What is Regex Validation (Policy)?
Using regular expressions in YAML policies to validate tool call argument values before they reach the MCP server. Regex constraints can enforce email formats, branch naming conventions, file path restrictions, SQL injection prevention patterns, and more.
WHY IT MATTERS
Regular expressions are the most flexible argument validation primitive. While enums work for closed sets and ranges work for numbers, regex handles everything in between — email formats, file paths, URL patterns, naming conventions, and forbidden string patterns.
In MCP tool call governance, regex validation is critical for catching dangerous inputs. A file system server's write_file tool might accept any path — but a regex constraint like ^/home/agent/workspace/ ensures the agent can only write to its designated directory. A database tool might accept any SQL — but a regex blocking DROP|TRUNCATE|DELETE prevents destructive operations.
The power of regex comes with responsibility. Overly complex patterns can cause performance issues (catastrophic backtracking) and overly strict patterns can break legitimate use cases. Policies should use the simplest effective pattern and document what the regex intends to match.
HOW POLICYLAYER USES THIS
Intercept supports regex patterns as argument constraints in YAML policies. The pattern field accepts standard regular expressions that are evaluated against argument values at policy evaluation time. Patterns are compiled once at policy load and evaluated efficiently on each tool call. Failed regex matches produce clear denial messages indicating which argument violated which pattern.