fix: parenthesize NegateExpr to avoid operator precedence ambiguity

not flow.name == "prod" could be parsed as (not flow.name) == "prod".
Using not (flow.name == "prod") is unambiguous.

Author: dangrondahl

internal/policy/expression.go

@@ -79,6 +79,7 @@ func UnwrapExpr(expr string) string {
 }
 
 // NegateExpr prefixes a raw (unwrapped) expression with the not operator.
+// Parentheses ensure correct evaluation regardless of operator precedence.
 func NegateExpr(raw string) string {
-	return fmt.Sprintf("not %s", raw)
+	return fmt.Sprintf("not (%s)", raw)
 }

internal/policy/expression_test.go

@@ -95,12 +95,12 @@ func TestUnwrapExpr_AlreadyRaw(t *testing.T) {
 
 func TestNegateExpr(t *testing.T) {
 	result := NegateExpr(`flow.name == "prod"`)
-	assert.Equal(t, `not flow.name == "prod"`, result)
+	assert.Equal(t, `not (flow.name == "prod")`, result)
 }
 
 func TestCombineAndNegate(t *testing.T) {
 	a := UnwrapExpr(FlowNameExpr("prod"))
 	b := NegateExpr(UnwrapExpr(ArtifactNameMatchExpr("^datadog:.*")))
 	result := CombineExprs("and", a, b)
-	assert.Equal(t, `${{ flow.name == "prod" and not matches(artifact.name, "^datadog:.*") }}`, result)
+	assert.Equal(t, `${{ flow.name == "prod" and not (matches(artifact.name, "^datadog:.*")) }}`, result)
 }

internal/policywizard/forms_test.go

@@ -447,7 +447,7 @@ func TestApply_ExprNegate_Yes_NegatesLastPending(t *testing.T) {
 	m.applyFormValues(formValues{confirm: true})
 
 	require.Len(t, m.pendingExprs, 1)
-	assert.Equal(t, `not flow.name == "prod"`, m.pendingExprs[0])
+	assert.Equal(t, `not (flow.name == "prod")`, m.pendingExprs[0])
 }
 
 func TestApply_ExprNegate_No_LeavesUnchanged(t *testing.T) {
@@ -587,7 +587,7 @@ func TestCombineFlow_NegatedExprWithOr(t *testing.T) {
 
 	require.Len(t, m.Policy.Artifacts.TrailCompliance.Exceptions, 1)
 	assert.Equal(t,
-		`${{ not flow.name == "staging" or exists(flow) }}`,
+		`${{ not (flow.name == "staging") or exists(flow) }}`,
 		m.Policy.Artifacts.TrailCompliance.Exceptions[0].If,
 	)
 }