spring-ai-playground

description: Default Tools - Utilities reference. 26 pure-compute tools - text, datetime, math, security, encoding, crypto, CSV. No network, no env vars, no filesystem.

Default Tools - Utilities

The 26 tools in default-tool-specs-builtin.json (16) and default-tool-specs-builtin-helpers.json (10) cover text manipulation, date arithmetic, math, security scanners, encoding, cryptographic primitives, and CSV serialisation / parsing. They share one property - no network, no filesystem, no env vars. Everything runs in-memory at sandbox L0 by default; the only outside helpers in play are safety.parser.csv for formatCsv / parseCsv and crypto.subtle for the crypto group - both still purely in-memory.

Because they ride on JVM stdlib - java.security.MessageDigest, javax.crypto, JCE, the JDK regex engine - every one of these runs identically on macOS, Windows, and Linux. See Tool Studio: Cross-platform by design for the mechanics.

The 26 tools split by concern.

Browse the 26 utilities { #browse-the-utilities }

Every tool below runs at sandbox L0 with no env vars. Use the directory on the Default Tools index for cross-page search; this page is the full per-tool reference for the 26.

timezoneConvert 🆓

:material-clock-alert-outline:

datetime · util L0

Converts a moment in time between IANA time zones. Returns the same instant rendered in the target zone (ISO with offset).

**Params** `text` · `toTimeZone`

**Env** -

Click for full reference · params · sandbox · JS source

dateDiff 🆓

:material-calendar-arrow-right:

datetime · util L0

Computes b - a in the requested unit (days|hours|minutes|seconds|milliseconds). Returns a number which may be fractional.

**Params** `a` · `b` · `unit`

**Env** -

Click for full reference · params · sandbox · JS source

urlEncode 🆓

:material-link-variant:

text · util L0

Percent-encodes a string for use in a URL component. Equivalent to encodeURIComponent.

**Params** `text`

**Env** -

Click for full reference · params · sandbox · JS source

dateMath 🆓

:material-calendar-clock:

datetime · util L0

**Params** `text` · `amount` · `unit`

**Env** -

Click for full reference · params · sandbox · JS source

parseDate 🆓

:material-calendar-import:

datetime · util L0

Parses a date/time string (ISO 8601 or RFC 2822) and returns its components plus epochMillis.

**Params** `text` · `timeZone`

**Env** -

Click for full reference · params · sandbox · JS source

cronNext 🆓

:material-timer-cog-outline:

datetime · util L0

Computes the next datetime matching a standard 5-field cron expression (minute hour day month weekday). Supports * , - / and ? (treated as *). Returns ISO timestamp in UTC.

**Params** `expression` · `from` · `count`

**Env** -

Click for full reference · params · sandbox · JS source

**Parameters** | Param | Type | Req | Description | |---|---|---|---| | `expression` | `STRING` | ✓ | Cron expression (5 fields) | | `from` | `STRING` | | Starting ISO datetime (default: now) | | `count` | `INTEGER` | | Number of next occurrences to return (default 1, max 100) | **Sandbox** - Runs at the sandbox **L0** baseline (Safest) - pure compute: no network, no filesystem.

JS source

```javascript /** * Computes the next N occurrences matching a 5-field cron expression. * * Field layout: minute hour day-of-month month day-of-week * Supports `*`, `?`, comma lists (`1,3,5`), ranges (`1-5`) and step * suffixes (`* / 15`, `1-23/2`). * * All times are computed in UTC and returned as ISO timestamps. * * Pure ES2024 - Date + Set, no external scheduler library. */ if (expression == null || expression === '') throw new Error('expression required'); const fields = String(expression).trim().split(/\s+/); if (fields.length !== 5) throw new Error('expected 5 cron fields, got ' + fields.length); const ranges = [[0, 59], [0, 23], [1, 31], [1, 12], [0, 6]]; function parseField(spec, [min, max]) { // '*' / '?' → full range if (spec === '*' || spec === '?') { const out = new Set(); for (let i = min; i <= max; i++) out.add(i); return out; } const out = new Set(); for (const part of spec.split(',')) { const stepIdx = part.indexOf('/'); const step = stepIdx >= 0 ? parseInt(part.slice(stepIdx + 1), 10) : 1; const range = stepIdx >= 0 ? part.slice(0, stepIdx) : part; let from, to; if (range === '*') { from = min; to = max; } else if (range.includes('-')) { const [aa, bb] = range.split('-').map(s => parseInt(s, 10)); from = aa; to = bb; } else { const v = parseInt(range, 10); from = v; to = v; } for (let i = from; i <= to; i += step) out.add(i); } return out; } const sets = fields.map((f, i) => parseField(f, ranges[i])); const start = (from && from !== '') ? new Date(String(from)) : new Date(); if (isNaN(start.getTime())) throw new Error('invalid from: ' + from); const want = count == null ? 1 : Number(count); if (!Number.isInteger(want) || want < 1 || want > 100) throw new Error('count must be 1..100'); const results = []; const d = new Date(start.getTime()); d.setUTCSeconds(0, 0); d.setUTCMinutes(d.getUTCMinutes() + 1); const limit = 366 * 24 * 60; // walk up to one year forward let steps = 0; while (results.length < want && steps < limit) { steps++; if (sets[0].has(d.getUTCMinutes()) && sets[1].has(d.getUTCHours()) && sets[2].has(d.getUTCDate()) && sets[3].has(d.getUTCMonth() + 1) && sets[4].has(d.getUTCDay())) { results.push(d.toISOString()); } d.setUTCMinutes(d.getUTCMinutes() + 1); } if (results.length === 0) throw new Error('no occurrence found within one year'); return results; ```

diffText 🆓

:material-file-compare:

text · util L0

Returns a line-by-line diff between two texts. Each entry is {op, line} where op is one of '=' (unchanged), '-' (only in a), '+' (only in b).

**Params** `a` · `b`

**Env** -

Click for full reference · params · sandbox · JS source

sortLines 🆓

:material-sort-alphabetical-ascending:

text · util L0

Sorts lines of text alphabetically. Supports reverse and case-insensitive options.

**Params** `text` · `reverse` · `caseInsensitive`

**Env** -

Click for full reference · params · sandbox · JS source

piiDetect 🆓

:material-shield-account-outline:

security · util L0

Scans text for personally identifiable information patterns (email, US SSN, US phone, credit card, IPv4). Returns an array of {type, masked, index}.

**Params** `text`

**Env** -

Click for full reference · params · sandbox · JS source

**Parameters** | Param | Type | Req | Description | |---|---|---|---| | `text` | `STRING` | ✓ | Text to scan | **Sandbox** - Runs at the sandbox **L0** baseline (Safest) - pure compute: no network, no filesystem.

JS source

```javascript /** * Scans text for common PII patterns and returns each finding with its * masked value + character offset. * * Detected: * email (RFC-shaped, very permissive) * us-phone ((+1)? AAA-PPP-NNNN with delimiters) * us-ssn (AAA-GG-SSSS, valid area/group/serial blocks) * ipv4 (0-255.0-255.0-255.0-255) * credit-card (13-19 digits + Luhn checksum) * * Each finding's value is masked so the raw PII never leaves the tool. * Pure ES2024. */ if (text == null || text === '') return []; const s = String(text); function luhn(num) { // Standard mod-10 check used by all major card brands. let sum = 0, even = false; for (let i = num.length - 1; i >= 0; i--) { let d = num.charCodeAt(i) - 48; if (d < 0 || d > 9) return false; if (even) { d *= 2; if (d > 9) d -= 9; } sum += d; even = !even; } return sum > 0 && sum % 10 === 0; } const mask = v => v.length <= 6 ? '*'.repeat(v.length) : v.slice(0, 2) + '*'.repeat(v.length - 4) + v.slice(-2); const patterns = [ { type: 'email', re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g }, { type: 'us-phone', re: /\b(?:\+?1[-. ]?)?$?[2-9]\d{2}$?[-. ]?\d{3}[-. ]?\d{4}\b/g }, { type: 'us-ssn', re: /\b(?!000|666|9\d{2})\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b/g }, { type: 'ipv4', re: /\b(?:25[0-5]|2[0-4]\d|1?\d{1,2})(?:\.(?:25[0-5]|2[0-4]\d|1?\d{1,2})){3}\b/g }, ]; const out = []; for (const { type, re } of patterns) { for (const m of s.matchAll(re)) { out.push({ type, masked: mask(m[0]), index: m.index }); } } // Credit card detection - extract digit groups then validate Luhn. const ccRe = /\b(?:\d[ -]?){13,19}\b/g; for (const m of s.matchAll(ccRe)) { const digits = m[0].replace(/[ -]/g, ''); if (digits.length >= 13 && digits.length <= 19 && luhn(digits)) { out.push({ type: 'credit-card', masked: mask(digits), index: m.index }); } } out.sort((x, y) => x.index - y.index); return out; ```

regexExtract 🆓

:material-regex:

text · util L0

Returns all regex matches in the input. With the 'g' flag every match is returned; without it the first match (with capture groups) is returned.

**Params** `text` · `pattern` · `flags`

**Env** -

Click for full reference · params · sandbox · JS source

formatDate 🆓

:material-calendar-text-outline:

datetime · util L0

Formats a date (ISO string or epoch ms) using a pattern with tokens yyyy/MM/dd HH:mm:ss SSS. Time zone aware.

**Params** `text` · `pattern` · `timeZone`

**Env** -

Click for full reference · params · sandbox · JS source

stats 🆓

:material-sigma:

math · util L0

Returns summary statistics (count, sum, min, max, mean, median, stddev) for an array of numbers.

**Params** `numbers`

**Env** -

Click for full reference · params · sandbox · JS source

secretPatternDetect 🆓

:material-key-alert-outline:

security · util L0

Scans text for well-known secret patterns (AWS keys, GitHub tokens, Slack tokens, OpenAI keys, Stripe keys, private keys). Returns an array of {type, masked, index}.

**Params** `text`

**Env** -

Click for full reference · params · sandbox · JS source

regexReplace 🆓

:material-find-replace:

text · util L0

Replaces regex matches in the input with the given replacement string. Supports $1, $2 group back-references.

**Params** `text` · `pattern` · `replacement` · `flags`

**Env** -

Click for full reference · params · sandbox · JS source

evalExpression 🆓

:material-calculator-variant-outline:

math · util L0

Evaluates a safe arithmetic/logical expression (no eval, no host access). Supports + - * / % ** parens, &&, ||, !, ==, !=, <, <=, >, >=, and numeric/string/boolean literals plus variables from the variables object.

**Params** `expression` · `variables`

**Env** -

Click for full reference · params · sandbox · JS source

**Parameters** | Param | Type | Req | Description | |---|---|---|---| | `expression` | `STRING` | ✓ | Expression to evaluate | | `variables` | `OBJECT` | | Map of variable bindings | **Sandbox** - Runs at the sandbox **L0** baseline (Safest) - pure compute: no network, no filesystem.

JS source

```javascript /** * Safe arithmetic / logical expression evaluator. * * Supports: + - * / % ** ( ) ! * && || ! == != < <= > >= * number / string literals, true / false / null * variables resolved from the `variables` parameter. * * Does NOT call `eval`, `new Function`, or any host class - the parser is * hand-written so untrusted expressions cannot break out of the sandbox. * * Pure ES2024. */ if (expression == null || expression === '') throw new Error('expression required'); // Copy polyglot foreign map into a plain JS object once. const rawVars = variables || {}; const vars = {}; for (const k of Object.keys(rawVars)) vars[k] = rawVars[k]; const src = String(expression); let i = 0; function peek() { return src[i]; } function next() { return src[i++]; } function skipWs() { while (i < src.length && /\s/.test(src[i])) i++; } function readNumber() { let s = ''; while (i < src.length && /[0-9.]/.test(src[i])) s += next(); if (i < src.length && (src[i] === 'e' || src[i] === 'E')) { s += next(); if (src[i] === '+' || src[i] === '-') s += next(); while (i < src.length && /[0-9]/.test(src[i])) s += next(); } const n = parseFloat(s); if (!Number.isFinite(n)) throw new Error('bad number: ' + s); return n; } function readString(q) { next(); let s = ''; while (i < src.length && src[i] !== q) { if (src[i] === '\\' && i + 1 < src.length) { i++; s += src[i++]; continue; } s += next(); } if (src[i] !== q) throw new Error('unterminated string'); next(); return s; } function readIdent() { let s = ''; while (i < src.length && /[A-Za-z0-9_$]/.test(src[i])) s += next(); return s; } function parseValue() { skipWs(); const c = peek(); if (c === '(') { next(); const v = parseExpr(); skipWs(); if (next() !== ')') throw new Error('missing )'); return v; } if (c === '!') { next(); return !parseValue(); } if (c === '-') { next(); return -parseValue(); } if (c === '+') { next(); return +parseValue(); } if (c === '"' || c === "'") return readString(c); if (/[0-9.]/.test(c)) return readNumber(); if (/[A-Za-z_$]/.test(c)) { const id = readIdent(); if (id === 'true') return true; if (id === 'false') return false; if (id === 'null') return null; if (!(id in vars)) throw new Error('undefined variable: ' + id); return vars[id]; } throw new Error('unexpected: ' + c); } // Operator precedence climbing - Pow > Mul/Div > Add/Sub > Cmp > Eq > And > Or. function parsePow() { let a = parseValue(); skipWs(); if (src[i] === '*' && src[i+1] === '*') { i += 2; return a ** parsePow(); } return a; } function parseMul() { let a = parsePow(); while (true) { skipWs(); const c = peek(); if (c === '*' && src[i+1] !== '*') { next(); a = a * parsePow(); } else if (c === '/') { next(); a = a / parsePow(); } else if (c === '%') { next(); a = a % parsePow(); } else break; } return a; } function parseAdd() { let a = parseMul(); while (true) { skipWs(); const c = peek(); if (c === '+') { next(); a = a + parseMul(); } else if (c === '-') { next(); a = a - parseMul(); } else break; } return a; } function parseCmp() { let a = parseAdd(); skipWs(); if (src[i] === '<' && src[i+1] === '=') { i += 2; return a <= parseAdd(); } if (src[i] === '>' && src[i+1] === '=') { i += 2; return a >= parseAdd(); } if (src[i] === '<') { next(); return a < parseAdd(); } if (src[i] === '>') { next(); return a > parseAdd(); } return a; } function parseEq() { let a = parseCmp(); skipWs(); while (src[i] === '=' && src[i+1] === '=') { i += 2; if (src[i] === '=') i++; a = (a == parseCmp()); skipWs(); } while (src[i] === '!' && src[i+1] === '=') { i += 2; if (src[i] === '=') i++; a = (a != parseCmp()); skipWs(); } return a; } function parseAnd() { let a = parseEq(); skipWs(); while (src[i] === '&' && src[i+1] === '&') { i += 2; a = a && parseEq(); skipWs(); } return a; } function parseOr () { let a = parseAnd(); skipWs(); while (src[i] === '|' && src[i+1] === '|') { i += 2; a = a || parseAnd(); skipWs(); } return a; } function parseExpr() { return parseOr(); } const result = parseExpr(); skipWs(); if (i < src.length) throw new Error('unexpected trailing input at ' + i); return result; ```

formatCsv 🆓

:material-file-table-outline:

data · util L0

Serialises an array of rows into CSV text. Rows may be arrays (use header param) or objects (keys become the header). RFC 4180 quoting.

**Params** `rows` · `header` · `delimiter`

**Env** -

Click for full reference · params · sandbox · JS source

**Parameters** | Param | Type | Req | Description | |---|---|---|---| | `rows` | `ARRAY` | ✓ | Array of row objects/arrays | | `header` | `ARRAY` | | Optional explicit column order | | `delimiter` | `STRING` | | Field delimiter (default ',') | **Sandbox** - Runs at the sandbox **L0** baseline (Safest) - pure compute: no network, no filesystem.

JS source

```javascript /** * Serialises an array of rows into RFC 4180 CSV. * * Rows can be either: * - objects → the first row's keys (or the explicit `header` array) * define the column order. * - arrays → rows are written as-is; pass `header` to add a header row. * * Cells that contain the delimiter, a double-quote, CR or LF are wrapped in * `"..."` and embedded quotes are doubled per RFC 4180. * * Pure ES2024. */ if (rows == null) throw new Error('rows required'); // Polyglot foreign collections aren't iterable through `[...rows]` directly, // so collect via for-of (which works for both JS arrays and Java Lists). const rowArr = []; for (const r of rows) rowArr.push(r); const headerArr = []; if (header != null) for (const h of header) headerArr.push(String(h)); const delim = (typeof delimiter === 'string' && delimiter.length > 0) ? delimiter[0] : ','; function quote(v) { if (v == null) return ''; const s = String(v); if (s.includes(delim) || s.includes('"') || s.includes('\n') || s.includes('\r')) { return '"' + s.replace(/"/g, '""') + '"'; } return s; } function isArrayLike(v) { return v != null && typeof v !== 'string' && typeof v[Symbol.iterator] === 'function'; } // Decide on column order: explicit header > union of object keys > none. let cols = headerArr.length > 0 ? headerArr : null; if (!cols && rowArr.length > 0 && !isArrayLike(rowArr[0])) { const seen = new Set(); cols = []; for (const r of rowArr) { for (const k of Object.keys(r)) { if (!seen.has(k)) { seen.add(k); cols.push(k); } } } } const out = []; if (cols) out.push(cols.map(quote).join(delim)); for (const r of rowArr) { if (isArrayLike(r)) { const cells = []; for (const c of r) cells.push(quote(c)); out.push(cells.join(delim)); } else if (cols) { out.push(cols.map(k => quote(r[k])).join(delim)); } else { out.push(quote(r)); } } return out.join('\n'); ```

base64 🆓

:material-code-tags:

encoding · util L0

Encodes UTF-8 text to base64, or decodes base64 back to UTF-8 text. Use mode='encode' (default) or 'decode'. URL-safe variant via urlSafe=true.

**Params** `text` · `mode` · `urlSafe`

**Env** -

Click for full reference · params · sandbox · JS source

hex 🆓

:material-numeric:

encoding · util L0

Encodes UTF-8 text to hex string, or decodes hex back to UTF-8 text. Use mode='encode' (default) or 'decode'.

**Params** `text` · `mode` · `upperCase`

**Env** -

Click for full reference · params · sandbox · JS source

uuid 🆓

:material-identifier:

crypto · util L0

Generates a cryptographically random UUID v4 string.

**Params** -

**Env** -

Click for full reference · params · sandbox · JS source

hash 🆓

:material-pound:

crypto · util L0

Computes the cryptographic hash of UTF-8 text. Algorithms: SHA-256 (default), SHA-384, SHA-512. Returns lowercase hex.

**Params** `text` · `algorithm`

**Env** -

Click for full reference · params · sandbox · JS source

hmac 🆓

:material-key-variant:

crypto · util L0

Computes an HMAC signature over UTF-8 text using a secret. Algorithms: SHA-256 (default), SHA-384, SHA-512. Returns lowercase hex.

**Params** `secret` · `text` · `algorithm`

**Env** -

Click for full reference · params · sandbox · JS source

secureRandom 🆓

:material-dice-6-outline:

crypto · util L0

Generates cryptographically secure random bytes. encoding: 'hex' (default), 'base64', or 'base64url'.

**Params** `bytes` · `encoding`

**Env** -

Click for full reference · params · sandbox · JS source

passwordGenerate 🆓

:material-form-textbox-password:

crypto · util L0

Generates a strong random password from selected character classes. Uses crypto.getRandomValues for unbiased selection.

**Params** `length` · `includeLowercase` · `includeUppercase` · `includeDigits` · `includeSymbols`

**Env** -

Click for full reference · params · sandbox · JS source

**Parameters** | Param | Type | Req | Description | |---|---|---|---| | `length` | `INTEGER` | | Password length (default 16, min 4, max 256) | | `includeLowercase` | `BOOLEAN` | | Include a-z | | `includeUppercase` | `BOOLEAN` | | Include A-Z | | `includeDigits` | `BOOLEAN` | | Include 0-9 | | `includeSymbols` | `BOOLEAN` | | Include ASCII punctuation | **Sandbox** - Runs at the sandbox **L0** baseline (Safest) - pure compute: no network, no filesystem.

JS source

```javascript /** * Generates a strong random password from selected character classes. * * Guarantees one character from EACH enabled class, then fills the rest * uniformly from the union and shuffles cryptographically. Uses unbiased * rejection sampling - no modulo bias. * * Defaults: length 16, classes lower/upper/digits enabled, symbols off. * Uses host crypto.getRandomValues. */ const len = length == null ? 16 : Number(length); if (!Number.isInteger(len) || len < 4 || len > 256) throw new Error('length must be 4..256'); const lo = 'abcdefghijklmnopqrstuvwxyz'; const up = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; const di = '0123456789'; const sy = '!@#$%^&*()-_=+[]{};:,.<>/?'; const useLo = includeLowercase !== false; const useUp = includeUppercase !== false; const useDi = includeDigits !== false; const useSy = includeSymbols === true; let pool = ''; if (useLo) pool += lo; if (useUp) pool += up; if (useDi) pool += di; if (useSy) pool += sy; if (pool.length === 0) throw new Error('at least one character class required'); const required = []; if (useLo) required.push(lo); if (useUp) required.push(up); if (useDi) required.push(di); if (useSy) required.push(sy); // Unbiased pick via rejection sampling on the high-resolution random pool. function pick(alphabet) { const buf = new Uint32Array(1); const max = Math.floor(0xFFFFFFFF / alphabet.length) * alphabet.length; do { crypto.getRandomValues(buf); } while (buf[0] >= max); return alphabet[buf[0] % alphabet.length]; } const chars = required.map(pick); while (chars.length < len) chars.push(pick(pool)); // Fisher-Yates shuffle, also with rejection-sampled randomness. for (let i = chars.length - 1; i > 0; i--) { const buf = new Uint32Array(1); const max = Math.floor(0xFFFFFFFF / (i + 1)) * (i + 1); do { crypto.getRandomValues(buf); } while (buf[0] >= max); const j = buf[0] % (i + 1); [chars[i], chars[j]] = [chars[j], chars[i]]; } return chars.join(''); ```

jwtDecode 🆓

:material-shield-key-outline:

crypto · util L0

Decodes a JWT without verifying its signature. Returns the header and payload as JSON, plus signaturePresent.

**Params** `token`

**Env** -

Click for full reference · params · sandbox · JS source

jwtVerify 🆓

:material-shield-check-outline:

crypto · util L0

Verifies a HS256/HS384/HS512 JWT signature using a shared secret and returns the decoded payload on success. Also checks exp and nbf claims when present.

**Params** `token` · `secret`

**Env** -

Click for full reference · params · sandbox · JS source

**Parameters** | Param | Type | Req | Description | |---|---|---|---| | `token` | `STRING` | ✓ | JWT compact form | | `secret` | `STRING` | ✓ | Shared HMAC secret | **Sandbox** - Runs at the sandbox **L0** baseline (Safest) - pure compute: no network, no filesystem.

JS source

```javascript /** * Verifies a HS256/HS384/HS512 JWT signature with a shared secret and * returns the decoded payload, plus any structural validity issues. * * Return shape: * { valid, algorithm, header, payload, reasons } * * `reasons` is empty on success; otherwise it lists every failed check * (bad signature, token expired, token not yet valid). * * Uses host WebCrypto + atob. Constant-time-style equality (XOR-accumulate) * so the verifier doesn't leak signature bytes via timing. */ if (token == null || token === '') throw new Error('token required'); if (secret == null || secret === '') throw new Error('secret required'); const parts = String(token).split('.'); if (parts.length !== 3) throw new Error('JWT must have 3 segments'); function b64urlDecode(s) { s = s.replace(/-/g, '+').replace(/_/g, '/'); const pad = s.length % 4; if (pad) s += '='.repeat(4 - pad); return Uint8Array.from(atob(s), c => c.charCodeAt(0)); } function b64urlDecodeJson(s) { return JSON.parse(new TextDecoder().decode(b64urlDecode(s))); } const header = b64urlDecodeJson(parts[0]); const payload = b64urlDecodeJson(parts[1]); const alg = String(header.alg || '').toUpperCase(); const hashAlg = ({ HS256: 'SHA-256', HS384: 'SHA-384', HS512: 'SHA-512' })[alg]; if (!hashAlg) throw new Error('unsupported alg: ' + alg); const keyBytes = new TextEncoder().encode(String(secret)); const key = await crypto.subtle.importKey( 'raw', keyBytes, { name: 'HMAC', hash: hashAlg }, false, ['sign']); const signingInput = new TextEncoder().encode(parts[0] + '.' + parts[1]); const expected = await crypto.subtle.sign('HMAC', key, signingInput); // Constant-time compare expected vs provided signature. const expectedBytes = Array.isArray(expected) ? expected : Array.from(expected); const actualBytes = Array.from(b64urlDecode(parts[2])); let acc = 0; const len = Math.max(expectedBytes.length, actualBytes.length); for (let idx = 0; idx < len; idx++) { acc |= (expectedBytes[idx] || 0) ^ (actualBytes[idx] || 0); } const sigOk = expectedBytes.length === actualBytes.length && acc === 0; const now = Math.floor(Date.now() / 1000); const reasons = []; if (!sigOk) reasons.push('bad signature'); if (typeof payload.exp === 'number' && now >= payload.exp) reasons.push('token expired'); if (typeof payload.nbf === 'number' && now < payload.nbf) reasons.push('token not yet valid'); return { valid: reasons.length === 0, algorithm: alg, header, payload, reasons, }; ```

parseCsv 🆓

:material-file-import-outline:

data · util L0

Parses CSV text into an array of rows. If header=true, each row is an object keyed by the first row.

**Params** `text` · `header` · `delimiter`

**Env** -

Click for full reference · params · sandbox · JS source

Composition patterns (in-memory data pipelines)

The 26 utilities are deliberately I/O-free, which makes them perfect for chains the agent runs entirely in-memory:

Text-shell ETL - regexExtract(text, pattern) → sortLines(text) → formatCsv(rows) to turn raw log/text into structured CSV in one tool turn.
Crypto sign-and-mint - secureRandom(bytes=32) for the secret → hmac(secret, payload) for the signature → base64(text) to wire-encode - issuing a signed token without any Java.type(...) interop.
JWT inspect → re-encode - jwtDecode(token) exposes header + payload → mutate fields in the agent prompt → hmac + base64 to rebuild a signed JWT (HS256/384/512).
Time math chain - parseDate(text) → dateMath(text, amount, unit) → formatDate(text, pattern, timeZone) to normalise a user-supplied datetime to a target zone with a single call.
PII / secret scrub - piiDetect(text) + secretPatternDetect(text) over a chat transcript before forwarding it to a model - both return [{type, masked, index}] so the agent can redact in-place.

Tutorial 8: Default Tool Recipes walks one of these end-to-end (the text-shell ETL chain).

Keys & secrets

None. All 26 utilities run with the default sandbox baseline - no network, no filesystem, no env vars. That is what makes them the safe slice of the catalog to expose to the model with zero setup.

→ Tool Studio: Built-in JavaScript Helpers - the underlying crypto.subtle, safety.parser.csv, regex helpers each of these tools wraps.

This site is open source. Improve this page.