Secure by default. Audited by Tyto.
NyxCode never uses eval() or new Function(). The runtime uses a safe property-access-only evaluator. Expressions are validated against known state keys before execution.
Only declared state and computed variables can be accessed. Attempts to reach __proto__, constructor, or other prototype-chain properties are silently ignored, so an expression cannot climb from state data to Function or Object.prototype.
// Generated runtime validates: if (!__nyx.subscribers.has(name)) return;
All dynamic content is rendered via textContent, never innerHTML. A string assigned to textContent becomes a text node and is never parsed as markup, so XSS via user input interpolated into templates is structurally impossible.
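The evaluator and the rendering sink described above, as an added example that is not NyxCode's own code: the function names (compileExpression, safeEval, renderInto), the path grammar, and the sample state and declared-key set are assumptions made for illustration. It shows the three properties the page claims: no expression string is ever turned into code, the root of every expression is checked against the declared keys before execution, and prototype-chain segments yield undefined instead of a gadget.

```javascript
// Added example (not NyxCode's code): a property-access-only evaluator of the
// kind the page describes, plus the textContent sink. compileExpression,
// safeEval, renderInto and the sample state are assumptions for illustration.

// Segments that would let an expression climb out of the state data:
// constructor reaches Function, __proto__/prototype reach the prototype chain.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// The only grammar accepted: an identifier followed by .prop or [index] steps.
// Calls, operators and statements never parse, so
// "constructor.constructor('alert(1)')()" is rejected before any evaluation.
const PATH_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*|\[\d+\])*$/;

// Compile step: validate syntax and check the root against the declared keys.
// Both failures throw, matching "compiler errors, not warnings".
function compileExpression(expr, declaredKeys) {
  if (typeof expr !== 'string' || !PATH_RE.test(expr)) {
    throw new SyntaxError(`unsupported expression: ${JSON.stringify(expr)}`);
  }
  // "items[0].title" -> ["items", "0", "title"]
  const segments = expr.replace(/\[(\d+)\]/g, '.$1').split('.');
  if (!declaredKeys.has(segments[0])) {
    throw new ReferenceError(`${segments[0]} is not a declared state or computed key`);
  }
  return segments;
}

// Runtime step: walk own properties only. Forbidden or missing segments yield
// undefined instead of traversing the prototype chain; no code is ever built
// from the expression string.
function safeEval(segments, state) {
  let cur = state;
  for (const seg of segments) {
    if (FORBIDDEN.has(seg)) return undefined;
    // Primitives are not traversed, and inherited properties (toString,
    // valueOf) are not own properties, so they are unreachable as well.
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, seg)) {
      return undefined;
    }
    cur = cur[seg];
  }
  return cur;
}

// Sink: the value becomes a text node. The browser never parses it as markup,
// so markup inside the data stays inert. `el` is any object with a textContent
// property (a real DOM element in the browser).
function renderInto(el, segments, state) {
  const value = safeEval(segments, state);
  el.textContent = value === undefined || value === null ? '' : String(value);
  return el.textContent;
}

// Constructed sample state and declared-key allowlist for the demonstration.
const declared = new Set(['user', 'items']);
const state = {
  user: { name: 'Ada' },
  items: [{ title: '<img src=x onerror=alert(1)>' }],
};

const fakeEl = { textContent: '' };
// The payload comes back as plain text; with a real element it is a text node.
console.log(renderInto(fakeEl, compileExpression('items[0].title', declared), state));
// Prototype access is ignored rather than evaluated.
console.log(safeEval(compileExpression('user.constructor', declared), state)); // undefined
```

Note that an undeclared root (`secret.key`) fails at compile time with a ReferenceError, while a declared root followed by a forbidden or missing segment fails silently at runtime, which is the split the page describes: allowlist validation before execution, prototype access ignored during it.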
All three findings from Tyto's security review (February 2026) have been resolved:
CRITICAL: new Function() replaced
safeEval() replaces eval/new Function entirely. No arbitrary code execution.
MEDIUM: State-key allowlist
Only declared state/computed keys can be accessed at runtime.
MEDIUM: HTML escaping
All dynamic content uses textContent, so interpolated values are never parsed as HTML. XSS through template interpolation is structurally impossible.
Security is not optional. Insecure patterns are compiler errors, not warnings.