llmguard: replace raw eval() with a safe AST-based evaluator

[RinZ27]

Hardened the policy evaluation by ditching raw eval(). Instead of relying on a whitelist and then compiling, I wrote a dedicated AST walker that only knows how to handle the specific logic we actually use. It keeps things strictly contained while preserving all the boolean and comparison features we need.

• Removed eval(compile(tree, ...)) entirely.
• Added a _safe_eval method to compute results based on a strict set of supported operations.
• Maintained support for existing policy logic.

[crivetimihai]

Review and Updates

Rebased onto main and made the following changes:

Fixes Applied

1. Short-circuit evaluation - Fixed a security regression where eager evaluation of and/or operands could turn a deny into an allow when a missing filter caused an exception. Now uses lazy evaluation to preserve Python's short-circuit semantics:

   • False and MissingFilter → returns False (deny) without evaluating MissingFilter
   • True or MissingFilter → returns True (allow) without evaluating MissingFilter

2. Removed deprecated ast.Num - Removed handling for ast.Num which is deprecated and removed in Python 3.14. Not needed since Python 3.11+ uses ast.Constant for all literals.

Tests Added

Added tests/test_policy.py with 24 unit tests covering:

• Short-circuit semantics (4 tests)
• Boolean operations (8 tests)
• Constant handling (2 tests)
• Security/rejection of dangerous operations (6 tests)
• Edge cases (4 tests)

Behavioral Note

The new evaluator accepts boolean constants (True/False) in policies. This is a minor behavioral change from the old code which rejected them on Python 3.11+ (returning "Invalid expression"). The new behavior is more intuitive: policy: "False" now correctly denies rather than allowing due to a truthy error string.