exec Command
The exec command executes a policy or rule from a policy pack. This is the primary way to test and run your policies locally.
Syntax

    sentrie exec <FQN> [OPTIONS]

Description
The exec command loads a policy pack, executes a specific rule or all exported rules in a policy, and displays the results. You can provide facts (input data) via command-line flags or from a JSON file.
Arguments
FQN (required)
The Fully Qualified Name (FQN) that identifies the namespace, policy, and optionally the rule to execute.
Format: namespace/policy/rule or namespace/policy
- namespace/policy - Execute all exported rules in the policy
- namespace/policy/rule - Execute only the specific rule
Examples:
- user_management/user_access - Execute all exported rules in the user_access policy
- user_management/user_access/allow_user - Execute only the allow_user rule
- com/example/auth/access_control/check_permission - Execute a specific rule in a nested namespace
Options
--pack-location
Specifies the directory containing the policy pack to load.

    sentrie exec user_management/user_access --pack-location ./my-policy-pack

Default: ./ (current directory)
Examples:
- --pack-location ./policies - Load policies from the ./policies directory
- --pack-location /path/to/policy-pack - Load policies from an absolute path
--output
Specifies the output format for the results.

    sentrie exec user_management/user_access --output json

Default: table
Valid values:
- table - Human-readable table format (default)
- json - JSON format for programmatic consumption
Table Format Example:

    Namespace: user_management
    Policy: user_access

    Rules:
      ✓ allow_admin: ✓ True
      ✓ allow_user: ✓ True

    Values:
      ✓ allow_admin: true
      ✓ allow_user: true

    Attachments:
      ✓ allow_user:
        reason: User has admin role

JSON Format Example:

    [
      {
        "namespace": "user_management",
        "policyName": "user_access",
        "ruleName": "allow_admin",
        "decision": {
          "state": "TRUE",
          "value": true
        },
        "attachments": {}
      },
      {
        "namespace": "user_management",
        "policyName": "user_access",
        "ruleName": "allow_user",
        "decision": {
          "state": "TRUE",
          "value": true
        },
        "attachments": {
          "reason": "User has admin role"
        }
      }
    ]

--fact-file
Specifies a JSON file containing facts to use for policy execution.

    sentrie exec user_management/user_access --fact-file ./facts.json

Default: (empty - no file)
File Format: The file must contain valid JSON with a top-level object:

    {
      "user": {
        "role": "admin",
        "status": "active"
      },
      "context": {
        "environment": "production"
      }
    }

Note: Facts from --fact-file are loaded first; facts from the --facts flag then override any conflicting keys.
--facts
Provides facts directly as a JSON string.

    sentrie exec user_management/user_access --facts '{"user":{"role":"admin","status":"active"}}'

Default: {} (empty object)
Fact Merging:
If both --fact-file and --facts are provided, the facts from --facts will override any conflicting keys from the file. This allows you to use a base fact file and override specific values on the command line.
Example:

    # facts.json contains: {"user": {"role": "user", "status": "active"}}
    # Command line overrides the role
    sentrie exec user_management/user_access \
      --fact-file ./facts.json \
      --facts '{"user":{"role":"admin"}}'
    # Result: user.role = "admin", user.status = "active"

Examples
Execute a specific rule with inline facts

    sentrie exec user_management/user_access/allow_user \
      --facts '{"user":{"role":"admin","status":"active"}}'

Execute all exported rules in a policy

    sentrie exec user_management/user_access \
      --facts '{"user":{"role":"admin","status":"active"}}'

Execute with facts from a file

    sentrie exec user_management/user_access \
      --fact-file ./user-facts.json

Execute with facts from file and override specific values

    sentrie exec user_management/user_access \
      --fact-file ./base-facts.json \
      --facts '{"user":{"role":"admin"}}'

Execute and output as JSON

    sentrie exec user_management/user_access \
      --facts '{"user":{"role":"admin"}}' \
      --output json

Execute from a different pack location

    sentrie exec com/example/auth/access_control/check_permission \
      --pack-location ./policy-pack \
      --fact-file ./user-facts.json \
      --output json

Pipe JSON output to another tool

    sentrie exec user_management/user_access \
      --facts '{"user":{"role":"admin"}}' \
      --output json | jq '.[0].decision.value'

Decision States
The command output includes decision states:
- TRUE (✓ True) - The rule evaluated to true
- FALSE (⨯ False) - The rule evaluated to false
- UNKNOWN (• Unknown) - The rule evaluated to unknown (e.g., when the "when" condition is false and no default is provided)
Error Handling
If the command encounters errors:
- Invalid FQN: Returns an error if the namespace, policy, or rule is not found
- Invalid facts: Returns an error if facts don’t match expected types or shapes
- Policy errors: Returns an error if policy evaluation fails
- File errors: Returns an error if --fact-file cannot be read or parsed
Output Destination
All output is written to stdout, making it easy to:
- Pipe results to other commands
- Redirect to files
- Process programmatically (with JSON output)
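
An added example (not part of the Sentrie documentation or code base): a fail-closed gate over the JSON output that allows only when every rule you depend on is present with state TRUE, so FALSE, UNKNOWN, missing rules and unparsable output all deny. The function names, the sample data and the treatment of a non-zero exit status as a denial are assumptions of this example.

```python
import json
import subprocess

def gate(stdout_text, required_rules):
    """Return (allowed, reasons); only state TRUE on every required rule allows."""
    try:
        results = json.loads(stdout_text)
    except json.JSONDecodeError as exc:
        return False, [f"output is not valid JSON: {exc.msg}"]
    if not isinstance(results, list) or not results:
        return False, ["no rule results in output"]
    states = {}
    for r in results:
        decision = r.get("decision") if isinstance(r, dict) else None
        if not isinstance(decision, dict) or "ruleName" not in r:
            return False, ["malformed rule result"]
        states[r["ruleName"]] = decision.get("state")
    reasons = []
    for name in required_rules:
        if name not in states:
            reasons.append(f"{name}: required rule missing from output")
        elif states[name] != "TRUE":  # FALSE and UNKNOWN both deny
            reasons.append(f"{name}: state is {states[name]}")
    return not reasons, reasons

def run_and_gate(fqn, fact_file, required_rules, pack_location="./"):
    """Run sentrie exec with the flags documented on this page, then gate()."""
    cmd = ["sentrie", "exec", fqn, "--pack-location", pack_location,
           "--fact-file", fact_file, "--output", "json"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, [f"could not run sentrie: {exc}"]
    if proc.returncode != 0:  # assumption: any non-zero exit is treated as deny
        return False, [f"sentrie exited with status {proc.returncode}"]
    return gate(proc.stdout, required_rules)

# Constructed sample in the page's JSON shape; the UNKNOWN entry omits "value".
SAMPLE = json.dumps([
    {"namespace": "user_management", "policyName": "user_access",
     "ruleName": "allow_admin", "attachments": {},
     "decision": {"state": "TRUE", "value": True}},
    {"namespace": "user_management", "policyName": "user_access",
     "ruleName": "allow_user", "attachments": {},
     "decision": {"state": "UNKNOWN"}},
])

if __name__ == "__main__":
    print(gate(SAMPLE, ["allow_admin", "allow_user"]))
```

Listing the required rules explicitly matters when executing namespace/policy: a rule that is no longer exported simply disappears from the output, and checking only the entries that are present would not notice.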
See Also
- Executing Policies - Detailed guide on executing policies
- CLI Reference - Complete CLI documentation
- Policy Language Reference - Learn about writing policies