# Script Security Policy

UnifiedControl `.uctlx` files can contain event handler code. This is necessary for designable `ContentControl` / UserControl-style content, but it creates a security boundary.

## Current dev-0.4.0 rule

- Code is saved and loaded as definition data.
- Code is not executed by `Open`, package read, Inspector, Preview, or Designer Canvas.
- `ScriptSecurityPolicyService` validates handler shape and warns for risky patterns such as `eval`, `new Function`, or `document.write`.
- Handler definitions use `executionPolicy: "host-approved-only"`.

## Future runtime rule

A future Run/Preview runtime must require all of the following:

1. Host option such as `allowScriptExecution: true`.
2. Capability review for requested permissions such as network, storage, hostApi or clipboard.
3. Sandbox strategy, for example iframe sandbox or Worker.
4. Error capture and audit event logging.
5. No direct exposure of internal Host objects.

The designer may edit and save handler code, but it must not silently execute untrusted content packages.

## dev-0.4.1 handler validation UX

The event-handler editor includes a Validate action. Validation results are displayed inside the dialog before save. Warnings are stored in the handler's `security.validation` metadata when the handler is saved.

Safe Preview does not execute handlers even when handler definitions are present.
## dev-0.4.5 Test Run Execution

`RestrictedScriptRunner` is introduced for Designer Test Run. It blocks execution unless `allowScriptExecution` is true, validates handler definitions before execution, emits execution lifecycle events, and applies an execution timeout. This is an initial restricted runner, not a full browser security sandbox; production Hosts can replace it or wrap it with iframe/Worker isolation.
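To make the gate concrete, here is an added example (not the project's `RestrictedScriptRunner` or `ScriptSecurityPolicyService`; every name in it is hypothetical) that applies the future runtime rule and the Test Run checks above: handler code stays data, risky patterns become stored warnings, and execution is approved only after the host opt-in and a capability review, with each decision written to an audit trail. It deliberately stops at approval; running the code belongs to the host's iframe/Worker runner.

```javascript
// Added example, not the project's own code. Names are hypothetical.

// Patterns the policy calls risky; a match yields a warning, not an error.
const RISKY_PATTERNS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "new Function", re: /\bnew\s+Function\b/ },
  { name: "document.write", re: /\bdocument\.write\s*\(/ },
];

// Validate handler shape and scan its code for risky patterns.
// The result is what would be stored under security.validation on save.
function validateHandler(handler) {
  const errors = [];
  const warnings = [];
  if (!handler || typeof handler.code !== "string") {
    errors.push("handler.code must be a string");
  }
  if (!handler || handler.executionPolicy !== "host-approved-only") {
    errors.push('executionPolicy must be "host-approved-only"');
  }
  if (handler && typeof handler.code === "string") {
    for (const p of RISKY_PATTERNS) {
      if (p.re.test(handler.code)) warnings.push(`risky pattern: ${p.name}`);
    }
  }
  return { ok: errors.length === 0, errors, warnings };
}

// Gate a Test Run: host opt-in, validation, capability review, audit log.
// Never executes handler code; a sandboxed runner is the host's job.
function reviewExecution(handler, hostOptions, audit = []) {
  const log = (event, detail) => audit.push({ event, ...detail });
  if (!hostOptions || hostOptions.allowScriptExecution !== true) {
    log("denied", { reason: "allowScriptExecution is not true" });
    return { allowed: false, audit };
  }
  const v = validateHandler(handler);
  log("validated", { errors: v.errors, warnings: v.warnings });
  if (!v.ok) {
    log("denied", { reason: "validation failed" });
    return { allowed: false, audit };
  }
  const granted = new Set(hostOptions.grantedCapabilities ?? []);
  const denied = (handler.permissions ?? []).filter((c) => !granted.has(c));
  if (denied.length > 0) {
    log("denied", { reason: `capabilities not granted: ${denied.join(", ")}` });
    return { allowed: false, audit };
  }
  log("approved", { warnings: v.warnings });
  return { allowed: true, audit };
}
```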
