fix(server): reject empty string list evaluator values

[lan17]

Summary

• reject empty-string list entries at list evaluator config validation time
• defensively filter exact empty strings in the evaluator so legacy invalid configs do not compile into a match-all regex
• add evaluator and server regression tests for both validation paths

Testing

• make evaluators-test
• make server-test
• make lint
• make typecheck

Fixes #120

[codecov]

Codecov Report

❌ Patch coverage is 88.88889% with 1 line in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...uiltin/src/agent_control_evaluators/list/config.py	85.71%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[abhinav-galileo]

This catches exact "" but allows whitespace-only strings like " " or "\t" through. Those produce similarly pathological regexes - e.g. \b(\ )\b in contains mode.

Consider using strip():

if any(isinstance(value, str) and value.strip() == "" for value in values):
    raise ValueError("values must not contain empty or whitespace-only strings")

Same change needed in the defensive filter in evaluator.py:38 (if value != "" -> if value.strip()).

[lan17]

Addressed in 319eede.

I broadened the guard from exact "" to any blank/whitespace-only string in both the config validator and the evaluator fallback. That now rejects values like " " and "\t" at validation time and defensively drops them for legacy invalid configs.

[abhinav-galileo]

This tests the denylist path (match_on="match"), but the original report was about an allowlist blocking all calls. Could we add a companion case with match_on="no_match" that asserts matched is False for normal input? That encodes the failure mode that prompted this fix.

Something like:

async def test_legacy_empty_string_allowlist_does_not_block_all(self) -> None:
    config = ListEvaluatorConfig.model_construct(
        values=[""],
        logic="any",
        match_on="no_match",
        match_mode="exact",
        case_sensitive=False,
    )
    evaluator = ListEvaluator(config)
    result = await evaluator.evaluate("legitimate_value")
    assert result.matched is False

[lan17]

Addressed in 319eede.

I added a companion legacy allowlist regression covering match_on="no_match", plus a whitespace-only legacy case. The evaluator tests now cover both the original failure mode and the broadened blank-string hardening.