
Policy

Build and evaluate attestation policies.

Decision dataclass

Decision(outcome: str, reason: str, message: str)

Result of evaluating a policy against a context.

Supports boolean evaluation: writing "if decision:" is equivalent to writing "if decision.allowed:".

outcome instance-attribute

outcome: str

Policy result: "allow" or "deny".

reason instance-attribute

reason: str

Short machine-readable reason (e.g. "revoked", "capability_missing").

message instance-attribute

message: str

Human-readable explanation of the decision.

outcome_enum property

outcome_enum: Outcome

Parse the outcome string into a typed Outcome enum.

reason_enum property

reason_enum: ReasonCode

Parse the reason string into a typed ReasonCode enum.

PolicyBuilder

PolicyBuilder()

Fluent builder for Auths access policies.

Examples:

policy = PolicyBuilder.standard("sign_commit").build()

policy = (PolicyBuilder()
    .not_revoked()
    .not_expired()
    .require_capability("sign_commit")
    .require_issuer("did:keri:EOrg123")
    .build())

standard classmethod

standard(capability: str) -> PolicyBuilder

The "80% policy": not revoked, not expired, requires one capability.

from_json classmethod

from_json(json_str: str) -> PolicyBuilder

Reconstruct a PolicyBuilder from a JSON policy expression.

Parameters:

  • json_str (str) –

    JSON string from to_json() or config files.

Returns:

  • PolicyBuilder

    A new PolicyBuilder with the parsed predicates.

Examples:

builder = PolicyBuilder.from_json(stored_json)
policy = builder.build()

available_predicates classmethod

available_predicates() -> list[str]

Return the list of available predicate method names.

available_presets classmethod

available_presets() -> list[str]

Return the list of available preset policy names.

any_of classmethod

any_of(*builders: PolicyBuilder) -> PolicyBuilder

Create a policy that passes if ANY of the given policies pass.

expires_after

expires_after(seconds: int) -> PolicyBuilder

Require that at least the given number of seconds of validity remain.

issued_within

issued_within(seconds: int) -> PolicyBuilder

Require that the attestation was issued within the last given number of seconds.

or_policy

or_policy(other: PolicyBuilder) -> PolicyBuilder

Combine with another policy using OR logic.

negate

negate() -> PolicyBuilder

Negate the entire policy (all current predicates).

build

build() -> CompiledPolicy

Compile the policy. Raises ValueError on invalid combinations.

to_json

to_json() -> str

Export the policy as JSON (for storage in config files).
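
How expires_after and issued_within tighten the standard checks, modelled in plain Python as an added example. This is not Auths code: the Attestation shape, the evaluate helper and every reason code except "revoked" and "capability_missing" are assumptions made for illustration.

```python
# Added illustration: a stand-in model, not the Auths implementation.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Decision:                      # mirrors only the documented fields
    outcome: str
    reason: str
    message: str
    def __bool__(self):              # "if decision:" means "allowed"
        return self.outcome == "allow"

@dataclass(frozen=True)
class Attestation:                   # hypothetical context, constructed here
    issued_at: int                   # Unix seconds
    expires_at: int
    revoked: bool
    capabilities: frozenset

def evaluate(att, now, capability, min_remaining=0, max_age=None):
    """Model standard(capability) plus expires_after / issued_within.

    Reason codes other than "revoked" and "capability_missing" are
    constructed for this example.
    """
    def deny(reason, message):
        return Decision("deny", reason, message)
    if att.revoked:
        return deny("revoked", "attestation was revoked")
    if now >= att.expires_at:
        return deny("expired", "attestation is past its expiry")
    if capability not in att.capabilities:
        return deny("capability_missing", f"{capability!r} was not granted")
    if att.expires_at - now < min_remaining:      # expires_after(seconds)
        return deny("insufficient_ttl", "too little validity remains")
    if max_age is not None and now - att.issued_at > max_age:  # issued_within
        return deny("too_old", "attestation was issued too long ago")
    return Decision("allow", "ok", "all predicates passed")

# Constructed sample: issued at t=1000, valid for one hour.
ATT = Attestation(1000, 4600, False, frozenset({"sign_commit"}))

if __name__ == "__main__":
    for kwargs in ({}, {"min_remaining": 900}, {"max_age": 1800}):
        d = evaluate(ATT, now=4000, capability="sign_commit", **kwargs)
        print(kwargs, "->", d.outcome, d.reason)
    print(evaluate(replace(ATT, revoked=True), 4000, "sign_commit").reason)
```

An attestation that passes the plain not-expired check at t=4000 is still denied once a 900-second remaining-validity margin or an 1800-second maximum age is required.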