@enclave-vm/browser brings Enclave’s defense-in-depth security model to the browser. Instead of Node.js VM contexts, it uses a double iframe architecture with CSP isolation, prototype freezing, and secure proxies to safely execute untrusted and LLM-generated code entirely client-side.
AST Validation
Block dangerous constructs before execution using ast-guard’s AgentScript preset
Code Transformation
Automatically transform code for safe execution with proxied functions and loop limits
Double Iframe Sandbox
Execute in nested iframe isolation with CSP, sandbox attributes, and secure proxies
When to Use Browser Enclave
- Client-side AI code execution — Run LLM-generated code in the browser without a server round-trip
- No server required — All sandboxing happens in the browser via iframe isolation
- Interactive code playgrounds — Build code editors with live execution and tool integration
- Edge and offline scenarios — Execute sandboxed code without network connectivity
- Rapid prototyping — Let users experiment with AgentScript in the browser
Browser vs Node.js
Installation
Quick Start
Execution Results
Every call torun() returns a structured result with success/error status and execution statistics:
Error Codes
Related
- Security Architecture - Double iframe isolation model
- Configuration - All configuration options
- React Integration - Hooks and component patterns
- @enclave-vm/core Overview - Node.js sandbox