // Memory cache
     this.memoryCache = new Map();
 
@@ -3472,6 +3629,7 @@ class WuCache {
       }
       // Cooldown terminado
       this.rateLimiting.inCooldown = false;
+      this._rateLimitNotified = false;
       this.rateLimiting.operations = [];
     }
 
@@ -3497,7 +3655,22 @@ class WuCache {
   }
 
   /**
-   * 🔐 GET RATE LIMIT STATUS
+   * Handle rate-limited operations: log once per cooldown, return diagnostic object
+   * @param {string} operation - The operation that was rate limited ('get' or 'set')
+   * @param {string} key - The cache key that was rejected
+   * @returns {{ rateLimited: true, operation: string, key: string }}
+   */
+  _onRateLimited(operation, key) {
+    if (!this._rateLimitNotified) {
+      const cooldownRemaining = Math.max(0, this.rateLimiting.cooldownUntil - Date.now());
+      logger.warn(`[WuCache] Rate limited: ${operation} for key "${key}" rejected. ${cooldownRemaining}ms remaining in cooldown.`);
+      this._rateLimitNotified = true;
+    }
+    return { rateLimited: true, operation, key };
+  }
+
+  /**
+   * GET RATE LIMIT STATUS
    */
   getRateLimitStatus() {
     const now = Date.now();
@@ -3521,7 +3694,8 @@ class WuCache {
   get(key) {
     // 🔐 Check rate limit
     if (!this._checkRateLimit()) {
-      return null; // Silently fail on rate limit
+      this._onRateLimited('get', key);
+      return null;
     }
 
     // 1. Buscar en memoria
@@ -3568,7 +3742,8 @@ class WuCache {
   set(key, value, ttl) {
     // 🔐 Check rate limit
     if (!this._checkRateLimit()) {
-      return false; // Reject on rate limit
+      this._onRateLimited('set', key);
+      return false;
     }
 
     try {
@@ -3893,6 +4068,25 @@ class WuCache {
  * - Verificación de apps autorizadas
  */
 
+/**
+ * @typedef {Object} WuEvent
+ * @property {string} name - Event name
+ * @property {*} data - Event payload
+ * @property {number} timestamp - Event timestamp
+ * @property {string} appName - Source app name
+ * @property {Object} meta - Additional metadata
+ * @property {boolean} verified - Whether origin was verified
+ */
+
+/**
+ * @typedef {Object} WuEventBusConfig
+ * @property {number} [maxHistory=100] - Maximum events in history
+ * @property {boolean} [enableReplay=true] - Enable event replay
+ * @property {boolean} [enableWildcards=true] - Enable wildcard matching
+ * @property {boolean} [logEvents=false] - Log all events
+ * @property {boolean} [strictMode=false] - Reject unauthorized events
+ * @property {boolean} [validateOrigin=true] - Validate event origins
+ */
 
 class WuEventBus {
   constructor() {
@@ -3903,16 +4097,21 @@ class WuEventBus {
     this.authorizedApps = new Map(); // appName -> { token, permissions }
     this.trustedEvents = new Set(['wu:*', 'system:*']); // Eventos del sistema
 
+    // Auto-detect production environment for strictMode default
+    const isProduction = typeof process !== 'undefined' && process.env?.NODE_ENV === 'production';
+
     this.config = {
       maxHistory: 100,
       enableReplay: true,
       enableWildcards: true,
       logEvents: false,
       // 🔐 Opciones de seguridad
-      strictMode: false, // Si true, rechaza eventos de apps no autorizadas
+      strictMode: isProduction, // Auto-enabled in production, permissive in development
       validateOrigin: true // Valida que appName sea una app registrada
     };
 
+    this._permissiveWarned = false;
+
     this.stats = {
       emitted: 0,
       subscriptions: 0,
@@ -4010,6 +4209,19 @@ class WuEventBus {
     return `wu_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
   }
 
+  /**
+   * WARN PERMISSIVE MODE: Log a one-time warning when strictMode is off
+   * Alerts developers that events are flowing without authorization checks
+   */
+  _warnPermissiveMode() {
+    if (this._permissiveWarned) return;
+    this._permissiveWarned = true;
+    logger.warn(
+      '[WuEventBus] strictMode is disabled. Events are emitted without authorization checks. ' +
+      'Enable strictMode for production by calling enableStrictMode() or setting NODE_ENV=production.'
+    );
+  }
+
   /**
    * 📢 EMIT: Emitir evento con validación de origen
    * @param {string} eventName - Nombre del evento
@@ -4019,6 +4231,11 @@ class WuEventBus {
   emit(eventName, data, options = {}) {
     const appName = options.appName || 'unknown';
 
+    // Warn once if running in permissive mode (strictMode off)
+    if (!this.config.strictMode) {
+      this._warnPermissiveMode();
+    }
+
     // 🔐 Validar origen si está habilitado
     if (this.config.validateOrigin && this.config.strictMode) {
       if (!this._validateOrigin(eventName, appName, options.token)) {
@@ -4470,7 +4687,7 @@ class WuPerformance {
 
 
 class WuPluginSystem {
-  constructor(core) {
+  constructor(core, options = {}) {
     this._core = core; // Privado - no expuesto a plugins
     this.plugins = new Map();
     this.hooks = new Map();
@@ -4494,7 +4711,7 @@ class WuPluginSystem {
     ];
 
     // 🔐 Timeout para hooks (evita que plugins bloqueen)
-    this.hookTimeout = 5000; // 5 segundos
+    this.hookTimeout = options.hookTimeout || 5000; // Default: 5 segundos
 
     this.availableHooks.forEach(hook => {
       this.hooks.set(hook, []);
@@ -4565,8 +4782,61 @@ class WuPluginSystem {
       logger.warn('[WuPlugin] ⚠️ Plugin has unsafe access to core!');
     }
 
-    // Congelar API para evitar modificaciones
-    return Object.freeze(api);
+    // Congelar API recursivamente para evitar modificaciones en cualquier nivel
+    return WuPluginSystem._deepFreeze(api);
+  }
+
+  /**
+   * Deep-freeze an object and all its nested plain objects and arrays.
+   * Functions, DOM nodes, and other non-plain types are left untouched
+   * so they remain callable / functional. A WeakSet guards against
+   * circular references.
+   *
+   * @param {*} obj - The value to deep-freeze
+   * @param {WeakSet} [seen] - Internal tracker for circular references
+   * @returns {*} The same object, now deeply frozen
+   */
+  static _deepFreeze(obj, seen) {
+    if (obj === null || obj === undefined) {
+      return obj;
+    }
+
+    // Only freeze plain objects and arrays.
+    // Functions must stay invocable; DOM nodes, class instances, etc.
+    // should not be tampered with.
+    const dominated = typeof obj === 'object';
+    if (!dominated) {
+      return obj;
+    }
+
+    const isPlainObject =
+      Object.getPrototypeOf(obj) === Object.prototype ||
+      Object.getPrototypeOf(obj) === null;
+    const isArray = Array.isArray(obj);
+
+    if (!isPlainObject && !isArray) {
+      return obj;
+    }
+
+    // Circular-reference guard
+    if (!seen) {
+      seen = new WeakSet();
+    }
+    if (seen.has(obj)) {
+      return obj;
+    }
+    seen.add(obj);
+
+    // Recurse into own enumerable properties
+    const keys = Object.keys(obj);
+    for (let i = 0; i < keys.length; i++) {
+      const value = obj[keys[i]];
+      if (value !== null && value !== undefined && typeof value === 'object') {
+        WuPluginSystem._deepFreeze(value, seen);
+      }
+    }
+
+    return Object.freeze(obj);
   }
 
   /**
@@ -5377,19 +5647,33 @@ class WuErrorBoundary {
    * @param {Object} context - Contexto
    */
   logError(error, context) {
+    // Truncate stack to first 5 lines to prevent retaining large object references
+    const stack = error.stack ? error.stack.split('\n').slice(0, 5).join('\n') : '';
+
+    // Shallow-copy context to avoid retaining references to live objects
+    const safeContext = {};
+    for (const key of Object.keys(context)) {
+      const val = context[key];
+      if (typeof val === 'string' || typeof val === 'number' || typeof val === 'boolean' || val === null) {
+        safeContext[key] = val;
+      } else {
+        safeContext[key] = String(val);
+      }
+    }
+
     const errorEntry = {
       error: {
         name: error.name,
         message: error.message,
-        stack: error.stack
+        stack
       },
-      context,
+      context: safeContext,
       timestamp: Date.now()
     };
 
     this.errorLog.push(errorEntry);
 
-    // Mantener límite de log
+    // Maintain log limit
     if (this.errorLog.length > this.maxErrorLog) {
       this.errorLog.shift();
     }
@@ -5857,19 +6141,28 @@ class WuHtmlParser {
       return this._cache.get(cacheKey);
     }
 
-    const temp = document.createElement('div');
-    temp.innerHTML = html;
+    const parser = new DOMParser();
+    const doc = parser.parseFromString(html, 'text/html');
 
     const inlineScripts = [];
     const externalScripts = [];
     const inlineStyles = [];
     const externalStyles = [];
 
-    this._extractResources(temp, {
+    const ctx = {
       inlineScripts, externalScripts,
       inlineStyles, externalStyles,
       baseUrl
-    });
+    };
+
+    // DOMParser moves <style>, <link>, and some <script> tags to <head>.
+    // Extract resources from both head and body to capture everything.
+    if (doc.head) {
+      this._extractResources(doc.head, ctx);
+    }
+
+    const temp = doc.body || doc.documentElement;
+    this._extractResources(temp, ctx);
 
     const result = {
       dom: temp.innerHTML,
@@ -6000,6 +6293,52 @@ class WuHtmlParser {
 
 class WuScriptExecutor {
 
+  /**
+   * Dangerous patterns that indicate prototype pollution, sandbox escape,
+   * or direct access to sensitive APIs. Each entry is a regex paired with
+   * a human-readable label used in error messages.
+   *
+   * This is a tripwire, not a full parser. It catches the most common
+   * attack vectors without the overhead of AST analysis.
+   */
+  static DANGEROUS_PATTERNS = [
+    // Prototype pollution vectors
+    { pattern: /constructor\s*\[\s*['"`]constructor['"`]\s*\]/, label: 'constructor chain access (sandbox escape)' },
+    { pattern: /__proto__/, label: '__proto__ access (prototype pollution)' },
+
+    // Sandbox escape via proxy introspection
+    { pattern: /Object\s*\.\s*getPrototypeOf\s*\(\s*proxy\s*\)/, label: 'Object.getPrototypeOf(proxy) (sandbox escape)' },
+
+    // Dynamic code generation that bypasses the sandbox
+    { pattern: /Function\s*\(\s*['"`]/, label: 'Function() constructor (dynamic code generation)' },
+    { pattern: /\beval\s*\(/, label: 'eval() (dynamic code execution)' },
+
+    // Dynamic import escapes the sandbox entirely (runs in global scope)
+    { pattern: /\bimport\s*\(/, label: 'import() (dynamic import escapes sandbox)' },
+
+    // Direct cookie access (should go through proxy traps, not raw document)
+    { pattern: /document\s*\.\s*cookie/, label: 'document.cookie (direct cookie access)' },
+  ];
+
+  /**
+   * Validate script text against known dangerous patterns before execution.
+   * Throws if any pattern matches. This is intentionally lightweight --
+   * pattern detection only, not a full parse.
+   *
+   * @param {string} scriptText - The raw script to validate
+   * @param {string} appName - App identifier (for error context)
+   * @throws {Error} If a dangerous pattern is detected
+   */
+  _validateScript(scriptText, appName) {
+    for (const { pattern, label } of WuScriptExecutor.DANGEROUS_PATTERNS) {
+      if (pattern.test(scriptText)) {
+        const msg = `[ScriptExecutor] Blocked dangerous pattern in "${appName}": ${label}`;
+        logger.wuError(msg);
+        throw new Error(msg);
+      }
+    }
+  }
+
   /**
    * Execute a script string inside the proxy sandbox.
    *
@@ -6016,6 +6355,8 @@ class WuScriptExecutor {
 
     if (!scriptText || !scriptText.trim()) return;
 
+    this._validateScript(scriptText, appName);
+
     const sourceComment = sourceUrl ? `\n//# sourceURL=wu-sandbox:///${appName}/${sourceUrl}\n` : '';
 
     let wrappedCode;
@@ -7666,6 +8007,20 @@ class WuCore {
     } catch (error) {
       logger.wuError(`Mount attempt ${attempt + 1} failed for ${appName}:`, error);
 
+      // Cleanup sandbox to prevent orphaned shadow DOMs
+      try {
+        if (this.sandbox && this.sandbox.sandboxes && this.sandbox.sandboxes.has(appName)) {
+          const sb = this.sandbox.sandboxes.get(appName);
+          if (sb && sb.proxySandbox) {
+            sb.proxySandbox.deactivate();
+          }
+          this.sandbox.sandboxes.delete(appName);
+          logger.wuDebug(`Sandbox cleaned up after mount failure for ${appName}`);
+        }
+      } catch (cleanupError) {
+        logger.wuWarn(`Sandbox cleanup failed for ${appName}:`, cleanupError);
+      }
+
       // Use error boundary for intelligent error handling
       const errorResult = await this.errorBoundary.handle(error, {
         appName,
@@ -15172,10 +15527,20 @@ if (typeof window !== 'undefined' && window.wu && window.wu._isWuFramework) {
 } else {
   wu = new WuCore();
   wu._isWuFramework = true;
+
+  // Also store on a Symbol key for collision-safe access
+  if (typeof window !== 'undefined') {
+    const WU_KEY = Symbol.for('wu-framework');
+    window[WU_KEY] = wu;
+  }
 }
 
 // Expose globally for microfrontends
 if (typeof window !== 'undefined') {
+  // Warn if window.wu exists but is not a Wu Framework instance
+  if (window.wu && !window.wu._isWuFramework) {
+    console.warn('[Wu Framework] window.wu already exists and is not a Wu Framework instance. Overwriting. Use Symbol.for("wu-framework") for collision-safe access.');
+  }
   window.wu = wu;
 
   if (!wu.version) {