CodeCall Plugin - FrontMCP

CodeCall lets LLMs orchestrate hundreds of tools through a code-first interface while maintaining strict security boundaries. Instead of flooding the context window with tool definitions, the model discovers, describes, and executes tools through a sandboxed JavaScript environment.

Scalable Discovery

Search across hundreds of tools using natural language

Code Orchestration

LLMs write JavaScript to combine tools, filter data, and build workflows

Bank-Grade Security

Sandboxed execution with AST validation, resource limits, and audit logging

Direct Invocation

Optionally bypass the VM for simple single-tool calls

Quick Start

npm install @frontmcp/plugins

import { App, Tool, ToolContext } from '@frontmcp/sdk';
import CodeCallPlugin from '@frontmcp/plugins/codecall';

@Tool({
  name: 'users:list',
  description: 'List all users with pagination',
  codecall: {
    enabledInCodeCall: true,
    visibleInListTools: false, // Hidden from direct list, accessible via CodeCall
  },
})
class ListUsersTool extends ToolContext {
  async execute(input: { limit?: number }) {
    return { users: [/* ... */] };
  }
}

@App({
  id: 'example',
  plugins: [
    CodeCallPlugin.init({
      mode: 'codecall_only',
      security: {
        level: 'SECURE', // Bank-grade security preset
      },
    }),
  ],
  tools: [ListUsersTool],
})
export default class ExampleApp {}

The model now sees only four meta-tools:

codecall:search - Find relevant tools
codecall:describe - Get detailed schemas
codecall:execute - Run JavaScript orchestration plans
codecall:invoke - Direct tool calls (optional)

Security Model

CodeCall implements defense-in-depth with multiple security layers:

Security Levels

Choose a preset that matches your threat model:

Level	Timeout	Max Iterations	Tool Calls	Use Case
STRICT	1s	100	5	Ultra-sensitive environments
SECURE	3s	1,000	20	Production default
STANDARD	5s	10,000	50	Internal/trusted models
PERMISSIVE	30s	100,000	200	Development only

CodeCallPlugin.init({
  security: {
    level: 'SECURE', // or 'STRICT', 'STANDARD', 'PERMISSIVE'
    // Override specific limits:
    timeout: 5000, // Override timeout
    maxToolCalls: 30, // Override tool call limit
  },
});

Self-Reference Blocking

Critical Security Feature: Scripts cannot call CodeCall meta-tools from within scripts.

// This is BLOCKED - returns error instead of executing
const result = await callTool('codecall:execute', { script: '...' });
// Result: { success: false, error: { code: 'SELF_REFERENCE_BLOCKED' } }

This prevents:

Recursive script execution (infinite loops)
Sandbox escape attempts
Privilege escalation attacks

AST Validation

Every script is parsed and validated before execution:

Blocked Constructs

eval() and Function() constructor
with statements
Direct property access on dangerous objects
__proto__, constructor, prototype access
Async generators (resource exhaustion)
Import/export (module system bypass)

Allowed Safe Globals

callTool(name, args) - Make tool calls
parallel(fns, options) - Concurrent execution
Math, JSON, Array, Object, String, Number, Date
Custom globals you explicitly allow

Result-Based Error Handling

Security Design: Tool calls return results instead of throwing exceptions:

// Inside sandbox, callTool returns:
type ToolResult<T> =
  | { success: true; data: T }
  | { success: false; error: { code: string; message: string } };

// Usage in script:
const result = await callTool('users:get', { id: '123' });
if (!result.success) {
  // Handle error - no exception escapes
  return { error: result.error.message };
}
return result.data;

This prevents:

Information leakage through stack traces
Internal system path exposure
Exception-based control flow manipulation

Resource Limits

Timeout

Enforced execution time limit prevents infinite loops

Iterations

Loop iteration counter prevents while(true) attacks

Tool Calls

Maximum tool invocations per script execution

// All loops are instrumented:
for (let i = 0; i < 1000; i++) {
  // Each iteration increments counter
  // Throws when maxIterations exceeded
}

Tool Visibility Modes

Control which tools appear in list_tools vs. CodeCall:

`codecall_only` (Recommended)

Hide all tools from list_tools, expose via CodeCall:

CodeCallPlugin.init({ mode: 'codecall_only' });

list_tools: Only CodeCall meta-tools visible
CodeCall: All tools searchable and callable
Override: Set visibleInListTools: true per tool

`codecall_opt_in`

Tools must explicitly opt into CodeCall:

CodeCallPlugin.init({ mode: 'codecall_opt_in' });

@Tool({
  codecall: {
    enabledInCodeCall: true, // Required for CodeCall access
    visibleInListTools: true, // Also visible normally
  },
})

`metadata_driven`

Full control per tool:

CodeCallPlugin.init({ mode: 'metadata_driven' });

@Tool({
  codecall: {
    enabledInCodeCall: true,  // Available in scripts
    visibleInListTools: false, // Hidden from list_tools
  },
})

Meta-Tools Reference

codecall:search

Find tools by natural language query:

{
  "tool": "codecall:search",
  "input": {
    "query": "get user profile information",
    "topK": 5,
    "filter": {
      "appIds": ["user-service"]
    }
  }
}

Response:

{
  "tools": [
    {
      "name": "users:getProfile",
      "description": "Get user profile by ID",
      "score": 0.94,
      "appId": "user-service"
    }
  ]
}

codecall:describe

Get detailed schemas for selected tools:

{
  "tool": "codecall:describe",
  "input": {
    "tools": ["users:getProfile", "users:updateProfile"],
    "options": {
      "includeExamples": true,
      "verbosity": "full"
    }
  }
}

Response includes:

Full JSON Schema for inputs/outputs
Description and usage notes
Example inputs/outputs
Type information with constraints

codecall:execute

Run a JavaScript orchestration script:

{
  "tool": "codecall:execute",
  "input": {
    "script": "const users = await callTool('users:list', { limit: 100 });\nreturn users.data.filter(u => u.active);",
    "context": {
      "tenantId": "t-123"
    }
  }
}

Response:

{
  "status": "success",
  "result": [/* filtered users */],
  "stats": {
    "duration": 234,
    "toolCallCount": 1,
    "iterationCount": 100
  }
}

Error Response:

{
  "status": "error",
  "error": {
    "code": "TOOL_ERROR",
    "message": "Tool 'users:list' failed: Rate limit exceeded",
    "category": "tool_error",
    "suggestion": "The tool call failed. Check the input parameters and try again."
  }
}

codecall:invoke

Direct tool invocation without JavaScript:

{
  "tool": "codecall:invoke",
  "input": {
    "tool": "users:getById",
    "input": { "id": "user-123" }
  }
}

Benefits:

No VM overhead for simple calls
Still enforces access control
Maintains audit logging
Applies output sanitization

AgentScript API

Inside codecall:execute, scripts have access to:

callTool(name, args)

// Returns result object, never throws
const result = await callTool('users:get', { id: '123' });

if (result.success) {
  console.log(result.data);
} else {
  console.log(result.error.message);
}

parallel(functions, options)

Execute multiple operations concurrently:

// Fetch multiple users in parallel
const results = await parallel([
  () => callTool('users:get', { id: '1' }),
  () => callTool('users:get', { id: '2' }),
  () => callTool('users:get', { id: '3' }),
], { maxConcurrency: 10 });

// Results are in order
const [user1, user2, user3] = results;

Limits:

Maximum 100 parallel operations
Maximum 20 concurrent executions
Shares tool call limit with sequential calls

Available Globals

// Safe built-ins
Math.round(3.7);
JSON.parse('{"a":1}');
new Date().toISOString();
[1,2,3].filter(x => x > 1);
Object.keys({ a: 1, b: 2 });

// Context (read-only)
codecallContext.tenantId;
codecallContext.userId;

Audit Logging

CodeCall emits detailed audit events for security monitoring:

import { AuditLoggerService, AUDIT_EVENT_TYPES } from '@frontmcp/plugins/codecall';

// Subscribe to audit events
const auditLogger = scope.get(AuditLoggerService);

auditLogger.subscribe((event) => {
  switch (event.type) {
    case AUDIT_EVENT_TYPES.EXECUTION_START:
      console.log(`Script started: ${event.executionId}`);
      break;
    case AUDIT_EVENT_TYPES.SECURITY_SELF_REFERENCE:
      console.warn(`Self-reference blocked: ${event.toolName}`);
      break;
    case AUDIT_EVENT_TYPES.TOOL_CALL:
      console.log(`Tool called: ${event.toolName}`);
      break;
  }
});

Event Types:

execution:start / execution:success / execution:failure
security:self-reference - Blocked recursive call
security:validation-failure - AST validation failed
tool:call / tool:error - Individual tool calls
resource:limit-exceeded - Hit iteration/timeout/call limits

Error Enrichment

Errors are categorized with actionable suggestions:

Category	Example	Suggestion
`syntax`	Unexpected token	Check JavaScript syntax at line X
`security`	eval is not allowed	Remove prohibited construct
`timeout`	Execution exceeded 3s	Simplify logic or increase timeout
`tool_not_found`	Unknown tool ‘foo’	Use codecall:search to find tools
`tool_error`	Tool threw error	Check tool input parameters
`runtime`	Cannot read property	Debug the script logic

Output Sanitization

All outputs are sanitized before being returned:

// Configuration
CodeCallPlugin.init({
  sanitization: {
    maxDepth: 10,
    maxStringLength: 10000,
    maxArrayLength: 1000,
    maxObjectKeys: 100,
    removeStackTraces: true,
    removeFilePaths: true,
  },
});

Sanitization includes:

Circular reference detection → [circular]
Prototype pollution prevention → removes __proto__, constructor
Large output truncation with warnings
Stack trace removal (configurable)
File path scrubbing (configurable)

Configuration Reference

CodeCallPlugin.init({
  // Tool visibility mode
  mode: 'codecall_only' | 'codecall_opt_in' | 'metadata_driven',

  // Security configuration
  security: {
    level: 'STRICT' | 'SECURE' | 'STANDARD' | 'PERMISSIVE',
    timeout?: number,        // Override timeout (ms)
    maxIterations?: number,  // Override max loop iterations
    maxToolCalls?: number,   // Override max tool invocations
  },

  // Search configuration
  search: {
    topK: 8,                 // Default results per search
    similarityThreshold: 0.5, // Minimum relevance score
  },

  // Describe configuration
  describe: {
    maxTools: 10,            // Max tools per describe call
    includeExamples: true,   // Include example inputs/outputs
  },

  // Direct invocation
  directInvoke: {
    enabled: true,           // Enable codecall:invoke
    allowedTools?: string[], // Whitelist (optional)
  },

  // Output sanitization
  sanitization: {
    maxDepth: 10,
    maxStringLength: 10000,
    removeStackTraces: true,
    removeFilePaths: true,
  },

  // Custom globals for scripts
  globals: {
    MY_CONSTANT: 'value',
    config: { key: 'value' },
  },
});

Best Practices

1. Use SECURE Level in Production

The SECURE preset provides the right balance of functionality and safety:

CodeCallPlugin.init({
  security: { level: 'SECURE' },
});

2. Prefer codecall_only Mode

For large tool sets, hide tools from list_tools to reduce context usage:

CodeCallPlugin.init({
  mode: 'codecall_only',
});

3. Monitor Audit Events

Set up alerting for security events:

auditLogger.subscribe((event) => {
  if (event.type.startsWith('security:')) {
    alertSecurityTeam(event);
  }
});

4. Use Direct Invoke for Simple Calls

Avoid VM overhead for single-tool operations:

{ "tool": "codecall:invoke", "input": { "tool": "users:get", "input": { "id": "123" } } }

5. Include Scoping in Tool Inputs

Always include tenant/user IDs in tool calls:

callTool('users:list', { tenantId: codecallContext.tenantId })

Security Checklist

Choose Security Level

Use SECURE for production, STRICT for ultra-sensitive environments

Enable Audit Logging

Subscribe to audit events and monitor for security incidents

Configure Output Sanitization

Ensure stack traces and file paths are removed in production

Review Tool Access

Use appropriate mode and metadata to control tool visibility

Test Security Boundaries

Verify self-reference blocking and resource limits work correctly

Example: Multi-Tool Workflow

// Script for codecall:execute
async function analyzeUserActivity() {
  // Search across multiple services in parallel
  const [users, orders, sessions] = await parallel([
    () => callTool('users:list', { status: 'active', limit: 100 }),
    () => callTool('orders:recent', { days: 7 }),
    () => callTool('sessions:active', {}),
  ]);

  if (!users.success || !orders.success || !sessions.success) {
    return { error: 'Failed to fetch data' };
  }

  // Join data in JavaScript
  const enrichedUsers = users.data.map(user => {
    const userOrders = orders.data.filter(o => o.userId === user.id);
    const userSession = sessions.data.find(s => s.userId === user.id);

    return {
      ...user,
      recentOrders: userOrders.length,
      isOnline: !!userSession,
      lastActivity: userSession?.lastActivity || user.lastLogin,
    };
  });

  // Filter and sort
  return enrichedUsers
    .filter(u => u.recentOrders > 0)
    .sort((a, b) => b.recentOrders - a.recentOrders)
    .slice(0, 10);
}

return analyzeUserActivity();

Links & Resources

Source Code

View the CodeCall plugin source

Enclave Library

Sandbox execution engine

AST Guard

JavaScript AST validation

Plugin Guide

Learn about FrontMCP plugins

Get Started

Servers

Adapters

Plugins

Guides

Deployment

Scalable Discovery

Code Orchestration

Bank-Grade Security

Direct Invocation

​Quick Start

​Security Model

​Security Levels

​Self-Reference Blocking

​AST Validation

​Result-Based Error Handling

​Resource Limits

Timeout

Iterations

Tool Calls

​Tool Visibility Modes

​codecall_only (Recommended)

​codecall_opt_in

​metadata_driven

​Meta-Tools Reference

​codecall:search

​codecall:describe

​codecall:execute

​codecall:invoke

​AgentScript API

​callTool(name, args)

​parallel(functions, options)

​Available Globals

​Audit Logging

​Error Enrichment

​Output Sanitization

​Configuration Reference

​Best Practices

​Security Checklist

​Example: Multi-Tool Workflow

​Links & Resources