Policy Expression Language

Declarative expression language for policy.where clauses

Purpose

The policy expression language provides a simple, safe, and deterministic way to define access control and behavior constraints in policy.where clauses.

Design Philosophy

Simple

Minimal syntax for common use cases

Safe

No code execution or side effects

Deterministic

Same input always produces same result

JSONPath-like

Familiar to developers using JSON query languages

Grammar

expression     = comparison | logical_expr | literal

comparison     = accessor operator value
logical_expr   = expression logical_op expression
               | "(" expression ")"
               | "not" expression

accessor       = identifier *("." identifier | "[" index "]")
identifier     = ALPHA *(ALPHA | DIGIT | "_")
index          = DIGIT+ | STRING

operator       = "==" | "!=" | ">" | "<" | ">=" | "<="
               | "~" | "!~" | "in" | "not in"
               | "contains" | "starts_with" | "ends_with"

logical_op     = "&&" | "||" | "and" | "or"

value          = STRING | NUMBER | BOOLEAN | NULL | array
array          = "[" [value *("," value)] "]"

STRING         = "'" *CHAR "'"
NUMBER         = ["-"] DIGIT+ ["." DIGIT+]
BOOLEAN        = "true" | "false"
NULL           = "null"

Operators

Comparison Operators

Operator	Description	Example
`==`	Equality	`tool.type == 'http'`
`!=`	Inequality	`tool.type != 'system'`
`>`	Greater than	`message.priority > 5`
`<`	Less than	`context.window < 8192`
`>=`	Greater or equal	`runtime.memory_mb_min >= 512`
`<=`	Less or equal	`runtime.cpu_cores_min <= 4`

String Operators

Operator	Description	Example
`~`	Regex match	`tool.endpoint ~ '^https://internal\\.corp'`
`!~`	Regex non-match	`tool.endpoint !~ 'external'`
`contains`	Substring test	`message.payload contains 'urgent'`
`starts_with`	Prefix test	`agent.id starts_with 'ajson://internal'`
`ends_with`	Suffix test	`tool.endpoint ends_with '.internal.corp'`

Collection Operators

Operator	Description	Example
`in`	Membership test	`tool.type in ['http', 'function']`
`not in`	Non-membership	`tool.type not in ['system', 'plugin']`

Logical Operators

Operator	Description	Example
`&&` / `and`	Logical AND	`tool.type == 'http' && tool.auth.method == 'none'`
`\|\|` / `or`	Logical OR	`message.priority > 8 \|\| message.urgent == true`
`not`	Logical NOT	`not (tool.type in ['system', 'plugin'])`

Operator Precedence

From highest to lowest:

1. Parentheses: ( )
2. Unary: not
3. Comparison: ==, !=, >, <, >=, <=
4. String/Collection: ~, !~, in, not in, contains, starts_with, ends_with
5. Logical AND: &&, and
6. Logical OR: ||, or

Context Variables

Expressions evaluate against a context object containing:

{
  "tool": {          // Current tool being invoked
    "id": "...",
    "type": "...",
    "endpoint": "...",
    ...
  },
  "message": {       // Current message envelope
    "from": "...",
    "to": "...",
    "payload": {...},
    "intent": "...",
    ...
  },
  "agent": {         // Current agent manifest
    "id": "...",
    "name": "...",
    ...
  },
  "runtime": {       // Runtime context
    "environment": "production",
    "timestamp": "2025-11-10T00:00:00Z",
    ...
  }
}

Examples

Simple Comparison

{
  "id": "deny-http-no-auth",
  "effect": "deny",
  "action": "tool.call",
  "where": "tool.type == 'http' && tool.auth.method == 'none'"
}

Denies calls to HTTP tools that don't have authentication configured.

Regex Pattern Matching

{
  "id": "deny-external-endpoints",
  "effect": "deny",
  "action": "tool.call",
  "where": "tool.endpoint !~ '^https://.*\\.internal\\.corp'"
}

Blocks access to any endpoints outside the internal corporate domain.

Complex Logic

{
  "id": "audit-sensitive-messages",
  "effect": "audit",
  "action": "message.send",
  "where": "(message.payload contains 'password' || message.payload contains 'api_key') && not (message.to starts_with 'ajson://internal')"
}

Audits messages containing sensitive keywords being sent to external agents.

Collection Membership

{
  "id": "allow-safe-tools",
  "effect": "allow",
  "action": "tool.call",
  "where": "tool.type in ['function', 'http'] && tool.id in ['tool://safe/search', 'tool://safe/summarize']"
}

Allows only specific whitelisted tools of approved types.

Evaluation Semantics

Type Coercion

Comparisons between incompatible types evaluate to false
String comparisons are case-sensitive
Numbers are compared numerically
Booleans compare by value (true > false)

Missing Fields

Accessing non-existent fields returns null
null == null evaluates to true
null compared to any non-null value evaluates to false

Short-Circuit Evaluation

&&: If left operand is false, right operand is not evaluated
||: If left operand is true, right operand is not evaluated

Implementation Guidance

Security

MUST NOT execute arbitrary code
MUST limit recursion depth (recommended: 10 levels)
MUST prevent regex denial-of-service (ReDoS)
SHOULD implement expression complexity limits

Performance

Evaluate in constant or linear time when possible
Cache compiled expressions
Optimize common patterns (e.g., simple equality)

Error Handling

Syntax errors SHOULD fail policy evaluation (fail-closed)
Runtime errors MAY log warnings
Invalid regex patterns MUST fail at compile time

Future Extensions

Functions: length(), upper(), lower()
Array operations: map(), filter()
Temporal operators: before, after
Quantifiers: exists, forall

Learn More

Read the complete policy expression language specification in Appendix B

View Full Specification

Related Resources

Continue exploring JSON AGENTS

Full Specification

Read the complete JSON Agents specification including the Gov profile with policy definitions

Implementer's Guide

Learn how to implement and evaluate policy expressions in your agent runtime environment

Gov Profile Examples

Explore governance profile examples with real-world policy rules and access control patterns

Getting Started

Quick introduction to JSON Agents including basic policy configuration examples