ScriptLite — a sandboxed ECMAScript subset interpreter for PHP (with optional C extension)

I've been working on Cockpit , a headless CMS, for a while now. One thing that kept coming up was the need for user-defined logic — computed fields, validation rules, content transformations, stuff like that. The kind of thing where you want your CMS users to write small snippets of logic without giving them the keys to the entire PHP runtime. I looked at existing options. V8js is heavy and a pain to deploy. Lua doesn't feel right for a web-focused CMS where most users already know JavaScript. Expression languages are too limited once you need a loop or a callback. So I started building my own. What began as a simple expression evaluator for Cockpit turned into a full ECMAScript subset interpreter: ScriptLite . What it does It runs JavaScript (ES5/ES6 subset) inside PHP. No filesystem access, no network, no eval , no require — scripts can only touch the data you explicitly pass in. Think of it as a sandbox where users write logic and you control exactly what they can see and do. $engin