# Security Hardening / dev-0.7.0

The dev-0.7.0 script policy remains definition-first and host-approved.

Implemented hardening:

- Handler code is never auto-executed on Open.
- Test Run and Runtime execution require explicit `allowScriptExecution`.
- RestrictedScriptRunner shadows common globals such as `window`, `document`, `localStorage`, `fetch`, `XMLHttpRequest`, `Function`, and `eval` inside the compiled handler scope.
- `alert()` is redirected to `api.log()` during restricted execution.
- ScriptSecurityPolicyService scans handlers and content-level requested capabilities.
- SecurityAuditService summarizes component count, handler count, warnings, and errors.

This is still a browser-side restricted runner, not a full security boundary equivalent to an isolated origin iframe or Worker sandbox. Production Hosts can replace the runner or enforce stronger isolation.
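The opt-in gate, the global shadowing and the `alert()` redirect described above, as an added sketch that is not the project's RestrictedScriptRunner code. `runRestricted`, its options object and the shape of `api` are assumptions made for illustration; the handler also probes `setTimeout`, a name this sketch does not shadow, to show that anything left off the list stays reachable.

```javascript
// Added sketch, not the project's RestrictedScriptRunner.
// Names are the ones listed on this page; the real runner may shadow more.
const SHADOWED = ['window', 'document', 'localStorage', 'fetch',
                  'XMLHttpRequest', 'Function', 'eval'];

// runRestricted, its options shape and api.log(msg) are hypothetical.
function runRestricted(handlerSource, api, options = {}) {
  // Opt-in gate: nothing is compiled or run unless the host allows it.
  if (options.allowScriptExecution !== true) {
    throw new Error('script execution not approved by host');
  }
  // Each shadowed name becomes a parameter of a sloppy-mode wrapper, so the
  // handler resolves it to the parameter (undefined) instead of the global.
  // The handler body itself runs in an inner strict function with no `this`.
  const compiled = new Function('api', 'alert', ...SHADOWED,
    'return (function () { "use strict";\n' + handlerSource + '\n}).call(undefined);');
  // alert() is redirected to api.log() instead of opening a dialog.
  const alertToLog = (msg) => api.log(String(msg));
  return compiled(api, alertToLog, ...SHADOWED.map(() => undefined));
}

// Constructed handler and host API, for demonstration only.
function demo() {
  const logs = [];
  const api = { log: (m) => logs.push(m) };
  const handler = `
    alert('clicked');
    return {
      fetch: typeof fetch,
      Function: typeof Function,
      eval: typeof eval,
      setTimeout: typeof setTimeout  // not on the shadow list in this sketch
    };`;
  let blocked = false;
  try {
    runRestricted(handler, api);     // no allowScriptExecution: refused
  } catch (e) {
    blocked = true;
  }
  const seen = runRestricted(handler, api, { allowScriptExecution: true });
  return { blocked, logs, seen };
}
```

Shadowing hides only the names that are enumerated, which is the reason for treating this as defense in depth and keeping an isolated-origin iframe or Worker as the boundary in production hosts.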
