feat(automation): add sandboxed template environment

surfsense_backend/app/automations/templating/environment.py

@@ -0,0 +1,43 @@
+"""SandboxedEnvironment construction with the audited filter/test allowlist."""
+
+from __future__ import annotations
+
+import json
+from datetime import datetime
+from typing import Any
+
+from jinja2 import StrictUndefined
+from jinja2.sandbox import SandboxedEnvironment
+
+from .allowlist import ALLOWED_FILTERS, ALLOWED_TESTS
+from .filters import filter_date, filter_slugify
+
+
+def _finalize(value: Any) -> Any:
+    """Stringify common non-string values at output sites."""
+    if value is None:
+        return ""
+    if isinstance(value, str):
+        return value
+    if isinstance(value, datetime):
+        return value.isoformat()
+    if isinstance(value, list | dict):
+        return json.dumps(value, ensure_ascii=False, default=str)
+    return value
+
+
+def _build_env() -> SandboxedEnvironment:
+    env = SandboxedEnvironment(
+        autoescape=False,
+        undefined=StrictUndefined,
+        finalize=_finalize,
+    )
+    env.globals.clear()
+    env.filters = {k: v for k, v in env.filters.items() if k in ALLOWED_FILTERS}
+    env.filters["date"] = filter_date
+    env.filters["slugify"] = filter_slugify
+    env.tests = {k: v for k, v in env.tests.items() if k in ALLOWED_TESTS}
+    return env
+
+
+ENV: SandboxedEnvironment = _build_env()