Skip to content
This repository was archived by the owner on Apr 16, 2026. It is now read-only.
This repository was archived by the owner on Apr 16, 2026. It is now read-only.

Upgrade policy engine to full CEL evaluation #11

Description

@haasonsaas

Summary

The policy condition evaluator is a hand-rolled parser that only supports &&, basic equality, and a single .exists() function. This is too limited for real policy expressions.

Current state

  • internal/authz/policy/engine.go:141-212 — custom condition parser
  • Supports: request.tool == "github", session.agent_id == "agent_123", session.tool_context.exists(t, t == "browser")
  • Only && (AND) — no || (OR), no ! (NOT), no parentheses
  • No regex or glob matching
  • No string functions (startsWith, contains, endsWith)
  • No time functions for temporal policies
  • Conditions are parsed at evaluation time, not pre-compiled

Required work

  • Replace the custom parser with github.com/google/cel-go
  • Define a CEL environment with the available variables: request.*, session.*, grant.*
  • Pre-compile conditions at policy registration time — reject invalid expressions early
  • Add a standard function library: string functions, time functions, list operations
  • Support full boolean logic: &&, ||, !, parentheses
  • Add policy validation endpoint or CLI command to test conditions before deployment
  • Migrate existing condition strings (simple equality) to CEL syntax (should be backwards-compatible)

Files

  • internal/authz/policy/engine.go — replace evaluator
  • internal/authz/policy/engine_test.go — update tests for CEL expressions

Priority

Medium — current evaluator works for basic cases but won't scale to real policy needs.

🤖 Generated with Claude Code

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions