Maybe this is a dumb question, but the "shell" this sets up in which it runs "node" is just some VM in the browser, right? It's not literally executing shell commands or opening ports on the host machine, is it?
Everything nodebox does is scoped to the current browser window, it has no access to any part of the hostmachine, it's not really a vm but actually a new web worker which runs the Node.js code you request. This is heavily relying on the sandboxing browsers do by default and is therefore really secure.
It's very interesting. In that example with the express router, where you're creating `index.js` inside a filesystem inside nodebox, is that whole filesystem just stored by that one webworker? Also, when you invoke express to listen on port 3000 and get back some URL to set the `previewIframe.src`, is that some blob URL returned from the webworker? (in which case how would you set up sockets?) Or is that URL accessible to any other browser tab?