fix: Prevent context attributes from influencing judge template parsing

[jsonbailey]

Requirements

• I have added test coverage for new or changed functionality
• I have followed the repository's pull request submission guidelines
• I have validated my changes against all supported platform versions

Related issues

Addresses SEC-8020. Mirrors the fix applied in the Go server SDK (go-server-sdk@3317871). A matching Python SDK PR has also been opened in launchdarkly/python-server-sdk-ai.

Describe the solution you've provided

The Judge's _interpolateMessage previously used Mustache.render() to substitute {{message_history}} and {{response_to_evaluate}} placeholders (pass 2). Because pass 1 (LDAIClientImpl) already resolves user/context attributes via Mustache, an attacker who controls a context attribute could inject Mustache control sequences (e.g. {{=[ ]=}} delimiter-change tags) that corrupt pass 2, effectively blinding the judge to the actual conversation content.

This PR replaces the Mustache call in _interpolateMessage with a literal Object.entries().reduce() using split().join() for string replacement. Since the judge only ever substitutes two known placeholders, a full template engine is unnecessary. The mustache dependency remains because LDAIClientImpl still uses it for general config interpolation (pass 1).

Key changes:

• Judge.ts: Remove Mustache import; replace Mustache.render() with reduce + split().join() over the known placeholder keys.
• Judge.test.ts: Add template injection prevention describe block with regression tests covering delimiter changes, partials, comments, triple-stache, sections, inverted sections, injection via response, multiple placeholder occurrences, and preservation of Mustache-like syntax inside substituted values.

Describe alternatives you've considered

• Using String.prototype.replaceAll() — not available with the es2020 target; split().join() is the standard workaround.
• Using a for...of loop — disallowed by the repo's ESLint no-restricted-syntax rule; reduce is the idiomatic alternative.
• Escaping Mustache special characters in the input before rendering — more complex and fragile than removing the template engine entirely for this use case.

Additional context

Reviewers should verify:

• The split().join() pattern correctly handles all occurrences of each placeholder (it does — split with a string literal is equivalent to a global literal replace).
• The mustache package remains in dependencies since LDAIClientImpl.ts still imports it for pass 1.
• Tests access _constructEvaluationMessages via (judge as any) cast — this is the simplest way to exercise the interpolation logic end-to-end without mocking the full provider invocation.

Link to Devin session: https://app.devin.ai/sessions/651e799b906748a4834bafefb4a3e3e5
Requested by: @jsonbailey

---

Note

Medium Risk
Touches judge prompt construction logic to mitigate a template-injection vulnerability; while localized, it changes how placeholders are detected/replaced and could affect existing judge message templates that relied on Mustache behavior.

Overview
Hardens Judge prompt construction against template injection. Judge._interpolateMessage no longer uses Mustache.render; it now performs a literal {{key}} string replacement for known variables so attacker-controlled strings like {{=[ ]=}} cannot alter parsing in the second interpolation pass.

Adds a new template injection prevention test suite covering delimiter changes, sections/partials/comments, injection via response/history, multiple placeholder occurrences, and ensuring Mustache-like syntax in substituted values is preserved as literal text.

^{Reviewed by Cursor Bugbot for commit f24a371. Bugbot is set up for automated code reviews on this repo. Configure here.}

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

@cursor review

[github-actions]

@launchdarkly/js-sdk-common size report
This is the brotli compressed size of the ESM build.
Compressed size: 25623 bytes
Compressed size limit: 29000
Uncompressed size: 125843 bytes

[github-actions]

@launchdarkly/js-client-sdk size report
This is the brotli compressed size of the ESM build.
Compressed size: 31649 bytes
Compressed size limit: 34000
Uncompressed size: 112792 bytes

[github-actions]

@launchdarkly/browser size report
This is the brotli compressed size of the ESM build.
Compressed size: 179372 bytes
Compressed size limit: 200000
Uncompressed size: 829982 bytes

[github-actions]

@launchdarkly/js-client-sdk-common size report
This is the brotli compressed size of the ESM build.
Compressed size: 37169 bytes
Compressed size limit: 38000
Uncompressed size: 204305 bytes

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit fcc72ae. Configure here.}

[joker23]

Just want to make sure that we are okay with this matching since \w+ will only match alphanumerics and _ (?). So whitespace and some common special characters will not pass.

[devin-ai-integration]

Correct — \w+ matches [a-zA-Z0-9_]. The only two placeholders used in pass 2 are message_history and response_to_evaluate, which are purely alphanumeric + underscores. Anything that doesn't match a key in the variables map is left as-is (the callback returns match for unknown keys), so non-matching patterns like {{> partial}} or {{=[ ]=}} pass through untouched.