Code Mode Security (Beta)
Secure MCP-as-code execution with sandboxing, AST analysis, and taint tracking.
Code Mode allows agents to execute TypeScript code to chain multiple MCP tools together, rather than making individual tool calls. This approach significantly reduces latency and token usage but introduces new security considerations.
Beta Feature: Code Mode Security is currently in beta. Features and APIs may change.
Edison Watch secures Code Mode with a defense-in-depth architecture combining sandboxed execution, static analysis, and taint-aware data tracking.
Why Code Mode?
Traditional agents suffer from context rot. Every tool call's input and output must be added to the LLM's context window. Connecting an agent to many MCP servers leads to context rot, as tool definitions consume tokens even before any action is taken. For complex data processing (e.g., "summarize these 20 files"), this can consume hundreds of thousands of tokens just to move data around.
Code Mode solves this by letting the agent write a script to process data inside the secure environment. The LLM only sees the final result, often reducing token usage by over 90%.
Security Architecture
Edison Watch employs three layers of defense to make Code Mode safe for enterprise deployment.
1. The Deno Sandbox (RCE Protection)
Code executes in a secure Deno sandbox with strict permissions:
- No Network Access: The script cannot make arbitrary HTTP requests. It can only call allowed MCP tools.
- No Filesystem Write: The script cannot modify the host filesystem.
- Resource Limits: Fixed limits on execution time (90s), memory (256MB), and output size (10MB).
2. AST Analysis (Analyzability)
Before execution, Edison Watch parses the script's Abstract Syntax Tree (AST) to enforce a strict subset of TypeScript. This prevents obfuscation techniques that attackers use to hide malicious behavior.
Strict Mode: We block dynamic features like eval(), new Function(), and dynamic imports
(e.g., import(variable)). Code must be statically analyzable to run.
3. Taint-Aware Trifecta (Data Protection)
The vanilla "Lethal Trifecta" model (blocking Private Data + Untrusted Content + External Communication) can be too aggressive for code execution. Code Mode uses taint tracking to be more precise.
The "Scalpel" Approach
Instead of flagging the entire session when a sensitive tool is called, Edison Watch traces the actual flow of data variables within the script.
Example: The Calendar Problem Imagine an agent reads a calendar invite to check your availability. The invite body contains untrusted content (potential prompt injection), but the start/end times are safe metadata.
- Vanilla Trifecta: Blocks the action because "Calendar" (Private) and "Invite Body" (Untrusted) were accessed, even if the agent only printed the time.
- Code Mode Taint Tracking: Analyzes the script. If the code
console.log(event.startTime)but never logsevent.body, Edison knows the untrusted content never left the sandbox. The action is allowed.
This precision reduces false positives while maintaining strict security guarantees.
Observability
Every Code Mode execution is fully audited. The system records:
- The exact TypeScript code generated by the agent.
- Validation results and any AST errors.
- Console output and return values.
- Which specific data paths were marked as tainted.
These details are stored in the secure audit logs.
Operational Limits
To prevent denial-of-service (DoS) and abuse, Code Mode enforces hard limits:
| Metric | Limit |
|---|---|
| Execution Time | 90 seconds |
| Memory | 256 MB |
| Output Size | 10 MB |