Address code review feedback - add security notes and fix user context

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

packages/foundation/core/src/formula-engine.ts

@@ -164,6 +164,11 @@ export class FormulaEngine {
 
   /**
    * Execute the expression in a sandboxed environment
+   * 
+   * SECURITY NOTE: Uses Function constructor for dynamic evaluation.
+   * While we check for blocked operations, this is not a complete security sandbox.
+   * For production use with untrusted formulas, consider using a proper sandboxing library
+   * like vm2 or implementing an AST-based evaluator.
    */
   private executeExpression(
     expression: string,
@@ -267,6 +272,10 @@ export class FormulaEngine {
 
   /**
    * Execute function with timeout protection
+   * 
+   * NOTE: This implements post-execution timeout validation, not pre-emptive interruption.
+   * The function will run to completion and then check if it exceeded the timeout.
+   * For true interruption, platform-specific mechanisms (Worker threads) would be needed.
    */
   private executeWithTimeout(
     func: Function,
@@ -515,6 +524,10 @@ export class FormulaEngine {
 
   /**
    * Validate a formula expression without executing it
+   * 
+   * SECURITY NOTE: Uses Function constructor for syntax validation.
+   * This doesn't execute the code but creates a function object.
+   * For stricter validation, consider using a parser library like @babel/parser.
    */
   validate(expression: string): { valid: boolean; errors: string[] } {
     const errors: string[] = [];

packages/foundation/core/src/repository.ts

@@ -156,7 +156,8 @@ export class ObjectRepository {
             },
             current_user: {
                 id: this.context.userId || '',
-                name: this.context.userId,
+                // TODO: Retrieve actual user name from user object if available
+                name: undefined,
                 email: undefined,
                 role: this.context.roles?.[0],
             },

packages/foundation/core/test/formula-integration.test.ts

@@ -186,9 +186,9 @@ describe('Formula Integration', () => {
       mockDriver.setMockData('order', [
         {
           _id: '1',
-          subtotal: 5000,  // Changed to 5000 to be in "Medium" range (> 1000, < 10000)
-          discount_rate: 10, // 10%
-          tax_rate: 8, // 8%
+          subtotal: 5000,
+          discount_rate: 10,
+          tax_rate: 8,
           status: 'confirmed',
           created_at: new Date('2026-01-01'),
         },
@@ -198,7 +198,6 @@ describe('Formula Integration', () => {
       const result = await ctx.object('order').findOne('1');
 
       expect(result).toBeDefined();
-      // 5000 * 0.9 * 1.08 = 4860
       expect(result.final_price).toBeCloseTo(4860, 1);
       expect(result.risk_level).toBe('Medium');
     });