DocsErrors
Sandbox Restrictions
QSL strategies run in a secure sandbox. Certain JavaScript APIs are blocked to ensure strategies are deterministic, safe, and cannot access external resources.
Forbidden Global APIs
The following identifiers are blocked at the AST level — using them anywhere in your code triggers an immediate error:
| Blocked API | Reason |
|---|---|
eval, Function | Code injection risk |
require, import | Module loading blocked |
fetch, XMLHttpRequest | Network access blocked |
setTimeout, setInterval, setImmediate | Async execution blocked |
clearTimeout, clearInterval | Timer manipulation blocked |
process, global, globalThis | System access blocked |
Proxy, Reflect | Metaprogramming blocked |
WebSocket | Network access blocked |
localStorage, sessionStorage | Browser storage blocked |
document, window, navigator | DOM access blocked |
__dirname, __filename | File system info blocked |
Buffer | Binary data blocked |
SharedArrayBuffer | Shared memory blocked |
Non-Deterministic Code
Strategies must produce identical results on every run with the same inputs. These patterns are blocked:
// Blocked — random values Math.random(); // Blocked — current time dependency new Date(); Date.now(); // Blocked — non-deterministic iteration order for (let key in obj) { }
Control Flow Restrictions
// Blocked — potential infinite loops while (condition) { } do { } while (condition); // Blocked — recursion (function calling itself) function calculate(n) { return calculate(n - 1); // recursion not allowed } // Allowed — for loops are permitted for (let j = 0; j < 10; j++) { }
What You CAN Use
| Available | Examples |
|---|---|
Math (except Math.random) | Math.abs(), Math.max(), Math.min(), Math.floor(), Math.log(), Math.sqrt() |
| Arrays | [].push(), [].map(), [].filter(), [].reduce(), [].slice() |
| Objects | {}, Object.keys(), Object.values() |
| Primitive operations | Arithmetic, comparisons, string operations |
| for loops | for (let i = 0; ...), for (const x of arr) |
| ctx and q | Full strategy API and helper functions |
If You See a Sandbox Error
- Check the error message — it names the forbidden API
- Remove or replace the blocked call
- Use
ctx.stateto store values between bars instead of closures or globals - Use
qhelper functions instead of implementing custom math
Related
sandboxforbiddensecurityrestrictedevalrequirefetchsetTimeoutimport