v0.1 · Go reference + 6 SDKs

A small, readable policy language

CrowdControl lets you write forbid / warn / permit rules against any JSON document. A security engineer who has never seen a .cc file before should be able to read a policy and understand it in under 30 seconds.

forbid "no-public-prod-storage" {
  description "Production storage must not be public"
  owner       "platform-security"

  resource.type == "storage_bucket"
  resource.environment == "production"
  resource.acl in ["public-read", "public-read-write"]

  unless user.groups contains "platform-oncall"

  message "{user.name} cannot make {resource.name} public in prod"
}

Why CrowdControl

Most policy languages were built for runtime authorization: "can this principal perform this action on this resource?" CrowdControl was built for a different question — "is this structured document acceptable under these rules?" — which turns out to cover a huge amount of what teams actually write policies for: Terraform plans, GitHub events, Kubernetes manifests, config files, change reviews.

Readable in 30 seconds

Every rule is a short block. No entity hierarchies, no comprehensions, no unification.

Zero dependencies

The Go reference implementation is pure stdlib. Every SDK uses only its host language's stdlib.

Static schema check

Optionally declare a JSON schema for the documents a policy evaluates; the checker then catches typos in dotted paths and type mismatches in conditions before a broken policy ships.

Explain mode

Per-condition trace shows exactly which check fired and what value it saw. Great for audits.

6 native SDKs

Go, Python, TypeScript, Ruby, Kotlin, PHP — all passing the same conformance suite.

Escape clauses built in

Use unless for exceptions. No awkward negation trees, no policy composition tricks.

A quick tour

CrowdControl rules come in three kinds:

  • forbid — denies when all conditions match, unless an escape clause saves it.
  • warn — same as forbid, but non-blocking. Tooling should surface it without failing.
  • permit — explicit allow. Useful for audit messages and default-deny mode.

Conditions operate on fields of a JSON document using dotted paths:

forbid "risk-score-cap" {
  # arithmetic + aggregates
  count(plan.destroys) * 3 + count(plan.creates) > 20

  unless author.teams contains "platform-team"

  message "risk score too high: {count(plan.destroys)} destroys, {count(plan.creates)} creates"
}
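To make the rule semantics above concrete, here is a small evaluator added for this page. It is not the CrowdControl reference implementation or any of its SDKs: rules are encoded as Python callables rather than parsed from .cc text. It implements what the tour describes for both policies shown on this page, no-public-prod-storage and risk-score-cap: every condition must hold, any unless clause suppresses the rule, only forbid blocks, and {dotted.path} and {count(...)} placeholders in message are interpolated. The extra warn rule public-storage-anywhere, the sample document, and the decision to treat a missing field as a non-match are assumptions made for this example, not behaviour documented on this page.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Any, Callable

Doc = dict[str, Any]
Cond = Callable[[Doc], bool]
_MISSING = object()  # sentinel: the dotted path did not resolve

def get(doc: Doc, path: str) -> Any:
    """Resolve a dotted path such as "resource.acl"; _MISSING when any segment is absent.
    Treating an absent field as a non-match rather than an error is this toy's choice."""
    cur: Any = doc
    for seg in path.split("."):
        if not isinstance(cur, dict) or seg not in cur:
            return _MISSING
        cur = cur[seg]
    return cur

def eq(path: str, want: Any) -> Cond:
    """`path == value`"""
    return lambda doc: get(doc, path) == want

def in_(path: str, *choices: Any) -> Cond:
    """`path in [...]`"""
    return lambda doc: get(doc, path) in choices

def contains(path: str, want: Any) -> Cond:
    """`path contains value` over a JSON array; a missing or non-list value never matches."""
    def check(doc: Doc) -> bool:
        val = get(doc, path)
        return isinstance(val, list) and want in val
    return check

def count(doc: Doc, path: str) -> int:
    """count(path): length of the JSON array at path, 0 when absent or not an array."""
    val = get(doc, path)
    return len(val) if isinstance(val, list) else 0

_PLACEHOLDER = re.compile(r"\{([^{}]+)\}")

def render(message: str, doc: Doc) -> str:
    """Fill {dotted.path} and {count(dotted.path)} placeholders; unknown paths stay visible."""
    def sub(m):
        expr = m.group(1)
        if expr.startswith("count(") and expr.endswith(")"):
            return str(count(doc, expr[6:-1]))
        val = get(doc, expr)
        return m.group(0) if val is _MISSING else str(val)
    return _PLACEHOLDER.sub(sub, message)

@dataclass
class Rule:
    kind: str          # "forbid", "warn" or "permit"
    name: str
    conds: list[Cond]  # every condition must hold for the rule to fire
    message: str
    unless: list[Cond] = field(default_factory=list)  # any match suppresses a fired rule

def evaluate(rules: list[Rule], doc: Doc) -> list[tuple[str, str, str]]:
    """(kind, name, rendered message) for each rule whose conds all hold and whose unless
    clauses all fail; this toy applies unless the same way to all three kinds."""
    return [(r.kind, r.name, render(r.message, doc)) for r in rules
            if all(c(doc) for c in r.conds) and not any(u(doc) for u in r.unless)]

def blocked(findings: list[tuple[str, str, str]]) -> bool:
    """Only forbid blocks; warn is surfaced but non-blocking, permit is an explicit allow."""
    return any(kind == "forbid" for kind, _, _ in findings)

# The two policies shown on this page, plus a constructed warn rule that is not on the page.
PUBLIC = in_("resource.acl", "public-read", "public-read-write")
RULES = [
    Rule("forbid", "no-public-prod-storage",
         [eq("resource.type", "storage_bucket"), eq("resource.environment", "production"), PUBLIC],
         "{user.name} cannot make {resource.name} public in prod",
         unless=[contains("user.groups", "platform-oncall")]),
    Rule("warn", "public-storage-anywhere",
         [eq("resource.type", "storage_bucket"), PUBLIC],
         "{resource.name} is publicly readable"),
    Rule("forbid", "risk-score-cap",
         [lambda doc: count(doc, "plan.destroys") * 3 + count(doc, "plan.creates") > 20],
         "risk score too high: {count(plan.destroys)} destroys, {count(plan.creates)} creates",
         unless=[contains("author.teams", "platform-team")]),
]

if __name__ == "__main__":
    # Constructed input (not from the page): a non-oncall user making a prod bucket public.
    doc = json.loads('{"user": {"name": "alice", "groups": ["devs"]}, "resource": {"type": '
                     '"storage_bucket", "environment": "production", "name": "logs", "acl": "public-read"}}')
    findings = evaluate(RULES, doc)
    for kind, name, message in findings:
        print(f"{kind} {name}: {message}")
    print("blocked:", blocked(findings))
```

Run as-is and the forbid fires for the non-oncall user while the warn is reported without blocking; change the group to platform-oncall and only the warn remains. One caveat worth keeping in mind when writing escape clauses like this one: unless reads user.groups from the very document being evaluated, so whatever produces that document decides who counts as on-call, and the exception is only as trustworthy as that producer.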

Next steps