coder
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 7 additions & 8 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 7 additions & 8 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 6 additions & 7 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 6 additions & 7 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 1 addition & 1 deletion b/‎coderd/apidoc/docs.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 1 addition & 1 deletion b/‎coderd/apidoc/swagger.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/apikey.go
Lines changed: 19 additions & 22 deletions b/‎coderd/apikey.go
Lines changed: 19 additions & 22 deletions
diff --git a/‎coderd/apikey_rolelifetime_test.go
Lines changed: 51 additions & 54 deletions b/‎coderd/apikey_rolelifetime_test.go
Lines changed: 51 additions & 54 deletions
@@ -51,14 +51,13 @@ OPTIONS:
           all available experiments.
 
       --max-token-lifetime-expression string, $CODER_MAX_TOKEN_LIFETIME_EXPRESSION
-          A CEL expression that determines the maximum token lifetime based on
-          user attributes. The expression has access to 'subject'
-          (rbac.Subject), 'globalMaxDuration' (time.Duration),
-          and'defaultDuration' (time.Duration). Must return a duration string
-          (e.g., duration("168h")). Example: 'subject.roles.exists(r, r.name ==
-          "owner") ? duration(globalMaxDuration) : duration(defaultDuration)'.
-          See https://github.com/google/cel-spec for CEL expression syntax and
-          examples.
+          An expr expression that determines the maximum token lifetime based on
+          user attributes. The expression has access to 'subject' (Subject),
+          'globalMaxDuration' (time.Duration), and 'defaultDuration'
+          (time.Duration). Must return a duration (e.g., duration("168h")).
+          Example: 'any(subject.Roles, .Name == "owner") ? duration("720h") :
+          duration("168h")'. See https://github.com/expr-lang/expr for expr
+          expression syntax and examples.
 
       --postgres-auth password|awsiamrds, $CODER_PG_AUTH (default: password)
           Type of auth to use when connecting to postgres. For AWS RDS, using
 
@@ -445,13 +445,12 @@ experiments: []
 # performed once per day.
 # (default: false, type: bool)
 updateCheck: false
-# A CEL expression that determines the maximum token lifetime based on user
-# attributes. The expression has access to 'subject' (rbac.Subject),
-# 'globalMaxDuration' (time.Duration), and'defaultDuration' (time.Duration). Must
-# return a duration string (e.g., duration("168h")). Example:
-# 'subject.roles.exists(r, r.name == "owner") ? duration(globalMaxDuration) :
-# duration(defaultDuration)'. See https://github.com/google/cel-spec for CEL
-# expression syntax and examples.
+# An expr expression that determines the maximum token lifetime based on user
+# attributes. The expression has access to 'subject' (Subject),
+# 'globalMaxDuration' (time.Duration), and 'defaultDuration' (time.Duration). Must
+# return a duration (e.g., duration("168h")). Example: 'any(subject.Roles, .Name
+# == "owner") ? duration("720h") : duration("168h")'. See
+# https://github.com/expr-lang/expr for expr expression syntax and examples.
 # (default: <unset>, type: string)
 maxTokenLifetimeExpression: ""
 # The default lifetime duration for API tokens. This value is used when creating a
 
@@ -9,17 +9,18 @@ import (
 	"time"
 
 	"github.com/go-chi/chi/v5"
-	"github.com/google/cel-go/common/types"
 	"github.com/google/uuid"
 	"github.com/moby/moby/pkg/namesgenerator"
 	"golang.org/x/xerrors"
 
+	"github.com/expr-lang/expr"
+
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/coderd/apikey"
 	"github.com/coder/coder/v2/coderd/audit"
-	celtoken "github.com/coder/coder/v2/coderd/cel"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
+	exprtoken "github.com/coder/coder/v2/coderd/expr"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/rbac"
@@ -392,7 +393,7 @@ func (api *API) validateAPIKeyLifetime(ctx context.Context, lifetime time.Durati
 }
 
 // getMaxTokenLifetimeForUser determines the maximum token lifetime a user is entitled to
-// based on their attributes and the CEL expression configuration.
+// based on their attributes and the expr expression configuration.
 func (api *API) getMaxTokenLifetimeForUser(ctx context.Context, subject rbac.Subject) time.Duration {
 	// Compiled at startup no need to recheck here.
 	program, _ := api.DeploymentValues.Sessions.CompiledMaximumTokenDurationProgram()
@@ -404,34 +405,30 @@ func (api *API) getMaxTokenLifetimeForUser(ctx context.Context, subject rbac.Sub
 	globalMax := api.DeploymentValues.Sessions.MaximumTokenDuration.Value()
 	defaultDuration := api.DeploymentValues.Sessions.DefaultTokenDuration.Value()
 
-	// Convert subject to CEL-friendly format
-	celSubject := celtoken.ConvertSubjectToCEL(subject)
+	// Convert subject to expr-friendly format
+	exprSubject := exprtoken.ConvertSubjectToExpr(subject)
 
-	// Evaluate CEL expression with typed struct
+	// Evaluate expr expression with typed struct
 	// TODO: Consider adding timeout protection in future iterations
-	out, _, err := program.Eval(map[string]interface{}{
-		"subject":           celSubject,
-		"globalMaxDuration": globalMax,
-		"defaultDuration":   defaultDuration,
+	out, err := expr.Run(program, map[string]interface{}{
+		"subject":           exprSubject,
+		"globalMaxDuration": int64(globalMax),
+		"defaultDuration":   int64(defaultDuration),
 	})
 	if err != nil {
-		api.Logger.Error(ctx, "the CEL evaluation failed, using default duration", slog.Error(err))
+		api.Logger.Error(ctx, "the expr evaluation failed, using default duration", slog.Error(err))
 		return defaultDuration
 	}
 
-	// Convert result to time.Duration
-	// CEL returns types.Duration, not time.Duration directly
-	switch v := out.Value().(type) {
-	case types.Duration:
-		return v.Duration
-	case time.Duration:
-		return v
-	default:
-		api.Logger.Error(ctx, "the CEL expression did not return a duration, using default duration",
-			slog.F("result_type", fmt.Sprintf("%T", out.Value())),
-			slog.F("result_value", out.Value()))
+	// Convert result to time.Duration (expr returns int64 due to AsInt64 constraint)
+	intVal, ok := out.(int64)
+	if !ok {
+		api.Logger.Error(ctx, "the expr expression did not return an int64, using default duration",
+			slog.F("result_type", fmt.Sprintf("%T", out)),
+			slog.F("result_value", out))
 		return defaultDuration
 	}
+	return time.Duration(intVal)
 }
 
 func (api *API) createAPIKey(ctx context.Context, params apikey.CreateParams) (*http.Cookie, *database.APIKey, error) {
 
@@ -7,8 +7,8 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	"github.com/coder/coder/v2/coderd/cel"
 	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/coderd/expr"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/serpent"
 )
@@ -39,9 +39,9 @@ func createClientWithRoleTokenLifetimes(t *testing.T, roleTokenLifetimeExpressio
 	t.Logf("MaximumTokenDuration: %v", api.DeploymentValues.Sessions.MaximumTokenDuration.Value())
 	// Check if we have a compiled program
 	if program != nil {
-		t.Logf("CEL expression compiled successfully")
+		t.Logf("expr expression compiled successfully")
 	} else {
-		t.Logf("No CEL expression configured")
+		t.Logf("No expr expression configured")
 	}
 
 	// Create the first user
@@ -53,29 +53,29 @@ func createClientWithRoleTokenLifetimes(t *testing.T, roleTokenLifetimeExpressio
 func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 	t.Parallel()
 
-	t.Run("ServerStartupWithValidCELExpressions", func(t *testing.T) {
+	t.Run("ServerStartupWithValidExprExpressions", func(t *testing.T) {
 		t.Parallel()
 
-		// Test server starts successfully with valid CEL expressions
+		// Test server starts successfully with valid expr expressions
 		testCases := []struct {
-			name          string
-			celExpression string
+			name           string
+			exprExpression string
 		}{
 			{
-				name:          "ValidRoleBasedExpression",
-				celExpression: `subject.roles.exists(r, r.name == "owner") ? duration("168h") : subject.roles.exists(r, r.name == "user-admin") ? duration("72h") : duration("24h")`,
+				name:           "ValidRoleBasedExpression",
+				exprExpression: `any(subject.Roles, .Name == "owner") ? duration("168h") : any(subject.Roles, .Name == "user-admin") ? duration("72h") : duration("24h")`,
 			},
 			{
-				name:          "ValidSimpleExpression",
-				celExpression: `duration(globalMaxDuration)`,
+				name:           "ValidSimpleExpression",
+				exprExpression: `duration(globalMaxDuration)`,
 			},
 			{
-				name:          "EmptyExpression",
-				celExpression: ``,
+				name:           "EmptyExpression",
+				exprExpression: ``,
 			},
 			{
-				name:          "EmailBasedExpression",
-				celExpression: `subject.email.endsWith("@company.com") ? duration("720h") : duration("24h")`,
+				name:           "EmailBasedExpression",
+				exprExpression: `subject.Email endsWith "@company.com") ? duration("720h") : duration("24h")`,
 			},
 		}
 
@@ -85,7 +85,7 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 				t.Parallel()
 
 				dv := coderdtest.DeploymentValues(t)
-				dv.Sessions.MaximumTokenDurationExpression = serpent.String(tc.celExpression)
+				dv.Sessions.MaximumTokenDurationExpression = serpent.String(tc.exprExpression)
 
 				// Should create successfully
 				client := coderdtest.New(t, &coderdtest.Options{
@@ -96,21 +96,21 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 		}
 	})
 
-	t.Run("InvalidCELExpressions", func(t *testing.T) {
+	t.Run("InvalidExprExpressions", func(t *testing.T) {
 		t.Parallel()
 
-		// Test that invalid CEL expressions fail validation
+		// Test that invalid expr expressions fail validation
 		testCases := []struct {
-			name          string
-			celExpression string
+			name           string
+			exprExpression string
 		}{
 			{
-				name:          "InvalidCELSyntax",
-				celExpression: `subject.roles.exists(r, r.name == "owner" ? duration("168h")`, // Missing closing parenthesis
+				name:           "InvalidExprSyntax",
+				exprExpression: `any(subject.Roles, .Name == "owner" ? duration("168h")`, // Missing closing parenthesis
 			},
 			{
-				name:          "UndefinedVariable",
-				celExpression: `unknownVariable ? duration("720h") : duration("168h")`,
+				name:           "UndefinedVariable",
+				exprExpression: `unknownVariable ? duration("720h") : duration("168h")`,
 			},
 		}
 
@@ -119,17 +119,14 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 			t.Run(tc.name, func(t *testing.T) {
 				t.Parallel()
 
-				// For invalid CEL expressions, try to create the environment and compile
-				env, err := cel.NewTokenLifetimeEnvironment(cel.EnvironmentOptions{})
-				require.NoError(t, err)
-
-				_, issues := env.Compile(tc.celExpression)
-				if issues != nil && issues.Err() != nil {
-					// CEL compilation failed as expected
+				// For invalid expr expressions, try to compile
+				_, err := expr.CompileTokenLifetimeExpression(tc.exprExpression)
+				if err != nil {
+					// expr compilation failed as expected
 					return
 				}
 				// If compilation succeeded but we expected failure, that's also a test failure
-				t.Fatalf("Expected CEL expression to fail compilation but it succeeded: %s", tc.celExpression)
+				t.Fatalf("Expected expr expression to fail compilation but it succeeded: %s", tc.exprExpression)
 			})
 		}
 	})
@@ -139,8 +136,8 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 
 		// Test actual token creation with various user role combinations
 		// Note: The first user created is an "Owner" (capital O)
-		// Global max is 720h (30 days), CEL expression provides role-specific rules
-		client := createClientWithRoleTokenLifetimes(t, `subject.roles.exists(r, r.name == "owner") ? duration("168h") : subject.roles.exists(r, r.name == "user-admin") ? duration("72h") : subject.roles.exists(r, r.name == "member") ? duration("24h") : duration(globalMaxDuration)`, 720*time.Hour)
+		// Global max is 720h (30 days), expr expression provides role-specific rules
+		client := createClientWithRoleTokenLifetimes(t, `any(subject.Roles, .Name == "owner") ? duration("168h") : any(subject.Roles, .Name == "user-admin") ? duration("72h") : any(subject.Roles, .Name == "member") ? duration("24h") : duration(globalMaxDuration)`, 720*time.Hour)
 
 		ctx := context.Background()
 
@@ -149,13 +146,13 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 		require.NoError(t, err)
 		t.Logf("Token config max lifetime: %v (expected 720h - global max)", tokenConfig.MaxTokenLifetime)
 
-		// Test owner can create token up to what the CEL expression allows (168h)
+		// Test owner can create token up to what the expr expression allows (168h)
 		_, err = client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
 			Lifetime: 167 * time.Hour,
 		})
 		require.NoError(t, err)
 
-		// Test owner cannot exceed what the CEL expression allows (168h)
+		// Test owner cannot exceed what the expr expression allows (168h)
 		_, err = client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
 			Lifetime: 169 * time.Hour,
 		})
@@ -167,7 +164,7 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 		t.Parallel()
 
 		// Test that users without specific role configs fall back to global max
-		client := createClientWithRoleTokenLifetimes(t, `subject.roles.exists(r, r.name == "user-admin") ? duration("168h") : duration(globalMaxDuration)`, 48*time.Hour)
+		client := createClientWithRoleTokenLifetimes(t, `any(subject.Roles, .Name == "user-admin") ? duration("168h") : duration(globalMaxDuration)`, 48*time.Hour)
 
 		ctx := context.Background()
 
@@ -198,9 +195,9 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 	t.Run("RoleSpecificShorterThanGlobal", func(t *testing.T) {
 		t.Parallel()
 
-		// Test CEL expression that chooses between role-specific and global max
+		// Test expr expression that chooses between role-specific and global max
 		// Note: The first user created is an "Owner" (capital O)
-		client := createClientWithRoleTokenLifetimes(t, `subject.roles.exists(r, r.name == "owner") ? duration(globalMaxDuration) : duration("24h")`, 168*time.Hour) // 7 days global
+		client := createClientWithRoleTokenLifetimes(t, `any(subject.Roles, .Name == "owner") ? duration(globalMaxDuration) : duration("24h")`, 168*time.Hour) // 7 days global
 
 		ctx := context.Background()
 
@@ -214,7 +211,7 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 		require.NoError(t, err)
 		t.Logf("User roles: %v", user.Roles)
 
-		// Owner gets the global max (168h) because the CEL expression returns globalMaxDuration
+		// Owner gets the global max (168h) because the expr expression returns globalMaxDuration
 		_, err = client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
 			Lifetime: 167 * time.Hour,
 		})
@@ -231,20 +228,20 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 	t.Run("OrganizationSpecificRoles", func(t *testing.T) {
 		t.Parallel()
 
-		// This test verifies that organization-specific role configurations work with CEL expressions
+		// This test verifies that organization-specific role configurations work with expr expressions
 
-		// Set up a client with organization-specific role configurations using CEL
-		celExpression := `
-			subject.roles.exists(r, r.name == "owner" && r.orgID == "") ? duration("720h") :
-			subject.roles.exists(r, r.name == "member" && r.orgID == "") ? duration("24h") :
-			subject.roles.exists(r, r.name == "organization-member" && r.orgID != "") ? duration("48h") :
-			subject.roles.exists(r, r.name == "organization-admin" && r.orgID != "") ? duration("168h") :
+		// Set up a client with organization-specific role configurations using expr
+		exprExpression := `
+			any(subject.Roles, .Name == "owner" && .OrgID == "") ? duration("720h") :
+			any(subject.Roles, .Name == "member" && .OrgID == "") ? duration("24h") :
+			any(subject.Roles, .Name == "organization-member" && .OrgID != "") ? duration("48h") :
+			any(subject.Roles, .Name == "organization-admin" && .OrgID != "") ? duration("168h") :
 			duration(defaultDuration)
 		`
 
 		dv := coderdtest.DeploymentValues(t)
 		dv.Sessions.MaximumTokenDuration = serpent.Duration(720 * time.Hour)
-		dv.Sessions.MaximumTokenDurationExpression = serpent.String(celExpression)
+		dv.Sessions.MaximumTokenDurationExpression = serpent.String(exprExpression)
 
 		// Create the client, database, and get the API instance
 		client, closer, api := coderdtest.NewWithAPI(t, &coderdtest.Options{
@@ -254,15 +251,15 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 			_ = closer.Close()
 		})
 
-		// Compile the CEL expression
+		// Compile the expr expression
 		ctx := context.Background()
 		_, err := api.DeploymentValues.Sessions.CompiledMaximumTokenDurationProgram()
 		require.NoError(t, err)
 
 		// Create the first user
 		_ = coderdtest.CreateFirstUser(t, client)
 
-		// Test that the CEL expression is working for the site-wide owner role
+		// Test that the expr expression is working for the site-wide owner role
 		// The first user gets site-wide owner role, so should get 720h
 		_, err = client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
 			Lifetime: 719 * time.Hour,
@@ -280,21 +277,21 @@ func TestRoleBasedTokenLifetimes_Integration(t *testing.T) {
 	t.Run("OrganizationRoleWithoutConfig", func(t *testing.T) {
 		t.Parallel()
 
-		// Test CEL expression with fallback behavior for unconfigured roles
+		// Test expr expression with fallback behavior for unconfigured roles
 
 		// Set up a client with only site-wide role configurations (no org-specific roles)
-		client := createClientWithRoleTokenLifetimes(t, `subject.roles.exists(r, r.name == "owner") ? duration("720h") : subject.roles.exists(r, r.name == "member") ? duration("24h") : duration(globalMaxDuration)`, 168*time.Hour)
+		client := createClientWithRoleTokenLifetimes(t, `any(subject.Roles, .Name == "owner") ? duration("720h") : any(subject.Roles, .Name == "member") ? duration("24h") : duration(globalMaxDuration)`, 168*time.Hour)
 
 		ctx := context.Background()
 
-		// Test that the first user (owner) gets 720h according to the CEL expression,
+		// Test that the first user (owner) gets 720h according to the expr expression,
 		// not the global max (168h)
 		_, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
 			Lifetime: 719 * time.Hour,
 		})
 		require.NoError(t, err)
 
-		// Test that owner cannot exceed what CEL expression allows (720h)
+		// Test that owner cannot exceed what expr expression allows (720h)
 		_, err = client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
 			Lifetime: 721 * time.Hour,
 		})