SQRT Predicates
SQRT in Python Code Block
Code blocks in this tutorial are Python literals containing actual SQRT code for ease of testing.
Predicates are boolean expressions used in check rules and conditional updates.
Value Comparisons
Check argument values against sets or specific values:
```python
# Value comparisons check argument values
value_comparison_examples = r"""
// Check if value is in a set
let IsAdmin = arg1.value in {"admin", "root", "superuser"};
// Equality check
let IsSpecificUser = arg1.value == "alice";
// Values can include type domains
let IsValidPort = port.value in {int 1..65535};
// Check value against regex patterns
let IsEmail = email.value in {str matching r"^[a-z]+@example\\.com$"};
"""
```
| Syntax | Meaning |
|---|---|
| `arg.value in {...}` | Value is in the set |
| `arg.value == "x"` | Value equals "x" |
Set Comparisons
Compare sets against other sets:
```python
# Set comparisons check relationships between sets
set_comparison_examples = r"""
// Check if sets share any elements
let HasSensitiveTag = data.tags overlaps {"pii", "secret", "confidential"};
// Check if one set is contained in another
let OnlyAllowedTags = data.tags subset of {"public", "internal", "safe"};
// Check if one set contains another
let HasRequiredTags = data.tags superset of {"reviewed", "approved"};
// Check if sets are exactly equal
let ExactMatch = data.tags == {"expected", "tags"};
// Check if set is empty
let NoTags = data.tags is empty;
// Check if set is universal (matches everything)
let OpenAccess = data.consumers is universal;
"""
```
| Syntax | Meaning |
|---|---|
| `A overlaps B` | A and B share at least one element |
| `A subset of B` | All elements of A are in B |
| `A superset of B` | A contains all elements of B |
| `A == B` | A and B have exactly the same elements |
| `A is empty` | A has no elements |
| `A is universal` | A matches everything (`{"*"}`) |
Logical Operations
Combine predicates with logical operators:
```python
# Logical operations combine predicates
logical_examples = r"""
// Define base predicates
let IsAdmin = role.value == "admin";
let IsTrusted = user.tags overlaps {"trusted", "verified"};
let IsSensitive = data.tags overlaps {"pii", "secret"};
// AND: both conditions must be true
let AdminAndTrusted = IsAdmin and IsTrusted;
// OR: at least one condition must be true
let AdminOrTrusted = IsAdmin or IsTrusted;
// NOT: negates the condition
let NotAdmin = not IsAdmin;
// Complex combinations
let CanAccessSensitive = (IsAdmin or IsTrusted) and not IsSensitive;
"""
```
Precedence (highest to lowest): not, and, or
Use parentheses for explicit grouping: (A or B) and not C
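The precedence rule decides what `CanAccessSensitive` actually permits. The following Python model is an added example, not part of the SQRT tutorial script: it evaluates the grouped predicate and its unparenthesized form over every truth assignment and reports where they disagree. It assumes Python's own `not`/`and`/`or` (which bind in the same order) as stand-ins for the SQRT operators; `overlaps` and the other function names are hypothetical helpers, and the sample request is constructed.

```python
from itertools import product


def overlaps(a, b):
    """Model of `A overlaps B`: the sets share at least one element."""
    return not set(a).isdisjoint(b)


def base_predicates(role_value, user_tags, data_tags):
    """IsAdmin, IsTrusted, IsSensitive as defined in logical_examples."""
    is_admin = role_value == "admin"
    is_trusted = overlaps(user_tags, {"trusted", "verified"})
    is_sensitive = overlaps(data_tags, {"pii", "secret"})
    return is_admin, is_trusted, is_sensitive


def grouped(is_admin, is_trusted, is_sensitive):
    # (IsAdmin or IsTrusted) and not IsSensitive
    return (is_admin or is_trusted) and not is_sensitive


def ungrouped(is_admin, is_trusted, is_sensitive):
    # IsAdmin or IsTrusted and not IsSensitive
    # binds as: IsAdmin or (IsTrusted and (not IsSensitive))
    return is_admin or is_trusted and not is_sensitive


def divergent_cases():
    """Truth assignments (admin, trusted, sensitive) where the two forms differ."""
    return [
        case
        for case in product([False, True], repeat=3)
        if grouped(*case) != ungrouped(*case)
    ]


if __name__ == "__main__":
    # Constructed sample: an admin without trusted tags requesting PII-tagged data.
    sample = base_predicates("admin", {"guest"}, {"pii", "report"})
    print("predicates:", sample)
    print("grouped   :", grouped(*sample))
    print("ungrouped :", ungrouped(*sample))
    print("divergent :", divergent_cases())
```

The two forms differ only when `IsAdmin` and `IsSensitive` are both true: without the parentheses, an admin passes the predicate even for sensitive data.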
Session Predicates
Predicates can reference session state:
```python
# Predicates can reference session state
session_predicate_examples = r"""
// Check session tags
let SessionIsAdmin = @session.tags overlaps {"admin", "elevated"};
// Compare argument tags with session
let ArgsInSession = arg1.tags subset of @session.tags;
// Check session value
let SessionActive = @session.value == "active";
"""
```
Using Predicates in Tools
Define reusable predicates with let and use them in tool policies:
```python
# Using predicates in tool policies
predicate_tool_examples = r"""
// Define reusable predicates
let IsBlocked = to.value in {"spam@evil.com", "blocked@test.com"};
let IsTrustedSender = from.tags overlaps {"trusted", "internal"};
// Use predicates in tool checks
tool "send_email" {
    must deny when IsBlocked;
    should allow when IsTrustedSender;
    should allow always;
}
"""
```