keep

package
v0.5.0 Latest
Warning

This package is not in the latest version of its module.
Published: Apr 7, 2026 License: MIT Imports: 8 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var ValidModes = map[string]bool{
	"":        true,
	"enforce": true,
	"audit":   true,
}

ValidModes lists the accepted values for PolicyConfig.Mode.

Functions

func GetStarterPack

func GetStarterPack(name string) ([]byte, error)

GetStarterPack returns the YAML bytes for a named starter pack.

func ListStarterPacks

func ListStarterPacks() []string

ListStarterPacks returns the names of all available starter packs.

func NormalizeHTTPCall

func NormalizeHTTPCall(method, host, path string) keeplib.Call

NormalizeHTTPCall creates a keeplib.Call for an HTTP request. Note: Context.Scope is set to "http-"+host (host-specific) rather than the engine scope ("http"). This means CEL rules using context.scope see the per-host value. The engine scope check in Evaluate uses the scope argument, not Context.Scope, so scope validation is unaffected.

func NormalizeMCPCall

func NormalizeMCPCall(toolName string, params map[string]any, scope string) keeplib.Call

NormalizeMCPCall creates a keeplib.Call for an MCP tools/call invocation.

func ResolvePolicyYAML

func ResolvePolicyYAML(pc *PolicyConfig, scope, baseDir string) ([]byte, error)

ResolvePolicyYAML resolves a PolicyConfig into raw YAML bytes suitable for keep.LoadFromBytes(). baseDir is used to resolve relative file paths; if empty, paths are used as-is.

func SafeEvaluate

func SafeEvaluate(eng *keeplib.Engine, call keeplib.Call, scope string) (result keeplib.EvalResult, err error)

SafeEvaluate wraps Engine.Evaluate with panic recovery so the proxy never crashes due to a Keep evaluation bug.
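
The recovery pattern described above, as an added example that is not the package's own code: named results let a deferred recover turn a panic into an error, and the caller fails closed on that error. Call, EvalResult, evaluator, ErrEvalPanic, allowed, buggyEngine and the "allow" decision string are hypothetical stand-ins, since the keeplib types are not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for keeplib.Call and keeplib.EvalResult (assumed shapes).
type Call struct{ Operation string }
type EvalResult struct{ Decision string }

// evaluator is an assumed interface standing in for *keeplib.Engine.
type evaluator interface {
	Evaluate(call Call, scope string) (EvalResult, error)
}

// ErrEvalPanic marks errors produced by a recovered panic (assumed name).
var ErrEvalPanic = errors.New("policy evaluation panicked")

// safeEvaluate uses named results so the deferred recover can overwrite them.
func safeEvaluate(eng evaluator, call Call, scope string) (result EvalResult, err error) {
	defer func() {
		if r := recover(); r != nil {
			result = EvalResult{} // discard any partial result
			err = fmt.Errorf("%w: %v", ErrEvalPanic, r)
		}
	}()
	return eng.Evaluate(call, scope)
}

// allowed fails closed: any error, including a recovered panic, denies the call.
func allowed(eng evaluator, call Call, scope string) bool {
	res, err := safeEvaluate(eng, call, scope)
	return err == nil && res.Decision == "allow"
}

// buggyEngine is a constructed engine that panics on one operation.
type buggyEngine struct{}

func (buggyEngine) Evaluate(call Call, _ string) (EvalResult, error) {
	if call.Operation == "crash" {
		var rules map[string]string
		rules["x"] = "y" // nil-map write: runtime panic
	}
	return EvalResult{Decision: "allow"}, nil
}

func main() {
	// prints: true false
	fmt.Println(allowed(buggyEngine{}, Call{Operation: "read"}, "http"), allowed(buggyEngine{}, Call{Operation: "crash"}, "http"))
}
```

Whether a recovered panic should deny or only be logged depends on the configured mode; the fail-closed choice here is an assumption of the example.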

Types

type PolicyConfig

type PolicyConfig struct {
	Pack string   `yaml:"-"`
	File string   `yaml:"-"`
	Deny []string `yaml:"deny,omitempty"`
	Mode string   `yaml:"mode,omitempty"`
}

PolicyConfig represents a Keep policy parsed from moat.yaml. It accepts three shapes:

  • Starter pack name: plain string without "/" or ".yaml" suffix
  • File path: string containing "/" or ending in ".yaml"
  • Inline rules: YAML mapping with deny/mode fields

func (*PolicyConfig) IsFile

func (p *PolicyConfig) IsFile() bool

func (*PolicyConfig) IsInline

func (p *PolicyConfig) IsInline() bool

func (*PolicyConfig) IsPack

func (p *PolicyConfig) IsPack() bool

func (*PolicyConfig) ToKeepYAML

func (p *PolicyConfig) ToKeepYAML(scope string) ([]byte, error)

ToKeepYAML converts inline rules to Keep's native YAML rule format. Listed deny operations get deny rules; everything else is implicitly allowed (Keep's default behavior for unmatched calls).

func (*PolicyConfig) UnmarshalYAML

func (p *PolicyConfig) UnmarshalYAML(node *yaml.Node) error
