Conditional Attestations
The ::{condition} syntax modifier makes attestation requirements conditional. The attestation is only required when the condition evaluates to true, enabling context-aware security controls.
Not a Separate Type
Conditional is not a separate attestation type. It's a syntax modifier that can be applied to both internal and external attestation requirements in policies. The attestation itself is still either internal or external.
Syntax
The conditional syntax appends a condition to the attestation key using double colons:
attestation_key::{condition}
Examples:
manager_approval::{amount > 10000}
security_review::{risk_level == "high"}
compliance_check::{region in ["EU", "UK"]}Without Condition
Attestation is always required:
With Condition
Attestation required only when condition is true:
Policy Examples
{
"policy_id": "team:trading",
"description": "Trading team with tiered approval thresholds",
"resources": ["banking:wire_transfer", "api:external:*"],
"attestations": [
"manager_approval::{params.amount > 10000}",
"security_review::{params.risk_level == 'high'}",
"gdpr_compliance::{params.region IN ['EU', 'UK', 'EEA']}"
],
"constraints": {
"attestations": {
"manager_approval": {
"approval_criteria": "role:manager",
"timeout": 300
},
"security_review": {
"approval_criteria": "role:security",
"timeout": 600
},
"gdpr_compliance": {
"approval_criteria": "role:compliance",
"time_to_live": 86400
}
}
}
}How It Works
Request: wire_transfer(amount=5000)
│
▼
┌─────────────────┐
│ Policy Check │
│ │
│ Attestation: │
│ manager_approval│
│ ::{amount>10000}│
└────────┬────────┘
│
▼
┌─────────────────┐
│ Evaluate: │
│ 5000 > 10000? │
│ = FALSE │
└────────┬────────┘
│
▼
┌─────────────────┐
│ Attestation NOT │
│ required │
│ → Continue │
└─────────────────┘
Request: wire_transfer(amount=50000)
│
▼
┌─────────────────┐
│ Policy Check │
│ │
│ Attestation: │
│ manager_approval│
│ ::{amount>10000}│
└────────┬────────┘
│
▼
┌─────────────────┐
│ Evaluate: │
│ 50000 > 10000? │
│ = TRUE │
└────────┬────────┘
│
▼
┌─────────────────┐
│ Attestation IS │
│ required │
│ → Request/Check │
└─────────────────┘Condition Expressions
Conditions can reference parameters, principal attributes, and context state using standard comparison operators:
Condition References
| Reference | Description | Example |
|---|---|---|
| params.X | Invocation parameter | params.amount > 5000 |
| principal.X | Authenticated user attribute | principal.user_id == 'admin' |
| principal.has_role('X') | Role check | principal.has_role('manager') |
| principal.has_group('X') | Group membership check | principal.has_group('trading') |
| context.has_attestation('X') | Existing attestation check | context.has_attestation('mfa') |
Operators
| Operator | Description | Example |
|---|---|---|
| >, >=, <, <= | Numeric comparison | params.amount > 10000 |
| ==, != | Equality comparison | params.status == "active" |
| IN | Value in list | params.region IN ["EU", "UK"] |
| NOT IN | Value not in list | params.status NOT IN ["closed"] |
| AND | Logical AND | params.amount > 1000 AND params.region == "EU" |
| OR | Logical OR | params.priority == 'high' OR params.amount > 50000 |
| NOT, () | Negation, grouping | NOT principal.has_role('intern') |
{
"attestations": [
// Tiered approval based on amount
"team_lead_approval::{params.amount > 1000 AND params.amount <= 10000}",
"manager_approval::{params.amount > 10000 AND params.amount <= 50000}",
"director_approval::{params.amount > 50000}",
// Skip approval if user already has MFA attestation
"extra_verification::{NOT context.has_attestation('mfa_complete')}",
// Region-specific compliance
"gdpr_review::{params.region IN ['EU', 'UK', 'EEA'] AND params.data_type == 'PII'}"
]
}Reference Examples
Different reference types enable context-aware security controls:
Operation Parameters
Reference values passed to the operation via params.*:
// Operation: transfer(amount=5000, dest="ACCT-1")
{
"attestations": [
"approval::{params.amount > 1000}",
"external_review::{params.dest != 'internal'}"
]
}Principal & Context
Reference authenticated user attributes and workflow state:
{
"attestations": [
// Skip if user is a manager
"approval::{NOT principal.has_role('manager')}",
// Require if no prior MFA
"mfa::{NOT context.has_attestation('mfa_verified')}"
]
}Common Use Cases
Threshold-Based Approval
Require approval only when values exceed thresholds. Small transactions proceed automatically; large ones need sign-off.
Region-Specific Compliance
Apply compliance requirements based on data location or user region. GDPR checks for EU users, CCPA for California, etc.
Risk-Based Controls
Require additional verification for high-risk operations while allowing low-risk operations to proceed smoothly.
Data Classification
Apply different attestation requirements based on the sensitivity of the data being processed.
Combining with Internal/External
The conditional syntax works with both internal and external attestations:
Conditional + Internal
Require a workflow attestation only under certain conditions:
// Policy: validation required for external data
{
"attestations": [
"data_validated::{params.source == 'external'}"
]
}
// Tool sets this attestation after validation:
context.attestations.set(
"data_validated",
{"checksum": "abc123"},
max_uses=3
)Conditional + External
Require human approval only under certain conditions:
// Policy: manager approval for large amounts
{
"attestations": [
"manager_approval::{params.amount > 10000}"
],
"constraints": {
"attestations": {
"manager_approval": {
"approval_criteria": "role:manager",
"timeout": 300
}
}
}
}Best Practices
- -Keep conditions simple: Complex nested conditions are harder to audit and debug
- -Use meaningful thresholds: Base thresholds on business requirements, not arbitrary numbers
- -Document conditions: Add comments explaining why each condition exists
- -Test edge cases: Verify behavior at condition boundaries (e.g., amount = 10000 exactly)
- -Consider defaults: Think about what happens when the referenced parameter is missing