docs(conditions): Add LLM-friendly authoring resources#12
Open
docs(conditions): Add LLM-friendly authoring resources#12
Conversation
Adds six new pages under conditions/ aimed at developers (and their LLMs) authoring conditions hands-off: - building-with-llms: workflow, prompt template, iteration loop - cookbook: 22 worked JSON examples covering every condition type - discord-tipping-bot-deep-dive: annotated walkthrough of a complex Action Control condition (addresses anonymised) - context-variables: cheatsheet of built-ins, naming rules, gotchas - validating-conditions: 40-line script + usage - troubleshooting: common Zod errors mapped to fixes Schema reference is linked directly to taco-web signing-epic so it stays the source of truth without drift. README and SUMMARY updated to surface the new pages.
Drop "most complex/intricate" language and "TACo supports today" phrasing from the deep-dive and cookbook. Conditions are arbitrarily expressive; the example is illustrative, not a ceiling.
Cookbook examples are now copy-paste runnable through
validate-conditions.ts, which expects the full
{ "version": "1.0.0", "condition": {...} } shape that
ConditionExpression.fromObj parses.
Also drop a stray Collab.Land reference in example 12.
Adds links and integration snippets for the JSON Schema variant of the condition schema (sibling to condition-schemas.md), which lands in nucypher/taco-web#772. Covers three integration points: - Editor inline validation via $schema in conditions.json - LLM structured output via tool input_schema - Standalone validation in any language via ajv / jsonschema / etc. building-with-llms gains a JSON Schema integration section. validating-conditions clarifies when to use JSON Schema vs the TypeScript script. README and cookbook pick up shorter pointer notes.
derekpierre
reviewed
Apr 9, 2026
|
|
||
| ## Source | ||
|
|
||
| A reference copy of this script lives in [`discord-taco-web/scripts/validate-conditions.ts`](https://github.com/nucypher/discord-taco-web/blob/main/scripts/validate-conditions.ts) and is used by the Discord tipping bot integration in CI. |
Member
There was a problem hiding this comment.
Is this URL correct? Is this script actually available somewhere in signing-epic or main?
Contributor
Author
There was a problem hiding this comment.
yeah that should be on theref repo, my bad. the script is doing anything fancy https://github.com/theref/discord-taco-web/blob/main/scripts/validate-conditions.ts
Member
There was a problem hiding this comment.
If the script is tested and works well, you can add it to the nucypher/taco-web repos.
Member
There was a problem hiding this comment.
Once this URL is fixed, I can approve.
cygnusv
approved these changes
Apr 10, 2026
Member
cygnusv
left a comment
cygnusv
left a comment
There was a problem hiding this comment.
Great work! My only comment is that my agent friend thought that information is scattered through several files. I created a single skill file that summarizes the process and references these new additions to the docs, although I'm not sure what's the best place to share this.
7 tasks
derekpierre
requested changes
Apr 14, 2026
Member
There was a problem hiding this comment.
Nice work
- Important comment about
"then": truenot being valid for anifThenElseCondition. - Not in this PR, but we'll need a follow-up PR down the road to update the URLs that use the
signing-epicbranch to point tomainoncesigning-epicgets merged and released.
| You are helping me author a TACo condition in JSON. | ||
|
|
||
| Reference material (please read before writing any condition): | ||
| - Schema (source of truth): https://github.com/nucypher/taco-web/blob/signing-epic/packages/taco/schema-docs/condition-schemas.md |
Member
There was a problem hiding this comment.
Do you want to use the json schema file here?
|
|
||
| ## Built-in context variables | ||
|
|
||
| These are automatically populated by the SDK or by the network. You do **not** need to set them yourself. |
Member
There was a problem hiding this comment.
We might need to clarify this a bit; a few clariifications:
- ":signingConditionObject" is the only context var that is automatically populated and does not need to be added to the condition context
- ":userAddress" is a context variable (reserved) whose value can only be provided by an
AuthProviderat request time - ":message", ":signature", ":jwtToken" are default context variables used by ECDSACondition/JWTCondition, but they are not "automatically populated", and they don;t have to be used i.e. the "context variable" for those entries can be called anything, but there is a default value if you don't want to specify your own. This is important because if you had multiple JWTConditions as part of the same condition, you don't necessarily need the same token to be used for both, each can use their own context variable for differentiating what token is for what condition. Same for ECDSACondition.
| 9. [JsonRpcCondition — arbitrary JSON-RPC call](#9-jsonrpccondition--arbitrary-json-rpc) | ||
| 10. [JsonCondition — querying a passed-in payload](#10-jsoncondition--querying-a-context-payload) | ||
| 11. [JwtCondition — verify a signed JWT](#11-jwtcondition--verify-a-jwt) | ||
| 12. [EcdsaCondition — verify a signature](#12-ecdsacondition--verify-an-ed25519-signature) |
Member
There was a problem hiding this comment.
Suggested change
| 12. [EcdsaCondition — verify a signature](#12-ecdsacondition--verify-an-ed25519-signature) | |
| 12. [EcdsaCondition — verify an ECDSA signature](#12-ecdsacondition--verify-an-ed25519-signature) |
Comment on lines
+27
to
+28
| 13. [SigningObjectAttributeCondition — UserOperation field check](#13-signingobjectattributecondition--useroperation-field-check) | ||
| 14. [SigningObjectAbiAttributeCondition — UserOperation calldata check](#14-signingobjectabiattributecondition--validate-calldata) |
Member
There was a problem hiding this comment.
We should mention that this only applies to TACo Action Control, since signing specific.
|
|
||
| ```json | ||
| { | ||
| "version": "1.0.0", |
Member
There was a problem hiding this comment.
I think we should be careful here and use best practice type of examples i.e. having the requester specify the context variable for the wallet address is a bit awkward and not that practical/safe.
Instead you could use a hardcoded solana address for the param, or a blocktime rpc call - both examples can be seen here - https://github.com/nucypher/nucypher/blob/main/tests/acceptance/conditions/test_conditions.py#L907
|
|
||
| ## 13. `SigningObjectAttributeCondition` — UserOperation field check | ||
|
|
||
| Used in TACo Action Control. Validate that an attribute on the object being signed (e.g. an ERC-4337 `UserOperation`) matches an expected value. |
| "parameters": [":userAddress"], | ||
| "returnValueTest": { "comparator": ">", "value": 0 } | ||
| }, | ||
| "thenCondition": true, |
Member
There was a problem hiding this comment.
This is not valid.
Only the else condition can have a boolean, "then" must be a condition.
export const ifThenElseConditionSchema: z.ZodSchema = z.lazy(() =>
baseConditionSchema
.extend({
conditionType: z
.literal(IfThenElseConditionType)
.default(IfThenElseConditionType),
ifCondition: anyConditionSchema,
thenCondition: anyConditionSchema,
elseCondition: z.union([anyConditionSchema, z.boolean()]),
})
Comment on lines
+518
to
+528
| "conditionType": "rpc", | ||
| "chain": 1, | ||
| "method": "eth_getBalance", | ||
| "parameters": [":userAddress", "latest"], | ||
| "returnValueTest": { | ||
| "comparator": "in", | ||
| "value": [ | ||
| "0xALLOWED_ADDRESS_1", | ||
| "0xALLOWED_ADDRESS_2", | ||
| "0xALLOWED_ADDRESS_3" | ||
| ] |
Member
There was a problem hiding this comment.
Not sure this makes sense. The balance (integer) is in a list of addresses?
Did you mean to use a ContextVariableCondition where the :userAddress context variable is in a list of allowed addresses?
| "query": "$.current.rain", | ||
| "returnValueTest": { "comparator": ">", "value": 0 } | ||
| }, | ||
| "thenCondition": true, |
Member
There was a problem hiding this comment.
Same comment here about this not being valid.
| - Whether the JSON API endpoint will return data in the shape your JSONPath expects | ||
| - Whether the user will satisfy the condition at decryption time | ||
|
|
||
| For end-to-end testing, use the [TACo Playground](https://playground.taco.build/) or a local testnet (see [Quickstart](../../../access-control/quickstart-testnet.md)). |
Member
There was a problem hiding this comment.
I don't think the TACo playground is up to date. Not sure our plan here. I guess validation as part of the playground is simpler to update than allowing creation of conditions...?
derekpierre
reviewed
Apr 14, 2026
| - Output a single JSON object (no prose around it) when I ask for a condition. | ||
| - Every field must exist in the schema. Do not invent fields. | ||
| - Context variables start with ":" and match /^:[a-zA-Z_][a-zA-Z0-9_]*$/. | ||
| - CompoundCondition: max 5 operands, max 2 levels of nesting. |
Member
There was a problem hiding this comment.
Couple things here:
- Nested levals were increased from 2 to 4 - feat(conditions): add exponent operator and expand condition limits nucypher#3683, nucypher/taco-web@32f3673
- Nested levels apply to
MultiConditionsi.e. CompoundCondition, IfThenElse, and SequentialCondition
There may be other spots in this PR where "2 levels of nesting" is mentioned.
(cc @cygnusv for also reflecting this in PR nucypher/taco-web#774)
- Cookbook §18 and §21: replace invalid `"thenCondition": true` with real conditions. Only `elseCondition` accepts a boolean in the if-then-else schema. - Cookbook §19: fix NFT-or-allowlist example — replace the broken `eth_getBalance` + `"comparator": "in"` against an address list with a `ContextVariableCondition` on `:userAddress` (the shape `AddressAllowlistCondition` wraps internally). - Cookbook §9 (Solana JsonRpcCondition): hard-code the account address instead of accepting it via `:solanaAddress`. Added a note on when an authenticated channel would be the right pattern. - Cookbook §11 / §12: note that `:jwtToken`, `:message`, and `:signature` are default names that can be renamed — important when a single condition has multiple Jwt/Ecdsa children. - Cookbook §12: retitle as "verify an ECDSA signature" and clarify that `":timestamp:discordPayload"` is a concatenation of two context variables. - Cookbook §13 / §14 / TOC: mark signing-* entries as TACo Action Control only. - Update nesting limit across cookbook §16, building-with-llms prompt template, validating-conditions catch-list, and troubleshooting: 4 levels, counted collectively across CompoundCondition, IfThenElseCondition, and SequentialCondition (per nucypher/nucypher#3683 and taco-web 32f3673). - context-variables: restructure the built-in table to distinguish auto-populated (`:signingConditionObject` only), reserved (`:userAddress`, provided by AuthProvider at request time), and default names (`:message`, `:signature`, `:jwtToken`, which can be overridden). - building-with-llms: reference the JSON Schema export as the primary machine-readable source of truth in the LLM prompt template, with the markdown version alongside. - validating-conditions: fix the script source URL to point at theref/discord-taco-web (where it actually lives) with a note that the link will move once promoted into nucypher/taco-web. - Drop TACo Playground references across validating-conditions, troubleshooting, and building-with-llms — the playground is not currently up to date with signing-epic features. Point readers at the local testnet Quickstart instead.
Member
|
Opened nucypher/taco-web#775 to track updating docs and skill file when signing epic is merged |
Source-verification against taco-web signing-epic surfaced two inaccuracies in the previous commit's context-variables table: - `:nullAddress` is also auto-injected by the node (see `AUTOMATICALLY_INJECTED_CONTEXT_PARAMS` in `taco-web/packages/taco/src/conditions/context/context.ts`) — the previous table claimed `:signingConditionObject` was the only auto-populated variable. Added `:nullAddress` as a row. - Attribution: auto-injection happens on the node side at evaluation time, not by a client-side "signing flow". Reworded accordingly and linked the source file as the authority for future drift.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
TACo conditions are becoming the primary integration surface, and adopters increasingly author them with LLM assistance. This PR adds six new pages under
for-developers/taco-sdk/references/conditions/designed to make hands-off, LLM-driven condition authoring reliable.The schema reference is linked to `taco-web` `signing-epic` rather than vendored, so it remains the auto-generated source of truth.
`SUMMARY.md` and `conditions/README.md` updated to surface the new pages.
Notes for review
Test plan