Selection Rules Design
Selection rules determine which operations are subject to governance evaluation. Well-designed rules balance security coverage with performance impact.
What is the selection rule structure?
Each selection rule contains a match condition and an action. Rules are evaluated in order; first match wins.
{
  "rule_id": "unique_identifier",
  "priority": 100,                    // Lower = higher priority
  "match": {
    "operation_type": "EXECUTE",      // Operation category
    "subject_pattern": "prod-*",      // Glob pattern
    "metadata": {                     // Optional metadata match
      "environment": "production"
    }
  },
  "action": "EVALUATE",               // What to do if matched
  "measurement_override": null        // Optional custom measurement
}
What are the available actions?
Selection rules can trigger three different behaviors:
EVALUATE
Full governance evaluation. Measure current state, compare to baseline, apply enforcement mapping. Emit receipt regardless of outcome.
PASS_THROUGH
Skip governance for this operation. No measurement, no receipt. Use for operations known to be safe or too frequent for governance overhead.
DENY
Block operation unconditionally without evaluation. Emit receipt documenting the denial. Use for operations that should never proceed.
How does pattern matching work?
The subject_pattern field uses glob-style matching for flexibility:
Pattern         Matches
────────────────────────────────────────
*               Everything
prod-*          prod-api, prod-worker, prod-db
*-api           frontend-api, backend-api
api-v?          api-v1, api-v2, api-v3
model-[0-9]*    model-001, model-123
!test-*         NOT test-anything (negation)
What is the evaluation order?
Rules are evaluated by priority (ascending). First matching rule determines the action. If no rule matches, the default action applies.
// Rule evaluation order
1. Sort rules by priority (ascending)
2. For each rule:
   - Evaluate match conditions
   - If all conditions match:
     - Apply action
     - Stop evaluation (first match wins)
3. If no rule matched:
   - Apply default_action from policy

// Example priority ordering
Priority 10:  "deny_admin_access"        // Checked first
Priority 50:  "evaluate_prod_ops"        // Checked second
Priority 100: "passthrough_healthcheck"  // Checked third
Priority 999: "default_evaluate"         // Fallback
How do I avoid privacy leakage?
Selection rules are included in the policy artifact. Be careful not to encode sensitive information in patterns or metadata.
- ✕ Avoid: Patterns that reveal customer names, internal project codes, or security classifications
- ✕ Avoid: Metadata that includes user IDs, account numbers, or personally identifiable information
- ✓ Use: Abstract categories like "tier-1", "production", "high-risk"
- ✓ Use: Hash-based identifiers when specific matching is needed
Common rule patterns
These patterns address common governance scenarios:
// Deny list: Block specific operations
{
  "rule_id": "block_deprecated",
  "priority": 1,
  "match": { "subject_pattern": "deprecated-*" },
  "action": "DENY"
}

// Allow list: Only evaluate known workloads
{
  "rule_id": "evaluate_approved",
  "priority": 10,
  "match": { "subject_pattern": "approved-*" },
  "action": "EVALUATE"
}

// Exclude noise: Skip frequent low-risk ops
{
  "rule_id": "skip_metrics",
  "priority": 50,
  "match": { "operation_type": "METRICS_PUSH" },
  "action": "PASS_THROUGH"
}

// Environment-based: Stricter in production
{
  "rule_id": "prod_strict",
  "priority": 100,
  "match": { "metadata": { "env": "prod" } },
  "action": "EVALUATE",
  "measurement_override": { "interval_ms": 500 }
}
Frequently asked questions
How many rules can a policy have?
The specification doesn't define a limit, but evaluation is O(n) in rule count. Keep rules under 100 for responsive evaluation. Use pattern consolidation if you have many similar rules.
Can rules reference external data?
No. Rules must be self-contained within the policy artifact. External lookups would break offline verification. Pre-compute any external data into the policy at mint time.
What if I need regex patterns?
The base specification uses glob patterns. Enterprise extensions support regex with explicit opt-in. Glob is preferred because it's safer (no ReDoS risks) and faster to evaluate.
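To make the evaluation order and the common rule patterns concrete, here is an added example evaluator (written for this page, not the specification's or any product's own code) that sorts rules by priority, applies first-match-wins, falls back to the policy default, and runs the rules from "Common rule patterns" over a few constructed operations. It assumes that the "!" negation prefix means "the remaining glob must not match", that every key in a rule's metadata block must equal the operation's metadata, and that the policy carries a top-level default_action.

```python
import fnmatch

# Added example, not from the specification. Assumptions: "!" negates the
# remaining glob; metadata keys in a rule must all equal the operation's
# metadata; the policy object carries "default_action".

def subject_matches(pattern, subject):
    """Glob match with the page's '!' negation prefix (assumed semantics)."""
    if pattern.startswith("!"):
        return not fnmatch.fnmatchcase(subject, pattern[1:])
    return fnmatch.fnmatchcase(subject, pattern)

def rule_matches(rule, op):
    """All conditions present in the rule's match block must hold."""
    m = rule["match"]
    if "operation_type" in m and m["operation_type"] != op.get("operation_type"):
        return False
    if "subject_pattern" in m and not subject_matches(m["subject_pattern"], op.get("subject", "")):
        return False
    for key, value in m.get("metadata", {}).items():
        if op.get("metadata", {}).get(key) != value:
            return False
    return True

def select(policy, op):
    """Return (rule_id, action, measurement_override); rule_id is None on fallback."""
    for rule in sorted(policy["rules"], key=lambda r: r["priority"]):  # ascending priority
        if rule_matches(rule, op):
            return rule["rule_id"], rule["action"], rule.get("measurement_override")
    return None, policy["default_action"], None  # no rule matched

# Constructed policy reusing three of the rules from "Common rule patterns",
# deliberately listed out of priority order to show that sorting is what counts.
POLICY = {
    "default_action": "EVALUATE",
    "rules": [
        {"rule_id": "prod_strict", "priority": 100, "match": {"metadata": {"env": "prod"}},
         "action": "EVALUATE", "measurement_override": {"interval_ms": 500}},
        {"rule_id": "block_deprecated", "priority": 1,
         "match": {"subject_pattern": "deprecated-*"}, "action": "DENY"},
        {"rule_id": "skip_metrics", "priority": 50,
         "match": {"operation_type": "METRICS_PUSH"}, "action": "PASS_THROUGH"},
    ],
}

if __name__ == "__main__":
    # A metrics push from a deprecated subject is denied: priority 1 wins over 50.
    print(select(POLICY, {"operation_type": "METRICS_PUSH", "subject": "deprecated-agent"}))
    # A production metrics push is passed through: skip_metrics (50) shadows prod_strict (100).
    print(select(POLICY, {"operation_type": "METRICS_PUSH", "subject": "prod-api",
                          "metadata": {"env": "prod"}}))
```

The second call shows the ordering caveat a policy author should check: a pass-through exclusion with a lower priority number silently exempts operations that a later, stricter environment rule was meant to cover.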