pub enum CompiledContextCondition {
Show 22 variants
TimeWindow {
start_hour: u8,
end_hour: u8,
days: Vec<u8>,
deny_reason: String,
},
MaxCalls {
tool_pattern: PatternMatcher,
max: u64,
deny_reason: String,
},
AgentId {
allowed: Vec<String>,
blocked: Vec<String>,
deny_reason: String,
},
RequirePreviousAction {
required_tool: String,
deny_reason: String,
},
ForbiddenPreviousAction {
forbidden_tool: String,
deny_reason: String,
},
MaxCallsInWindow {
tool_pattern: PatternMatcher,
max: u64,
window: usize,
deny_reason: String,
},
MaxChainDepth {
max_depth: usize,
deny_reason: String,
},
AgentIdentityMatch {
required_issuer: Option<String>,
required_subject: Option<String>,
required_audience: Option<String>,
required_claims: HashMap<String, String>,
blocked_issuers: Vec<String>,
blocked_subjects: Vec<String>,
require_attestation: bool,
deny_reason: String,
},
AsyncTaskPolicy {
max_concurrent: usize,
max_duration_secs: u64,
require_self_cancel: bool,
deny_reason: String,
},
ResourceIndicator {
allowed_resources: Vec<PatternMatcher>,
require_resource: bool,
deny_reason: String,
},
CapabilityRequired {
required_capabilities: Vec<String>,
blocked_capabilities: Vec<String>,
deny_reason: String,
},
StepUpAuth {
required_level: u8,
deny_reason: String,
},
CircuitBreaker {
tool_pattern: PatternMatcher,
deny_reason: String,
},
DeputyValidation {
require_principal: bool,
max_delegation_depth: u8,
deny_reason: String,
},
ShadowAgentCheck {
require_known_fingerprint: bool,
min_trust_level: u8,
deny_reason: String,
},
SchemaPoisoningCheck {
mutation_threshold: f32,
deny_reason: String,
},
MinVerificationTier {
required_tier: u8,
deny_reason: String,
},
RequireCapabilityToken {
required_issuers: Vec<String>,
min_remaining_depth: u8,
deny_reason: String,
},
SessionStateRequired {
allowed_states: Vec<String>,
deny_reason: String,
},
RequiredActionSequence {
sequence: Vec<String>,
ordered: bool,
deny_reason: String,
},
ForbiddenActionSequence {
sequence: Vec<String>,
ordered: bool,
deny_reason: String,
},
WorkflowTemplate {
adjacency: HashMap<String, Vec<String>>,
governed_tools: HashSet<String>,
entry_points: Vec<String>,
strict: bool,
deny_reason: String,
},
}Expand description
A pre-compiled context condition for session-level policy evaluation.
Context conditions are checked after tool match and path/network rules,
but before policy type dispatch. They require an vellaveto_types::EvaluationContext
to evaluate — when no context is provided, all context conditions are skipped.
Variants§
TimeWindow
Allow tool calls only within a time window.
Fields
MaxCalls
Limit how many times a tool (or tool pattern) can be called per session.
AgentId
Restrict which agent identities can use this policy.
RequirePreviousAction
Require that a specific tool was called earlier in the session.
ForbiddenPreviousAction
Deny if a specific tool was called earlier in the session.
Inverse of RequirePreviousAction — detects forbidden sequences like
read-then-exfiltrate (if read_file was called, deny http_request).
Fields
MaxCallsInWindow
Deny if a tool pattern appears more than max times in the last window
entries of the session history.
Provides sliding-window rate limiting without requiring wall-clock
timestamps. A window of 0 means the entire session history.
Fields
tool_pattern: PatternMatcherMaxChainDepth
OWASP ASI08: Limit the depth of multi-agent call chains.
In multi-hop MCP scenarios, an agent can request another agent to perform actions on its behalf. This condition limits how deep such chains can go to prevent privilege escalation through agent chaining.
Fields
AgentIdentityMatch
OWASP ASI07: Match on cryptographically attested agent identity claims.
Requires a valid X-Agent-Identity JWT header. Policies can match on:
issuer: Required JWT issuer (issclaim)subject: Required JWT subject (subclaim)audience: Required audience (audclaim must contain this value)claims.<key>: Custom claim matching (e.g.,claims.role == "admin")
Unlike AgentId which matches on a simple string, this condition provides
cryptographic attestation of the agent’s identity via JWT signature verification.
Fields
required_audience: Option<String>Required audience. If set, the identity’s aud claim must contain this value.
required_claims: HashMap<String, String>Required custom claims. All specified claims must match. Keys are claim names, values are expected string values.
AsyncTaskPolicy
MCP 2025-11-25: Async task lifecycle policy.
Controls the creation and cancellation of async MCP tasks. Policies can:
- Limit maximum concurrent tasks per session/agent
- Set maximum task duration before automatic expiry
- Restrict task cancellation to the creating agent only
Fields
ResourceIndicator
RFC 8707: OAuth 2.0 Resource Indicator validation.
Validates that OAuth tokens include the expected resource indicators. Resource indicators prevent token replay attacks by binding tokens to specific API endpoints or resource servers.
Fields
allowed_resources: Vec<PatternMatcher>Patterns for allowed resource URIs. Supports glob patterns. If non-empty, at least one pattern must match the token’s resource.
CapabilityRequired
CIMD: Capability-Indexed Message Dispatch.
MCP 2025-11-25 introduces capability negotiation. This condition checks that the client has declared the required capabilities and has not declared any blocked capabilities.
Fields
required_capabilities: Vec<String>Capabilities that must be declared by the client. All listed capabilities must be present.
StepUpAuth
Step-up authentication trigger.
When the current authentication level is below the required level, the policy triggers a step-up authentication challenge instead of denying outright. This allows sensitive operations to require stronger authentication without blocking the session.
Fields
CircuitBreaker
Circuit breaker check (OWASP ASI08).
Prevents cascading failures by temporarily blocking requests to tools that have been failing. The circuit breaker pattern has three states: Closed (normal), Open (blocking), HalfOpen (testing).
Fields
tool_pattern: PatternMatcherPattern to match tool names for circuit breaker tracking.
DeputyValidation
Confused deputy validation (OWASP ASI02).
Validates that the current principal is authorized to perform the requested action, preventing confused deputy attacks where a privileged agent is tricked into acting on behalf of an unprivileged attacker.
Fields
ShadowAgentCheck
Shadow agent detection.
Detects when an unknown agent claims to be a known agent, indicating potential impersonation or shadow agent attack. Fingerprints agents based on JWT claims, client ID, and IP.
Fields
SchemaPoisoningCheck
Schema poisoning protection (OWASP ASI05).
Tracks tool schema changes over time and alerts or blocks when schemas change beyond the configured threshold. Prevents rug-pull attacks where tool behavior changes maliciously.
Fields
MinVerificationTier
Minimum verification tier enforcement.
Requires the agent’s verification tier to meet or exceed a minimum level. Fail-closed: if no verification tier is present in the context, denies.
Fields
RequireCapabilityToken
Capability-based delegation token enforcement.
Requires a valid capability token to be present in the evaluation context. Checks that the token’s holder matches the agent_id, and optionally restricts which issuers are trusted and requires minimum delegation depth.
§Security (MCP Gap #3 — Capability Delegation)
- Fail-closed: missing token = Deny
- Holder must match agent_id (prevents token theft)
- Issuer allowlist prevents unauthorized token sources
- Grant coverage is verified by the proxy layer before attaching to context
Fields
SessionStateRequired
Session state requirement (Phase 23.5).
Only allows actions when the session is in one of the specified states. Fail-closed: if no session_state is present in context, denies.
Fields
RequiredActionSequence
Require an ordered (or unordered) sequence of tools in session history.
Ordered: subsequence match — tools must appear in order, not necessarily consecutive (e.g., A→C→B history matches A→B sequence). Unordered: all tools must appear anywhere in history (set semantics).
Max 20 steps. Fail-closed: empty/shorter history → Deny.
Fields
ForbiddenActionSequence
Deny if a sequence of tools has appeared in session history.
Ordered: subsequence match — if all tools found in order → Deny. Unordered: if all tools present anywhere → Deny.
Max 20 steps. Empty history → Allow (nothing forbidden yet).
§Known limitation (FIND-CREATIVE-004)
previous_actions is bounded at MAX_PREVIOUS_ACTIONS (10,000 entries).
If an attacker performs the forbidden prefix actions and then issues enough
additional tool calls to push the prefix out of the retained history window,
the forbidden sequence will no longer be detected. This is an inherent
trade-off of bounded history. When the history is at capacity, a warning
is emitted so operators can investigate or increase monitoring. Consider
pairing ForbiddenActionSequence with ForbiddenPreviousAction for
individual high-risk tools that must never appear at all.
Fields
WorkflowTemplate
Workflow template: DAG of allowed tool transitions.
Non-governed tools pass through (no restriction). Governed tools must follow the DAG edges: the current tool must be a valid successor of the most recent governed tool in history, or an entry point if no governed tool has been called yet.
Max 50 steps. Cycles rejected at compile time via Kahn’s algorithm.
Trait Implementations§
Source§impl Clone for CompiledContextCondition
impl Clone for CompiledContextCondition
Source§fn clone(&self) -> CompiledContextCondition
fn clone(&self) -> CompiledContextCondition
1.0.0 · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more