Remove foot-gun per thread evaluattor fucntion.

Author: dbernstein

src/palace/manager/api/admin/controller/patron_auth_services.py

@@ -23,7 +23,7 @@
 )
 from palace.manager.api.authentication.patron_blocking_rules.rule_engine import (
     RuleValidationError,
-    get_evaluator,
+    make_evaluator,
     validate_rule_expression,
 )
 from palace.manager.integration.goals import Goals
@@ -175,7 +175,7 @@ def process_validate_patron_blocking_rule(self) -> Response | ProblemDetail:
             # missing test_identifier, network error, or ILS error response.
             live_values = protocol_class.fetch_live_rule_validation_values(settings)
 
-            evaluator = get_evaluator()
+            evaluator = make_evaluator()
             try:
                 validate_rule_expression(rule_expr, live_values, evaluator)
             except RuleValidationError as exc:

src/palace/manager/api/authentication/patron_blocking_rules/rule_engine.py

@@ -1,7 +1,6 @@
 from __future__ import annotations
 
 import re
-import threading
 from collections.abc import Callable, Mapping
 from dataclasses import dataclass, field
 from datetime import date
@@ -196,45 +195,11 @@ def age_in_years(
 )
 
 
-_evaluator_local: threading.local = threading.local()
-
-
-def get_evaluator(
-    allowed_functions: dict[str, Callable[..., Any]] | None = None,
-) -> EvalWithCompoundTypes:
-    """Return a per-thread evaluator for rule expression evaluation.
-
-    Admin validation and runtime blocking both use this so the evaluator
-    lifecycle is unified.  The evaluator is cached per thread and reused;
-    :func:`validate_rule_expression` and :func:`evaluate_rule_expression_strict_bool`
-    clear ``evaluator.names`` after each call so no data leaks between rules.
-
-    :param allowed_functions: Override the function whitelist.  Pass an empty
-        dict to disallow all functions.  Only the first call per thread uses
-        this; subsequent calls ignore it.
-    :returns: A configured :class:`~simpleeval.EvalWithCompoundTypes`.
-    """
-    evaluator = getattr(_evaluator_local, "evaluator", None)
-    if evaluator is None:
-        functions = (
-            allowed_functions
-            if allowed_functions is not None
-            else dict(DEFAULT_ALLOWED_FUNCTIONS)
-        )
-        evaluator = EvalWithCompoundTypes(functions=functions, names={})
-        _evaluator_local.evaluator = evaluator
-    return _evaluator_local.evaluator
-
-
 def make_evaluator(
     allowed_functions: dict[str, Callable[..., Any]] | None = None,
 ) -> EvalWithCompoundTypes:
     """Create a fresh locked-down :class:`~simpleeval.EvalWithCompoundTypes`.
 
-    Prefer :func:`get_evaluator` for production use so admin and runtime share
-    the same per-thread evaluator.  Use this when you need an isolated
-    evaluator (e.g. tests, or custom function sets).
-
     :param allowed_functions: Override the function whitelist.  Pass an empty
         dict to disallow all functions.
     :returns: A configured :class:`~simpleeval.EvalWithCompoundTypes`.
@@ -286,8 +251,7 @@ def validate_rule_expression(
         trial evaluation.  For live validation this is the dict returned by
         ``fetch_live_rule_validation_values``; it contains all raw SIP2
         response fields plus the normalised ``fines`` key.
-    :param evaluator: A locked-down evaluator from :func:`get_evaluator` or
-        :func:`make_evaluator`.
+    :param evaluator: A locked-down evaluator from :func:`make_evaluator`.
     :raises RuleValidationError: On any validation failure.
     """
     if not expr or not expr.strip():
@@ -344,8 +308,7 @@ def evaluate_rule_expression_strict_bool(
 
     :param expr: The raw rule expression string (same as stored).
     :param values: Mapping of placeholder key → runtime value.
-    :param evaluator: A locked-down evaluator from :func:`get_evaluator` or
-        :func:`make_evaluator`.
+    :param evaluator: A locked-down evaluator from :func:`make_evaluator`.
     :param rule_name: Optional identifier for the rule, included in error messages.
     :returns: ``True`` if the patron should be *blocked*, ``False`` otherwise.
     :raises RuleEvaluationError: On missing placeholders, parse/eval errors, or

src/palace/manager/integration/patron_auth/patron_blocking.py

@@ -20,7 +20,7 @@
 from palace.manager.api.authentication.patron_blocking_rules.rule_engine import (
     RuleEvaluationError,
     evaluate_rule_expression_strict_bool,
-    get_evaluator,
+    make_evaluator,
 )
 from palace.manager.api.problem_details import BLOCKED_BY_POLICY
 from palace.manager.util import MoneyUtility
@@ -124,10 +124,6 @@ def check_patron_blocking_rules_with_evaluator(
     evaluation continues with the next rule.  Only rules that successfully
     evaluate to ``True`` cause a block.
 
-    Uses a per-thread evaluator from :func:`~palace.manager.api.authentication
-    .patron_blocking_rules.rule_engine.get_evaluator` so the function is safe
-    to call from concurrent requests.
-
     :param rules: The list of :class:`PatronBlockingRule` objects for the library.
     :param values: Runtime placeholder values; for SIP2 providers this is the
         full raw SIP2 response dict (see :func:`build_values_from_sip2_info`).
@@ -136,7 +132,7 @@ def check_patron_blocking_rules_with_evaluator(
         (HTTP 403) if the patron should be blocked, or ``None`` if
         authentication should proceed normally.
     """
-    evaluator = get_evaluator()
+    evaluator = make_evaluator()
 
     for rule in rules:
         try: