Policy Grammar

Rules are declarative JSON. The policy engine evaluates every value passing through the compiler and applies the most restrictive matching action.

Rule shape

Each rule is a JSON object with an id, a condition tree, an action, and metadata:

{
  "id": "redact-ssn",
  "description": "Redact US Social Security numbers",
  "severity": "high",
  "condition": {
    "type": "regex",
    "pattern": "\\b\\d{3}-\\d{2}-\\d{4}\\b"
  },
  "action": "redact",
  "replacement": "[REDACTED_SSN]"
}

Condition types

# regex        — pattern match against the value
{ "type": "regex", "pattern": "", "flags": "i" }

# contains     — case-sensitive substring
{ "type": "contains", "value": "confidential" }

# equals       — exact match
{ "type": "equals", "value": "internal-only" }

# classify     — ML classifier tag produced by the core engine
{ "type": "classify", "tag": "pii:email" }

# and / or / not — boolean combinators
{ "type": "and", "rules": [ { "type": "contains", "value": "password" }, { "type": "regex", "pattern": "[A-Z0-9]{8,}" } ] }
{ "type": "or",  "rules": [ ... ] }
{ "type": "not", "rule": { "type": "regex", "pattern": "^public:" } }

Actions

# allow       — value passes through unchanged
# redact      — value is replaced by "replacement" (default: [REDACTED])
# block       — compilation fails with a PolicyViolation error
# audit-only  — value passes, but the match is recorded in the audit log
# warn        — value passes, emits a warning in the response

Severity

# low      — informational
# medium   — default; logged to audit
# high     — logged + included in monthly compliance report
# critical — logged + may trigger webhook / pager

Conflict resolution

# If multiple rules match the same value, the most restrictive wins:
#
#   block > redact > warn > audit-only > allow
#
# Severities break ties: a "high" redact beats a "medium" redact.
#
# Order within the rules array is irrelevant — the engine is order-free.

Full example

{
  "rules": [
    {
      "id": "pii-email",
      "description": "Redact email addresses in compiled output",
      "condition": { "type": "classify", "tag": "pii:email" },
      "action": "redact",
      "replacement": "[REDACTED_EMAIL]",
      "severity": "medium"
    },
    {
      "id": "no-company-secrets",
      "description": "Never compile anything marked internal",
      "condition": {
        "type": "or",
        "rules": [
          { "type": "contains", "value": "[INTERNAL]" },
          { "type": "regex", "pattern": "(?i)confidential|proprietary" }
        ]
      },
      "action": "block",
      "severity": "critical"
    },
    {
      "id": "audit-code-context",
      "description": "Log any code blocks in compiled context",
      "condition": { "type": "regex", "pattern": "```[\\s\\S]*?```" },
      "action": "audit-only",
      "severity": "low"
    }
  ]
}

Templates

Pre-built packs for common compliance frameworks. Review and customize before relying on them for your regulatory obligations.

# Built-in templates (apply via CLI or API):
soullayer policy apply-template --name hipaa
soullayer policy apply-template --name gdpr
soullayer policy apply-template --name soc2
soullayer policy apply-template --name pci-dss

# Templates are additive — they merge into your existing rules.
# Remove one with: soullayer policy remove-template --name hipaa