Documentation
¶
Overview ¶
Package enforcement provides the concrete Enforcement and Activator implementations that compose the safety subsystems (policy, rate limiting, dry-run, truncation, bootstrap) into the MCP server's pluggable interfaces.
This package sits between the protocol core (mcp) and the domain-specific safety packages, keeping both layers decoupled.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ErrConfirmationRequired = errors.New("confirmation token required")
ErrConfirmationRequired is returned by BeforeCall when a high-risk tool call (per mcp.RiskClass.IsHighRisk()) arrives without a confirmation token. It is the "you should preview first" signal — not a bug, not a policy denial, just a request for the operator's agent to round-trip through dry_run:true to obtain a token. See docs/adr/0018-risk-class-confirmation-tokens.md.
Functions ¶
This section is empty.
Types ¶
type Gate ¶
Gate implements mcp.Activator using policy and bootstrap.
func (*Gate) IsGroupAllowed ¶
IsGroupAllowed checks whether the policy permits activating a group.
func (*Gate) OnActivate ¶
OnActivate marks tools as visible in the bootstrap layer.
func (*Gate) OnDeactivate ¶ added in v1.2.1
OnDeactivate removes runtime visibility markers for dynamically registered tools.
type Pipeline ¶
type Pipeline struct {
Policy *policy.Policy
Bootstrap *bootstrap.Config
RateLimit *ratelimit.RateLimiter
DryRun dryrun.Config
Truncation truncate.Config
// Confirmation gates non-dry-run high-risk tool calls behind an
// HMAC token minted on the dry-run preview. nil disables the
// gate entirely (development / opted-out deployments); the
// runtime is responsible for emitting the deprecation/risk
// warning when nil is observed under a hosted profile. See
// docs/adr/0018-risk-class-confirmation-tokens.md.
Confirmation *confirmation.Signer
}
Pipeline implements mcp.Enforcement by composing the safety subsystems.
func (*Pipeline) AfterCall ¶
AfterCall applies post-processing (truncation) to a successful result.
Tool handlers return typed structs (e.g. ResultEnvelope) which the truncate package's type switch can't walk. We first marshal once to estimate the response size; under-budget results return unchanged. Over-budget results are JSON-roundtripped into a generic map[string]any / []any tree before calling Truncate so the walker sees the whole structure.
On marshal/unmarshal failure, local/default deployments fail open and return the original result unchanged. Hosted profiles set FailClosedOnError so a truncation failure returns a tool error instead of sending an over-budget payload to the client.
func (*Pipeline) BeforeCall ¶
func (p *Pipeline) BeforeCall(ctx context.Context, name string, args map[string]any, hints mcp.ToolHints, schema map[string]any, lookupHandler func(string) (mcp.ToolHandler, bool)) (any, func(), error)
BeforeCall runs the enforcement pipeline before a tool handler:
- Schema validation (W2-01)
- Policy gate
- Confirmation gate for high-risk non-dry-run calls (ADR 0018)
- Rate limit acquire
- Dry-run intercept / confirmation-token mint on high-risk dry-run