Package governance

v0.5.4 Latest

Warning: This package is not in the latest version of its module.

Published: Jun 2, 2026 License: MIT Imports: 11 Imported by: 0

Documentation

Constants

const (
	ListNoAI                 = "no_ai"
	ListNotificationRequired = "notification_required"

	// NoExclusionsConfigSHA256 is the stable fingerprint for the explicit
	// operator contract that declares no customer governance exclusions.
	NoExclusionsConfigSHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
)

Variables

This section is empty.

Functions

func NoExclusionsConfigFingerprint added in v0.5.4

func NoExclusionsConfigFingerprint() string

NoExclusionsConfigFingerprint returns the stable config fingerprint for the explicit no-exclusions operator contract.

func NormalizeName

func NormalizeName(value string) string

func RuleHash added in v0.4.0

func RuleHash(configFingerprint string, matchedLists []string) string

Types

type Audit

type Audit struct {
	ConfigEntries       int      `json:"config_entries"`
	ConfigAliases       int      `json:"config_aliases"`
	CandidateValues     int      `json:"candidate_values"`
	MatchedEntries      []Match  `json:"matched_entries"`
	UnmatchedEntries    []Target `json:"unmatched_entries"`
	SuppressedCallIDs   []string `json:"suppressed_call_ids,omitempty"`
	SuppressedCallCount int      `json:"suppressed_call_count"`
}

func AuditCandidates

func AuditCandidates(candidates []Candidate, cfg *Config) *Audit

func BuildAudit

func BuildAudit(ctx context.Context, store CandidateStore, cfg *Config) (*Audit, error)

type BlocklistGuard added in v0.4.0

type BlocklistGuard struct {
	// contains filtered or unexported fields
}

BlocklistGuard is a normalized, read-only view over the blocklist/restricted names that defend MCP serialization paths from emitting customer-identifying values when source-to-serving redaction or scoped-reader grants miss a row.

The guard is intentionally simple: it normalizes input the same way AuditCandidates does (NormalizeName), then reports whether a value contains any blocklisted target as a whole-word substring. It is not a primary authorization layer — it backs up the source-to-serving redaction and the MCP account-query gate.

func NewBlocklistGuard added in v0.4.0

func NewBlocklistGuard(rawTerms []string) *BlocklistGuard

NewBlocklistGuard builds a guard from raw restricted-name strings. Empty or blank entries are dropped. The guard preserves only the normalized form so callers can audit it without leaking original casing back through logs.

func NewBlocklistGuardFromConfig added in v0.4.0

func NewBlocklistGuardFromConfig(cfg *Config) *BlocklistGuard

NewBlocklistGuardFromConfig is a convenience that wraps NewBlocklistGuard over every list+alias target in the supplied governance Config.

func (*BlocklistGuard) Empty added in v0.4.0

func (g *BlocklistGuard) Empty() bool

Empty reports whether the guard has no blocklist terms loaded. A nil guard is treated as empty.

func (*BlocklistGuard) MatchAny added in v0.4.0

func (g *BlocklistGuard) MatchAny(values []string) bool

MatchAny reports whether any of the supplied values matches a blocklisted target.

func (*BlocklistGuard) MatchValue added in v0.4.0

func (g *BlocklistGuard) MatchValue(value string) bool

MatchValue reports whether the given value contains any blocklisted target as a whole-word substring after NormalizeName. Empty/blank input is never a match.

func (*BlocklistGuard) TermCount added in v0.4.0

func (g *BlocklistGuard) TermCount() int

TermCount returns the number of distinct normalized terms loaded into the guard. The terms themselves are not exposed so callers cannot accidentally log them.
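The guard behaviour described above (normalize the input, then report whether it contains a blocklisted target as a whole-word substring, keeping only normalized terms so nothing leaks through logs) is shown below as an added, stand-alone example written for this page; it is not the package's own code. The package's NormalizeName is not documented here, so the example assumes a lowercase, trimmed, whitespace-collapsed normalization (normalizeName) and treats letters and digits as word characters; the Guard type and its methods are hypothetical stand-ins for BlocklistGuard. It also checks that the page's NoExclusionsConfigSHA256 constant equals the SHA-256 of empty input, so a fingerprint field holding that value is distinguishable from the fingerprint of any non-empty config file.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// NoExclusionsConfigSHA256 is copied from the page's constants block.
const NoExclusionsConfigSHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

// EmptyInputFingerprint returns the hex SHA-256 of zero bytes, which is the
// well-known value the page's no-exclusions constant carries.
func EmptyInputFingerprint() string {
	sum := sha256.Sum256(nil)
	return hex.EncodeToString(sum[:])
}

// normalizeName is an assumed normalization: lowercase, trim, and collapse
// runs of whitespace to a single space. The package's NormalizeName may differ.
func normalizeName(v string) string {
	return strings.Join(strings.Fields(strings.ToLower(strings.TrimSpace(v))), " ")
}

// Guard stores only normalized terms; the raw strings are never retained,
// mirroring the design note that original casing must not reach logs.
type Guard struct {
	terms map[string]struct{}
}

// NewGuard builds a guard from raw restricted names, dropping blank entries.
func NewGuard(raw []string) *Guard {
	g := &Guard{terms: map[string]struct{}{}}
	for _, r := range raw {
		if n := normalizeName(r); n != "" {
			g.terms[n] = struct{}{}
		}
	}
	return g
}

// Empty treats a nil guard as empty, as the page documents for BlocklistGuard.
func (g *Guard) Empty() bool { return g == nil || len(g.terms) == 0 }

// TermCount exposes only the number of terms, never the terms themselves.
func (g *Guard) TermCount() int {
	if g == nil {
		return 0
	}
	return len(g.terms)
}

// isWordRune: letters and digits form words; anything else is a boundary.
func isWordRune(r rune) bool { return unicode.IsLetter(r) || unicode.IsDigit(r) }

// containsWholeWord reports whether term occurs in text with a non-word rune
// (or the string edge) immediately before and after it.
func containsWholeWord(text, term string) bool {
	start := 0
	for {
		idx := strings.Index(text[start:], term)
		if idx < 0 {
			return false
		}
		i := start + idx
		j := i + len(term)
		before, _ := utf8.DecodeLastRuneInString(text[:i])
		after, _ := utf8.DecodeRuneInString(text[j:])
		if (i == 0 || !isWordRune(before)) && (j == len(text) || !isWordRune(after)) {
			return true
		}
		start = i + 1
	}
}

// MatchValue normalizes the value, then tests every term as a whole-word
// substring. Blank input and an empty (or nil) guard never match.
func (g *Guard) MatchValue(value string) bool {
	if g.Empty() {
		return false
	}
	n := normalizeName(value)
	if n == "" {
		return false
	}
	for t := range g.terms {
		if containsWholeWord(n, t) {
			return true
		}
	}
	return false
}

// MatchAny reports whether any supplied value matches a blocklisted term.
func (g *Guard) MatchAny(values []string) bool {
	for _, v := range values {
		if g.MatchValue(v) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample terms and serialization candidates, not real customer data.
	g := NewGuard([]string{"  Acme Corp ", "", "Globex"})
	for _, v := range []string{"Meeting with ACME   corp about renewal", "globexx", "globex-2024", "   "} {
		fmt.Printf("%q -> match=%v\n", v, g.MatchValue(v))
	}
	fmt.Println("terms loaded:", g.TermCount())
	fmt.Println("no-exclusions fingerprint is sha256(\"\"):", EmptyInputFingerprint() == NoExclusionsConfigSHA256)
}
```

Note that "globexx" does not match while "globex-2024" does: the whole-word rule prevents a short restricted name from firing inside unrelated longer tokens, while still catching the name when it is delimited by punctuation.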

type Candidate

type Candidate struct {
	CallID string
	Source string
	Value  string
}

type CandidateStore

type CandidateStore interface {
	GovernanceNameCandidates(ctx context.Context) ([]Candidate, error)
	GovernanceDataFingerprint(ctx context.Context) (string, error)
}

type Config

type Config struct {
	Version int             `json:"version" yaml:"version"`
	Lists   map[string]List `json:"lists" yaml:"lists"`
}

func LoadFile

func LoadFile(path string) (*Config, error)

func NoExclusionsConfig added in v0.5.4

func NoExclusionsConfig() *Config

NoExclusionsConfig returns the in-memory governance config used when an operator explicitly declares that no customer exclusions exist.

func ParseYAML

func ParseYAML(body []byte) (*Config, error)

func (*Config) Fingerprint added in v0.3.4

func (c *Config) Fingerprint() string

func (*Config) Targets

func (c *Config) Targets() []Target

type Entry

type Entry struct {
	Name    string   `json:"name" yaml:"name"`
	Aliases []string `json:"aliases,omitempty" yaml:"aliases,omitempty"`
	Reason  string   `json:"reason,omitempty" yaml:"reason,omitempty"`
	Notes   string   `json:"notes,omitempty" yaml:"notes,omitempty"`
}

type IngestDecision added in v0.4.0

type IngestDecision struct {
	CallID         string
	Skip           bool
	MatchedLists   []string
	SourceCategory string
}

func EvaluateCallPayload added in v0.4.0

func EvaluateCallPayload(raw json.RawMessage, cfg *Config) (IngestDecision, error)

type List

type List struct {
	Description string  `json:"description,omitempty" yaml:"description,omitempty"`
	Action      string  `json:"action,omitempty" yaml:"action,omitempty"`
	Customers   []Entry `json:"customers" yaml:"customers"`
}

type Match

type Match struct {
	List       string `json:"list"`
	Name       string `json:"name"`
	Alias      string `json:"alias,omitempty"`
	Normalized string `json:"normalized"`
	CallCount  int    `json:"call_count"`
}

type RuntimeSnapshot

type RuntimeSnapshot struct {
	ConfigSize    int64
	ConfigModTime int64
	Data          string
}

func Snapshot

func Snapshot(ctx context.Context, path string, store CandidateStore) (RuntimeSnapshot, error)

type Target

type Target struct {
	List       string `json:"list"`
	Name       string `json:"name"`
	Alias      string `json:"alias,omitempty"`
	Normalized string `json:"normalized"`
}
