Quickstart
Install the cc CLI, write a one-rule policy, and evaluate it against a JSON document. Five minutes end to end.
1. Install the CLI
go install github.com/mikemackintosh/crowdcontrol/cmd/cc@latest
If you don't have Go installed, see the installation page for binary releases and other options.
2. Write a policy
mkdir -p policies
cat > policies/rules.cc <<'EOF'
forbid "no-admin-deletes-by-interns" {
  user.role == "intern"
  request.action == "delete"
  resource.environment == "production"
  message "{user.name} is an intern and cannot delete production resources"
}
EOF
3. Create an input document
cat > input.json <<'EOF'
{
  "user": {"name": "alex", "role": "intern"},
  "request": {"action": "delete"},
  "resource": {"environment": "production"}
}
EOF
4. Evaluate
cc evaluate --policy ./policies --input ./input.json
Output:
DENY: alex is an intern and cannot delete production resources (no-admin-deletes-by-interns)
The process exits with status 1 because at least one forbid rule denied the document.
Tip
Use cc evaluate --explain to get a per-condition trace showing exactly which checks fired and what values were resolved.
5. Add an escape clause
Most real policies need exceptions. Use unless:
forbid "no-admin-deletes-by-interns" {
  user.role == "intern"
  request.action == "delete"
  resource.environment == "production"
  unless user.groups contains "platform-oncall"
  message "{user.name} is an intern and cannot delete production resources"
}
Now the rule fires unless the user is on the platform on-call rotation. Multiple unless clauses are OR'd: if any one of them is true, the rule does not fire.
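A regression check for the step 5 rule, as an added example that is not part of the CrowdControl documentation: it feeds constructed input documents to cc evaluate and compares exit statuses, so a change that widens the exception is caught. It assumes cc is on PATH, that ./policies holds the step 5 rule, and that cc exits 0 when no forbid rule denies; the function names and the "interns" and "staging" values are hypothetical.

```bash
#!/bin/sh
# Added example: regression cases for the step 5 rule (not project code).
# Assumptions: cc is on PATH, $POLICY_DIR holds the step 5 rule, and cc
# exits 0 when no forbid rule denies (the page documents only status 1).
POLICY_DIR="${POLICY_DIR:-./policies}"

# expect_status WANT NAME JSON (hypothetical helper)
# Writes one constructed input document to a temp directory, evaluates it,
# and compares cc's exit status with WANT.
expect_status() {
  es_want="$1"; es_name="$2"; es_doc="$3"
  es_dir="$(mktemp -d)" || return 2
  printf '%s\n' "$es_doc" > "$es_dir/input.json"
  es_got=0
  cc evaluate --policy "$POLICY_DIR" --input "$es_dir/input.json" \
    >/dev/null 2>&1 || es_got=$?
  rm -rf "$es_dir"
  if [ "$es_got" -eq "$es_want" ]; then
    echo "ok   $es_name"
  else
    echo "FAIL $es_name: exit status $es_got, wanted $es_want"
    return 1
  fi
}

# run_cases: returns non-zero if any case disagrees with its expectation.
run_cases() {
  rc_failed=0
  # All three conditions hold; a different group must not unlock the rule.
  expect_status 1 "intern, not on call" '{
    "user": {"name": "alex", "role": "intern", "groups": ["interns"]},
    "request": {"action": "delete"},
    "resource": {"environment": "production"}
  }' || rc_failed=1
  # The unless clause matches, so the rule must not fire.
  expect_status 0 "intern on platform-oncall" '{
    "user": {"name": "alex", "role": "intern", "groups": ["platform-oncall"]},
    "request": {"action": "delete"},
    "resource": {"environment": "production"}
  }' || rc_failed=1
  # One condition is false, so there is nothing to deny.
  expect_status 0 "intern deleting outside production" '{
    "user": {"name": "alex", "role": "intern", "groups": ["interns"]},
    "request": {"action": "delete"},
    "resource": {"environment": "staging"}
  }' || rc_failed=1
  return "$rc_failed"
}
```

Source the file and call run_cases from a CI step; a non-zero return means the policy no longer behaves as these cases expect.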
What's next
- Language reference — every operator, quantifier, and built-in.
- Example policies — realistic patterns for Terraform, GitHub, K8s.
- Embedding in Go — use CrowdControl from inside your service.
- Schema validation — catch typos at lint time.