Audit the code for sandbox escapes #12

@simonw

Description

As a starting point I had Claude Opus 4.5 via https://claude.ai/ run `pip install micro-javascript` and try a bunch of things; it found all sorts of issues: https://claude.ai/share/322d3593-7fd0-44bf-838f-fc6b72db442c

That feedback formatted as a TODO list:

  • Wrap Python callables in secure proxy objects - When Python functions are passed between exposed functions, they retain __globals__ access which allows __builtins__.__import__('os').system(). Create a SafeCallable wrapper that blocks attribute access.
  • Validate callable arguments in VM - Before passing Python callables as arguments to other Python functions, wrap them to prevent __globals__ access.
  • Fix String.repeat() to check size before allocation - Currently 'x'.repeat(100000000) creates a 100MB string, ignoring memory_limit. Add pre-allocation check: if len(s) * count > max_string_length: raise MemoryLimitError.
  • Fix VM._add() to check string concatenation size - The + operator for strings has no size limit. Add check before return str_a + str_b.
  • Fix String.split('') to check result array size - Splitting into characters creates an array of len(s) elements with no limit check.
  • Fix Array(n) constructor to check length - No limit on array size creation.
  • Fix _check_limits() to measure actual memory, not just stack depth - Currently only counts len(stack) * 100, so a 100MB string counts as 100 bytes.
  • Add max_string_length parameter to Context - Allow users to configure maximum string size (default 10MB).
  • Add max_array_length parameter to Context - Allow users to configure maximum array length (default 1M elements).
  • Fix String.match() to use internal regex engine - Currently uses Python's re module which bypasses the safe regex VM.
  • Fix String.replace() to use internal regex engine - Currently uses Python's re module directly.
  • Fix String.search() to use internal regex engine - Currently uses Python's re module directly.
  • Fix String.split(regex) to use internal regex engine - Currently uses Python's re module directly.
  • Add JS-level recursion limit - Currently relies on Python's recursion limit. Add configurable max_recursion_depth parameter.
  • Convert regex parser to iterative - Deep nesting like (((((... causes Python RecursionError. (Noted in open-problems.md)
  • Consider freezing built-in prototypes - Object.prototype.x = 1 currently succeeds and affects all objects.
  • Add max_json_depth parameter - Limit JSON.parse nesting depth to prevent stack overflow.
  • Add max_object_keys parameter - Limit number of keys in objects.
  • Document security limitations prominently - Users should know this is not a complete sandbox for untrusted code.
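The first two items describe a proxy that hides a Python callable's attributes from the sandbox while still letting it be called. The following is an added example of such a wrapper, not micro-javascript's own code; `expose()` is a hypothetical stand-in for whatever API registers a function with the Context, and it assumes the VM resolves JS property access on Python objects through ordinary attribute lookup (getattr) and exposes no `type()` equivalent.

```python
class SandboxAttributeError(AttributeError):
    """Raised when sandboxed code tries to introspect a wrapped callable."""


class SafeCallable:
    """Opaque proxy: the only thing sandboxed code can do with it is call it."""

    __slots__ = ("_fn",)

    def __init__(self, fn):
        if not callable(fn):
            raise TypeError("SafeCallable can only wrap callables")
        object.__setattr__(self, "_fn", fn)

    def __call__(self, *args, **kwargs):
        # An implicit call resolves __call__ on the type, so it is not blocked below.
        fn = object.__getattribute__(self, "_fn")
        # Callables passed as arguments are wrapped too, so the callee cannot
        # introspect them; a callable returned to the caller is wrapped likewise.
        args = tuple(wrap_value(a) for a in args)
        kwargs = {k: wrap_value(v) for k, v in kwargs.items()}
        return wrap_value(fn(*args, **kwargs))

    def __getattribute__(self, name):
        # Refuse every attribute, including __class__, __dict__ and __globals__,
        # rather than keeping a deny-list that a newly exposed name could bypass.
        raise SandboxAttributeError(f"attribute access blocked on sandboxed callable: {name!r}")

    def __setattr__(self, name, value):
        raise SandboxAttributeError(f"attribute assignment blocked on sandboxed callable: {name!r}")

    def __delattr__(self, name):
        raise SandboxAttributeError(f"attribute deletion blocked on sandboxed callable: {name!r}")


def wrap_value(value):
    """Wrap bare Python callables crossing the sandbox boundary; pass other values through."""
    if isinstance(value, SafeCallable):
        return value
    if callable(value):
        return SafeCallable(value)
    return value


def expose(fn):
    """Hypothetical helper: what a Context would hand to the VM instead of the raw function."""
    return SafeCallable(fn)
```

Because SandboxAttributeError subclasses AttributeError, `hasattr()` and `getattr()` with a default keep working on the proxy, so host-side code that feature-tests a callable degrades gracefully instead of crashing.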

Labels: sandbox (Sandboxing to safely run untrusted code)
