Security: xcon-viewer/xcon-chain

docs/security.md

Security

The public runtime is designed around a pure evaluation contract.

same expression + same input data = same output

Public XCON Chain does not use eval, does not execute JavaScript, does not call network APIs, and does not persist data.

Rejected features:

  • mutation functions
  • action execution
  • external requests
  • private application access
  • DOM/CSS access

Use @xcon-chain/lint before rendering untrusted expressions. Use a timeout or worker isolation if expressions come from untrusted users at high volume.