Skip to main content

Deny by default

The Code Step validator rejects any function or method call that is not on the allow-list below. Validation runs before execution, so disallowed calls never run.

Built-in Functions

abs(value)      all(values)       any(values)   bool(value)
dict(value)     enumerate(values) float(value)  int(value)
len(value)      list(value)       max(values)   min(values)
print(*values)  range(stop)       round(value)  set(value)
sorted(values)  str(value)        sum(values)   tuple(value)
print(...) writes a user-facing system note for Code Step diagnostics. It supports multiple values plus sep and end; multi-line output is split into separate system notes. range accepts range(stop), range(start, stop), and range(start, stop, step).

Allowed Methods

value.append(item)     value.endswith("x")  value.get("key")
value.join(items)      value.lower()        value.lstrip()
value.replace("a","b") value.rstrip()       value.split(",")
value.startswith("x")  value.strip()        value.upper()
Most allowed methods are string methods. get is allow-listed for dictionary-style values, and append is allow-listed for list-building.

Flow Helpers

coalesce(value, default)
is_empty(value)
is_not_empty(value)
map_value(key, mapping, default)
  • coalesce(value, default) — returns default when value is None or ""
  • is_empty(value) — true for None, "", [], or {}
  • is_not_empty(value) — the inverse of is_empty
  • map_value(key, mapping, default) — lowercases and strips string keys before lookup

Type Helpers

is_string(value)   is_number(value)
is_list(value)     is_dict(value)
is_number returns true for int or float, but false for bool.

Object and Path Helpers

get_variable(ref, default)          set_variable(ref, value)
get_object(type_id, path, default)  set_object(type_id, path, value)
get_path(obj, path, default)        set_path(obj, path, value)
commit_contact_timezone(iana, state, city)
commit_composite_outputs()
Prefer {{...}} placeholder syntax for normal variable access. Use these helpers when working with dynamic dictionaries inside the code.
  • commit_contact_timezone(iana, state, city) — validates an Australian IANA timezone, updates the current contact’s timezone and location, refreshes runtime calendar timezone state, and writes the canonical {{contact.*}} and {{timezone.*}} result variables. With no arguments it reads {{timezone.resolved_iana}}, {{timezone.resolved_state}}, and {{timezone.resolved_city}}.
  • commit_composite_outputs() — inside a sub-flow, commits declared parent composite output variables before the sub-flow returns, and returns the sorted output ids it mapped. Outside a composite context it returns an empty list.

Date Helpers

now()       today()
parse_datetime(value)
format_datetime(value, fmt)
timezone_offset(iana, at)
parse_datetime uses Python ISO parsing:
parse_datetime("2026-05-29")
parse_datetime("2026-05-29T14:30:00")
timezone_offset(iana, at) returns the UTC offset for an IANA timezone at a specific datetime. If at is omitted it uses the current datetime; if at has no offset it is treated as local wall time in the supplied timezone. Invalid input returns "".
timezone_offset("Australia/Sydney", "2026-06-02T10:00:00")

Random Helpers

random_int(min_value, max_value)
random_choice(values)
random_shuffle(values)
  • random_int(min_value, max_value) — an integer between the bounds, inclusive
  • random_choice(values) — one item from a non-empty list, or None when empty
  • random_shuffle(values) — a shuffled copy of the list; the original is not mutated

Regex Helper

regex_match(pattern, value)
def run():
    email = {{contact.email}}
    return regex_match(r"^[^@\s]+@[^@\s]+\.[^@\s]+$", email)

JSON Helpers

json_loads(value)   json_dumps(value)
Parse a JSON string into Python data:
def run():
    raw = {{webhook.response}}
    data = json_loads(raw)
    return bool(data.get("email"))
Serialize Python data into a JSON string:
def run():
    payload = {"email": {{contact.email}}, "active": True}
    {{webhook.response}} = json_dumps(payload)
    return True

Not Allowed

  • import or from ... import ...
  • Filesystem, network, shell, or subprocess access
  • Reflection and dynamic execution — eval, exec, compile, open, __import__
  • Dunder names or dunder attributes
  • Lambdas, nested functions, classes
  • Any unlisted function or method

Next Steps