fix: reject empty value for comparison and matches operators

Empty values produced expressions like ${{ flow.name == "" }} which
are technically valid but likely unintended. The exists operator
correctly allows empty values since it takes no argument.

Author: dangrondahl

internal/policywizard/forms.go

@@ -383,12 +383,20 @@ func (m *Model) applyFormValues(fv formValues) {
 		case "exists":
 			m.storeSubExpr(policy.ExistsExpr(m.exprContext))
 		case "matches":
+			if fv.str == "" {
+				m.validationErr = "regex pattern is required for matches"
+				return
+			}
 			if err := validateRegex(fv.str); err != nil {
 				m.validationErr = err.Error()
 				return
 			}
 			m.storeSubExpr(policy.MatchesExpr(m.exprContext, fv.str))
 		default:
+			if fv.str == "" {
+				m.validationErr = "value is required"
+				return
+			}
 			m.storeSubExpr(policy.ComparisonExpr(m.exprContext, fv.operator, fv.str))
 		}
 

internal/policywizard/forms_test.go

@@ -454,6 +454,28 @@ func TestApply_ExprCustomOp_SwitchOperatorClearsError(t *testing.T) {
 	require.Len(t, m.pendingExprs, 1)
 }
 
+func TestApply_ExprCustomOp_EmptyValueRejected(t *testing.T) {
+	m := newTestModel()
+	m.step = stepExprCustomOp
+	m.exprContext = "flow.name"
+
+	m.applyFormValues(formValues{operator: "==", str: ""})
+
+	assert.Empty(t, m.pendingExprs)
+	assert.Contains(t, m.validationErr, "value is required")
+}
+
+func TestApply_ExprCustomOp_MatchesEmptyRegexRejected(t *testing.T) {
+	m := newTestModel()
+	m.step = stepExprCustomOp
+	m.exprContext = "flow.name"
+
+	m.applyFormValues(formValues{operator: "matches", str: ""})
+
+	assert.Empty(t, m.pendingExprs)
+	assert.Contains(t, m.validationErr, "regex pattern is required")
+}
+
 func TestApply_ExprCustomOp_ExistsStoresPending(t *testing.T) {
 	m := newTestModel()
 	m.step = stepExprCustomOp