Internal Changes

bundle/src/main/java/dev/cel/bundle/BUILD.bazel

@@ -104,6 +104,7 @@ java_library(
         ":required_fields_checker",
         "//:auto_value",
         "//bundle:cel",
+        "//checker:proto_type_mask",
         "//checker:standard_decl",
         "//common:compiler_common",
         "//common:container",

bundle/src/main/java/dev/cel/bundle/CelEnvironment.java

@@ -30,6 +30,7 @@
 import dev.cel.checker.CelStandardDeclarations;
 import dev.cel.checker.CelStandardDeclarations.StandardFunction;
 import dev.cel.checker.CelStandardDeclarations.StandardOverload;
+import dev.cel.checker.ProtoTypeMask;
 import dev.cel.common.CelContainer;
 import dev.cel.common.CelFunctionDecl;
 import dev.cel.common.CelOptions;
@@ -134,6 +135,9 @@ public abstract class CelEnvironment {
   /** Limits to set in the environment. */
   public abstract ImmutableSet<Limit> limits();
 
+  /** Context variable to enable in the environment. */
+  public abstract Optional<ContextVariable> contextVariable();
+
   /** Builder for {@link CelEnvironment}. */
   @AutoValue.Builder
   public abstract static class Builder {
@@ -199,6 +203,8 @@ public Builder setLimits(Limit... limits) {
 
     public abstract Builder setLimits(ImmutableSet<Limit> limits);
 
+    public abstract Builder setContextVariable(ContextVariable contextVariable);
+
     abstract CelEnvironment autoBuild();
 
     @CheckReturnValue
@@ -258,6 +264,12 @@ public CelCompiler extend(CelCompiler celCompiler, CelOptions celOptions)
 
       applyStandardLibrarySubset(compilerBuilder);
 
+      contextVariable()
+          .ifPresent(
+              cv ->
+                  compilerBuilder.addProtoTypeMasks(
+                      ProtoTypeMask.ofAllFields(cv.typeName()).withFieldsAsVariableDeclarations()));
+
       return compilerBuilder.build();
     } catch (RuntimeException e) {
       throw new CelEnvironmentException(e.getMessage(), e);
@@ -406,6 +418,17 @@ private static CanonicalCelExtension getExtensionOrThrow(String extensionName) {
     return extension;
   }
 
+  /** Represents a context variable declaration. */
+  @AutoValue
+  public abstract static class ContextVariable {
+    /** Fully qualified type name of the context variable. */
+    public abstract String typeName();
+
+    public static ContextVariable create(String typeName) {
+      return new AutoValue_CelEnvironment_ContextVariable(typeName);
+    }
+  }
+
   /** Represents a policy variable declaration. */
   @AutoValue
   public abstract static class VariableDecl {

bundle/src/main/java/dev/cel/bundle/CelEnvironmentYamlParser.java

@@ -28,6 +28,7 @@
 import com.google.common.collect.ImmutableSet;
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import dev.cel.bundle.CelEnvironment.Alias;
+import dev.cel.bundle.CelEnvironment.ContextVariable;
 import dev.cel.bundle.CelEnvironment.ExtensionConfig;
 import dev.cel.bundle.CelEnvironment.FunctionDecl;
 import dev.cel.bundle.CelEnvironment.LibrarySubset;
@@ -320,6 +321,36 @@ private ImmutableSet<String> parseAbbreviations(ParserContext<Node> ctx, Node no
     return builder.build();
   }
 
+  private ContextVariable parseContextVariable(ParserContext<Node> ctx, Node node) {
+    long id = ctx.collectMetadata(node);
+    if (!assertYamlType(ctx, id, node, YamlNodeType.MAP)) {
+      return ContextVariable.create("");
+    }
+
+    MappingNode mapNode = (MappingNode) node;
+    String typeName = "";
+    for (NodeTuple nodeTuple : mapNode.getValue()) {
+      Node keyNode = nodeTuple.getKeyNode();
+      long keyId = ctx.collectMetadata(keyNode);
+      Node valueNode = nodeTuple.getValueNode();
+      String keyName = ((ScalarNode) keyNode).getValue();
+      switch (keyName) {
+        case "type_name":
+          typeName = newString(ctx, valueNode);
+          break;
+        default:
+          ctx.reportError(keyId, String.format("Unsupported context_variable tag: %s", keyName));
+          break;
+      }
+    }
+
+    if (typeName.isEmpty()) {
+      ctx.reportError(id, "Missing required attribute(s): type_name");
+    }
+
+    return ContextVariable.create(typeName);
+  }
+
   private ImmutableSet<VariableDecl> parseVariables(ParserContext<Node> ctx, Node node) {
     long valueId = ctx.collectMetadata(node);
     ImmutableSet.Builder<VariableDecl> variableSetBuilder = ImmutableSet.builder();
@@ -900,6 +931,9 @@ private CelEnvironment.Builder parseConfig(ParserContext<Node> ctx, Node node) {
           case "limits":
             builder.setLimits(parseLimits(ctx, valueNode));
             break;
+          case "context_variable":
+            builder.setContextVariable(parseContextVariable(ctx, valueNode));
+            break;
           default:
             ctx.reportError(id, "Unknown config tag: " + fieldName);
             // continue handling the rest of the nodes

conformance/src/test/java/dev/cel/conformance/policy/BUILD.bazel

@@ -12,6 +12,8 @@ java_library(
     deps = [
         "//:auto_value",
         "//bundle:cel",
+        "//policy:parser_factory",
+        "//policy/testing:k8s_test_tag_handler",
         "//runtime:function_binding",
         "//testing/testrunner:cel_expression_source",
         "//testing/testrunner:cel_test_context",

conformance/src/test/java/dev/cel/conformance/policy/PolicyConformanceTest.java

@@ -18,6 +18,8 @@
 import dev.cel.bundle.Cel;
 import dev.cel.bundle.CelFactory;
 import dev.cel.expr.conformance.proto3.TestAllTypes;
+import dev.cel.policy.CelPolicyParserFactory;
+import dev.cel.policy.testing.K8sTagHandler;
 import dev.cel.runtime.CelFunctionBinding;
 import dev.cel.testing.testrunner.CelExpressionSource;
 import dev.cel.testing.testrunner.CelTestContext;
@@ -77,6 +79,13 @@ public void evaluate() throws Throwable {
                 TestAllTypes.getDescriptor().getFile(),
                 Struct.getDescriptor().getFile());
 
+    // Scopes the custom Kubernetes tag visitor exclusively to k8s tests to prevent non-standard
+    // grammar leakage.
+    if (name.startsWith("k8s/")) {
+      contextBuilder.setCelPolicyParser(
+          CelPolicyParserFactory.newYamlParserBuilder().addTagVisitor(new K8sTagHandler()).build());
+    }
+
     Path yamlConfigPath = Paths.get(dirPath, "config.yaml");
     Path textprotoConfigPath = Paths.get(dirPath, "config.textproto");
 

policy/src/main/java/dev/cel/policy/CelPolicy.java

@@ -252,7 +252,7 @@ public abstract static class Builder implements RequiredFieldsChecker {
 
       abstract Optional<Long> id();
 
-      abstract Optional<Result> result();
+      public abstract Optional<Result> result();
 
       abstract Optional<ValueString> explanation();
 

policy/src/main/java/dev/cel/policy/testing/BUILD.bazel

@@ -0,0 +1,27 @@
+load("@rules_java//java:defs.bzl", "java_library")
+
+package(
+    default_applicable_licenses = [
+        "//:license",
+    ],
+    default_testonly = True,
+    default_visibility = [
+        "//policy/testing:__pkg__",
+    ],
+)
+
+java_library(
+    name = "k8s_tag_handler",
+    srcs = ["K8sTagHandler.java"],
+    tags = [
+    ],
+    deps = [
+        "//common/formats:value_string",
+        "//common/formats:yaml_helper",
+        "//policy",
+        "//policy:parser",
+        "//policy:policy_parser_context",
+        "@maven//:com_google_guava_guava",
+        "@maven//:org_yaml_snakeyaml",
+    ],
+)

policy/src/main/java/dev/cel/policy/testing/K8sTagHandler.java

@@ -0,0 +1,117 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package dev.cel.policy.testing;
+
+import com.google.common.annotations.VisibleForTesting;
+import dev.cel.common.formats.ValueString;
+import dev.cel.common.formats.YamlHelper;
+import dev.cel.common.formats.YamlHelper.YamlNodeType;
+import dev.cel.policy.CelPolicy;
+import dev.cel.policy.CelPolicy.Match;
+import dev.cel.policy.CelPolicyParser.TagVisitor;
+import dev.cel.policy.PolicyParserContext;
+import org.yaml.snakeyaml.nodes.Node;
+import org.yaml.snakeyaml.nodes.SequenceNode;
+
+/**
+ * K8sTagHandler is a {@link TagVisitor} implementation to support parsing Kubernetes
+ * ValidatingAdmissionPolicy structures in testing and conformance environments.
+ */
+@VisibleForTesting
+public final class K8sTagHandler implements TagVisitor<Node> {
+
+  @Override
+  public void visitPolicyTag(
+      PolicyParserContext<Node> ctx,
+      long id,
+      String tagName,
+      Node node,
+      CelPolicy.Builder policyBuilder) {
+    switch (tagName) {
+      case "kind":
+        policyBuilder.putMetadata("kind", ctx.newYamlString(node).value());
+        break;
+      case "metadata":
+        YamlHelper.assertYamlType(ctx, id, node, YamlNodeType.MAP);
+        break;
+      case "spec":
+        CelPolicy.Rule spec = ctx.parseRule(ctx, policyBuilder, node);
+        policyBuilder.setRule(spec);
+        break;
+      default:
+        TagVisitor.super.visitPolicyTag(ctx, id, tagName, node, policyBuilder);
+        break;
+    }
+  }
+
+  @Override
+  public void visitRuleTag(
+      PolicyParserContext<Node> ctx,
+      long id,
+      String tagName,
+      Node node,
+      CelPolicy.Builder policyBuilder,
+      CelPolicy.Rule.Builder ruleBuilder) {
+    switch (tagName) {
+      case "failurePolicy":
+        policyBuilder.putMetadata(tagName, ctx.newYamlString(node).value());
+        break;
+      case "matchConstraints":
+        YamlHelper.assertYamlType(ctx, id, node, YamlNodeType.MAP);
+        break;
+      case "validations":
+        if (!YamlHelper.assertYamlType(ctx, id, node, YamlNodeType.LIST)) {
+          return;
+        }
+        SequenceNode seqNode = (SequenceNode) node;
+        for (Node valNode : seqNode.getValue()) {
+          ruleBuilder.addMatches(ctx.parseMatch(ctx, policyBuilder, valNode));
+        }
+        break;
+      default:
+        TagVisitor.super.visitRuleTag(ctx, id, tagName, node, policyBuilder, ruleBuilder);
+        break;
+    }
+  }
+
+  @Override
+  public void visitMatchTag(
+      PolicyParserContext<Node> ctx,
+      long id,
+      String tagName,
+      Node node,
+      CelPolicy.Builder policyBuilder,
+      CelPolicy.Match.Builder matchBuilder) {
+    if (!matchBuilder.result().isPresent()) {
+      matchBuilder.setResult(
+          Match.Result.ofOutput(ValueString.of(ctx.nextId(), "'invalid admission request'")));
+    }
+    switch (tagName) {
+      case "expression":
+        // The K8s expression to validate must return false in order to generate a violation
+        // message.
+        ValueString condition = ctx.newSourceString(node);
+        String invertedCondition = "!(" + condition.value() + ")";
+        matchBuilder.setCondition(ValueString.of(condition.id(), invertedCondition));
+        break;
+      case "messageExpression":
+        matchBuilder.setResult(Match.Result.ofOutput(ctx.newSourceString(node)));
+        break;
+      default:
+        TagVisitor.super.visitMatchTag(ctx, id, tagName, node, policyBuilder, matchBuilder);
+        break;
+    }
+  }
+}

policy/src/test/java/dev/cel/policy/BUILD.bazel

@@ -30,9 +30,9 @@ java_library(
         "//policy:compiler_factory",
         "//policy:parser",
         "//policy:parser_factory",
-        "//policy:policy_parser_context",
         "//policy:source",
         "//policy:validation_exception",
+        "//policy/testing:k8s_test_tag_handler",
         "//runtime",
         "//runtime:function_binding",
         "//testing:cel_runtime_flavor",

policy/src/test/java/dev/cel/policy/CelPolicyCompilerImplTest.java

@@ -37,12 +37,12 @@
 import dev.cel.extensions.CelOptionalLibrary;
 import dev.cel.parser.CelStandardMacro;
 import dev.cel.parser.CelUnparserFactory;
-import dev.cel.policy.PolicyTestHelper.K8sTagHandler;
 import dev.cel.policy.PolicyTestHelper.PolicyTestSuite;
 import dev.cel.policy.PolicyTestHelper.PolicyTestSuite.PolicyTestSection;
 import dev.cel.policy.PolicyTestHelper.PolicyTestSuite.PolicyTestSection.PolicyTestCase;
 import dev.cel.policy.PolicyTestHelper.PolicyTestSuite.PolicyTestSection.PolicyTestCase.PolicyTestInput;
 import dev.cel.policy.PolicyTestHelper.TestYamlPolicy;
+import dev.cel.policy.testing.K8sTagHandler;
 import dev.cel.runtime.CelFunctionBinding;
 import dev.cel.runtime.CelLateFunctionBindings;
 import dev.cel.testing.CelRuntimeFlavor;

policy/src/test/java/dev/cel/policy/CelPolicyYamlParserTest.java

@@ -22,8 +22,8 @@
 import com.google.testing.junit.testparameterinjector.TestParameterInjector;
 import dev.cel.common.formats.ValueString;
 import dev.cel.policy.CelPolicy.Import;
-import dev.cel.policy.PolicyTestHelper.K8sTagHandler;
 import dev.cel.policy.PolicyTestHelper.TestYamlPolicy;
+import dev.cel.policy.testing.K8sTagHandler;
 import org.junit.Test;
 import org.junit.runner.RunWith;