fix(sandbox): expand CodeSandbox hardening to block realm intrinsics

CodeRabbit review on the SandboxedToolForge -> CodeSandbox consolidation
flagged the extraGlobals denylist as incomplete and the contextObj as
missing five realm intrinsics that node:vm exposes by default but
untrusted sandbox code has no legitimate need for.

Expanded both surfaces in lockstep:
- DANGEROUS_GLOBAL_KEYS now includes Reflect, Proxy, WebAssembly,
  SharedArrayBuffer, Atomics so extraGlobals callers cannot inject them
- contextObj explicitly nulls the same five identifiers so the realm
  intrinsics resolve to undefined inside the sandbox

Closes the Reflect.construct(Function, [...])() reflection escape that
would otherwise sidestep codeGeneration: { strings: false }, blocks
Proxy-based prototype-chain attacks, and removes the SharedArrayBuffer
/ Atomics Spectre side-channel surface. WebAssembly was already
blocked via codeGeneration: { wasm: false } but nulled here for
belt-and-suspenders.

ICodeSandbox.ts JSDoc reorganized to match the categorized denylist.
New test 'drops the expanded danger list' locks the behavior. All 74
CodeSandbox + 29 SandboxedToolForge tests green.

Author: jddunn

src/sandbox/executor/CodeSandbox.ts

@@ -53,6 +53,13 @@ const DEFAULT_CONFIG: SandboxConfig = {
  * we let extraGlobals re-bind them the entire isolation guarantee evaporates.
  * Filtered silently at merge time so a forge-style consumer that includes one
  * of these by accident still gets a working sandbox without a noisy error.
+ *
+ * Categorized:
+ *   - Host-state escape: process, global, globalThis, require
+ *   - Code-generation reflection: eval, Function
+ *   - Realm-reflection / introspection: Reflect, Proxy
+ *   - Memory side-channels (Spectre family): SharedArrayBuffer, Atomics
+ *   - Native compilation surface: WebAssembly
  */
 const DANGEROUS_GLOBAL_KEYS: ReadonlySet<string> = new Set([
   'process',
@@ -61,6 +68,11 @@ const DANGEROUS_GLOBAL_KEYS: ReadonlySet<string> = new Set([
   'require',
   'eval',
   'Function',
+  'Reflect',
+  'Proxy',
+  'WebAssembly',
+  'SharedArrayBuffer',
+  'Atomics',
 ]);
 
 /** Dangerous patterns by language */
@@ -307,6 +319,18 @@ export class CodeSandbox implements ICodeSandbox {
       clearInterval: undefined,
       clearImmediate: undefined,
       queueMicrotask: undefined,
+      // Realm intrinsics that node:vm exposes by default but untrusted
+      // sandbox code has no legitimate need for. Explicitly nulling them
+      // blocks runtime reflection paths (Reflect.construct(Function,...)),
+      // Proxy-based prototype-chain attacks, and the SharedArrayBuffer/
+      // Atomics Spectre side-channel surface. WebAssembly is already
+      // blocked via codeGeneration: { wasm: false } but nulled here for
+      // belt-and-suspenders.
+      Reflect: undefined,
+      Proxy: undefined,
+      WebAssembly: undefined,
+      SharedArrayBuffer: undefined,
+      Atomics: undefined,
     };
 
     // Merge caller-supplied extras AFTER the hardened defaults so an explicit

src/sandbox/executor/ICodeSandbox.ts

@@ -56,9 +56,13 @@ export interface SandboxConfig {
    * SandboxedToolForge) needs to expose allowlisted APIs (`fetch`, `fs`,
    * `crypto`) without forking a second sandbox implementation.
    *
-   * Security-critical keys (`process`, `global`, `globalThis`, `require`,
-   * `eval`, `Function`) are silently dropped from this map at merge time
-   * so callers cannot accidentally undo the sandbox's hardenings.
+   * Security-critical keys are silently dropped from this map at merge time
+   * so callers cannot accidentally undo the sandbox's hardenings:
+   *   - Host-state escape: `process`, `global`, `globalThis`, `require`
+   *   - Code-generation reflection: `eval`, `Function`
+   *   - Realm-reflection / introspection: `Reflect`, `Proxy`
+   *   - Memory side-channels (Spectre family): `SharedArrayBuffer`, `Atomics`
+   *   - Native compilation surface: `WebAssembly`
    */
   extraGlobals?: Record<string, unknown>;
 }

src/sandbox/executor/tests/CodeSandbox.spec.ts

@@ -317,6 +317,37 @@ describe('CodeSandbox — JavaScript execution', () => {
    * rather than passing because `process` is already undefined by
    * default in node:vm contexts.
    */
+  it('drops the expanded danger list (Reflect/Proxy/WebAssembly/SharedArrayBuffer/Atomics)', async () => {
+    const result = await sandbox.execute({
+      language: 'javascript',
+      code: `
+        const safe = typeof safeApi === 'function' ? 'ok' : 'missing';
+        const reflect = typeof Reflect === 'undefined' ? 'blocked' : 'LEAKED';
+        const proxy = typeof Proxy === 'undefined' ? 'blocked' : 'LEAKED';
+        const wasm = typeof WebAssembly === 'undefined' ? 'blocked' : 'LEAKED';
+        const sab = typeof SharedArrayBuffer === 'undefined' ? 'blocked' : 'LEAKED';
+        const atomics = typeof Atomics === 'undefined' ? 'blocked' : 'LEAKED';
+        return safe + ':' + reflect + ':' + proxy + ':' + wasm + ':' + sab + ':' + atomics;
+      `,
+      config: {
+        extraGlobals: {
+          // Caller tries to inject dangerous globals; all dropped.
+          Reflect: { get: () => 'pwned' },
+          Proxy: function () { return 'pwned'; },
+          WebAssembly: { compile: () => 'pwned' },
+          SharedArrayBuffer: function () { return 'pwned'; },
+          Atomics: { load: () => 'pwned' },
+          // Plus a safe one that should land.
+          safeApi: () => 'ok',
+        },
+      },
+    });
+
+    expect(result.status).toBe('success');
+    expect(result.output?.stdout).toContain('ok:blocked:blocked:blocked:blocked:blocked');
+    expect(result.output?.stdout).not.toContain('LEAKED');
+  });
+
   it('drops dangerous keys from extraGlobals while keeping safe ones', async () => {
     const fakeProcess = { env: { LEAKED: 'should-not-reach-sandbox' } };
     const result = await sandbox.execute({