diff --git a/.gitignore b/.gitignore
index 0c12749..d348f14 100644
--- a/.gitignore
+++ b/.gitignore
@@ -98,3 +98,8 @@ docs/docs.backup.json
 
 **/.cache/
 perf-results.json
+
+# Playwright
+test-results/
+playwright-report/
+libs/browser/e2e/fixtures/enclave-browser-bundle.mjs
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 0000000..e88eed3
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,13 @@
+# CLAUDE.md
+
+## Verification
+
+After every code change, the following commands must all pass before considering the work complete:
+
+```bash
+pnpm lint
+pnpm format:check
+pnpm build
+```
+
+Run these from the repository root. Use `npx nx` to target individual projects (e.g., `npx nx build browser`).
diff --git a/apps/browser-demo/.gitignore b/apps/browser-demo/.gitignore
new file mode 100644
index 0000000..81112ee
--- /dev/null
+++ b/apps/browser-demo/.gitignore
@@ -0,0 +1,2 @@
+# Generated enclave bundle
+vendor/enclave-browser-bundle.mjs
diff --git a/apps/browser-demo/eslint.config.mjs b/apps/browser-demo/eslint.config.mjs
new file mode 100644
index 0000000..a23f0f2
--- /dev/null
+++ b/apps/browser-demo/eslint.config.mjs
@@ -0,0 +1,8 @@
+import baseConfig from '../../eslint.config.mjs';
+
+export default [
+  ...baseConfig,
+  {
+    ignores: ['vendor/**'],
+  },
+];
diff --git a/apps/browser-demo/index.html b/apps/browser-demo/index.html
new file mode 100644
index 0000000..884661d
--- /dev/null
+++ b/apps/browser-demo/index.html
@@ -0,0 +1,12 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Browser Enclave Demo</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>
diff --git a/apps/browser-demo/package.json b/apps/browser-demo/package.json
new file mode 100644
index 0000000..24e3bec
--- /dev/null
+++ b/apps/browser-demo/package.json
@@ -0,0 +1,23 @@
+{
+  "name": "browser-demo",
+  "version": "0.0.1",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "prebuild": "node scripts/build-enclave-bundle.mjs",
+    "dev": "vite",
+    "build": "vite build"
+  },
+  "dependencies": {
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0"
+  },
+  "devDependencies": {
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
+    "@vitejs/plugin-react": "^4.5.2",
+    "esbuild": "^0.25.0",
+    "typescript": "~5.9.3",
+    "vite": "^6.3.5"
+  }
+}
diff --git a/apps/browser-demo/project.json b/apps/browser-demo/project.json
new file mode 100644
index 0000000..a99a3c2
--- /dev/null
+++ b/apps/browser-demo/project.json
@@ -0,0 +1,28 @@
+{
+  "name": "browser-demo",
+  "sourceRoot": "apps/browser-demo/src",
+  "projectType": "application",
+  "targets": {
+    "prebuild": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "node apps/browser-demo/scripts/build-enclave-bundle.mjs"
+      }
+    },
+    "serve": {
+      "executor": "nx:run-commands",
+      "dependsOn": ["prebuild"],
+      "options": {
+        "command": "npx vite --config apps/browser-demo/vite.config.ts"
+      }
+    },
+    "build": {
+      "executor": "nx:run-commands",
+      "dependsOn": ["prebuild"],
+      "options": {
+        "command": "npx vite build --config apps/browser-demo/vite.config.ts"
+      },
+      "outputs": ["{workspaceRoot}/dist/apps/browser-demo"]
+    }
+  }
+}
diff --git a/apps/browser-demo/scripts/buffer-shim.mjs b/apps/browser-demo/scripts/buffer-shim.mjs
new file mode 100644
index 0000000..ada14ad
--- /dev/null
+++ b/apps/browser-demo/scripts/buffer-shim.mjs
@@ -0,0 +1,13 @@
+/**
+ * Minimal Buffer shim for the browser test bundle.
+ * Only provides Buffer.byteLength which is used by @enclave-vm/ast's size-check.
+ */
+const encoder = new TextEncoder();
+
+if (typeof globalThis.Buffer === 'undefined') {
+  globalThis.Buffer = {
+    byteLength(str) {
+      return encoder.encode(String(str)).byteLength;
+    },
+  };
+}
diff --git a/apps/browser-demo/scripts/build-enclave-bundle.mjs b/apps/browser-demo/scripts/build-enclave-bundle.mjs
new file mode 100644
index 0000000..16ed3fe
--- /dev/null
+++ b/apps/browser-demo/scripts/build-enclave-bundle.mjs
@@ -0,0 +1,30 @@
+/**
+ * Build a self-contained ESM bundle of @enclave-vm/browser for the demo app.
+ *
+ * Inlines all dependencies (ast, acorn, astring, zod) into a single ESM file.
+ * Output goes to vendor/ so Vite can import it as a normal module.
+ */
+
+import { build } from 'esbuild';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const root = path.resolve(__dirname, '../../..');
+
+await build({
+  entryPoints: [path.resolve(root, 'libs/browser/src/index.ts')],
+  bundle: true,
+  format: 'esm',
+  outfile: path.resolve(__dirname, '../vendor/enclave-browser-bundle.mjs'),
+  platform: 'browser',
+  target: 'es2022',
+  external: [],
+  alias: {
+    '@enclave-vm/ast': path.resolve(root, 'libs/ast/src/index.ts'),
+  },
+  inject: [path.resolve(__dirname, 'buffer-shim.mjs')],
+  sourcemap: false,
+  minify: false,
+  logLevel: 'info',
+});
diff --git a/apps/browser-demo/src/App.css b/apps/browser-demo/src/App.css
new file mode 100644
index 0000000..9d3f820
--- /dev/null
+++ b/apps/browser-demo/src/App.css
@@ -0,0 +1,488 @@
+/* ── Reset & Base ── */
+*,
+*::before,
+*::after {
+  box-sizing: border-box;
+  margin: 0;
+  padding: 0;
+}
+
+:root {
+  --bg: #1a1a2e;
+  --bg-panel: #16213e;
+  --bg-input: #0f172a;
+  --bg-hover: #1e3a5f;
+  --text: #eee;
+  --text-dim: #94a3b8;
+  --accent: #4fc3f7;
+  --accent-hover: #81d4fa;
+  --success: #81c784;
+  --warning: #ffb74d;
+  --error: #ef5350;
+  --border: #334155;
+  --radius: 6px;
+}
+
+html,
+body {
+  height: 100%;
+  font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+  background: var(--bg);
+  color: var(--text);
+  line-height: 1.5;
+}
+
+#root {
+  height: 100%;
+}
+
+/* ── App Layout ── */
+.app {
+  display: flex;
+  flex-direction: column;
+  height: 100%;
+  max-width: 1440px;
+  margin: 0 auto;
+  padding: 16px 24px;
+}
+
+.app-header {
+  text-align: center;
+  padding-bottom: 16px;
+  border-bottom: 1px solid var(--border);
+  margin-bottom: 16px;
+}
+
+.app-header h1 {
+  font-size: 1.5rem;
+  color: var(--accent);
+  font-weight: 600;
+}
+
+.app-subtitle {
+  color: var(--text-dim);
+  font-size: 0.85rem;
+}
+
+.app-main {
+  display: grid;
+  grid-template-columns: 240px 1fr 360px;
+  gap: 16px;
+  flex: 1;
+  min-height: 0;
+  overflow: hidden;
+}
+
+/* ── Panels ── */
+.left-panel,
+.right-panel {
+  display: flex;
+  flex-direction: column;
+  gap: 12px;
+  overflow-y: auto;
+}
+
+.center-panel {
+  display: flex;
+  flex-direction: column;
+  gap: 12px;
+  min-height: 0;
+}
+
+/* ── Section Label ── */
+.section-label {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  font-size: 0.75rem;
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+  color: var(--text-dim);
+  margin-bottom: 6px;
+  font-weight: 600;
+}
+
+/* ── Security Picker ── */
+.security-picker {
+  background: var(--bg-panel);
+  padding: 12px;
+  border-radius: var(--radius);
+  border: 1px solid var(--border);
+}
+
+.segmented-buttons {
+  display: flex;
+  gap: 0;
+  border: 1px solid var(--border);
+  border-radius: var(--radius);
+  overflow: hidden;
+}
+
+.seg-btn {
+  flex: 1;
+  padding: 6px 2px;
+  background: transparent;
+  color: var(--text-dim);
+  border: none;
+  cursor: pointer;
+  font-size: 0.7rem;
+  font-weight: 500;
+  transition:
+    background-color 0.15s,
+    color 0.15s;
+}
+
+.seg-btn:not(:last-child) {
+  border-right: 1px solid var(--border);
+}
+
+.seg-btn:hover:not(:disabled) {
+  background: var(--bg-hover);
+}
+
+.seg-btn.active {
+  background: var(--accent);
+  color: #000;
+  font-weight: 700;
+}
+
+.seg-btn:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.security-desc {
+  display: block;
+  font-size: 0.7rem;
+  color: var(--text-dim);
+  margin-top: 6px;
+}
+
+/* ── Tool Config ── */
+.tool-config {
+  background: var(--bg-panel);
+  padding: 12px;
+  border-radius: var(--radius);
+  border: 1px solid var(--border);
+}
+
+.toggle-label {
+  display: inline-flex;
+  align-items: center;
+  gap: 6px;
+  font-size: 0.75rem;
+  color: var(--text);
+  text-transform: none;
+  letter-spacing: normal;
+  font-weight: normal;
+  cursor: pointer;
+}
+
+.toggle-label input[type='checkbox'] {
+  accent-color: var(--accent);
+}
+
+.tool-list {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+  margin-top: 8px;
+}
+
+.tool-item {
+  display: flex;
+  flex-direction: column;
+  padding: 6px 8px;
+  background: var(--bg-input);
+  border-radius: 4px;
+  font-size: 0.75rem;
+}
+
+.tool-item code {
+  color: var(--accent);
+  font-weight: 500;
+}
+
+.tool-desc {
+  color: var(--text-dim);
+  font-size: 0.7rem;
+}
+
+/* ── Examples ── */
+.examples {
+  background: var(--bg-panel);
+  padding: 12px;
+  border-radius: var(--radius);
+  border: 1px solid var(--border);
+}
+
+.example-group {
+  margin-bottom: 8px;
+}
+
+.example-category {
+  display: block;
+  font-size: 0.65rem;
+  text-transform: uppercase;
+  color: var(--text-dim);
+  margin-bottom: 4px;
+  letter-spacing: 0.05em;
+}
+
+.example-btn {
+  display: inline-block;
+  padding: 3px 8px;
+  margin: 2px;
+  background: var(--bg-input);
+  color: var(--text);
+  border: 1px solid var(--border);
+  border-radius: 4px;
+  cursor: pointer;
+  font-size: 0.72rem;
+  transition:
+    border-color 0.15s,
+    color 0.15s;
+}
+
+.example-btn:hover:not(:disabled) {
+  border-color: var(--accent);
+  color: var(--accent);
+}
+
+.example-btn:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+/* ── Code Editor ── */
+.code-editor {
+  flex: 1;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
+}
+
+.code-textarea {
+  flex: 1;
+  min-height: 200px;
+  padding: 12px;
+  background: var(--bg-input);
+  color: var(--text);
+  border: 1px solid var(--border);
+  border-radius: var(--radius);
+  font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', Menlo, Consolas, monospace;
+  font-size: 0.85rem;
+  line-height: 1.6;
+  resize: none;
+  outline: none;
+  tab-size: 2;
+}
+
+.code-textarea:focus {
+  border-color: var(--accent);
+}
+
+.code-textarea:focus-visible {
+  outline: 2px solid var(--accent);
+  outline-offset: -2px;
+}
+
+.code-textarea:disabled {
+  opacity: 0.6;
+}
+
+/* ── Execution Controls ── */
+.execution-controls {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+}
+
+.run-btn {
+  padding: 8px 32px;
+  background: var(--accent);
+  color: #000;
+  border: none;
+  border-radius: var(--radius);
+  font-weight: 700;
+  font-size: 0.9rem;
+  cursor: pointer;
+  transition: background-color 0.15s;
+}
+
+.run-btn:hover:not(:disabled) {
+  background: var(--accent-hover);
+}
+
+.run-btn:disabled {
+  opacity: 0.5;
+  cursor: not-allowed;
+}
+
+.status-indicator {
+  font-size: 0.75rem;
+  font-weight: 500;
+}
+
+.status-ready {
+  color: var(--success);
+}
+
+.status-loading {
+  color: var(--warning);
+}
+
+.status-initializing {
+  color: var(--warning);
+}
+
+.status-error {
+  color: var(--error);
+}
+
+/* ── Result Display ── */
+.result-display {
+  background: var(--bg-panel);
+  padding: 12px;
+  border-radius: var(--radius);
+  border: 1px solid var(--border);
+}
+
+.result-empty,
+.console-empty,
+.stats-empty {
+  color: var(--text-dim);
+  font-size: 0.8rem;
+  font-style: italic;
+}
+
+.result-content {
+  padding: 8px;
+  border-radius: 4px;
+}
+
+.result-success {
+  border-left: 3px solid var(--success);
+  background: rgba(129, 199, 132, 0.08);
+}
+
+.result-error {
+  border-left: 3px solid var(--error);
+  background: rgba(239, 83, 80, 0.08);
+}
+
+.result-error-name {
+  color: var(--error);
+  font-weight: 700;
+  font-size: 0.85rem;
+  margin-bottom: 4px;
+}
+
+.result-pre {
+  font-family: 'SF Mono', 'Fira Code', Menlo, Consolas, monospace;
+  font-size: 0.8rem;
+  white-space: pre-wrap;
+  overflow-wrap: anywhere;
+  margin: 0;
+}
+
+/* ── Console Output ── */
+.console-output {
+  background: var(--bg-panel);
+  padding: 12px;
+  border-radius: var(--radius);
+  border: 1px solid var(--border);
+}
+
+.console-entries {
+  max-height: 200px;
+  overflow-y: auto;
+}
+
+.console-entry {
+  display: flex;
+  gap: 8px;
+  padding: 3px 6px;
+  font-family: 'SF Mono', 'Fira Code', Menlo, Consolas, monospace;
+  font-size: 0.75rem;
+  border-bottom: 1px solid rgba(51, 65, 85, 0.4);
+}
+
+.console-level {
+  font-weight: 600;
+  flex-shrink: 0;
+}
+
+.console-msg {
+  overflow-wrap: anywhere;
+}
+
+.console-log .console-level {
+  color: var(--text-dim);
+}
+
+.console-info .console-level {
+  color: var(--accent);
+}
+
+.console-warn .console-level {
+  color: var(--warning);
+}
+
+.console-error .console-level {
+  color: var(--error);
+}
+
+/* ── Stats Panel ── */
+.stats-panel {
+  background: var(--bg-panel);
+  padding: 12px;
+  border-radius: var(--radius);
+  border: 1px solid var(--border);
+}
+
+.stats-grid {
+  display: grid;
+  grid-template-columns: 1fr 1fr 1fr;
+  gap: 8px;
+}
+
+.stat-item {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  padding: 8px;
+  background: var(--bg-input);
+  border-radius: 4px;
+}
+
+.stat-label {
+  font-size: 0.65rem;
+  text-transform: uppercase;
+  color: var(--text-dim);
+  letter-spacing: 0.03em;
+}
+
+.stat-value {
+  font-size: 1.1rem;
+  font-weight: 700;
+  color: var(--accent);
+  font-family: 'SF Mono', Menlo, Consolas, monospace;
+}
+
+/* ── Responsive ── */
+@media (max-width: 960px) {
+  .app-main {
+    grid-template-columns: 1fr;
+    overflow-y: auto;
+  }
+
+  .left-panel,
+  .right-panel {
+    overflow-y: visible;
+  }
+
+  .code-textarea {
+    min-height: 150px;
+  }
+}
diff --git a/apps/browser-demo/src/App.tsx b/apps/browser-demo/src/App.tsx
new file mode 100644
index 0000000..e25beff
--- /dev/null
+++ b/apps/browser-demo/src/App.tsx
@@ -0,0 +1,124 @@
+import { useState, useCallback, useMemo } from 'react';
+import { useEnclave } from './hooks/use-enclave';
+import { useConsoleCapture } from './hooks/use-console-capture';
+import { createToolHandler, mockTools } from './data/mock-tools';
+import { CodeEditor } from './components/CodeEditor';
+import { SecurityLevelPicker } from './components/SecurityLevelPicker';
+import { ExampleSnippets } from './components/ExampleSnippets';
+import { ToolHandlerConfig } from './components/ToolHandlerConfig';
+import { ExecutionControls } from './components/ExecutionControls';
+import { ConsoleOutput } from './components/ConsoleOutput';
+import { ResultDisplay } from './components/ResultDisplay';
+import { StatsPanel } from './components/StatsPanel';
+import type { SecurityLevel, ConsoleEntry, ExecutionStats, DemoExecutionResult } from './types';
+
+export function App() {
+  const [code, setCode] = useState('return 2 + 2;');
+  const [securityLevel, setSecurityLevel] = useState<SecurityLevel>('STANDARD');
+  const [toolsEnabled, setToolsEnabled] = useState(false);
+  const [running, setRunning] = useState(false);
+  const [result, setResult] = useState<DemoExecutionResult | null>(null);
+  const [consoleEntries, setConsoleEntries] = useState<ConsoleEntry[]>([]);
+  const [stats, setStats] = useState<ExecutionStats | null>(null);
+
+  const toolHandler = useMemo(() => (toolsEnabled ? createToolHandler(mockTools) : undefined), [toolsEnabled]);
+
+  const {
+    ready,
+    loading: enclaveLoading,
+    error: enclaveError,
+    run,
+  } = useEnclave({
+    securityLevel,
+    toolHandler,
+  });
+
+  const { startCapture, stopCapture } = useConsoleCapture();
+
+  const resetExecutionState = useCallback(() => {
+    setResult(null);
+    setConsoleEntries([]);
+    setStats(null);
+  }, []);
+
+  const handleRun = useCallback(async () => {
+    if (!ready || running) return;
+    setRunning(true);
+    resetExecutionState();
+
+    try {
+      startCapture();
+      const execResult = await run(code);
+      setResult(execResult);
+      if (execResult.stats) {
+        setStats({
+          duration: execResult.stats.duration,
+          toolCallCount: execResult.stats.toolCallCount,
+          iterationCount: execResult.stats.iterationCount,
+        });
+      }
+    } catch (err) {
+      const zeroStats = { duration: 0, toolCallCount: 0, iterationCount: 0 };
+      setResult({
+        success: false,
+        error: {
+          name: err instanceof Error ? err.name : 'AppError',
+          message: err instanceof Error ? err.message : String(err),
+        },
+        stats: zeroStats,
+      });
+      setStats(zeroStats);
+    } finally {
+      let captured: ConsoleEntry[] = [];
+      try {
+        captured = stopCapture();
+      } catch (_err) {
+        /* stopCapture failure should not block UI reset */
+      }
+      setConsoleEntries(captured);
+      setRunning(false);
+    }
+  }, [ready, running, code, run, startCapture, stopCapture, resetExecutionState]);
+
+  const handleExampleSelect = useCallback(
+    (exampleCode: string) => {
+      setCode(exampleCode);
+      resetExecutionState();
+    },
+    [resetExecutionState],
+  );
+
+  return (
+    <div className="app">
+      <header className="app-header">
+        <h1>@enclave-vm/browser Demo</h1>
+        <p className="app-subtitle">Sandboxed JavaScript execution using double iframe isolation</p>
+      </header>
+
+      <main className="app-main">
+        <div className="left-panel">
+          <SecurityLevelPicker value={securityLevel} onChange={setSecurityLevel} disabled={running} />
+          <ToolHandlerConfig enabled={toolsEnabled} onToggle={setToolsEnabled} disabled={running} />
+          <ExampleSnippets onSelect={handleExampleSelect} disabled={running} />
+        </div>
+
+        <div className="center-panel">
+          <CodeEditor value={code} onChange={setCode} disabled={running} />
+          <ExecutionControls
+            onRun={handleRun}
+            running={running}
+            ready={ready}
+            enclaveLoading={enclaveLoading}
+            enclaveError={enclaveError}
+          />
+        </div>
+
+        <div className="right-panel">
+          <ResultDisplay result={result} />
+          <ConsoleOutput entries={consoleEntries} />
+          <StatsPanel stats={stats} />
+        </div>
+      </main>
+    </div>
+  );
+}
diff --git a/apps/browser-demo/src/components/CodeEditor.tsx b/apps/browser-demo/src/components/CodeEditor.tsx
new file mode 100644
index 0000000..103f46a
--- /dev/null
+++ b/apps/browser-demo/src/components/CodeEditor.tsx
@@ -0,0 +1,21 @@
+interface CodeEditorProps {
+  value: string;
+  onChange: (value: string) => void;
+  disabled?: boolean;
+}
+
+export function CodeEditor({ value, onChange, disabled }: CodeEditorProps) {
+  return (
+    <div className="code-editor">
+      <label className="section-label">Code</label>
+      <textarea
+        className="code-textarea"
+        value={value}
+        onChange={(e) => onChange(e.target.value)}
+        disabled={disabled}
+        spellCheck={false}
+        placeholder="Enter AgentScript code..."
+      />
+    </div>
+  );
+}
diff --git a/apps/browser-demo/src/components/ConsoleOutput.tsx b/apps/browser-demo/src/components/ConsoleOutput.tsx
new file mode 100644
index 0000000..0505009
--- /dev/null
+++ b/apps/browser-demo/src/components/ConsoleOutput.tsx
@@ -0,0 +1,38 @@
+import type { ConsoleEntry } from '../types';
+
+interface ConsoleOutputProps {
+  entries: ConsoleEntry[];
+}
+
+const LEVEL_CLASS: Record<string, string> = {
+  log: 'console-log',
+  info: 'console-info',
+  warn: 'console-warn',
+  error: 'console-error',
+};
+
+function formatArg(arg: unknown): string {
+  if (typeof arg === 'string') return arg;
+  try {
+    return JSON.stringify(arg, null, 2);
+  } catch {
+    return String(arg);
+  }
+}
+
+export function ConsoleOutput({ entries }: ConsoleOutputProps) {
+  return (
+    <div className="console-output">
+      <label className="section-label">Console ({entries.length})</label>
+      <div className="console-entries">
+        {entries.length === 0 && <div className="console-empty">No console output</div>}
+        {entries.map((entry) => (
+          <div key={entry.id} className={`console-entry ${LEVEL_CLASS[entry.level] ?? ''}`}>
+            <span className="console-level">[{entry.level.toUpperCase()}]</span>
+            <span className="console-msg">{entry.args.map(formatArg).join(' ')}</span>
+          </div>
+        ))}
+      </div>
+    </div>
+  );
+}
diff --git a/apps/browser-demo/src/components/ExampleSnippets.tsx b/apps/browser-demo/src/components/ExampleSnippets.tsx
new file mode 100644
index 0000000..0fe89c9
--- /dev/null
+++ b/apps/browser-demo/src/components/ExampleSnippets.tsx
@@ -0,0 +1,36 @@
+import { examples } from '../data/examples';
+
+interface ExampleSnippetsProps {
+  onSelect: (code: string) => void;
+  disabled?: boolean;
+}
+
+const CATEGORIES = ['Basic', 'Async', 'Tools', 'Security'] as const;
+
+export function ExampleSnippets({ onSelect, disabled }: ExampleSnippetsProps) {
+  return (
+    <div className="examples">
+      <label className="section-label">Examples</label>
+      {CATEGORIES.map((category) => {
+        const items = examples.filter((e) => e.category === category);
+        if (items.length === 0) return null;
+        return (
+          <div key={category} className="example-group">
+            <span className="example-category">{category}</span>
+            {items.map((ex) => (
+              <button
+                key={ex.label}
+                className="example-btn"
+                onClick={() => onSelect(ex.code)}
+                disabled={disabled}
+                title={ex.description}
+              >
+                {ex.label}
+              </button>
+            ))}
+          </div>
+        );
+      })}
+    </div>
+  );
+}
diff --git a/apps/browser-demo/src/components/ExecutionControls.tsx b/apps/browser-demo/src/components/ExecutionControls.tsx
new file mode 100644
index 0000000..b600c16
--- /dev/null
+++ b/apps/browser-demo/src/components/ExecutionControls.tsx
@@ -0,0 +1,30 @@
+interface ExecutionControlsProps {
+  onRun: () => void;
+  running: boolean;
+  ready: boolean;
+  enclaveLoading: boolean;
+  enclaveError: string | null;
+}
+
+export function ExecutionControls({ onRun, running, ready, enclaveLoading, enclaveError }: ExecutionControlsProps) {
+  const canRun = ready && !running;
+
+  const status = enclaveLoading ? 'loading' : enclaveError ? 'error' : ready ? 'ready' : 'initializing';
+
+  const statusText = enclaveLoading
+    ? 'Loading enclave...'
+    : enclaveError
+      ? `Error: ${enclaveError}`
+      : ready
+        ? 'Ready'
+        : 'Initializing...';
+
+  return (
+    <div className="execution-controls">
+      <button className="run-btn" onClick={onRun} disabled={!canRun}>
+        {running ? 'Running...' : 'Run'}
+      </button>
+      <span className={`status-indicator status-${status}`}>{statusText}</span>
+    </div>
+  );
+}
diff --git a/apps/browser-demo/src/components/ResultDisplay.tsx b/apps/browser-demo/src/components/ResultDisplay.tsx
new file mode 100644
index 0000000..4cea0c8
--- /dev/null
+++ b/apps/browser-demo/src/components/ResultDisplay.tsx
@@ -0,0 +1,45 @@
+import type { DemoExecutionResult } from '../types';
+
+interface ResultDisplayProps {
+  result: DemoExecutionResult | null;
+}
+
+function formatValue(value: unknown): string {
+  if (value === undefined) return 'undefined';
+  if (value === null) return 'null';
+  if (typeof value === 'string') return value;
+  try {
+    return JSON.stringify(value, null, 2);
+  } catch {
+    return String(value);
+  }
+}
+
+export function ResultDisplay({ result }: ResultDisplayProps) {
+  if (!result) {
+    return (
+      <div className="result-display">
+        <label className="section-label">Result</label>
+        <div className="result-empty">Run code to see results</div>
+      </div>
+    );
+  }
+
+  const isError = !result.success;
+
+  return (
+    <div className="result-display">
+      <label className="section-label">Result</label>
+      <div className={`result-content ${isError ? 'result-error' : 'result-success'}`}>
+        {isError ? (
+          <>
+            <div className="result-error-name">{result.error?.name ?? 'Error'}</div>
+            <pre className="result-pre">{result.error?.message ?? 'Unknown error'}</pre>
+          </>
+        ) : (
+          <pre className="result-pre">{formatValue(result.value)}</pre>
+        )}
+      </div>
+    </div>
+  );
+}
diff --git a/apps/browser-demo/src/components/SecurityLevelPicker.tsx b/apps/browser-demo/src/components/SecurityLevelPicker.tsx
new file mode 100644
index 0000000..e141281
--- /dev/null
+++ b/apps/browser-demo/src/components/SecurityLevelPicker.tsx
@@ -0,0 +1,38 @@
+import type { SecurityLevel } from '../types';
+
+const LEVELS: SecurityLevel[] = ['STRICT', 'SECURE', 'STANDARD', 'PERMISSIVE'];
+
+const DESCRIPTIONS: Record<SecurityLevel, string> = {
+  STRICT: 'Max restrictions, 1K iterations, 5s timeout',
+  SECURE: 'Balanced security, 5K iterations, 15s timeout',
+  STANDARD: 'Default, 10K iterations, unbounded loops',
+  PERMISSIVE: 'Minimal restrictions, 100K iterations',
+};
+
+interface SecurityLevelPickerProps {
+  value: SecurityLevel;
+  onChange: (level: SecurityLevel) => void;
+  disabled?: boolean;
+}
+
+export function SecurityLevelPicker({ value, onChange, disabled }: SecurityLevelPickerProps) {
+  return (
+    <div className="security-picker">
+      <label className="section-label">Security Level</label>
+      <div className="segmented-buttons">
+        {LEVELS.map((level) => (
+          <button
+            key={level}
+            className={`seg-btn ${value === level ? 'active' : ''}`}
+            onClick={() => onChange(level)}
+            disabled={disabled}
+            title={DESCRIPTIONS[level]}
+          >
+            {level}
+          </button>
+        ))}
+      </div>
+      <span className="security-desc">{DESCRIPTIONS[value]}</span>
+    </div>
+  );
+}
diff --git a/apps/browser-demo/src/components/StatsPanel.tsx b/apps/browser-demo/src/components/StatsPanel.tsx
new file mode 100644
index 0000000..652389d
--- /dev/null
+++ b/apps/browser-demo/src/components/StatsPanel.tsx
@@ -0,0 +1,31 @@
+import type { ExecutionStats } from '../types';
+
+interface StatsPanelProps {
+  stats: ExecutionStats | null;
+}
+
+export function StatsPanel({ stats }: StatsPanelProps) {
+  return (
+    <div className="stats-panel">
+      <label className="section-label">Stats</label>
+      {!stats ? (
+        <div className="stats-empty">No execution stats yet</div>
+      ) : (
+        <div className="stats-grid">
+          <div className="stat-item">
+            <span className="stat-label">Duration</span>
+            <span className="stat-value">{stats.duration}ms</span>
+          </div>
+          <div className="stat-item">
+            <span className="stat-label">Tool Calls</span>
+            <span className="stat-value">{stats.toolCallCount}</span>
+          </div>
+          <div className="stat-item">
+            <span className="stat-label">Iterations</span>
+            <span className="stat-value">{stats.iterationCount}</span>
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}
diff --git a/apps/browser-demo/src/components/ToolHandlerConfig.tsx b/apps/browser-demo/src/components/ToolHandlerConfig.tsx
new file mode 100644
index 0000000..97b5805
--- /dev/null
+++ b/apps/browser-demo/src/components/ToolHandlerConfig.tsx
@@ -0,0 +1,31 @@
+import { mockTools } from '../data/mock-tools';
+
+interface ToolHandlerConfigProps {
+  enabled: boolean;
+  onToggle: (enabled: boolean) => void;
+  disabled?: boolean;
+}
+
+export function ToolHandlerConfig({ enabled, onToggle, disabled }: ToolHandlerConfigProps) {
+  return (
+    <div className="tool-config">
+      <div className="section-label">
+        Tool Handler
+        <label className="toggle-label">
+          <input type="checkbox" checked={enabled} onChange={(e) => onToggle(e.target.checked)} disabled={disabled} />
+          <span>{enabled ? 'Enabled' : 'Disabled'}</span>
+        </label>
+      </div>
+      {enabled && (
+        <div className="tool-list">
+          {mockTools.map((tool) => (
+            <div key={tool.name} className="tool-item">
+              <code>{tool.name}</code>
+              <span className="tool-desc">{tool.description}</span>
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  );
+}
diff --git a/apps/browser-demo/src/data/examples.ts b/apps/browser-demo/src/data/examples.ts
new file mode 100644
index 0000000..ad3c01e
--- /dev/null
+++ b/apps/browser-demo/src/data/examples.ts
@@ -0,0 +1,64 @@
+import type { ExampleSnippet } from '../types';
+
+export const examples: ExampleSnippet[] = [
+  {
+    label: 'Arithmetic',
+    category: 'Basic',
+    code: 'return 2 + 2;',
+    description: 'Simple addition — returns 4',
+  },
+  {
+    label: 'Strings',
+    category: 'Basic',
+    code: 'return "hello".toUpperCase();',
+    description: 'String transformation',
+  },
+  {
+    label: 'Loop',
+    category: 'Basic',
+    code: 'let sum = 0;\nfor (let i = 0; i < 1000; i++) sum += i;\nreturn sum;',
+    description: 'Sum 0..999 in a loop — returns 499500',
+  },
+  {
+    label: 'Console',
+    category: 'Basic',
+    code: 'console.log("info message");\nconsole.warn("warning message");\nconsole.error("error message");\nreturn "check console";',
+    description: 'Logs to the sandboxed console',
+  },
+  {
+    label: 'Delay',
+    category: 'Async',
+    code: 'await new Promise(r => setTimeout(r, 100));\nreturn "done after 100ms";',
+    description: 'Async/await with setTimeout',
+  },
+  {
+    label: 'Single Tool Call',
+    category: 'Tools',
+    code: 'const result = await callTool("math:add", { a: 1, b: 2 });\nreturn result;',
+    description: 'Calls the math:add mock tool',
+  },
+  {
+    label: 'Chain Tools',
+    category: 'Tools',
+    code: 'const sum = await callTool("math:add", { a: 10, b: 20 });\nconst reversed = await callTool("string:reverse", { text: String(sum) });\nreturn { sum, reversed };',
+    description: 'Chains math:add then string:reverse',
+  },
+  {
+    label: 'eval() Blocked',
+    category: 'Security',
+    code: 'eval("1+1");',
+    description: 'eval is blocked by AST validation',
+  },
+  {
+    label: 'Prototype Escape',
+    category: 'Security',
+    code: 'const obj = {};\nreturn obj.constructor;',
+    description: 'Constructor access is blocked',
+  },
+  {
+    label: 'Infinite Loop',
+    category: 'Security',
+    code: 'while (true) {\n  // runs forever\n}',
+    description: 'Hits the iteration limit',
+  },
+];
diff --git a/apps/browser-demo/src/data/mock-tools.ts b/apps/browser-demo/src/data/mock-tools.ts
new file mode 100644
index 0000000..9003139
--- /dev/null
+++ b/apps/browser-demo/src/data/mock-tools.ts
@@ -0,0 +1,48 @@
+import type { MockTool } from '../types';
+
+export const mockTools: MockTool[] = [
+  {
+    name: 'math:add',
+    description: 'Adds two numbers (a + b)',
+    handler: async (args) => {
+      const a = Number(args.a ?? 0);
+      const b = Number(args.b ?? 0);
+      return a + b;
+    },
+  },
+  {
+    name: 'string:reverse',
+    description: 'Reverses a string',
+    handler: async (args) => {
+      const text = String(args.text ?? '');
+      return text.split('').reverse().join('');
+    },
+  },
+  {
+    name: 'data:fetch',
+    description: 'Returns mock data for a given key',
+    handler: async (args) => {
+      const key = String(args.key ?? 'default');
+      const data: Record<string, unknown> = {
+        users: [
+          { id: 1, name: 'Alice' },
+          { id: 2, name: 'Bob' },
+        ],
+        config: { theme: 'dark', version: '1.0' },
+        default: { message: 'No data found' },
+      };
+      return data[key] ?? data['default'];
+    },
+  },
+];
+
+export function createToolHandler(tools: MockTool[]) {
+  const toolMap = new Map(tools.map((t) => [t.name, t]));
+  return async (toolName: string, args: Record<string, unknown>) => {
+    const tool = toolMap.get(toolName);
+    if (!tool) {
+      throw new Error(`Unknown tool: ${toolName}`);
+    }
+    return tool.handler(args);
+  };
+}
diff --git a/apps/browser-demo/src/enclave-loader.ts b/apps/browser-demo/src/enclave-loader.ts
new file mode 100644
index 0000000..7445d3c
--- /dev/null
+++ b/apps/browser-demo/src/enclave-loader.ts
@@ -0,0 +1,15 @@
+/**
+ * Lazy loader for the pre-built @enclave-vm/browser bundle.
+ * The bundle is built by esbuild into vendor/enclave-browser-bundle.mjs
+ * and imported as a normal module by Vite.
+ */
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let cached: Promise<any> | null = null;
+
+export async function loadEnclaveModule() {
+  if (!cached) {
+    cached = import('../vendor/enclave-browser-bundle.mjs');
+  }
+  return cached;
+}
diff --git a/apps/browser-demo/src/hooks/use-console-capture.ts b/apps/browser-demo/src/hooks/use-console-capture.ts
new file mode 100644
index 0000000..c6c1f6b
--- /dev/null
+++ b/apps/browser-demo/src/hooks/use-console-capture.ts
@@ -0,0 +1,59 @@
+import { useRef, useCallback } from 'react';
+import type { ConsoleEntry, ConsoleLevel } from '../types';
+
+const ENCLAVE_PREFIX = '[Enclave]';
+
+let nextId = 0;
+
+export function useConsoleCapture() {
+  const entriesRef = useRef<ConsoleEntry[]>([]);
+  const originalsRef = useRef<Record<ConsoleLevel, (...args: unknown[]) => void> | null>(null);
+
+  const startCapture = useCallback(() => {
+    // If already capturing, restore originals first to avoid losing real console references
+    if (originalsRef.current) {
+      const levels: ConsoleLevel[] = ['log', 'info', 'warn', 'error'];
+      for (const level of levels) {
+        console[level] = originalsRef.current[level];
+      }
+      originalsRef.current = null;
+    }
+
+    entriesRef.current = [];
+
+    const levels: ConsoleLevel[] = ['log', 'info', 'warn', 'error'];
+    const originals = {} as Record<ConsoleLevel, (...args: unknown[]) => void>;
+
+    for (const level of levels) {
+      originals[level] = console[level].bind(console);
+      console[level] = (...args: unknown[]) => {
+        // Always pass through to real console
+        originals[level](...args);
+        // Capture only [Enclave] prefixed messages
+        if (args.length > 0 && args[0] === ENCLAVE_PREFIX) {
+          entriesRef.current.push({
+            id: nextId++,
+            level,
+            args: args.slice(1),
+            timestamp: Date.now(),
+          });
+        }
+      };
+    }
+
+    originalsRef.current = originals;
+  }, []);
+
+  const stopCapture = useCallback((): ConsoleEntry[] => {
+    if (originalsRef.current) {
+      const levels: ConsoleLevel[] = ['log', 'info', 'warn', 'error'];
+      for (const level of levels) {
+        console[level] = originalsRef.current[level];
+      }
+      originalsRef.current = null;
+    }
+    return [...entriesRef.current];
+  }, []);
+
+  return { startCapture, stopCapture };
+}
diff --git a/apps/browser-demo/src/hooks/use-enclave.ts b/apps/browser-demo/src/hooks/use-enclave.ts
new file mode 100644
index 0000000..f76c72f
--- /dev/null
+++ b/apps/browser-demo/src/hooks/use-enclave.ts
@@ -0,0 +1,78 @@
+import { useState, useEffect, useRef, useCallback } from 'react';
+import { loadEnclaveModule } from '../enclave-loader';
+import type { SecurityLevel } from '../types';
+
+interface UseEnclaveOptions {
+  securityLevel: SecurityLevel;
+  toolHandler?: (toolName: string, args: Record<string, unknown>) => Promise<unknown>;
+}
+
+export function useEnclave({ securityLevel, toolHandler }: UseEnclaveOptions) {
+  const [ready, setReady] = useState(false);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const enclaveRef = useRef<any>(null);
+  const toolHandlerRef = useRef(toolHandler);
+  toolHandlerRef.current = toolHandler;
+
+  useEffect(() => {
+    let disposed = false;
+
+    async function init() {
+      setLoading(true);
+      setReady(false);
+      setError(null);
+
+      // Dispose previous instance
+      if (enclaveRef.current) {
+        try {
+          enclaveRef.current.dispose();
+        } catch {
+          /* ignore */
+        }
+        enclaveRef.current = null;
+      }
+
+      try {
+        const mod = await loadEnclaveModule();
+        if (disposed) return;
+
+        enclaveRef.current = new mod.BrowserEnclave({
+          securityLevel,
+          toolHandler: toolHandlerRef.current,
+        });
+        setReady(true);
+      } catch (err) {
+        if (!disposed) {
+          setError(err instanceof Error ? err.message : String(err));
+        }
+      } finally {
+        if (!disposed) setLoading(false);
+      }
+    }
+
+    init();
+
+    return () => {
+      disposed = true;
+      if (enclaveRef.current) {
+        try {
+          enclaveRef.current.dispose();
+        } catch {
+          /* ignore */
+        }
+        enclaveRef.current = null;
+      }
+    };
+  }, [securityLevel, toolHandler]);
+
+  const run = useCallback(async (code: string) => {
+    if (!enclaveRef.current) {
+      throw new Error('Enclave not ready');
+    }
+    return enclaveRef.current.run(code);
+  }, []);
+
+  return { ready, loading, error, run };
+}
diff --git a/apps/browser-demo/src/main.tsx b/apps/browser-demo/src/main.tsx
new file mode 100644
index 0000000..43114f1
--- /dev/null
+++ b/apps/browser-demo/src/main.tsx
@@ -0,0 +1,11 @@
+import { StrictMode } from 'react';
+import { createRoot } from 'react-dom/client';
+import { App } from './App';
+import './App.css';
+
+// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+createRoot(document.getElementById('root')!).render(
+  <StrictMode>
+    <App />
+  </StrictMode>,
+);
diff --git a/apps/browser-demo/src/types.ts b/apps/browser-demo/src/types.ts
new file mode 100644
index 0000000..21764c3
--- /dev/null
+++ b/apps/browser-demo/src/types.ts
@@ -0,0 +1,36 @@
+export type ConsoleLevel = 'log' | 'info' | 'warn' | 'error';
+
+export interface ConsoleEntry {
+  id: number;
+  level: ConsoleLevel;
+  args: unknown[];
+  timestamp: number;
+}
+
+export type SecurityLevel = 'STRICT' | 'SECURE' | 'STANDARD' | 'PERMISSIVE';
+
+export interface ExampleSnippet {
+  label: string;
+  category: 'Basic' | 'Async' | 'Tools' | 'Security';
+  code: string;
+  description: string;
+}
+
+export interface MockTool {
+  name: string;
+  description: string;
+  handler: (args: Record<string, unknown>) => Promise<unknown>;
+}
+
+export interface ExecutionStats {
+  duration: number;
+  toolCallCount: number;
+  iterationCount: number;
+}
+
+export interface DemoExecutionResult {
+  success: boolean;
+  value?: unknown;
+  error?: { name: string; message: string; code?: string };
+  stats?: ExecutionStats;
+}
diff --git a/apps/browser-demo/tsconfig.app.json b/apps/browser-demo/tsconfig.app.json
new file mode 100644
index 0000000..42c9fa9
--- /dev/null
+++ b/apps/browser-demo/tsconfig.app.json
@@ -0,0 +1,12 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "../../dist/out-tsc",
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "jsx": "react-jsx",
+    "types": ["vite/client"]
+  },
+  "include": ["src/**/*.ts", "src/**/*.tsx"],
+  "exclude": ["**/*.spec.ts", "**/*.test.ts"]
+}
diff --git a/apps/browser-demo/tsconfig.json b/apps/browser-demo/tsconfig.json
new file mode 100644
index 0000000..478b12f
--- /dev/null
+++ b/apps/browser-demo/tsconfig.json
@@ -0,0 +1,10 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "files": [],
+  "include": [],
+  "references": [{ "path": "./tsconfig.app.json" }],
+  "compilerOptions": {
+    "esModuleInterop": true,
+    "jsx": "react-jsx"
+  }
+}
diff --git a/apps/browser-demo/vite.config.ts b/apps/browser-demo/vite.config.ts
new file mode 100644
index 0000000..d58a049
--- /dev/null
+++ b/apps/browser-demo/vite.config.ts
@@ -0,0 +1,15 @@
+import { defineConfig } from 'vite';
+import react from '@vitejs/plugin-react';
+
+export default defineConfig({
+  root: __dirname,
+  plugins: [react()],
+  server: {
+    port: 4200,
+    open: true,
+  },
+  build: {
+    outDir: '../../dist/apps/browser-demo',
+    emptyOutDir: true,
+  },
+});
diff --git a/docs/docs.json b/docs/docs.json
index ac3a985..8518a22 100644
--- a/docs/docs.json
+++ b/docs/docs.json
@@ -100,6 +100,16 @@
                   "enclave/core-libraries/enclave-vm/configuration"
                 ]
               },
+              {
+                "group": "@enclave-vm/browser",
+                "icon": "browser",
+                "pages": [
+                  "enclave/core-libraries/enclave-browser/overview",
+                  "enclave/core-libraries/enclave-browser/security-architecture",
+                  "enclave/core-libraries/enclave-browser/configuration",
+                  "enclave/core-libraries/enclave-browser/react-integration"
+                ]
+              },
               {
                 "group": "@enclave-vm/ast",
                 "icon": "shield-check",
diff --git a/docs/enclave/core-libraries/enclave-browser/configuration.mdx b/docs/enclave/core-libraries/enclave-browser/configuration.mdx
new file mode 100644
index 0000000..10b2b3b
--- /dev/null
+++ b/docs/enclave/core-libraries/enclave-browser/configuration.mdx
@@ -0,0 +1,183 @@
+---
+title: 'Configuration'
+description: 'Complete configuration reference for @enclave-vm/browser'
+---
+
+This page documents all configuration options for `@enclave-vm/browser`.
+
+## Quick Example
+
+```ts
+import { BrowserEnclave } from '@enclave-vm/browser';
+
+const enclave = new BrowserEnclave({
+  // Security level preset
+  securityLevel: 'SECURE',
+
+  // Core limits
+  timeout: 10000,
+  maxToolCalls: 50,
+  maxIterations: 5000,
+  memoryLimit: 2 * 1024 * 1024, // 2MB
+
+  // Tool handler
+  toolHandler: async (name, args) => {
+    return executeToolSafely(name, args);
+  },
+
+  // Additional options
+  globals: { context: { userId: 'user-123' } },
+  validate: true,
+  transform: true,
+});
+```
+
+## Core Options
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `securityLevel` | string | `'STANDARD'` | Preset: `STRICT`, `SECURE`, `STANDARD`, `PERMISSIVE` |
+| `preset` | string | `'agentscript'` | AST preset: `agentscript`, `strict`, `secure`, `standard`, `permissive` |
+| `timeout` | number | varies | Maximum execution time in milliseconds |
+| `maxToolCalls` | number | varies | Maximum tool calls per execution |
+| `maxIterations` | number | varies | Maximum loop iterations (per loop) |
+| `memoryLimit` | number | 1048576 | Memory limit in bytes (soft tracking) |
+| `toolHandler` | function | - | Async function that handles `callTool()` invocations |
+| `globals` | object | - | Additional globals available in the sandbox (JSON-serializable only) |
+| `validate` | boolean | `true` | Validate code with ast-guard before execution |
+| `transform` | boolean | `true` | Transform code before execution (AgentScript wrappers) |
+| `allowFunctionsInGlobals` | boolean | varies | Whether to allow functions in custom globals |
+
+## Console Limits
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `maxConsoleOutputBytes` | number | varies | Maximum total console output in bytes |
+| `maxConsoleCalls` | number | varies | Maximum number of console calls |
+
+## Security Level Comparison
+
+All "varies" defaults above depend on the selected security level:
+
+| Setting | STRICT | SECURE | STANDARD | PERMISSIVE |
+|---------|--------|--------|----------|------------|
+| `timeout` | 5000 | 15000 | 30000 | 60000 |
+| `maxIterations` | 1000 | 5000 | 10000 | 100000 |
+| `maxToolCalls` | 10 | 50 | 100 | 1000 |
+| `maxConsoleOutputBytes` | 64KB | 256KB | 1MB | 10MB |
+| `maxConsoleCalls` | 100 | 500 | 1000 | 10000 |
+| `maxSanitizeDepth` | 5 | 10 | 20 | 50 |
+| `maxSanitizeProperties` | 50 | 100 | 500 | 1000 |
+| `sanitizeStackTraces` | true | true | false | false |
+| `blockTimingAPIs` | true | false | false | false |
+| `allowUnboundedLoops` | false | false | true | true |
+| `unicodeSecurityCheck` | true | true | false | false |
+| `allowFunctionsInGlobals` | false | false | false | true |
+| `secureProxy.blockConstructor` | true | true | true | false |
+| `secureProxy.blockPrototype` | true | true | true | true |
+| `secureProxy.blockLegacyAccessors` | true | true | true | true |
+| `secureProxy.proxyMaxDepth` | 5 | 10 | 15 | 20 |
+| `secureProxy.throwOnBlocked` | true | true | true | false |
+
+## Secure Proxy Configuration
+
+Override proxy behavior for the current security level:
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `secureProxyConfig.blockConstructor` | boolean | varies | Block access to `.constructor` |
+| `secureProxyConfig.blockPrototype` | boolean | varies | Block access to `.__proto__` and `.prototype` |
+| `secureProxyConfig.blockLegacyAccessors` | boolean | varies | Block `__defineGetter__`, `__defineSetter__`, etc. |
+| `secureProxyConfig.proxyMaxDepth` | number | varies | Maximum nesting depth for proxy wrapping |
+| `secureProxyConfig.throwOnBlocked` | boolean | varies | Throw error vs return `undefined` on blocked access |
+
+```ts
+const enclave = new BrowserEnclave({
+  securityLevel: 'STANDARD',
+  secureProxyConfig: {
+    throwOnBlocked: false, // Return undefined instead of throwing
+    proxyMaxDepth: 5,      // Limit proxy nesting
+  },
+});
+```
+
+## Double Iframe Configuration
+
+Configure the outer iframe security barrier:
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `doubleIframe.enabled` | boolean | `true` | Enable double iframe isolation |
+| `doubleIframe.parentTimeoutBuffer` | number | `1000` | Extra timeout for outer iframe (ms) |
+| `doubleIframe.parentValidation.validateOperationNames` | boolean | `true` | Validate tool names |
+| `doubleIframe.parentValidation.allowedOperationPattern` | RegExp | - | Whitelist pattern for tool names |
+| `doubleIframe.parentValidation.blockedOperationPatterns` | RegExp[] | - | Blacklist patterns for tool names |
+| `doubleIframe.parentValidation.maxOperationsPerSecond` | number | `100` | Rate limit for tool calls |
+| `doubleIframe.parentValidation.blockSuspiciousSequences` | boolean | `true` | Detect multi-step attack patterns |
+| `doubleIframe.parentValidation.rapidEnumerationThreshold` | number | `30` | Same-operation repetition threshold |
+| `doubleIframe.parentValidation.rapidEnumerationOverrides` | object | `{}` | Per-operation threshold overrides |
+| `doubleIframe.parentValidation.suspiciousPatterns` | array | `[]` | Custom detection patterns |
+
+```ts
+const enclave = new BrowserEnclave({
+  doubleIframe: {
+    enabled: true,
+    parentTimeoutBuffer: 2000,
+    parentValidation: {
+      validateOperationNames: true,
+      allowedOperationPattern: /^[a-z]+:[a-z]+$/i,
+      blockedOperationPatterns: [/^admin:/i, /^system:/i],
+      maxOperationsPerSecond: 50,
+      blockSuspiciousSequences: true,
+    },
+  },
+});
+```
+
+### Built-in Suspicious Patterns
+
+These patterns are detected automatically when `blockSuspiciousSequences` is enabled:
+
+| Pattern | Description |
+|---------|-------------|
+| `EXFIL_LIST_SEND` | List/query operation followed by send/export |
+| `RAPID_ENUMERATION` | Same operation repeated beyond threshold in 5s window |
+| `CREDENTIAL_EXFIL` | Credential access followed by external operation |
+| `BULK_OPERATION` | Bulk/batch/mass/dump operations or unlimited queries |
+| `DELETE_AFTER_ACCESS` | Delete operation after data read (potential cover-up) |
+
+## Custom Globals
+
+Inject read-only data into the sandbox. Only JSON-serializable values are supported — functions cannot cross the iframe boundary.
+
+```ts
+const enclave = new BrowserEnclave({
+  globals: {
+    // These work (JSON-serializable)
+    config: { apiVersion: 'v2', maxRetries: 3 },
+    userId: 'user-123',
+    features: ['search', 'export'],
+
+    // These are silently skipped (not serializable)
+    // handler: () => {},       // function
+    // element: document.body,  // DOM node
+  },
+});
+
+// In sandboxed code:
+// const version = config.apiVersion; // 'v2'
+// const id = userId;                 // 'user-123'
+```
+
+<Warning>
+  Custom globals are only supported with the `agentscript` preset (the default). Using globals with other presets will throw an error.
+</Warning>
+
+Each custom global is also available with a `__safe_` prefix (e.g., `config` and `__safe_config`), matching the pattern used by AgentScript's code transformation.
+
+## Related
+
+- [Overview](/core-libraries/enclave-browser/overview) - Getting started
+- [Security Architecture](/core-libraries/enclave-browser/security-architecture) - Isolation model details
+- [@enclave-vm/core Configuration](/core-libraries/enclave-vm/configuration) - Node.js configuration reference
+- [Security Levels](/core-libraries/enclave-vm/security-levels) - Security preset details
diff --git a/docs/enclave/core-libraries/enclave-browser/overview.mdx b/docs/enclave/core-libraries/enclave-browser/overview.mdx
new file mode 100644
index 0000000..409a91c
--- /dev/null
+++ b/docs/enclave/core-libraries/enclave-browser/overview.mdx
@@ -0,0 +1,131 @@
+---
+title: 'Overview'
+description: 'Secure JavaScript execution in the browser using double iframe isolation — no server required'
+---
+
+`@enclave-vm/browser` brings Enclave's defense-in-depth security model to the browser. Instead of Node.js VM contexts, it uses a **double iframe architecture** with CSP isolation, prototype freezing, and secure proxies to safely execute untrusted and LLM-generated code entirely client-side.
+
+<CardGroup cols={3}>
+  <Card title="AST Validation" icon="shield-check">
+    Block dangerous constructs before execution using ast-guard's AgentScript preset
+  </Card>
+  <Card title="Code Transformation" icon="arrows-rotate">
+    Automatically transform code for safe execution with proxied functions and loop limits
+  </Card>
+  <Card title="Double Iframe Sandbox" icon="browser">
+    Execute in nested iframe isolation with CSP, sandbox attributes, and secure proxies
+  </Card>
+</CardGroup>
+
+## When to Use Browser Enclave
+
+- **Client-side AI code execution** — Run LLM-generated code in the browser without a server round-trip
+- **No server required** — All sandboxing happens in the browser via iframe isolation
+- **Interactive code playgrounds** — Build code editors with live execution and tool integration
+- **Edge and offline scenarios** — Execute sandboxed code without network connectivity
+- **Rapid prototyping** — Let users experiment with AgentScript in the browser
+
+## Browser vs Node.js
+
+| Feature | `@enclave-vm/core` | `@enclave-vm/browser` |
+|---------|--------------------|-----------------------|
+| **Runtime** | Node.js (`vm` module) | Browser (iframe `srcdoc`) |
+| **Isolation** | Double VM nesting | Double iframe nesting |
+| **Network blocking** | VM context restriction | CSP `default-src 'none'` |
+| **Eval blocking** | `codeGeneration: { strings: false }` | CSP blocks `eval`/`Function` |
+| **Worker pool** | `worker_threads` adapter | Not available |
+| **AI scoring gate** | Supported | Not available |
+| **Reference sidecar** | Supported | Not available |
+| **Memory tracking** | V8 heap stats | Soft estimation (String/Array hooks) |
+| **AST validation** | Same (`@enclave-vm/ast`) | Same (`@enclave-vm/ast`) |
+| **Code transformation** | Same (AgentScript) | Same (AgentScript) |
+| **Security levels** | Same 4 levels | Same 4 levels |
+| **Tool system** | Same `callTool()` API | Same `callTool()` API |
+
+## Installation
+
+```bash
+npm install @enclave-vm/browser
+```
+
+## Quick Start
+
+```ts
+import { BrowserEnclave } from '@enclave-vm/browser';
+
+// Create an enclave with a tool handler
+const enclave = new BrowserEnclave({
+  securityLevel: 'STANDARD',
+  timeout: 10000,
+  maxToolCalls: 50,
+  toolHandler: async (toolName, args) => {
+    const response = await fetch(`/api/tools/${toolName}`, {
+      method: 'POST',
+      body: JSON.stringify(args),
+    });
+    return response.json();
+  },
+});
+
+// Execute AgentScript code
+const result = await enclave.run(`
+  const users = await callTool('users:list', { limit: 10 });
+  const active = users.filter(u => u.active);
+  return active.length;
+`);
+
+if (result.success) {
+  console.log('Result:', result.value);
+  console.log('Duration:', result.stats.duration, 'ms');
+} else {
+  console.error('Error:', result.error.message);
+}
+
+// Clean up
+enclave.dispose();
+```
+
+## Execution Results
+
+Every call to `run()` returns a structured result with success/error status and execution statistics:
+
+```ts
+interface ExecutionResult<T> {
+  success: boolean;
+  value?: T;              // Result value (if success)
+  error?: {               // Error details (if failed)
+    name: string;
+    message: string;
+    code?: string;
+    stack?: string;
+    data?: Record<string, unknown>;
+  };
+  stats: {
+    duration: number;      // Execution time in ms
+    toolCallCount: number; // Number of tool calls made
+    iterationCount: number; // Number of loop iterations
+    startTime: number;     // Epoch timestamp
+    endTime: number;       // Epoch timestamp
+  };
+}
+```
+
+## Error Codes
+
+| Code | Meaning | Action |
+|------|---------|--------|
+| `VALIDATION_ERROR` | AST validation failed | Fix the code — blocked construct used |
+| `EXECUTION_TIMEOUT` | Execution exceeded timeout | Optimize or increase timeout |
+| `MAX_TOOL_CALLS` | Tool call limit exceeded | Reduce tool calls or increase limit |
+| `MAX_ITERATIONS` | Loop iteration limit exceeded | Reduce loops or increase limit |
+| `IFRAME_CREATE_FAILED` | Failed to create sandbox iframe | Check browser compatibility |
+| `EXECUTION_ABORTED` | Execution was manually aborted | Expected when calling `abort()` |
+| `ADAPTER_DISPOSED` | Adapter was disposed during execution | Avoid disposing during execution |
+| `ENCLAVE_ERROR` | Unexpected internal error | Check error message for details |
+
+## Related
+
+- [Security Architecture](/core-libraries/enclave-browser/security-architecture) - Double iframe isolation model
+- [Configuration](/core-libraries/enclave-browser/configuration) - All configuration options
+- [React Integration](/core-libraries/enclave-browser/react-integration) - Hooks and component patterns
+- [@enclave-vm/core Overview](/core-libraries/enclave-vm/overview) - Node.js sandbox
diff --git a/docs/enclave/core-libraries/enclave-browser/react-integration.mdx b/docs/enclave/core-libraries/enclave-browser/react-integration.mdx
new file mode 100644
index 0000000..1df3889
--- /dev/null
+++ b/docs/enclave/core-libraries/enclave-browser/react-integration.mdx
@@ -0,0 +1,417 @@
+---
+title: 'React Integration'
+description: 'React hooks, component patterns, and bundling considerations for @enclave-vm/browser'
+---
+
+`@enclave-vm/browser` integrates naturally with React applications. This guide covers hook patterns for lifecycle management, console capture, tool handler wiring, and a complete playground example.
+
+## Basic Hook Pattern
+
+The `useEnclave` hook manages the enclave lifecycle — dynamic import, initialization, re-creation on config changes, and cleanup on unmount:
+
+```tsx
+import { useState, useEffect, useRef, useCallback } from 'react';
+import type { BrowserEnclave, ExecutionResult, SecurityLevel } from '@enclave-vm/browser';
+
+interface UseEnclaveOptions {
+  securityLevel: SecurityLevel;
+  toolHandler?: (toolName: string, args: Record<string, unknown>) => Promise<unknown>;
+}
+
+export function useEnclave({ securityLevel, toolHandler }: UseEnclaveOptions) {
+  const [ready, setReady] = useState(false);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const enclaveRef = useRef<BrowserEnclave | null>(null);
+  const toolHandlerRef = useRef(toolHandler);
+  toolHandlerRef.current = toolHandler;
+
+  useEffect(() => {
+    let disposed = false;
+
+    async function init() {
+      setLoading(true);
+      setReady(false);
+      setError(null);
+
+      // Dispose previous instance
+      if (enclaveRef.current) {
+        enclaveRef.current.dispose();
+        enclaveRef.current = null;
+      }
+
+      try {
+        // Dynamic import for code splitting
+        const { BrowserEnclave } = await import('@enclave-vm/browser');
+        if (disposed) return;
+
+        enclaveRef.current = new BrowserEnclave({
+          securityLevel,
+          toolHandler: toolHandlerRef.current,
+        });
+        setReady(true);
+      } catch (err) {
+        if (!disposed) {
+          setError(err instanceof Error ? err.message : String(err));
+        }
+      } finally {
+        if (!disposed) setLoading(false);
+      }
+    }
+
+    init();
+
+    return () => {
+      disposed = true;
+      if (enclaveRef.current) {
+        enclaveRef.current.dispose();
+        enclaveRef.current = null;
+      }
+    };
+  }, [securityLevel]);
+
+  const run = useCallback(async <T = unknown>(code: string): Promise<ExecutionResult<T>> => {
+    if (!enclaveRef.current) {
+      throw new Error('Enclave not ready');
+    }
+    return enclaveRef.current.run<T>(code);
+  }, []);
+
+  return { ready, loading, error, run };
+}
+```
+
+Key points:
+- **Dynamic import** keeps `@enclave-vm/browser` out of the initial bundle
+- **Ref for toolHandler** avoids re-creating the enclave when the handler identity changes
+- **Cleanup on unmount** calls `dispose()` to remove sandbox iframes
+- **Re-creates on `securityLevel` change** to apply new security configuration
+
+## Using the Hook
+
+```tsx
+function CodeRunner() {
+  const [code, setCode] = useState('return 1 + 1');
+  const [result, setResult] = useState<string>('');
+  const { ready, loading, error, run } = useEnclave({
+    securityLevel: 'STANDARD',
+  });
+
+  const handleRun = async () => {
+    if (!ready) return;
+    try {
+      const res = await run(code);
+      if (res.success) {
+        setResult(`Result: ${JSON.stringify(res.value)} (${res.stats.duration}ms)`);
+      } else {
+        setResult(`Error: ${res.error?.message}`);
+      }
+    } catch (err) {
+      setResult(`Unexpected error: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  };
+
+  if (loading) return <div>Loading enclave...</div>;
+  if (error) return <div>Failed to load: {error}</div>;
+
+  return (
+    <div>
+      <textarea value={code} onChange={e => setCode(e.target.value)} />
+      <button onClick={handleRun} disabled={!ready}>Run</button>
+      <pre>{result}</pre>
+    </div>
+  );
+}
+```
+
+## Console Capture
+
+Sandbox console output is relayed to the host's `console` with an `[Enclave]` prefix. The `useConsoleCapture` hook intercepts these messages:
+
+```tsx
+import { useRef, useCallback } from 'react';
+
+type ConsoleLevel = 'log' | 'info' | 'warn' | 'error';
+
+interface ConsoleEntry {
+  id: number;
+  level: ConsoleLevel;
+  args: unknown[];
+  timestamp: number;
+}
+
+let nextId = 0;
+
+export function useConsoleCapture() {
+  const entriesRef = useRef<ConsoleEntry[]>([]);
+  const originalsRef = useRef<Record<ConsoleLevel, (...args: unknown[]) => void> | null>(null);
+
+  const startCapture = useCallback(() => {
+    // Restore previous originals if already capturing
+    if (originalsRef.current) {
+      for (const level of ['log', 'info', 'warn', 'error'] as ConsoleLevel[]) {
+        console[level] = originalsRef.current[level];
+      }
+    }
+
+    entriesRef.current = [];
+    const originals = {} as Record<ConsoleLevel, (...args: unknown[]) => void>;
+
+    for (const level of ['log', 'info', 'warn', 'error'] as ConsoleLevel[]) {
+      originals[level] = console[level].bind(console);
+      console[level] = (...args: unknown[]) => {
+        originals[level](...args); // Always pass through
+        if (args[0] === '[Enclave]') {
+          entriesRef.current.push({
+            id: nextId++,
+            level,
+            args: args.slice(1), // Remove prefix
+            timestamp: Date.now(),
+          });
+        }
+      };
+    }
+
+    originalsRef.current = originals;
+  }, []);
+
+  const stopCapture = useCallback((): ConsoleEntry[] => {
+    if (originalsRef.current) {
+      for (const level of ['log', 'info', 'warn', 'error'] as ConsoleLevel[]) {
+        console[level] = originalsRef.current[level];
+      }
+      originalsRef.current = null;
+    }
+    return [...entriesRef.current];
+  }, []);
+
+  return { startCapture, stopCapture };
+}
+```
+
+Usage with the enclave hook:
+
+```tsx
+const { run } = useEnclave({ securityLevel: 'STANDARD' });
+const { startCapture, stopCapture } = useConsoleCapture();
+
+const handleRun = async () => {
+  startCapture();
+  try {
+    const result = await run('console.log("hello from sandbox"); return 42;');
+  } finally {
+    const entries = stopCapture();
+    // entries[0].args = ['hello from sandbox']
+  }
+};
+```
+
+## With Tool Handlers
+
+Wire up tool handlers that connect sandbox code to your application:
+
+```tsx
+function ToolExample() {
+  const toolHandler = useCallback(async (name: string, args: Record<string, unknown>) => {
+    switch (name) {
+      case 'users:list':
+        return { items: [{ id: 1, name: 'Alice', active: true }] };
+      case 'users:get':
+        return { id: args.id, name: 'Alice', active: true };
+      default:
+        throw new Error(`Unknown tool: ${name}`);
+    }
+  }, []);
+
+  const { ready, run } = useEnclave({
+    securityLevel: 'SECURE',
+    toolHandler,
+  });
+
+  const handleRun = async () => {
+    const result = await run(`
+      const users = await callTool('users:list', { limit: 10 });
+      return users.items.filter(u => u.active).length;
+    `);
+    console.log(result.value); // 1
+  };
+
+  return <button onClick={handleRun} disabled={!ready}>Run with tools</button>;
+}
+```
+
+## Security Level Picker
+
+A small component for switching security levels:
+
+```tsx
+import type { SecurityLevel } from '@enclave-vm/browser';
+
+const LEVELS: { value: SecurityLevel; label: string; description: string }[] = [
+  { value: 'STRICT', label: 'Strict', description: '5s timeout, 10 tool calls' },
+  { value: 'SECURE', label: 'Secure', description: '15s timeout, 50 tool calls' },
+  { value: 'STANDARD', label: 'Standard', description: '30s timeout, 100 tool calls' },
+  { value: 'PERMISSIVE', label: 'Permissive', description: '60s timeout, 1000 tool calls' },
+];
+
+function SecurityLevelPicker({
+  value,
+  onChange,
+}: {
+  value: SecurityLevel;
+  onChange: (level: SecurityLevel) => void;
+}) {
+  return (
+    <select value={value} onChange={e => onChange(e.target.value as SecurityLevel)}>
+      {LEVELS.map(level => (
+        <option key={level.value} value={level.value}>
+          {level.label} — {level.description}
+        </option>
+      ))}
+    </select>
+  );
+}
+```
+
+## Bundling Considerations
+
+- **ESM only**: `@enclave-vm/browser` is distributed as ESM. Ensure your bundler supports `import()`.
+- **Dynamic import**: Use `import('@enclave-vm/browser')` for code splitting. The library includes `@enclave-vm/ast` which adds to bundle size — dynamic import keeps it off the critical path.
+- **No Node.js dependencies**: The browser package has no `vm`, `worker_threads`, or other Node.js module dependencies.
+- **Dependencies**: Requires `@enclave-vm/ast` (for AST validation and code transformation) and `zod` (for message schema validation).
+
+## Browser Compatibility
+
+| Feature Required | Chrome | Firefox | Safari | Edge |
+|-----------------|--------|---------|--------|------|
+| `iframe srcdoc` | 20+ | 25+ | 6+ | 79+ |
+| `iframe sandbox` | 4+ | 17+ | 5+ | 79+ |
+| `postMessage` | 1+ | 6+ | 4+ | 79+ |
+| `Proxy` | 49+ | 18+ | 10+ | 79+ |
+| `TextEncoder` | 38+ | 18+ | 10.1+ | 79+ |
+| `crypto.randomUUID` | 92+ | 95+ | 15.4+ | 92+ |
+
+**Minimum recommended versions**: Chrome 67+, Firefox 63+, Safari 13+, Edge 79+
+
+<Note>
+  `crypto.randomUUID` has a built-in fallback using `Date.now()` for older browsers, so it is not a hard requirement.
+</Note>
+
+## Complete Example: Code Playground
+
+A full working example combining all patterns:
+
+```tsx
+import { useState, useCallback } from 'react';
+import type { SecurityLevel, ExecutionResult } from '@enclave-vm/browser';
+
+// Import hooks (see patterns above)
+import { useEnclave } from './hooks/use-enclave';
+import { useConsoleCapture } from './hooks/use-console-capture';
+
+function CodePlayground() {
+  const [code, setCode] = useState(`
+const data = await callTool('data:fetch', { query: 'active users' });
+console.log('Fetched', data.length, 'records');
+const sorted = data.sort((a, b) => b.score - a.score);
+return sorted.slice(0, 5);
+  `.trim());
+
+  const [securityLevel, setSecurityLevel] = useState<SecurityLevel>('STANDARD');
+  const [result, setResult] = useState<ExecutionResult | null>(null);
+  const [consoleOutput, setConsoleOutput] = useState<string[]>([]);
+  const [running, setRunning] = useState(false);
+
+  const toolHandler = useCallback(async (name: string, args: Record<string, unknown>) => {
+    // Simulate tool execution
+    if (name === 'data:fetch') {
+      return [
+        { name: 'Alice', score: 95 },
+        { name: 'Bob', score: 87 },
+        { name: 'Charlie', score: 92 },
+      ];
+    }
+    throw new Error(`Unknown tool: ${name}`);
+  }, []);
+
+  const { ready, loading, error, run } = useEnclave({ securityLevel, toolHandler });
+  const { startCapture, stopCapture } = useConsoleCapture();
+
+  const handleRun = async () => {
+    if (!ready || running) return;
+    setRunning(true);
+    setResult(null);
+    setConsoleOutput([]);
+
+    startCapture();
+    try {
+      const res = await run(code);
+      setResult(res);
+    } finally {
+      const entries = stopCapture();
+      setConsoleOutput(entries.map(e => `[${e.level}] ${e.args.join(' ')}`));
+      setRunning(false);
+    }
+  };
+
+  return (
+    <div>
+      <div>
+        <label>Security Level: </label>
+        <select
+          value={securityLevel}
+          onChange={e => setSecurityLevel(e.target.value as SecurityLevel)}
+        >
+          <option value="STRICT">Strict</option>
+          <option value="SECURE">Secure</option>
+          <option value="STANDARD">Standard</option>
+          <option value="PERMISSIVE">Permissive</option>
+        </select>
+      </div>
+
+      <textarea
+        value={code}
+        onChange={e => setCode(e.target.value)}
+        rows={10}
+        style={{ width: '100%', fontFamily: 'monospace' }}
+      />
+
+      <button onClick={handleRun} disabled={!ready || running}>
+        {running ? 'Running...' : 'Run Code'}
+      </button>
+
+      {loading && <p>Loading enclave...</p>}
+      {error && <p style={{ color: 'red' }}>Error: {error}</p>}
+
+      {consoleOutput.length > 0 && (
+        <div>
+          <h3>Console</h3>
+          <pre>{consoleOutput.join('\n')}</pre>
+        </div>
+      )}
+
+      {result && (
+        <div>
+          <h3>{result.success ? 'Result' : 'Error'}</h3>
+          <pre>
+            {result.success
+              ? JSON.stringify(result.value, null, 2)
+              : result.error?.message}
+          </pre>
+          <p>
+            Duration: {result.stats.duration}ms |
+            Tool calls: {result.stats.toolCallCount} |
+            Iterations: {result.stats.iterationCount}
+          </p>
+        </div>
+      )}
+    </div>
+  );
+}
+```
+
+## Related
+
+- [Overview](/core-libraries/enclave-browser/overview) - Getting started with browser enclave
+- [Configuration](/core-libraries/enclave-browser/configuration) - All configuration options
+- [EnclaveJS React](/enclavejs/react) - React bindings for streaming
diff --git a/docs/enclave/core-libraries/enclave-browser/security-architecture.mdx b/docs/enclave/core-libraries/enclave-browser/security-architecture.mdx
new file mode 100644
index 0000000..9eb1b46
--- /dev/null
+++ b/docs/enclave/core-libraries/enclave-browser/security-architecture.mdx
@@ -0,0 +1,265 @@
+---
+title: 'Security Architecture'
+description: 'Deep dive into the double iframe isolation model and 8 security layers protecting browser-based code execution'
+---
+
+`@enclave-vm/browser` implements defense-in-depth through a double iframe architecture. Each execution creates two nested iframes — an outer security barrier and an inner sandbox — with 8 distinct security layers that work together to prevent sandbox escapes.
+
+## Double Iframe Architecture
+
+```mermaid
+%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#e8a045', 'primaryTextColor': '#fff', 'primaryBorderColor': '#c78935', 'lineColor': '#c78935', 'secondaryColor': '#f0b865', 'tertiaryColor': '#fff5e6'}}}%%
+flowchart TB
+    subgraph host["Host Page"]
+        subgraph outer["Outer Iframe (Security Barrier)"]
+            subgraph inner["Inner Iframe (Sandbox)"]
+                code["User Code"]
+            end
+        end
+    end
+    style host fill:#fff5e6,stroke:#c78935,color:#333
+    style outer fill:#f0b865,stroke:#c78935,color:#333
+    style inner fill:#e8a045,stroke:#c78935,color:#fff
+    style code fill:#c78935,stroke:#c78935,color:#fff
+```
+
+- **Host Page**: Your application. Creates the outer iframe and handles tool calls.
+- **Outer Iframe**: Security barrier with rate limiting, pattern detection, and name filtering. Relays validated messages between host and inner iframe.
+- **Inner Iframe**: The actual sandbox. Contains prototype hardening, secure proxies, safe runtime wrappers, and the user code.
+
+## The 8 Security Layers
+
+```mermaid
+%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#e8a045', 'primaryTextColor': '#fff', 'primaryBorderColor': '#c78935', 'lineColor': '#c78935', 'secondaryColor': '#f0b865', 'tertiaryColor': '#fff5e6'}}}%%
+flowchart TD
+    L1["Layer 1: Content Security Policy"] --> L2["Layer 2: Iframe Sandbox Attribute"]
+    L2 --> L3["Layer 3: Outer Frame Validation"]
+    L3 --> L4["Layer 4: Dangerous Global Removal"]
+    L4 --> L5["Layer 5: Prototype Freezing"]
+    L5 --> L6["Layer 6: Secure Proxy"]
+    L6 --> L7["Layer 7: Safe Runtime Wrappers"]
+    L7 --> L8["Layer 8: Memory Tracking"]
+    style L1 fill:#e8a045,stroke:#c78935,color:#fff
+    style L2 fill:#e8a045,stroke:#c78935,color:#fff
+    style L3 fill:#f0b865,stroke:#c78935,color:#333
+    style L4 fill:#f0b865,stroke:#c78935,color:#333
+    style L5 fill:#e8a045,stroke:#c78935,color:#fff
+    style L6 fill:#e8a045,stroke:#c78935,color:#fff
+    style L7 fill:#f0b865,stroke:#c78935,color:#333
+    style L8 fill:#f0b865,stroke:#c78935,color:#333
+```
+
+### Layer 1: Content Security Policy
+
+Both iframes are created with a strict CSP via `<meta>` tag:
+
+```
+default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'
+```
+
+| Directive | Effect |
+|-----------|--------|
+| `default-src 'none'` | Blocks all network requests (fetch, XHR, WebSocket, images, fonts) |
+| `script-src 'unsafe-inline'` | Allows inline `<script>` but blocks `eval()`, `new Function()`, `setTimeout(string)` |
+| No `'unsafe-eval'` | Equivalent to Node.js VM `codeGeneration: { strings: false, wasm: false }` |
+
+### Layer 2: Iframe Sandbox Attribute
+
+Both iframes use a restrictive sandbox attribute:
+
+```
+sandbox="allow-scripts"
+```
+
+Only `allow-scripts` is enabled. Crucially, `allow-same-origin` is **not** set, which means:
+- The iframe cannot access the host page's DOM, cookies, or storage
+- The iframe cannot read `parent.document` or `top.document`
+- The iframe has a unique `null` origin
+
+### Layer 3: Outer Frame Validation
+
+The outer iframe acts as a security barrier between the host and the inner sandbox. All tool calls from the inner iframe pass through validation:
+
+| Check | Description |
+|-------|-------------|
+| **Rate limiting** | Max operations per second (default: 100) |
+| **Name validation** | Tool names must be non-empty strings |
+| **Whitelist pattern** | Optional regex to allow only specific tool names |
+| **Blacklist patterns** | Multiple regexes to block specific tool names |
+| **Suspicious pattern detection** | Detects multi-step attack sequences (exfiltration, credential theft, etc.) |
+| **Rapid enumeration** | Detects the same operation being called repeatedly (default threshold: 30 in 5s) |
+
+### Layer 4: Dangerous Global Removal
+
+Dangerous globals are deleted from the inner iframe's `window` object based on the security level:
+
+| Global | STRICT | SECURE | STANDARD | PERMISSIVE |
+|--------|--------|--------|----------|------------|
+| `Function`, `eval` | Removed | Removed | Removed | Available |
+| `globalThis` | Removed | Removed | Available | Available |
+| `Proxy`, `Reflect` | Removed | Removed | Available | Available |
+| `SharedArrayBuffer`, `Atomics` | Removed | Removed | Removed | Removed |
+| `WebAssembly` | Removed | Removed | Removed | Removed |
+| `WeakRef`, `FinalizationRegistry` | Removed | Removed | Removed | Available |
+| `ShadowRealm` | Removed | Removed | Removed | Removed |
+| `Iterator`, `AsyncIterator` | Removed | Removed | Available | Available |
+| `performance`, `Temporal` | Removed | Available | Available | Available |
+
+**Always removed** (all security levels):
+`fetch`, `XMLHttpRequest`, `WebSocket`, `EventSource`, `Worker`, `SharedWorker`, `ServiceWorker`, `importScripts`, `localStorage`, `sessionStorage`, `indexedDB`, `caches`, `navigator`, `open`, `close`, `alert`, `confirm`, `prompt`, `document`
+
+### Layer 5: Prototype Freezing
+
+All built-in prototypes are frozen after security patches are applied:
+
+- `Object.prototype`, `Array.prototype`, `Function.prototype`
+- `String.prototype`, `Number.prototype`, `Boolean.prototype`
+- `Date.prototype`, `Error.prototype`, `Promise.prototype`
+- `TypeError.prototype`, `RangeError.prototype`, `SyntaxError.prototype`
+- `ReferenceError.prototype`, `URIError.prototype`, `EvalError.prototype`
+
+Legacy accessor methods (`__lookupGetter__`, `__lookupSetter__`, `__defineGetter__`, `__defineSetter__`) are replaced with no-ops on `Object.prototype`. Error prototypes have `__proto__` shadowed to return `null`.
+
+### Layer 6: Secure Proxy
+
+Every global object exposed to user code is wrapped in a `Proxy` that blocks access to dangerous properties:
+
+| Blocked Property | Purpose |
+|-----------------|---------|
+| `__proto__` | Prevents prototype chain manipulation |
+| `prototype` | Prevents constructor prototype access |
+| `constructor` | Prevents access to native constructors |
+| `__defineGetter__` | Prevents legacy accessor injection |
+| `__defineSetter__` | Prevents legacy accessor injection |
+| `__lookupGetter__` | Prevents legacy accessor introspection |
+| `__lookupSetter__` | Prevents legacy accessor introspection |
+
+The proxy behavior is configurable per security level. At `STRICT` and `SECURE` levels, accessing blocked properties throws an error. At `PERMISSIVE`, it returns `undefined`.
+
+Additionally, dangerous static methods on `Object` are neutralized: `defineProperty`, `defineProperties`, `setPrototypeOf`, `getOwnPropertyDescriptor`, and `getOwnPropertyDescriptors`.
+
+### Layer 7: Safe Runtime Wrappers
+
+User code runs through transformed wrappers that enforce resource limits:
+
+| Wrapper | Purpose |
+|---------|---------|
+| `callTool(name, args)` | Tool calls with count limits and JSON sanitization |
+| `__safe_for` | Traditional for loops with iteration limits |
+| `__safe_while` | While loops with iteration limits |
+| `__safe_doWhile` | Do-while loops with iteration limits |
+| `__safe_forOf` | For-of loops with iteration limits (generator-based) |
+| `__safe_concat` | Safe string/number concatenation |
+| `__safe_template` | Safe template literal handling |
+| `parallel(fns)` | Parallel execution of up to 100 total operations with configurable concurrency (default 10, max 20) |
+| `console` | Console relay with call count and byte limits |
+
+All loop wrappers share a global iteration counter and check for abort signals on every iteration.
+
+### Layer 8: Memory Tracking
+
+Memory-intensive operations are patched to track estimated usage:
+
+| Method | Protection |
+|--------|-----------|
+| `String.prototype.repeat` | Estimates `length * count * 2` bytes before execution |
+| `Array.prototype.join` | Estimates total string output before execution |
+| `Array.prototype.fill` | Estimates `fillCount * 8` bytes before execution |
+
+When the cumulative tracked memory exceeds `memoryLimit` (default: 1MB), a `RangeError` is thrown.
+
+<Warning>
+  Memory tracking in the browser is **estimation-based**. Unlike Node.js where V8 heap statistics provide precise measurements, the browser version tracks only known high-risk operations. It is a defense against obvious memory bombs, not an exact memory budget.
+</Warning>
+
+## Message Protocol
+
+All communication between layers uses `postMessage` with validated messages. Every message includes a `__enclave_msg__: true` discriminator and a `requestId` for correlation.
+
+```mermaid
+%%{init: {'theme': 'base', 'themeVariables': { 'primaryColor': '#e8a045', 'primaryTextColor': '#fff', 'primaryBorderColor': '#c78935', 'lineColor': '#c78935', 'secondaryColor': '#f0b865', 'tertiaryColor': '#fff5e6'}}}%%
+sequenceDiagram
+    participant Host as Host Page
+    participant Outer as Outer Iframe
+    participant Inner as Inner Iframe
+
+    Host->>Outer: Create iframe (srcdoc)
+    Outer->>Inner: Create inner iframe (srcdoc)
+    Outer->>Host: ready
+    Inner->>Inner: Execute user code
+    Inner->>Outer: tool-call {toolName, args, callId}
+    Outer->>Outer: Validate (rate limit, patterns)
+    Outer->>Host: tool-call {toolName, args, callId}
+    Host->>Host: Execute tool handler
+    Host->>Outer: tool-response {result, callId}
+    Outer->>Inner: tool-response {result, callId}
+    Inner->>Outer: result {success, value, stats}
+    Outer->>Host: result {success, value, stats}
+```
+
+### Message Types
+
+| Direction | Type | Description |
+|-----------|------|-------------|
+| Inner/Outer to Host | `tool-call` | Tool invocation with `toolName`, `args`, `callId` |
+| Host to Inner/Outer | `tool-response` | Tool result or error with `callId` |
+| Inner to Host | `result` | Execution result with `success`, `value`/`error`, `stats` |
+| Inner to Host | `console` | Console output with `level` and `args` |
+| Outer to Host | `ready` | Outer iframe initialized |
+| Host to Inner | `abort` | Signal to abort execution |
+
+All messages are validated with Zod schemas. Tool names must match `^[a-zA-Z][a-zA-Z0-9:_-]*$` and be 1–256 characters.
+
+## What's Blocked
+
+| Attack Vector | Protection |
+|---------------|-----------|
+| Network requests | CSP `default-src 'none'` blocks fetch, XHR, WebSocket |
+| `eval` / `new Function` | CSP blocks all forms of code generation from strings |
+| DOM access | `document` shadowed; no `allow-same-origin` on sandbox |
+| Parent frame access | Sandbox prevents reading `parent.document` or `top.document` |
+| Prototype pollution | All prototypes frozen; `__proto__` access blocked by proxy |
+| Infinite loops | All loops wrapped with iteration counters and abort checks |
+| Tool call flooding | Rate limiting in outer frame + per-execution call limits |
+| Data exfiltration | Suspicious pattern detection in outer frame |
+| Memory bombs | String/Array operation tracking with configurable limits |
+| Storage access | `localStorage`, `sessionStorage`, `indexedDB`, `caches` removed |
+
+## What's Available
+
+Sandboxed code has access to a safe subset of JavaScript:
+
+```ts
+// Standard operations
+const arr = [1, 2, 3, 4, 5];
+const doubled = arr.map(x => x * 2);
+const sum = doubled.reduce((a, b) => a + b, 0);
+
+// Tool calls
+const users = await callTool('users:list', { limit: 10 });
+const filtered = users.filter(u => u.active);
+
+// Parallel execution
+const [posts, comments] = await parallel([
+  () => callTool('posts:list', {}),
+  () => callTool('comments:list', {}),
+]);
+
+// Console output (relayed to host)
+console.log('Found', filtered.length, 'active users');
+
+// Standard globals
+const now = new Date();
+const pattern = new RegExp('^test');
+const encoded = JSON.stringify({ result: sum });
+
+// Math operations
+const random = Math.floor(Math.random() * 100);
+```
+
+## Related
+
+- [Overview](/core-libraries/enclave-browser/overview) - Getting started with browser enclave
+- [Configuration](/core-libraries/enclave-browser/configuration) - All configuration options
+- [Double VM Layer](/core-libraries/enclave-vm/double-vm) - Node.js equivalent architecture
+- [Security Levels](/core-libraries/enclave-vm/security-levels) - Security preset details
diff --git a/eslint.config.mjs b/eslint.config.mjs
index 0fd81f8..b8c1d3d 100644
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -5,7 +5,7 @@ export default [
   ...nx.configs['flat/typescript'],
   ...nx.configs['flat/javascript'],
   {
-    ignores: ['**/dist', '**/*.spec.ts', '**/__tests__/**'],
+    ignores: ['**/dist', '**/*.spec.ts', '**/__tests__/**', '**/vendor/**', '**/e2e/fixtures/**'],
   },
   {
     files: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
diff --git a/libs/browser/e2e/buffer-shim.mjs b/libs/browser/e2e/buffer-shim.mjs
new file mode 100644
index 0000000..ada14ad
--- /dev/null
+++ b/libs/browser/e2e/buffer-shim.mjs
@@ -0,0 +1,13 @@
+/**
+ * Minimal Buffer shim for the browser test bundle.
+ * Only provides Buffer.byteLength which is used by @enclave-vm/ast's size-check.
+ */
+const encoder = new TextEncoder();
+
+if (typeof globalThis.Buffer === 'undefined') {
+  globalThis.Buffer = {
+    byteLength(str) {
+      return encoder.encode(String(str)).byteLength;
+    },
+  };
+}
diff --git a/libs/browser/e2e/build-test-bundle.mjs b/libs/browser/e2e/build-test-bundle.mjs
new file mode 100644
index 0000000..5e44c4e
--- /dev/null
+++ b/libs/browser/e2e/build-test-bundle.mjs
@@ -0,0 +1,34 @@
+/**
+ * Build a self-contained ESM bundle for Playwright e2e tests.
+ *
+ * The production build externalises @enclave-vm/ast, acorn, astring, zod.
+ * This script inlines everything so the test-harness.html can load a single
+ * file with no import-map or network requests.
+ */
+
+import { build } from 'esbuild';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const root = path.resolve(__dirname, '../../..');
+
+await build({
+  entryPoints: [path.resolve(__dirname, '../src/index.ts')],
+  bundle: true,
+  format: 'esm',
+  outfile: path.resolve(__dirname, 'fixtures/enclave-browser-bundle.mjs'),
+  platform: 'browser',
+  target: 'es2022',
+  // Inline ALL dependencies (no externals)
+  external: [],
+  // Resolve workspace paths
+  alias: {
+    '@enclave-vm/ast': path.resolve(root, 'libs/ast/src/index.ts'),
+  },
+  // Inject a minimal Buffer shim (ast package uses Buffer.byteLength)
+  inject: [path.resolve(__dirname, 'buffer-shim.mjs')],
+  sourcemap: false,
+  minify: false,
+  logLevel: 'info',
+});
diff --git a/libs/browser/e2e/console-capture.spec.ts b/libs/browser/e2e/console-capture.spec.ts
new file mode 100644
index 0000000..367c9c4
--- /dev/null
+++ b/libs/browser/e2e/console-capture.spec.ts
@@ -0,0 +1,93 @@
+import { test, expect } from '@playwright/test';
+import { loadHarness } from './helpers';
+
+test.describe('console capture', () => {
+  test.beforeEach(async ({ page }) => {
+    await loadHarness(page);
+  });
+
+  test('console.log relayed to host', async ({ page }) => {
+    const logs: string[] = [];
+    page.on('console', (msg) => {
+      if (msg.type() === 'log') logs.push(msg.text());
+    });
+
+    const result = await page.evaluate(async () => {
+      const EB = (window as any).EnclaveBrowser;
+      const enclave = new EB.BrowserEnclave({ timeout: 5000 });
+      const res = await enclave.run('console.log("hello from enclave"); return "ok"');
+      enclave.dispose();
+      return res;
+    });
+
+    // Wait briefly for postMessage relay to reach host console
+    await page.waitForTimeout(200);
+    expect(result.success).toBe(true);
+    expect(logs.some((l) => l.includes('hello from enclave'))).toBe(true);
+  });
+
+  test('console.warn relayed', async ({ page }) => {
+    const warnings: string[] = [];
+    page.on('console', (msg) => {
+      if (msg.type() === 'warning') warnings.push(msg.text());
+    });
+
+    const result = await page.evaluate(async () => {
+      const EB = (window as any).EnclaveBrowser;
+      const enclave = new EB.BrowserEnclave({ timeout: 5000 });
+      const res = await enclave.run('console.warn("warning msg"); return "ok"');
+      enclave.dispose();
+      return res;
+    });
+
+    await page.waitForTimeout(200);
+    expect(result.success).toBe(true);
+    expect(warnings.some((w) => w.includes('warning msg'))).toBe(true);
+  });
+
+  test('console.error relayed', async ({ page }) => {
+    const errors: string[] = [];
+    page.on('console', (msg) => {
+      if (msg.type() === 'error') errors.push(msg.text());
+    });
+
+    const result = await page.evaluate(async () => {
+      const EB = (window as any).EnclaveBrowser;
+      const enclave = new EB.BrowserEnclave({ timeout: 5000 });
+      const res = await enclave.run('console.error("error msg"); return "ok"');
+      enclave.dispose();
+      return res;
+    });
+
+    await page.waitForTimeout(200);
+    expect(result.success).toBe(true);
+    expect(errors.some((e) => e.includes('error msg'))).toBe(true);
+  });
+
+  test('maxConsoleCalls limit enforced', async ({ page }) => {
+    const logs: string[] = [];
+    page.on('console', (msg) => {
+      if (msg.type() === 'log' && msg.text().includes('[Enclave]')) {
+        logs.push(msg.text());
+      }
+    });
+
+    await page.evaluate(async () => {
+      const EB = (window as any).EnclaveBrowser;
+      const enclave = new EB.BrowserEnclave({
+        timeout: 5000,
+        maxConsoleCalls: 3,
+      });
+      await enclave.run(`
+        for (let i = 0; i < 10; i++) {
+          console.log("msg " + i);
+        }
+        return "done";
+      `);
+      enclave.dispose();
+    });
+
+    await page.waitForTimeout(200);
+    expect(logs.length).toBeLessThanOrEqual(3);
+  });
+});
diff --git a/libs/browser/e2e/execution.spec.ts b/libs/browser/e2e/execution.spec.ts
new file mode 100644
index 0000000..cbf370a
--- /dev/null
+++ b/libs/browser/e2e/execution.spec.ts
@@ -0,0 +1,120 @@
+import { test, expect } from '@playwright/test';
+import { loadHarness, runInEnclave } from './helpers';
+
+test.describe('execution', () => {
+  test.beforeEach(async ({ page }) => {
+    await loadHarness(page);
+  });
+
+  test('returns arithmetic result', async ({ page }) => {
+    const result = await runInEnclave(page, 'return 2 + 3');
+    expect(result.success).toBe(true);
+    expect(result.value).toBe(5);
+  });
+
+  test('returns string result', async ({ page }) => {
+    const result = await runInEnclave(page, 'return "hello world"');
+    expect(result.success).toBe(true);
+    expect(result.value).toBe('hello world');
+  });
+
+  test('executes loops and returns result', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+        let sum = 0;
+        for (let i = 1; i <= 10; i++) { sum += i; }
+        return sum;
+      `,
+      { securityLevel: 'PERMISSIVE' },
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toBe(55);
+  });
+
+  test('handles async code', async ({ page }) => {
+    // Use validate:false because the transformer rewrites Promise to
+    // __safe_Promise which isn't in the default allowed-globals list
+    const result = await runInEnclave(
+      page,
+      `
+        async function __ag_main() {
+          const val = await Promise.resolve(42);
+          return val;
+        }
+      `,
+      { validate: false, transform: false, timeout: 5000 },
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toBe(42);
+  });
+
+  test('returns object result', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+      return { name: "test", count: 3 };
+    `,
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toEqual({ name: 'test', count: 3 });
+  });
+
+  test('returns array result', async ({ page }) => {
+    const result = await runInEnclave(page, 'return [1, 2, 3]');
+    expect(result.success).toBe(true);
+    expect(result.value).toEqual([1, 2, 3]);
+  });
+
+  test('injects custom globals', async ({ page }) => {
+    const result = await runInEnclave(page, 'return multiplier * 5', {
+      globals: { multiplier: 10 },
+    });
+    expect(result.success).toBe(true);
+    expect(result.value).toBe(50);
+  });
+
+  test('reports runtime errors', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+      const obj = null;
+      return obj.foo;
+    `,
+    );
+    expect(result.success).toBe(false);
+    expect(result.error).toBeDefined();
+  });
+
+  test('populates stats', async ({ page }) => {
+    const result = await runInEnclave(page, 'return 1');
+    expect(result.success).toBe(true);
+    expect(result.stats).toBeDefined();
+    expect(typeof result.stats.duration).toBe('number');
+    expect(result.stats.duration).toBeGreaterThanOrEqual(0);
+    expect(typeof result.stats.toolCallCount).toBe('number');
+  });
+
+  test('template literals work', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+      const x = "world";
+      return \`hello \${x}\`;
+    `,
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toBe('hello world');
+  });
+
+  test('string concatenation works', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+      return "foo" + "bar";
+    `,
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toBe('foobar');
+  });
+});
diff --git a/libs/browser/e2e/fixtures/debug-inner.html b/libs/browser/e2e/fixtures/debug-inner.html
new file mode 100644
index 0000000..0488836
--- /dev/null
+++ b/libs/browser/e2e/fixtures/debug-inner.html
@@ -0,0 +1,758 @@
+<!doctype html>
+<html>
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'"
+    />
+    <title>Enclave Inner Sandbox</title>
+  </head>
+  <body>
+    <script>
+      'use strict';
+      (function () {
+        var requestId = 'b6a56ba2-c99f-4760-ae88-aa7e5e73447a';
+        var aborted = false;
+        var startTime = Date.now();
+        var toolCallCount = 0;
+        var iterationCount = 0;
+        var consoleCalls = 0;
+        var consoleOutputBytes = 0;
+
+        // Pending tool call resolvers: callId -> { resolve, reject }
+        var pendingToolCalls = {};
+
+        // ============================================================
+        // Safe Error
+        // ============================================================
+        function createSafeError(message, name) {
+          var error = new Error(message);
+          error.name = name || 'Error';
+          try {
+            Object.setPrototypeOf(error, null);
+          } catch (e) {}
+          try {
+            Object.defineProperty(error, 'constructor', {
+              value: null,
+              writable: false,
+              configurable: false,
+              enumerable: false,
+            });
+            Object.defineProperty(error, '__proto__', {
+              value: null,
+              writable: false,
+              configurable: false,
+              enumerable: false,
+            });
+            Object.defineProperty(error, 'stack', {
+              value: undefined,
+              writable: false,
+              configurable: false,
+              enumerable: false,
+            });
+          } catch (e) {}
+          try {
+            Object.freeze(error);
+          } catch (e) {}
+          return error;
+        }
+
+        // ============================================================
+        // Secure Proxy
+        // ============================================================
+        var blockedPropertiesSet = new Set([
+          '__proto__',
+          'prototype',
+          'constructor',
+          '__defineGetter__',
+          '__defineSetter__',
+          '__lookupGetter__',
+          '__lookupSetter__',
+        ]);
+        var proxyCache = new WeakMap();
+
+        function createSecureProxy(obj, depth) {
+          if (depth === undefined) depth = 0;
+          if (depth > 10) return obj;
+          if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) return obj;
+          if (proxyCache.has(obj)) return proxyCache.get(obj);
+
+          var proxy = new Proxy(obj, {
+            get: function (target, property, receiver) {
+              var propName = String(property);
+              var descriptor = Object.getOwnPropertyDescriptor(target, property);
+              var isNonConfigurable = descriptor && !descriptor.configurable;
+
+              if (descriptor && isNonConfigurable && 'value' in descriptor && descriptor.writable === false) {
+                return descriptor.value;
+              }
+
+              if (blockedPropertiesSet.has(propName)) {
+                if (isNonConfigurable) return Reflect.get(target, property, receiver);
+                throw createSafeError("Security violation: Access to '" + propName + "' is blocked.");
+              }
+
+              var value = Reflect.get(target, property, receiver);
+              if (typeof value === 'function') {
+                var boundMethod = value.bind(target);
+                return createSecureProxy(boundMethod, depth + 1);
+              }
+              if (value !== null && typeof value === 'object') {
+                return createSecureProxy(value, depth + 1);
+              }
+              return value;
+            },
+            set: function (target, property, value, receiver) {
+              var propName = String(property);
+              if (blockedPropertiesSet.has(propName)) {
+                throw createSafeError("Security violation: Setting '" + propName + "' is blocked.");
+              }
+              return Reflect.set(target, property, value, receiver);
+            },
+            getPrototypeOf: function () {
+              return null;
+            },
+          });
+
+          proxyCache.set(obj, proxy);
+          return proxy;
+        }
+
+        // ============================================================
+        // PostMessage Communication with Outer Iframe
+        // ============================================================
+        function sendToOuter(msg) {
+          msg.__enclave_msg__ = true;
+          msg.requestId = requestId;
+          try {
+            window.parent.postMessage(msg, '*');
+          } catch (e) {
+            /* ignore */
+          }
+        }
+
+        // Listen for messages from outer iframe
+        window.addEventListener('message', function (event) {
+          if (event.source !== window.parent) return;
+          var data = event.data;
+          if (!data || data.__enclave_msg__ !== true) return;
+          if (data.requestId !== requestId) return;
+
+          if (data.type === 'tool-response') {
+            var pending = pendingToolCalls[data.callId];
+            if (pending) {
+              delete pendingToolCalls[data.callId];
+              if (data.error) {
+                pending.reject(createSafeError(data.error.message, data.error.name));
+              } else {
+                pending.resolve(data.result);
+              }
+            }
+          } else if (data.type === 'abort') {
+            aborted = true;
+            var pendingKeys = Object.keys(pendingToolCalls);
+            for (var pk = 0; pk < pendingKeys.length; pk++) {
+              var p = pendingToolCalls[pendingKeys[pk]];
+              if (p && p.reject) {
+                try {
+                  p.reject(createSafeError('Execution aborted', 'AbortError'));
+                } catch (e) {}
+              }
+            }
+            pendingToolCalls = {};
+          }
+        });
+
+        // ============================================================
+        // Safe Runtime Functions
+        // ============================================================
+
+        // Generate unique call IDs
+        var callIdCounter = 0;
+        function generateCallId() {
+          return 'c-' + ++callIdCounter + '-' + Date.now().toString(36) + '-' + Math.random().toString(36).slice(2, 8);
+        }
+
+        function __safe_callTool(toolName, args) {
+          if (aborted) throw createSafeError('Execution aborted');
+
+          toolCallCount++;
+          if (toolCallCount > 100) {
+            throw createSafeError('Maximum tool call limit exceeded (100).');
+          }
+
+          if (typeof toolName !== 'string' || !toolName) {
+            throw createSafeError('Tool name must be a non-empty string', 'TypeError');
+          }
+          if (typeof args !== 'object' || args === null || Array.isArray(args)) {
+            throw createSafeError('Tool arguments must be an object', 'TypeError');
+          }
+
+          // Double sanitization
+          var sanitizedArgs;
+          try {
+            sanitizedArgs = JSON.parse(JSON.stringify(args));
+          } catch (e) {
+            throw createSafeError('Tool arguments must be JSON-serializable');
+          }
+
+          var callId = generateCallId();
+
+          return new Promise(function (resolve, reject) {
+            pendingToolCalls[callId] = { resolve: resolve, reject: reject };
+            sendToOuter({
+              type: 'tool-call',
+              callId: callId,
+              toolName: toolName,
+              args: sanitizedArgs,
+            });
+          });
+        }
+
+        function* __safe_forOf(iterable) {
+          var iterations = 0;
+          for (var item of iterable) {
+            if (aborted) throw createSafeError('Execution aborted');
+            iterations++;
+            iterationCount++;
+            if (iterations > 10000) {
+              throw createSafeError('Maximum iteration limit exceeded (10000).');
+            }
+            yield item;
+          }
+        }
+
+        function __safe_for(init, test, update, body) {
+          var iterations = 0;
+          init();
+          while (test()) {
+            if (aborted) throw createSafeError('Execution aborted');
+            iterations++;
+            iterationCount++;
+            if (iterations > 10000) {
+              throw createSafeError('Maximum iteration limit exceeded (10000).');
+            }
+            body();
+            update();
+          }
+        }
+
+        function __safe_while(test, body) {
+          var iterations = 0;
+          while (test()) {
+            if (aborted) throw createSafeError('Execution aborted');
+            iterations++;
+            iterationCount++;
+            if (iterations > 10000) {
+              throw createSafeError('Maximum iteration limit exceeded (10000).');
+            }
+            body();
+          }
+        }
+
+        function __safe_doWhile(body, test) {
+          var iterations = 0;
+          do {
+            if (aborted) throw createSafeError('Execution aborted');
+            iterations++;
+            iterationCount++;
+            if (iterations > 10000) {
+              throw createSafeError('Maximum iteration limit exceeded (10000).');
+            }
+            body();
+          } while (test());
+        }
+
+        function __safe_concat(left, right) {
+          if (typeof left === 'number' && typeof right === 'number') return left + right;
+          var result = left + right;
+          return result;
+        }
+
+        function __safe_template(quasis) {
+          var values = [];
+          for (var i = 1; i < arguments.length; i++) values.push(arguments[i]);
+          var result = quasis[0];
+          for (var j = 0; j < values.length; j++) {
+            result += String(values[j]) + quasis[j + 1];
+          }
+          return result;
+        }
+
+        function __safe_parallel(fns, options) {
+          if (!Array.isArray(fns)) throw createSafeError('parallel requires an array of functions', 'TypeError');
+          if (fns.length === 0) return Promise.resolve([]);
+          if (fns.length > 100) throw createSafeError('Cannot execute more than 100 operations in parallel.');
+
+          for (var i = 0; i < fns.length; i++) {
+            if (typeof fns[i] !== 'function')
+              throw createSafeError('Item at index ' + i + ' is not a function', 'TypeError');
+          }
+
+          var concurrency = Math.min(Math.max(1, (options && options.maxConcurrency) || 10), 20);
+          var results = new Array(fns.length);
+          var errors = [];
+          var currentIndex = 0;
+
+          function runNext() {
+            return new Promise(function (resolve) {
+              function step() {
+                if (currentIndex >= fns.length) {
+                  resolve();
+                  return;
+                }
+                if (aborted) {
+                  resolve();
+                  return;
+                }
+                var index = currentIndex++;
+                Promise.resolve()
+                  .then(function () {
+                    return fns[index]();
+                  })
+                  .then(function (result) {
+                    results[index] = result;
+                    step();
+                  })
+                  .catch(function (error) {
+                    errors.push({ index: index, error: error });
+                    step();
+                  });
+              }
+              step();
+            });
+          }
+
+          var workers = [];
+          for (var w = 0; w < Math.min(concurrency, fns.length); w++) workers.push(runNext());
+
+          return Promise.all(workers).then(function () {
+            if (errors.length > 0) {
+              var msgs = errors
+                .map(function (e) {
+                  return '[' + e.index + ']: ' + ((e.error && e.error.message) || e.error);
+                })
+                .join('\n');
+              throw createSafeError(errors.length + ' of ' + fns.length + ' parallel operations failed:\n' + msgs);
+            }
+            return results;
+          });
+        }
+
+        // ============================================================
+        // Console Implementation (relayed via postMessage)
+        // ============================================================
+        var safeConsole = {};
+        ['log', 'warn', 'error', 'info'].forEach(function (level) {
+          safeConsole[level] = function () {
+            consoleCalls++;
+            if (consoleCalls > 1000) return;
+
+            var args = [];
+            for (var i = 0; i < arguments.length; i++) {
+              var arg = arguments[i];
+              try {
+                args.push(typeof arg === 'object' ? JSON.parse(JSON.stringify(arg)) : arg);
+              } catch (e) {
+                args.push(String(arg));
+              }
+            }
+
+            var size = 0;
+            try {
+              size = JSON.stringify(args).length;
+            } catch (e) {}
+            consoleOutputBytes += size;
+            if (consoleOutputBytes > 1048576) return;
+
+            sendToOuter({ type: 'console', level: level, args: args });
+          };
+        });
+
+        // ============================================================
+        // Prototype Hardening
+        // ============================================================
+
+        // Shadow __proto__ on error prototypes
+        (function () {
+          var errorProtos = [
+            Error.prototype,
+            TypeError.prototype,
+            RangeError.prototype,
+            SyntaxError.prototype,
+            ReferenceError.prototype,
+            URIError.prototype,
+            EvalError.prototype,
+          ];
+          for (var i = 0; i < errorProtos.length; i++) {
+            try {
+              Object.defineProperty(errorProtos[i], '__proto__', {
+                get: function () {
+                  return null;
+                },
+                set: function () {},
+                configurable: false,
+                enumerable: false,
+              });
+            } catch (e) {}
+          }
+        })();
+
+        // Block legacy prototype methods
+        (function () {
+          var methods = ['__lookupGetter__', '__lookupSetter__', '__defineGetter__', '__defineSetter__'];
+          for (var i = 0; i < methods.length; i++) {
+            try {
+              Object.defineProperty(Object.prototype, methods[i], {
+                value: function () {
+                  return undefined;
+                },
+                writable: false,
+                configurable: false,
+                enumerable: false,
+              });
+            } catch (e) {}
+          }
+        })();
+
+        // Memory-safe prototype patches
+        (function () {
+          var ml = 1048576;
+          var totalTracked = 0;
+          function track(bytes) {
+            totalTracked += bytes;
+            if (totalTracked > ml) throw new RangeError('Memory limit exceeded');
+          }
+
+          var stringProto = Object.getPrototypeOf('');
+          var arrayProto = Object.getPrototypeOf([]);
+
+          try {
+            var origRepeat = stringProto.repeat;
+            Object.defineProperty(stringProto, 'repeat', {
+              value: function (count) {
+                var est = this.length * count * 2;
+                if (est > ml) throw new RangeError('String.repeat would exceed memory limit');
+                track(est);
+                return origRepeat.call(this, count);
+              },
+              writable: false,
+              configurable: false,
+            });
+          } catch (e) {}
+
+          try {
+            var origJoin = arrayProto.join;
+            Object.defineProperty(arrayProto, 'join', {
+              value: function (sep) {
+                var s = sep === undefined ? ',' : String(sep);
+                var est = 0;
+                for (var i = 0; i < this.length; i++) {
+                  var item = this[i];
+                  est += item === null || item === undefined ? 0 : String(item).length;
+                  if (i > 0) est += s.length;
+                }
+                est *= 2;
+                if (est > ml) throw new RangeError('Array.join would exceed memory limit');
+                track(est);
+                return origJoin.call(this, sep);
+              },
+              writable: false,
+              configurable: false,
+            });
+          } catch (e) {}
+
+          try {
+            var origFill = arrayProto.fill;
+            Object.defineProperty(arrayProto, 'fill', {
+              value: function (value, start, end) {
+                var len = this.length >>> 0;
+                var k = start === undefined ? 0 : start >> 0;
+                var finalEnd = end === undefined ? len : end >> 0;
+                if (k < 0) k = Math.max(len + k, 0);
+                else k = Math.min(k, len);
+                if (finalEnd < 0) finalEnd = Math.max(len + finalEnd, 0);
+                else finalEnd = Math.min(finalEnd, len);
+                var fillCount = Math.max(0, finalEnd - k);
+                var est = fillCount * 8;
+                if (est > ml) throw new RangeError('Array.fill would exceed memory limit');
+                track(est);
+                return origFill.call(this, value, start, end);
+              },
+              writable: false,
+              configurable: false,
+            });
+          } catch (e) {}
+        })();
+
+        // Freeze all prototypes
+        (function () {
+          var protos = [
+            Object.prototype,
+            Array.prototype,
+            Function.prototype,
+            String.prototype,
+            Number.prototype,
+            Boolean.prototype,
+            Date.prototype,
+            Error.prototype,
+            TypeError.prototype,
+            RangeError.prototype,
+            SyntaxError.prototype,
+            ReferenceError.prototype,
+            URIError.prototype,
+            EvalError.prototype,
+            Promise.prototype,
+          ];
+          for (var i = 0; i < protos.length; i++) {
+            try {
+              Object.freeze(protos[i]);
+            } catch (e) {}
+          }
+        })();
+
+        // ============================================================
+        // Remove Dangerous Globals
+        // ============================================================
+        var dangerousGlobals = [
+          'Function',
+          'eval',
+          'SharedArrayBuffer',
+          'Atomics',
+          'WebAssembly',
+          'ShadowRealm',
+          'WeakRef',
+          'FinalizationRegistry',
+        ];
+        for (var dg = 0; dg < dangerousGlobals.length; dg++) {
+          try {
+            delete window[dangerousGlobals[dg]];
+          } catch (e) {
+            try {
+              window[dangerousGlobals[dg]] = undefined;
+            } catch (e2) {}
+          }
+        }
+
+        // Always remove browser-specific dangerous globals
+        var browserDangerous = [
+          'fetch',
+          'XMLHttpRequest',
+          'WebSocket',
+          'EventSource',
+          'Worker',
+          'SharedWorker',
+          'ServiceWorker',
+          'importScripts',
+          'localStorage',
+          'sessionStorage',
+          'indexedDB',
+          'caches',
+          'navigator',
+          'open',
+          'close',
+          'alert',
+          'confirm',
+          'prompt',
+        ];
+        for (var bd = 0; bd < browserDangerous.length; bd++) {
+          try {
+            delete window[browserDangerous[bd]];
+          } catch (e) {
+            try {
+              window[browserDangerous[bd]] = undefined;
+            } catch (e2) {}
+          }
+        }
+
+        // ============================================================
+        // Inject Safe Globals
+        // ============================================================
+        var SafeObject = function (value) {
+          if (value === null || value === undefined) return {};
+          return Object(value);
+        };
+        var safeObjMethods = [
+          'keys',
+          'values',
+          'entries',
+          'fromEntries',
+          'assign',
+          'is',
+          'hasOwn',
+          'freeze',
+          'isFrozen',
+          'seal',
+          'isSealed',
+          'preventExtensions',
+          'isExtensible',
+          'getOwnPropertyNames',
+          'getOwnPropertySymbols',
+          'getPrototypeOf',
+        ];
+        for (var sm = 0; sm < safeObjMethods.length; sm++) {
+          if (safeObjMethods[sm] in Object) SafeObject[safeObjMethods[sm]] = Object[safeObjMethods[sm]];
+        }
+        SafeObject.create = function (proto, props) {
+          if (props !== undefined) throw createSafeError('Object.create with property descriptors is not allowed');
+          return Object.create(proto);
+        };
+        SafeObject.prototype = Object.prototype;
+
+        var blockedObjMethods = [
+          'defineProperty',
+          'defineProperties',
+          'setPrototypeOf',
+          'getOwnPropertyDescriptor',
+          'getOwnPropertyDescriptors',
+        ];
+        for (var bm = 0; bm < blockedObjMethods.length; bm++) {
+          (function (method) {
+            SafeObject[method] = function () {
+              throw createSafeError('Object.' + method + ' is not allowed (security restriction)');
+            };
+          })(blockedObjMethods[bm]);
+        }
+
+        var _defineProperty = Object.defineProperty;
+
+        // Neutralize dangerous static methods on intrinsic Object
+        (function () {
+          var RealObject = Object.getPrototypeOf({}).constructor;
+          var dangerous = [
+            'getOwnPropertyDescriptors',
+            'getOwnPropertyDescriptor',
+            'defineProperty',
+            'defineProperties',
+            'setPrototypeOf',
+          ];
+          for (var i = 0; i < dangerous.length; i++) {
+            try {
+              delete RealObject[dangerous[i]];
+            } catch (e) {}
+          }
+        })();
+
+        // Define all safe globals as non-writable, non-configurable, non-enumerable
+        var safeGlobals = {
+          __safe_callTool: createSecureProxy(__safe_callTool),
+          callTool: createSecureProxy(__safe_callTool),
+          __safe_forOf: createSecureProxy(__safe_forOf),
+          __safe_for: createSecureProxy(__safe_for),
+          __safe_while: createSecureProxy(__safe_while),
+          __safe_doWhile: createSecureProxy(__safe_doWhile),
+          __safe_concat: __safe_concat,
+          __safe_template: __safe_template,
+          __safe_parallel: createSecureProxy(__safe_parallel),
+          parallel: createSecureProxy(__safe_parallel),
+          __safe_console: safeConsole,
+          console: safeConsole,
+          __maxIterations: 10000,
+          Math: createSecureProxy(Math),
+          JSON: createSecureProxy(JSON),
+          Array: createSecureProxy(Array),
+          Object: createSecureProxy(SafeObject),
+          String: createSecureProxy(String),
+          Number: createSecureProxy(Number),
+          Date: createSecureProxy(Date),
+          Boolean: createSecureProxy(Boolean),
+          RegExp: createSecureProxy(RegExp),
+          Error: createSecureProxy(Error),
+          TypeError: createSecureProxy(TypeError),
+          RangeError: createSecureProxy(RangeError),
+          Promise: createSecureProxy(Promise),
+          undefined: undefined,
+          NaN: NaN,
+          Infinity: Infinity,
+          isNaN: isNaN,
+          isFinite: isFinite,
+          parseInt: parseInt,
+          parseFloat: parseFloat,
+          encodeURI: encodeURI,
+          decodeURI: decodeURI,
+          encodeURIComponent: encodeURIComponent,
+          decodeURIComponent: decodeURIComponent,
+        };
+
+        // Inject custom globals if provided
+        var customGlobals = {};
+        for (var cgKey in customGlobals) {
+          if (customGlobals.hasOwnProperty(cgKey)) {
+            safeGlobals[cgKey] = createSecureProxy(customGlobals[cgKey]);
+            safeGlobals['__safe_' + cgKey] = createSecureProxy(customGlobals[cgKey]);
+          }
+        }
+
+        for (var gKey in safeGlobals) {
+          if (safeGlobals.hasOwnProperty(gKey)) {
+            try {
+              _defineProperty(window, gKey, {
+                value: safeGlobals[gKey],
+                writable: false,
+                configurable: false,
+                enumerable: false,
+              });
+            } catch (e) {}
+          }
+        }
+
+        // ============================================================
+        // Execute User Code
+        // ============================================================
+        (async function () {
+          // Shadow non-deletable browser globals so user code sees undefined
+          var document = undefined;
+
+          try {
+            // The transformed code defines __ag_main as a function declaration.
+            // We embed it directly — CSP 'unsafe-inline' allows inline scripts
+            // but blocks eval/new Function.
+            async function __ag_main() {
+              return 2 + 3;
+            }
+
+            var result = typeof __ag_main === 'function' ? await __ag_main() : undefined;
+
+            // Sanitize result before sending
+            var safeResult;
+            try {
+              safeResult = JSON.parse(JSON.stringify(result));
+            } catch (e) {
+              safeResult = undefined;
+            }
+
+            sendToOuter({
+              type: 'result',
+              success: true,
+              value: safeResult,
+              stats: {
+                duration: Date.now() - startTime,
+                toolCallCount: toolCallCount,
+                iterationCount: iterationCount,
+                startTime: startTime,
+                endTime: Date.now(),
+              },
+            });
+          } catch (error) {
+            sendToOuter({
+              type: 'result',
+              success: false,
+              error: {
+                name: error && error.name ? String(error.name) : 'Error',
+                message: error && error.message ? String(error.message) : 'Unknown error',
+                code: error && error.code ? String(error.code) : undefined,
+              },
+              stats: {
+                duration: Date.now() - startTime,
+                toolCallCount: toolCallCount,
+                iterationCount: iterationCount,
+                startTime: startTime,
+                endTime: Date.now(),
+              },
+            });
+          }
+        })();
+      })();
+    </script>
+  </body>
+</html>
diff --git a/libs/browser/e2e/fixtures/debug-inner2.html b/libs/browser/e2e/fixtures/debug-inner2.html
new file mode 100644
index 0000000..9ec6dd2
--- /dev/null
+++ b/libs/browser/e2e/fixtures/debug-inner2.html
@@ -0,0 +1,748 @@
+<!doctype html>
+<html>
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'"
+    />
+    <title>Enclave Inner Sandbox</title>
+  </head>
+  <body>
+    <script>
+      'use strict';
+      (function () {
+        var requestId = '36b1648c-d10f-44c7-8cec-63bce4251c99';
+        var aborted = false;
+        var startTime = Date.now();
+        var toolCallCount = 0;
+        var iterationCount = 0;
+        var consoleCalls = 0;
+        var consoleOutputBytes = 0;
+
+        // Pending tool call resolvers: callId -> { resolve, reject }
+        var pendingToolCalls = {};
+
+        // ============================================================
+        // Safe Error
+        // ============================================================
+        function createSafeError(message, name) {
+          var error = new Error(message);
+          error.name = name || 'Error';
+          try {
+            Object.setPrototypeOf(error, null);
+          } catch (e) {}
+          try {
+            Object.defineProperty(error, 'constructor', {
+              value: null,
+              writable: false,
+              configurable: false,
+              enumerable: false,
+            });
+            Object.defineProperty(error, '__proto__', {
+              value: null,
+              writable: false,
+              configurable: false,
+              enumerable: false,
+            });
+            Object.defineProperty(error, 'stack', {
+              value: undefined,
+              writable: false,
+              configurable: false,
+              enumerable: false,
+            });
+          } catch (e) {}
+          try {
+            Object.freeze(error);
+          } catch (e) {}
+          return error;
+        }
+
+        // ============================================================
+        // Secure Proxy
+        // ============================================================
+        var blockedPropertiesSet = new Set([
+          '__proto__',
+          'prototype',
+          'constructor',
+          '__defineGetter__',
+          '__defineSetter__',
+          '__lookupGetter__',
+          '__lookupSetter__',
+        ]);
+        var proxyCache = new WeakMap();
+
+        function createSecureProxy(obj, depth) {
+          if (depth === undefined) depth = 0;
+          if (depth > 10) return obj;
+          if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) return obj;
+          if (proxyCache.has(obj)) return proxyCache.get(obj);
+
+          var proxy = new Proxy(obj, {
+            get: function (target, property, receiver) {
+              var propName = String(property);
+              var descriptor = Object.getOwnPropertyDescriptor(target, property);
+              var isNonConfigurable = descriptor && !descriptor.configurable;
+
+              if (descriptor && isNonConfigurable && 'value' in descriptor && descriptor.writable === false) {
+                return descriptor.value;
+              }
+
+              if (blockedPropertiesSet.has(propName)) {
+                if (isNonConfigurable) return Reflect.get(target, property, receiver);
+                throw createSafeError("Security violation: Access to '" + propName + "' is blocked.");
+              }
+
+              var value = Reflect.get(target, property, receiver);
+              if (typeof value === 'function') {
+                var boundMethod = value.bind(target);
+                return createSecureProxy(boundMethod, depth + 1);
+              }
+              if (value !== null && typeof value === 'object') {
+                return createSecureProxy(value, depth + 1);
+              }
+              return value;
+            },
+            set: function (target, property, value, receiver) {
+              var propName = String(property);
+              if (blockedPropertiesSet.has(propName)) {
+                throw createSafeError("Security violation: Setting '" + propName + "' is blocked.");
+              }
+              return Reflect.set(target, property, value, receiver);
+            },
+            getPrototypeOf: function () {
+              return null;
+            },
+          });
+
+          proxyCache.set(obj, proxy);
+          return proxy;
+        }
+
+        // ============================================================
+        // PostMessage Communication with Outer Iframe
+        // ============================================================
+        function sendToOuter(msg) {
+          msg.__enclave_msg__ = true;
+          msg.requestId = requestId;
+          try {
+            window.parent.postMessage(msg, '*');
+          } catch (e) {
+            /* ignore */
+          }
+        }
+
+        // Listen for messages from outer iframe
+        window.addEventListener('message', function (event) {
+          var data = event.data;
+          if (!data || data.__enclave_msg__ !== true) return;
+          if (data.requestId !== requestId) return;
+
+          if (data.type === 'tool-response') {
+            var pending = pendingToolCalls[data.callId];
+            if (pending) {
+              delete pendingToolCalls[data.callId];
+              if (data.error) {
+                pending.reject(createSafeError(data.error.message, data.error.name));
+              } else {
+                pending.resolve(data.result);
+              }
+            }
+          } else if (data.type === 'abort') {
+            aborted = true;
+          }
+        });
+
+        // ============================================================
+        // Safe Runtime Functions
+        // ============================================================
+
+        // Generate unique call IDs
+        var callIdCounter = 0;
+        function generateCallId() {
+          return 'c-' + ++callIdCounter + '-' + Date.now().toString(36) + '-' + Math.random().toString(36).slice(2, 8);
+        }
+
+        function __safe_callTool(toolName, args) {
+          if (aborted) throw createSafeError('Execution aborted');
+
+          toolCallCount++;
+          if (toolCallCount > 100) {
+            throw createSafeError('Maximum tool call limit exceeded (100).');
+          }
+
+          if (typeof toolName !== 'string' || !toolName) {
+            throw createSafeError('Tool name must be a non-empty string', 'TypeError');
+          }
+          if (typeof args !== 'object' || args === null || Array.isArray(args)) {
+            throw createSafeError('Tool arguments must be an object', 'TypeError');
+          }
+
+          // Double sanitization
+          var sanitizedArgs;
+          try {
+            sanitizedArgs = JSON.parse(JSON.stringify(args));
+          } catch (e) {
+            throw createSafeError('Tool arguments must be JSON-serializable');
+          }
+
+          var callId = generateCallId();
+
+          return new Promise(function (resolve, reject) {
+            pendingToolCalls[callId] = { resolve: resolve, reject: reject };
+            sendToOuter({
+              type: 'tool-call',
+              callId: callId,
+              toolName: toolName,
+              args: sanitizedArgs,
+            });
+          });
+        }
+
+        function* __safe_forOf(iterable) {
+          var iterations = 0;
+          for (var item of iterable) {
+            if (aborted) throw createSafeError('Execution aborted');
+            iterations++;
+            iterationCount++;
+            if (iterations > 10000) {
+              throw createSafeError('Maximum iteration limit exceeded (10000).');
+            }
+            yield item;
+          }
+        }
+
+        function __safe_for(init, test, update, body) {
+          var iterations = 0;
+          init();
+          while (test()) {
+            if (aborted) throw createSafeError('Execution aborted');
+            iterations++;
+            iterationCount++;
+            if (iterations > 10000) {
+              throw createSafeError('Maximum iteration limit exceeded (10000).');
+            }
+            body();
+            update();
+          }
+        }
+
+        function __safe_while(test, body) {
+          var iterations = 0;
+          while (test()) {
+            if (aborted) throw createSafeError('Execution aborted');
+            iterations++;
+            iterationCount++;
+            if (iterations > 10000) {
+              throw createSafeError('Maximum iteration limit exceeded (10000).');
+            }
+            body();
+          }
+        }
+
+        function __safe_doWhile(body, test) {
+          var iterations = 0;
+          do {
+            if (aborted) throw createSafeError('Execution aborted');
+            iterations++;
+            iterationCount++;
+            if (iterations > 10000) {
+              throw createSafeError('Maximum iteration limit exceeded (10000).');
+            }
+            body();
+          } while (test());
+        }
+
+        function __safe_concat(left, right) {
+          if (typeof left === 'number' && typeof right === 'number') return left + right;
+          var result = left + right;
+          return result;
+        }
+
+        function __safe_template(quasis) {
+          var values = [];
+          for (var i = 1; i < arguments.length; i++) values.push(arguments[i]);
+          var result = quasis[0];
+          for (var j = 0; j < values.length; j++) {
+            result += String(values[j]) + quasis[j + 1];
+          }
+          return result;
+        }
+
+        function __safe_parallel(fns, options) {
+          if (!Array.isArray(fns)) throw createSafeError('parallel requires an array of functions', 'TypeError');
+          if (fns.length === 0) return Promise.resolve([]);
+          if (fns.length > 100) throw createSafeError('Cannot execute more than 100 operations in parallel.');
+
+          for (var i = 0; i < fns.length; i++) {
+            if (typeof fns[i] !== 'function')
+              throw createSafeError('Item at index ' + i + ' is not a function', 'TypeError');
+          }
+
+          var concurrency = Math.min(Math.max(1, (options && options.maxConcurrency) || 10), 20);
+          var results = new Array(fns.length);
+          var errors = [];
+          var currentIndex = 0;
+
+          function runNext() {
+            return new Promise(function (resolve) {
+              function step() {
+                if (currentIndex >= fns.length) {
+                  resolve();
+                  return;
+                }
+                if (aborted) {
+                  resolve();
+                  return;
+                }
+                var index = currentIndex++;
+                Promise.resolve()
+                  .then(function () {
+                    return fns[index]();
+                  })
+                  .then(function (result) {
+                    results[index] = result;
+                    step();
+                  })
+                  .catch(function (error) {
+                    errors.push({ index: index, error: error });
+                    step();
+                  });
+              }
+              step();
+            });
+          }
+
+          var workers = [];
+          for (var w = 0; w < Math.min(concurrency, fns.length); w++) workers.push(runNext());
+
+          return Promise.all(workers).then(function () {
+            if (errors.length > 0) {
+              var msgs = errors
+                .map(function (e) {
+                  return '[' + e.index + ']: ' + ((e.error && e.error.message) || e.error);
+                })
+                .join('\n');
+              throw createSafeError(errors.length + ' of ' + fns.length + ' parallel operations failed:\n' + msgs);
+            }
+            return results;
+          });
+        }
+
+        // ============================================================
+        // Console Implementation (relayed via postMessage)
+        // ============================================================
+        var safeConsole = {};
+        ['log', 'warn', 'error', 'info'].forEach(function (level) {
+          safeConsole[level] = function () {
+            consoleCalls++;
+            if (consoleCalls > 1000) return;
+
+            var args = [];
+            for (var i = 0; i < arguments.length; i++) {
+              var arg = arguments[i];
+              try {
+                args.push(typeof arg === 'object' ? JSON.parse(JSON.stringify(arg)) : arg);
+              } catch (e) {
+                args.push(String(arg));
+              }
+            }
+
+            var size = 0;
+            try {
+              size = JSON.stringify(args).length;
+            } catch (e) {}
+            consoleOutputBytes += size;
+            if (consoleOutputBytes > 1048576) return;
+
+            sendToOuter({ type: 'console', level: level, args: args });
+          };
+        });
+
+        // ============================================================
+        // Prototype Hardening
+        // ============================================================
+
+        // Shadow __proto__ on error prototypes
+        (function () {
+          var errorProtos = [
+            Error.prototype,
+            TypeError.prototype,
+            RangeError.prototype,
+            SyntaxError.prototype,
+            ReferenceError.prototype,
+            URIError.prototype,
+            EvalError.prototype,
+          ];
+          for (var i = 0; i < errorProtos.length; i++) {
+            try {
+              Object.defineProperty(errorProtos[i], '__proto__', {
+                get: function () {
+                  return null;
+                },
+                set: function () {},
+                configurable: false,
+                enumerable: false,
+              });
+            } catch (e) {}
+          }
+        })();
+
+        // Block legacy prototype methods
+        (function () {
+          var methods = ['__lookupGetter__', '__lookupSetter__', '__defineGetter__', '__defineSetter__'];
+          for (var i = 0; i < methods.length; i++) {
+            try {
+              Object.defineProperty(Object.prototype, methods[i], {
+                value: function () {
+                  return undefined;
+                },
+                writable: false,
+                configurable: false,
+                enumerable: false,
+              });
+            } catch (e) {}
+          }
+        })();
+
+        // Memory-safe prototype patches
+        (function () {
+          var ml = 1048576;
+          var totalTracked = 0;
+          function track(bytes) {
+            totalTracked += bytes;
+            if (totalTracked > ml) throw new RangeError('Memory limit exceeded');
+          }
+
+          var stringProto = Object.getPrototypeOf('');
+          var arrayProto = Object.getPrototypeOf([]);
+
+          try {
+            var origRepeat = stringProto.repeat;
+            Object.defineProperty(stringProto, 'repeat', {
+              value: function (count) {
+                var est = this.length * count * 2;
+                if (est > ml) throw new RangeError('String.repeat would exceed memory limit');
+                track(est);
+                return origRepeat.call(this, count);
+              },
+              writable: false,
+              configurable: false,
+            });
+          } catch (e) {}
+
+          try {
+            var origJoin = arrayProto.join;
+            Object.defineProperty(arrayProto, 'join', {
+              value: function (sep) {
+                var s = sep === undefined ? ',' : String(sep);
+                var est = 0;
+                for (var i = 0; i < this.length; i++) {
+                  var item = this[i];
+                  est += item === null || item === undefined ? 0 : String(item).length;
+                  if (i > 0) est += s.length;
+                }
+                est *= 2;
+                if (est > ml) throw new RangeError('Array.join would exceed memory limit');
+                track(est);
+                return origJoin.call(this, sep);
+              },
+              writable: false,
+              configurable: false,
+            });
+          } catch (e) {}
+
+          try {
+            var origFill = arrayProto.fill;
+            Object.defineProperty(arrayProto, 'fill', {
+              value: function (value, start, end) {
+                var len = this.length >>> 0;
+                var k = start === undefined ? 0 : start >> 0;
+                var finalEnd = end === undefined ? len : end >> 0;
+                if (k < 0) k = Math.max(len + k, 0);
+                else k = Math.min(k, len);
+                if (finalEnd < 0) finalEnd = Math.max(len + finalEnd, 0);
+                else finalEnd = Math.min(finalEnd, len);
+                var fillCount = Math.max(0, finalEnd - k);
+                var est = fillCount * 8;
+                if (est > ml) throw new RangeError('Array.fill would exceed memory limit');
+                track(est);
+                return origFill.call(this, value, start, end);
+              },
+              writable: false,
+              configurable: false,
+            });
+          } catch (e) {}
+        })();
+
+        // Freeze all prototypes
+        (function () {
+          var protos = [
+            Object.prototype,
+            Array.prototype,
+            Function.prototype,
+            String.prototype,
+            Number.prototype,
+            Boolean.prototype,
+            Date.prototype,
+            Error.prototype,
+            TypeError.prototype,
+            RangeError.prototype,
+            SyntaxError.prototype,
+            ReferenceError.prototype,
+            URIError.prototype,
+            EvalError.prototype,
+            Promise.prototype,
+          ];
+          for (var i = 0; i < protos.length; i++) {
+            try {
+              Object.freeze(protos[i]);
+            } catch (e) {}
+          }
+        })();
+
+        // ============================================================
+        // Remove Dangerous Globals
+        // ============================================================
+        var dangerousGlobals = [
+          'Function',
+          'eval',
+          'SharedArrayBuffer',
+          'Atomics',
+          'WebAssembly',
+          'ShadowRealm',
+          'WeakRef',
+          'FinalizationRegistry',
+        ];
+        for (var dg = 0; dg < dangerousGlobals.length; dg++) {
+          try {
+            delete window[dangerousGlobals[dg]];
+          } catch (e) {
+            try {
+              window[dangerousGlobals[dg]] = undefined;
+            } catch (e2) {}
+          }
+        }
+
+        // Always remove browser-specific dangerous globals
+        var browserDangerous = [
+          'fetch',
+          'XMLHttpRequest',
+          'WebSocket',
+          'EventSource',
+          'Worker',
+          'SharedWorker',
+          'ServiceWorker',
+          'importScripts',
+          'localStorage',
+          'sessionStorage',
+          'indexedDB',
+          'caches',
+          'navigator',
+          'open',
+          'close',
+          'alert',
+          'confirm',
+          'prompt',
+        ];
+        for (var bd = 0; bd < browserDangerous.length; bd++) {
+          try {
+            delete window[browserDangerous[bd]];
+          } catch (e) {
+            try {
+              window[browserDangerous[bd]] = undefined;
+            } catch (e2) {}
+          }
+        }
+
+        // ============================================================
+        // Inject Safe Globals
+        // ============================================================
+        var SafeObject = function (value) {
+          if (value === null || value === undefined) return {};
+          return Object(value);
+        };
+        var safeObjMethods = [
+          'keys',
+          'values',
+          'entries',
+          'fromEntries',
+          'assign',
+          'is',
+          'hasOwn',
+          'freeze',
+          'isFrozen',
+          'seal',
+          'isSealed',
+          'preventExtensions',
+          'isExtensible',
+          'getOwnPropertyNames',
+          'getOwnPropertySymbols',
+          'getPrototypeOf',
+        ];
+        for (var sm = 0; sm < safeObjMethods.length; sm++) {
+          if (safeObjMethods[sm] in Object) SafeObject[safeObjMethods[sm]] = Object[safeObjMethods[sm]];
+        }
+        SafeObject.create = function (proto, props) {
+          if (props !== undefined) throw createSafeError('Object.create with property descriptors is not allowed');
+          return Object.create(proto);
+        };
+        SafeObject.prototype = Object.prototype;
+
+        var blockedObjMethods = [
+          'defineProperty',
+          'defineProperties',
+          'setPrototypeOf',
+          'getOwnPropertyDescriptor',
+          'getOwnPropertyDescriptors',
+        ];
+        for (var bm = 0; bm < blockedObjMethods.length; bm++) {
+          (function (method) {
+            SafeObject[method] = function () {
+              throw createSafeError('Object.' + method + ' is not allowed (security restriction)');
+            };
+          })(blockedObjMethods[bm]);
+        }
+
+        // Save reference to Object.defineProperty before neutralizing it
+        var _defineProperty = Object.defineProperty;
+
+        // Neutralize dangerous static methods on intrinsic Object
+        (function () {
+          var RealObject = Object.getPrototypeOf({}).constructor;
+          var dangerous = [
+            'getOwnPropertyDescriptors',
+            'getOwnPropertyDescriptor',
+            'defineProperty',
+            'defineProperties',
+            'setPrototypeOf',
+          ];
+          for (var i = 0; i < dangerous.length; i++) {
+            try {
+              delete RealObject[dangerous[i]];
+            } catch (e) {}
+          }
+        })();
+
+        // Define all safe globals as non-writable, non-configurable, non-enumerable
+        var safeGlobals = {
+          __safe_callTool: createSecureProxy(__safe_callTool),
+          callTool: createSecureProxy(__safe_callTool),
+          __safe_forOf: createSecureProxy(__safe_forOf),
+          __safe_for: createSecureProxy(__safe_for),
+          __safe_while: createSecureProxy(__safe_while),
+          __safe_doWhile: createSecureProxy(__safe_doWhile),
+          __safe_concat: __safe_concat,
+          __safe_template: __safe_template,
+          __safe_parallel: createSecureProxy(__safe_parallel),
+          parallel: createSecureProxy(__safe_parallel),
+          __safe_console: safeConsole,
+          console: safeConsole,
+          __maxIterations: 10000,
+          Math: createSecureProxy(Math),
+          JSON: createSecureProxy(JSON),
+          Array: createSecureProxy(Array),
+          Object: createSecureProxy(SafeObject),
+          String: createSecureProxy(String),
+          Number: createSecureProxy(Number),
+          Date: createSecureProxy(Date),
+          Boolean: createSecureProxy(Boolean),
+          RegExp: createSecureProxy(RegExp),
+          Error: createSecureProxy(Error),
+          TypeError: createSecureProxy(TypeError),
+          RangeError: createSecureProxy(RangeError),
+          Promise: createSecureProxy(Promise),
+          undefined: undefined,
+          NaN: NaN,
+          Infinity: Infinity,
+          isNaN: isNaN,
+          isFinite: isFinite,
+          parseInt: parseInt,
+          parseFloat: parseFloat,
+          encodeURI: encodeURI,
+          decodeURI: decodeURI,
+          encodeURIComponent: encodeURIComponent,
+          decodeURIComponent: decodeURIComponent,
+        };
+
+        // Inject custom globals if provided
+        var customGlobals = {};
+        for (var cgKey in customGlobals) {
+          if (customGlobals.hasOwnProperty(cgKey)) {
+            safeGlobals[cgKey] = createSecureProxy(customGlobals[cgKey]);
+            safeGlobals['__safe_' + cgKey] = createSecureProxy(customGlobals[cgKey]);
+          }
+        }
+
+        for (var gKey in safeGlobals) {
+          if (safeGlobals.hasOwnProperty(gKey)) {
+            try {
+              _defineProperty(window, gKey, {
+                value: safeGlobals[gKey],
+                writable: false,
+                configurable: false,
+                enumerable: false,
+              });
+            } catch (e) {}
+          }
+        }
+
+        // ============================================================
+        // Execute User Code
+        // ============================================================
+        (async function () {
+          // Shadow non-deletable browser globals so user code sees undefined
+          var document = undefined;
+
+          try {
+            // The transformed code defines __ag_main as a function declaration.
+            // We embed it directly — CSP 'unsafe-inline' allows inline scripts
+            // but blocks eval/new Function.
+            async function __ag_main() {
+              return 42;
+            }
+
+            var result = typeof __ag_main === 'function' ? await __ag_main() : undefined;
+
+            // Sanitize result before sending
+            var safeResult;
+            try {
+              safeResult = JSON.parse(JSON.stringify(result));
+            } catch (e) {
+              safeResult = undefined;
+            }
+
+            sendToOuter({
+              type: 'result',
+              success: true,
+              value: safeResult,
+              stats: {
+                duration: Date.now() - startTime,
+                toolCallCount: toolCallCount,
+                iterationCount: iterationCount,
+                startTime: startTime,
+                endTime: Date.now(),
+              },
+            });
+          } catch (error) {
+            sendToOuter({
+              type: 'result',
+              success: false,
+              error: {
+                name: error && error.name ? String(error.name) : 'Error',
+                message: error && error.message ? String(error.message) : 'Unknown error',
+                code: error && error.code ? String(error.code) : undefined,
+              },
+              stats: {
+                duration: Date.now() - startTime,
+                toolCallCount: toolCallCount,
+                iterationCount: iterationCount,
+                startTime: startTime,
+                endTime: Date.now(),
+              },
+            });
+          }
+        })();
+      })();
+    </script>
+  </body>
+</html>
diff --git a/libs/browser/e2e/fixtures/debug-outer.html b/libs/browser/e2e/fixtures/debug-outer.html
new file mode 100644
index 0000000..37ac80e
--- /dev/null
+++ b/libs/browser/e2e/fixtures/debug-outer.html
@@ -0,0 +1,358 @@
+<!doctype html>
+<html>
+  <head>
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'"
+    />
+    <title>Enclave Outer Sandbox</title>
+  </head>
+  <body>
+    <script>
+      'use strict';
+      (function () {
+        var requestId = '4ccc7a32-bd28-4db5-811d-2ea209be9e6b';
+        var aborted = false;
+        var completed = false;
+
+        // ============================================================
+        // Safe Error
+        // ============================================================
+        function createSafeError(message, name) {
+          var error = new Error(message);
+          error.name = name || 'Error';
+          try {
+            Object.setPrototypeOf(error, null);
+          } catch (e) {}
+          try {
+            Object.freeze(error);
+          } catch (e) {}
+          return error;
+        }
+
+        // ============================================================
+        // Validation Configuration
+        // ============================================================
+        var validationConfig = {
+          validateOperationNames: true,
+          maxOperationsPerSecond: 100,
+          blockSuspiciousSequences: true,
+          rapidEnumerationThreshold: 30,
+          rapidEnumerationOverrides: {},
+        };
+
+        // Suspicious pattern detectors
+        var suspiciousPatterns = [
+          {
+            id: 'EXFIL_LIST_SEND',
+            description: 'List/query followed by send/export (potential exfiltration)',
+            detect: function (operationName, args, history) {
+              var recentQueries = history.filter(function (h) {
+                return (
+                  /list|query|get|fetch|read|search|find|select/i.test(h.operationName) &&
+                  Date.now() - h.timestamp < 5000
+                );
+              });
+              var isSendOperation = /send|export|post|write|upload|publish|emit|transmit|forward/i.test(operationName);
+              return recentQueries.length > 0 && isSendOperation;
+            },
+          },
+          {
+            id: 'RAPID_ENUMERATION',
+            description: 'Rapid enumeration of resources',
+            detect: function (operationName, args, history) {
+              var now = Date.now();
+              var recentSame = history.filter(function (h) {
+                return h.operationName === operationName && now - h.timestamp < 5000;
+              });
+              var threshold = 30;
+              try {
+                if (typeof validationConfig !== 'undefined') {
+                  threshold =
+                    (validationConfig.rapidEnumerationOverrides &&
+                      validationConfig.rapidEnumerationOverrides[operationName]) ||
+                    validationConfig.rapidEnumerationThreshold ||
+                    30;
+                }
+              } catch (e) {
+                threshold = 30;
+              }
+              return recentSame.length > threshold;
+            },
+          },
+          {
+            id: 'CREDENTIAL_EXFIL',
+            description: 'Credential access followed by external operation',
+            detect: function (operationName, args, history) {
+              var recentCreds = history.filter(function (h) {
+                return (
+                  /secret|credential|password|token|key|auth|api[_-]?key/i.test(h.operationName) &&
+                  Date.now() - h.timestamp < 10000
+                );
+              });
+              var isExternal = /http|api|external|webhook|slack|email|sms|notification/i.test(operationName);
+              return recentCreds.length > 0 && isExternal;
+            },
+          },
+          {
+            id: 'BULK_OPERATION',
+            description: 'Bulk/batch operation detected',
+            detect: function (operationName, args, history) {
+              var isBulk = /\b(bulk|batch|mass|dump)\b|export[_-]all\b/i.test(operationName);
+              if (typeof args === 'object' && args !== null) {
+                try {
+                  var argStr = JSON.stringify(args).toLowerCase();
+                  if (/limit.*[0-9]{4,}|"\*"|no[_-]?limit/i.test(argStr)) return true;
+                } catch (e) {}
+              }
+              return isBulk;
+            },
+          },
+          {
+            id: 'DELETE_AFTER_ACCESS',
+            description: 'Delete operation after data access (potential cover-up)',
+            detect: function (operationName, args, history) {
+              var isDelete = /delete|remove|destroy|purge|clear|wipe|erase/i.test(operationName);
+              if (!isDelete) return false;
+              var recentAccess = history.filter(function (h) {
+                return (
+                  /list|query|get|fetch|read|search|find|select/i.test(h.operationName) &&
+                  Date.now() - h.timestamp < 30000
+                );
+              });
+              return recentAccess.length > 0;
+            },
+          },
+        ];
+
+        // Operation history for pattern detection
+        var operationHistory = [];
+
+        // Tool call counter
+        var toolCallCount = 0;
+
+        // ============================================================
+        // Validation Logic (ported from parent-vm-bootstrap.ts)
+        // ============================================================
+        function validateOperation(operationName, args) {
+          var now = Date.now();
+
+          // Sliding window cleanup
+          while (operationHistory.length > 0 && now - operationHistory[0].timestamp > 2000) {
+            operationHistory.shift();
+          }
+
+          // Rate limiting
+          var recentOps = operationHistory.filter(function (h) {
+            return now - h.timestamp < 1000;
+          });
+          if (recentOps.length >= validationConfig.maxOperationsPerSecond) {
+            throw createSafeError(
+              'Operation rate limit exceeded (' + validationConfig.maxOperationsPerSecond + ' operations/second)',
+            );
+          }
+
+          // Name validation
+          if (typeof operationName !== 'string' || !operationName) {
+            throw createSafeError('Operation name must be a non-empty string', 'TypeError');
+          }
+
+          // Whitelist check
+          if (validationConfig.validateOperationNames && typeof allowedOperationPattern !== 'undefined') {
+            if (!allowedOperationPattern.test(operationName)) {
+              throw createSafeError('Operation "' + operationName + '" does not match allowed pattern');
+            }
+          }
+
+          // Blacklist check
+          if (typeof blockedOperationPatterns !== 'undefined') {
+            for (var i = 0; i < blockedOperationPatterns.length; i++) {
+              if (blockedOperationPatterns[i].test(operationName)) {
+                throw createSafeError('Operation "' + operationName + '" matches blocked pattern');
+              }
+            }
+          }
+
+          // Suspicious sequence detection
+          if (validationConfig.blockSuspiciousSequences) {
+            for (var j = 0; j < suspiciousPatterns.length; j++) {
+              var pattern = suspiciousPatterns[j];
+              var detected = false;
+              try {
+                detected = !!pattern.detect(operationName, args, operationHistory);
+              } catch (e) {
+                detected = false;
+              }
+              if (detected) {
+                throw createSafeError('Suspicious pattern detected: ' + pattern.description + ' [' + pattern.id + ']');
+              }
+            }
+          }
+        }
+
+        // ============================================================
+        // Message Sending
+        // ============================================================
+        function sendToHost(msg) {
+          msg.__enclave_msg__ = true;
+          msg.requestId = requestId;
+          try {
+            window.parent.postMessage(msg, '*');
+          } catch (e) {}
+        }
+
+        var innerFrame = null;
+
+        function sendToInner(msg) {
+          msg.__enclave_msg__ = true;
+          msg.requestId = requestId;
+          if (innerFrame && innerFrame.contentWindow) {
+            try {
+              innerFrame.contentWindow.postMessage(msg, '*');
+            } catch (e) {}
+          }
+        }
+
+        // ============================================================
+        // Message Relay Logic (Three-Hop)
+        // ============================================================
+        window.addEventListener('message', function (event) {
+          var data = event.data;
+          if (!data || data.__enclave_msg__ !== true) return;
+          if (completed) return;
+
+          var fromInner = innerFrame && event.source === innerFrame.contentWindow;
+          var fromHost = event.source === window.parent;
+          if (data.requestId !== requestId) return;
+
+          // Messages from inner iframe (tool-call, result, console)
+          if (data.type === 'tool-call') {
+            if (!fromInner) return;
+            // Validate before forwarding to host
+            try {
+              // Double sanitize args
+              var sanitizedArgs;
+              try {
+                sanitizedArgs = JSON.parse(JSON.stringify(data.args));
+              } catch (e) {
+                throw createSafeError('Tool arguments must be JSON-serializable');
+              }
+
+              toolCallCount++;
+              validateOperation(data.toolName, sanitizedArgs);
+
+              // Record in history
+              operationHistory.push({
+                operationName: data.toolName,
+                timestamp: Date.now(),
+                argKeys: sanitizedArgs && typeof sanitizedArgs === 'object' ? Object.keys(sanitizedArgs) : [],
+              });
+
+              // Forward validated tool call to host
+              sendToHost({
+                type: 'tool-call',
+                callId: data.callId,
+                toolName: data.toolName,
+                args: sanitizedArgs,
+              });
+            } catch (error) {
+              // Validation failed - send error back to inner as tool-response
+              sendToInner({
+                type: 'tool-response',
+                callId: data.callId,
+                error: {
+                  name: error && error.name ? String(error.name) : 'ValidationError',
+                  message: error && error.message ? String(error.message) : 'Validation failed',
+                },
+              });
+            }
+          } else if (data.type === 'result') {
+            if (!fromInner) return;
+            // Forward execution result to host
+            completed = true;
+            sendToHost({
+              type: 'result',
+              success: data.success,
+              value: data.value,
+              error: data.error,
+              stats: data.stats,
+            });
+          } else if (data.type === 'console') {
+            if (!fromInner) return;
+            // Forward console output to host
+            sendToHost({
+              type: 'console',
+              level: data.level,
+              args: data.args,
+            });
+          } else if (data.type === 'tool-response') {
+            if (!fromHost) return;
+            // Message from host - forward tool response to inner
+            sendToInner({
+              type: 'tool-response',
+              callId: data.callId,
+              result: data.result,
+              error: data.error,
+            });
+          } else if (data.type === 'abort') {
+            if (!fromHost) return;
+            // Abort from host - forward to inner and destroy it
+            aborted = true;
+            sendToInner({ type: 'abort' });
+            // Remove inner iframe for hard termination
+            if (innerFrame && innerFrame.parentNode) {
+              innerFrame.parentNode.removeChild(innerFrame);
+              innerFrame = null;
+            }
+          }
+        });
+
+        // ============================================================
+        // Create Inner Iframe
+        // ============================================================
+        var innerHtml =
+          "<!DOCTYPE html><html><head><meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'\"><title>Enclave Inner Sandbox<\/title><\/head><body><script>\"use strict\";\n(function() {\n  var requestId = \"4ccc7a32-bd28-4db5-811d-2ea209be9e6b\";\n  var aborted = false;\n  var startTime = Date.now();\n  var toolCallCount = 0;\n  var iterationCount = 0;\n  var consoleCalls = 0;\n  var consoleOutputBytes = 0;\n\n  // Pending tool call resolvers: callId -> { resolve, reject }\n  var pendingToolCalls = {};\n\n  // ============================================================\n  // Safe Error\n  // ============================================================\n  function createSafeError(message, name) {\n    var error = new Error(message);\n    error.name = name || 'Error';\n    try { Object.setPrototypeOf(error, null); } catch(e) {}\n    try {\n      Object.defineProperty(error, 'constructor', { value: null, writable: false, configurable: false, enumerable: false });\n      Object.defineProperty(error, '__proto__', { value: null, writable: false, configurable: false, enumerable: false });\n      Object.defineProperty(error, 'stack', { value: undefined, writable: false, configurable: false, enumerable: false });\n    } catch(e) {}\n    try { Object.freeze(error); } catch(e) {}\n    return error;\n  }\n\n  // ============================================================\n  // Secure Proxy\n  // ============================================================\n  var blockedPropertiesSet = new Set([\"__proto__\",\"prototype\",\"constructor\",\"__defineGetter__\",\"__defineSetter__\",\"__lookupGetter__\",\"__lookupSetter__\"]);\n  var proxyCache = new WeakMap();\n\n  function createSecureProxy(obj, depth) {\n    if (depth === undefined) depth = 0;\n    if (depth > 10) return obj;\n    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) return obj;\n    if (proxyCache.has(obj)) return proxyCache.get(obj);\n\n    var proxy = new Proxy(obj, {\n      get: function(target, property, receiver) {\n        var propName = String(property);\n        var descriptor = Object.getOwnPropertyDescriptor(target, property);\n        var isNonConfigurable = descriptor && !descriptor.configurable;\n\n        if (descriptor && isNonConfigurable && 'value' in descriptor && descriptor.writable === false) {\n          return descriptor.value;\n        }\n\n        if (blockedPropertiesSet.has(propName)) {\n          if (isNonConfigurable) return Reflect.get(target, property, receiver);\n          throw createSafeError(\"Security violation: Access to '\" + propName + \"' is blocked.\");\n        }\n\n        var value = Reflect.get(target, property, receiver);\n        if (typeof value === 'function') {\n          var boundMethod = value.bind(target);\n          return createSecureProxy(boundMethod, depth + 1);\n        }\n        if (value !== null && typeof value === 'object') {\n          return createSecureProxy(value, depth + 1);\n        }\n        return value;\n      },\n      set: function(target, property, value, receiver) {\n        var propName = String(property);\n        if (blockedPropertiesSet.has(propName)) {\n          throw createSafeError(\"Security violation: Setting '\" + propName + \"' is blocked.\");\n        }\n        return Reflect.set(target, property, value, receiver);\n      },\n      getPrototypeOf: function() { return null; }\n    });\n\n    proxyCache.set(obj, proxy);\n    return proxy;\n  }\n\n  // ============================================================\n  // PostMessage Communication with Outer Iframe\n  // ============================================================\n  function sendToOuter(msg) {\n    msg.__enclave_msg__ = true;\n    msg.requestId = requestId;\n    try {\n      window.parent.postMessage(msg, '*');\n    } catch(e) { /* ignore */ }\n  }\n\n  // Listen for messages from outer iframe\n  window.addEventListener('message', function(event) {\n    var data = event.data;\n    if (!data || data.__enclave_msg__ !== true) return;\n\n    if (data.type === 'tool-response') {\n      var pending = pendingToolCalls[data.callId];\n      if (pending) {\n        delete pendingToolCalls[data.callId];\n        if (data.error) {\n          pending.reject(createSafeError(data.error.message, data.error.name));\n        } else {\n          pending.resolve(data.result);\n        }\n      }\n    } else if (data.type === 'abort') {\n      aborted = true;\n    }\n  });\n\n  // ============================================================\n  // Safe Runtime Functions\n  // ============================================================\n\n  // Generate unique call IDs\n  var callIdCounter = 0;\n  function generateCallId() {\n    return 'c-' + (++callIdCounter) + '-' + Date.now().toString(36) + '-' + Math.random().toString(36).slice(2, 8);\n  }\n\n  function __safe_callTool(toolName, args) {\n    if (aborted) throw createSafeError('Execution aborted');\n\n    toolCallCount++;\n    if (toolCallCount > 100) {\n      throw createSafeError('Maximum tool call limit exceeded (100).');\n    }\n\n    if (typeof toolName !== 'string' || !toolName) {\n      throw createSafeError('Tool name must be a non-empty string', 'TypeError');\n    }\n    if (typeof args !== 'object' || args === null || Array.isArray(args)) {\n      throw createSafeError('Tool arguments must be an object', 'TypeError');\n    }\n\n    // Double sanitization\n    var sanitizedArgs;\n    try { sanitizedArgs = JSON.parse(JSON.stringify(args)); }\n    catch(e) { throw createSafeError('Tool arguments must be JSON-serializable'); }\n\n    var callId = generateCallId();\n\n    return new Promise(function(resolve, reject) {\n      pendingToolCalls[callId] = { resolve: resolve, reject: reject };\n      sendToOuter({\n        type: 'tool-call',\n        callId: callId,\n        toolName: toolName,\n        args: sanitizedArgs\n      });\n    });\n  }\n\n  function* __safe_forOf(iterable) {\n    var iterations = 0;\n    for (var item of iterable) {\n      if (aborted) throw createSafeError('Execution aborted');\n      iterations++;\n      iterationCount++;\n      if (iterations > 10000) {\n        throw createSafeError('Maximum iteration limit exceeded (10000).');\n      }\n      yield item;\n    }\n  }\n\n  function __safe_for(init, test, update, body) {\n    var iterations = 0;\n    init();\n    while (test()) {\n      if (aborted) throw createSafeError('Execution aborted');\n      iterations++;\n      iterationCount++;\n      if (iterations > 10000) {\n        throw createSafeError('Maximum iteration limit exceeded (10000).');\n      }\n      body();\n      update();\n    }\n  }\n\n  function __safe_while(test, body) {\n    var iterations = 0;\n    while (test()) {\n      if (aborted) throw createSafeError('Execution aborted');\n      iterations++;\n      iterationCount++;\n      if (iterations > 10000) {\n        throw createSafeError('Maximum iteration limit exceeded (10000).');\n      }\n      body();\n    }\n  }\n\n  function __safe_doWhile(body, test) {\n    var iterations = 0;\n    do {\n      if (aborted) throw createSafeError('Execution aborted');\n      iterations++;\n      iterationCount++;\n      if (iterations > 10000) {\n        throw createSafeError('Maximum iteration limit exceeded (10000).');\n      }\n      body();\n    } while (test());\n  }\n\n  function __safe_concat(left, right) {\n    if (typeof left === 'number' && typeof right === 'number') return left + right;\n    var result = (left) + (right);\n    return result;\n  }\n\n  function __safe_template(quasis) {\n    var values = [];\n    for (var i = 1; i < arguments.length; i++) values.push(arguments[i]);\n    var result = quasis[0];\n    for (var j = 0; j < values.length; j++) {\n      result += String(values[j]) + quasis[j + 1];\n    }\n    return result;\n  }\n\n  function __safe_parallel(fns, options) {\n    if (!Array.isArray(fns)) throw createSafeError('parallel requires an array of functions', 'TypeError');\n    if (fns.length === 0) return Promise.resolve([]);\n    if (fns.length > 100) throw createSafeError('Cannot execute more than 100 operations in parallel.');\n\n    for (var i = 0; i < fns.length; i++) {\n      if (typeof fns[i] !== 'function') throw createSafeError('Item at index ' + i + ' is not a function', 'TypeError');\n    }\n\n    var concurrency = Math.min(Math.max(1, (options && options.maxConcurrency) || 10), 20);\n    var results = new Array(fns.length);\n    var errors = [];\n    var currentIndex = 0;\n\n    function runNext() {\n      return new Promise(function(resolve) {\n        function step() {\n          if (currentIndex >= fns.length) { resolve(); return; }\n          if (aborted) { resolve(); return; }\n          var index = currentIndex++;\n          Promise.resolve().then(function() { return fns[index](); }).then(function(result) {\n            results[index] = result;\n            step();\n          }).catch(function(error) {\n            errors.push({ index: index, error: error });\n            step();\n          });\n        }\n        step();\n      });\n    }\n\n    var workers = [];\n    for (var w = 0; w < Math.min(concurrency, fns.length); w++) workers.push(runNext());\n\n    return Promise.all(workers).then(function() {\n      if (errors.length > 0) {\n        var msgs = errors.map(function(e) { return '[' + e.index + ']: ' + (e.error && e.error.message || e.error); }).join('\\n');\n        throw createSafeError(errors.length + ' of ' + fns.length + ' parallel operations failed:\\n' + msgs);\n      }\n      return results;\n    });\n  }\n\n  // ============================================================\n  // Console Implementation (relayed via postMessage)\n  // ============================================================\n  var safeConsole = {};\n  ['log', 'warn', 'error', 'info'].forEach(function(level) {\n    safeConsole[level] = function() {\n      consoleCalls++;\n      if (consoleCalls > 1000) return;\n\n      var args = [];\n      for (var i = 0; i < arguments.length; i++) {\n        var arg = arguments[i];\n        try { args.push(typeof arg === 'object' ? JSON.parse(JSON.stringify(arg)) : arg); }\n        catch(e) { args.push(String(arg)); }\n      }\n\n      var size = 0;\n      try { size = JSON.stringify(args).length; } catch(e) {}\n      consoleOutputBytes += size;\n      if (consoleOutputBytes > 1048576) return;\n\n      sendToOuter({ type: 'console', level: level, args: args });\n    };\n  });\n\n  // ============================================================\n  // Prototype Hardening\n  // ============================================================\n\n  // Shadow __proto__ on error prototypes\n  (function() {\n    var errorProtos = [\n      Error.prototype, TypeError.prototype, RangeError.prototype,\n      SyntaxError.prototype, ReferenceError.prototype, URIError.prototype, EvalError.prototype\n    ];\n    for (var i = 0; i < errorProtos.length; i++) {\n      try {\n        Object.defineProperty(errorProtos[i], '__proto__', {\n          get: function() { return null; },\n          set: function() {},\n          configurable: false,\n          enumerable: false\n        });\n      } catch(e) {}\n    }\n  })();\n\n  // Block legacy prototype methods\n  (function() {\n    var methods = ['__lookupGetter__', '__lookupSetter__', '__defineGetter__', '__defineSetter__'];\n    for (var i = 0; i < methods.length; i++) {\n      try {\n        Object.defineProperty(Object.prototype, methods[i], {\n          value: function() { return undefined; },\n          writable: false,\n          configurable: false,\n          enumerable: false\n        });\n      } catch(e) {}\n    }\n  })();\n\n  // Memory-safe prototype patches\n  (function() {\n    var ml = 1048576;\n    var totalTracked = 0;\n    function track(bytes) {\n      totalTracked += bytes;\n      if (totalTracked > ml) throw new RangeError('Memory limit exceeded');\n    }\n\n    var stringProto = Object.getPrototypeOf('');\n    var arrayProto = Object.getPrototypeOf([]);\n\n    try {\n      var origRepeat = stringProto.repeat;\n      Object.defineProperty(stringProto, 'repeat', { value: function(count) {\n        var est = this.length * count * 2;\n        if (est > ml) throw new RangeError('String.repeat would exceed memory limit');\n        track(est);\n        return origRepeat.call(this, count);\n      }, writable: false, configurable: false });\n    } catch(e) {}\n\n    try {\n      var origJoin = arrayProto.join;\n      Object.defineProperty(arrayProto, 'join', { value: function(sep) {\n        var s = sep === undefined ? ',' : String(sep);\n        var est = 0;\n        for (var i = 0; i < this.length; i++) {\n          var item = this[i];\n          est += (item === null || item === undefined) ? 0 : String(item).length;\n          if (i > 0) est += s.length;\n        }\n        est *= 2;\n        if (est > ml) throw new RangeError('Array.join would exceed memory limit');\n        track(est);\n        return origJoin.call(this, sep);\n      }, writable: false, configurable: false });\n    } catch(e) {}\n\n    try {\n      var origFill = arrayProto.fill;\n      Object.defineProperty(arrayProto, 'fill', { value: function(value, start, end) {\n        var len = this.length >>> 0;\n        var k = (start === undefined ? 0 : (start >> 0));\n        var finalEnd = (end === undefined ? len : (end >> 0));\n        if (k < 0) k = Math.max(len + k, 0); else k = Math.min(k, len);\n        if (finalEnd < 0) finalEnd = Math.max(len + finalEnd, 0); else finalEnd = Math.min(finalEnd, len);\n        var fillCount = Math.max(0, finalEnd - k);\n        var est = fillCount * 8;\n        if (est > ml) throw new RangeError('Array.fill would exceed memory limit');\n        track(est);\n        return origFill.call(this, value, start, end);\n      }, writable: false, configurable: false });\n    } catch(e) {}\n  })();\n\n  // Freeze all prototypes\n  (function() {\n    var protos = [\n      Object.prototype, Array.prototype, Function.prototype,\n      String.prototype, Number.prototype, Boolean.prototype,\n      Date.prototype, Error.prototype, TypeError.prototype,\n      RangeError.prototype, SyntaxError.prototype, ReferenceError.prototype,\n      URIError.prototype, EvalError.prototype, Promise.prototype\n    ];\n    for (var i = 0; i < protos.length; i++) {\n      try { Object.freeze(protos[i]); } catch(e) {}\n    }\n  })();\n\n  // ============================================================\n  // Remove Dangerous Globals\n  // ============================================================\n  var dangerousGlobals = [\"Function\",\"eval\",\"SharedArrayBuffer\",\"Atomics\",\"WebAssembly\",\"ShadowRealm\",\"WeakRef\",\"FinalizationRegistry\"];\n  for (var dg = 0; dg < dangerousGlobals.length; dg++) {\n    try { delete window[dangerousGlobals[dg]]; } catch(e) {\n      try { window[dangerousGlobals[dg]] = undefined; } catch(e2) {}\n    }\n  }\n\n  // Always remove browser-specific dangerous globals\n  var browserDangerous = [\n    'fetch', 'XMLHttpRequest', 'WebSocket', 'EventSource',\n    'Worker', 'SharedWorker', 'ServiceWorker',\n    'importScripts', 'localStorage', 'sessionStorage',\n    'indexedDB', 'caches', 'navigator',\n    'open', 'close', 'alert', 'confirm', 'prompt'\n  ];\n  for (var bd = 0; bd < browserDangerous.length; bd++) {\n    try { delete window[browserDangerous[bd]]; } catch(e) {\n      try { window[browserDangerous[bd]] = undefined; } catch(e2) {}\n    }\n  }\n\n  // ============================================================\n  // Inject Safe Globals\n  // ============================================================\n  var SafeObject = function(value) {\n    if (value === null || value === undefined) return {};\n    return Object(value);\n  };\n  var safeObjMethods = [\n    'keys', 'values', 'entries', 'fromEntries', 'assign', 'is', 'hasOwn',\n    'freeze', 'isFrozen', 'seal', 'isSealed', 'preventExtensions', 'isExtensible',\n    'getOwnPropertyNames', 'getOwnPropertySymbols', 'getPrototypeOf'\n  ];\n  for (var sm = 0; sm < safeObjMethods.length; sm++) {\n    if (safeObjMethods[sm] in Object) SafeObject[safeObjMethods[sm]] = Object[safeObjMethods[sm]];\n  }\n  SafeObject.create = function(proto, props) {\n    if (props !== undefined) throw createSafeError('Object.create with property descriptors is not allowed');\n    return Object.create(proto);\n  };\n  SafeObject.prototype = Object.prototype;\n\n  var blockedObjMethods = ['defineProperty', 'defineProperties', 'setPrototypeOf', 'getOwnPropertyDescriptor', 'getOwnPropertyDescriptors'];\n  for (var bm = 0; bm < blockedObjMethods.length; bm++) {\n    (function(method) {\n      SafeObject[method] = function() {\n        throw createSafeError('Object.' + method + ' is not allowed (security restriction)');\n      };\n    })(blockedObjMethods[bm]);\n  }\n\n  // Neutralize dangerous static methods on intrinsic Object\n  (function() {\n    var RealObject = Object.getPrototypeOf({}).constructor;\n    var dangerous = ['getOwnPropertyDescriptors', 'getOwnPropertyDescriptor', 'defineProperty', 'defineProperties', 'setPrototypeOf'];\n    for (var i = 0; i < dangerous.length; i++) { try { delete RealObject[dangerous[i]]; } catch(e) {} }\n  })();\n\n  // Define all safe globals as non-writable, non-configurable, non-enumerable\n  var safeGlobals = {\n    __safe_callTool: createSecureProxy(__safe_callTool),\n    callTool: createSecureProxy(__safe_callTool),\n    __safe_forOf: createSecureProxy(__safe_forOf),\n    __safe_for: createSecureProxy(__safe_for),\n    __safe_while: createSecureProxy(__safe_while),\n    __safe_doWhile: createSecureProxy(__safe_doWhile),\n    __safe_concat: __safe_concat,\n    __safe_template: __safe_template,\n    __safe_parallel: createSecureProxy(__safe_parallel),\n    parallel: createSecureProxy(__safe_parallel),\n    __safe_console: safeConsole,\n    console: safeConsole,\n    __maxIterations: 10000,\n    Math: createSecureProxy(Math),\n    JSON: createSecureProxy(JSON),\n    Array: createSecureProxy(Array),\n    Object: createSecureProxy(SafeObject),\n    String: createSecureProxy(String),\n    Number: createSecureProxy(Number),\n    Date: createSecureProxy(Date),\n    Boolean: createSecureProxy(Boolean),\n    RegExp: createSecureProxy(RegExp),\n    Error: createSecureProxy(Error),\n    TypeError: createSecureProxy(TypeError),\n    RangeError: createSecureProxy(RangeError),\n    Promise: createSecureProxy(Promise),\n    undefined: undefined,\n    NaN: NaN,\n    Infinity: Infinity,\n    isNaN: isNaN,\n    isFinite: isFinite,\n    parseInt: parseInt,\n    parseFloat: parseFloat,\n    encodeURI: encodeURI,\n    decodeURI: decodeURI,\n    encodeURIComponent: encodeURIComponent,\n    decodeURIComponent: decodeURIComponent\n  };\n\n  // Inject custom globals if provided\n  var customGlobals = {};\n  for (var cgKey in customGlobals) {\n    if (customGlobals.hasOwnProperty(cgKey)) {\n      safeGlobals[cgKey] = createSecureProxy(customGlobals[cgKey]);\n      safeGlobals['__safe_' + cgKey] = createSecureProxy(customGlobals[cgKey]);\n    }\n  }\n\n  for (var gKey in safeGlobals) {\n    if (safeGlobals.hasOwnProperty(gKey)) {\n      try {\n        Object.defineProperty(window, gKey, {\n          value: safeGlobals[gKey],\n          writable: false,\n          configurable: false,\n          enumerable: false\n        });\n      } catch(e) {}\n    }\n  }\n\n  // ============================================================\n  // Execute User Code\n  // ============================================================\n  (async function() {\n    var document = undefined;\n\n    try {\n      // The transformed code defines __ag_main as a function declaration.\n      // We embed it directly — CSP 'unsafe-inline' allows inline scripts\n      // but blocks eval/new Function.\n      async function __ag_main() {\n  return 2 + 3;\n}\n\n\n      var result = typeof __ag_main === 'function' ? await __ag_main() : undefined;\n\n      // Sanitize result before sending\n      var safeResult;\n      try {\n        safeResult = JSON.parse(JSON.stringify(result));\n      } catch(e) {\n        safeResult = undefined;\n      }\n\n      sendToOuter({\n        type: 'result',\n        success: true,\n        value: safeResult,\n        stats: {\n          duration: Date.now() - startTime,\n          toolCallCount: toolCallCount,\n          iterationCount: iterationCount,\n          startTime: startTime,\n          endTime: Date.now()\n        }\n      });\n    } catch(error) {\n      sendToOuter({\n        type: 'result',\n        success: false,\n        error: {\n          name: (error && error.name) ? String(error.name) : 'Error',\n          message: (error && error.message) ? String(error.message) : 'Unknown error',\n          code: (error && error.code) ? String(error.code) : undefined\n        },\n        stats: {\n          duration: Date.now() - startTime,\n          toolCallCount: toolCallCount,\n          iterationCount: iterationCount,\n          startTime: startTime,\n          endTime: Date.now()\n        }\n      });\n    }\n  })();\n})();<\/script><\/body><\/html>";
+
+        innerFrame = document.createElement('iframe');
+        innerFrame.sandbox = 'allow-scripts';
+        innerFrame.srcdoc = innerHtml;
+        innerFrame.style.display = 'none';
+        document.body.appendChild(innerFrame);
+
+        // Signal ready to host
+        sendToHost({ type: 'ready' });
+
+        // ============================================================
+        // Timeout Handling
+        // ============================================================
+        var timeout = 2000;
+        setTimeout(function () {
+          if (!completed) {
+            completed = true;
+            // Hard kill inner iframe
+            if (innerFrame && innerFrame.parentNode) {
+              innerFrame.parentNode.removeChild(innerFrame);
+              innerFrame = null;
+            }
+            sendToHost({
+              type: 'result',
+              success: false,
+              error: {
+                name: 'TimeoutError',
+                message: 'Execution timed out after ' + timeout + 'ms',
+                code: 'EXECUTION_TIMEOUT',
+              },
+              stats: {
+                duration: timeout,
+                toolCallCount: toolCallCount,
+                iterationCount: 0,
+                startTime: Date.now() - timeout,
+                endTime: Date.now(),
+              },
+            });
+          }
+        }, timeout);
+      })();
+    </script>
+  </body>
+</html>
diff --git a/libs/browser/e2e/fixtures/serve.json b/libs/browser/e2e/fixtures/serve.json
new file mode 100644
index 0000000..b308df8
--- /dev/null
+++ b/libs/browser/e2e/fixtures/serve.json
@@ -0,0 +1,3 @@
+{
+  "cleanUrls": false
+}
diff --git a/libs/browser/e2e/fixtures/test-harness.html b/libs/browser/e2e/fixtures/test-harness.html
new file mode 100644
index 0000000..e4d5dea
--- /dev/null
+++ b/libs/browser/e2e/fixtures/test-harness.html
@@ -0,0 +1,14 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <title>Enclave Browser E2E Test Harness</title>
+  </head>
+  <body>
+    <script type="module">
+      import * as EnclaveBrowser from './enclave-browser-bundle.mjs';
+      window.EnclaveBrowser = EnclaveBrowser;
+      window.__enclaveReady = true;
+    </script>
+  </body>
+</html>
diff --git a/libs/browser/e2e/global-setup.ts b/libs/browser/e2e/global-setup.ts
new file mode 100644
index 0000000..18d57ff
--- /dev/null
+++ b/libs/browser/e2e/global-setup.ts
@@ -0,0 +1,10 @@
+import { execFileSync } from 'node:child_process';
+import path from 'node:path';
+
+export default function globalSetup() {
+  const bundleScript = path.resolve(__dirname, 'build-test-bundle.mjs');
+  execFileSync('node', [bundleScript], {
+    cwd: path.resolve(__dirname, '..'),
+    stdio: 'inherit',
+  });
+}
diff --git a/libs/browser/e2e/helpers.ts b/libs/browser/e2e/helpers.ts
new file mode 100644
index 0000000..1f96e14
--- /dev/null
+++ b/libs/browser/e2e/helpers.ts
@@ -0,0 +1,87 @@
+import type { Page } from '@playwright/test';
+
+/**
+ * Navigate to the test harness and wait for the bundle to be ready.
+ */
+export async function loadHarness(page: Page) {
+  await page.goto('/test-harness');
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  await page.waitForFunction(() => (window as any).__enclaveReady === true, null, {
+    timeout: 10_000,
+  });
+}
+
+/** Options forwarded to BrowserEnclave constructor inside evaluate(). */
+export interface RunOptions {
+  securityLevel?: string;
+  timeout?: number;
+  maxIterations?: number;
+  maxToolCalls?: number;
+  maxConsoleCalls?: number;
+  globals?: Record<string, unknown>;
+  validate?: boolean;
+  transform?: boolean;
+}
+
+/**
+ * Create a BrowserEnclave inside the page, run code, dispose, return result.
+ */
+export async function runInEnclave(page: Page, code: string, opts: RunOptions = {}) {
+  return page.evaluate(
+    ({ code, opts }) => {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const EB = (window as any).EnclaveBrowser;
+      const enclave = new EB.BrowserEnclave(opts);
+      return enclave.run(code).then(
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (result: any) => {
+          enclave.dispose();
+          return result;
+        },
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (err: any) => {
+          enclave.dispose();
+          throw err;
+        },
+      );
+    },
+    { code, opts },
+  );
+}
+
+/**
+ * Run code that needs a tool handler.
+ *
+ * page.evaluate() cannot transfer functions across the serialization boundary.
+ * Instead the caller passes the handler body as a string which is reconstructed
+ * inside the page via `new Function()`.  The host page is NOT subject to the
+ * iframe CSP so `new Function()` works fine there.
+ */
+export async function runWithToolHandler(page: Page, code: string, handlerBody: string, opts: RunOptions = {}) {
+  return page.evaluate(
+    ({ code, handlerBody, opts }) => {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const EB = (window as any).EnclaveBrowser;
+      // Reconstruct the handler inside the page
+      const handler = new Function('name', 'args', handlerBody) as (
+        name: string,
+        args: Record<string, unknown>,
+      ) => Promise<unknown>;
+      const asyncHandler = (name: string, args: Record<string, unknown>) => Promise.resolve(handler(name, args));
+      const enclave = new EB.BrowserEnclave({ ...opts, toolHandler: asyncHandler });
+      return enclave.run(code).then(
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (result: any) => {
+          enclave.dispose();
+          return result;
+        },
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        (err: any) => {
+          enclave.dispose();
+          throw err;
+        },
+      );
+    },
+    { code, handlerBody, opts },
+  );
+}
diff --git a/libs/browser/e2e/protocol.spec.ts b/libs/browser/e2e/protocol.spec.ts
new file mode 100644
index 0000000..4e8e190
--- /dev/null
+++ b/libs/browser/e2e/protocol.spec.ts
@@ -0,0 +1,95 @@
+import { test, expect } from '@playwright/test';
+import { loadHarness } from './helpers';
+
+test.describe('protocol', () => {
+  test.beforeEach(async ({ page }) => {
+    await loadHarness(page);
+  });
+
+  test('isEnclaveMessage identifies valid messages', async ({ page }) => {
+    const result = await page.evaluate(() => {
+      const EB = (window as any).EnclaveBrowser;
+      return [
+        EB.isEnclaveMessage({ __enclave_msg__: true, type: 'ready' }),
+        EB.isEnclaveMessage({ __enclave_msg__: true, type: 'tool-call', requestId: '1' }),
+      ];
+    });
+    expect(result).toEqual([true, true]);
+  });
+
+  test('isEnclaveMessage rejects non-enclave data', async ({ page }) => {
+    const result = await page.evaluate(() => {
+      const EB = (window as any).EnclaveBrowser;
+      return [
+        EB.isEnclaveMessage(null),
+        EB.isEnclaveMessage(undefined),
+        EB.isEnclaveMessage(42),
+        EB.isEnclaveMessage('string'),
+        EB.isEnclaveMessage({}),
+        EB.isEnclaveMessage({ __enclave_msg__: false, type: 'ready' }),
+        EB.isEnclaveMessage({ type: 'ready' }),
+      ];
+    });
+    expect(result).toEqual([false, false, false, false, false, false, false]);
+  });
+
+  test('type guards work correctly', async ({ page }) => {
+    const result = await page.evaluate(() => {
+      const EB = (window as any).EnclaveBrowser;
+      return {
+        toolCall: EB.isToolCallMessage({ type: 'tool-call' }),
+        toolCallNeg: EB.isToolCallMessage({ type: 'result' }),
+        result: EB.isResultMessage({ type: 'result' }),
+        resultNeg: EB.isResultMessage({ type: 'tool-call' }),
+        console: EB.isConsoleMessage({ type: 'console' }),
+        consoleNeg: EB.isConsoleMessage({ type: 'result' }),
+        ready: EB.isReadyMessage({ type: 'ready' }),
+        readyNeg: EB.isReadyMessage({ type: 'result' }),
+      };
+    });
+    expect(result.toolCall).toBe(true);
+    expect(result.toolCallNeg).toBe(false);
+    expect(result.result).toBe(true);
+    expect(result.resultNeg).toBe(false);
+    expect(result.console).toBe(true);
+    expect(result.consoleNeg).toBe(false);
+    expect(result.ready).toBe(true);
+    expect(result.readyNeg).toBe(false);
+  });
+
+  test('generateId produces unique strings', async ({ page }) => {
+    const result = await page.evaluate(() => {
+      const EB = (window as any).EnclaveBrowser;
+      const id1 = EB.generateId();
+      const id2 = EB.generateId();
+      return {
+        id1Type: typeof id1,
+        id2Type: typeof id2,
+        id1Len: id1.length > 0,
+        different: id1 !== id2,
+      };
+    });
+    expect(result.id1Type).toBe('string');
+    expect(result.id2Type).toBe('string');
+    expect(result.id1Len).toBe(true);
+    expect(result.different).toBe(true);
+  });
+
+  test('Zod schema validates tool-call message', async ({ page }) => {
+    // The Zod schemas are internal but we can test via the bundle
+    const result = await page.evaluate(() => {
+      const EB = (window as any).EnclaveBrowser;
+      // Check that the type guard works for a well-formed message
+      const msg = {
+        __enclave_msg__: true,
+        type: 'tool-call',
+        requestId: 'req-123',
+        callId: 'call-456',
+        toolName: 'users:list',
+        args: { limit: 10 },
+      };
+      return EB.isEnclaveMessage(msg) && EB.isToolCallMessage(msg);
+    });
+    expect(result).toBe(true);
+  });
+});
diff --git a/libs/browser/e2e/security-isolation.spec.ts b/libs/browser/e2e/security-isolation.spec.ts
new file mode 100644
index 0000000..ece8f2b
--- /dev/null
+++ b/libs/browser/e2e/security-isolation.spec.ts
@@ -0,0 +1,119 @@
+import { test, expect } from '@playwright/test';
+import { loadHarness, runInEnclave } from './helpers';
+
+test.describe('security isolation', () => {
+  test.beforeEach(async ({ page }) => {
+    await loadHarness(page);
+  });
+
+  test('parent window not accessible from sandbox', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+        async function __ag_main() {
+          try {
+            var p = window.parent;
+            var title = p.document.title;
+            return title;
+          } catch (e) {
+            return "blocked";
+          }
+        }
+      `,
+      { validate: false, transform: false, timeout: 5000 },
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toBe('blocked');
+  });
+
+  test('fetch is removed from sandbox', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+        async function __ag_main() {
+          return typeof fetch;
+        }
+      `,
+      { validate: false, transform: false, timeout: 5000 },
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toBe('undefined');
+  });
+
+  test('document is removed from sandbox', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+        async function __ag_main() {
+          return typeof document;
+        }
+      `,
+      { validate: false, transform: false, timeout: 5000 },
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toBe('undefined');
+  });
+
+  test('XMLHttpRequest is removed from sandbox', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+        async function __ag_main() {
+          return typeof XMLHttpRequest;
+        }
+      `,
+      { validate: false, transform: false, timeout: 5000 },
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toBe('undefined');
+  });
+
+  test('CSP blocks eval at runtime', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+        async function __ag_main() {
+          try {
+            eval("1+1");
+            return "eval worked";
+          } catch(e) {
+            return "eval blocked: " + e.message;
+          }
+        }
+      `,
+      { validate: false, transform: false, timeout: 5000 },
+    );
+    expect(result.success).toBe(true);
+    expect(String(result.value)).toContain('eval blocked');
+  });
+
+  test('CSP blocks Function constructor at runtime', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+        async function __ag_main() {
+          try {
+            var fn = new Function("return 1");
+            return "Function worked";
+          } catch(e) {
+            return "Function blocked: " + e.message;
+          }
+        }
+      `,
+      { validate: false, transform: false, timeout: 5000 },
+    );
+    expect(result.success).toBe(true);
+    expect(String(result.value)).toContain('Function blocked');
+  });
+
+  test('dispose cleans up iframes', async ({ page }) => {
+    const iframeCount = await page.evaluate(async () => {
+      const EB = (window as any).EnclaveBrowser;
+      const enclave = new EB.BrowserEnclave({ timeout: 5000 });
+      await enclave.run('return 1');
+      enclave.dispose();
+      return document.querySelectorAll('iframe').length;
+    });
+    expect(iframeCount).toBe(0);
+  });
+});
diff --git a/libs/browser/e2e/timeout.spec.ts b/libs/browser/e2e/timeout.spec.ts
new file mode 100644
index 0000000..5928266
--- /dev/null
+++ b/libs/browser/e2e/timeout.spec.ts
@@ -0,0 +1,70 @@
+import { test, expect } from '@playwright/test';
+import { loadHarness, runInEnclave } from './helpers';
+
+test.describe('timeout and iteration limits', () => {
+  test.beforeEach(async ({ page }) => {
+    await loadHarness(page);
+  });
+
+  test('infinite loop is killed by iteration limit', async ({ page }) => {
+    // In browsers, while(true){} blocks the entire process (same-thread iframes).
+    // The AST transform injects iteration counters that enforce limits.
+    // validate: false bypasses static analysis that rejects while(true).
+    const result = await runInEnclave(
+      page,
+      `
+        while (true) {}
+        return "never";
+      `,
+      { validate: false, maxIterations: 1000, timeout: 5000 },
+    );
+    expect(result.success).toBe(false);
+    expect(result.error?.message).toMatch(/iteration limit/i);
+  });
+
+  test('iteration limit enforced', async ({ page }) => {
+    // Use PERMISSIVE so loops pass validation, but set maxIterations low
+    const result = await runInEnclave(
+      page,
+      `
+        let x = 0;
+        for (let i = 0; i < 999999; i++) { x++; }
+        return x;
+      `,
+      { maxIterations: 100, securityLevel: 'PERMISSIVE' },
+    );
+    expect(result.success).toBe(false);
+    expect(result.error?.message).toMatch(/iteration limit/i);
+  });
+
+  test('code within timeout succeeds', async ({ page }) => {
+    // Simple delay that completes within timeout
+    const result = await runInEnclave(
+      page,
+      `
+        async function __ag_main() {
+          await new Promise(function(r) { setTimeout(r, 50); });
+          return "done";
+        }
+      `,
+      { validate: false, transform: false, timeout: 5000 },
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toBe('done');
+  });
+
+  test('delay exceeding timeout fails', async ({ page }) => {
+    const result = await runInEnclave(
+      page,
+      `
+        async function __ag_main() {
+          await new Promise(function(r) { setTimeout(r, 10000); });
+          return "late";
+        }
+      `,
+      { validate: false, transform: false, timeout: 500 },
+    );
+    expect(result.success).toBe(false);
+    expect(result.error?.message).toMatch(/timed out/i);
+  });
+});
diff --git a/libs/browser/e2e/tool-calls.spec.ts b/libs/browser/e2e/tool-calls.spec.ts
new file mode 100644
index 0000000..8f3ce8d
--- /dev/null
+++ b/libs/browser/e2e/tool-calls.spec.ts
@@ -0,0 +1,109 @@
+import { test, expect } from '@playwright/test';
+import { loadHarness, runWithToolHandler } from './helpers';
+
+test.describe('tool calls', () => {
+  test.beforeEach(async ({ page }) => {
+    await loadHarness(page);
+  });
+
+  test('single tool call returns result', async ({ page }) => {
+    const result = await runWithToolHandler(
+      page,
+      `
+        const users = await callTool("users:list", { limit: 5 });
+        return users;
+      `,
+      `return { items: [{ id: 1 }, { id: 2 }] };`,
+      { timeout: 10000 },
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toEqual({ items: [{ id: 1 }, { id: 2 }] });
+  });
+
+  test('sequential tool calls', async ({ page }) => {
+    const result = await runWithToolHandler(
+      page,
+      `
+        const a = await callTool("add", { x: 1, y: 2 });
+        const b = await callTool("add", { x: 3, y: 4 });
+        return [a, b];
+      `,
+      `return args.x + args.y;`,
+      { timeout: 10000 },
+    );
+    expect(result.success).toBe(true);
+    expect(result.value).toEqual([3, 7]);
+  });
+
+  test('tool handler error propagates', async ({ page }) => {
+    const result = await runWithToolHandler(
+      page,
+      `
+        const val = await callTool("fail", {});
+        return val;
+      `,
+      `throw new Error("tool failed");`,
+      { timeout: 10000 },
+    );
+    expect(result.success).toBe(false);
+    expect(result.error?.message).toContain('tool failed');
+  });
+
+  test('no handler returns error', async ({ page }) => {
+    const result = await page.evaluate(async () => {
+      const EB = (window as any).EnclaveBrowser;
+      const enclave = new EB.BrowserEnclave({
+        timeout: 10000,
+      });
+      const res = await enclave.run('const r = await callTool("test", {}); return r;');
+      enclave.dispose();
+      return res;
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.message).toContain('No tool handler configured');
+  });
+
+  test('tool name validation rejects invalid names', async ({ page }) => {
+    const result = await runWithToolHandler(
+      page,
+      `
+        const val = await callTool("", {});
+        return val;
+      `,
+      `return "ok";`,
+      { timeout: 10000 },
+    );
+    expect(result.success).toBe(false);
+  });
+
+  test('max tool calls limit enforced', async ({ page }) => {
+    const result = await runWithToolHandler(
+      page,
+      `
+        for (let i = 0; i < 20; i++) {
+          await callTool("ping", { i: i });
+        }
+        return "done";
+      `,
+      `return "pong";`,
+      { maxToolCalls: 5, securityLevel: 'PERMISSIVE', timeout: 10000 },
+    );
+    expect(result.success).toBe(false);
+    expect(result.error?.message).toMatch(/tool call limit/i);
+  });
+
+  test('tool call stats tracked', async ({ page }) => {
+    const result = await runWithToolHandler(
+      page,
+      `
+        await callTool("a", {});
+        await callTool("b", {});
+        return "done";
+      `,
+      `return "ok";`,
+      { timeout: 10000 },
+    );
+    expect(result.success).toBe(true);
+    expect(result.stats.toolCallCount).toBe(2);
+  });
+});
diff --git a/libs/browser/e2e/validation.spec.ts b/libs/browser/e2e/validation.spec.ts
new file mode 100644
index 0000000..d9df746
--- /dev/null
+++ b/libs/browser/e2e/validation.spec.ts
@@ -0,0 +1,104 @@
+import { test, expect } from '@playwright/test';
+import { loadHarness, runInEnclave } from './helpers';
+
+test.describe('AST validation', () => {
+  test.beforeEach(async ({ page }) => {
+    await loadHarness(page);
+  });
+
+  test('blocks eval()', async ({ page }) => {
+    const result = await runInEnclave(page, 'eval("1 + 1")', {
+      securityLevel: 'STRICT',
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.name).toBe('ValidationError');
+  });
+
+  test('blocks new Function()', async ({ page }) => {
+    const result = await runInEnclave(page, 'new Function("return 1")', {
+      securityLevel: 'STRICT',
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.name).toBe('ValidationError');
+  });
+
+  test('blocks Function() without new', async ({ page }) => {
+    const result = await runInEnclave(page, 'Function("return 1")', {
+      securityLevel: 'STRICT',
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.name).toBe('ValidationError');
+  });
+
+  test('blocks __proto__ access', async ({ page }) => {
+    const result = await runInEnclave(page, 'const p = ({}).__proto__', {
+      securityLevel: 'STRICT',
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.name).toBe('ValidationError');
+  });
+
+  test('blocks constructor chain', async ({ page }) => {
+    const result = await runInEnclave(page, 'const c = [].constructor.constructor; c("return 1")()', {
+      securityLevel: 'STRICT',
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.name).toBe('ValidationError');
+  });
+
+  test('blocks globalThis', async ({ page }) => {
+    const result = await runInEnclave(page, 'const g = globalThis', {
+      securityLevel: 'STRICT',
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.name).toBe('ValidationError');
+  });
+
+  test('blocks __defineGetter__', async ({ page }) => {
+    const result = await runInEnclave(page, '({}).__defineGetter__("x", function() { return 1; })', {
+      securityLevel: 'STRICT',
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.name).toBe('ValidationError');
+  });
+
+  test('blocks setTimeout with string argument', async ({ page }) => {
+    const result = await runInEnclave(page, 'setTimeout("alert(1)", 100)', {
+      securityLevel: 'STRICT',
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.name).toBe('ValidationError');
+  });
+
+  test('blocks prototype property access', async ({ page }) => {
+    const result = await runInEnclave(page, 'const p = String.prototype', {
+      securityLevel: 'STRICT',
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.name).toBe('ValidationError');
+  });
+
+  test('blocks constructor access', async ({ page }) => {
+    const result = await runInEnclave(page, 'const c = ({}).constructor', {
+      securityLevel: 'STRICT',
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.name).toBe('ValidationError');
+  });
+
+  test('allows valid code to pass validation', async ({ page }) => {
+    const result = await runInEnclave(page, 'return 1 + 2', {
+      securityLevel: 'STANDARD',
+    });
+    expect(result.success).toBe(true);
+    expect(result.value).toBe(3);
+  });
+
+  test('skips validation when disabled', async ({ page }) => {
+    const result = await runInEnclave(page, 'return 42', {
+      validate: false,
+    });
+    expect(result.success).toBe(true);
+    expect(result.value).toBe(42);
+  });
+});
diff --git a/libs/browser/package.json b/libs/browser/package.json
new file mode 100644
index 0000000..ec9bd6f
--- /dev/null
+++ b/libs/browser/package.json
@@ -0,0 +1,44 @@
+{
+  "name": "@enclave-vm/browser",
+  "version": "2.11.0",
+  "description": "Browser sandbox runtime for secure JavaScript code execution using double iframe isolation",
+  "author": "AgentFront <info@agentfront.dev>",
+  "homepage": "https://github.com/agentfront/enclave",
+  "license": "Apache-2.0",
+  "keywords": [
+    "sandbox",
+    "iframe",
+    "enclave",
+    "enclave-vm",
+    "agentscript",
+    "llm",
+    "javascript",
+    "execution",
+    "security",
+    "browser"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/agentfront/enclave.git"
+  },
+  "bugs": {
+    "url": "https://github.com/agentfront/enclave/issues"
+  },
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    "./package.json": "./package.json",
+    ".": {
+      "development": "./src/index.ts",
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "default": "./dist/index.mjs"
+    }
+  },
+  "dependencies": {
+    "@enclave-vm/ast": "2.11.0",
+    "acorn": "8.15.0",
+    "astring": "1.9.0",
+    "zod": "^4.3.6"
+  }
+}
diff --git a/libs/browser/playwright.config.ts b/libs/browser/playwright.config.ts
new file mode 100644
index 0000000..7bed1f6
--- /dev/null
+++ b/libs/browser/playwright.config.ts
@@ -0,0 +1,28 @@
+import { defineConfig } from '@playwright/test';
+import path from 'node:path';
+
+export default defineConfig({
+  testDir: path.resolve(__dirname, 'e2e'),
+  testMatch: '**/*.spec.ts',
+  globalSetup: path.resolve(__dirname, 'e2e/global-setup.ts'),
+  timeout: 60_000,
+  retries: 0,
+  workers: 1,
+  use: {
+    baseURL: 'http://localhost:4400',
+    headless: true,
+  },
+  webServer: {
+    command: 'npx serve -l 4400 --no-clipboard e2e/fixtures',
+    cwd: __dirname,
+    port: 4400,
+    reuseExistingServer: !process.env.CI,
+    timeout: 10_000,
+  },
+  projects: [
+    {
+      name: 'chromium',
+      use: { browserName: 'chromium' },
+    },
+  ],
+});
diff --git a/libs/browser/project.json b/libs/browser/project.json
new file mode 100644
index 0000000..43b6507
--- /dev/null
+++ b/libs/browser/project.json
@@ -0,0 +1,52 @@
+{
+  "name": "browser",
+  "$schema": "../../node_modules/nx/schemas/project-schema.json",
+  "sourceRoot": "libs/browser/src",
+  "projectType": "library",
+  "tags": ["scope:publishable", "type:lib", "versioning:independent"],
+  "implicitDependencies": ["ast"],
+  "targets": {
+    "build-esm": {
+      "executor": "@nx/esbuild:esbuild",
+      "dependsOn": ["^build"],
+      "outputs": ["{options.outputPath}"],
+      "options": {
+        "outputPath": "libs/browser/dist",
+        "main": "libs/browser/src/index.ts",
+        "tsConfig": "libs/browser/tsconfig.lib.json",
+        "format": ["esm"],
+        "declaration": true,
+        "declarationRootDir": "libs/browser/src",
+        "bundle": true,
+        "thirdParty": false,
+        "platform": "browser",
+        "assets": ["libs/browser/README.md", "LICENSE", "libs/browser/package.json"],
+        "esbuildOptions": {
+          "outExtension": { ".js": ".mjs" },
+          "external": ["@enclave-vm/ast", "acorn", "acorn-walk", "astring", "zod"]
+        }
+      }
+    },
+    "build": {
+      "executor": "nx:run-commands",
+      "dependsOn": ["build-esm"],
+      "options": {
+        "command": "node scripts/strip-dist-from-pkg.js libs/browser/dist/package.json"
+      }
+    },
+    "test-e2e": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "npx playwright test --config=playwright.config.ts",
+        "cwd": "libs/browser"
+      }
+    },
+    "nx-release-publish": {
+      "executor": "@nx/js:release-publish",
+      "dependsOn": ["build"],
+      "options": {
+        "packageRoot": "libs/browser/dist"
+      }
+    }
+  }
+}
diff --git a/libs/browser/src/adapters/iframe-adapter.ts b/libs/browser/src/adapters/iframe-adapter.ts
new file mode 100644
index 0000000..d014ca5
--- /dev/null
+++ b/libs/browser/src/adapters/iframe-adapter.ts
@@ -0,0 +1,374 @@
+/**
+ * Iframe Adapter
+ *
+ * Implements the sandbox adapter interface using a double iframe architecture.
+ * Creates an outer iframe (security barrier) containing an inner iframe (user code).
+ *
+ * This is the browser equivalent of DoubleVmWrapper from @enclave-vm/core.
+ *
+ * @packageDocumentation
+ */
+
+import type {
+  ExecutionResult,
+  ExecutionStats,
+  SecurityLevel,
+  ToolHandler,
+  SerializedIframeConfig,
+  SerializableSuspiciousPattern,
+  DoubleIframeConfig,
+  SecureProxyLevelConfig,
+} from '../types';
+import {
+  isEnclaveMessage,
+  isToolCallMessage,
+  isResultMessage,
+  isConsoleMessage,
+  isReadyMessage,
+  generateId,
+} from './iframe-protocol';
+import { generateOuterIframeHtml } from './outer-iframe-bootstrap';
+import { IFRAME_SANDBOX } from './iframe-html-builder';
+
+/**
+ * Execution context passed to the adapter
+ */
+export interface IframeExecutionContext {
+  config: SerializedIframeConfig;
+  toolHandler?: ToolHandler;
+  securityLevel: SecurityLevel;
+  doubleIframeConfig: DoubleIframeConfig;
+  secureProxyConfig: SecureProxyLevelConfig;
+  blockedProperties: string[];
+  suspiciousPatterns: SerializableSuspiciousPattern[];
+  validationConfig: {
+    validateOperationNames: boolean;
+    allowedOperationPatternSource?: string;
+    allowedOperationPatternFlags?: string;
+    blockedOperationPatternSources?: string[];
+    blockedOperationPatternFlags?: string[];
+    maxOperationsPerSecond: number;
+    blockSuspiciousSequences: boolean;
+    rapidEnumerationThreshold: number;
+    rapidEnumerationOverrides: Record<string, number>;
+  };
+}
+
+/**
+ * IframeAdapter - Executes code in a double iframe sandbox
+ */
+export class IframeAdapter {
+  private outerIframe: HTMLIFrameElement | null = null;
+  private disposed = false;
+  private executing = false;
+  private pendingSettle: ((result: ExecutionResult<unknown>) => void) | null = null;
+  private currentExecutionStart = 0;
+
+  /**
+   * Execute code in the double iframe sandbox
+   */
+  async execute<T = unknown>(code: string, context: IframeExecutionContext): Promise<ExecutionResult<T>> {
+    if (this.disposed) {
+      throw new Error('IframeAdapter has been disposed');
+    }
+    if (this.executing) {
+      throw new Error('IframeAdapter: concurrent execution not supported');
+    }
+    this.executing = true;
+
+    const requestId = generateId();
+    const startTime = Date.now();
+    this.currentExecutionStart = startTime;
+
+    // Default stats
+    const defaultStats: ExecutionStats = {
+      duration: 0,
+      toolCallCount: 0,
+      iterationCount: 0,
+      startTime,
+      endTime: 0,
+    };
+
+    return new Promise<ExecutionResult<T>>((resolve) => {
+      let settled = false;
+      let timeoutId: ReturnType<typeof setTimeout> | null = null;
+      let messageHandler: ((event: MessageEvent) => void) | null = null;
+
+      const cleanup = () => {
+        if (timeoutId) {
+          clearTimeout(timeoutId);
+          timeoutId = null;
+        }
+        if (messageHandler) {
+          window.removeEventListener('message', messageHandler);
+          messageHandler = null;
+        }
+        // Remove iframe
+        if (this.outerIframe && this.outerIframe.parentNode) {
+          this.outerIframe.parentNode.removeChild(this.outerIframe);
+          this.outerIframe = null;
+        }
+      };
+
+      const settle = (result: ExecutionResult<T>) => {
+        if (settled) return;
+        settled = true;
+        this.executing = false;
+        this.pendingSettle = null;
+        cleanup();
+        resolve(result);
+      };
+
+      this.pendingSettle = settle as (result: ExecutionResult<unknown>) => void;
+
+      // Set up message listener
+      messageHandler = (event: MessageEvent) => {
+        const data = event.data;
+        if (!isEnclaveMessage(data)) return;
+        if (event.source !== this.outerIframe?.contentWindow) return;
+
+        if (isToolCallMessage(data) && data.requestId === requestId) {
+          // Tool call from the sandbox - relay to toolHandler
+          if (!context.toolHandler) {
+            // Send error back
+            this.sendToOuter({
+              __enclave_msg__: true,
+              type: 'tool-response',
+              requestId,
+              callId: data.callId,
+              error: {
+                name: 'Error',
+                message: 'No tool handler configured',
+              },
+            });
+            return;
+          }
+
+          // Execute tool handler and relay result/error
+          const callId = data.callId;
+          const toolHandler = context.toolHandler;
+          (async () => {
+            try {
+              const result = await toolHandler(data.toolName, data.args);
+              // Sanitize result through JSON round-trip
+              let safeResult: unknown;
+              try {
+                safeResult = JSON.parse(JSON.stringify(result));
+              } catch {
+                safeResult = undefined;
+              }
+
+              this.sendToOuter({
+                __enclave_msg__: true,
+                type: 'tool-response',
+                requestId,
+                callId,
+                result: safeResult,
+              });
+            } catch (error: unknown) {
+              const err = error instanceof Error ? error : new Error(typeof error === 'string' ? error : String(error));
+              this.sendToOuter({
+                __enclave_msg__: true,
+                type: 'tool-response',
+                requestId,
+                callId,
+                error: {
+                  name: err.name,
+                  message: err.message,
+                },
+              });
+            }
+          })();
+        } else if (isResultMessage(data) && data.requestId === requestId) {
+          // Execution result
+          const stats: ExecutionStats = data.stats
+            ? {
+                duration: data.stats.duration,
+                toolCallCount: data.stats.toolCallCount,
+                iterationCount: data.stats.iterationCount,
+                startTime: data.stats.startTime,
+                endTime: data.stats.endTime,
+              }
+            : {
+                ...defaultStats,
+                duration: Date.now() - startTime,
+                endTime: Date.now(),
+              };
+
+          if (data.success) {
+            settle({
+              success: true,
+              value: data.value as T,
+              stats,
+            });
+          } else {
+            settle({
+              success: false,
+              error: data.error
+                ? {
+                    name: data.error.name,
+                    message: data.error.message,
+                    code: data.error.code,
+                  }
+                : {
+                    name: 'ExecutionError',
+                    message: 'Unknown execution error',
+                  },
+              stats,
+            });
+          }
+        } else if (isConsoleMessage(data) && data.requestId === requestId) {
+          // Console output - relay to host console
+          switch (data.level) {
+            case 'log':
+              console.log('[Enclave]', ...data.args);
+              break;
+            case 'warn':
+              console.warn('[Enclave]', ...data.args);
+              break;
+            case 'error':
+              console.error('[Enclave]', ...data.args);
+              break;
+            case 'info':
+              console.info('[Enclave]', ...data.args);
+              break;
+          }
+        } else if (isReadyMessage(data)) {
+          // Outer iframe is ready - no action needed, inner will auto-execute
+        }
+      };
+
+      window.addEventListener('message', messageHandler);
+
+      // Set up hard timeout with iframe.remove()
+      const totalTimeout = context.config.timeout + (context.doubleIframeConfig.parentTimeoutBuffer || 1000);
+      timeoutId = setTimeout(() => {
+        settle({
+          success: false,
+          error: {
+            name: 'TimeoutError',
+            message: `Execution timed out after ${context.config.timeout}ms`,
+            code: 'EXECUTION_TIMEOUT',
+          },
+          stats: {
+            ...defaultStats,
+            duration: Date.now() - startTime,
+            endTime: Date.now(),
+          },
+        });
+      }, totalTimeout);
+
+      // Generate outer iframe HTML
+      try {
+        const outerHtml = generateOuterIframeHtml({
+          userCode: code,
+          config: context.config,
+          requestId,
+          suspiciousPatterns: context.suspiciousPatterns,
+          validationConfig: context.validationConfig,
+        });
+
+        // Create outer iframe
+        this.outerIframe = document.createElement('iframe');
+        this.outerIframe.sandbox = IFRAME_SANDBOX;
+        this.outerIframe.srcdoc = outerHtml;
+        this.outerIframe.style.position = 'absolute';
+        this.outerIframe.style.width = '0';
+        this.outerIframe.style.height = '0';
+        this.outerIframe.style.border = 'none';
+        this.outerIframe.style.overflow = 'hidden';
+        this.outerIframe.setAttribute('aria-hidden', 'true');
+
+        document.body.appendChild(this.outerIframe);
+      } catch (error: unknown) {
+        const err = error instanceof Error ? error : new Error(typeof error === 'string' ? error : String(error));
+        settle({
+          success: false,
+          error: {
+            name: 'IframeError',
+            message: `Failed to create sandbox iframe: ${err.message}`,
+            code: 'IFRAME_CREATE_FAILED',
+          },
+          stats: {
+            ...defaultStats,
+            duration: Date.now() - startTime,
+            endTime: Date.now(),
+          },
+        });
+      }
+    });
+  }
+
+  /**
+   * Send a message to the outer iframe
+   */
+  private sendToOuter(msg: Record<string, unknown>): void {
+    if (this.outerIframe && this.outerIframe.contentWindow) {
+      try {
+        // '*' is required: srcdoc iframes have a null origin, so no specific targetOrigin can be used.
+        // Re-evaluate if loading strategy changes to blob URLs or a known origin.
+        this.outerIframe.contentWindow.postMessage(msg, '*');
+      } catch {
+        // Iframe may have been removed
+      }
+    }
+  }
+
+  /**
+   * Abort current execution
+   */
+  abort(requestId: string): void {
+    this.sendToOuter({
+      __enclave_msg__: true,
+      type: 'abort',
+      requestId,
+    });
+
+    // Settle the pending promise with an AbortError so it doesn't hang until timeout
+    if (this.pendingSettle) {
+      this.pendingSettle({
+        success: false,
+        error: {
+          name: 'AbortError',
+          message: 'Execution was aborted',
+          code: 'EXECUTION_ABORTED',
+        },
+        stats: {
+          duration: this.currentExecutionStart ? Date.now() - this.currentExecutionStart : 0,
+          toolCallCount: 0,
+          iterationCount: 0,
+          startTime: this.currentExecutionStart,
+          endTime: Date.now(),
+        },
+      });
+    }
+  }
+
+  /**
+   * Dispose the adapter and cleanup
+   */
+  dispose(): void {
+    this.disposed = true;
+    if (this.pendingSettle) {
+      this.pendingSettle({
+        success: false,
+        error: {
+          name: 'DisposedError',
+          message: 'IframeAdapter was disposed during execution',
+          code: 'ADAPTER_DISPOSED',
+        },
+        stats: {
+          duration: this.currentExecutionStart ? Date.now() - this.currentExecutionStart : 0,
+          toolCallCount: 0,
+          iterationCount: 0,
+          startTime: this.currentExecutionStart,
+          endTime: Date.now(),
+        },
+      });
+    }
+    if (this.outerIframe && this.outerIframe.parentNode) {
+      this.outerIframe.parentNode.removeChild(this.outerIframe);
+      this.outerIframe = null;
+    }
+  }
+}
diff --git a/libs/browser/src/adapters/iframe-html-builder.ts b/libs/browser/src/adapters/iframe-html-builder.ts
new file mode 100644
index 0000000..e608923
--- /dev/null
+++ b/libs/browser/src/adapters/iframe-html-builder.ts
@@ -0,0 +1,103 @@
+/**
+ * Iframe HTML Builder
+ *
+ * Generates HTML content for sandboxed iframes with CSP meta tags.
+ * Used by the outer and inner iframe bootstraps to create secure srcdoc content.
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Content Security Policy for sandboxed iframes
+ *
+ * - default-src 'none': Blocks all network (fetch, XHR, WebSocket, images)
+ * - script-src 'unsafe-inline': Allows inline <script> but blocks eval/Function/setTimeout(string)
+ * - No 'unsafe-eval': Equivalent to VM's codeGeneration: { strings: false, wasm: false }
+ */
+const IFRAME_CSP = "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'";
+
+/**
+ * Build a complete HTML document for use in iframe srcdoc
+ *
+ * @param scriptContent - JavaScript code to embed in a <script> tag
+ * @param options - Additional options
+ * @returns Complete HTML string suitable for srcdoc
+ */
+export function buildIframeHtml(
+  scriptContent: string,
+  options?: {
+    /** Additional CSP directives to append */
+    extraCsp?: string;
+    /** Title for the document */
+    title?: string;
+  },
+): string {
+  const csp = options?.extraCsp ? `${IFRAME_CSP}; ${options.extraCsp}` : IFRAME_CSP;
+  const title = options?.title ?? 'Enclave Sandbox';
+
+  return (
+    '<!DOCTYPE html>' +
+    '<html><head>' +
+    `<meta http-equiv="Content-Security-Policy" content="${escapeHtmlAttr(csp)}">` +
+    `<title>${escapeHtml(title)}</title>` +
+    '</head><body>' +
+    `<script>${scriptContent}</script>` +
+    '</body></html>'
+  );
+}
+
+/**
+ * Escape a string for safe use in an HTML attribute value
+ */
+function escapeHtmlAttr(str: string): string {
+  return str.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+}
+
+/**
+ * Escape a string for safe use in HTML text content
+ */
+function escapeHtml(str: string): string {
+  return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+}
+
+/**
+ * JSON.stringify with HTML-safe escaping for embedding in <script> tags.
+ *
+ * Prevents `</script>` breakout and `<!--` HTML comment injection
+ * from any JSON-serialized value.
+ */
+export function safeJsonStringify(value: unknown): string {
+  return JSON.stringify(value).replace(/<\//g, '<\\/').replace(/<!--/g, '<\\!--');
+}
+
+/**
+ * Escape a string for safe embedding inside a JavaScript string literal
+ * within an HTML <script> tag.
+ *
+ * Handles:
+ * - </script> injection (script tag breakout)
+ * - Backslash escaping
+ * - Newlines, carriage returns
+ * - Null bytes
+ * - Unicode line/paragraph separators
+ */
+export function escapeForScriptEmbed(str: string): string {
+  return str
+    .replace(/\\/g, '\\\\')
+    .replace(/'/g, "\\'")
+    .replace(/"/g, '\\"')
+    .replace(/`/g, '\\`')
+    .replace(/\$/g, '\\$')
+    .replace(/\n/g, '\\n')
+    .replace(/\r/g, '\\r')
+    .replace(/\0/g, '\\0')
+    .replace(/\u2028/g, '\\u2028')
+    .replace(/\u2029/g, '\\u2029')
+    .replace(/<\/script>/gi, '<\\/script>');
+}
+
+/**
+ * Get the iframe sandbox attribute value
+ * Only allow-scripts is enabled — NO allow-same-origin
+ */
+export const IFRAME_SANDBOX = 'allow-scripts';
diff --git a/libs/browser/src/adapters/iframe-protocol.ts b/libs/browser/src/adapters/iframe-protocol.ts
new file mode 100644
index 0000000..94fe06e
--- /dev/null
+++ b/libs/browser/src/adapters/iframe-protocol.ts
@@ -0,0 +1,243 @@
+/**
+ * Iframe PostMessage Protocol
+ *
+ * Typed message protocol for communication between host page, outer iframe,
+ * and inner iframe. All messages carry `__enclave_msg__: true` discriminator.
+ *
+ * Mirrors the structure of libs/core/src/adapters/worker-pool/protocol.ts
+ *
+ * @packageDocumentation
+ */
+
+import { z } from 'zod';
+import type { SerializedIframeConfig } from '../types';
+
+// ============================================================================
+// Serialized Error (cross-boundary safe)
+// ============================================================================
+
+export interface SerializedError {
+  name: string;
+  message: string;
+  code?: string;
+  stack?: string;
+}
+
+// ============================================================================
+// Execution Statistics
+// ============================================================================
+
+export interface WorkerExecutionStats {
+  duration: number;
+  toolCallCount: number;
+  iterationCount: number;
+  startTime: number;
+  endTime: number;
+}
+
+// ============================================================================
+// Host -> Outer Iframe Messages
+// ============================================================================
+
+export interface ExecuteMessage {
+  __enclave_msg__: true;
+  type: 'execute';
+  requestId: string;
+  code: string;
+  config: SerializedIframeConfig;
+}
+
+export interface ToolResponseMessage {
+  __enclave_msg__: true;
+  type: 'tool-response';
+  requestId: string;
+  callId: string;
+  result?: unknown;
+  error?: SerializedError;
+}
+
+export interface AbortMessage {
+  __enclave_msg__: true;
+  type: 'abort';
+  requestId: string;
+}
+
+export type HostToOuterMessage = ExecuteMessage | ToolResponseMessage | AbortMessage;
+
+// ============================================================================
+// Outer Iframe -> Host Messages
+// ============================================================================
+
+export interface ReadyMessage {
+  __enclave_msg__: true;
+  type: 'ready';
+}
+
+export interface ToolCallMessage {
+  __enclave_msg__: true;
+  type: 'tool-call';
+  requestId: string;
+  callId: string;
+  toolName: string;
+  args: Record<string, unknown>;
+}
+
+export interface ResultMessage {
+  __enclave_msg__: true;
+  type: 'result';
+  requestId: string;
+  success: boolean;
+  value?: unknown;
+  error?: SerializedError;
+  stats: WorkerExecutionStats;
+}
+
+export interface ConsoleMessage {
+  __enclave_msg__: true;
+  type: 'console';
+  requestId: string;
+  level: 'log' | 'warn' | 'error' | 'info';
+  args: unknown[];
+}
+
+export type OuterToHostMessage = ReadyMessage | ToolCallMessage | ResultMessage | ConsoleMessage;
+
+// ============================================================================
+// Outer <-> Inner Iframe Messages (same protocol, outer acts as relay)
+// ============================================================================
+
+export type InnerToOuterMessage = ToolCallMessage | ResultMessage | ConsoleMessage;
+export type OuterToInnerMessage = ToolResponseMessage | AbortMessage;
+
+// ============================================================================
+// Validation Schemas
+// ============================================================================
+
+const TOOL_NAME_PATTERN = /^[a-zA-Z][a-zA-Z0-9:_-]*$/;
+const ID_PATTERN = /^[a-zA-Z0-9-]+$/;
+
+export const toolCallMessageSchema = z
+  .object({
+    __enclave_msg__: z.literal(true),
+    type: z.literal('tool-call'),
+    requestId: z.string().min(1).max(100).regex(ID_PATTERN),
+    callId: z.string().min(1).max(100).regex(ID_PATTERN),
+    toolName: z.string().min(1).max(256).regex(TOOL_NAME_PATTERN),
+    args: z.record(z.string(), z.unknown()),
+  })
+  .strict();
+
+export const resultMessageSchema = z
+  .object({
+    __enclave_msg__: z.literal(true),
+    type: z.literal('result'),
+    requestId: z.string().min(1).max(100).regex(ID_PATTERN),
+    success: z.boolean(),
+    value: z.unknown().optional(),
+    error: z
+      .object({
+        name: z.string().max(100),
+        message: z.string().max(10000),
+        code: z.string().max(100).optional(),
+        stack: z.string().max(10000).optional(),
+      })
+      .optional(),
+    stats: z.object({
+      duration: z.number().nonnegative(),
+      toolCallCount: z.number().nonnegative().int(),
+      iterationCount: z.number().nonnegative().int(),
+      startTime: z.number().nonnegative(),
+      endTime: z.number().nonnegative(),
+    }),
+  })
+  .strict();
+
+export const consoleMessageSchema = z
+  .object({
+    __enclave_msg__: z.literal(true),
+    type: z.literal('console'),
+    requestId: z.string().min(1).max(100).regex(ID_PATTERN),
+    level: z.enum(['log', 'warn', 'error', 'info']),
+    args: z.array(z.unknown()).max(100),
+  })
+  .strict();
+
+export const readyMessageSchema = z
+  .object({
+    __enclave_msg__: z.literal(true),
+    type: z.literal('ready'),
+  })
+  .strict();
+
+export const toolResponseMessageSchema = z
+  .object({
+    __enclave_msg__: z.literal(true),
+    type: z.literal('tool-response'),
+    requestId: z.string().min(1).max(100).regex(ID_PATTERN),
+    callId: z.string().min(1).max(100).regex(ID_PATTERN),
+    result: z.unknown().optional(),
+    error: z
+      .object({
+        name: z.string().max(100),
+        message: z.string().max(10000),
+        code: z.string().max(100).optional(),
+      })
+      .optional(),
+  })
+  .strict();
+
+// ============================================================================
+// Type Guards
+// ============================================================================
+
+/**
+ * Check if a postMessage event data is an enclave message
+ */
+export function isEnclaveMessage(data: unknown): data is { __enclave_msg__: true; type: string } {
+  return (
+    data !== null &&
+    typeof data === 'object' &&
+    (data as Record<string, unknown>)['__enclave_msg__'] === true &&
+    typeof (data as Record<string, unknown>)['type'] === 'string'
+  );
+}
+
+export function isToolCallMessage(msg: { type: string }): msg is ToolCallMessage {
+  return msg.type === 'tool-call';
+}
+
+export function isResultMessage(msg: { type: string }): msg is ResultMessage {
+  return msg.type === 'result';
+}
+
+export function isConsoleMessage(msg: { type: string }): msg is ConsoleMessage {
+  return msg.type === 'console';
+}
+
+export function isReadyMessage(msg: { type: string }): msg is ReadyMessage {
+  return msg.type === 'ready';
+}
+
+export function isToolResponseMessage(msg: { type: string }): msg is ToolResponseMessage {
+  return msg.type === 'tool-response';
+}
+
+/**
+ * Generate a unique ID for requests/calls
+ * Falls back to Math.random-based ID if crypto.randomUUID is unavailable
+ * (sandboxed iframes without allow-same-origin may lack crypto.randomUUID)
+ */
+export function generateId(): string {
+  try {
+    return crypto.randomUUID();
+  } catch {
+    // Fallback for sandboxed contexts
+    return (
+      Date.now().toString(36) +
+      '-' +
+      Math.random().toString(36).slice(2, 10) +
+      '-' +
+      Math.random().toString(36).slice(2, 10)
+    );
+  }
+}
diff --git a/libs/browser/src/adapters/inner-iframe-bootstrap.ts b/libs/browser/src/adapters/inner-iframe-bootstrap.ts
new file mode 100644
index 0000000..204aa8c
--- /dev/null
+++ b/libs/browser/src/adapters/inner-iframe-bootstrap.ts
@@ -0,0 +1,727 @@
+/**
+ * Inner Iframe Bootstrap Generator
+ *
+ * Generates the HTML/JS content for the inner iframe where user code executes.
+ * This is the innermost sandbox: it contains the safe runtime, prototype
+ * hardening, frozen globals, and the user code itself.
+ *
+ * Communication with the outer iframe is via postMessage only.
+ *
+ * @packageDocumentation
+ */
+
+import { buildIframeHtml, safeJsonStringify } from './iframe-html-builder';
+import type { SerializedIframeConfig } from '../types';
+
+export interface InnerIframeBootstrapOptions {
+  userCode: string;
+  config: SerializedIframeConfig;
+  requestId: string;
+}
+
+/**
+ * Generate the inner iframe HTML content
+ */
+export function generateInnerIframeHtml(options: InnerIframeBootstrapOptions): string {
+  const { userCode, config, requestId } = options;
+
+  const script = generateInnerIframeScript(userCode, config, requestId);
+  return buildIframeHtml(script, { title: 'Enclave Inner Sandbox' });
+}
+
+function generateInnerIframeScript(userCode: string, config: SerializedIframeConfig, requestId: string): string {
+  const blockedProperties = safeJsonStringify(config.blockedProperties);
+  const throwOnBlocked = config.throwOnBlocked;
+  const maxIterations = config.maxIterations;
+  const maxToolCalls = config.maxToolCalls;
+  const memoryLimit = config.memoryLimit;
+  const maxConsoleCalls = config.maxConsoleCalls;
+  const maxConsoleOutputBytes = config.maxConsoleOutputBytes;
+
+  return `
+"use strict";
+(function() {
+  var requestId = ${safeJsonStringify(requestId)};
+  var aborted = false;
+  var startTime = Date.now();
+  var toolCallCount = 0;
+  var iterationCount = 0;
+  var consoleCalls = 0;
+  var consoleOutputBytes = 0;
+
+  // Pending tool call resolvers: callId -> { resolve, reject }
+  var pendingToolCalls = {};
+
+  // ============================================================
+  // Safe Error
+  // ============================================================
+  function createSafeError(message, name) {
+    var error = new Error(message);
+    // Use _defineProperty (saved before neutralization) to set name as own property,
+    // since Error.prototype.name is frozen and direct assignment throws in strict mode.
+    try { _defineProperty(error, 'name', { value: name || 'Error', writable: false, configurable: false, enumerable: false }); }
+    catch(e) { try { error.name = name || 'Error'; } catch(e2) {} }
+    try { Object.setPrototypeOf(error, null); } catch(e) {}
+    try {
+      _defineProperty(error, 'constructor', { value: null, writable: false, configurable: false, enumerable: false });
+      _defineProperty(error, '__proto__', { value: null, writable: false, configurable: false, enumerable: false });
+      _defineProperty(error, 'stack', { value: undefined, writable: false, configurable: false, enumerable: false });
+    } catch(e) {}
+    try { Object.freeze(error); } catch(e) {}
+    return error;
+  }
+
+  // ============================================================
+  // Secure Proxy
+  // ============================================================
+
+  // Save built-in references BEFORE they get neutralized/replaced
+  var _getOwnPropertyDescriptor = Object.getOwnPropertyDescriptor;
+  var _ReflectGet = typeof Reflect !== 'undefined' ? Reflect.get : function(t,p) { return t[p]; };
+  var _ReflectSet = typeof Reflect !== 'undefined' ? Reflect.set : function(t,p,v) { t[p]=v; return true; };
+  var _Proxy = typeof Proxy !== 'undefined' ? Proxy : undefined;
+
+  var blockedPropertiesSet = new Set(${blockedProperties});
+  var proxyCache = new WeakMap();
+
+  function createSecureProxy(obj, depth) {
+    if (depth === undefined) depth = 0;
+    if (depth > 10) return obj;
+    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) return obj;
+    if (proxyCache.has(obj)) return proxyCache.get(obj);
+
+    var proxy = new _Proxy(obj, {
+      get: function(target, property, receiver) {
+        var propName = String(property);
+        var descriptor = _getOwnPropertyDescriptor(target, property);
+        var isNonConfigurable = descriptor && !descriptor.configurable;
+
+        if (descriptor && isNonConfigurable && 'value' in descriptor && descriptor.writable === false) {
+          return descriptor.value;
+        }
+
+        if (blockedPropertiesSet.has(propName)) {
+          if (isNonConfigurable) return _ReflectGet(target, property, receiver);
+          ${
+            throwOnBlocked
+              ? `throw createSafeError("Security violation: Access to '" + propName + "' is blocked.");`
+              : `return undefined;`
+          }
+        }
+
+        var value = _ReflectGet(target, property, receiver);
+        if (typeof value === 'function') {
+          var boundMethod = value.bind(target);
+          return createSecureProxy(boundMethod, depth + 1);
+        }
+        if (value !== null && typeof value === 'object') {
+          return createSecureProxy(value, depth + 1);
+        }
+        return value;
+      },
+      set: function(target, property, value, receiver) {
+        var propName = String(property);
+        if (blockedPropertiesSet.has(propName)) {
+          ${
+            throwOnBlocked
+              ? `throw createSafeError("Security violation: Setting '" + propName + "' is blocked.");`
+              : `return false;`
+          }
+        }
+        return _ReflectSet(target, property, value, receiver);
+      },
+      getPrototypeOf: function() { return null; }
+    });
+
+    proxyCache.set(obj, proxy);
+    return proxy;
+  }
+
+  // ============================================================
+  // PostMessage Communication with Outer Iframe
+  // ============================================================
+  function sendToOuter(msg) {
+    msg.__enclave_msg__ = true;
+    msg.requestId = requestId;
+    try {
+      window.parent.postMessage(msg, '*');
+    } catch(e) { /* ignore */ }
+  }
+
+  // Listen for messages from outer iframe
+  window.addEventListener('message', function(event) {
+    if (event.source !== window.parent) return;
+    var data = event.data;
+    if (!data || data.__enclave_msg__ !== true) return;
+    if (data.requestId !== requestId) return;
+
+    if (data.type === 'tool-response') {
+      var pending = pendingToolCalls[data.callId];
+      if (pending) {
+        delete pendingToolCalls[data.callId];
+        if (data.error) {
+          pending.reject(createSafeError(data.error.message, data.error.name));
+        } else {
+          pending.resolve(data.result);
+        }
+      }
+    } else if (data.type === 'abort') {
+      aborted = true;
+      var pendingKeys = Object.keys(pendingToolCalls);
+      for (var pk = 0; pk < pendingKeys.length; pk++) {
+        var p = pendingToolCalls[pendingKeys[pk]];
+        if (p && p.reject) {
+          try { p.reject(createSafeError('Execution aborted', 'AbortError')); } catch(e) {}
+        }
+      }
+      pendingToolCalls = {};
+    }
+  });
+
+  // ============================================================
+  // Safe Runtime Functions
+  // ============================================================
+
+  // Generate unique call IDs
+  var callIdCounter = 0;
+  function generateCallId() {
+    return 'c-' + (++callIdCounter) + '-' + Date.now().toString(36) + '-' + Math.random().toString(36).slice(2, 8);
+  }
+
+  function __safe_callTool(toolName, args) {
+    if (aborted) throw createSafeError('Execution aborted');
+
+    toolCallCount++;
+    if (toolCallCount > ${maxToolCalls}) {
+      throw createSafeError('Maximum tool call limit exceeded (${maxToolCalls}).');
+    }
+
+    if (typeof toolName !== 'string' || !toolName) {
+      throw createSafeError('Tool name must be a non-empty string', 'TypeError');
+    }
+    if (typeof args !== 'object' || args === null || Array.isArray(args)) {
+      throw createSafeError('Tool arguments must be an object', 'TypeError');
+    }
+
+    // Double sanitization
+    var sanitizedArgs;
+    try { sanitizedArgs = JSON.parse(JSON.stringify(args)); }
+    catch(e) { throw createSafeError('Tool arguments must be JSON-serializable'); }
+
+    var callId = generateCallId();
+
+    return new Promise(function(resolve, reject) {
+      pendingToolCalls[callId] = { resolve: resolve, reject: reject };
+      sendToOuter({
+        type: 'tool-call',
+        callId: callId,
+        toolName: toolName,
+        args: sanitizedArgs
+      });
+    });
+  }
+
+  function* __safe_forOf(iterable) {
+    var iterations = 0;
+    for (var item of iterable) {
+      if (aborted) throw createSafeError('Execution aborted');
+      iterations++;
+      iterationCount++;
+      if (iterations > ${maxIterations}) {
+        throw createSafeError('Maximum iteration limit exceeded (${maxIterations}).');
+      }
+      yield item;
+    }
+  }
+
+  function __safe_for(init, test, update, body) {
+    var iterations = 0;
+    init();
+    while (test()) {
+      if (aborted) throw createSafeError('Execution aborted');
+      iterations++;
+      iterationCount++;
+      if (iterations > ${maxIterations}) {
+        throw createSafeError('Maximum iteration limit exceeded (${maxIterations}).');
+      }
+      body();
+      update();
+    }
+  }
+
+  function __safe_while(test, body) {
+    var iterations = 0;
+    while (test()) {
+      if (aborted) throw createSafeError('Execution aborted');
+      iterations++;
+      iterationCount++;
+      if (iterations > ${maxIterations}) {
+        throw createSafeError('Maximum iteration limit exceeded (${maxIterations}).');
+      }
+      body();
+    }
+  }
+
+  function __safe_doWhile(body, test) {
+    var iterations = 0;
+    do {
+      if (aborted) throw createSafeError('Execution aborted');
+      iterations++;
+      iterationCount++;
+      if (iterations > ${maxIterations}) {
+        throw createSafeError('Maximum iteration limit exceeded (${maxIterations}).');
+      }
+      body();
+    } while (test());
+  }
+
+  function __safe_concat(left, right) {
+    if (typeof left === 'number' && typeof right === 'number') return left + right;
+    var result = (left) + (right);
+    return result;
+  }
+
+  function __safe_template(quasis) {
+    var values = [];
+    for (var i = 1; i < arguments.length; i++) values.push(arguments[i]);
+    var result = quasis[0];
+    for (var j = 0; j < values.length; j++) {
+      result += String(values[j]) + quasis[j + 1];
+    }
+    return result;
+  }
+
+  function __safe_parallel(fns, options) {
+    if (!Array.isArray(fns)) throw createSafeError('parallel requires an array of functions', 'TypeError');
+    if (fns.length === 0) return Promise.resolve([]);
+    if (fns.length > 100) throw createSafeError('Cannot execute more than 100 operations in parallel.');
+
+    for (var i = 0; i < fns.length; i++) {
+      if (typeof fns[i] !== 'function') throw createSafeError('Item at index ' + i + ' is not a function', 'TypeError');
+    }
+
+    var concurrency = Math.min(Math.max(1, (options && options.maxConcurrency) || 10), 20);
+    var results = new Array(fns.length);
+    var errors = [];
+    var currentIndex = 0;
+
+    function runNext() {
+      return new Promise(function(resolve) {
+        function step() {
+          if (currentIndex >= fns.length) { resolve(); return; }
+          if (aborted) { resolve(); return; }
+          var index = currentIndex++;
+          Promise.resolve().then(function() { return fns[index](); }).then(function(result) {
+            results[index] = result;
+            step();
+          }).catch(function(error) {
+            errors.push({ index: index, error: error });
+            step();
+          });
+        }
+        step();
+      });
+    }
+
+    var workers = [];
+    for (var w = 0; w < Math.min(concurrency, fns.length); w++) workers.push(runNext());
+
+    return Promise.all(workers).then(function() {
+      if (errors.length > 0) {
+        var msgs = errors.map(function(e) { return '[' + e.index + ']: ' + (e.error && e.error.message || e.error); }).join('\\n');
+        throw createSafeError(errors.length + ' of ' + fns.length + ' parallel operations failed:\\n' + msgs);
+      }
+      return results;
+    });
+  }
+
+  // ============================================================
+  // Console Implementation (relayed via postMessage)
+  // ============================================================
+  var safeConsole = {};
+  ['log', 'warn', 'error', 'info'].forEach(function(level) {
+    safeConsole[level] = function() {
+      consoleCalls++;
+      if (consoleCalls > ${maxConsoleCalls}) return;
+
+      var args = [];
+      for (var i = 0; i < arguments.length; i++) {
+        var arg = arguments[i];
+        try { args.push(typeof arg === 'object' ? JSON.parse(JSON.stringify(arg)) : arg); }
+        catch(e) { args.push(String(arg)); }
+      }
+
+      var size = 0;
+      try { size = JSON.stringify(args).length; } catch(e) {}
+      consoleOutputBytes += size;
+      if (consoleOutputBytes > ${maxConsoleOutputBytes}) return;
+
+      sendToOuter({ type: 'console', level: level, args: args });
+    };
+  });
+
+  // ============================================================
+  // Prototype Hardening
+  // ============================================================
+
+  // Shadow __proto__ on error prototypes
+  (function() {
+    var errorProtos = [
+      Error.prototype, TypeError.prototype, RangeError.prototype,
+      SyntaxError.prototype, ReferenceError.prototype, URIError.prototype, EvalError.prototype
+    ];
+    for (var i = 0; i < errorProtos.length; i++) {
+      try {
+        Object.defineProperty(errorProtos[i], '__proto__', {
+          get: function() { return null; },
+          set: function() {},
+          configurable: false,
+          enumerable: false
+        });
+      } catch(e) {}
+    }
+  })();
+
+  // Block legacy prototype methods
+  (function() {
+    var methods = ['__lookupGetter__', '__lookupSetter__', '__defineGetter__', '__defineSetter__'];
+    for (var i = 0; i < methods.length; i++) {
+      try {
+        Object.defineProperty(Object.prototype, methods[i], {
+          value: function() { return undefined; },
+          writable: false,
+          configurable: false,
+          enumerable: false
+        });
+      } catch(e) {}
+    }
+  })();
+
+  // Memory-safe prototype patches (must run BEFORE freeze)
+  (function() {
+    var ml = ${memoryLimit};
+    if (ml <= 0) return;
+    var totalTracked = 0;
+    function track(bytes) {
+      totalTracked += bytes;
+      if (totalTracked > ml) throw new RangeError('Memory limit exceeded');
+    }
+
+    var stringProto = Object.getPrototypeOf('');
+    var arrayProto = Object.getPrototypeOf([]);
+
+    try {
+      var origRepeat = stringProto.repeat;
+      Object.defineProperty(stringProto, 'repeat', { value: function(count) {
+        var est = this.length * count * 2;
+        if (est > ml) throw new RangeError('String.repeat would exceed memory limit');
+        track(est);
+        return origRepeat.call(this, count);
+      }, writable: false, configurable: false });
+    } catch(e) {}
+
+    try {
+      var origJoin = arrayProto.join;
+      Object.defineProperty(arrayProto, 'join', { value: function(sep) {
+        var s = sep === undefined ? ',' : String(sep);
+        var est = 0;
+        for (var i = 0; i < this.length; i++) {
+          var item = this[i];
+          est += (item === null || item === undefined) ? 0 : String(item).length;
+          if (i > 0) est += s.length;
+        }
+        est *= 2;
+        if (est > ml) throw new RangeError('Array.join would exceed memory limit');
+        track(est);
+        return origJoin.call(this, sep);
+      }, writable: false, configurable: false });
+    } catch(e) {}
+
+    try {
+      var origFill = arrayProto.fill;
+      Object.defineProperty(arrayProto, 'fill', { value: function(value, start, end) {
+        var len = this.length >>> 0;
+        var k = (start === undefined ? 0 : (start >> 0));
+        var finalEnd = (end === undefined ? len : (end >> 0));
+        if (k < 0) k = Math.max(len + k, 0); else k = Math.min(k, len);
+        if (finalEnd < 0) finalEnd = Math.max(len + finalEnd, 0); else finalEnd = Math.min(finalEnd, len);
+        var fillCount = Math.max(0, finalEnd - k);
+        var est = fillCount * 8;
+        if (est > ml) throw new RangeError('Array.fill would exceed memory limit');
+        track(est);
+        return origFill.call(this, value, start, end);
+      }, writable: false, configurable: false });
+    } catch(e) {}
+  })();
+
+  // Freeze all prototypes
+  (function() {
+    var protos = [
+      Object.prototype, Array.prototype, Function.prototype,
+      String.prototype, Number.prototype, Boolean.prototype,
+      Date.prototype, Error.prototype, TypeError.prototype,
+      RangeError.prototype, SyntaxError.prototype, ReferenceError.prototype,
+      URIError.prototype, EvalError.prototype, Promise.prototype
+    ];
+    for (var i = 0; i < protos.length; i++) {
+      try { Object.freeze(protos[i]); } catch(e) {}
+    }
+  })();
+
+  // ============================================================
+  // Remove Dangerous Globals
+  // ============================================================
+  var dangerousGlobals = ${safeJsonStringify(getDangerousGlobals(config.securityLevel))};
+  for (var dg = 0; dg < dangerousGlobals.length; dg++) {
+    try { delete window[dangerousGlobals[dg]]; } catch(e) {
+      try { window[dangerousGlobals[dg]] = undefined; } catch(e2) {}
+    }
+  }
+
+  // Always remove browser-specific dangerous globals
+  // Note: 'location' is intentionally omitted — setting window.location = undefined
+  // triggers a navigation that kills the iframe's event loop.
+  // location is already restricted by the sandbox (no allow-same-origin).
+  var browserDangerous = [
+    'fetch', 'XMLHttpRequest', 'WebSocket', 'EventSource',
+    'Worker', 'SharedWorker', 'ServiceWorker',
+    'importScripts', 'localStorage', 'sessionStorage',
+    'indexedDB', 'caches', 'navigator',
+    'open', 'close', 'alert', 'confirm', 'prompt'
+  ];
+  for (var bd = 0; bd < browserDangerous.length; bd++) {
+    try { delete window[browserDangerous[bd]]; } catch(e) {
+      try { window[browserDangerous[bd]] = undefined; } catch(e2) {}
+    }
+  }
+
+  // Note: window.document is a non-configurable accessor property that cannot be
+  // deleted or redefined. It is shadowed via 'var document = undefined' in the
+  // user code execution scope below.
+
+  // ============================================================
+  // Inject Safe Globals
+  // ============================================================
+  var SafeObject = function(value) {
+    if (value === null || value === undefined) return {};
+    return Object(value);
+  };
+  var safeObjMethods = [
+    'keys', 'values', 'entries', 'fromEntries', 'assign', 'is', 'hasOwn',
+    'freeze', 'isFrozen', 'seal', 'isSealed', 'preventExtensions', 'isExtensible',
+    'getOwnPropertyNames', 'getOwnPropertySymbols', 'getPrototypeOf'
+  ];
+  for (var sm = 0; sm < safeObjMethods.length; sm++) {
+    if (safeObjMethods[sm] in Object) SafeObject[safeObjMethods[sm]] = Object[safeObjMethods[sm]];
+  }
+  SafeObject.create = function(proto, props) {
+    if (props !== undefined) throw createSafeError('Object.create with property descriptors is not allowed');
+    return Object.create(proto);
+  };
+  SafeObject.prototype = Object.prototype;
+
+  var blockedObjMethods = ['defineProperty', 'defineProperties', 'setPrototypeOf', 'getOwnPropertyDescriptor', 'getOwnPropertyDescriptors'];
+  for (var bm = 0; bm < blockedObjMethods.length; bm++) {
+    (function(method) {
+      SafeObject[method] = function() {
+        throw createSafeError('Object.' + method + ' is not allowed (security restriction)');
+      };
+    })(blockedObjMethods[bm]);
+  }
+
+  // Save reference to Object.defineProperty before neutralizing it
+  var _defineProperty = Object.defineProperty;
+
+  // Neutralize dangerous static methods on intrinsic Object
+  (function() {
+    var RealObject = Object.getPrototypeOf({}).constructor;
+    var dangerous = ['getOwnPropertyDescriptors', 'getOwnPropertyDescriptor', 'defineProperty', 'defineProperties', 'setPrototypeOf'];
+    for (var i = 0; i < dangerous.length; i++) { try { delete RealObject[dangerous[i]]; } catch(e) {} }
+  })();
+
+  // Define all safe globals as non-writable, non-configurable, non-enumerable
+  var safeGlobals = {
+    __safe_callTool: createSecureProxy(__safe_callTool),
+    callTool: createSecureProxy(__safe_callTool),
+    __safe_forOf: createSecureProxy(__safe_forOf),
+    __safe_for: createSecureProxy(__safe_for),
+    __safe_while: createSecureProxy(__safe_while),
+    __safe_doWhile: createSecureProxy(__safe_doWhile),
+    __safe_concat: __safe_concat,
+    __safe_template: __safe_template,
+    __safe_parallel: createSecureProxy(__safe_parallel),
+    parallel: createSecureProxy(__safe_parallel),
+    __safe_console: safeConsole,
+    console: safeConsole,
+    __maxIterations: ${maxIterations},
+    Math: createSecureProxy(Math),
+    JSON: createSecureProxy(JSON),
+    Array: createSecureProxy(Array),
+    Object: createSecureProxy(SafeObject),
+    String: createSecureProxy(String),
+    Number: createSecureProxy(Number),
+    Date: createSecureProxy(Date),
+    Boolean: createSecureProxy(Boolean),
+    RegExp: createSecureProxy(RegExp),
+    Error: createSecureProxy(Error),
+    TypeError: createSecureProxy(TypeError),
+    RangeError: createSecureProxy(RangeError),
+    Promise: createSecureProxy(Promise),
+    undefined: undefined,
+    NaN: NaN,
+    Infinity: Infinity,
+    isNaN: isNaN,
+    isFinite: isFinite,
+    parseInt: parseInt,
+    parseFloat: parseFloat,
+    encodeURI: encodeURI,
+    decodeURI: decodeURI,
+    encodeURIComponent: encodeURIComponent,
+    decodeURIComponent: decodeURIComponent
+  };
+
+  // Inject custom globals if provided
+  var customGlobals = ${safeJsonStringify(config.globals || {})};
+  for (var cgKey in customGlobals) {
+    if (customGlobals.hasOwnProperty(cgKey)) {
+      safeGlobals[cgKey] = createSecureProxy(customGlobals[cgKey]);
+      safeGlobals['__safe_' + cgKey] = createSecureProxy(customGlobals[cgKey]);
+    }
+  }
+
+  for (var gKey in safeGlobals) {
+    if (safeGlobals.hasOwnProperty(gKey)) {
+      try {
+        _defineProperty(window, gKey, {
+          value: safeGlobals[gKey],
+          writable: false,
+          configurable: false,
+          enumerable: false
+        });
+      } catch(e) {}
+    }
+  }
+
+  // ============================================================
+  // Execute User Code
+  // ============================================================
+  (async function() {
+    // Shadow non-deletable browser globals so user code sees undefined
+    var document = undefined;
+
+    try {
+      // The transformed code defines __ag_main as a function declaration.
+      // We embed it directly — CSP 'unsafe-inline' allows inline scripts
+      // but blocks eval/new Function.
+      ${generateUserCodeExecution(userCode)}
+
+      var result = typeof __ag_main === 'function' ? await __ag_main() : undefined;
+
+      // Sanitize result before sending
+      var safeResult;
+      try {
+        safeResult = JSON.parse(JSON.stringify(result));
+      } catch(e) {
+        safeResult = undefined;
+      }
+
+      sendToOuter({
+        type: 'result',
+        success: true,
+        value: safeResult,
+        stats: {
+          duration: Date.now() - startTime,
+          toolCallCount: toolCallCount,
+          iterationCount: iterationCount,
+          startTime: startTime,
+          endTime: Date.now()
+        }
+      });
+    } catch(error) {
+      sendToOuter({
+        type: 'result',
+        success: false,
+        error: {
+          name: (typeof error === 'string') ? 'Error' : ((error && error.name) ? String(error.name) : 'Error'),
+          message: (typeof error === 'string') ? error : ((error && error.message) ? String(error.message) : 'Unknown error'),
+          code: (typeof error === 'string') ? undefined : ((error && error.code) ? String(error.code) : undefined)
+        },
+        stats: {
+          duration: Date.now() - startTime,
+          toolCallCount: toolCallCount,
+          iterationCount: iterationCount,
+          startTime: startTime,
+          endTime: Date.now()
+        }
+      });
+    }
+  })();
+})();
+`.trim();
+}
+
+/**
+ * Generate the user code execution block.
+ * Since we can't use new Function() (CSP blocks eval),
+ * we embed the code directly in the script.
+ */
+function generateUserCodeExecution(userCode: string): string {
+  // The user code has already been transformed by @enclave-vm/ast
+  // and contains __ag_main() function definition.
+  // We embed it directly - it runs in the same script context.
+  // Escape closing script tags to prevent HTML parser breakout
+  // when embedded via buildIframeHtml's <script>${content}</script>
+  return userCode.replace(/<\//g, '<\\/');
+}
+
+/**
+ * Dangerous globals to remove per security level
+ */
+function getDangerousGlobals(securityLevel: string): string[] {
+  const base: Record<string, string[]> = {
+    STRICT: [
+      'Function',
+      'eval',
+      'globalThis',
+      'Proxy',
+      'Reflect',
+      'SharedArrayBuffer',
+      'Atomics',
+      'WebAssembly',
+      'Iterator',
+      'AsyncIterator',
+      'ShadowRealm',
+      'WeakRef',
+      'FinalizationRegistry',
+      'performance',
+      'Temporal',
+    ],
+    SECURE: [
+      'Function',
+      'eval',
+      'globalThis',
+      'Proxy',
+      'SharedArrayBuffer',
+      'Atomics',
+      'WebAssembly',
+      'Iterator',
+      'AsyncIterator',
+      'ShadowRealm',
+      'WeakRef',
+      'FinalizationRegistry',
+    ],
+    STANDARD: [
+      'Function',
+      'eval',
+      'SharedArrayBuffer',
+      'Atomics',
+      'WebAssembly',
+      'ShadowRealm',
+      'WeakRef',
+      'FinalizationRegistry',
+    ],
+    PERMISSIVE: ['ShadowRealm', 'SharedArrayBuffer', 'Atomics', 'WebAssembly'],
+  };
+
+  return base[securityLevel] || base['STANDARD'];
+}
diff --git a/libs/browser/src/adapters/outer-iframe-bootstrap.ts b/libs/browser/src/adapters/outer-iframe-bootstrap.ts
new file mode 100644
index 0000000..9c601e6
--- /dev/null
+++ b/libs/browser/src/adapters/outer-iframe-bootstrap.ts
@@ -0,0 +1,382 @@
+/**
+ * Outer Iframe Bootstrap Generator
+ *
+ * Generates the HTML/JS content for the outer iframe which acts as the
+ * security barrier between the host page and the inner iframe where
+ * user code runs.
+ *
+ * The outer iframe:
+ * - Creates and manages the inner iframe
+ * - Validates tool calls (rate limiting, pattern detection, name whitelisting)
+ * - Relays validated messages between inner iframe and host page
+ * - Handles console relay
+ * - Enforces timeouts
+ *
+ * This is the browser equivalent of parent-vm-bootstrap.ts from @enclave-vm/core.
+ *
+ * @packageDocumentation
+ */
+
+import { buildIframeHtml, safeJsonStringify } from './iframe-html-builder';
+import { generateInnerIframeHtml } from './inner-iframe-bootstrap';
+import type { SerializedIframeConfig, SerializableSuspiciousPattern } from '../types';
+
+export interface OuterIframeBootstrapOptions {
+  userCode: string;
+  config: SerializedIframeConfig;
+  requestId: string;
+  suspiciousPatterns: SerializableSuspiciousPattern[];
+  validationConfig: {
+    validateOperationNames: boolean;
+    allowedOperationPatternSource?: string;
+    allowedOperationPatternFlags?: string;
+    blockedOperationPatternSources?: string[];
+    blockedOperationPatternFlags?: string[];
+    maxOperationsPerSecond: number;
+    blockSuspiciousSequences: boolean;
+    rapidEnumerationThreshold: number;
+    rapidEnumerationOverrides: Record<string, number>;
+  };
+}
+
+/**
+ * Generate the outer iframe HTML content
+ */
+export function generateOuterIframeHtml(options: OuterIframeBootstrapOptions): string {
+  const script = generateOuterIframeScript(options);
+  return buildIframeHtml(script, { title: 'Enclave Outer Sandbox' });
+}
+
+function generateOuterIframeScript(options: OuterIframeBootstrapOptions): string {
+  const { userCode, config, requestId, suspiciousPatterns, validationConfig } = options;
+
+  // Pre-generate the inner iframe HTML
+  const innerHtml = generateInnerIframeHtml({
+    userCode,
+    config,
+    requestId,
+  });
+
+  const patternDetectorsCode = generatePatternDetectors(suspiciousPatterns);
+
+  return `
+"use strict";
+(function() {
+  var requestId = ${safeJsonStringify(requestId)};
+  var aborted = false;
+  var completed = false;
+
+  // ============================================================
+  // Safe Error
+  // ============================================================
+  function createSafeError(message, name) {
+    var error = new Error(message);
+    error.name = name || 'Error';
+    try { Object.setPrototypeOf(error, null); } catch(e) {}
+    try { Object.freeze(error); } catch(e) {}
+    return error;
+  }
+
+  // ============================================================
+  // Validation Configuration
+  // ============================================================
+  var validationConfig = ${safeJsonStringify({
+    validateOperationNames: validationConfig.validateOperationNames,
+    maxOperationsPerSecond: validationConfig.maxOperationsPerSecond,
+    blockSuspiciousSequences: validationConfig.blockSuspiciousSequences,
+    rapidEnumerationThreshold: validationConfig.rapidEnumerationThreshold,
+    rapidEnumerationOverrides: validationConfig.rapidEnumerationOverrides,
+  })};
+
+  ${
+    validationConfig.allowedOperationPatternSource
+      ? `var allowedOperationPattern = new RegExp(${safeJsonStringify(validationConfig.allowedOperationPatternSource)}, ${safeJsonStringify(validationConfig.allowedOperationPatternFlags || '')});`
+      : ''
+  }
+
+  ${
+    validationConfig.blockedOperationPatternSources
+      ? `var blockedOperationPatterns = [${validationConfig.blockedOperationPatternSources
+          .map(
+            (src, i) =>
+              `new RegExp(${safeJsonStringify(src)}, ${safeJsonStringify(validationConfig.blockedOperationPatternFlags?.[i] || '')})`,
+          )
+          .join(',')}];`
+      : ''
+  }
+
+  // Suspicious pattern detectors
+  var suspiciousPatterns = ${patternDetectorsCode};
+
+  // Operation history for pattern detection
+  var operationHistory = [];
+
+  // Tool call counter
+  var toolCallCount = 0;
+
+  // ============================================================
+  // Validation Logic (ported from parent-vm-bootstrap.ts)
+  // ============================================================
+  function validateOperation(operationName, args) {
+    var now = Date.now();
+
+    // Sliding window cleanup
+    while (operationHistory.length > 0 && now - operationHistory[0].timestamp > 2000) {
+      operationHistory.shift();
+    }
+
+    // Rate limiting
+    var recentOps = operationHistory.filter(function(h) { return now - h.timestamp < 1000; });
+    if (recentOps.length >= validationConfig.maxOperationsPerSecond) {
+      throw createSafeError('Operation rate limit exceeded (' + validationConfig.maxOperationsPerSecond + ' operations/second)');
+    }
+
+    // Name validation
+    if (typeof operationName !== 'string' || !operationName) {
+      throw createSafeError('Operation name must be a non-empty string', 'TypeError');
+    }
+
+    // Whitelist check
+    if (validationConfig.validateOperationNames && typeof allowedOperationPattern !== 'undefined') {
+      allowedOperationPattern.lastIndex = 0;
+      if (!allowedOperationPattern.test(operationName)) {
+        throw createSafeError('Operation "' + operationName + '" does not match allowed pattern');
+      }
+    }
+
+    // Blacklist check
+    if (typeof blockedOperationPatterns !== 'undefined') {
+      for (var i = 0; i < blockedOperationPatterns.length; i++) {
+        blockedOperationPatterns[i].lastIndex = 0;
+        if (blockedOperationPatterns[i].test(operationName)) {
+          throw createSafeError('Operation "' + operationName + '" matches blocked pattern');
+        }
+      }
+    }
+
+    // Suspicious sequence detection
+    if (validationConfig.blockSuspiciousSequences) {
+      for (var j = 0; j < suspiciousPatterns.length; j++) {
+        var pattern = suspiciousPatterns[j];
+        var detected = false;
+        try { detected = !!pattern.detect(operationName, args, operationHistory); }
+        catch(e) { detected = false; }
+        if (detected) {
+          throw createSafeError('Suspicious pattern detected: ' + pattern.description + ' [' + pattern.id + ']');
+        }
+      }
+    }
+  }
+
+  // ============================================================
+  // Message Sending
+  // ============================================================
+  function sendToHost(msg) {
+    msg.__enclave_msg__ = true;
+    msg.requestId = requestId;
+    try { window.parent.postMessage(msg, '*'); } catch(e) {}
+  }
+
+  var innerFrame = null;
+
+  function sendToInner(msg) {
+    msg.__enclave_msg__ = true;
+    msg.requestId = requestId;
+    if (innerFrame && innerFrame.contentWindow) {
+      try { innerFrame.contentWindow.postMessage(msg, '*'); } catch(e) {}
+    }
+  }
+
+  // ============================================================
+  // Message Relay Logic (Three-Hop)
+  // ============================================================
+  window.addEventListener('message', function(event) {
+    var data = event.data;
+    if (!data || data.__enclave_msg__ !== true) return;
+    if (completed) return;
+
+    var fromInner = (innerFrame && event.source === innerFrame.contentWindow);
+    var fromHost = (event.source === window.parent);
+    if (data.requestId !== requestId) return;
+
+    // Messages from inner iframe (tool-call, result, console)
+    if (data.type === 'tool-call') {
+      if (!fromInner) return;
+      // Validate before forwarding to host
+      try {
+        // Double sanitize args
+        var sanitizedArgs;
+        try { sanitizedArgs = JSON.parse(JSON.stringify(data.args)); }
+        catch(e) { throw createSafeError('Tool arguments must be JSON-serializable'); }
+
+        toolCallCount++;
+        validateOperation(data.toolName, sanitizedArgs);
+
+        // Record in history
+        operationHistory.push({
+          operationName: data.toolName,
+          timestamp: Date.now(),
+          argKeys: sanitizedArgs && typeof sanitizedArgs === 'object' ? Object.keys(sanitizedArgs) : []
+        });
+
+        // Forward validated tool call to host
+        sendToHost({
+          type: 'tool-call',
+          callId: data.callId,
+          toolName: data.toolName,
+          args: sanitizedArgs
+        });
+      } catch(error) {
+        // Validation failed - send error back to inner as tool-response
+        sendToInner({
+          type: 'tool-response',
+          callId: data.callId,
+          error: {
+            name: (error && error.name) ? String(error.name) : 'ValidationError',
+            message: (error && error.message) ? String(error.message) : 'Validation failed'
+          }
+        });
+      }
+    }
+    else if (data.type === 'result') {
+      if (!fromInner) return;
+      // Forward execution result to host
+      completed = true;
+      sendToHost({
+        type: 'result',
+        success: data.success,
+        value: data.value,
+        error: data.error,
+        stats: data.stats
+      });
+    }
+    else if (data.type === 'console') {
+      if (!fromInner) return;
+      // Forward console output to host
+      sendToHost({
+        type: 'console',
+        level: data.level,
+        args: data.args
+      });
+    }
+    else if (data.type === 'tool-response') {
+      if (!fromHost) return;
+      // Message from host - forward tool response to inner
+      sendToInner({
+        type: 'tool-response',
+        callId: data.callId,
+        result: data.result,
+        error: data.error
+      });
+    }
+    else if (data.type === 'abort') {
+      if (!fromHost) return;
+      // Abort from host - forward to inner and destroy it
+      aborted = true;
+      sendToInner({ type: 'abort' });
+      // Remove inner iframe for hard termination
+      if (innerFrame && innerFrame.parentNode) {
+        innerFrame.parentNode.removeChild(innerFrame);
+        innerFrame = null;
+      }
+    }
+  });
+
+  // ============================================================
+  // Create Inner Iframe
+  // ============================================================
+  var innerHtml = ${JSON.stringify(innerHtml).replace(/<\//g, '<\\/')};
+
+  innerFrame = document.createElement('iframe');
+  innerFrame.sandbox = 'allow-scripts';
+  innerFrame.srcdoc = innerHtml;
+  innerFrame.style.cssText = 'position:absolute;width:0;height:0;border:none;overflow:hidden;';
+  document.body.appendChild(innerFrame);
+
+  // Signal ready to host
+  sendToHost({ type: 'ready' });
+
+  // ============================================================
+  // Timeout Handling
+  // ============================================================
+  var timeout = ${config.timeout};
+  setTimeout(function() {
+    if (!completed) {
+      completed = true;
+      // Hard kill inner iframe
+      if (innerFrame && innerFrame.parentNode) {
+        innerFrame.parentNode.removeChild(innerFrame);
+        innerFrame = null;
+      }
+      sendToHost({
+        type: 'result',
+        success: false,
+        error: {
+          name: 'TimeoutError',
+          message: 'Execution timed out after ' + timeout + 'ms',
+          code: 'EXECUTION_TIMEOUT'
+        },
+        stats: {
+          duration: timeout,
+          toolCallCount: toolCallCount,
+          iterationCount: 0,
+          startTime: Date.now() - timeout,
+          endTime: Date.now()
+        }
+      });
+    }
+  }, timeout);
+})();
+`.trim();
+}
+
+/**
+ * Dangerous patterns that should not appear in detectBody.
+ * Duplicated from libs/core/src/double-vm/suspicious-patterns.ts
+ * because the browser package does not depend on core.
+ */
+const DANGEROUS_BODY_PATTERNS = [
+  /\bfunction\s+[a-zA-Z_$][a-zA-Z0-9_$]*\s*\(/g, // Named function declarations
+  /\bclass\s+[a-zA-Z_$]/g, // Class declarations
+  /\brequire\s*\(/g, // CommonJS require
+  /\bimport\s*\(/g, // Dynamic import
+  /\bimport\s+/g, // Static import
+  /\bglobal\b/g, // Global object
+  /\bglobalThis\b/g, // GlobalThis object
+  /\bprocess\b/g, // Node.js process
+  /<\/script/gi, // Script tag breakout
+  /<!--/g, // HTML comment injection
+];
+
+function validateDetectBody(detectBody: string, patternId: string): void {
+  for (const pattern of DANGEROUS_BODY_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(detectBody)) {
+      throw new Error(
+        `Pattern "${patternId}": detectBody contains potentially dangerous code. ` +
+          `Custom patterns should only contain detection logic, not function declarations, ` +
+          `imports, or global object access.`,
+      );
+    }
+  }
+}
+
+/**
+ * Generate code for pattern detectors
+ */
+function generatePatternDetectors(patterns: SerializableSuspiciousPattern[]): string {
+  if (patterns.length === 0) return '[]';
+
+  for (const p of patterns) {
+    validateDetectBody(p.detectBody, p.id);
+  }
+
+  const patternDefs = patterns
+    .map(
+      (p) =>
+        `{ id: ${safeJsonStringify(p.id)}, description: ${safeJsonStringify(p.description)}, detect: function(operationName, args, history) { ${p.detectBody} } }`,
+    )
+    .join(',\n    ');
+
+  return `[${patternDefs}]`;
+}
diff --git a/libs/browser/src/browser-enclave.ts b/libs/browser/src/browser-enclave.ts
new file mode 100644
index 0000000..c75840b
--- /dev/null
+++ b/libs/browser/src/browser-enclave.ts
@@ -0,0 +1,476 @@
+/**
+ * BrowserEnclave - Browser-based Safe AgentScript Execution Environment
+ *
+ * Provides a sandboxed environment using double iframe isolation for
+ * executing AgentScript code in the browser with:
+ * - AST validation (via @enclave-vm/ast)
+ * - Code transformation
+ * - Runtime safety wrappers
+ * - Resource limits (timeout, iterations, tool calls)
+ * - Double iframe defense-in-depth
+ *
+ * @packageDocumentation
+ */
+
+import {
+  JSAstValidator,
+  createAgentScriptPreset,
+  createStrictPreset,
+  createSecurePreset,
+  createStandardPreset,
+  createPermissivePreset,
+  getAgentScriptGlobals,
+  transformAgentScript,
+  isWrappedInMain,
+  type ValidationIssue,
+} from '@enclave-vm/ast';
+import { IframeAdapter, type IframeExecutionContext } from './adapters/iframe-adapter';
+import type {
+  BrowserEnclaveOptions,
+  ExecutionResult,
+  ToolHandler,
+  SecurityLevel,
+  AstPreset,
+  SecureProxyLevelConfig,
+  DoubleIframeConfig,
+  SerializedIframeConfig,
+  SerializableSuspiciousPattern,
+} from './types';
+import { SECURITY_LEVEL_CONFIGS, DEFAULT_DOUBLE_IFRAME_CONFIG } from './types';
+
+/**
+ * Default security level
+ */
+const DEFAULT_SECURITY_LEVEL: SecurityLevel = 'STANDARD';
+
+/**
+ * Blocked properties for secure proxy per security level
+ */
+function getBlockedProperties(config: SecureProxyLevelConfig): string[] {
+  const blocked: string[] = [];
+
+  if (config.blockPrototype) {
+    blocked.push('__proto__', 'prototype');
+  }
+  if (config.blockConstructor) {
+    blocked.push('constructor');
+  }
+  if (config.blockLegacyAccessors) {
+    blocked.push('__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__');
+  }
+
+  return blocked;
+}
+
+/**
+ * Default suspicious patterns (serialized for iframe injection)
+ */
+const DEFAULT_SERIALIZED_PATTERNS: SerializableSuspiciousPattern[] = [
+  {
+    id: 'EXFIL_LIST_SEND',
+    description: 'List/query followed by send/export (potential exfiltration)',
+    detectBody: `
+      var recentQueries = history.filter(function(h) {
+        return /list|query|get|fetch|read|search|find|select/i.test(h.operationName) && Date.now() - h.timestamp < 5000;
+      });
+      var isSendOperation = /send|export|post|write|upload|publish|emit|transmit|forward/i.test(operationName);
+      return recentQueries.length > 0 && isSendOperation;
+    `,
+  },
+  {
+    id: 'RAPID_ENUMERATION',
+    description: 'Rapid enumeration of resources',
+    detectBody: `
+      var now = Date.now();
+      var recentSame = history.filter(function(h) {
+        return h.operationName === operationName && now - h.timestamp < 5000;
+      });
+      var threshold = 30;
+      try {
+        if (typeof validationConfig !== 'undefined') {
+          threshold = (validationConfig.rapidEnumerationOverrides && validationConfig.rapidEnumerationOverrides[operationName])
+            || validationConfig.rapidEnumerationThreshold || 30;
+        }
+      } catch(e) { threshold = 30; }
+      return recentSame.length > threshold;
+    `,
+  },
+  {
+    id: 'CREDENTIAL_EXFIL',
+    description: 'Credential access followed by external operation',
+    detectBody: `
+      var recentCreds = history.filter(function(h) {
+        return /secret|credential|password|token|key|auth|api[_-]?key/i.test(h.operationName) && Date.now() - h.timestamp < 10000;
+      });
+      var isExternal = /http|api|external|webhook|slack|email|sms|notification/i.test(operationName);
+      return recentCreds.length > 0 && isExternal;
+    `,
+  },
+  {
+    id: 'BULK_OPERATION',
+    description: 'Bulk/batch operation detected',
+    detectBody: `
+      var isBulk = /\\b(bulk|batch|mass|dump)\\b|export[_-]all\\b/i.test(operationName);
+      if (typeof args === 'object' && args !== null) {
+        try {
+          var argStr = JSON.stringify(args).toLowerCase();
+          if (/limit.*[0-9]{4,}|"\\*"|no[_-]?limit/i.test(argStr)) return true;
+        } catch(e) {}
+      }
+      return isBulk;
+    `,
+  },
+  {
+    id: 'DELETE_AFTER_ACCESS',
+    description: 'Delete operation after data access (potential cover-up)',
+    detectBody: `
+      var isDelete = /delete|remove|destroy|purge|clear|wipe|erase/i.test(operationName);
+      if (!isDelete) return false;
+      var recentAccess = history.filter(function(h) {
+        return /list|query|get|fetch|read|search|find|select/i.test(h.operationName) && Date.now() - h.timestamp < 30000;
+      });
+      return recentAccess.length > 0;
+    `,
+  },
+];
+
+/**
+ * BrowserEnclave - Safe AgentScript Execution in the Browser
+ *
+ * @example
+ * ```typescript
+ * import { BrowserEnclave } from '@enclave-vm/browser';
+ *
+ * const enclave = new BrowserEnclave({
+ *   securityLevel: 'STRICT',
+ *   toolHandler: async (name, args) => {
+ *     return fetch(`/api/tools/${name}`, {
+ *       method: 'POST',
+ *       body: JSON.stringify(args),
+ *     }).then(r => r.json());
+ *   },
+ * });
+ *
+ * const result = await enclave.run(`
+ *   const users = await callTool('users:list', {});
+ *   return users.items.length;
+ * `);
+ *
+ * enclave.dispose();
+ * ```
+ */
+export class BrowserEnclave {
+  private readonly securityLevel: SecurityLevel;
+  private readonly validator: JSAstValidator;
+  private readonly validateCode: boolean;
+  private readonly transformCode: boolean;
+  private readonly customGlobalNames: string[];
+  private readonly adapter: IframeAdapter;
+  private readonly config: {
+    timeout: number;
+    maxIterations: number;
+    maxToolCalls: number;
+    maxConsoleOutputBytes: number;
+    maxConsoleCalls: number;
+    sanitizeStackTraces: boolean;
+    maxSanitizeDepth: number;
+    maxSanitizeProperties: number;
+    memoryLimit: number;
+    globals: Record<string, unknown>;
+    toolHandler?: ToolHandler;
+    secureProxyConfig: SecureProxyLevelConfig;
+  };
+  private readonly doubleIframeConfig: DoubleIframeConfig;
+  private readonly customSerializablePatterns: SerializableSuspiciousPattern[];
+
+  constructor(options: BrowserEnclaveOptions = {}) {
+    this.securityLevel = options.securityLevel ?? DEFAULT_SECURITY_LEVEL;
+
+    const levelConfig = SECURITY_LEVEL_CONFIGS[this.securityLevel];
+
+    // Merge secure proxy config
+    const secureProxyConfig: SecureProxyLevelConfig = {
+      ...levelConfig.secureProxy,
+      ...(options.secureProxyConfig ?? {}),
+    };
+
+    // Build config
+    this.config = {
+      timeout: options.timeout ?? levelConfig.timeout,
+      maxIterations: options.maxIterations ?? levelConfig.maxIterations,
+      maxToolCalls: options.maxToolCalls ?? levelConfig.maxToolCalls,
+      maxConsoleOutputBytes: options.maxConsoleOutputBytes ?? levelConfig.maxConsoleOutputBytes,
+      maxConsoleCalls: options.maxConsoleCalls ?? levelConfig.maxConsoleCalls,
+      sanitizeStackTraces: levelConfig.sanitizeStackTraces,
+      maxSanitizeDepth: levelConfig.maxSanitizeDepth,
+      maxSanitizeProperties: levelConfig.maxSanitizeProperties,
+      memoryLimit: options.memoryLimit ?? 1 * 1024 * 1024,
+      globals: options.globals ?? {},
+      toolHandler: options.toolHandler,
+      secureProxyConfig,
+    };
+
+    // Extract custom global names
+    this.customGlobalNames = Object.keys(this.config.globals);
+    const customAllowedGlobals = this.customGlobalNames.flatMap((name) => [name, `__safe_${name}`]);
+
+    // Create validator
+    const presetName: AstPreset = options.preset ?? 'agentscript';
+
+    if (this.customGlobalNames.length > 0 && presetName !== 'agentscript') {
+      throw new Error(
+        "Custom globals are only supported with the 'agentscript' preset. " +
+          'Remove globals or switch to preset: "agentscript".',
+      );
+    }
+
+    this.validator = this.createValidator(presetName, customAllowedGlobals);
+
+    // Config flags
+    this.validateCode = options.validate !== false;
+    this.transformCode = options.transform !== false;
+
+    // Store custom serializable patterns
+    this.customSerializablePatterns = options.customSerializablePatterns ?? [];
+
+    // Build double iframe config
+    this.doubleIframeConfig = this.buildDoubleIframeConfig(options.doubleIframe);
+
+    // Create adapter
+    this.adapter = new IframeAdapter();
+  }
+
+  /**
+   * Execute AgentScript code in the browser sandbox
+   */
+  async run<T = unknown>(code: string, toolHandler?: ToolHandler): Promise<ExecutionResult<T>> {
+    const startTime = Date.now();
+
+    try {
+      // Step 1: Transform
+      let transformedCode = code;
+      if (this.transformCode) {
+        const needsWrapping = !isWrappedInMain(code);
+        transformedCode = transformAgentScript(code, {
+          wrapInMain: needsWrapping,
+          transformCallTool: true,
+          transformLoops: true,
+          additionalIdentifiers: this.customGlobalNames,
+        });
+      }
+
+      // Step 2: Validate
+      if (this.validateCode) {
+        const validationResult = await this.validator.validate(transformedCode);
+        if (!validationResult.valid) {
+          const errorMessages = this.formatValidationErrors(validationResult.issues);
+          return {
+            success: false,
+            error: {
+              name: 'ValidationError',
+              message: `AgentScript validation failed:\n${errorMessages}`,
+              code: 'VALIDATION_ERROR',
+              data: { issues: validationResult.issues },
+            },
+            stats: {
+              duration: Date.now() - startTime,
+              toolCallCount: 0,
+              iterationCount: 0,
+              startTime,
+              endTime: Date.now(),
+            },
+          };
+        }
+      }
+
+      // Step 3: Build serialized config for iframes
+      const serializedConfig: SerializedIframeConfig = {
+        timeout: this.config.timeout,
+        maxIterations: this.config.maxIterations,
+        maxToolCalls: this.config.maxToolCalls,
+        maxConsoleOutputBytes: this.config.maxConsoleOutputBytes,
+        maxConsoleCalls: this.config.maxConsoleCalls,
+        sanitizeStackTraces: this.config.sanitizeStackTraces,
+        maxSanitizeDepth: this.config.maxSanitizeDepth,
+        maxSanitizeProperties: this.config.maxSanitizeProperties,
+        securityLevel: this.securityLevel,
+        memoryLimit: this.config.memoryLimit,
+        blockedProperties: getBlockedProperties(this.config.secureProxyConfig),
+        throwOnBlocked: this.config.secureProxyConfig.throwOnBlocked,
+        allowComposites: false,
+        globals: this.serializeGlobals(this.config.globals),
+      };
+
+      // Step 4: Build validation config for outer iframe
+      const pv = this.doubleIframeConfig.parentValidation;
+      const validationConfig = {
+        validateOperationNames: pv.validateOperationNames,
+        allowedOperationPatternSource: pv.allowedOperationPattern?.source,
+        allowedOperationPatternFlags: pv.allowedOperationPattern?.flags,
+        blockedOperationPatternSources: pv.blockedOperationPatterns?.map((p) => p.source),
+        blockedOperationPatternFlags: pv.blockedOperationPatterns?.map((p) => p.flags),
+        maxOperationsPerSecond: pv.maxOperationsPerSecond,
+        blockSuspiciousSequences: pv.blockSuspiciousSequences,
+        rapidEnumerationThreshold: pv.rapidEnumerationThreshold,
+        rapidEnumerationOverrides: pv.rapidEnumerationOverrides,
+      };
+
+      // Step 5: Build execution context
+      const executionContext: IframeExecutionContext = {
+        config: serializedConfig,
+        toolHandler: toolHandler || this.config.toolHandler,
+        securityLevel: this.securityLevel,
+        doubleIframeConfig: this.doubleIframeConfig,
+        secureProxyConfig: this.config.secureProxyConfig,
+        blockedProperties: serializedConfig.blockedProperties,
+        // Function-based SuspiciousPattern[] from parentValidation are not serialized here;
+        // they require a serialization bridge (see serializePatterns in @enclave-vm/core).
+        // String-based SerializableSuspiciousPattern[] from customSerializablePatterns are
+        // appended directly since they are already in serializable form.
+        suspiciousPatterns: [...DEFAULT_SERIALIZED_PATTERNS, ...this.customSerializablePatterns],
+        validationConfig,
+      };
+
+      // Step 6: Execute via IframeAdapter
+      return await this.adapter.execute<T>(transformedCode, executionContext);
+    } catch (error: unknown) {
+      const err = error as Error;
+      return {
+        success: false,
+        error: {
+          name: err.name || 'EnclaveError',
+          message: err.message || 'Unknown enclave error',
+          stack: err.stack,
+          code: 'ENCLAVE_ERROR',
+        },
+        stats: {
+          duration: Date.now() - startTime,
+          toolCallCount: 0,
+          iterationCount: 0,
+          startTime,
+          endTime: Date.now(),
+        },
+      };
+    }
+  }
+
+  /**
+   * Serialize globals for iframe injection (strip functions)
+   */
+  private serializeGlobals(globals: Record<string, unknown>): Record<string, unknown> {
+    const serializable: Record<string, unknown> = {};
+    for (const [key, value] of Object.entries(globals)) {
+      if (typeof value === 'function') continue; // Functions can't cross iframe boundary
+      try {
+        // Verify JSON round-trippable
+        serializable[key] = JSON.parse(JSON.stringify(value));
+      } catch {
+        // Skip non-serializable values
+      }
+    }
+    return serializable;
+  }
+
+  /**
+   * Get the security level
+   */
+  getSecurityLevel(): SecurityLevel {
+    return this.securityLevel;
+  }
+
+  /**
+   * Dispose the enclave and cleanup resources
+   */
+  dispose(): void {
+    this.adapter.dispose();
+  }
+
+  /**
+   * Create a validator based on the selected preset
+   */
+  private createValidator(presetName: AstPreset, customAllowedGlobals: string[]): JSAstValidator {
+    const securityLevelGlobals = getAgentScriptGlobals(this.securityLevel);
+    const enclaveSpecificGlobals = [
+      'parallel',
+      '__safe_parallel',
+      '__safe_concat',
+      '__safe_template',
+      'console',
+      '__safe_console',
+    ];
+    const allAllowedGlobals = [...securityLevelGlobals, ...enclaveSpecificGlobals, ...customAllowedGlobals];
+
+    switch (presetName) {
+      case 'agentscript':
+        return new JSAstValidator(
+          createAgentScriptPreset({
+            securityLevel: this.securityLevel,
+            allowedGlobals: allAllowedGlobals,
+            allowDynamicArrayFill: this.config.memoryLimit > 0,
+          }),
+        );
+      case 'strict':
+        return new JSAstValidator(createStrictPreset());
+      case 'secure':
+        return new JSAstValidator(createSecurePreset());
+      case 'standard':
+        return new JSAstValidator(createStandardPreset());
+      case 'permissive':
+        return new JSAstValidator(createPermissivePreset());
+      default: {
+        const _exhaustiveCheck: never = presetName;
+        throw new Error(`Unknown preset: ${_exhaustiveCheck}`);
+      }
+    }
+  }
+
+  /**
+   * Build double iframe configuration
+   */
+  private buildDoubleIframeConfig(options?: Partial<DoubleIframeConfig>): DoubleIframeConfig {
+    if (!options) {
+      return {
+        ...DEFAULT_DOUBLE_IFRAME_CONFIG,
+        parentValidation: {
+          ...DEFAULT_DOUBLE_IFRAME_CONFIG.parentValidation,
+          suspiciousPatterns: [...DEFAULT_DOUBLE_IFRAME_CONFIG.parentValidation.suspiciousPatterns],
+          rapidEnumerationOverrides: { ...DEFAULT_DOUBLE_IFRAME_CONFIG.parentValidation.rapidEnumerationOverrides },
+        },
+      };
+    }
+
+    return {
+      enabled: options.enabled ?? DEFAULT_DOUBLE_IFRAME_CONFIG.enabled,
+      parentTimeoutBuffer: options.parentTimeoutBuffer ?? DEFAULT_DOUBLE_IFRAME_CONFIG.parentTimeoutBuffer,
+      parentValidation: {
+        ...DEFAULT_DOUBLE_IFRAME_CONFIG.parentValidation,
+        ...options.parentValidation,
+        suspiciousPatterns: [
+          ...DEFAULT_DOUBLE_IFRAME_CONFIG.parentValidation.suspiciousPatterns,
+          ...(options.parentValidation?.suspiciousPatterns ?? []),
+        ],
+      },
+    };
+  }
+
+  /**
+   * Format validation errors
+   */
+  private formatValidationErrors(issues: ValidationIssue[]): string {
+    const seen = new Set<string>();
+    const uniqueErrors: string[] = [];
+
+    for (const issue of issues) {
+      const locationStr = issue.location ? `:${issue.location.line}:${issue.location.column}` : '';
+      const key = `${issue.code}|${issue.message}|${locationStr}`;
+
+      if (!seen.has(key)) {
+        seen.add(key);
+        const formattedLocation = issue.location ? ` (line ${issue.location.line})` : '';
+        uniqueErrors.push(`${issue.code}${formattedLocation}: ${issue.message}`);
+      }
+    }
+
+    return uniqueErrors.join('\n');
+  }
+}
diff --git a/libs/browser/src/index.ts b/libs/browser/src/index.ts
new file mode 100644
index 0000000..86cceaf
--- /dev/null
+++ b/libs/browser/src/index.ts
@@ -0,0 +1,67 @@
+/**
+ * @enclave-vm/browser - Browser-based Safe AgentScript Execution
+ *
+ * Provides sandboxed execution for AgentScript code in the browser using
+ * double iframe isolation:
+ * - Outer iframe: Security barrier with validation, rate limiting, pattern detection
+ * - Inner iframe: User code execution with safe runtime and frozen globals
+ *
+ * Both iframes use sandbox="allow-scripts" (no allow-same-origin) with CSP
+ * meta tags that block eval, Function constructor, and all network access.
+ *
+ * @packageDocumentation
+ */
+
+// Main BrowserEnclave class
+export { BrowserEnclave } from './browser-enclave';
+
+// Types
+export type {
+  BrowserEnclaveOptions,
+  SecurityLevel,
+  AstPreset,
+  ToolHandler,
+  ExecutionResult,
+  ExecutionError,
+  ExecutionStats,
+  SecurityLevelConfig,
+  SecureProxyLevelConfig,
+  DoubleIframeConfig,
+  ParentValidationConfig,
+  SuspiciousPattern,
+  SerializableSuspiciousPattern,
+  OperationHistory,
+  SerializedIframeConfig,
+} from './types';
+
+// Security level configurations
+export { SECURITY_LEVEL_CONFIGS, DEFAULT_DOUBLE_IFRAME_CONFIG } from './types';
+
+// Iframe adapter (for advanced usage)
+export { IframeAdapter } from './adapters/iframe-adapter';
+export type { IframeExecutionContext } from './adapters/iframe-adapter';
+
+// Protocol types (for advanced usage)
+export type {
+  HostToOuterMessage,
+  OuterToHostMessage,
+  InnerToOuterMessage,
+  OuterToInnerMessage,
+  ToolCallMessage,
+  ResultMessage,
+  ConsoleMessage,
+  ReadyMessage,
+  SerializedError,
+  WorkerExecutionStats,
+} from './adapters/iframe-protocol';
+export {
+  isEnclaveMessage,
+  isToolCallMessage,
+  isResultMessage,
+  isConsoleMessage,
+  isReadyMessage,
+  generateId,
+} from './adapters/iframe-protocol';
+
+// Utilities
+export { utf8ByteLength } from './utils/utf8-byte-length';
diff --git a/libs/browser/src/types.ts b/libs/browser/src/types.ts
new file mode 100644
index 0000000..367e5ed
--- /dev/null
+++ b/libs/browser/src/types.ts
@@ -0,0 +1,352 @@
+/**
+ * Browser Enclave Types
+ *
+ * Configuration types for the browser-based sandbox using double iframe isolation.
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Security levels (mirrored from @enclave-vm/core for browser independence)
+ */
+export type SecurityLevel = 'STRICT' | 'SECURE' | 'STANDARD' | 'PERMISSIVE';
+
+/**
+ * AST validation preset
+ */
+export type AstPreset = 'agentscript' | 'strict' | 'secure' | 'standard' | 'permissive';
+
+/**
+ * Tool call handler function
+ */
+export type ToolHandler = (toolName: string, args: Record<string, unknown>) => Promise<unknown>;
+
+/**
+ * Execution result from the browser sandbox
+ */
+export interface ExecutionResult<T = unknown> {
+  success: boolean;
+  value?: T;
+  error?: ExecutionError;
+  stats: ExecutionStats;
+}
+
+/**
+ * Execution error details
+ */
+export interface ExecutionError {
+  message: string;
+  name: string;
+  stack?: string;
+  code?: string;
+  data?: Record<string, unknown>;
+}
+
+/**
+ * Execution statistics
+ */
+export interface ExecutionStats {
+  duration: number;
+  toolCallCount: number;
+  iterationCount: number;
+  startTime: number;
+  endTime: number;
+}
+
+/**
+ * Secure proxy configuration
+ */
+export interface SecureProxyLevelConfig {
+  blockConstructor: boolean;
+  blockPrototype: boolean;
+  blockLegacyAccessors: boolean;
+  proxyMaxDepth: number;
+  throwOnBlocked: boolean;
+}
+
+/**
+ * Security level configuration
+ */
+export interface SecurityLevelConfig {
+  timeout: number;
+  maxIterations: number;
+  maxToolCalls: number;
+  maxSanitizeDepth: number;
+  maxSanitizeProperties: number;
+  sanitizeStackTraces: boolean;
+  blockTimingAPIs: boolean;
+  allowUnboundedLoops: boolean;
+  unicodeSecurityCheck: boolean;
+  allowFunctionsInGlobals: boolean;
+  maxConsoleOutputBytes: number;
+  maxConsoleCalls: number;
+  secureProxy: SecureProxyLevelConfig;
+}
+
+/**
+ * Pre-defined security level configurations (mirrored from core)
+ */
+export const SECURITY_LEVEL_CONFIGS: Record<SecurityLevel, SecurityLevelConfig> = {
+  STRICT: {
+    timeout: 5000,
+    maxIterations: 1000,
+    maxToolCalls: 10,
+    maxSanitizeDepth: 5,
+    maxSanitizeProperties: 50,
+    sanitizeStackTraces: true,
+    blockTimingAPIs: true,
+    allowUnboundedLoops: false,
+    unicodeSecurityCheck: true,
+    allowFunctionsInGlobals: false,
+    maxConsoleOutputBytes: 64 * 1024,
+    maxConsoleCalls: 100,
+    secureProxy: {
+      blockConstructor: true,
+      blockPrototype: true,
+      blockLegacyAccessors: true,
+      proxyMaxDepth: 5,
+      throwOnBlocked: true,
+    },
+  },
+  SECURE: {
+    timeout: 15000,
+    maxIterations: 5000,
+    maxToolCalls: 50,
+    maxSanitizeDepth: 10,
+    maxSanitizeProperties: 100,
+    sanitizeStackTraces: true,
+    blockTimingAPIs: false,
+    allowUnboundedLoops: false,
+    unicodeSecurityCheck: true,
+    allowFunctionsInGlobals: false,
+    maxConsoleOutputBytes: 256 * 1024,
+    maxConsoleCalls: 500,
+    secureProxy: {
+      blockConstructor: true,
+      blockPrototype: true,
+      blockLegacyAccessors: true,
+      proxyMaxDepth: 10,
+      throwOnBlocked: true,
+    },
+  },
+  STANDARD: {
+    timeout: 30000,
+    maxIterations: 10000,
+    maxToolCalls: 100,
+    maxSanitizeDepth: 20,
+    maxSanitizeProperties: 500,
+    sanitizeStackTraces: false,
+    blockTimingAPIs: false,
+    allowUnboundedLoops: true,
+    unicodeSecurityCheck: false,
+    allowFunctionsInGlobals: false,
+    maxConsoleOutputBytes: 1024 * 1024,
+    maxConsoleCalls: 1000,
+    secureProxy: {
+      blockConstructor: true,
+      blockPrototype: true,
+      blockLegacyAccessors: true,
+      proxyMaxDepth: 15,
+      throwOnBlocked: true,
+    },
+  },
+  PERMISSIVE: {
+    timeout: 60000,
+    maxIterations: 100000,
+    maxToolCalls: 1000,
+    maxSanitizeDepth: 50,
+    maxSanitizeProperties: 1000,
+    sanitizeStackTraces: false,
+    blockTimingAPIs: false,
+    allowUnboundedLoops: true,
+    unicodeSecurityCheck: false,
+    allowFunctionsInGlobals: true,
+    maxConsoleOutputBytes: 10 * 1024 * 1024,
+    maxConsoleCalls: 10000,
+    secureProxy: {
+      blockConstructor: false,
+      blockPrototype: true,
+      blockLegacyAccessors: true,
+      proxyMaxDepth: 20,
+      throwOnBlocked: false,
+    },
+  },
+};
+
+/**
+ * Suspicious pattern detector
+ */
+export interface SuspiciousPattern {
+  id: string;
+  description: string;
+  detect: (operationName: string, args: unknown, history: OperationHistory[]) => boolean;
+}
+
+/**
+ * Serializable suspicious pattern for passing to iframe
+ */
+export interface SerializableSuspiciousPattern {
+  id: string;
+  description: string;
+  detectBody: string;
+}
+
+/**
+ * Operation history entry for pattern detection
+ */
+export interface OperationHistory {
+  operationName: string;
+  timestamp: number;
+  argKeys: string[];
+}
+
+/**
+ * Parent validation configuration
+ */
+export interface ParentValidationConfig {
+  validateOperationNames: boolean;
+  allowedOperationPattern?: RegExp;
+  blockedOperationPatterns?: RegExp[];
+  maxOperationsPerSecond: number;
+  blockSuspiciousSequences: boolean;
+  rapidEnumerationThreshold: number;
+  rapidEnumerationOverrides: Record<string, number>;
+  suspiciousPatterns: SuspiciousPattern[];
+}
+
+/**
+ * Double iframe configuration
+ */
+export interface DoubleIframeConfig {
+  enabled: boolean;
+  parentTimeoutBuffer: number;
+  parentValidation: ParentValidationConfig;
+}
+
+/**
+ * Options for creating a BrowserEnclave instance
+ */
+export interface BrowserEnclaveOptions {
+  /**
+   * Security level preset
+   * @default 'STANDARD'
+   */
+  securityLevel?: SecurityLevel;
+
+  /**
+   * AST validation preset
+   * @default 'agentscript'
+   */
+  preset?: AstPreset;
+
+  /**
+   * Maximum execution time in milliseconds
+   */
+  timeout?: number;
+
+  /**
+   * Maximum number of tool calls allowed
+   */
+  maxToolCalls?: number;
+
+  /**
+   * Maximum number of loop iterations (per loop)
+   */
+  maxIterations?: number;
+
+  /**
+   * Maximum memory limit in bytes (soft tracking only in browser)
+   */
+  memoryLimit?: number;
+
+  /**
+   * Custom globals to inject into the sandbox
+   */
+  globals?: Record<string, unknown>;
+
+  /**
+   * Tool call handler
+   */
+  toolHandler?: ToolHandler;
+
+  /**
+   * Whether to validate code before execution
+   * @default true
+   */
+  validate?: boolean;
+
+  /**
+   * Whether to transform code before execution
+   * @default true
+   */
+  transform?: boolean;
+
+  /**
+   * Whether to allow functions in custom globals
+   */
+  allowFunctionsInGlobals?: boolean;
+
+  /**
+   * Secure proxy configuration override
+   */
+  secureProxyConfig?: Partial<SecureProxyLevelConfig>;
+
+  /**
+   * Double iframe configuration
+   */
+  doubleIframe?: Partial<DoubleIframeConfig>;
+
+  /**
+   * Custom serializable suspicious patterns for the outer iframe validation layer.
+   * These are string-based (SerializableSuspiciousPattern[]) and are injected directly
+   * into the outer iframe script. For function-based patterns (SuspiciousPattern[]),
+   * use doubleIframe.parentValidation.suspiciousPatterns instead.
+   */
+  customSerializablePatterns?: SerializableSuspiciousPattern[];
+
+  /**
+   * Maximum console output bytes
+   */
+  maxConsoleOutputBytes?: number;
+
+  /**
+   * Maximum console calls
+   */
+  maxConsoleCalls?: number;
+}
+
+/**
+ * Serialized config sent to iframes (no functions)
+ */
+export interface SerializedIframeConfig {
+  timeout: number;
+  maxIterations: number;
+  maxToolCalls: number;
+  maxConsoleOutputBytes: number;
+  maxConsoleCalls: number;
+  sanitizeStackTraces: boolean;
+  maxSanitizeDepth: number;
+  maxSanitizeProperties: number;
+  securityLevel: SecurityLevel;
+  memoryLimit: number;
+  blockedProperties: string[];
+  throwOnBlocked: boolean;
+  allowComposites: boolean;
+  globals?: Record<string, unknown>;
+}
+
+/**
+ * Default double iframe configuration
+ */
+export const DEFAULT_DOUBLE_IFRAME_CONFIG: DoubleIframeConfig = {
+  enabled: true,
+  parentTimeoutBuffer: 1000,
+  parentValidation: {
+    validateOperationNames: true,
+    maxOperationsPerSecond: 100,
+    blockSuspiciousSequences: true,
+    rapidEnumerationThreshold: 30,
+    rapidEnumerationOverrides: {},
+    suspiciousPatterns: [],
+  },
+};
diff --git a/libs/browser/src/utils/utf8-byte-length.ts b/libs/browser/src/utils/utf8-byte-length.ts
new file mode 100644
index 0000000..9f22a67
--- /dev/null
+++ b/libs/browser/src/utils/utf8-byte-length.ts
@@ -0,0 +1,20 @@
+/**
+ * UTF-8 Byte Length Utility
+ *
+ * Browser replacement for Node.js Buffer.byteLength().
+ * Uses TextEncoder which is available in all modern browsers.
+ *
+ * @packageDocumentation
+ */
+
+const encoder = new TextEncoder();
+
+/**
+ * Calculate the UTF-8 byte length of a string
+ *
+ * @param value - The string to measure
+ * @returns The byte length in UTF-8 encoding
+ */
+export function utf8ByteLength(value: string): number {
+  return encoder.encode(value).byteLength;
+}
diff --git a/libs/browser/tsconfig.json b/libs/browser/tsconfig.json
new file mode 100644
index 0000000..e0465a9
--- /dev/null
+++ b/libs/browser/tsconfig.json
@@ -0,0 +1,28 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "module": "ESNext",
+    "target": "ES2022",
+    "moduleResolution": "Bundler",
+    "forceConsistentCasingInFileNames": true,
+    "strict": true,
+    "allowJs": true,
+    "strictNullChecks": true,
+    "importHelpers": true,
+    "noImplicitOverride": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "noPropertyAccessFromIndexSignature": true,
+    "lib": ["ES2022", "DOM"]
+  },
+  "files": [],
+  "include": [],
+  "references": [
+    {
+      "path": "./tsconfig.lib.json"
+    },
+    {
+      "path": "./tsconfig.spec.json"
+    }
+  ]
+}
diff --git a/libs/browser/tsconfig.lib.json b/libs/browser/tsconfig.lib.json
new file mode 100644
index 0000000..b9f3891
--- /dev/null
+++ b/libs/browser/tsconfig.lib.json
@@ -0,0 +1,10 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "declaration": true,
+    "paths": {}
+  },
+  "include": ["src/**/*.ts"],
+  "exclude": ["jest.config.ts", "src/**/*.spec.ts", "src/**/*.test.ts", "src/**/__tests__/**"]
+}
diff --git a/libs/core/src/double-vm/suspicious-patterns.ts b/libs/core/src/double-vm/suspicious-patterns.ts
index 81d22ac..6ff2546 100644
--- a/libs/core/src/double-vm/suspicious-patterns.ts
+++ b/libs/core/src/double-vm/suspicious-patterns.ts
@@ -272,6 +272,8 @@ const DANGEROUS_BODY_PATTERNS = [
   /\bglobal\b/g, // Global object
   /\bglobalThis\b/g, // GlobalThis object
   /\bprocess\b/g, // Node.js process
+  /<\/script/gi, // Script tag breakout
+  /<!--/g, // HTML comment injection
 ];
 
 /**
diff --git a/package.json b/package.json
index f4cc05b..6a4ecbd 100644
--- a/package.json
+++ b/package.json
@@ -29,13 +29,13 @@
     "@eslint/js": "^9.39.2",
     "@nx/esbuild": "22.4.4",
     "@nx/eslint": "22.4.4",
-    "esbuild": "^0.27.2",
     "@nx/eslint-plugin": "22.4.4",
     "@nx/jest": "22.4.4",
     "@nx/js": "22.4.4",
     "@nx/node": "22.4.4",
     "@nx/webpack": "22.4.4",
     "@nx/workspace": "22.4.4",
+    "@playwright/test": "^1.58.2",
     "@swc-node/register": "~1.11.1",
     "@swc/core": "~1.15.11",
     "@swc/helpers": "~0.5.18",
@@ -49,6 +49,7 @@
     "@types/react": "^19.2.10",
     "@types/react-dom": "^19.2.3",
     "@types/supertest": "^6.0.3",
+    "esbuild": "^0.27.2",
     "eslint": "^9.39.2",
     "eslint-config-prettier": "^10.1.8",
     "husky": "^9.1.7",
@@ -62,6 +63,7 @@
     "prettier": "^3.7.4",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
+    "serve": "^14.2.5",
     "supertest": "^7.2.2",
     "ts-jest": "^29.4.6",
     "ts-node": "10.9.2",
diff --git a/tsconfig.base.json b/tsconfig.base.json
index e4d78a9..6370a1c 100644
--- a/tsconfig.base.json
+++ b/tsconfig.base.json
@@ -28,7 +28,8 @@
       "@enclave-vm/broker": ["libs/broker/src/index.ts"],
       "@enclave-vm/client": ["libs/client/src/index.ts"],
       "@enclave-vm/react": ["libs/react/src/index.ts"],
-      "@enclave-vm/runtime": ["libs/runtime/src/index.ts"]
+      "@enclave-vm/runtime": ["libs/runtime/src/index.ts"],
+      "@enclave-vm/browser": ["libs/browser/src/index.ts"]
     }
   },
   "exclude": ["node_modules", "tmp"]
diff --git a/yarn.lock b/yarn.lock
index 4c34da0..ed894f6 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -27,6 +27,15 @@
     js-tokens "^4.0.0"
     picocolors "^1.1.1"
 
+"@babel/code-frame@^7.29.0":
+  version "7.29.0"
+  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.29.0.tgz#7cd7a59f15b3cc0dcd803038f7792712a7d0b15c"
+  integrity sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==
+  dependencies:
+    "@babel/helper-validator-identifier" "^7.28.5"
+    js-tokens "^4.0.0"
+    picocolors "^1.1.1"
+
 "@babel/compat-data@^7.28.6":
   version "7.28.6"
   resolved "https://registry.yarnpkg.com/@babel/compat-data/-/compat-data-7.28.6.tgz#103f466803fa0f059e82ccac271475470570d74c"
@@ -53,6 +62,27 @@
     json5 "^2.2.3"
     semver "^6.3.1"
 
+"@babel/core@^7.28.0":
+  version "7.29.0"
+  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.29.0.tgz#5286ad785df7f79d656e88ce86e650d16ca5f322"
+  integrity sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==
+  dependencies:
+    "@babel/code-frame" "^7.29.0"
+    "@babel/generator" "^7.29.0"
+    "@babel/helper-compilation-targets" "^7.28.6"
+    "@babel/helper-module-transforms" "^7.28.6"
+    "@babel/helpers" "^7.28.6"
+    "@babel/parser" "^7.29.0"
+    "@babel/template" "^7.28.6"
+    "@babel/traverse" "^7.29.0"
+    "@babel/types" "^7.29.0"
+    "@jridgewell/remapping" "^2.3.5"
+    convert-source-map "^2.0.0"
+    debug "^4.1.0"
+    gensync "^1.0.0-beta.2"
+    json5 "^2.2.3"
+    semver "^6.3.1"
+
 "@babel/generator@^7.27.5", "@babel/generator@^7.28.6":
   version "7.28.6"
   resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.28.6.tgz#48dcc65d98fcc8626a48f72b62e263d25fc3c3f1"
@@ -64,6 +94,17 @@
     "@jridgewell/trace-mapping" "^0.3.28"
     jsesc "^3.0.2"
 
+"@babel/generator@^7.29.0":
+  version "7.29.1"
+  resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.29.1.tgz#d09876290111abbb00ef962a7b83a5307fba0d50"
+  integrity sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==
+  dependencies:
+    "@babel/parser" "^7.29.0"
+    "@babel/types" "^7.29.0"
+    "@jridgewell/gen-mapping" "^0.3.12"
+    "@jridgewell/trace-mapping" "^0.3.28"
+    jsesc "^3.0.2"
+
 "@babel/helper-annotate-as-pure@^7.27.1", "@babel/helper-annotate-as-pure@^7.27.3":
   version "7.27.3"
   resolved "https://registry.yarnpkg.com/@babel/helper-annotate-as-pure/-/helper-annotate-as-pure-7.27.3.tgz#f31fd86b915fc4daf1f3ac6976c59be7084ed9c5"
@@ -222,6 +263,13 @@
   dependencies:
     "@babel/types" "^7.28.6"
 
+"@babel/parser@^7.29.0":
+  version "7.29.0"
+  resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.29.0.tgz#669ef345add7d057e92b7ed15f0bac07611831b6"
+  integrity sha512-IyDgFV5GeDUVX4YdF/3CPULtVGSXXMLh1xVIgdCgxApktqnQV0r7/8Nqthg+8YLGaAtdyIlo2qIdZrbCv4+7ww==
+  dependencies:
+    "@babel/types" "^7.29.0"
+
 "@babel/plugin-bugfix-firefox-class-in-computed-class-key@^7.28.5":
   version "7.28.5"
   resolved "https://registry.yarnpkg.com/@babel/plugin-bugfix-firefox-class-in-computed-class-key/-/plugin-bugfix-firefox-class-in-computed-class-key-7.28.5.tgz#fbde57974707bbfa0376d34d425ff4fa6c732421"
@@ -724,6 +772,20 @@
   dependencies:
     "@babel/helper-plugin-utils" "^7.27.1"
 
+"@babel/plugin-transform-react-jsx-self@^7.27.1":
+  version "7.27.1"
+  resolved "https://registry.yarnpkg.com/@babel/plugin-transform-react-jsx-self/-/plugin-transform-react-jsx-self-7.27.1.tgz#af678d8506acf52c577cac73ff7fe6615c85fc92"
+  integrity sha512-6UzkCs+ejGdZ5mFFC/OCUrv028ab2fp1znZmCZjAOBKiBK2jXD1O+BPSfX8X2qjJ75fZBMSnQn3Rq2mrBJK2mw==
+  dependencies:
+    "@babel/helper-plugin-utils" "^7.27.1"
+
+"@babel/plugin-transform-react-jsx-source@^7.27.1":
+  version "7.27.1"
+  resolved "https://registry.yarnpkg.com/@babel/plugin-transform-react-jsx-source/-/plugin-transform-react-jsx-source-7.27.1.tgz#dcfe2c24094bb757bf73960374e7c55e434f19f0"
+  integrity sha512-zbwoTsBruTeKB9hSq73ha66iFeJHuaFkUbwvqElnygoNbj/jHRsSeokowZFN3CZ64IvEqcmmkVe89OPXc7ldAw==
+  dependencies:
+    "@babel/helper-plugin-utils" "^7.27.1"
+
 "@babel/plugin-transform-regenerator@^7.28.6":
   version "7.28.6"
   resolved "https://registry.yarnpkg.com/@babel/plugin-transform-regenerator/-/plugin-transform-regenerator-7.28.6.tgz#6ca2ed5b76cff87980f96eaacfc2ce833e8e7a1b"
@@ -964,6 +1026,19 @@
     "@babel/types" "^7.28.6"
     debug "^4.3.1"
 
+"@babel/traverse@^7.29.0":
+  version "7.29.0"
+  resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.29.0.tgz#f323d05001440253eead3c9c858adbe00b90310a"
+  integrity sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==
+  dependencies:
+    "@babel/code-frame" "^7.29.0"
+    "@babel/generator" "^7.29.0"
+    "@babel/helper-globals" "^7.28.0"
+    "@babel/parser" "^7.29.0"
+    "@babel/template" "^7.28.6"
+    "@babel/types" "^7.29.0"
+    debug "^4.3.1"
+
 "@babel/types@^7.0.0", "@babel/types@^7.20.7", "@babel/types@^7.27.1", "@babel/types@^7.27.3", "@babel/types@^7.28.2", "@babel/types@^7.28.5", "@babel/types@^7.28.6", "@babel/types@^7.4.4":
   version "7.28.6"
   resolved "https://registry.yarnpkg.com/@babel/types/-/types-7.28.6.tgz#c3e9377f1b155005bcc4c46020e7e394e13089df"
@@ -972,6 +1047,14 @@
     "@babel/helper-string-parser" "^7.27.1"
     "@babel/helper-validator-identifier" "^7.28.5"
 
+"@babel/types@^7.29.0":
+  version "7.29.0"
+  resolved "https://registry.yarnpkg.com/@babel/types/-/types-7.29.0.tgz#9f5b1e838c446e72cf3cd4b918152b8c605e37c7"
+  integrity sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==
+  dependencies:
+    "@babel/helper-string-parser" "^7.27.1"
+    "@babel/helper-validator-identifier" "^7.28.5"
+
 "@bcoe/v8-coverage@^0.2.3":
   version "0.2.3"
   resolved "https://registry.yarnpkg.com/@bcoe/v8-coverage/-/v8-coverage-0.2.3.tgz#75a2e8b51cb758a7553d6804a5932d7aace75c39"
@@ -1039,131 +1122,261 @@
   dependencies:
     tslib "^2.4.0"
 
+"@esbuild/aix-ppc64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/aix-ppc64/-/aix-ppc64-0.25.12.tgz#80fcbe36130e58b7670511e888b8e88a259ed76c"
+  integrity sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA==
+
 "@esbuild/aix-ppc64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/aix-ppc64/-/aix-ppc64-0.27.2.tgz#521cbd968dcf362094034947f76fa1b18d2d403c"
   integrity sha512-GZMB+a0mOMZs4MpDbj8RJp4cw+w1WV5NYD6xzgvzUJ5Ek2jerwfO2eADyI6ExDSUED+1X8aMbegahsJi+8mgpw==
 
+"@esbuild/android-arm64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/android-arm64/-/android-arm64-0.25.12.tgz#8aa4965f8d0a7982dc21734bf6601323a66da752"
+  integrity sha512-6AAmLG7zwD1Z159jCKPvAxZd4y/VTO0VkprYy+3N2FtJ8+BQWFXU+OxARIwA46c5tdD9SsKGZ/1ocqBS/gAKHg==
+
 "@esbuild/android-arm64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/android-arm64/-/android-arm64-0.27.2.tgz#61ea550962d8aa12a9b33194394e007657a6df57"
   integrity sha512-pvz8ZZ7ot/RBphf8fv60ljmaoydPU12VuXHImtAs0XhLLw+EXBi2BLe3OYSBslR4rryHvweW5gmkKFwTiFy6KA==
 
+"@esbuild/android-arm@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/android-arm/-/android-arm-0.25.12.tgz#300712101f7f50f1d2627a162e6e09b109b6767a"
+  integrity sha512-VJ+sKvNA/GE7Ccacc9Cha7bpS8nyzVv0jdVgwNDaR4gDMC/2TTRc33Ip8qrNYUcpkOHUT5OZ0bUcNNVZQ9RLlg==
+
 "@esbuild/android-arm@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/android-arm/-/android-arm-0.27.2.tgz#554887821e009dd6d853f972fde6c5143f1de142"
   integrity sha512-DVNI8jlPa7Ujbr1yjU2PfUSRtAUZPG9I1RwW4F4xFB1Imiu2on0ADiI/c3td+KmDtVKNbi+nffGDQMfcIMkwIA==
 
+"@esbuild/android-x64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/android-x64/-/android-x64-0.25.12.tgz#87dfb27161202bdc958ef48bb61b09c758faee16"
+  integrity sha512-5jbb+2hhDHx5phYR2By8GTWEzn6I9UqR11Kwf22iKbNpYrsmRB18aX/9ivc5cabcUiAT/wM+YIZ6SG9QO6a8kg==
+
 "@esbuild/android-x64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/android-x64/-/android-x64-0.27.2.tgz#a7ce9d0721825fc578f9292a76d9e53334480ba2"
   integrity sha512-z8Ank4Byh4TJJOh4wpz8g2vDy75zFL0TlZlkUkEwYXuPSgX8yzep596n6mT7905kA9uHZsf/o2OJZubl2l3M7A==
 
+"@esbuild/darwin-arm64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/darwin-arm64/-/darwin-arm64-0.25.12.tgz#79197898ec1ff745d21c071e1c7cc3c802f0c1fd"
+  integrity sha512-N3zl+lxHCifgIlcMUP5016ESkeQjLj/959RxxNYIthIg+CQHInujFuXeWbWMgnTo4cp5XVHqFPmpyu9J65C1Yg==
+
 "@esbuild/darwin-arm64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/darwin-arm64/-/darwin-arm64-0.27.2.tgz#2cb7659bd5d109803c593cfc414450d5430c8256"
   integrity sha512-davCD2Zc80nzDVRwXTcQP/28fiJbcOwvdolL0sOiOsbwBa72kegmVU0Wrh1MYrbuCL98Omp5dVhQFWRKR2ZAlg==
 
+"@esbuild/darwin-x64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/darwin-x64/-/darwin-x64-0.25.12.tgz#146400a8562133f45c4d2eadcf37ddd09718079e"
+  integrity sha512-HQ9ka4Kx21qHXwtlTUVbKJOAnmG1ipXhdWTmNXiPzPfWKpXqASVcWdnf2bnL73wgjNrFXAa3yYvBSd9pzfEIpA==
+
 "@esbuild/darwin-x64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/darwin-x64/-/darwin-x64-0.27.2.tgz#e741fa6b1abb0cd0364126ba34ca17fd5e7bf509"
   integrity sha512-ZxtijOmlQCBWGwbVmwOF/UCzuGIbUkqB1faQRf5akQmxRJ1ujusWsb3CVfk/9iZKr2L5SMU5wPBi1UWbvL+VQA==
 
+"@esbuild/freebsd-arm64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/freebsd-arm64/-/freebsd-arm64-0.25.12.tgz#1c5f9ba7206e158fd2b24c59fa2d2c8bb47ca0fe"
+  integrity sha512-gA0Bx759+7Jve03K1S0vkOu5Lg/85dou3EseOGUes8flVOGxbhDDh/iZaoek11Y8mtyKPGF3vP8XhnkDEAmzeg==
+
 "@esbuild/freebsd-arm64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.2.tgz#2b64e7116865ca172d4ce034114c21f3c93e397c"
   integrity sha512-lS/9CN+rgqQ9czogxlMcBMGd+l8Q3Nj1MFQwBZJyoEKI50XGxwuzznYdwcav6lpOGv5BqaZXqvBSiB/kJ5op+g==
 
+"@esbuild/freebsd-x64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/freebsd-x64/-/freebsd-x64-0.25.12.tgz#ea631f4a36beaac4b9279fa0fcc6ca29eaeeb2b3"
+  integrity sha512-TGbO26Yw2xsHzxtbVFGEXBFH0FRAP7gtcPE7P5yP7wGy7cXK2oO7RyOhL5NLiqTlBh47XhmIUXuGciXEqYFfBQ==
+
 "@esbuild/freebsd-x64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/freebsd-x64/-/freebsd-x64-0.27.2.tgz#e5252551e66f499e4934efb611812f3820e990bb"
   integrity sha512-tAfqtNYb4YgPnJlEFu4c212HYjQWSO/w/h/lQaBK7RbwGIkBOuNKQI9tqWzx7Wtp7bTPaGC6MJvWI608P3wXYA==
 
+"@esbuild/linux-arm64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-arm64/-/linux-arm64-0.25.12.tgz#e1066bce58394f1b1141deec8557a5f0a22f5977"
+  integrity sha512-8bwX7a8FghIgrupcxb4aUmYDLp8pX06rGh5HqDT7bB+8Rdells6mHvrFHHW2JAOPZUbnjUpKTLg6ECyzvas2AQ==
+
 "@esbuild/linux-arm64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/linux-arm64/-/linux-arm64-0.27.2.tgz#dc4acf235531cd6984f5d6c3b13dbfb7ddb303cb"
   integrity sha512-hYxN8pr66NsCCiRFkHUAsxylNOcAQaxSSkHMMjcpx0si13t1LHFphxJZUiGwojB1a/Hd5OiPIqDdXONia6bhTw==
 
+"@esbuild/linux-arm@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-arm/-/linux-arm-0.25.12.tgz#452cd66b20932d08bdc53a8b61c0e30baf4348b9"
+  integrity sha512-lPDGyC1JPDou8kGcywY0YILzWlhhnRjdof3UlcoqYmS9El818LLfJJc3PXXgZHrHCAKs/Z2SeZtDJr5MrkxtOw==
+
 "@esbuild/linux-arm@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/linux-arm/-/linux-arm-0.27.2.tgz#56a900e39240d7d5d1d273bc053daa295c92e322"
   integrity sha512-vWfq4GaIMP9AIe4yj1ZUW18RDhx6EPQKjwe7n8BbIecFtCQG4CfHGaHuh7fdfq+y3LIA2vGS/o9ZBGVxIDi9hw==
 
+"@esbuild/linux-ia32@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-ia32/-/linux-ia32-0.25.12.tgz#b24f8acc45bcf54192c7f2f3be1b53e6551eafe0"
+  integrity sha512-0y9KrdVnbMM2/vG8KfU0byhUN+EFCny9+8g202gYqSSVMonbsCfLjUO+rCci7pM0WBEtz+oK/PIwHkzxkyharA==
+
 "@esbuild/linux-ia32@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/linux-ia32/-/linux-ia32-0.27.2.tgz#d4a36d473360f6870efcd19d52bbfff59a2ed1cc"
   integrity sha512-MJt5BRRSScPDwG2hLelYhAAKh9imjHK5+NE/tvnRLbIqUWa+0E9N4WNMjmp/kXXPHZGqPLxggwVhz7QP8CTR8w==
 
+"@esbuild/linux-loong64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-loong64/-/linux-loong64-0.25.12.tgz#f9cfffa7fc8322571fbc4c8b3268caf15bd81ad0"
+  integrity sha512-h///Lr5a9rib/v1GGqXVGzjL4TMvVTv+s1DPoxQdz7l/AYv6LDSxdIwzxkrPW438oUXiDtwM10o9PmwS/6Z0Ng==
+
 "@esbuild/linux-loong64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/linux-loong64/-/linux-loong64-0.27.2.tgz#fcf0ab8c3eaaf45891d0195d4961cb18b579716a"
   integrity sha512-lugyF1atnAT463aO6KPshVCJK5NgRnU4yb3FUumyVz+cGvZbontBgzeGFO1nF+dPueHD367a2ZXe1NtUkAjOtg==
 
+"@esbuild/linux-mips64el@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-mips64el/-/linux-mips64el-0.25.12.tgz#575a14bd74644ffab891adc7d7e60d275296f2cd"
+  integrity sha512-iyRrM1Pzy9GFMDLsXn1iHUm18nhKnNMWscjmp4+hpafcZjrr2WbT//d20xaGljXDBYHqRcl8HnxbX6uaA/eGVw==
+
 "@esbuild/linux-mips64el@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/linux-mips64el/-/linux-mips64el-0.27.2.tgz#598b67d34048bb7ee1901cb12e2a0a434c381c10"
   integrity sha512-nlP2I6ArEBewvJ2gjrrkESEZkB5mIoaTswuqNFRv/WYd+ATtUpe9Y09RnJvgvdag7he0OWgEZWhviS1OTOKixw==
 
+"@esbuild/linux-ppc64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-ppc64/-/linux-ppc64-0.25.12.tgz#75b99c70a95fbd5f7739d7692befe60601591869"
+  integrity sha512-9meM/lRXxMi5PSUqEXRCtVjEZBGwB7P/D4yT8UG/mwIdze2aV4Vo6U5gD3+RsoHXKkHCfSxZKzmDssVlRj1QQA==
+
 "@esbuild/linux-ppc64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/linux-ppc64/-/linux-ppc64-0.27.2.tgz#3846c5df6b2016dab9bc95dde26c40f11e43b4c0"
   integrity sha512-C92gnpey7tUQONqg1n6dKVbx3vphKtTHJaNG2Ok9lGwbZil6DrfyecMsp9CrmXGQJmZ7iiVXvvZH6Ml5hL6XdQ==
 
+"@esbuild/linux-riscv64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-riscv64/-/linux-riscv64-0.25.12.tgz#2e3259440321a44e79ddf7535c325057da875cd6"
+  integrity sha512-Zr7KR4hgKUpWAwb1f3o5ygT04MzqVrGEGXGLnj15YQDJErYu/BGg+wmFlIDOdJp0PmB0lLvxFIOXZgFRrdjR0w==
+
 "@esbuild/linux-riscv64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/linux-riscv64/-/linux-riscv64-0.27.2.tgz#173d4475b37c8d2c3e1707e068c174bb3f53d07d"
   integrity sha512-B5BOmojNtUyN8AXlK0QJyvjEZkWwy/FKvakkTDCziX95AowLZKR6aCDhG7LeF7uMCXEJqwa8Bejz5LTPYm8AvA==
 
+"@esbuild/linux-s390x@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-s390x/-/linux-s390x-0.25.12.tgz#17676cabbfe5928da5b2a0d6df5d58cd08db2663"
+  integrity sha512-MsKncOcgTNvdtiISc/jZs/Zf8d0cl/t3gYWX8J9ubBnVOwlk65UIEEvgBORTiljloIWnBzLs4qhzPkJcitIzIg==
+
 "@esbuild/linux-s390x@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/linux-s390x/-/linux-s390x-0.27.2.tgz#f7a4790105edcab8a5a31df26fbfac1aa3dacfab"
   integrity sha512-p4bm9+wsPwup5Z8f4EpfN63qNagQ47Ua2znaqGH6bqLlmJ4bx97Y9JdqxgGZ6Y8xVTixUnEkoKSHcpRlDnNr5w==
 
+"@esbuild/linux-x64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/linux-x64/-/linux-x64-0.25.12.tgz#0583775685ca82066d04c3507f09524d3cd7a306"
+  integrity sha512-uqZMTLr/zR/ed4jIGnwSLkaHmPjOjJvnm6TVVitAa08SLS9Z0VM8wIRx7gWbJB5/J54YuIMInDquWyYvQLZkgw==
+
 "@esbuild/linux-x64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/linux-x64/-/linux-x64-0.27.2.tgz#2ecc1284b1904aeb41e54c9ddc7fcd349b18f650"
   integrity sha512-uwp2Tip5aPmH+NRUwTcfLb+W32WXjpFejTIOWZFw/v7/KnpCDKG66u4DLcurQpiYTiYwQ9B7KOeMJvLCu/OvbA==
 
+"@esbuild/netbsd-arm64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/netbsd-arm64/-/netbsd-arm64-0.25.12.tgz#f04c4049cb2e252fe96b16fed90f70746b13f4a4"
+  integrity sha512-xXwcTq4GhRM7J9A8Gv5boanHhRa/Q9KLVmcyXHCTaM4wKfIpWkdXiMog/KsnxzJ0A1+nD+zoecuzqPmCRyBGjg==
+
 "@esbuild/netbsd-arm64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.2.tgz#e2863c2cd1501845995cb11adf26f7fe4be527b0"
   integrity sha512-Kj6DiBlwXrPsCRDeRvGAUb/LNrBASrfqAIok+xB0LxK8CHqxZ037viF13ugfsIpePH93mX7xfJp97cyDuTZ3cw==
 
+"@esbuild/netbsd-x64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/netbsd-x64/-/netbsd-x64-0.25.12.tgz#77da0d0a0d826d7c921eea3d40292548b258a076"
+  integrity sha512-Ld5pTlzPy3YwGec4OuHh1aCVCRvOXdH8DgRjfDy/oumVovmuSzWfnSJg+VtakB9Cm0gxNO9BzWkj6mtO1FMXkQ==
+
 "@esbuild/netbsd-x64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/netbsd-x64/-/netbsd-x64-0.27.2.tgz#93f7609e2885d1c0b5a1417885fba8d1fcc41272"
   integrity sha512-HwGDZ0VLVBY3Y+Nw0JexZy9o/nUAWq9MlV7cahpaXKW6TOzfVno3y3/M8Ga8u8Yr7GldLOov27xiCnqRZf0tCA==
 
+"@esbuild/openbsd-arm64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/openbsd-arm64/-/openbsd-arm64-0.25.12.tgz#6296f5867aedef28a81b22ab2009c786a952dccd"
+  integrity sha512-fF96T6KsBo/pkQI950FARU9apGNTSlZGsv1jZBAlcLL1MLjLNIWPBkj5NlSz8aAzYKg+eNqknrUJ24QBybeR5A==
+
 "@esbuild/openbsd-arm64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.2.tgz#a1985604a203cdc325fd47542e106fafd698f02e"
   integrity sha512-DNIHH2BPQ5551A7oSHD0CKbwIA/Ox7+78/AWkbS5QoRzaqlev2uFayfSxq68EkonB+IKjiuxBFoV8ESJy8bOHA==
 
+"@esbuild/openbsd-x64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/openbsd-x64/-/openbsd-x64-0.25.12.tgz#f8d23303360e27b16cf065b23bbff43c14142679"
+  integrity sha512-MZyXUkZHjQxUvzK7rN8DJ3SRmrVrke8ZyRusHlP+kuwqTcfWLyqMOE3sScPPyeIXN/mDJIfGXvcMqCgYKekoQw==
+
 "@esbuild/openbsd-x64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/openbsd-x64/-/openbsd-x64-0.27.2.tgz#8209e46c42f1ffbe6e4ef77a32e1f47d404ad42a"
   integrity sha512-/it7w9Nb7+0KFIzjalNJVR5bOzA9Vay+yIPLVHfIQYG/j+j9VTH84aNB8ExGKPU4AzfaEvN9/V4HV+F+vo8OEg==
 
+"@esbuild/openharmony-arm64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/openharmony-arm64/-/openharmony-arm64-0.25.12.tgz#49e0b768744a3924be0d7fd97dd6ce9b2923d88d"
+  integrity sha512-rm0YWsqUSRrjncSXGA7Zv78Nbnw4XL6/dzr20cyrQf7ZmRcsovpcRBdhD43Nuk3y7XIoW2OxMVvwuRvk9XdASg==
+
 "@esbuild/openharmony-arm64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.2.tgz#8fade4441893d9cc44cbd7dcf3776f508ab6fb2f"
   integrity sha512-LRBbCmiU51IXfeXk59csuX/aSaToeG7w48nMwA6049Y4J4+VbWALAuXcs+qcD04rHDuSCSRKdmY63sruDS5qag==
 
+"@esbuild/sunos-x64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/sunos-x64/-/sunos-x64-0.25.12.tgz#a6ed7d6778d67e528c81fb165b23f4911b9b13d6"
+  integrity sha512-3wGSCDyuTHQUzt0nV7bocDy72r2lI33QL3gkDNGkod22EsYl04sMf0qLb8luNKTOmgF/eDEDP5BFNwoBKH441w==
+
 "@esbuild/sunos-x64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/sunos-x64/-/sunos-x64-0.27.2.tgz#980d4b9703a16f0f07016632424fc6d9a789dfc2"
   integrity sha512-kMtx1yqJHTmqaqHPAzKCAkDaKsffmXkPHThSfRwZGyuqyIeBvf08KSsYXl+abf5HDAPMJIPnbBfXvP2ZC2TfHg==
 
+"@esbuild/win32-arm64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/win32-arm64/-/win32-arm64-0.25.12.tgz#9ac14c378e1b653af17d08e7d3ce34caef587323"
+  integrity sha512-rMmLrur64A7+DKlnSuwqUdRKyd3UE7oPJZmnljqEptesKM8wx9J8gx5u0+9Pq0fQQW8vqeKebwNXdfOyP+8Bsg==
+
 "@esbuild/win32-arm64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/win32-arm64/-/win32-arm64-0.27.2.tgz#1c09a3633c949ead3d808ba37276883e71f6111a"
   integrity sha512-Yaf78O/B3Kkh+nKABUF++bvJv5Ijoy9AN1ww904rOXZFLWVc5OLOfL56W+C8F9xn5JQZa3UX6m+IktJnIb1Jjg==
 
+"@esbuild/win32-ia32@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/win32-ia32/-/win32-ia32-0.25.12.tgz#918942dcbbb35cc14fca39afb91b5e6a3d127267"
+  integrity sha512-HkqnmmBoCbCwxUKKNPBixiWDGCpQGVsrQfJoVGYLPT41XWF8lHuE5N6WhVia2n4o5QK5M4tYr21827fNhi4byQ==
+
 "@esbuild/win32-ia32@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/win32-ia32/-/win32-ia32-0.27.2.tgz#1b1e3a63ad4bef82200fef4e369e0fff7009eee5"
   integrity sha512-Iuws0kxo4yusk7sw70Xa2E2imZU5HoixzxfGCdxwBdhiDgt9vX9VUCBhqcwY7/uh//78A1hMkkROMJq9l27oLQ==
 
+"@esbuild/win32-x64@0.25.12":
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/@esbuild/win32-x64/-/win32-x64-0.25.12.tgz#9bdad8176be7811ad148d1f8772359041f46c6c5"
+  integrity sha512-alJC0uCZpTFrSL0CCDjcgleBXPnCrEAhTBILpeAp7M/OFgoqtAetfBzX0xM00MUsVVPpVjlPuMbREqnZCXaTnA==
+
 "@esbuild/win32-x64@0.27.2":
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/@esbuild/win32-x64/-/win32-x64-0.27.2.tgz#9e585ab6086bef994c6e8a5b3a0481219ada862b"
@@ -2407,6 +2620,143 @@
   resolved "https://registry.yarnpkg.com/@pkgr/core/-/core-0.2.9.tgz#d229a7b7f9dac167a156992ef23c7f023653f53b"
   integrity sha512-QNqXyfVS2wm9hweSYD2O7F0G06uurj9kZ96TRQE5Y9hU7+tgdZwIkbAKc5Ocy1HxEY2kuDQa6cQ1WRs/O5LFKA==
 
+"@playwright/test@^1.58.2":
+  version "1.58.2"
+  resolved "https://registry.yarnpkg.com/@playwright/test/-/test-1.58.2.tgz#b0ad585d2e950d690ef52424967a42f40c6d2cbd"
+  integrity sha512-akea+6bHYBBfA9uQqSYmlJXn61cTa+jbO87xVLCWbTqbWadRVmhxlXATaOjOgcBaWU4ePo0wB41KMFv3o35IXA==
+  dependencies:
+    playwright "1.58.2"
+
+"@rolldown/pluginutils@1.0.0-beta.27":
+  version "1.0.0-beta.27"
+  resolved "https://registry.yarnpkg.com/@rolldown/pluginutils/-/pluginutils-1.0.0-beta.27.tgz#47d2bf4cef6d470b22f5831b420f8964e0bf755f"
+  integrity sha512-+d0F4MKMCbeVUJwG96uQ4SgAznZNSq93I3V+9NHA4OpvqG8mRCpGdKmK8l/dl02h2CCDHwW2FqilnTyDcAnqjA==
+
+"@rollup/rollup-android-arm-eabi@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.59.0.tgz#a6742c74c7d9d6d604ef8a48f99326b4ecda3d82"
+  integrity sha512-upnNBkA6ZH2VKGcBj9Fyl9IGNPULcjXRlg0LLeaioQWueH30p6IXtJEbKAgvyv+mJaMxSm1l6xwDXYjpEMiLMg==
+
+"@rollup/rollup-android-arm64@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.59.0.tgz#97247be098de4df0c11971089fd2edf80a5da8cf"
+  integrity sha512-hZ+Zxj3SySm4A/DylsDKZAeVg0mvi++0PYVceVyX7hemkw7OreKdCvW2oQ3T1FMZvCaQXqOTHb8qmBShoqk69Q==
+
+"@rollup/rollup-darwin-arm64@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.59.0.tgz#674852cf14cf11b8056e0b1a2f4e872b523576cf"
+  integrity sha512-W2Psnbh1J8ZJw0xKAd8zdNgF9HRLkdWwwdWqubSVk0pUuQkoHnv7rx4GiF9rT4t5DIZGAsConRE3AxCdJ4m8rg==
+
+"@rollup/rollup-darwin-x64@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.59.0.tgz#36dfd7ed0aaf4d9d89d9ef983af72632455b0246"
+  integrity sha512-ZW2KkwlS4lwTv7ZVsYDiARfFCnSGhzYPdiOU4IM2fDbL+QGlyAbjgSFuqNRbSthybLbIJ915UtZBtmuLrQAT/w==
+
+"@rollup/rollup-freebsd-arm64@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.59.0.tgz#2f87c2074b4220260fdb52a9996246edfc633c22"
+  integrity sha512-EsKaJ5ytAu9jI3lonzn3BgG8iRBjV4LxZexygcQbpiU0wU0ATxhNVEpXKfUa0pS05gTcSDMKpn3Sx+QB9RlTTA==
+
+"@rollup/rollup-freebsd-x64@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.59.0.tgz#9b5a26522a38a95dc06616d1939d4d9a76937803"
+  integrity sha512-d3DuZi2KzTMjImrxoHIAODUZYoUUMsuUiY4SRRcJy6NJoZ6iIqWnJu9IScV9jXysyGMVuW+KNzZvBLOcpdl3Vg==
+
+"@rollup/rollup-linux-arm-gnueabihf@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.59.0.tgz#86aa4859385a8734235b5e40a48e52d770758c3a"
+  integrity sha512-t4ONHboXi/3E0rT6OZl1pKbl2Vgxf9vJfWgmUoCEVQVxhW6Cw/c8I6hbbu7DAvgp82RKiH7TpLwxnJeKv2pbsw==
+
+"@rollup/rollup-linux-arm-musleabihf@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.59.0.tgz#cbe70e56e6ece8dac83eb773b624fc9e5a460976"
+  integrity sha512-CikFT7aYPA2ufMD086cVORBYGHffBo4K8MQ4uPS/ZnY54GKj36i196u8U+aDVT2LX4eSMbyHtyOh7D7Zvk2VvA==
+
+"@rollup/rollup-linux-arm64-gnu@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.59.0.tgz#d14992a2e653bc3263d284bc6579b7a2890e1c45"
+  integrity sha512-jYgUGk5aLd1nUb1CtQ8E+t5JhLc9x5WdBKew9ZgAXg7DBk0ZHErLHdXM24rfX+bKrFe+Xp5YuJo54I5HFjGDAA==
+
+"@rollup/rollup-linux-arm64-musl@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.59.0.tgz#2fdd1ddc434ea90aeaa0851d2044789b4d07f6da"
+  integrity sha512-peZRVEdnFWZ5Bh2KeumKG9ty7aCXzzEsHShOZEFiCQlDEepP1dpUl/SrUNXNg13UmZl+gzVDPsiCwnV1uI0RUA==
+
+"@rollup/rollup-linux-loong64-gnu@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.59.0.tgz#8a181e6f89f969f21666a743cd411416c80099e7"
+  integrity sha512-gbUSW/97f7+r4gHy3Jlup8zDG190AuodsWnNiXErp9mT90iCy9NKKU0Xwx5k8VlRAIV2uU9CsMnEFg/xXaOfXg==
+
+"@rollup/rollup-linux-loong64-musl@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.59.0.tgz#904125af2babc395f8061daa27b5af1f4e3f2f78"
+  integrity sha512-yTRONe79E+o0FWFijasoTjtzG9EBedFXJMl888NBEDCDV9I2wGbFFfJQQe63OijbFCUZqxpHz1GzpbtSFikJ4Q==
+
+"@rollup/rollup-linux-ppc64-gnu@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.59.0.tgz#a57970ac6864c9a3447411a658224bdcf948be22"
+  integrity sha512-sw1o3tfyk12k3OEpRddF68a1unZ5VCN7zoTNtSn2KndUE+ea3m3ROOKRCZxEpmT9nsGnogpFP9x6mnLTCaoLkA==
+
+"@rollup/rollup-linux-ppc64-musl@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.59.0.tgz#bb84de5b26870567a4267666e08891e80bb56a63"
+  integrity sha512-+2kLtQ4xT3AiIxkzFVFXfsmlZiG5FXYW7ZyIIvGA7Bdeuh9Z0aN4hVyXS/G1E9bTP/vqszNIN/pUKCk/BTHsKA==
+
+"@rollup/rollup-linux-riscv64-gnu@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.59.0.tgz#72d00d2c7fb375ce3564e759db33f17a35bffab9"
+  integrity sha512-NDYMpsXYJJaj+I7UdwIuHHNxXZ/b/N2hR15NyH3m2qAtb/hHPA4g4SuuvrdxetTdndfj9b1WOmy73kcPRoERUg==
+
+"@rollup/rollup-linux-riscv64-musl@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.59.0.tgz#4c166ef58e718f9245bd31873384ba15a5c1a883"
+  integrity sha512-nLckB8WOqHIf1bhymk+oHxvM9D3tyPndZH8i8+35p/1YiVoVswPid2yLzgX7ZJP0KQvnkhM4H6QZ5m0LzbyIAg==
+
+"@rollup/rollup-linux-s390x-gnu@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.59.0.tgz#bb5025cde9a61db478c2ca7215808ad3bce73a09"
+  integrity sha512-oF87Ie3uAIvORFBpwnCvUzdeYUqi2wY6jRFWJAy1qus/udHFYIkplYRW+wo+GRUP4sKzYdmE1Y3+rY5Gc4ZO+w==
+
+"@rollup/rollup-linux-x64-gnu@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.59.0.tgz#9b66b1f9cd95c6624c788f021c756269ffed1552"
+  integrity sha512-3AHmtQq/ppNuUspKAlvA8HtLybkDflkMuLK4DPo77DfthRb71V84/c4MlWJXixZz4uruIH4uaa07IqoAkG64fg==
+
+"@rollup/rollup-linux-x64-musl@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.59.0.tgz#b007ca255dc7166017d57d7d2451963f0bd23fd9"
+  integrity sha512-2UdiwS/9cTAx7qIUZB/fWtToJwvt0Vbo0zmnYt7ED35KPg13Q0ym1g442THLC7VyI6JfYTP4PiSOWyoMdV2/xg==
+
+"@rollup/rollup-openbsd-x64@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.59.0.tgz#e8b357b2d1aa2c8d76a98f5f0d889eabe93f4ef9"
+  integrity sha512-M3bLRAVk6GOwFlPTIxVBSYKUaqfLrn8l0psKinkCFxl4lQvOSz8ZrKDz2gxcBwHFpci0B6rttydI4IpS4IS/jQ==
+
+"@rollup/rollup-openharmony-arm64@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.59.0.tgz#96c2e3f4aacd3d921981329831ff8dde492204dc"
+  integrity sha512-tt9KBJqaqp5i5HUZzoafHZX8b5Q2Fe7UjYERADll83O4fGqJ49O1FsL6LpdzVFQcpwvnyd0i+K/VSwu/o/nWlA==
+
+"@rollup/rollup-win32-arm64-msvc@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.59.0.tgz#2d865149d706d938df8b4b8f117e69a77646d581"
+  integrity sha512-V5B6mG7OrGTwnxaNUzZTDTjDS7F75PO1ae6MJYdiMu60sq0CqN5CVeVsbhPxalupvTX8gXVSU9gq+Rx1/hvu6A==
+
+"@rollup/rollup-win32-ia32-msvc@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.59.0.tgz#abe1593be0fa92325e9971c8da429c5e05b92c36"
+  integrity sha512-UKFMHPuM9R0iBegwzKF4y0C4J9u8C6MEJgFuXTBerMk7EJ92GFVFYBfOZaSGLu6COf7FxpQNqhNS4c4icUPqxA==
+
+"@rollup/rollup-win32-x64-gnu@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.59.0.tgz#c4af3e9518c9a5cd4b1c163dc81d0ad4d82e7eab"
+  integrity sha512-laBkYlSS1n2L8fSo1thDNGrCTQMmxjYY5G0WFWjFFYZkKPjsMBsgJfGf4TLxXrF6RyhI60L8TMOjBMvXiTcxeA==
+
+"@rollup/rollup-win32-x64-msvc@4.59.0":
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.59.0.tgz#4584a8a87b29188a4c1fe987a9fcf701e256d86c"
+  integrity sha512-2HRCml6OztYXyJXAvdDXPKcawukWY2GpR5/nxKp4iBgiO3wcoEGkAaqctIbZcNB6KlUQBIqt8VYkNSj2397EfA==
+
 "@sinclair/typebox@^0.27.8":
   version "0.27.8"
   resolved "https://registry.yarnpkg.com/@sinclair/typebox/-/typebox-0.27.8.tgz#6667fac16c436b5434a387a34dedb013198f6e6e"
@@ -2884,11 +3234,18 @@
   resolved "https://registry.yarnpkg.com/@types/range-parser/-/range-parser-1.2.7.tgz#50ae4353eaaddc04044279812f52c8c65857dbcb"
   integrity sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ==
 
-"@types/react-dom@^19.2.3":
+"@types/react-dom@^19.0.0", "@types/react-dom@^19.2.3":
   version "19.2.3"
   resolved "https://registry.yarnpkg.com/@types/react-dom/-/react-dom-19.2.3.tgz#c1e305d15a52a3e508d54dca770d202cb63abf2c"
   integrity sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==
 
+"@types/react@^19.0.0":
+  version "19.2.14"
+  resolved "https://registry.yarnpkg.com/@types/react/-/react-19.2.14.tgz#39604929b5e3957e3a6fa0001dafb17c7af70bad"
+  integrity sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==
+  dependencies:
+    csstype "^3.2.2"
+
 "@types/react@^19.2.10":
   version "19.2.10"
   resolved "https://registry.yarnpkg.com/@types/react/-/react-19.2.10.tgz#f3ea799e6b4cebad6dfd231c238fc9de7652e2d2"
@@ -3197,6 +3554,18 @@
   resolved "https://registry.yarnpkg.com/@unrs/resolver-binding-win32-x64-msvc/-/resolver-binding-win32-x64-msvc-1.11.1.tgz#538b1e103bf8d9864e7b85cc96fa8d6fb6c40777"
   integrity sha512-lrW200hZdbfRtztbygyaq/6jP6AKE8qQN2KvPcJ+x7wiD038YtnYtZ82IMNJ69GJibV7bwL3y9FgK+5w/pYt6g==
 
+"@vitejs/plugin-react@^4.5.2":
+  version "4.7.0"
+  resolved "https://registry.yarnpkg.com/@vitejs/plugin-react/-/plugin-react-4.7.0.tgz#647af4e7bb75ad3add578e762ad984b90f4a24b9"
+  integrity sha512-gUu9hwfWvvEDBBmgtAowQCojwZmJ5mcLn3aufeCsitijs3+f2NsrPtlAWIR6OPiqljl96GVCUbLe0HyqIpVaoA==
+  dependencies:
+    "@babel/core" "^7.28.0"
+    "@babel/plugin-transform-react-jsx-self" "^7.27.1"
+    "@babel/plugin-transform-react-jsx-source" "^7.27.1"
+    "@rolldown/pluginutils" "1.0.0-beta.27"
+    "@types/babel__core" "^7.20.5"
+    react-refresh "^0.17.0"
+
 "@webassemblyjs/ast@1.14.1", "@webassemblyjs/ast@^1.14.1":
   version "1.14.1"
   resolved "https://registry.yarnpkg.com/@webassemblyjs/ast/-/ast-1.14.1.tgz#a9f6a07f2b03c95c8d38c4536a1fdfb521ff55b6"
@@ -3341,6 +3710,11 @@
     js-yaml "^3.10.0"
     tslib "^2.4.0"
 
+"@zeit/schemas@2.36.0":
+  version "2.36.0"
+  resolved "https://registry.yarnpkg.com/@zeit/schemas/-/schemas-2.36.0.tgz#7a1b53f4091e18d0b404873ea3e3c83589c765f2"
+  integrity sha512-7kjMwcChYEzMKjeex9ZFXkt1AyNov9R5HZtjBKVsmVpw7pa7ZtlCGvCBC2vnnXctaYN+aRI61HjIqeetZW5ROg==
+
 "@zkochan/js-yaml@0.0.7":
   version "0.0.7"
   resolved "https://registry.yarnpkg.com/@zkochan/js-yaml/-/js-yaml-0.0.7.tgz#4b0cb785220d7c28ce0ec4d0804deb5d821eae89"
@@ -3407,6 +3781,16 @@ ajv-keywords@^5.1.0:
   dependencies:
     fast-deep-equal "^3.1.3"
 
+ajv@8.12.0:
+  version "8.12.0"
+  resolved "https://registry.yarnpkg.com/ajv/-/ajv-8.12.0.tgz#d1a0527323e22f53562c567c00991577dfbe19d1"
+  integrity sha512-sRu1kpcO9yLtYxBKvqfTeh9KzZEwO3STyX1HT+4CaDzC6HpTGYhIhPIzj9XuKU7KYDwnaeh5hcOwjy1QuJzBPA==
+  dependencies:
+    fast-deep-equal "^3.1.1"
+    json-schema-traverse "^1.0.0"
+    require-from-string "^2.0.2"
+    uri-js "^4.2.2"
+
 ajv@^6.12.4, ajv@^6.12.5:
   version "6.12.6"
   resolved "https://registry.yarnpkg.com/ajv/-/ajv-6.12.6.tgz#baf5a62e802b07d977034586f8c3baf5adf26df4"
@@ -3427,6 +3811,13 @@ ajv@^8.0.0, ajv@^8.12.0, ajv@^8.9.0:
     json-schema-traverse "^1.0.0"
     require-from-string "^2.0.2"
 
+ansi-align@^3.0.1:
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/ansi-align/-/ansi-align-3.0.1.tgz#0cdf12e111ace773a86e9a1fad1225c43cb19a59"
+  integrity sha512-IOfwwBF5iczOjp/WeY4YxyjqAFMQoZufdQWDd19SEExbVLNXqvpzSJ/M7Za4/sCPmQ0+GRquoA7bGcINcxew6w==
+  dependencies:
+    string-width "^4.1.0"
+
 ansi-colors@^4.1.1:
   version "4.1.3"
   resolved "https://registry.yarnpkg.com/ansi-colors/-/ansi-colors-4.1.3.tgz#37611340eb2243e70cc604cad35d63270d48781b"
@@ -3486,6 +3877,16 @@ anymatch@^3.1.3, anymatch@~3.1.2:
     normalize-path "^3.0.0"
     picomatch "^2.0.4"
 
+arch@^2.2.0:
+  version "2.2.0"
+  resolved "https://registry.yarnpkg.com/arch/-/arch-2.2.0.tgz#1bc47818f305764f23ab3306b0bfc086c5a29d11"
+  integrity sha512-Of/R0wqp83cgHozfIYLbBMnej79U/SVGOOyuB3VVFv1NRM/PSFMK12x9KVtiYzJqmnU5WR2qp0Z5rHb7sWGnFQ==
+
+arg@5.0.2:
+  version "5.0.2"
+  resolved "https://registry.yarnpkg.com/arg/-/arg-5.0.2.tgz#c81433cc427c92c4dcf4865142dbca6f15acd59c"
+  integrity sha512-PYjyFOLKQ9y57JvQ6QLo8dAgNqswh8M1RMJYdQduT6xbWSgK36P/Z/v+p888pM69jMMfS8Xd8F6I1kQ/I9HUGg==
+
 arg@^4.1.0:
   version "4.1.3"
   resolved "https://registry.yarnpkg.com/arg/-/arg-4.1.3.tgz#269fc7ad5b8e42cb63c896d5666017261c144089"
@@ -3754,6 +4155,20 @@ boolbase@^1.0.0:
   resolved "https://registry.yarnpkg.com/boolbase/-/boolbase-1.0.0.tgz#68dff5fbe60c51eb37725ea9e3ed310dcc1e776e"
   integrity sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==
 
+boxen@7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/boxen/-/boxen-7.0.0.tgz#9e5f8c26e716793fc96edcf7cf754cdf5e3fbf32"
+  integrity sha512-j//dBVuyacJbvW+tvZ9HuH03fZ46QcaKvvhZickZqtB271DxJ7SNRSNxrV/dZX0085m7hISRZWbzWlJvx/rHSg==
+  dependencies:
+    ansi-align "^3.0.1"
+    camelcase "^7.0.0"
+    chalk "^5.0.1"
+    cli-boxes "^3.0.0"
+    string-width "^5.1.2"
+    type-fest "^2.13.0"
+    widest-line "^4.0.1"
+    wrap-ansi "^8.0.1"
+
 brace-expansion@^1.1.7:
   version "1.1.12"
   resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.12.tgz#ab9b454466e5a8cc3a187beaad580412a9c5b843"
@@ -3826,6 +4241,11 @@ bundle-name@^4.1.0:
   dependencies:
     run-applescript "^7.0.0"
 
+bytes@3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/bytes/-/bytes-3.0.0.tgz#d32815404d689699f85a4ea4fa8755dd13a96048"
+  integrity sha512-pMhOfFDPiv9t5jjIXkHosWmkSyQbvsgEVNkz0ERHbuLh2T/7j4Mqqpz523Fe8MVY89KC6Sh/QfS2sM+SjgFDcw==
+
 bytes@3.1.2, bytes@~3.1.2:
   version "3.1.2"
   resolved "https://registry.yarnpkg.com/bytes/-/bytes-3.1.2.tgz#8b0beeb98605adf1b128fa4386403c009e0221a5"
@@ -3867,6 +4287,11 @@ camelcase@^6.3.0:
   resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-6.3.0.tgz#5685b95eb209ac9c0c177467778c9c84df58ba9a"
   integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA==
 
+camelcase@^7.0.0:
+  version "7.0.1"
+  resolved "https://registry.yarnpkg.com/camelcase/-/camelcase-7.0.1.tgz#f02e50af9fd7782bc8b88a3558c32fd3a388f048"
+  integrity sha512-xlx1yCK2Oc1APsPXDL2LdlNP6+uu8OCDdhOBSVT279M/S+y75O30C2VuD8T2ogdePBBl7PfPF4504tnLgX3zfw==
+
 caniuse-api@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/caniuse-api/-/caniuse-api-3.0.0.tgz#5e4d90e2274961d46291997df599e3ed008ee4c0"
@@ -3882,6 +4307,18 @@ caniuse-lite@^1.0.0, caniuse-lite@^1.0.30001759, caniuse-lite@^1.0.30001760:
   resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001766.tgz#b6f6b55cb25a2d888d9393104d14751c6a7d6f7a"
   integrity sha512-4C0lfJ0/YPjJQHagaE9x2Elb69CIqEPZeG0anQt9SIvIoOH4a4uaRl73IavyO+0qZh6MDLH//DrXThEYKHkmYA==
 
+chalk-template@0.4.0:
+  version "0.4.0"
+  resolved "https://registry.yarnpkg.com/chalk-template/-/chalk-template-0.4.0.tgz#692c034d0ed62436b9062c1707fadcd0f753204b"
+  integrity sha512-/ghrgmhfY8RaSdeo43hNXxpoHAtxdbskUHjPpfqUWGttFgycUhYPGx3YZBCnUCvOa7Doivn1IZec3DEGFoMgLg==
+  dependencies:
+    chalk "^4.1.2"
+
+chalk@5.0.1:
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/chalk/-/chalk-5.0.1.tgz#ca57d71e82bb534a296df63bbacc4a1c22b2a4b6"
+  integrity sha512-Fo07WOYGqMfCWHOzSXOt2CxDbC6skS/jO9ynEcmpANMoPrD+W1r1K6Vx7iNm+AQmETU1Xr2t+n8nzkV9t6xh3w==
+
 chalk@^4.0.0, chalk@^4.1.0, chalk@^4.1.2:
   version "4.1.2"
   resolved "https://registry.yarnpkg.com/chalk/-/chalk-4.1.2.tgz#aac4e2b7734a740867aeb16bf02aad556a1e7a01"
@@ -3890,6 +4327,11 @@ chalk@^4.0.0, chalk@^4.1.0, chalk@^4.1.2:
     ansi-styles "^4.1.0"
     supports-color "^7.1.0"
 
+chalk@^5.0.1:
+  version "5.6.2"
+  resolved "https://registry.yarnpkg.com/chalk/-/chalk-5.6.2.tgz#b1238b6e23ea337af71c7f8a295db5af0c158aea"
+  integrity sha512-7NzBL0rN6fMUW+f7A6Io4h40qQlG+xGmtMxfbnH/K7TAtt8JQWVQK+6g0UXKMeVJoyV5EkkNsErQ8pVD3bLHbA==
+
 char-regex@^1.0.2:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/char-regex/-/char-regex-1.0.2.tgz#d744358226217f981ed58f479b1d6bcc29545dcf"
@@ -3937,6 +4379,11 @@ cjs-module-lexer@^2.1.0:
   resolved "https://registry.yarnpkg.com/cjs-module-lexer/-/cjs-module-lexer-2.2.0.tgz#b3ca5101843389259ade7d88c77bd06ce55849ca"
   integrity sha512-4bHTS2YuzUvtoLjdy+98ykbNB5jS0+07EvFNXerqZQJ89F7DI6ET7OQo/HJuW6K0aVsKA9hj9/RVb2kQVOrPDQ==
 
+cli-boxes@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/cli-boxes/-/cli-boxes-3.0.0.tgz#71a10c716feeba005e4504f36329ef0b17cf3145"
+  integrity sha512-/lzGpEWL/8PfI0BmBOPRwp0c/wFNX1RdUML3jK/RcSBA9T8mZDdQpqYBKtCFTOfQbwPqWEOpjqW+Fnayc0969g==
+
 cli-cursor@3.1.0, cli-cursor@^3.1.0:
   version "3.1.0"
   resolved "https://registry.yarnpkg.com/cli-cursor/-/cli-cursor-3.1.0.tgz#264305a7ae490d1d03bf0c9ba7c925d1753af307"
@@ -3969,6 +4416,15 @@ cli-truncate@^5.0.0:
     slice-ansi "^7.1.0"
     string-width "^8.0.0"
 
+clipboardy@3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/clipboardy/-/clipboardy-3.0.0.tgz#f3876247404d334c9ed01b6f269c11d09a5e3092"
+  integrity sha512-Su+uU5sr1jkUy1sGRpLKjKrvEOVXgSgiSInwa/qeID6aJ07yh+5NWc3h2QfjHjBnfX4LhtFcuAWKUsJ3r+fjbg==
+  dependencies:
+    arch "^2.2.0"
+    execa "^5.1.1"
+    is-wsl "^2.2.0"
+
 cliui@^8.0.1:
   version "8.0.1"
   resolved "https://registry.yarnpkg.com/cliui/-/cliui-8.0.1.tgz#0c04b075db02cbfe60dc8e6cf2f5486b1a3608aa"
@@ -4067,7 +4523,7 @@ compressible@~2.0.18:
   dependencies:
     mime-db ">= 1.43.0 < 2"
 
-compression@^1.8.1:
+compression@1.8.1, compression@^1.8.1:
   version "1.8.1"
   resolved "https://registry.yarnpkg.com/compression/-/compression-1.8.1.tgz#4a45d909ac16509195a9a28bd91094889c180d79"
   integrity sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==
@@ -4095,6 +4551,11 @@ connect-history-api-fallback@^2.0.0:
   resolved "https://registry.yarnpkg.com/connect-history-api-fallback/-/connect-history-api-fallback-2.0.0.tgz#647264845251a0daf25b97ce87834cace0f5f1c8"
   integrity sha512-U73+6lQFmfiNPrYbXqr6kZ1i1wiRqXnp2nhMsINseWXO8lDau0LGEffJ8kQi4EjLZympVgRdvqjAgiZ1tgzDDA==
 
+content-disposition@0.5.2:
+  version "0.5.2"
+  resolved "https://registry.yarnpkg.com/content-disposition/-/content-disposition-0.5.2.tgz#0cf68bb9ddf5f2be7961c3a85178cb85dba78cb4"
+  integrity sha512-kRGRZw3bLlFISDBgwTSA1TMBFN6J6GWDeubmDE3AF+3+yXL8hTWv8r5rkLbqYXY4RjPk/EzHnClI3zQf1cFmHA==
+
 content-disposition@~0.5.4:
   version "0.5.4"
   resolved "https://registry.yarnpkg.com/content-disposition/-/content-disposition-0.5.4.tgz#8b82b4efac82512a02bb0b1dcec9d2c5e8eb5bfe"
@@ -4369,6 +4830,11 @@ dedent@^1.6.0:
   resolved "https://registry.yarnpkg.com/dedent/-/dedent-1.7.1.tgz#364661eea3d73f3faba7089214420ec2f8f13e15"
   integrity sha512-9JmrhGZpOlEgOLdQgSm0zxFaYoQon408V1v49aqTWuXENVlnCuY9JBZcXZiCsZQWDjTm5Qf/nIvAy77mXDAjEg==
 
+deep-extend@^0.6.0:
+  version "0.6.0"
+  resolved "https://registry.yarnpkg.com/deep-extend/-/deep-extend-0.6.0.tgz#c4fa7c95404a17a9c3e8ca7e1537312b736330ac"
+  integrity sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==
+
 deep-is@^0.1.3:
   version "0.1.4"
   resolved "https://registry.yarnpkg.com/deep-is/-/deep-is-0.1.4.tgz#a6f2dce612fadd2ef1f519b73551f17e85199831"
@@ -4699,6 +5165,38 @@ es-set-tostringtag@^2.1.0:
     has-tostringtag "^1.0.2"
     hasown "^2.0.2"
 
+esbuild@^0.25.0:
+  version "0.25.12"
+  resolved "https://registry.yarnpkg.com/esbuild/-/esbuild-0.25.12.tgz#97a1d041f4ab00c2fce2f838d2b9969a2d2a97a5"
+  integrity sha512-bbPBYYrtZbkt6Os6FiTLCTFxvq4tt3JKall1vRwshA3fdVztsLAatFaZobhkBC8/BrPetoa0oksYoKXoG4ryJg==
+  optionalDependencies:
+    "@esbuild/aix-ppc64" "0.25.12"
+    "@esbuild/android-arm" "0.25.12"
+    "@esbuild/android-arm64" "0.25.12"
+    "@esbuild/android-x64" "0.25.12"
+    "@esbuild/darwin-arm64" "0.25.12"
+    "@esbuild/darwin-x64" "0.25.12"
+    "@esbuild/freebsd-arm64" "0.25.12"
+    "@esbuild/freebsd-x64" "0.25.12"
+    "@esbuild/linux-arm" "0.25.12"
+    "@esbuild/linux-arm64" "0.25.12"
+    "@esbuild/linux-ia32" "0.25.12"
+    "@esbuild/linux-loong64" "0.25.12"
+    "@esbuild/linux-mips64el" "0.25.12"
+    "@esbuild/linux-ppc64" "0.25.12"
+    "@esbuild/linux-riscv64" "0.25.12"
+    "@esbuild/linux-s390x" "0.25.12"
+    "@esbuild/linux-x64" "0.25.12"
+    "@esbuild/netbsd-arm64" "0.25.12"
+    "@esbuild/netbsd-x64" "0.25.12"
+    "@esbuild/openbsd-arm64" "0.25.12"
+    "@esbuild/openbsd-x64" "0.25.12"
+    "@esbuild/openharmony-arm64" "0.25.12"
+    "@esbuild/sunos-x64" "0.25.12"
+    "@esbuild/win32-arm64" "0.25.12"
+    "@esbuild/win32-ia32" "0.25.12"
+    "@esbuild/win32-x64" "0.25.12"
+
 esbuild@^0.27.2:
   version "0.27.2"
   resolved "https://registry.yarnpkg.com/esbuild/-/esbuild-0.27.2.tgz#d83ed2154d5813a5367376bb2292a9296fc83717"
@@ -5020,7 +5518,7 @@ fb-watchman@^2.0.2:
   dependencies:
     bser "2.1.1"
 
-fdir@^6.5.0:
+fdir@^6.4.4, fdir@^6.5.0:
   version "6.5.0"
   resolved "https://registry.yarnpkg.com/fdir/-/fdir-6.5.0.tgz#ed2ab967a331ade62f18d077dae192684d50d350"
   integrity sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==
@@ -5208,7 +5706,12 @@ fs-monkey@^1.0.4:
   resolved "https://registry.yarnpkg.com/fs-monkey/-/fs-monkey-1.1.0.tgz#632aa15a20e71828ed56b24303363fb1414e5997"
   integrity sha512-QMUezzXWII9EV5aTFXW1UBVUO77wYPpjqIF8/AviUCThNeSYZykpoTixUeaNNBwmCev0AMDWMAni+f8Hxb1IFw==
 
-fsevents@^2.3.3, fsevents@~2.3.2:
+fsevents@2.3.2:
+  version "2.3.2"
+  resolved "https://registry.yarnpkg.com/fsevents/-/fsevents-2.3.2.tgz#8a526f78b8fdf4623b709e0b975c52c24c02fd1a"
+  integrity sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==
+
+fsevents@^2.3.3, fsevents@~2.3.2, fsevents@~2.3.3:
   version "2.3.3"
   resolved "https://registry.yarnpkg.com/fsevents/-/fsevents-2.3.3.tgz#cac6407785d03675a2a5e1a5305c697b347d90d6"
   integrity sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==
@@ -5573,6 +6076,11 @@ inherits@2.0.4, inherits@^2.0.1, inherits@^2.0.3, inherits@^2.0.4, inherits@~2.0
   resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c"
   integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==
 
+ini@~1.3.0:
+  version "1.3.8"
+  resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.8.tgz#a29da425b48806f34767a4efce397269af28432c"
+  integrity sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==
+
 ip-regex@^4.1.0:
   version "4.3.0"
   resolved "https://registry.yarnpkg.com/ip-regex/-/ip-regex-4.3.0.tgz#687275ab0f57fa76978ff8f4dddc8a23d5990db5"
@@ -5673,6 +6181,11 @@ is-plain-obj@^3.0.0:
   resolved "https://registry.yarnpkg.com/is-plain-obj/-/is-plain-obj-3.0.0.tgz#af6f2ea14ac5a646183a5bbdb5baabbc156ad9d7"
   integrity sha512-gwsOE28k+23GP1B6vFl1oVh/WOzmawBrKwo5Ev6wMKzPkaXaCDIQKzLnvsA42DRlbVTWorkgTKIviAKCWkfUwA==
 
+is-port-reachable@4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/is-port-reachable/-/is-port-reachable-4.0.0.tgz#dac044091ef15319c8ab2f34604d8794181f8c2d"
+  integrity sha512-9UoipoxYmSk6Xy7QFgRv2HDyaysmgSG75TFQs6S+3pDM7ZhKTF/bskZV+0UlABHzKjNVhPjYCLfeZUEg1wXxig==
+
 is-potential-custom-element-name@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/is-potential-custom-element-name/-/is-potential-custom-element-name-1.0.1.tgz#171ed6f19e3ac554394edf78caa05784a45bebb5"
@@ -6668,6 +7181,18 @@ mime-db@1.52.0:
   resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.54.0.tgz#cddb3ee4f9c64530dff640236661d42cb6a314f5"
   integrity sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==
 
+mime-db@~1.33.0:
+  version "1.33.0"
+  resolved "https://registry.yarnpkg.com/mime-db/-/mime-db-1.33.0.tgz#a3492050a5cb9b63450541e39d9788d2272783db"
+  integrity sha512-BHJ/EKruNIqJf/QahvxwQZXKygOQ256myeN/Ew+THcAa5q+PjyTTMMeNQC4DZw5AwfvelsUrA6B67NKMqXDbzQ==
+
+mime-types@2.1.18:
+  version "2.1.18"
+  resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.18.tgz#6f323f60a83d11146f831ff11fd66e2fe5503bb8"
+  integrity sha512-lc/aahn+t4/SWV/qcmumYjymLsWfN3ELhpmVuUFjgsORruuZPVSwAQryq+HHGvO/SI2KVX26bx+En+zhM8g8hQ==
+  dependencies:
+    mime-db "~1.33.0"
+
 mime-types@^2.1.12, mime-types@^2.1.27, mime-types@~2.1.24, mime-types@~2.1.34, mime-types@~2.1.35:
   version "2.1.35"
   resolved "https://registry.yarnpkg.com/mime-types/-/mime-types-2.1.35.tgz#381a871b62a734450660ae3deee44813f70d959a"
@@ -6726,7 +7251,7 @@ minimatch@10.1.1, minimatch@^10.1.1:
   dependencies:
     "@isaacs/brace-expansion" "^5.0.0"
 
-minimatch@^3.0.4, minimatch@^3.1.2:
+minimatch@3.1.2, minimatch@^3.0.4, minimatch@^3.1.2:
   version "3.1.2"
   resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
   integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
@@ -6747,7 +7272,7 @@ minimatch@^9.0.4, minimatch@^9.0.5:
   dependencies:
     brace-expansion "^2.0.1"
 
-minimist@^1.2.5, minimist@^1.2.6:
+minimist@^1.2.0, minimist@^1.2.5, minimist@^1.2.6:
   version "1.2.8"
   resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#c1a464e7693302e082a075cee0c057741ac4772c"
   integrity sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==
@@ -7153,6 +7678,11 @@ path-exists@^5.0.0:
   resolved "https://registry.yarnpkg.com/path-exists/-/path-exists-5.0.0.tgz#a6aad9489200b21fab31e49cf09277e5116fb9e7"
   integrity sha512-RjhtfwJOxzcFmNOi6ltcbcu4Iu+FL3zEj83dk4kAS+fVpTxXLO1b38RvJgT/0QwvV/L3aY9TAnyv0EOqW4GoMQ==
 
+path-is-inside@1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/path-is-inside/-/path-is-inside-1.0.2.tgz#365417dede44430d1c11af61027facf074bdfc53"
+  integrity sha512-DUWJr3+ULp4zXmol/SZkFf3JGsS9/SIv+Y3Rt93/UjPpDpklB5f1er4O3POIbUuUJ3FXgqte2Q7SrU6zAqwk8w==
+
 path-key@^3.0.0, path-key@^3.1.0:
   version "3.1.1"
   resolved "https://registry.yarnpkg.com/path-key/-/path-key-3.1.1.tgz#581f6ade658cbba65a0d3380de7753295054f375"
@@ -7171,6 +7701,11 @@ path-scurry@^1.11.1:
     lru-cache "^10.2.0"
     minipass "^5.0.0 || ^6.0.2 || ^7.0.0"
 
+path-to-regexp@3.3.0:
+  version "3.3.0"
+  resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-3.3.0.tgz#f7f31d32e8518c2660862b644414b6d5c63a611b"
+  integrity sha512-qyCH421YQPS2WFDxDjftfc1ZR5WKQzVzqsp4n9M2kQhVOo/ByahFoUNJfl58kOcEGfQ//7weFTDhm+ss8Ecxgw==
+
 path-to-regexp@~0.1.12:
   version "0.1.12"
   resolved "https://registry.yarnpkg.com/path-to-regexp/-/path-to-regexp-0.1.12.tgz#d5e1a12e478a976d432ef3c58d534b9923164bb7"
@@ -7247,6 +7782,20 @@ pkijs@^3.3.3:
     pvutils "^1.1.3"
     tslib "^2.8.1"
 
+playwright-core@1.58.2:
+  version "1.58.2"
+  resolved "https://registry.yarnpkg.com/playwright-core/-/playwright-core-1.58.2.tgz#ac5f5b4b10d29bcf934415f0b8d133b34b0dcb13"
+  integrity sha512-yZkEtftgwS8CsfYo7nm0KE8jsvm6i/PTgVtB8DL726wNf6H2IMsDuxCpJj59KDaxCtSnrWan2AeDqM7JBaultg==
+
+playwright@1.58.2:
+  version "1.58.2"
+  resolved "https://registry.yarnpkg.com/playwright/-/playwright-1.58.2.tgz#afe547164539b0bcfcb79957394a7a3fa8683cfd"
+  integrity sha512-vA30H8Nvkq/cPBnNw4Q8TWz1EJyqgpuinBcHET0YVJVFldr8JDNiU9LaWAE1KqSkRYazuaBhTpB5ZzShOezQ6A==
+  dependencies:
+    playwright-core "1.58.2"
+  optionalDependencies:
+    fsevents "2.3.2"
+
 postcss-calc@^9.0.1:
   version "9.0.1"
   resolved "https://registry.yarnpkg.com/postcss-calc/-/postcss-calc-9.0.1.tgz#a744fd592438a93d6de0f1434c572670361eb6c6"
@@ -7510,7 +8059,7 @@ postcss-value-parser@^4.0.0, postcss-value-parser@^4.1.0, postcss-value-parser@^
   resolved "https://registry.yarnpkg.com/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz#723c09920836ba6d3e5af019f92bc0971c02e514"
   integrity sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==
 
-postcss@^8.4.24, postcss@^8.4.33, postcss@^8.4.38:
+postcss@^8.4.24, postcss@^8.4.33, postcss@^8.4.38, postcss@^8.5.3:
   version "8.5.6"
   resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.5.6.tgz#2825006615a619b4f62a9e7426cc120b349a8f3c"
   integrity sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==
@@ -7611,6 +8160,11 @@ randombytes@^2.1.0:
   dependencies:
     safe-buffer "^5.1.0"
 
+range-parser@1.2.0:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e"
+  integrity sha512-kA5WQoNVo4t9lNx2kQNFCxKeBl5IbbSNBl1M/tLkw9WCn+hxNBAW5Qh8gdhs63CJnhjJ2zQWFoqPJP2sK1AV5A==
+
 range-parser@^1.2.1, range-parser@~1.2.1:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.1.tgz#3cf37023d199e1c24d1a55b84800c2f3e6468031"
@@ -7626,7 +8180,17 @@ raw-body@~2.5.3:
     iconv-lite "~0.4.24"
     unpipe "~1.0.0"
 
-react-dom@^19.2.4:
+rc@^1.0.1, rc@^1.1.6:
+  version "1.2.8"
+  resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.8.tgz#cd924bf5200a075b83c188cd6b9e211b7fc0d3ed"
+  integrity sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==
+  dependencies:
+    deep-extend "^0.6.0"
+    ini "~1.3.0"
+    minimist "^1.2.0"
+    strip-json-comments "~2.0.1"
+
+react-dom@^19.0.0, react-dom@^19.2.4:
   version "19.2.4"
   resolved "https://registry.yarnpkg.com/react-dom/-/react-dom-19.2.4.tgz#6fac6bd96f7db477d966c7ec17c1a2b1ad8e6591"
   integrity sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==
@@ -7643,7 +8207,12 @@ react-is@^18.3.1:
   resolved "https://registry.yarnpkg.com/react-is/-/react-is-18.3.1.tgz#e83557dc12eae63a99e003a46388b1dcbb44db7e"
   integrity sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==
 
-react@^19.2.4:
+react-refresh@^0.17.0:
+  version "0.17.0"
+  resolved "https://registry.yarnpkg.com/react-refresh/-/react-refresh-0.17.0.tgz#b7e579c3657f23d04eccbe4ad2e58a8ed51e7e53"
+  integrity sha512-z6F7K9bV85EfseRCp2bzrpyQ0Gkw1uLoCel9XBVWPg/TjRj94SkJzUTGfOa4bs7iJvBWtQG0Wq7wnI0syw3EBQ==
+
+react@^19.0.0, react@^19.2.4:
   version "19.2.4"
   resolved "https://registry.yarnpkg.com/react/-/react-19.2.4.tgz#438e57baa19b77cb23aab516cf635cd0579ee09a"
   integrity sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==
@@ -7726,6 +8295,21 @@ regexpu-core@^6.3.1:
     unicode-match-property-ecmascript "^2.0.0"
     unicode-match-property-value-ecmascript "^2.2.1"
 
+registry-auth-token@3.3.2:
+  version "3.3.2"
+  resolved "https://registry.yarnpkg.com/registry-auth-token/-/registry-auth-token-3.3.2.tgz#851fd49038eecb586911115af845260eec983f20"
+  integrity sha512-JL39c60XlzCVgNrO+qq68FoNb56w/m7JYvGR2jT5iR1xBrUA3Mfx5Twk5rqTThPmQKMWydGmq8oFtDlxfrmxnQ==
+  dependencies:
+    rc "^1.1.6"
+    safe-buffer "^5.0.1"
+
+registry-url@3.1.0:
+  version "3.1.0"
+  resolved "https://registry.yarnpkg.com/registry-url/-/registry-url-3.1.0.tgz#3d4ef870f73dde1d77f0cf9a381432444e174942"
+  integrity sha512-ZbgR5aZEdf4UKZVBPYIgaglBmSF2Hi94s2PcIHhRGFjKYu+chjJdYfHn4rt3hB6eCKLJ8giVIIfgMa1ehDfZKA==
+  dependencies:
+    rc "^1.0.1"
+
 regjsgen@^0.8.0:
   version "0.8.0"
   resolved "https://registry.yarnpkg.com/regjsgen/-/regjsgen-0.8.0.tgz#df23ff26e0c5b300a6470cad160a9d090c3a37ab"
@@ -7815,6 +8399,40 @@ rfdc@^1.4.1:
   resolved "https://registry.yarnpkg.com/rfdc/-/rfdc-1.4.1.tgz#778f76c4fb731d93414e8f925fbecf64cce7f6ca"
   integrity sha512-q1b3N5QkRUWUl7iyylaaj3kOpIT0N2i9MqIEQXP73GVsN9cw3fdx8X63cEmWhJGi2PPCF23Ijp7ktmd39rawIA==
 
+rollup@^4.34.9:
+  version "4.59.0"
+  resolved "https://registry.yarnpkg.com/rollup/-/rollup-4.59.0.tgz#cf74edac17c1486f562d728a4d923a694abdf06f"
+  integrity sha512-2oMpl67a3zCH9H79LeMcbDhXW/UmWG/y2zuqnF2jQq5uq9TbM9TVyXvA4+t+ne2IIkBdrLpAaRQAvo7YI/Yyeg==
+  dependencies:
+    "@types/estree" "1.0.8"
+  optionalDependencies:
+    "@rollup/rollup-android-arm-eabi" "4.59.0"
+    "@rollup/rollup-android-arm64" "4.59.0"
+    "@rollup/rollup-darwin-arm64" "4.59.0"
+    "@rollup/rollup-darwin-x64" "4.59.0"
+    "@rollup/rollup-freebsd-arm64" "4.59.0"
+    "@rollup/rollup-freebsd-x64" "4.59.0"
+    "@rollup/rollup-linux-arm-gnueabihf" "4.59.0"
+    "@rollup/rollup-linux-arm-musleabihf" "4.59.0"
+    "@rollup/rollup-linux-arm64-gnu" "4.59.0"
+    "@rollup/rollup-linux-arm64-musl" "4.59.0"
+    "@rollup/rollup-linux-loong64-gnu" "4.59.0"
+    "@rollup/rollup-linux-loong64-musl" "4.59.0"
+    "@rollup/rollup-linux-ppc64-gnu" "4.59.0"
+    "@rollup/rollup-linux-ppc64-musl" "4.59.0"
+    "@rollup/rollup-linux-riscv64-gnu" "4.59.0"
+    "@rollup/rollup-linux-riscv64-musl" "4.59.0"
+    "@rollup/rollup-linux-s390x-gnu" "4.59.0"
+    "@rollup/rollup-linux-x64-gnu" "4.59.0"
+    "@rollup/rollup-linux-x64-musl" "4.59.0"
+    "@rollup/rollup-openbsd-x64" "4.59.0"
+    "@rollup/rollup-openharmony-arm64" "4.59.0"
+    "@rollup/rollup-win32-arm64-msvc" "4.59.0"
+    "@rollup/rollup-win32-ia32-msvc" "4.59.0"
+    "@rollup/rollup-win32-x64-gnu" "4.59.0"
+    "@rollup/rollup-win32-x64-msvc" "4.59.0"
+    fsevents "~2.3.2"
+
 rrweb-cssom@^0.8.0:
   version "0.8.0"
   resolved "https://registry.yarnpkg.com/rrweb-cssom/-/rrweb-cssom-0.8.0.tgz#3021d1b4352fbf3b614aaeed0bc0d5739abe0bc2"
@@ -8088,6 +8706,19 @@ serialize-javascript@^6.0.0, serialize-javascript@^6.0.1, serialize-javascript@^
   dependencies:
     randombytes "^2.1.0"
 
+serve-handler@6.1.6:
+  version "6.1.6"
+  resolved "https://registry.yarnpkg.com/serve-handler/-/serve-handler-6.1.6.tgz#50803c1d3e947cd4a341d617f8209b22bd76cfa1"
+  integrity sha512-x5RL9Y2p5+Sh3D38Fh9i/iQ5ZK+e4xuXRd/pGbM4D13tgo/MGwbttUk8emytcr1YYzBYs+apnUngBDFYfpjPuQ==
+  dependencies:
+    bytes "3.0.0"
+    content-disposition "0.5.2"
+    mime-types "2.1.18"
+    minimatch "3.1.2"
+    path-is-inside "1.0.2"
+    path-to-regexp "3.3.0"
+    range-parser "1.2.0"
+
 serve-index@^1.9.1:
   version "1.9.2"
   resolved "https://registry.yarnpkg.com/serve-index/-/serve-index-1.9.2.tgz#2988e3612106d78a5e4849ddff552ce7bd3d9bcb"
@@ -8111,6 +8742,23 @@ serve-static@~1.16.2:
     parseurl "~1.3.3"
     send "~0.19.1"
 
+serve@^14.2.5:
+  version "14.2.5"
+  resolved "https://registry.yarnpkg.com/serve/-/serve-14.2.5.tgz#569e333b99a484b3a6d25acce4a569c8c4f96373"
+  integrity sha512-Qn/qMkzCcMFVPb60E/hQy+iRLpiU8PamOfOSYoAHmmF+fFFmpPpqa6Oci2iWYpTdOUM3VF+TINud7CfbQnsZbA==
+  dependencies:
+    "@zeit/schemas" "2.36.0"
+    ajv "8.12.0"
+    arg "5.0.2"
+    boxen "7.0.0"
+    chalk "5.0.1"
+    chalk-template "0.4.0"
+    clipboardy "3.0.0"
+    compression "1.8.1"
+    is-port-reachable "4.0.0"
+    serve-handler "6.1.6"
+    update-check "1.5.4"
+
 setprototypeof@1.2.0, setprototypeof@~1.2.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/setprototypeof/-/setprototypeof-1.2.0.tgz#66c9a24a73f9fc28cbe66b09fed3d33dcaf1b424"
@@ -8421,6 +9069,11 @@ strip-json-comments@^3.1.1:
   resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-3.1.1.tgz#31f1281b3832630434831c310c01cccda8cbe006"
   integrity sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==
 
+strip-json-comments@~2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-2.0.1.tgz#3c531942e908c2697c0ec344858c286c7ca0a60a"
+  integrity sha512-4gB8na07fecVVkOI6Rs4e7T6NOTki5EmL7TUduTs6bu3EdnSycntVJ4re8kgZA+wx9IueI2Y11bfbgwtzuE0KQ==
+
 style-loader@^3.3.0:
   version "3.3.4"
   resolved "https://registry.yarnpkg.com/style-loader/-/style-loader-3.3.4.tgz#f30f786c36db03a45cbd55b6a70d930c479090e7"
@@ -8578,7 +9231,7 @@ thunky@^1.0.2:
   resolved "https://registry.yarnpkg.com/thunky/-/thunky-1.1.0.tgz#5abaf714a9405db0504732bbccd2cedd9ef9537d"
   integrity sha512-eHY7nBftgThBqOyHGVN+l8gF0BucP09fMo0oO/Lb0w1OF80dJv+lDVpXG60WMQvkcxAkNybKsrEIE3ZtKGmPrA==
 
-tinyglobby@^0.2.12, tinyglobby@^0.2.15:
+tinyglobby@^0.2.12, tinyglobby@^0.2.13, tinyglobby@^0.2.15:
   version "0.2.15"
   resolved "https://registry.yarnpkg.com/tinyglobby/-/tinyglobby-0.2.15.tgz#e228dd1e638cea993d2fdb4fcd2d4602a79951c2"
   integrity sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==
@@ -8752,6 +9405,11 @@ type-fest@^0.21.3:
   resolved "https://registry.yarnpkg.com/type-fest/-/type-fest-0.21.3.tgz#d260a24b0198436e133fa26a524a6d65fa3b2e37"
   integrity sha512-t0rzBq87m3fVcduHDUFhKmyyX+9eo6WQjZvf51Ea/M0Q7+T374Jp1aUiyUl0GKxp8M/OETVHSDvmkyPgvX+X2w==
 
+type-fest@^2.13.0:
+  version "2.19.0"
+  resolved "https://registry.yarnpkg.com/type-fest/-/type-fest-2.19.0.tgz#88068015bb33036a598b952e55e9311a60fd3a9b"
+  integrity sha512-RAH822pAdBgcNMAfWnCBU3CFZcfZ/i1eZjwFU/dsLKumyuuP3niueg2UAukXYF0E2AAoc82ZSSf9J0WQBinzHA==
+
 type-fest@^4.41.0:
   version "4.41.0"
   resolved "https://registry.yarnpkg.com/type-fest/-/type-fest-4.41.0.tgz#6ae1c8e5731273c2bf1f58ad39cbae2c91a46c58"
@@ -8906,6 +9564,14 @@ update-browserslist-db@^1.2.0:
     escalade "^3.2.0"
     picocolors "^1.1.1"
 
+update-check@1.5.4:
+  version "1.5.4"
+  resolved "https://registry.yarnpkg.com/update-check/-/update-check-1.5.4.tgz#5b508e259558f1ad7dbc8b4b0457d4c9d28c8743"
+  integrity sha512-5YHsflzHP4t1G+8WGPlvKbJEbAJGCgw+Em+dGR1KmBUbr1J36SJBqlHLjR7oob7sco5hWHGQVcr9B2poIVDDTQ==
+  dependencies:
+    registry-auth-token "3.3.2"
+    registry-url "3.1.0"
+
 uri-js@^4.2.2:
   version "4.4.1"
   resolved "https://registry.yarnpkg.com/uri-js/-/uri-js-4.4.1.tgz#9b1a52595225859e55f669d928f88c6c57f2a77e"
@@ -8968,6 +9634,20 @@ vfile@^6.0.0:
     "@types/unist" "^3.0.0"
     vfile-message "^4.0.0"
 
+vite@^6.3.5:
+  version "6.4.1"
+  resolved "https://registry.yarnpkg.com/vite/-/vite-6.4.1.tgz#afbe14518cdd6887e240a4b0221ab6d0ce733f96"
+  integrity sha512-+Oxm7q9hDoLMyJOYfUYBuHQo+dkAloi33apOPP56pzj+vsdJDzr+j1NISE5pyaAuKL4A3UD34qd0lx5+kfKp2g==
+  dependencies:
+    esbuild "^0.25.0"
+    fdir "^6.4.4"
+    picomatch "^4.0.2"
+    postcss "^8.5.3"
+    rollup "^4.34.9"
+    tinyglobby "^0.2.13"
+  optionalDependencies:
+    fsevents "~2.3.3"
+
 w3c-xmlserializer@^5.0.0:
   version "5.0.0"
   resolved "https://registry.yarnpkg.com/w3c-xmlserializer/-/w3c-xmlserializer-5.0.0.tgz#f925ba26855158594d907313cedd1476c5967f6c"
@@ -9144,6 +9824,13 @@ which@^2.0.1:
   dependencies:
     isexe "^2.0.0"
 
+widest-line@^4.0.1:
+  version "4.0.1"
+  resolved "https://registry.yarnpkg.com/widest-line/-/widest-line-4.0.1.tgz#a0fc673aaba1ea6f0a0d35b3c2795c9a9cc2ebf2"
+  integrity sha512-o0cyEG0e8GPzT4iGHphIOh0cJOV8fivsXxddQasHPHfoZf1ZexrfeA21w2NaEN1RHE+fXlfISmOE8R9N3u3Qig==
+  dependencies:
+    string-width "^5.0.1"
+
 word-wrap@^1.2.5:
   version "1.2.5"
   resolved "https://registry.yarnpkg.com/word-wrap/-/word-wrap-1.2.5.tgz#d2c45c6dd4fbce621a66f136cbe328afd0410b34"
@@ -9172,7 +9859,7 @@ wrap-ansi@^7.0.0:
     string-width "^4.1.0"
     strip-ansi "^6.0.0"
 
-wrap-ansi@^8.1.0:
+wrap-ansi@^8.0.1, wrap-ansi@^8.1.0:
   version "8.1.0"
   resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-8.1.0.tgz#56dc22368ee570face1b49819975d9b9a5ead214"
   integrity sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==