enforcement

package
v1.2.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 12, 2026 License: MIT Imports: 19 Imported by: 0

Documentation

Overview

Package enforcement provides the concrete Enforcement and Activator implementations that compose the safety subsystems (policy, rate limiting, dry-run, truncation, bootstrap) into the MCP server's pluggable interfaces.

This package sits between the protocol core (mcp) and the domain-specific safety packages, keeping both layers decoupled.

Index

Constants

This section is empty.

Variables

View Source
var ErrConfirmationRequired = errors.New("confirmation token required")

ErrConfirmationRequired is returned by BeforeCall when a high-risk tool call (per mcp.RiskClass.IsHighRisk()) arrives without a confirmation token. It is the "you should preview first" signal — not a bug, not a policy denial, just a request for the operator's agent to round-trip through dry_run:true to obtain a token. See docs/adr/0018-risk-class-confirmation-tokens.md.

Functions

This section is empty.

Types

type Gate

type Gate struct {
	Policy    *policy.Policy
	Bootstrap *bootstrap.Config
}

Gate implements mcp.Activator using policy and bootstrap.

func (*Gate) Clone

func (g *Gate) Clone() *Gate

func (*Gate) IsGroupAllowed

func (g *Gate) IsGroupAllowed(group string) bool

IsGroupAllowed checks whether the policy permits activating a group.

func (*Gate) OnActivate

func (g *Gate) OnActivate(names []string)

OnActivate marks tools as visible in the bootstrap layer.

func (*Gate) OnDeactivate added in v1.2.1

func (g *Gate) OnDeactivate(names []string)

OnDeactivate removes runtime visibility markers for dynamically registered tools.

type Pipeline

type Pipeline struct {
	Policy     *policy.Policy
	Bootstrap  *bootstrap.Config
	RateLimit  *ratelimit.RateLimiter
	DryRun     dryrun.Config
	Truncation truncate.Config
	// Confirmation gates non-dry-run high-risk tool calls behind an
	// HMAC token minted on the dry-run preview. nil disables the
	// gate entirely (development / opted-out deployments); the
	// runtime is responsible for emitting the deprecation/risk
	// warning when nil is observed under a hosted profile. See
	// docs/adr/0018-risk-class-confirmation-tokens.md.
	Confirmation *confirmation.Signer
}

Pipeline implements mcp.Enforcement by composing the safety subsystems.

func (*Pipeline) AfterCall

func (p *Pipeline) AfterCall(result any) (any, error)

AfterCall applies post-processing (truncation) to a successful result.

Tool handlers return typed structs (e.g. ResultEnvelope) which the truncate package's type switch can't walk. We first marshal once to estimate the response size; under-budget results return unchanged. Over-budget results are JSON-roundtripped into a generic map[string]any / []any tree before calling Truncate so the walker sees the whole structure.

On marshal/unmarshal failure, local/default deployments fail open and return the original result unchanged. Hosted profiles set FailClosedOnError so a truncation failure returns a tool error instead of sending an over-budget payload to the client.

func (*Pipeline) BeforeCall

func (p *Pipeline) BeforeCall(ctx context.Context, name string, args map[string]any, hints mcp.ToolHints, schema map[string]any, lookupHandler func(string) (mcp.ToolHandler, bool)) (any, func(), error)

BeforeCall runs the enforcement pipeline before a tool handler:

  1. Schema validation (W2-01)
  2. Policy gate
  3. Confirmation gate for high-risk non-dry-run calls (ADR 0018)
  4. Rate limit acquire
  5. Dry-run intercept / confirmation-token mint on high-risk dry-run

func (*Pipeline) Clone

func (p *Pipeline) Clone() *Pipeline

func (*Pipeline) FilterTool

func (p *Pipeline) FilterTool(name string, hints mcp.ToolHints) bool

FilterTool reports whether a tool should be listed in tools/list.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL