feat: add simple expression-evaluator package

[barak007]

This PR introduces a new package @tokey/expression-evaluator - a safe, AST-based expression evaluator that uses a restricted parser instead of eval() or new Function(). Designed for evaluating user-facing conditional expressions (e.g. show/hide rules) against a known context object, with built-in security restrictions.

Supported expressions

• Literals: strings (single, double, backtick quotes), numbers (integer and float), booleans, null, undefined
• Property access: element.tag, declaration.property
• Comparisons: ===, !==, ==, !=, >, <, >=, <=
• Logical operators: &&, ||, ! — with short-circuit evaluation
• Array literals with .includes(): ['a', 'b'].includes(element.tag)
• Parenthesized expressions: (a === 'x') && (b > 1)

Security

• Blocks access to window, document, globalThis, and Object prototype properties (constructor, __proto__, toString)
• Only allows property access on keys that exist in the provided context
• Only allows .includes() on arrays - no other methods permitted

API

• compileExpression(expr): parse once, evaluate many times
• safeEvaluateExpression(expr, context): evaluate once, returns false on any error
• validateExpressionSyntax(expr): syntax check only, returns null if valid