Skip to content

CEL Policies

PolicyMesh evaluates CEL rules against every node in the live graph, in-memory, at scan time. Drop a rule in ~/.cloudslash/policies/ and it is live without a restart.

The Policy Schema

Policies are declared in YAML files. Each rule defines a CEL condition that evaluates against node attributes in the Devi graph.

rules:
  - id: block-expensive-instances
    condition: "cost > 500.0"
    action: block
    message: "Resources costing over $500/mo require VP approval"
    enforcement_mode: enforcing
    target_kinds:
      - "ec2:instance"
      - "compute:instance"
      - "compute:vm"

  - id: require-env-tag
    condition: "!('env' in tags)"
    action: warn
    message: "Missing 'env' tag: SOC2 compliance requires environment tagging"
    enforcement_mode: shadow

  - id: ban-gp2-volumes
    condition: "kind == 'ebs:volume' && props.VolumeType == 'gp2'"
    action: violation
    message: "gp3 is 20% cheaper with decoupled IOPS. Migrate immediately."
    enforcement_mode: enforcing

  - id: detect-public-s3
    condition: "kind == 's3:bucket' && props.public_access == true"
    action: block
    message: "Public S3 bucket detected: data exposure risk"
    enforcement_mode: enforcing

CEL Expression Variables

These variables are computed by the engine pipeline and projected into the CEL evaluation context.

Variable Type Source Description
cost float64 Devi Monthly cost in USD
kind string Graph Resource type (e.g., ec2:instance)
provider string Graph Cloud provider (aws, gcp, azure)
region string Graph Cloud region
tags map[string]str Graph Resource tags
props map[string]any Graph All resource properties
is_waste bool Heuristics Engine waste determination
risk_score float64 Oracle Formal verification risk score (0-100)
reachability string Oracle Network reachability state
phase string s.a.u Remediation phase (flagged, quarantined, purged)

Enforcement Modes

Mode Behavior
enforcing Actively blocks s.a.u remediation and flags violations
shadow Logs violations without blocking: used for testing

Loading Policies

Via CLI Flag

cs scan --rules policies.yaml --fail-on=critical --region us-east-1
cs daemon --rules policies.yaml --region us-east-1

Via Configuration

# ~/.cloudslash/config.yaml
policies:
  active:
    - cost-guardrails
    - soc2-compliance

The daemon loads rules from ~/.cloudslash/policies/<bundle-name>/rules.yaml.

Via REST API

# Add rules dynamically to a running daemon
curl -X POST http://localhost:8080/api/v1/policies \
  -H "Content-Type: application/json" \
  -d '{
    "rules": [{
      "id": "block-public-rds",
      "condition": "kind == \"rds:instance\" && props.PubliclyAccessible == true",
      "action": "block",
      "message": "Public RDS endpoint detected"
    }]
  }'

# Toggle enforcement mode
curl -X POST http://localhost:8080/api/v1/policies/toggle \
  -d '{"rule_id": "block-public-rds"}'

# Dry-run evaluation without persistence
curl -X POST http://localhost:8080/api/v1/policies/dry-run \
  -d '{"condition": "cost > 1000 && provider == \"aws\""}'

Policy Evaluation

In CI/CD

Combine policy rules with the scan gate to enforce compliance in pull request pipelines:

cs scan --rules soc2-compliance.yaml --fail-on=warning --format=github-pr --region us-east-1

The scan exits with code 1 if any rule in soc2-compliance.yaml produces a warning or higher severity finding against the live infrastructure graph.