fix(core): replace new Function() with CSP-safe SafeExpressionParser

Replaces eval()-equivalent `new Function()` in ExpressionCache.compileExpression()
with a recursive-descent SafeExpressionParser that works under strict CSP
headers that forbid 'unsafe-eval'.

Supports: comparisons, logical/ternary/nullish ops, arithmetic, unary,
dot/bracket/optional-chaining access, formula functions, Math.*, single-param
arrow functions (.filter/.map/.find), array literals, new Date()/RegExp(), all
literal types.

41 new CSP-safety tests added. All 822 tests pass."

Agent-Logs-Url: https://github.com/objectstack-ai/objectui/sessions/16c7c01e-a482-4f8c-b565-2e084a49162e

Co-authored-by: xuyushun441-sys <255036401+xuyushun441-sys@users.noreply.github.com>

Author: Copilot

CHANGELOG.md

@@ -17,6 +17,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- **CSP-safe expression evaluation** (`@object-ui/core`): Replaced `new Function()` in `ExpressionCache.compileExpression()` with a new `SafeExpressionParser` — a recursive-descent interpreter that evaluates expressions without any dynamic code execution. This fixes `Content Security Policy` violations (`'unsafe-eval' is not an allowed source of script`) that occurred when evaluating schema expressions like `${stage !== 'closed_won' && stage !== 'closed_lost'}` in enterprise deployments with strict CSP headers. The `SafeExpressionParser` supports the full ObjectUI expression language: all comparison and logical operators, ternary and nullish coalescing, arithmetic, unary operators (`!`, `-`, `+`, `typeof`), dot/bracket/optional-chaining member access, function calls (formula functions, method calls, `Math.*`), single-param arrow functions (for `.filter(u => u.isActive)`, `.map(x => x.name)` etc.), array literals, `new Date()` / `new RegExp()` constructors, and all literal types. The `ExpressionCache` public API is unchanged. 41 new tests added.
+
 - **CI build errors** (`@object-ui/console`): Removed unused imports (`resolveI18nLabel` in `HomePage.tsx`, `Upload`/`FileText` in `QuickActions.tsx`) that caused TS6133 errors. Fixed `appConfig` → `appConfigs[0]` in `i18n-translations.test.ts` (TS2552). Extracted `customReportsConfig` from aggregated `sharedConfig` into a standalone export so the mock server kernel includes the `sales_performance_q1` report, fixing `ReportView.test.tsx` failures.
 
 - **Charts groupBy value→label resolution** (`@object-ui/plugin-charts`): Chart X-axis labels now display human-readable labels instead of raw values. Select/picklist fields resolve value→label via field metadata options, lookup/master_detail fields batch-fetch referenced record names, and all other fields fall back to `humanizeLabel()` (snake_case → Title Case). Removed hardcoded `value.slice(0, 3)` truncation from `AdvancedChartImpl.tsx` XAxis tick formatters — desktop now shows full labels with angle rotation for long text, mobile truncates at 8 characters with "…".

packages/core/src/evaluator/ExpressionCache.ts

@@ -8,14 +8,16 @@
 
 /**
  * @object-ui/core - Expression Cache
- * 
+ *
  * Caches compiled expressions to avoid re-parsing on every render.
  * Provides significant performance improvement for frequently evaluated expressions.
- * 
+ *
  * @module evaluator
  * @packageDocumentation
  */
 
+import { SafeExpressionParser } from './SafeExpressionParser.js';
+
 /**
  * A compiled expression function that can be executed with context values
  */
@@ -112,16 +114,25 @@ export class ExpressionCache {
   }
 
   /**
-   * Compile an expression into a function
+   * Compile an expression into a CSP-safe callable function.
+   *
+   * Uses `SafeExpressionParser` — a recursive-descent interpreter — instead of
+   * `new Function()` so that the expression engine works under strict
+   * Content Security Policy headers that forbid `'unsafe-eval'`.
+   *
+   * The returned function re-creates the evaluation context on every call by
+   * zipping `varNames` with the positional `args`, matching the contract that
+   * `ExpressionEvaluator` depends on.
    */
   private compileExpression(expression: string, varNames: string[]): CompiledExpression {
-    // SECURITY NOTE: Using Function constructor for expression evaluation.
-    // This is a controlled use case with:
-    // 1. Sanitization check (isDangerous) performed by caller
-    // 2. Strict mode enabled ("use strict")
-    // 3. Limited scope (only varNames variables available)
-    // 4. No access to global objects (process, window, etc.)
-    return new Function(...varNames, `"use strict"; return (${expression});`) as CompiledExpression;
+    return (...args: unknown[]) => {
+      // Reconstruct the named variable context from positional arguments.
+      const context: Record<string, unknown> = {};
+      for (let i = 0; i < varNames.length; i++) {
+        context[varNames[i]] = args[i];
+      }
+      return new SafeExpressionParser().evaluate(expression, context);
+    };
   }
 
   /**