guard

package
v0.0.114 Latest

Warning: This package is not in the latest version of its module.
Published: Feb 11, 2026 License: MIT Imports: 5 Imported by: 0

Documentation

Overview

Package guard provides security context management and guard registry for the MCP Gateway.

This package is responsible for managing security labels (DIFC - Decentralized Information Flow Control) and storing/retrieving agent identifiers in request contexts.

Relationship with internal/auth:

- internal/auth: Primary authentication logic (header parsing, validation)
- internal/guard: Security context management (agent ID tracking, guard registry)

For authentication-related operations, always use the internal/auth package directly.

Example:

// Extract agent ID from auth header and store in context
agentID := auth.ExtractAgentID(authHeader)
ctx = guard.SetAgentIDInContext(ctx, agentID)

// Retrieve agent ID from context
agentID = guard.GetAgentIDFromContext(ctx) // Returns "default" if not found

Functions

func GetAgentIDFromContext

func GetAgentIDFromContext(ctx context.Context) string

GetAgentIDFromContext extracts the agent ID from the context. Returns "default" if not found.

func GetRegisteredGuardTypes

func GetRegisteredGuardTypes() []string

GetRegisteredGuardTypes returns all registered guard type names

func RegisterGuardType

func RegisterGuardType(name string, factory GuardFactory)

RegisterGuardType registers a guard type with a factory function. This allows dynamic guard creation by name.

func SetAgentIDInContext

func SetAgentIDInContext(ctx context.Context, agentID string) context.Context

SetAgentIDInContext sets the agent ID in the context

func SetRequestStateInContext

func SetRequestStateInContext(ctx context.Context, state RequestState) context.Context

SetRequestStateInContext stores guard request state in context

Types

type BackendCaller

type BackendCaller interface {
	// CallTool makes a read-only call to the backend MCP server
	// This is used by guards to gather metadata for labeling
	CallTool(ctx context.Context, toolName string, args interface{}) (interface{}, error)
}

BackendCaller provides a way for guards to make read-only calls to the backend to gather information needed for labeling (e.g., fetching issue author).

type ContextKey

type ContextKey string

ContextKey is used for storing values in context

const (
	// AgentIDContextKey stores the agent ID in the request context
	AgentIDContextKey ContextKey = "difc-agent-id"

	// RequestStateContextKey stores guard-specific request state
	RequestStateContextKey ContextKey = "difc-request-state"
)
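
The typed key and the "default" fallback documented above, as an added example that is not the package's own code. `setAgentID`, `getAgentID` and `agentIDStrict` are local stand-ins (the last one hypothetical) that reproduce only the documented behaviour, and the agent IDs are constructed.

```go
package main

import (
	"context"
	"fmt"
)

// Mirrors the ContextKey declarations documented above.
type ContextKey string

const AgentIDContextKey ContextKey = "difc-agent-id"

// setAgentID and getAgentID are local stand-ins that reproduce only the
// documented behaviour of SetAgentIDInContext and GetAgentIDFromContext.
func setAgentID(ctx context.Context, id string) context.Context {
	return context.WithValue(ctx, AgentIDContextKey, id)
}

func getAgentID(ctx context.Context) string {
	if id, ok := ctx.Value(AgentIDContextKey).(string); ok {
		return id
	}
	return "default" // documented fallback when nothing is stored
}

// agentIDStrict is a hypothetical helper: it reports whether an agent ID was
// really stored, so a caller can reject the request instead of proceeding
// under the shared "default" identity.
func agentIDStrict(ctx context.Context) (string, bool) {
	id, ok := ctx.Value(AgentIDContextKey).(string)
	return id, ok && id != ""
}

func main() {
	base := context.Background()
	ctx := setAgentID(base, "agent-a")

	// An untyped string key with the same text is a different key, so it
	// neither reads nor shadows the typed entry.
	shadow := context.WithValue(ctx, "difc-agent-id", "agent-b")
	fmt.Println(getAgentID(shadow))

	fmt.Println(getAgentID(base))
	_, ok := agentIDStrict(base)
	fmt.Println(ok)
}
```

The typed key guards against accidental collisions only: `AgentIDContextKey` is exported, so any code that imports the package can still set the value.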

type Guard

type Guard interface {
	// Name returns the identifier for this guard (e.g., "github", "noop")
	Name() string

	// LabelResource determines the resource being accessed and its labels
	// This may call the backend (via BackendCaller) to gather metadata needed for labeling
	// Returns:
	//   - resource: The labeled resource (simple or nested structure for fine-grained filtering)
	//   - operation: The type of operation (Read, Write, or ReadWrite)
	//   - error: Any error that occurred during labeling
	LabelResource(ctx context.Context, toolName string, args interface{}, backend BackendCaller, caps *difc.Capabilities) (*difc.LabeledResource, difc.OperationType, error)

	// LabelResponse labels the response data after a successful backend call
	// This is used for fine-grained filtering of collections
	// Returns:
	//   - labeledData: The response data with per-item labels (if applicable)
	//   - error: Any error that occurred during labeling
	// If the guard returns nil for labeledData, the reference monitor will use the
	// resource labels from LabelResource for the entire response
	LabelResponse(ctx context.Context, toolName string, result interface{}, backend BackendCaller, caps *difc.Capabilities) (difc.LabeledData, error)
}

Guard handles DIFC labeling for a specific MCP server. Guards ONLY label resources - they do NOT make access control decisions. The Reference Monitor (in the server) uses guard-provided labels to enforce DIFC policies.

func CreateGuard

func CreateGuard(name string) (Guard, error)

CreateGuard creates a guard instance by name using registered factories

type GuardFactory

type GuardFactory func() (Guard, error)

GuardFactory is a function that creates a guard instance

type NoopGuard

type NoopGuard struct{}

NoopGuard is the default guard that performs no DIFC labeling. It allows all operations by returning empty labels (no restrictions).

func NewNoopGuard

func NewNoopGuard() *NoopGuard

NewNoopGuard creates a new noop guard

func (*NoopGuard) LabelResource

func (g *NoopGuard) LabelResource(ctx context.Context, toolName string, args interface{}, backend BackendCaller, caps *difc.Capabilities) (*difc.LabeledResource, difc.OperationType, error)

LabelResource returns an empty resource with no label requirements. Conservatively assumes all operations could be writes.

func (*NoopGuard) LabelResponse

func (g *NoopGuard) LabelResponse(ctx context.Context, toolName string, result interface{}, backend BackendCaller, caps *difc.Capabilities) (difc.LabeledData, error)

LabelResponse returns nil, indicating no fine-grained labeling. The reference monitor will use the resource labels for the entire response.

func (*NoopGuard) Name

func (g *NoopGuard) Name() string

Name returns the identifier for this guard

type Registry

type Registry struct {
	// contains filtered or unexported fields
}

Registry manages guard instances for different MCP servers

func NewRegistry

func NewRegistry() *Registry

NewRegistry creates a new guard registry

func (*Registry) Get

func (r *Registry) Get(serverID string) Guard

Get retrieves the guard for a server, or returns a noop guard if not found

func (*Registry) GetGuardInfo

func (r *Registry) GetGuardInfo() map[string]string

GetGuardInfo returns information about all registered guards

func (*Registry) Has

func (r *Registry) Has(serverID string) bool

Has checks if a guard is registered for a server

func (*Registry) List

func (r *Registry) List() []string

List returns all registered server IDs

func (*Registry) Register

func (r *Registry) Register(serverID string, guard Guard)

Register registers a guard for a specific server

func (*Registry) Remove

func (r *Registry) Remove(serverID string)

Remove removes a guard registration
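
Because Get falls back to a noop guard, a server with no registered guard is handled with empty labels, that is, no DIFC restrictions. The following is an added example (not the package's code) of a fail-closed lookup built on Has and Get. The Registry is a stand-in with the documented semantics, Guard is reduced to Name(), `GetStrict`, `ErrNoGuard` and the server IDs are hypothetical, and it assumes NoopGuard.Name() returns "noop".

```go
package main

import (
	"errors"
	"fmt"
)

// Guard is cut down to Name(); the documented interface also labels via difc types.
type Guard interface{ Name() string }

type namedGuard string // constructed guard for the demo

func (n namedGuard) Name() string { return string(n) }

// Registry is a stand-in with the documented Register/Has/Get semantics.
type Registry struct{ guards map[string]Guard }

func NewRegistry() *Registry { return &Registry{guards: map[string]Guard{}} }

func (r *Registry) Register(serverID string, g Guard) { r.guards[serverID] = g }

func (r *Registry) Has(serverID string) bool {
	_, ok := r.guards[serverID]
	return ok
}

func (r *Registry) Get(serverID string) Guard {
	if g, ok := r.guards[serverID]; ok {
		return g
	}
	return namedGuard("noop") // documented fallback
}

var ErrNoGuard = errors.New("no DIFC guard registered")

// GetStrict (hypothetical) fails closed on a missing or noop guard.
func GetStrict(r *Registry, serverID string) (Guard, error) {
	g := r.Get(serverID)
	if !r.Has(serverID) || g.Name() == "noop" { // assumes NoopGuard.Name() is "noop"
		return nil, fmt.Errorf("%w: server %q", ErrNoGuard, serverID)
	}
	return g, nil
}

func main() {
	r := NewRegistry()
	r.Register("github", namedGuard("github"))
	fmt.Println(r.Get("jira").Name())
	_, err := GetStrict(r, "jira")
	fmt.Println(errors.Is(err, ErrNoGuard))
}
```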

type RequestState

type RequestState interface{}

RequestState represents any state that the guard needs to pass from request to response. This is useful when the guard needs to carry information from LabelResource to LabelResponse.

func GetRequestStateFromContext

func GetRequestStateFromContext(ctx context.Context) RequestState

GetRequestStateFromContext retrieves guard request state from context
