Scripts that can only do what you allow

Every script is paired with a Cedar policy. The script says what to do; the policy says what's allowed. Every command is checked before it runs.

Script (Rhai)
// Read a file
let content = cat("/tmp/rex/hello.txt");
info(content);

// Try to write to it
write("/tmp/rex/hello.txt", "Goodbye!");

Policy (Cedar)
permit(
    principal,
    action in [
        file_system::Action::"open",
        file_system::Action::"read",
        // "write" is not listed
    ],
    resource
);

Output
[INFO] Hello World!

error: Permission denied:
  file_system::Action::"write" on /tmp/rex/hello.txt

cat() read the file. The policy permits read, so Cedar allowed it.
write() to the same file was blocked. The policy permits open and read; write is not listed.
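
A minimal model of that check-before-run order, as an added example rather than code from the project. The Gate class, the command-to-action mapping and the temporary file are assumptions made for illustration, and the set lookup stands in for Cedar's evaluation of the permit policy above.

```python
import os
import tempfile

# Constructed stand-in for the page's policy: only these actions are permitted.
PERMITTED = frozenset({'file_system::Action::"open"', 'file_system::Action::"read"'})

# Assumed mapping from script functions to the actions each one needs.
REQUIRED = {
    "cat": ('file_system::Action::"open"', 'file_system::Action::"read"'),
    "write": ('file_system::Action::"write"',),
}


class PermissionDenied(Exception):
    pass


class Gate:
    """Hypothetical enforcement point: authorize first, touch the file second."""

    def __init__(self, permitted):
        self.permitted = permitted
        self.decisions = []  # (action, decision) audit trail

    def _authorize(self, command, path):
        for action in REQUIRED[command]:
            allowed = action in self.permitted  # unlisted action => deny
            self.decisions.append((action, "allow" if allowed else "deny"))
            if not allowed:
                raise PermissionDenied(f"Permission denied:\n  {action} on {path}")

    def cat(self, path):
        self._authorize("cat", path)
        with open(path) as fh:
            return fh.read()

    def write(self, path, data):
        self._authorize("write", path)  # raises before open(..., "w") can truncate
        with open(path, "w") as fh:
            fh.write(data)


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hello.txt")  # constructed sample file
        with open(path, "w") as fh:
            fh.write("Hello World!")
        gate = Gate(PERMITTED)
        content, error = gate.cat(path), None
        try:
            gate.write(path, "Goodbye!")
        except PermissionDenied as exc:
            error = str(exc)
        with open(path) as fh:
            return content, error, fh.read(), gate.decisions
```

Because the denial is raised before the file is opened for writing, the file still holds its original content afterwards, and the decision list records two allows followed by one deny.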