@viktoravelino (Collaborator) commented Jan 27, 2026

Jira: LE-160

This pull request adds comprehensive unit tests to ensure that the validate_prompt function correctly rejects complex and invalid Mustache syntax during the validation phase, addressing a previous regression where such syntax was only caught at runtime. It also updates the validation logic to call a dedicated Mustache template security function before extracting variables, ensuring robust pre-validation.

Testing improvements:

  • Added a new test suite test_validate_prompt_mustache.py that covers acceptance of simple Mustache variables, rejection of complex Mustache syntax (sections, conditionals, unescaped variables, partials, comments, etc.), invalid variable names, malformed syntax, and mixed content. This ensures that only simple, valid Mustache templates can be saved and that errors are caught early.

Validation logic enhancements:

  • Updated validate_prompt in api_utils.py to call validate_mustache_template before extracting variables, preventing complex Mustache syntax from being accepted during "Check & Save".

Summary by CodeRabbit

Release Notes

  • New Features

    • Added Mustache template validation in prompt processing to detect and reject complex syntax patterns (sections, conditionals, partials) while supporting simple variable references

  • Tests

    • Added unit test coverage for Mustache template validation, including scenarios for valid templates with simple and multiple variables, and rejection of unsupported syntax with descriptive error messages


    Add validation for complex mustache patterns (sections, conditionals,
    partials, etc.) in the validate_prompt function when using mustache mode.
    Previously, syntactically valid but unsupported patterns like
    {{#section}}{{/section}} were accepted during save but caused runtime
    errors with "Complex mustache syntax is not allowed".

    Now the same validation that runs at runtime also runs during the
    Check & Save phase, providing immediate feedback to users.
@viktoravelino viktoravelino self-assigned this Jan 27, 2026
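
The save-time gate described in the pull request above, as an added Python example that is not the project's own validate_mustache_template: it accepts only simple `{{variable}}` tags and rejects everything else before a prompt is stored. The names check_simple_mustache, save_prompt and verdict are hypothetical, and every error string except "Complex mustache syntax is not allowed" is constructed.

```python
import re

# Hypothetical names throughout; this is not the project's validate_mustache_template.
# Only the "Complex mustache syntax" message is from the page; the others are constructed.
SIMPLE_VAR = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# First characters that mark sections, inverted sections, closers, partials,
# comments, unescaped variables, delimiter changes and triple braces.
COMPLEX_SIGILS = "#^/>!&={"


def check_simple_mustache(template: str) -> list:
    """Return the variable names in order of first use, or raise ValueError."""
    variables = []
    pos = 0
    while (start := template.find("{{", pos)) != -1:
        end = template.find("}}", start + 2)
        if end == -1:
            raise ValueError(f"Malformed mustache syntax: unclosed tag at offset {start}")
        tag = template[start + 2:end].strip()
        if tag and tag[0] in COMPLEX_SIGILS:
            raise ValueError("Complex mustache syntax is not allowed")
        if not SIMPLE_VAR.fullmatch(tag):
            raise ValueError(f"Invalid mustache variable name: {tag!r}")
        if tag not in variables:
            variables.append(tag)
        pos = end + 2
    return variables


def save_prompt(store: dict, name: str, template: str) -> list:
    """Save-time gate: validate first, so a rejected template is never persisted."""
    variables = check_simple_mustache(template)
    store[name] = template
    return variables


def verdict(template: str) -> str:
    """Return 'ok' for an accepted template, otherwise the rejection message."""
    try:
        check_simple_mustache(template)
    except ValueError as exc:
        return str(exc)
    return "ok"


# Constructed sample templates.
SAMPLES = ["Hello {{name}}, order {{order_id2}}", "{{#items}}{{name}}{{/items}}",
           "{{{raw}}}", "{{> header}}", "{{! note }}", "{{user.name}}", "Hi {{name"]
REPORT = {s: verdict(s) for s in SAMPLES}
```

Calling the same checker from both the save path and the render path keeps the two from drifting apart, which is the regression this pull request addresses.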
@coderabbitai bot (Contributor) commented Jan 27, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

Adds validation for Mustache template syntax before variable extraction in API utilities. A new test module comprehensively validates that simple variables are accepted while complex Mustache patterns (sections, conditionals, loops, etc.) are rejected with appropriate error messages.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| New Mustache Validation Tests: src/backend/tests/unit/components/prompts/test_validate_prompt_mustache.py | 159 new lines of test coverage for Mustache template validation. Tests acceptance of simple/multiple variables, underscores, numeric suffixes, and empty templates. Includes regression tests rejecting complex syntax (sections, conditionals, inverted sections, unescaped variables, triple braces, partials, comments, nested sections, loops) and malformed syntax with appropriate error assertions. |
| API Mustache Pre-validation: src/lfx/src/lfx/base/prompts/api_utils.py | Adds 5 lines to introduce pre-validation step via validate_mustache_template call when is_mustache is True, prior to variable extraction. Enforces detection of complex Mustache patterns before processing. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 7
✅ Passed checks (7 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: adding validation for complex mustache syntax during the Check & Save phase. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 96.30% which is sufficient. The required threshold is 80.00%. |
| Test Coverage For New Implementations | ✅ Passed | PR includes comprehensive test coverage with 17+ functional test functions in test_validate_prompt_mustache.py covering acceptance/rejection scenarios, invalid variable names, and malformed syntax. The validate_prompt function correctly integrates the new validation logic. |
| Test Quality And Coverage | ✅ Passed | Test suite demonstrates high quality with 25 comprehensive tests organized into logical groups: 6 acceptance tests for simple variables, 10 rejection tests for complex syntax, 5 invalid name tests, 3 malformed syntax tests, and 2 mixed content tests. All tests properly validate error messages and return values. |
| Test File Naming And Structure | ✅ Passed | The pull request successfully meets all test file naming and structure requirements with comprehensive test coverage. |
| Excessive Mock Usage Warning | ✅ Passed | Test file demonstrates excellent design with zero mocks, directly testing real validate_prompt function behavior using pytest.raises for exceptions and comprehensive coverage of valid and invalid patterns. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


@github-actions github-actions bot added bug Something isn't working and removed bug Something isn't working labels Jan 27, 2026
@Cristhianzl (Member) left a comment

lgtm

@github-actions github-actions bot added the lgtm This PR has been approved by a maintainer label Jan 27, 2026
@codecov bot commented Jan 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 34.90%. Comparing base (a097b68) to head (d75f2f1).
⚠️ Report is 1 commits behind head on main.

❌ Your project status has failed because the head coverage (41.71%) is below the target coverage (60.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files


@@            Coverage Diff             @@
##             main   #11461      +/-   ##
==========================================
+ Coverage   34.88%   34.90%   +0.02%     
==========================================
  Files        1420     1420              
  Lines       68215    68217       +2     
  Branches     9984     9984              
==========================================
+ Hits        23797    23812      +15     
+ Misses      43184    43171      -13     
  Partials     1234     1234              

| Flag | Coverage Δ |
| --- | --- |
| backend | 54.21% <ø> (+0.07%) ⬆️ |
| lfx | 41.71% <100.00%> (+<0.01%) ⬆️ |

Flags with carried forward coverage won't be shown.

| Files with missing lines | Coverage Δ |
| --- | --- |
| src/lfx/src/lfx/base/prompts/api_utils.py | 58.01% <100.00%> (+0.65%) ⬆️ |

... and 3 files with indirect coverage changes


@github-actions github-actions bot added bug Something isn't working and removed bug Something isn't working labels Jan 27, 2026
@viktoravelino viktoravelino added this pull request to the merge queue Jan 27, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 27, 2026
@viktoravelino viktoravelino added this pull request to the merge queue Jan 27, 2026
Merged via the queue into main with commit 4b056b4 Jan 27, 2026
37 of 38 checks passed
@viktoravelino viktoravelino deleted the fix/LE-160 branch January 27, 2026 19:21
Labels: bug, lgtm