agentfront · frontegg-david · Dec 11, 2025 · Dec 11, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.1.0] - 2025-12-11
+
+Hardened ast-guard’s AgentScript preset with additional browser primitive blocks and dynamic import enforcement.
+
+### Updated Libraries
+
+- **ast-guard** v1.1.0 - AgentScript preset now blocks structuredClone/messaging APIs, queueMicrotask, and import() expressions for parity with the Enclave sandbox.
+
 ### Changed
 
 - Updated the documented cache directory default for `LocalLlmConfig` to `~/.enclave/models` in `libs/enclave-vm/src/scoring/types.ts:377` to match the new Enclave pathing.

diff --git a/docs/draft/docs/libraries/ast-guard.mdx b/docs/draft/docs/libraries/ast-guard.mdx
@@ -29,6 +29,14 @@ console.log(result.valid); // true
 - **Security Presets**: STRICT, SECURE, STANDARD, PERMISSIVE
 - **Zero Dependencies**: Only uses acorn for parsing
 
+## AgentScript preset hardening
+
+Use `createAgentScriptPreset()` when you want AST validation to match Enclave's runtime sandbox. The preset now:
+
+- Blocks modern browser primitives like `structuredClone`, `AbortController`/`AbortSignal`, `MessageChannel`/`MessagePort`, `BroadcastChannel`, `TextEncoder`/`TextDecoder`, and `Intl` so those capabilities never reach execution.
+- Treats `queueMicrotask` the same way as timers to guard against microtask flooding attacks.
+- Reports dynamic `import()` expressions through `NoEvalRule`, preventing untrusted code from lazy-loading modules.
+
 ## Security Presets
 
 | Preset | Description |

diff --git a/docs/live/docs/libraries/ast-guard.mdx b/docs/live/docs/libraries/ast-guard.mdx
@@ -29,6 +29,14 @@ console.log(result.valid); // true
 - **Security Presets**: STRICT, SECURE, STANDARD, PERMISSIVE
 - **Zero Dependencies**: Only uses acorn for parsing
 
+## AgentScript preset hardening
+
+Use `createAgentScriptPreset()` when you want AST validation to match Enclave's runtime sandbox. The preset now:
+
+- Blocks modern browser primitives like `structuredClone`, `AbortController`/`AbortSignal`, `MessageChannel`/`MessagePort`, `BroadcastChannel`, `TextEncoder`/`TextDecoder`, and `Intl` so those capabilities never reach execution.
+- Treats `queueMicrotask` the same way as timers to guard against microtask flooding attacks.
+- Reports dynamic `import()` expressions through `NoEvalRule`, preventing untrusted code from lazy-loading modules.
+
 ## Security Presets
 
 | Preset | Description |

diff --git a/libs/ast-guard/CHANGELOG.md b/libs/ast-guard/CHANGELOG.md
@@ -1,5 +1,18 @@
 # Changelog
 
+## [Unreleased]
+
+## [1.1.0] - 2025-12-11
+
+### Added
+
+- AgentScript preset now blocks structuredClone, AbortController/AbortSignal, MessageChannel/MessagePort, BroadcastChannel, TextEncoder/TextDecoder, and Intl before code hits runtime (libs/ast-guard/src/presets/agentscript.preset.ts:292).
+- AgentScript preset treats queueMicrotask as a disallowed timer primitive to mitigate microtask flooding attacks (libs/ast-guard/src/presets/agentscript.preset.ts:311).
+
+### Security
+
+- NoEvalRule now reports dynamic import() expressions so untrusted code cannot lazy-load modules (libs/ast-guard/src/rules/no-eval.rule.ts:4).
+
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

diff --git a/libs/ast-guard/package.json b/libs/ast-guard/package.json
@@ -1,6 +1,6 @@
 {
   "name": "ast-guard",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "A production-ready AST security guard for JavaScript - validate, protect, and enforce code safety with extensible rules",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://github.com/agentfront/enclave/tree/main/libs/ast-guard",