Documentation
¶
Overview ¶
Package enforcement provides the concrete Enforcement and Activator implementations that compose the safety subsystems (policy, rate limiting, dry-run, truncation, bootstrap) into the MCP server's pluggable interfaces.
This package sits between the protocol core (mcp) and the domain-specific safety packages, keeping both layers decoupled.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Gate ¶
Gate implements mcp.Activator using policy and bootstrap.
func (*Gate) IsGroupAllowed ¶
IsGroupAllowed checks whether the policy permits activating a group.
func (*Gate) OnActivate ¶
OnActivate marks tools as visible in the bootstrap layer.
func (*Gate) OnDeactivate ¶ added in v1.2.1
OnDeactivate removes runtime visibility markers for dynamically registered tools.
type Pipeline ¶
type Pipeline struct {
Policy *policy.Policy
Bootstrap *bootstrap.Config
RateLimit *ratelimit.RateLimiter
DryRun dryrun.Config
Truncation truncate.Config
}
Pipeline implements mcp.Enforcement by composing the safety subsystems.
func (*Pipeline) AfterCall ¶
AfterCall applies post-processing (truncation) to a successful result.
Tool handlers return typed structs (e.g. ResultEnvelope) which the truncate package's type switch can't walk. We first marshal once to estimate the response size; under-budget results return unchanged. Over-budget results are JSON-roundtripped into a generic map[string]any / []any tree before calling Truncate so the walker sees the whole structure.
On marshal/unmarshal failure, local/default deployments fail open and return the original result unchanged. Hosted profiles set FailClosedOnError so a truncation failure returns a tool error instead of sending an over-budget payload to the client.
func (*Pipeline) BeforeCall ¶
func (p *Pipeline) BeforeCall(ctx context.Context, name string, args map[string]any, hints mcp.ToolHints, schema map[string]any, lookupHandler func(string) (mcp.ToolHandler, bool)) (any, func(), error)
BeforeCall runs the enforcement pipeline before a tool handler:
- Schema validation (W2-01)
- Policy gate
- Rate limit acquire
- Dry-run intercept