
Pilot google/cel-go as policy evaluation engine #2

@haasonsaas

Description

Context

  • Source: https://github.com/google/cel-go (2.9k★)
  • CEL (Common Expression Language) is the policy engine behind Kubernetes admission controllers, Envoy RBAC, and GCP IAM Conditions.

Why

  • mcp-firewall today enforces allow/deny policies for MCP tools, resources, prompts, and methods. Most rules are simple predicates on JSON-RPC envelopes — a natural CEL fit.
  • CEL is: side-effect-free, statically typed, fast (µs eval), sandboxed, with a familiar expression syntax that's easier for humans to author than Rego.
  • Keeps the door open to reuse the same rule surface in governance, approvals, and meter budget enforcement.

Plan

  • Prototype CEL-based rule evaluator alongside existing policy path (feature-flag)
  • Port a representative set of current rules to CEL; benchmark eval time
  • Define evalops-specific CEL variables: request.tool, request.resource, identity.agent_id, context.budget_remaining, etc.
  • Decide: replace current engine, or run CEL as a pre-filter in front of it

Non-goals

  • Full OPA/Rego replacement in services that need Datalog-style joins (governance may still want Rego)
