app.engine.dsl_ast module

AST node definitions and the field-access whitelist for the strategy DSL.

This module is pure data + small pure helpers - no I/O, no service dependencies, no async. It is imported by the validator, the interpreter, and the execution context. Keeping it dependency-free is what allows the adversarial test suite to import the whitelist directly and assert on it without spinning up the rest of the app.

Two pieces live here:

  1. The grammar of allowed nodes: NODE_* constants plus the operator whitelists used by compare and arith nodes.

  2. The FIELD_RESOLVERS map - the only legal targets of a field node’s path. Anything outside this map (or the data.<key> prefix) is rejected at validation time, not at runtime. This is what keeps a malicious tenant from writing {"type":"field","path":"__builtins__"} and getting an interpreter handler to evaluate it.

The data.* namespace is open - keys are arbitrary because callers supply data per-event - but the resolver only snapshots scalar values from the request payload, never live attribute lookups.

class app.engine.dsl_ast.FieldResolution(path, kind, method=None, arg_fn=None)[source]

Bases: object

How to obtain the value of a whitelisted field.path at runtime.

Parameters:

  • path (str)

  • kind (str)

  • method (str | None)

  • arg_fn (Callable[[Any], Tuple[Any, ...]] | None)

app.engine.dsl_ast.is_valid_data_path(path)[source]

data.<key> where <key> is [A-Za-z0-9_]+.

Parameters:

path (str)

Return type:

bool

app.engine.dsl_ast.is_parent_field_path(path)[source]

parent.points / parent.case_name - only valid in post_rules.

Parameters:

path (str)

Return type:

bool

app.engine.dsl_ast.is_known_field_path(path)[source]

Either a whitelisted analytic/static path, a parent.* path (context-restricted by validator), or a well-formed data.* key.

Parameters:

path (str)

Return type:

bool

app.engine.dsl_ast.is_valid_case_name(value)[source]

Return whether value is a syntactically valid case name.

A valid case name is a string matching the case-name pattern (_CASE_NAME_RE).

Parameters:

value (Any) – Candidate value to check.

Returns:

boolTrue if value is a well-formed case name.

Return type:

bool

app.engine.dsl_ast.enumerate_field_paths(ast)[source]

Return every path referenced by a field node anywhere in the tree.

Parameters:

ast (Any)

Return type:

Set[str]

app.engine.dsl_ast.iter_program_rules(program)[source]

Iterate the rules list, tolerating a missing key (returns empty).

Parameters:

program (Dict[str, Any])

Return type:

Iterable[Dict[str, Any]]