This repository was archived by the owner on Apr 16, 2026. It is now read-only.

Upgrade policy engine to full CEL evaluation #11

@haasonsaas

Description

Summary

The policy condition evaluator is a hand-rolled parser that only supports &&, basic equality, and a single .exists() function. This is too limited for real policy expressions.

Current state

  • internal/authz/policy/engine.go:141-212 — custom condition parser
  • Supports: request.tool == "github", session.agent_id == "agent_123", session.tool_context.exists(t, t == "browser")
  • Only && (AND) — no || (OR), no ! (NOT), no parentheses
  • No regex or glob matching
  • No string functions (startsWith, contains, endsWith)
  • No time functions for temporal policies
  • Conditions are parsed at evaluation time, not pre-compiled

Required work

  • Replace the custom parser with github.com/google/cel-go
  • Define a CEL environment with the available variables: request.*, session.*, grant.*
  • Pre-compile conditions at policy registration time — reject invalid expressions early
  • Add a standard function library: string functions, time functions, list operations
  • Support full boolean logic: &&, ||, !, parentheses
  • Add policy validation endpoint or CLI command to test conditions before deployment
  • Migrate existing condition strings (simple equality) to CEL syntax (should be backwards-compatible)

Files

  • internal/authz/policy/engine.go — replace evaluator
  • internal/authz/policy/engine_test.go — update tests for CEL expressions

Priority

Medium — current evaluator works for basic cases but won't scale to real policy needs.

🤖 Generated with Claude Code
