@haimkastner/workforce-ai-mcp 1.0.0-rc.2 → 1.0.0-rc.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/README.md +2 -2
  2. package/dist/core/session.js +2 -0
  3. package/dist/index.js +0 -3
  4. package/dist/tool-filter.js +1 -1
  5. package/dist/tools/tools.g.d.ts +1 -1
  6. package/dist/tools/tools.g.js +45 -24
  7. package/package.json +12 -4
  8. package/TOOLS.md +0 -32
  9. package/openapi-mcp.json +0 -1
package/README.md CHANGED
@@ -57,7 +57,7 @@ Add to your `claude_desktop_config.json`:
57
57
  "mcpServers": {
58
58
  "workforce-ai": {
59
59
  "command": "npx",
60
- "args": ["@haimkastner/workforce-ai-mcp"],
60
+ "args": ["--yes", "@haimkastner/workforce-ai-mcp"],
61
61
  "env": {
62
62
  "CP_CI_CLIENT_ID": "your-client-id",
63
63
  "CP_CI_ACCESS_KEY": "your-access-key",
@@ -146,8 +146,8 @@ To enable write operations, set `WRITE_MODE=true`. This unlocks tools that modif
146
146
  | `create_secure_browsing_rule` | Create a new Secure Browsing threat-prevention rule. | write |
147
147
  | `list_file_protection_objects` | List all file-protection policy objects. | read |
148
148
  | `list_domains_objects` | List all domains policy objects. | read |
149
- | `list_dlp_datatypes` | List all available DLP data types (both predefined and custom). | read |
150
149
  | `get_tenant_dlp_datatypes` | Get the tenant-specific DLP datatype configuration showing which data types are currently enabled for detection in this tenant's policies.. | read |
150
+ | `search_dlp_datatypes` | Search DLP data types by name or description with pagination. | read |
151
151
  | `analyze_shadow_rules` | Find unreachable (shadowed) rules in a rulebase. | read |
152
152
  | `resolve_matching_rule` | Given a user and target, determine which rule in the rulebase would apply. | read |
153
153
  | `search_assets` | Search deployed assets (endpoints/devices) with optional filtering, sorting, text search, and pagination. | read |
package/dist/core/session.js CHANGED
@@ -79,6 +79,8 @@ export class SessionManager {
79
79
  console.error(`[auth] Token refresh failed: ${err}`);
80
80
  }
81
81
  }, delaySeconds * 1000);
82
+ // Don't keep the process alive just for token refresh
83
+ this.refreshTimer.unref();
82
84
  }
83
85
  }
84
86
  /** Shared singleton session manager instance */
package/dist/index.js CHANGED
@@ -16,9 +16,6 @@
16
16
  import { Server } from '@modelcontextprotocol/sdk/server/index.js';
17
17
  import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
18
18
  import { CallToolRequestSchema, ListToolsRequestSchema, } from '@modelcontextprotocol/sdk/types.js';
19
- import dotenv from 'dotenv';
20
- // Load environment variables before importing internal modules
21
- dotenv.config();
22
19
  import { setupStreamableHttpServer } from './core/streamable-http.js';
23
20
  import { toolDefinitionMap } from './tools/tools.g.js';
24
21
  import { executeTool } from './executer/executer.js';
package/dist/tool-filter.js CHANGED
@@ -14,7 +14,7 @@ import { resolve } from 'path';
14
14
  function loadWriteToolNames() {
15
15
  const writeTools = new Set();
16
16
  try {
17
- const specPath = resolve(import.meta.dirname, '..', 'openapi-mcp.json');
17
+ const specPath = resolve(import.meta.dirname, '..', 'specs', 'openapi-mcp.json');
18
18
  const spec = JSON.parse(readFileSync(specPath, 'utf-8'));
19
19
  for (const methods of Object.values(spec.paths)) {
20
20
  for (const operation of Object.values(methods)) {
package/dist/tools/tools.g.d.ts CHANGED
@@ -1,7 +1,7 @@
1
1
  /**
2
2
  * AUTO-GENERATED FILE — DO NOT EDIT
3
3
  *
4
- * Generated from openapi-mcp.json by scripts/generate-tools.ts
4
+ * Generated from specs/openapi-mcp.json by scripts/generate-tools.ts
5
5
  * Run: npm run generate-tools
6
6
  */
7
7
  import { McpToolDefinition } from '../types/types.js';
package/dist/tools/tools.g.js CHANGED
@@ -1,7 +1,7 @@
1
1
  /**
2
2
  * AUTO-GENERATED FILE — DO NOT EDIT
3
3
  *
4
- * Generated from openapi-mcp.json by scripts/generate-tools.ts
4
+ * Generated from specs/openapi-mcp.json by scripts/generate-tools.ts
5
5
  * Run: npm run generate-tools
6
6
  */
7
7
  import { z } from 'zod';
@@ -538,7 +538,6 @@ export const toolDefinitionMap = new Map([
538
538
  "properties": {
539
539
  "id": {
540
540
  "type": "string",
541
- "format": "uuid",
542
541
  "title": "Id",
543
542
  "description": "UUID of the data type",
544
543
  "default": "",
@@ -634,7 +633,6 @@ export const toolDefinitionMap = new Map([
634
633
  "properties": {
635
634
  "assignment_id": {
636
635
  "type": "string",
637
- "format": "uuid",
638
636
  "title": "Assignment Id",
639
637
  "description": "ID of the user or group"
640
638
  },
@@ -686,7 +684,7 @@ export const toolDefinitionMap = new Map([
686
684
  executionParameters: [],
687
685
  requestBodyContentType: 'application/json',
688
686
  securityRequirements: [{ "HTTPBearer": [] }],
689
- zodValidationSchema: z.object({ "requestBody": z.object({ "name": z.string().describe("Human-readable rule name"), "description": z.string().describe("Explanation of the rule's purpose").default(""), "order": z.number().int().describe("Position in the rulebase; lower values are evaluated first and take precedence"), "policy": z.object({ "event_type": z.union([z.enum(["file_upload", "file_download", "paste", "prompt", "copy"]), z.null()]).describe("Type of event to apply DLP policy on").optional(), "services_and_application": z.union([z.object({ "domain": z.array(z.object({ "domain": z.string().describe("Valid domain name or IPv4 address"), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") })).describe("List of domains").optional(), "url": z.array(z.object({ "url": z.string().url().describe("Valid URL") })).describe("List of URLs").optional(), "genai_application": z.array(z.object({ "id": z.number().int().gt(0).describe("GenAI application ID"), "mode": z.union([z.enum(["all", "selected_account"]).describe("Account selection mode enumeration.\n\nDetermines which accounts/organizations the policy applies to:\n\n- ALL: Policy applies to all tool instances (e.g., cloud desktop, ChatGPT desktop, etc.),\n regardless of whether they are connected to an account/organization or not.\n\n- SELECTED_ACCOUNT: Policy applies only to tool instances (e.g., cloud desktop, ChatGPT\n desktop, etc.) that are connected to one of the specified account IDs (organization IDs\n in some tools' terminology). Tool instances not connected to any account or connected\n to accounts not in the list will not be affected by this policy."), z.null()]).describe("Account selection mode: 'all' or 'selected_account'").default("all"), "accounts": z.array(z.object({ "account_id": z.string().describe("Account identifier") }).describe("External-safe twin of Account.")).describe("List of selected accounts (used when mode='selected_account')").optional() })).describe("List of GenAI applications").optional(), "category": z.array(z.object({ "category_id": z.union([z.literal(1), z.literal(3), z.literal(5), z.literal(7), z.literal(11), z.literal(12), z.literal(15), z.literal(32), z.literal(21), z.literal(24), z.literal(25), z.literal(0), z.literal(34), z.literal(35), z.literal(37), z.literal(39), z.literal(41), z.literal(42), z.literal(45), z.literal(47), z.literal(49), z.literal(51), z.literal(53), z.literal(54), z.literal(58), z.literal(59), z.literal(60), z.literal(68), z.literal(69), z.literal(71), z.literal(72), z.literal(74), z.literal(75), z.literal(76), z.literal(51000001), z.literal(51000002), z.literal(52000130), z.literal(50000032), z.literal(52000132), z.literal(60517663), z.literal(60530541), z.literal(60530542), z.literal(60530648), z.literal(31), z.literal(55), z.literal(65), z.literal(66), z.literal(67), z.literal(77), z.literal(51000003), z.literal(51000004), z.literal(51000005), z.literal(52000038), z.literal(60530540), z.literal(9), z.literal(13), z.literal(14), z.literal(17), z.literal(18), z.literal(26), z.literal(33), z.literal(56), z.literal(61), z.literal(62), z.literal(70), z.literal(73), z.literal(78), z.literal(30), z.literal(52000047), z.literal(52000058), z.literal(52000069), z.literal(50000086), z.literal(23), z.literal(52000136), z.literal(52000046), z.literal(52000051), z.literal(60531762)]).describe("URLF Category enumeration with display names as keys and category IDs as values.") })).describe("List of URLF categories").optional(), "mode": z.union([z.enum(["selected", "all"]).describe("Selection mode enumeration."), z.null()]).describe("Whether to apply to all services and applications or to only selected ones").optional() }), z.null()]).describe("Services and application configuration").optional(), "data_types": z.union([z.array(z.object({ "id": z.string().uuid().describe("UUID of the data type").default(""), "name": z.string().describe("Display name of the data type").default(""), "type": z.enum(["PRE_DEFINED", "CUSTOM"]).optional(), "matchingLevel": z.union([z.number().int(), z.null()]).describe("Matching level for the data type").optional() })), z.null()]).describe("DLP Data types").optional(), "action": z.union([z.enum(["prevent", "ask", "redact", "detect", "allow", "block"]), z.null()]).describe("Action to take when DLP rule is triggered").optional(), "logging": z.union([z.enum(["enabled", "disabled"]).describe("Logging status enumeration."), z.null()]).describe("Whether logging is enabled").optional() }), "source": z.array(z.object({ "assignment_id": z.string().uuid().describe("ID of the user or group"), "display_name": z.string().describe("Human-readable name of the user or group"), "assignment_type": z.enum(["ASSIGNMENT_TYPE_USER", "ASSIGNMENT_TYPE_GROUP", "ASSIGNMENT_TYPE_ENTIRE_ORG"]) }).describe("External-safe twin of Assignment.")).describe("Users or groups this rule applies to; empty means all users").optional() }).describe("Create a new Chats rule.\n\nChats rules control data-loss-prevention for AI chat interactions:\nprompt/response inspection, sensitive-data detection, and file transfer policies.") }),
687
+ zodValidationSchema: z.object({ "requestBody": z.object({ "name": z.string().describe("Human-readable rule name"), "description": z.string().describe("Explanation of the rule's purpose").default(""), "order": z.number().int().describe("Position in the rulebase; lower values are evaluated first and take precedence"), "policy": z.object({ "event_type": z.union([z.enum(["file_upload", "file_download", "paste", "prompt", "copy"]), z.null()]).describe("Type of event to apply DLP policy on").optional(), "services_and_application": z.union([z.object({ "domain": z.array(z.object({ "domain": z.string().describe("Valid domain name or IPv4 address"), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") })).describe("List of domains").optional(), "url": z.array(z.object({ "url": z.string().url().describe("Valid URL") })).describe("List of URLs").optional(), "genai_application": z.array(z.object({ "id": z.number().int().gt(0).describe("GenAI application ID"), "mode": z.union([z.enum(["all", "selected_account"]).describe("Account selection mode enumeration.\n\nDetermines which accounts/organizations the policy applies to:\n\n- ALL: Policy applies to all tool instances (e.g., cloud desktop, ChatGPT desktop, etc.),\n regardless of whether they are connected to an account/organization or not.\n\n- SELECTED_ACCOUNT: Policy applies only to tool instances (e.g., cloud desktop, ChatGPT\n desktop, etc.) that are connected to one of the specified account IDs (organization IDs\n in some tools' terminology). Tool instances not connected to any account or connected\n to accounts not in the list will not be affected by this policy."), z.null()]).describe("Account selection mode: 'all' or 'selected_account'").default("all"), "accounts": z.array(z.object({ "account_id": z.string().describe("Account identifier") }).describe("External-safe twin of Account.")).describe("List of selected accounts (used when mode='selected_account')").optional() })).describe("List of GenAI applications").optional(), "category": z.array(z.object({ "category_id": z.union([z.literal(1), z.literal(3), z.literal(5), z.literal(7), z.literal(11), z.literal(12), z.literal(15), z.literal(32), z.literal(21), z.literal(24), z.literal(25), z.literal(0), z.literal(34), z.literal(35), z.literal(37), z.literal(39), z.literal(41), z.literal(42), z.literal(45), z.literal(47), z.literal(49), z.literal(51), z.literal(53), z.literal(54), z.literal(58), z.literal(59), z.literal(60), z.literal(68), z.literal(69), z.literal(71), z.literal(72), z.literal(74), z.literal(75), z.literal(76), z.literal(51000001), z.literal(51000002), z.literal(52000130), z.literal(50000032), z.literal(52000132), z.literal(60517663), z.literal(60530541), z.literal(60530542), z.literal(60530648), z.literal(31), z.literal(55), z.literal(65), z.literal(66), z.literal(67), z.literal(77), z.literal(51000003), z.literal(51000004), z.literal(51000005), z.literal(52000038), z.literal(60530540), z.literal(9), z.literal(13), z.literal(14), z.literal(17), z.literal(18), z.literal(26), z.literal(33), z.literal(56), z.literal(61), z.literal(62), z.literal(70), z.literal(73), z.literal(78), z.literal(30), z.literal(52000047), z.literal(52000058), z.literal(52000069), z.literal(50000086), z.literal(23), z.literal(52000136), z.literal(52000046), z.literal(52000051), z.literal(60531762)]).describe("URLF Category enumeration with display names as keys and category IDs as values.") })).describe("List of URLF categories").optional(), "mode": z.union([z.enum(["selected", "all"]).describe("Selection mode enumeration."), z.null()]).describe("Whether to apply to all services and applications or to only selected ones").optional() }), z.null()]).describe("Services and application configuration").optional(), "data_types": z.union([z.array(z.object({ "id": z.string().describe("UUID of the data type").default(""), "name": z.string().describe("Display name of the data type").default(""), "type": z.enum(["PRE_DEFINED", "CUSTOM"]).optional(), "matchingLevel": z.union([z.number().int(), z.null()]).describe("Matching level for the data type").optional() })), z.null()]).describe("DLP Data types").optional(), "action": z.union([z.enum(["prevent", "ask", "redact", "detect", "allow", "block"]), z.null()]).describe("Action to take when DLP rule is triggered").optional(), "logging": z.union([z.enum(["enabled", "disabled"]).describe("Logging status enumeration."), z.null()]).describe("Whether logging is enabled").optional() }), "source": z.array(z.object({ "assignment_id": z.string().describe("ID of the user or group"), "display_name": z.string().describe("Human-readable name of the user or group"), "assignment_type": z.enum(["ASSIGNMENT_TYPE_USER", "ASSIGNMENT_TYPE_GROUP", "ASSIGNMENT_TYPE_ENTIRE_ORG"]) }).describe("External-safe twin of Assignment.")).describe("Users or groups this rule applies to; empty means all users").optional() }).describe("Create a new Chats rule.\n\nChats rules control data-loss-prevention for AI chat interactions:\nprompt/response inspection, sensitive-data detection, and file transfer policies.") }),
690
688
  },
691
689
  ],
692
690
  [
@@ -1046,7 +1044,6 @@ export const toolDefinitionMap = new Map([
1046
1044
  "properties": {
1047
1045
  "assignment_id": {
1048
1046
  "type": "string",
1049
- "format": "uuid",
1050
1047
  "title": "Assignment Id",
1051
1048
  "description": "ID of the user or group"
1052
1049
  },
@@ -1098,7 +1095,7 @@ export const toolDefinitionMap = new Map([
1098
1095
  executionParameters: [],
1099
1096
  requestBodyContentType: 'application/json',
1100
1097
  securityRequirements: [{ "HTTPBearer": [] }],
1101
- zodValidationSchema: z.object({ "requestBody": z.object({ "name": z.string().describe("Human-readable rule name"), "description": z.string().describe("Explanation of the rule's purpose").default(""), "order": z.number().int().describe("Position in the rulebase; lower values are evaluated first and take precedence"), "policy": z.object({ "services_and_application": z.union([z.object({ "domain": z.array(z.object({ "domain": z.string().describe("Valid domain name or IPv4 address"), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") })).describe("List of domains").optional(), "url": z.array(z.object({ "url": z.string().url().describe("Valid URL") })).describe("List of URLs").optional(), "genai_application": z.array(z.object({ "id": z.number().int().gt(0).describe("GenAI application ID"), "mode": z.union([z.enum(["all", "selected_account"]).describe("Account selection mode enumeration.\n\nDetermines which accounts/organizations the policy applies to:\n\n- ALL: Policy applies to all tool instances (e.g., cloud desktop, ChatGPT desktop, etc.),\n regardless of whether they are connected to an account/organization or not.\n\n- SELECTED_ACCOUNT: Policy applies only to tool instances (e.g., cloud desktop, ChatGPT\n desktop, etc.) that are connected to one of the specified account IDs (organization IDs\n in some tools' terminology). Tool instances not connected to any account or connected\n to accounts not in the list will not be affected by this policy."), z.null()]).describe("Account selection mode: 'all' or 'selected_account'").default("all"), "accounts": z.array(z.object({ "account_id": z.string().describe("Account identifier") }).describe("External-safe twin of Account.")).describe("List of selected accounts (used when mode='selected_account')").optional() })).describe("List of GenAI applications").optional(), "category": z.array(z.object({ "category_id": z.union([z.literal(1), z.literal(3), z.literal(5), z.literal(7), z.literal(11), z.literal(12), z.literal(15), z.literal(32), z.literal(21), z.literal(24), z.literal(25), z.literal(0), z.literal(34), z.literal(35), z.literal(37), z.literal(39), z.literal(41), z.literal(42), z.literal(45), z.literal(47), z.literal(49), z.literal(51), z.literal(53), z.literal(54), z.literal(58), z.literal(59), z.literal(60), z.literal(68), z.literal(69), z.literal(71), z.literal(72), z.literal(74), z.literal(75), z.literal(76), z.literal(51000001), z.literal(51000002), z.literal(52000130), z.literal(50000032), z.literal(52000132), z.literal(60517663), z.literal(60530541), z.literal(60530542), z.literal(60530648), z.literal(31), z.literal(55), z.literal(65), z.literal(66), z.literal(67), z.literal(77), z.literal(51000003), z.literal(51000004), z.literal(51000005), z.literal(52000038), z.literal(60530540), z.literal(9), z.literal(13), z.literal(14), z.literal(17), z.literal(18), z.literal(26), z.literal(33), z.literal(56), z.literal(61), z.literal(62), z.literal(70), z.literal(73), z.literal(78), z.literal(30), z.literal(52000047), z.literal(52000058), z.literal(52000069), z.literal(50000086), z.literal(23), z.literal(52000136), z.literal(52000046), z.literal(52000051), z.literal(60531762)]).describe("URLF Category enumeration with display names as keys and category IDs as values.") })).describe("List of URLF categories").optional(), "mode": z.union([z.enum(["selected", "all"]).describe("Selection mode enumeration."), z.null()]).describe("Whether to apply to all services and applications or to only selected ones").optional() }), z.null()]).describe("Services and application configuration").optional(), "action": z.union([z.enum(["block", "allow", "ask"]), z.null()]).describe("Action to take for access control").optional(), "logging": z.union([z.enum(["enabled", "disabled"]).describe("Logging status enumeration."), z.null()]).describe("Whether logging is enabled").optional(), "download_file_protection": z.union([z.enum(["na", "Block", "Allow", "EmulateInBackground", "WaitForEmulation", "Detect", "Extract"]), z.null()]).describe("File download protection action. Must be 'na' for GenAI rules; must not be 'na' for Browse rules.").optional(), "upload_file_protection": z.union([z.enum(["na", "Block", "Allow", "EmulateInBackground", "WaitForEmulation", "Detect"]), z.null()]).describe("File upload protection action. Must be 'na' for GenAI rules; must not be 'na' for Browse rules.").optional() }), "source": z.array(z.object({ "assignment_id": z.string().uuid().describe("ID of the user or group"), "display_name": z.string().describe("Human-readable name of the user or group"), "assignment_type": z.enum(["ASSIGNMENT_TYPE_USER", "ASSIGNMENT_TYPE_GROUP", "ASSIGNMENT_TYPE_ENTIRE_ORG"]) }).describe("External-safe twin of Assignment.")).describe("Users or groups this rule applies to; empty means all users").optional() }).describe("Create a new Access rule.\n\nAccess rules control which AI services and applications users are allowed\nto interact with, including allow/block decisions per service.") }),
1098
+ zodValidationSchema: z.object({ "requestBody": z.object({ "name": z.string().describe("Human-readable rule name"), "description": z.string().describe("Explanation of the rule's purpose").default(""), "order": z.number().int().describe("Position in the rulebase; lower values are evaluated first and take precedence"), "policy": z.object({ "services_and_application": z.union([z.object({ "domain": z.array(z.object({ "domain": z.string().describe("Valid domain name or IPv4 address"), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") })).describe("List of domains").optional(), "url": z.array(z.object({ "url": z.string().url().describe("Valid URL") })).describe("List of URLs").optional(), "genai_application": z.array(z.object({ "id": z.number().int().gt(0).describe("GenAI application ID"), "mode": z.union([z.enum(["all", "selected_account"]).describe("Account selection mode enumeration.\n\nDetermines which accounts/organizations the policy applies to:\n\n- ALL: Policy applies to all tool instances (e.g., cloud desktop, ChatGPT desktop, etc.),\n regardless of whether they are connected to an account/organization or not.\n\n- SELECTED_ACCOUNT: Policy applies only to tool instances (e.g., cloud desktop, ChatGPT\n desktop, etc.) that are connected to one of the specified account IDs (organization IDs\n in some tools' terminology). Tool instances not connected to any account or connected\n to accounts not in the list will not be affected by this policy."), z.null()]).describe("Account selection mode: 'all' or 'selected_account'").default("all"), "accounts": z.array(z.object({ "account_id": z.string().describe("Account identifier") }).describe("External-safe twin of Account.")).describe("List of selected accounts (used when mode='selected_account')").optional() })).describe("List of GenAI applications").optional(), "category": z.array(z.object({ "category_id": z.union([z.literal(1), z.literal(3), z.literal(5), z.literal(7), z.literal(11), z.literal(12), z.literal(15), z.literal(32), z.literal(21), z.literal(24), z.literal(25), z.literal(0), z.literal(34), z.literal(35), z.literal(37), z.literal(39), z.literal(41), z.literal(42), z.literal(45), z.literal(47), z.literal(49), z.literal(51), z.literal(53), z.literal(54), z.literal(58), z.literal(59), z.literal(60), z.literal(68), z.literal(69), z.literal(71), z.literal(72), z.literal(74), z.literal(75), z.literal(76), z.literal(51000001), z.literal(51000002), z.literal(52000130), z.literal(50000032), z.literal(52000132), z.literal(60517663), z.literal(60530541), z.literal(60530542), z.literal(60530648), z.literal(31), z.literal(55), z.literal(65), z.literal(66), z.literal(67), z.literal(77), z.literal(51000003), z.literal(51000004), z.literal(51000005), z.literal(52000038), z.literal(60530540), z.literal(9), z.literal(13), z.literal(14), z.literal(17), z.literal(18), z.literal(26), z.literal(33), z.literal(56), z.literal(61), z.literal(62), z.literal(70), z.literal(73), z.literal(78), z.literal(30), z.literal(52000047), z.literal(52000058), z.literal(52000069), z.literal(50000086), z.literal(23), z.literal(52000136), z.literal(52000046), z.literal(52000051), z.literal(60531762)]).describe("URLF Category enumeration with display names as keys and category IDs as values.") })).describe("List of URLF categories").optional(), "mode": z.union([z.enum(["selected", "all"]).describe("Selection mode enumeration."), z.null()]).describe("Whether to apply to all services and applications or to only selected ones").optional() }), z.null()]).describe("Services and application configuration").optional(), "action": z.union([z.enum(["block", "allow", "ask"]), z.null()]).describe("Action to take for access control").optional(), "logging": z.union([z.enum(["enabled", "disabled"]).describe("Logging status enumeration."), z.null()]).describe("Whether logging is enabled").optional(), "download_file_protection": z.union([z.enum(["na", "Block", "Allow", "EmulateInBackground", "WaitForEmulation", "Detect", "Extract"]), z.null()]).describe("File download protection action. Must be 'na' for GenAI rules; must not be 'na' for Browse rules.").optional(), "upload_file_protection": z.union([z.enum(["na", "Block", "Allow", "EmulateInBackground", "WaitForEmulation", "Detect"]), z.null()]).describe("File upload protection action. Must be 'na' for GenAI rules; must not be 'na' for Browse rules.").optional() }), "source": z.array(z.object({ "assignment_id": z.string().describe("ID of the user or group"), "display_name": z.string().describe("Human-readable name of the user or group"), "assignment_type": z.enum(["ASSIGNMENT_TYPE_USER", "ASSIGNMENT_TYPE_GROUP", "ASSIGNMENT_TYPE_ENTIRE_ORG"]) }).describe("External-safe twin of Assignment.")).describe("Users or groups this rule applies to; empty means all users").optional() }).describe("Create a new Access rule.\n\nAccess rules control which AI services and applications users are allowed\nto interact with, including allow/block decisions per service.") }),
1102
1099
  },
1103
1100
  ],
1104
1101
  [
@@ -2072,7 +2069,6 @@ export const toolDefinitionMap = new Map([
2072
2069
  "properties": {
2073
2070
  "assignment_id": {
2074
2071
  "type": "string",
2075
- "format": "uuid",
2076
2072
  "title": "Assignment Id",
2077
2073
  "description": "ID of the user or group"
2078
2074
  },
@@ -2124,7 +2120,7 @@ export const toolDefinitionMap = new Map([
2124
2120
  executionParameters: [],
2125
2121
  requestBodyContentType: 'application/json',
2126
2122
  securityRequirements: [{ "HTTPBearer": [] }],
2127
- zodValidationSchema: z.object({ "requestBody": z.object({ "name": z.string().describe("Human-readable rule name"), "description": z.string().describe("Explanation of the rule's purpose").default(""), "order": z.number().int().describe("Position in the rulebase; lower values are evaluated first and take precedence"), "policy": z.object({ "action": z.union([z.enum(["block", "allow", "ask"]), z.null()]).describe("Action to take for MCP server").optional(), "logging": z.union([z.enum(["enabled", "disabled"]).describe("Logging status enumeration."), z.null()]).describe("Whether logging is enabled").optional(), "clients": z.union([z.object({ "mode": z.union([z.enum(["selected", "all"]).describe("Selection mode enumeration."), z.null()]).describe("Mode for client selection").optional(), "selected": z.union([z.array(z.object({ "os": z.union([z.enum(["windows", "macos", "all"]).describe("Operating system enumeration."), z.null()]).describe("Operating system for the client").optional(), "name_id": z.union([z.enum(["claude_desktop", "vscode", "cursor", "windsurf", "zed", "perplexity", "antigravity", "jetbrains", "roo", "cline", "docker_desktop"]).describe("MCP Client name identifier enumeration."), z.null()]).describe("Client name identifier e.g. 'claude_desktop', 'docker_desktop'").optional() })), z.null()]).describe("List of selected clients").optional() }), z.null()]).describe("Desktop clients selection").optional(), "servers": z.union([z.object({ "mcp_servers_mode": z.union([z.enum(["all", "risk_level", "manual", "managed"]).describe("MCP Servers mode enumeration."), z.null()]).describe("Mode for MCP servers selection: all, risk_level, managed, manual").optional(), "risk_level": z.union([z.object({ "use_min": z.union([z.boolean(), z.null()]).describe("Whether to use minimum risk level limit").default(false), "use_max": z.union([z.boolean(), z.null()]).describe("Whether to use maximum risk level limit").default(false), "min": z.union([z.number().int().gte(0), z.null()]).describe("Minimum risk level").optional(), "max": z.union([z.number().int().gte(0), z.null()]).describe("Maximum risk level").optional() }), z.null()]).describe("Risk level configuration for MCP servers").optional(), "managed": z.union([z.object({ "name_ids": z.union([z.array(z.object({ "name_id": z.union([z.string().min(1), z.null()]).describe("Name of the managed MCP").default("") })), z.null()]).describe("List of managed MCP identifiers").optional() }), z.null()]).describe("Managed MCP configuration").optional(), "manual": z.union([z.array(z.object({ "server_type": z.union([z.enum(["all", "node_server", "python_server", "claude_extensions", "executable_server", "unknown_server", "docker_gateway", "docker_runner", "remote_server"]), z.null()]).describe("Type of the MCP server").optional(), "node_server": z.union([z.object({ "package_name": z.union([z.string(), z.null()]).describe("NPM package name e.g. '@modelcontextprotocol/server-github'").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for package_name matching").default("exact") }), z.null()]).describe("Node server configuration").optional(), "python_server": z.union([z.object({ "module_name": z.union([z.string(), z.null()]).describe("Python module name e.g. 'modelcontextprotocol_server_github'").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for module_name matching").default("exact") }), z.null()]).describe("Python server configuration").optional(), "claude_extensions": z.union([z.object({ "extension_name": z.union([z.string(), z.null()]).describe("Extension name from manifest.json").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for extension_name matching").default("exact") }), z.null()]).describe("Claude extensions configuration").optional(), "executable_server": z.union([z.object({ "executable_path": z.union([z.string(), z.null()]).describe("Path to the executable").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for executable_path matching").default("exact") }), z.null()]).describe("Executable server configuration").optional(), "unknown_server": z.union([z.object({ "args": z.union([z.string(), z.null()]).describe("Arguments for unknown server types").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for args matching").default("exact") }), z.null()]).describe("Unknown server configuration").optional(), "docker_gateway": z.union([z.object({}), z.null()]).describe("Docker gateway configuration").optional(), "docker_runner": z.union([z.object({ "image_name": z.union([z.string(), z.null()]).describe("Docker image name").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for image_name matching").default("exact") }), z.null()]).describe("Docker runner configuration").optional(), "remote_server": z.union([z.object({ "match_mode": z.union([z.enum(["url", "domain"]), z.null()]).describe("Match mode type: 'url' for URL-based matching or 'domain' for domain-based matching").optional(), "url": z.union([z.object({ "url": z.union([z.string(), z.null()]).describe("URL of the remote server").default(""), "match_mode": z.union([z.enum(["exact_url", "url_contains"]).describe("URL matching mode enumeration for remote server URL matching.\n\nMatching modes:\n- EXACT_URL: Matches the exact full URL\n e.g., \"http://sub1.sub2.something.com/alsohere/something\"\n- URL_CONTAINS: Matches if the URL contains the specified string\n e.g., \"alsohere\" matches any URL containing \"alsohere\""), z.null()]).describe("Match mode for URL matching (exact_url or url_contains)").default("exact_url") }), z.null()]).describe("URL configuration for remote server (used when match_mode='url')").optional(), "domain": z.union([z.object({ "domain_name": z.union([z.string(), z.null()]).describe("Domain name of the remote server").default(""), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") }), z.null()]).describe("Domain configuration for remote server (used when match_mode='domain')").optional() }), z.null()]).describe("Remote server configuration").optional() })), z.null()]).describe("List of manual MCP servers").optional() }), z.null()]).describe("MCP servers configuration").optional(), "tooling": z.union([z.object({ "match_mode": z.union([z.enum(["tools_include", "tools_exclude", "operations", "all"]).describe("Match mode for tools enumeration."), z.null()]).describe("Match mode for tools: tools_include, tools_exclude, operations, all").optional(), "tools": z.union([z.array(z.object({ "tool_name": z.union([z.string(), z.null()]).describe("Name of a tool e.g. 'create_issue', 'update_issue'").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for tool name matching").default("exact") })), z.null()]).describe("List of tools for matching").optional(), "operations": z.union([z.object({ "CREATE": z.union([z.enum(["match", "unmatch"]).describe("Operation match enumeration."), z.null()]).describe("Match or unmatch CREATE operation").optional(), "READ": z.union([z.enum(["match", "unmatch"]).describe("Operation match enumeration."), z.null()]).describe("Match or unmatch READ operation").optional(), "UPDATE": z.union([z.enum(["match", "unmatch"]).describe("Operation match enumeration."), z.null()]).describe("Match or unmatch UPDATE operation").optional(), "DELETE": z.union([z.enum(["match", "unmatch"]).describe("Operation match enumeration."), z.null()]).describe("Match or unmatch DELETE operation").optional(), "OTHER": z.union([z.enum(["match", "unmatch"]).describe("Operation match enumeration."), z.null()]).describe("Match or unmatch OTHER operation (those not detected)").optional() }), z.null()]).describe("Operations match configuration").optional() }), z.null()]).describe("Tooling configuration for MCP").optional() }), "source": z.array(z.object({ "assignment_id": z.string().uuid().describe("ID of the user or group"), "display_name": z.string().describe("Human-readable name of the user or group"), "assignment_type": z.enum(["ASSIGNMENT_TYPE_USER", "ASSIGNMENT_TYPE_GROUP", "ASSIGNMENT_TYPE_ENTIRE_ORG"]) }).describe("External-safe twin of Assignment.")).describe("Users or groups this rule applies to; empty means all users").optional() }).describe("Create a new Agents rule.\n\nAgents rules govern agent interactions, including which tools\nagents can invoke and what access controls apply to agent operations.") }),
2123
+ zodValidationSchema: z.object({ "requestBody": z.object({ "name": z.string().describe("Human-readable rule name"), "description": z.string().describe("Explanation of the rule's purpose").default(""), "order": z.number().int().describe("Position in the rulebase; lower values are evaluated first and take precedence"), "policy": z.object({ "action": z.union([z.enum(["block", "allow", "ask"]), z.null()]).describe("Action to take for MCP server").optional(), "logging": z.union([z.enum(["enabled", "disabled"]).describe("Logging status enumeration."), z.null()]).describe("Whether logging is enabled").optional(), "clients": z.union([z.object({ "mode": z.union([z.enum(["selected", "all"]).describe("Selection mode enumeration."), z.null()]).describe("Mode for client selection").optional(), "selected": z.union([z.array(z.object({ "os": z.union([z.enum(["windows", "macos", "all"]).describe("Operating system enumeration."), z.null()]).describe("Operating system for the client").optional(), "name_id": z.union([z.enum(["claude_desktop", "vscode", "cursor", "windsurf", "zed", "perplexity", "antigravity", "jetbrains", "roo", "cline", "docker_desktop"]).describe("MCP Client name identifier enumeration."), z.null()]).describe("Client name identifier e.g. 'claude_desktop', 'docker_desktop'").optional() })), z.null()]).describe("List of selected clients").optional() }), z.null()]).describe("Desktop clients selection").optional(), "servers": z.union([z.object({ "mcp_servers_mode": z.union([z.enum(["all", "risk_level", "manual", "managed"]).describe("MCP Servers mode enumeration."), z.null()]).describe("Mode for MCP servers selection: all, risk_level, managed, manual").optional(), "risk_level": z.union([z.object({ "use_min": z.union([z.boolean(), z.null()]).describe("Whether to use minimum risk level limit").default(false), "use_max": z.union([z.boolean(), z.null()]).describe("Whether to use maximum risk level limit").default(false), "min": z.union([z.number().int().gte(0), z.null()]).describe("Minimum risk level").optional(), "max": z.union([z.number().int().gte(0), z.null()]).describe("Maximum risk level").optional() }), z.null()]).describe("Risk level configuration for MCP servers").optional(), "managed": z.union([z.object({ "name_ids": z.union([z.array(z.object({ "name_id": z.union([z.string().min(1), z.null()]).describe("Name of the managed MCP").default("") })), z.null()]).describe("List of managed MCP identifiers").optional() }), z.null()]).describe("Managed MCP configuration").optional(), "manual": z.union([z.array(z.object({ "server_type": z.union([z.enum(["all", "node_server", "python_server", "claude_extensions", "executable_server", "unknown_server", "docker_gateway", "docker_runner", "remote_server"]), z.null()]).describe("Type of the MCP server").optional(), "node_server": z.union([z.object({ "package_name": z.union([z.string(), z.null()]).describe("NPM package name e.g. '@modelcontextprotocol/server-github'").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for package_name matching").default("exact") }), z.null()]).describe("Node server configuration").optional(), "python_server": z.union([z.object({ "module_name": z.union([z.string(), z.null()]).describe("Python module name e.g. 'modelcontextprotocol_server_github'").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for module_name matching").default("exact") }), z.null()]).describe("Python server configuration").optional(), "claude_extensions": z.union([z.object({ "extension_name": z.union([z.string(), z.null()]).describe("Extension name from manifest.json").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for extension_name matching").default("exact") }), z.null()]).describe("Claude extensions configuration").optional(), "executable_server": z.union([z.object({ "executable_path": z.union([z.string(), z.null()]).describe("Path to the executable").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for executable_path matching").default("exact") }), z.null()]).describe("Executable server configuration").optional(), "unknown_server": z.union([z.object({ "args": z.union([z.string(), z.null()]).describe("Arguments for unknown server types").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for args matching").default("exact") }), z.null()]).describe("Unknown server configuration").optional(), "docker_gateway": z.union([z.object({}), z.null()]).describe("Docker gateway configuration").optional(), "docker_runner": z.union([z.object({ "image_name": z.union([z.string(), z.null()]).describe("Docker image name").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for image_name matching").default("exact") }), z.null()]).describe("Docker runner configuration").optional(), "remote_server": z.union([z.object({ "match_mode": z.union([z.enum(["url", "domain"]), z.null()]).describe("Match mode type: 'url' for URL-based matching or 'domain' for domain-based matching").optional(), "url": z.union([z.object({ "url": z.union([z.string(), z.null()]).describe("URL of the remote server").default(""), "match_mode": z.union([z.enum(["exact_url", "url_contains"]).describe("URL matching mode enumeration for remote server URL matching.\n\nMatching modes:\n- EXACT_URL: Matches the exact full URL\n e.g., \"http://sub1.sub2.something.com/alsohere/something\"\n- URL_CONTAINS: Matches if the URL contains the specified string\n e.g., \"alsohere\" matches any URL containing \"alsohere\""), z.null()]).describe("Match mode for URL matching (exact_url or url_contains)").default("exact_url") }), z.null()]).describe("URL configuration for remote server (used when match_mode='url')").optional(), "domain": z.union([z.object({ "domain_name": z.union([z.string(), z.null()]).describe("Domain name of the remote server").default(""), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") }), z.null()]).describe("Domain configuration for remote server (used when match_mode='domain')").optional() }), z.null()]).describe("Remote server configuration").optional() })), z.null()]).describe("List of manual MCP servers").optional() }), z.null()]).describe("MCP servers configuration").optional(), "tooling": z.union([z.object({ "match_mode": z.union([z.enum(["tools_include", "tools_exclude", "operations", "all"]).describe("Match mode for tools enumeration."), z.null()]).describe("Match mode for tools: tools_include, tools_exclude, operations, all").optional(), "tools": z.union([z.array(z.object({ "tool_name": z.union([z.string(), z.null()]).describe("Name of a tool e.g. 'create_issue', 'update_issue'").default(""), "match_mode": z.union([z.enum(["exact", "contains"]).describe("Matching mode enumeration."), z.null()]).describe("Match mode for tool name matching").default("exact") })), z.null()]).describe("List of tools for matching").optional(), "operations": z.union([z.object({ "CREATE": z.union([z.enum(["match", "unmatch"]).describe("Operation match enumeration."), z.null()]).describe("Match or unmatch CREATE operation").optional(), "READ": z.union([z.enum(["match", "unmatch"]).describe("Operation match enumeration."), z.null()]).describe("Match or unmatch READ operation").optional(), "UPDATE": z.union([z.enum(["match", "unmatch"]).describe("Operation match enumeration."), z.null()]).describe("Match or unmatch UPDATE operation").optional(), "DELETE": z.union([z.enum(["match", "unmatch"]).describe("Operation match enumeration."), z.null()]).describe("Match or unmatch DELETE operation").optional(), "OTHER": z.union([z.enum(["match", "unmatch"]).describe("Operation match enumeration."), z.null()]).describe("Match or unmatch OTHER operation (those not detected)").optional() }), z.null()]).describe("Operations match configuration").optional() }), z.null()]).describe("Tooling configuration for MCP").optional() }), "source": z.array(z.object({ "assignment_id": z.string().describe("ID of the user or group"), "display_name": z.string().describe("Human-readable name of the user or group"), "assignment_type": z.enum(["ASSIGNMENT_TYPE_USER", "ASSIGNMENT_TYPE_GROUP", "ASSIGNMENT_TYPE_ENTIRE_ORG"]) }).describe("External-safe twin of Assignment.")).describe("Users or groups this rule applies to; empty means all users").optional() }).describe("Create a new Agents rule.\n\nAgents rules govern agent interactions, including which tools\nagents can invoke and what access controls apply to agent operations.") }),
2128
2124
  },
2129
2125
  ],
2130
2126
  [
@@ -2426,7 +2422,6 @@ export const toolDefinitionMap = new Map([
2426
2422
  "properties": {
2427
2423
  "id": {
2428
2424
  "type": "string",
2429
- "format": "uuid",
2430
2425
  "title": "Id",
2431
2426
  "description": "UUID of the data type",
2432
2427
  "default": "",
@@ -2522,7 +2517,6 @@ export const toolDefinitionMap = new Map([
2522
2517
  "properties": {
2523
2518
  "assignment_id": {
2524
2519
  "type": "string",
2525
- "format": "uuid",
2526
2520
  "title": "Assignment Id",
2527
2521
  "description": "ID of the user or group"
2528
2522
  },
@@ -2574,7 +2568,7 @@ export const toolDefinitionMap = new Map([
2574
2568
  executionParameters: [],
2575
2569
  requestBodyContentType: 'application/json',
2576
2570
  securityRequirements: [{ "HTTPBearer": [] }],
2577
- zodValidationSchema: z.object({ "requestBody": z.object({ "name": z.string().describe("Human-readable rule name"), "description": z.string().describe("Explanation of the rule's purpose").default(""), "order": z.number().int().describe("Position in the rulebase; lower values are evaluated first and take precedence"), "policy": z.object({ "event_type": z.union([z.enum(["file_upload", "file_download", "paste", "prompt", "copy"]), z.null()]).describe("Type of event to apply DLP policy on").optional(), "services_and_application": z.union([z.object({ "domain": z.array(z.object({ "domain": z.string().describe("Valid domain name or IPv4 address"), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") })).describe("List of domains").optional(), "url": z.array(z.object({ "url": z.string().url().describe("Valid URL") })).describe("List of URLs").optional(), "genai_application": z.array(z.object({ "id": z.number().int().gt(0).describe("GenAI application ID"), "mode": z.union([z.enum(["all", "selected_account"]).describe("Account selection mode enumeration.\n\nDetermines which accounts/organizations the policy applies to:\n\n- ALL: Policy applies to all tool instances (e.g., cloud desktop, ChatGPT desktop, etc.),\n regardless of whether they are connected to an account/organization or not.\n\n- SELECTED_ACCOUNT: Policy applies only to tool instances (e.g., cloud desktop, ChatGPT\n desktop, etc.) that are connected to one of the specified account IDs (organization IDs\n in some tools' terminology). Tool instances not connected to any account or connected\n to accounts not in the list will not be affected by this policy."), z.null()]).describe("Account selection mode: 'all' or 'selected_account'").default("all"), "accounts": z.array(z.object({ "account_id": z.string().describe("Account identifier") }).describe("External-safe twin of Account.")).describe("List of selected accounts (used when mode='selected_account')").optional() })).describe("List of GenAI applications").optional(), "category": z.array(z.object({ "category_id": z.union([z.literal(1), z.literal(3), z.literal(5), z.literal(7), z.literal(11), z.literal(12), z.literal(15), z.literal(32), z.literal(21), z.literal(24), z.literal(25), z.literal(0), z.literal(34), z.literal(35), z.literal(37), z.literal(39), z.literal(41), z.literal(42), z.literal(45), z.literal(47), z.literal(49), z.literal(51), z.literal(53), z.literal(54), z.literal(58), z.literal(59), z.literal(60), z.literal(68), z.literal(69), z.literal(71), z.literal(72), z.literal(74), z.literal(75), z.literal(76), z.literal(51000001), z.literal(51000002), z.literal(52000130), z.literal(50000032), z.literal(52000132), z.literal(60517663), z.literal(60530541), z.literal(60530542), z.literal(60530648), z.literal(31), z.literal(55), z.literal(65), z.literal(66), z.literal(67), z.literal(77), z.literal(51000003), z.literal(51000004), z.literal(51000005), z.literal(52000038), z.literal(60530540), z.literal(9), z.literal(13), z.literal(14), z.literal(17), z.literal(18), z.literal(26), z.literal(33), z.literal(56), z.literal(61), z.literal(62), z.literal(70), z.literal(73), z.literal(78), z.literal(30), z.literal(52000047), z.literal(52000058), z.literal(52000069), z.literal(50000086), z.literal(23), z.literal(52000136), z.literal(52000046), z.literal(52000051), z.literal(60531762)]).describe("URLF Category enumeration with display names as keys and category IDs as values.") })).describe("List of URLF categories").optional(), "mode": z.union([z.enum(["selected", "all"]).describe("Selection mode enumeration."), z.null()]).describe("Whether to apply to all services and applications or to only selected ones").optional() }), z.null()]).describe("Services and application configuration").optional(), "data_types": z.union([z.array(z.object({ "id": z.string().uuid().describe("UUID of the data type").default(""), "name": z.string().describe("Display name of the data type").default(""), "type": z.enum(["PRE_DEFINED", "CUSTOM"]).optional(), "matchingLevel": z.union([z.number().int(), z.null()]).describe("Matching level for the data type").optional() })), z.null()]).describe("DLP Data types").optional(), "action": z.union([z.enum(["prevent", "ask", "redact", "detect", "allow", "block"]), z.null()]).describe("Action to take when DLP rule is triggered").optional(), "logging": z.union([z.enum(["enabled", "disabled"]).describe("Logging status enumeration."), z.null()]).describe("Whether logging is enabled").optional() }), "source": z.array(z.object({ "assignment_id": z.string().uuid().describe("ID of the user or group"), "display_name": z.string().describe("Human-readable name of the user or group"), "assignment_type": z.enum(["ASSIGNMENT_TYPE_USER", "ASSIGNMENT_TYPE_GROUP", "ASSIGNMENT_TYPE_ENTIRE_ORG"]) }).describe("External-safe twin of Assignment.")).describe("Users or groups this rule applies to; empty means all users").optional() }).describe("Create a new Chats rule.\n\nChats rules control data-loss-prevention for AI chat interactions:\nprompt/response inspection, sensitive-data detection, and file transfer policies.") }),
2571
+ zodValidationSchema: z.object({ "requestBody": z.object({ "name": z.string().describe("Human-readable rule name"), "description": z.string().describe("Explanation of the rule's purpose").default(""), "order": z.number().int().describe("Position in the rulebase; lower values are evaluated first and take precedence"), "policy": z.object({ "event_type": z.union([z.enum(["file_upload", "file_download", "paste", "prompt", "copy"]), z.null()]).describe("Type of event to apply DLP policy on").optional(), "services_and_application": z.union([z.object({ "domain": z.array(z.object({ "domain": z.string().describe("Valid domain name or IPv4 address"), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") })).describe("List of domains").optional(), "url": z.array(z.object({ "url": z.string().url().describe("Valid URL") })).describe("List of URLs").optional(), "genai_application": z.array(z.object({ "id": z.number().int().gt(0).describe("GenAI application ID"), "mode": z.union([z.enum(["all", "selected_account"]).describe("Account selection mode enumeration.\n\nDetermines which accounts/organizations the policy applies to:\n\n- ALL: Policy applies to all tool instances (e.g., cloud desktop, ChatGPT desktop, etc.),\n regardless of whether they are connected to an account/organization or not.\n\n- SELECTED_ACCOUNT: Policy applies only to tool instances (e.g., cloud desktop, ChatGPT\n desktop, etc.) that are connected to one of the specified account IDs (organization IDs\n in some tools' terminology). Tool instances not connected to any account or connected\n to accounts not in the list will not be affected by this policy."), z.null()]).describe("Account selection mode: 'all' or 'selected_account'").default("all"), "accounts": z.array(z.object({ "account_id": z.string().describe("Account identifier") }).describe("External-safe twin of Account.")).describe("List of selected accounts (used when mode='selected_account')").optional() })).describe("List of GenAI applications").optional(), "category": z.array(z.object({ "category_id": z.union([z.literal(1), z.literal(3), z.literal(5), z.literal(7), z.literal(11), z.literal(12), z.literal(15), z.literal(32), z.literal(21), z.literal(24), z.literal(25), z.literal(0), z.literal(34), z.literal(35), z.literal(37), z.literal(39), z.literal(41), z.literal(42), z.literal(45), z.literal(47), z.literal(49), z.literal(51), z.literal(53), z.literal(54), z.literal(58), z.literal(59), z.literal(60), z.literal(68), z.literal(69), z.literal(71), z.literal(72), z.literal(74), z.literal(75), z.literal(76), z.literal(51000001), z.literal(51000002), z.literal(52000130), z.literal(50000032), z.literal(52000132), z.literal(60517663), z.literal(60530541), z.literal(60530542), z.literal(60530648), z.literal(31), z.literal(55), z.literal(65), z.literal(66), z.literal(67), z.literal(77), z.literal(51000003), z.literal(51000004), z.literal(51000005), z.literal(52000038), z.literal(60530540), z.literal(9), z.literal(13), z.literal(14), z.literal(17), z.literal(18), z.literal(26), z.literal(33), z.literal(56), z.literal(61), z.literal(62), z.literal(70), z.literal(73), z.literal(78), z.literal(30), z.literal(52000047), z.literal(52000058), z.literal(52000069), z.literal(50000086), z.literal(23), z.literal(52000136), z.literal(52000046), z.literal(52000051), z.literal(60531762)]).describe("URLF Category enumeration with display names as keys and category IDs as values.") })).describe("List of URLF categories").optional(), "mode": z.union([z.enum(["selected", "all"]).describe("Selection mode enumeration."), z.null()]).describe("Whether to apply to all services and applications or to only selected ones").optional() }), z.null()]).describe("Services and application configuration").optional(), "data_types": z.union([z.array(z.object({ "id": z.string().describe("UUID of the data type").default(""), "name": z.string().describe("Display name of the data type").default(""), "type": z.enum(["PRE_DEFINED", "CUSTOM"]).optional(), "matchingLevel": z.union([z.number().int(), z.null()]).describe("Matching level for the data type").optional() })), z.null()]).describe("DLP Data types").optional(), "action": z.union([z.enum(["prevent", "ask", "redact", "detect", "allow", "block"]), z.null()]).describe("Action to take when DLP rule is triggered").optional(), "logging": z.union([z.enum(["enabled", "disabled"]).describe("Logging status enumeration."), z.null()]).describe("Whether logging is enabled").optional() }), "source": z.array(z.object({ "assignment_id": z.string().describe("ID of the user or group"), "display_name": z.string().describe("Human-readable name of the user or group"), "assignment_type": z.enum(["ASSIGNMENT_TYPE_USER", "ASSIGNMENT_TYPE_GROUP", "ASSIGNMENT_TYPE_ENTIRE_ORG"]) }).describe("External-safe twin of Assignment.")).describe("Users or groups this rule applies to; empty means all users").optional() }).describe("Create a new Chats rule.\n\nChats rules control data-loss-prevention for AI chat interactions:\nprompt/response inspection, sensitive-data detection, and file transfer policies.") }),
2578
2572
  },
2579
2573
  ],
2580
2574
  [
@@ -2758,7 +2752,6 @@ export const toolDefinitionMap = new Map([
2758
2752
  "properties": {
2759
2753
  "assignment_id": {
2760
2754
  "type": "string",
2761
- "format": "uuid",
2762
2755
  "title": "Assignment Id",
2763
2756
  "description": "ID of the user or group"
2764
2757
  },
@@ -2810,7 +2803,7 @@ export const toolDefinitionMap = new Map([
2810
2803
  executionParameters: [],
2811
2804
  requestBodyContentType: 'application/json',
2812
2805
  securityRequirements: [{ "HTTPBearer": [] }],
2813
- zodValidationSchema: z.object({ "requestBody": z.object({ "name": z.string().describe("Human-readable rule name"), "description": z.string().describe("Explanation of the rule's purpose").default(""), "order": z.number().int().describe("Position in the rulebase; lower values are evaluated first and take precedence"), "policy": z.object({ "password_reuse": z.union([z.enum(["detect", "prevent", "ask", "off"]).describe("Actions for threat prevention features."), z.null()]).optional(), "zero_phishing": z.union([z.enum(["detect", "prevent", "ask", "off"]).describe("Actions for threat prevention features."), z.null()]).optional(), "safe_search": z.union([z.enum(["on", "off"]).describe("Simple on/off toggle."), z.null()]).optional(), "search_reputation": z.union([z.enum(["on", "off"]).describe("Simple on/off toggle."), z.null()]).optional(), "domain_exclusions": z.array(z.object({ "domain": z.string().describe("Valid domain name or IPv4 address"), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") })).describe("List of excluded domains").optional(), "protected_domains": z.array(z.object({ "domain": z.string().describe("Valid domain name or IPv4 address"), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") })).describe("List of protected domains").optional() }), "source": z.array(z.object({ "assignment_id": z.string().uuid().describe("ID of the user or group"), "display_name": z.string().describe("Human-readable name of the user or group"), "assignment_type": z.enum(["ASSIGNMENT_TYPE_USER", "ASSIGNMENT_TYPE_GROUP", "ASSIGNMENT_TYPE_ENTIRE_ORG"]) }).describe("External-safe twin of Assignment.")).describe("Users or groups this rule applies to; empty means all users").optional() }).describe("Create a new Secure Browsing rule.\n\nSecure Browsing rules define threat-prevention policies for web browsing:\nphishing protection, password-reuse detection, and domain-based filtering.") }),
2806
+ zodValidationSchema: z.object({ "requestBody": z.object({ "name": z.string().describe("Human-readable rule name"), "description": z.string().describe("Explanation of the rule's purpose").default(""), "order": z.number().int().describe("Position in the rulebase; lower values are evaluated first and take precedence"), "policy": z.object({ "password_reuse": z.union([z.enum(["detect", "prevent", "ask", "off"]).describe("Actions for threat prevention features."), z.null()]).optional(), "zero_phishing": z.union([z.enum(["detect", "prevent", "ask", "off"]).describe("Actions for threat prevention features."), z.null()]).optional(), "safe_search": z.union([z.enum(["on", "off"]).describe("Simple on/off toggle."), z.null()]).optional(), "search_reputation": z.union([z.enum(["on", "off"]).describe("Simple on/off toggle."), z.null()]).optional(), "domain_exclusions": z.array(z.object({ "domain": z.string().describe("Valid domain name or IPv4 address"), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") })).describe("List of excluded domains").optional(), "protected_domains": z.array(z.object({ "domain": z.string().describe("Valid domain name or IPv4 address"), "match_mode": z.union([z.enum(["exact_host", "any_subdomain"]).describe("Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."), z.null()]).describe("Match mode for domain matching (exact_host or any_subdomain)").default("exact_host") })).describe("List of protected domains").optional() }), "source": z.array(z.object({ "assignment_id": z.string().describe("ID of the user or group"), "display_name": z.string().describe("Human-readable name of the user or group"), "assignment_type": z.enum(["ASSIGNMENT_TYPE_USER", "ASSIGNMENT_TYPE_GROUP", "ASSIGNMENT_TYPE_ENTIRE_ORG"]) }).describe("External-safe twin of Assignment.")).describe("Users or groups this rule applies to; empty means all users").optional() }).describe("Create a new Secure Browsing rule.\n\nSecure Browsing rules define threat-prevention policies for web browsing:\nphishing protection, password-reuse detection, and domain-based filtering.") }),
2814
2807
  },
2815
2808
  ],
2816
2809
  [
@@ -2848,16 +2841,16 @@ export const toolDefinitionMap = new Map([
2848
2841
  },
2849
2842
  ],
2850
2843
  [
2851
- 'list_dlp_datatypes',
2844
+ 'get_tenant_dlp_datatypes',
2852
2845
  {
2853
- name: 'list_dlp_datatypes',
2854
- description: `List all available DLP data types (both predefined and custom). Data types define what sensitive information patterns (credit cards, SSNs, etc.) the DLP engine can detect in chat messages and file transfers.`,
2846
+ name: 'get_tenant_dlp_datatypes',
2847
+ description: `Get the tenant-specific DLP datatype configuration showing which data types are currently enabled for detection in this tenant's policies.`,
2855
2848
  inputSchema: {
2856
2849
  "type": "object",
2857
2850
  "properties": {}
2858
2851
  },
2859
2852
  method: 'get',
2860
- pathTemplate: '/app/genai-protect-policy/mcp/v1/dlp-datatypes/all',
2853
+ pathTemplate: '/app/genai-protect-policy/mcp/v1/dlp-datatypes/tenant',
2861
2854
  executionParameters: [],
2862
2855
  requestBodyContentType: undefined,
2863
2856
  securityRequirements: [{ "HTTPBearer": [] }],
@@ -2865,20 +2858,48 @@ export const toolDefinitionMap = new Map([
2865
2858
  },
2866
2859
  ],
2867
2860
  [
2868
- 'get_tenant_dlp_datatypes',
2861
+ 'search_dlp_datatypes',
2869
2862
  {
2870
- name: 'get_tenant_dlp_datatypes',
2871
- description: `Get the tenant-specific DLP datatype configuration showing which data types are currently enabled for detection in this tenant's policies.`,
2863
+ name: 'search_dlp_datatypes',
2864
+ description: `Search DLP data types by name or description with pagination. Returns matching data types sorted by name. Use when you need to find specific DLP data type identifiers for policy configuration.`,
2872
2865
  inputSchema: {
2873
2866
  "type": "object",
2874
- "properties": {}
2867
+ "properties": {
2868
+ "search": {
2869
+ "anyOf": [
2870
+ {
2871
+ "type": "string"
2872
+ },
2873
+ {
2874
+ "type": "null"
2875
+ }
2876
+ ],
2877
+ "description": "Case-insensitive search on data type name and description",
2878
+ "title": "Search"
2879
+ },
2880
+ "limit": {
2881
+ "type": "integer",
2882
+ "maximum": 100,
2883
+ "minimum": 1,
2884
+ "description": "Number of results per page (max 100)",
2885
+ "default": 50,
2886
+ "title": "Limit"
2887
+ },
2888
+ "offset": {
2889
+ "type": "integer",
2890
+ "minimum": 0,
2891
+ "description": "Number of results to skip for pagination",
2892
+ "default": 0,
2893
+ "title": "Offset"
2894
+ }
2895
+ }
2875
2896
  },
2876
2897
  method: 'get',
2877
- pathTemplate: '/app/genai-protect-policy/mcp/v1/dlp-datatypes/tenant',
2878
- executionParameters: [],
2898
+ pathTemplate: '/app/genai-protect-policy/mcp/v1/dlp-datatypes/search',
2899
+ executionParameters: [{ "name": "search", "in": "query" }, { "name": "limit", "in": "query" }, { "name": "offset", "in": "query" }],
2879
2900
  requestBodyContentType: undefined,
2880
2901
  securityRequirements: [{ "HTTPBearer": [] }],
2881
- zodValidationSchema: z.object({}),
2902
+ zodValidationSchema: z.object({ "search": z.union([z.string(), z.null()]).describe("Case-insensitive search on data type name and description").optional(), "limit": z.number().int().gte(1).lte(100).describe("Number of results per page (max 100)").default(50), "offset": z.number().int().gte(0).describe("Number of results to skip for pagination").default(0) }),
2882
2903
  },
2883
2904
  ],
2884
2905
  [
package/package.json CHANGED
@@ -1,8 +1,18 @@
1
1
  {
2
2
  "name": "@haimkastner/workforce-ai-mcp",
3
- "version": "1.0.0-rc.2",
3
+ "version": "1.0.0-rc.4",
4
4
  "description": "MCP server for Workforce AI — policy management, asset visibility, and apps catalog via LLM tool calls",
5
5
  "license": "MIT",
6
+ "keywords": [
7
+ "mcp",
8
+ "model-context-protocol",
9
+ "checkpoint",
10
+ "workforce-ai",
11
+ "ai-security",
12
+ "browse-security",
13
+ "policy",
14
+ "security"
15
+ ],
6
16
  "type": "module",
7
17
  "main": "dist/index.js",
8
18
  "bin": {
@@ -10,8 +20,6 @@
10
20
  },
11
21
  "files": [
12
22
  "dist",
13
- "openapi-mcp.json",
14
- "TOOLS.md",
15
23
  "README.md",
16
24
  "LICENSE"
17
25
  ],
@@ -27,7 +35,6 @@
27
35
  "@hono/node-server": "^1.14.1",
28
36
  "@modelcontextprotocol/sdk": "^1.10.0",
29
37
  "axios": "^1.9.0",
30
- "dotenv": "^17.4.0",
31
38
  "fetch-to-node": "^2.1.0",
32
39
  "hono": "^4.7.7",
33
40
  "uuid": "^11.1.0",
@@ -36,6 +43,7 @@
36
43
  "devDependencies": {
37
44
  "@types/node": "^22.0.0",
38
45
  "@types/uuid": "^10.0.0",
46
+ "dotenv": "^17.4.0",
39
47
  "json-schema-to-zod": "^2.6.1",
40
48
  "tsx": "^4.0.0",
41
49
  "typescript": "^5.7.0"
package/TOOLS.md DELETED
@@ -1,32 +0,0 @@
1
- <!-- AUTO-GENERATED FILE — DO NOT EDIT. Generated by scripts/generate-tools.ts -->
2
-
3
- # Available Tools
4
-
5
- | Tool | Description | Mode |
6
- |---|---|---|
7
- | `list_chats_rules` | List all Chats (GenAI DLP) rules. | read |
8
- | `list_ai_access_rules` | List all AI Access rules that control which AI services and applications users are allowed to interact with. | read |
9
- | `list_web_access_rules` | List all Web Access rules for Browse Security. | read |
10
- | `list_agents_rules` | List all Agents (MCP Server) rules that govern agent interactions. | read |
11
- | `list_secure_browsing_rules` | List all Secure Browsing threat-prevention rules. | read |
12
- | `list_dlp_rules` | List all Browse DLP (Data Loss Prevention) rules for browser security. | read |
13
- | `set_rule_info` | Update the display name and description of a rule identified by its UUID. | write |
14
- | `set_rule_active` | Enable or disable a rule without deleting it. | write |
15
- | `reorder_rule` | Move a rule to a new position in the rulebase. | write |
16
- | `delete_rule` | Permanently delete a rule from the rulebase by its UUID. | write |
17
- | `create_chats_rule` | Create a new Chats (GenAI DLP) rule. | write |
18
- | `create_ai_access_rule` | Create a new AI Access rule that controls which AI services and applications users can interact with. | write |
19
- | `create_agents_rule` | Create a new Agents (MCP Server) rule that governs agent interactions. | write |
20
- | `create_dlp_rule` | Create a new Browse DLP rule for data loss prevention during web browsing. | write |
21
- | `create_secure_browsing_rule` | Create a new Secure Browsing threat-prevention rule. | write |
22
- | `list_file_protection_objects` | List all file-protection policy objects. | read |
23
- | `list_domains_objects` | List all domains policy objects. | read |
24
- | `list_dlp_datatypes` | List all available DLP data types (both predefined and custom). | read |
25
- | `get_tenant_dlp_datatypes` | Get the tenant-specific DLP datatype configuration showing which data types are currently enabled for detection in this tenant's policies.. | read |
26
- | `analyze_shadow_rules` | Find unreachable (shadowed) rules in a rulebase. | read |
27
- | `resolve_matching_rule` | Given a user and target, determine which rule in the rulebase would apply. | read |
28
- | `search_assets` | Search deployed assets (endpoints/devices) with optional filtering, sorting, text search, and pagination. | read |
29
- | `count_assets` | Get the total count of deployed assets, optionally filtered. | read |
30
- | `search_users` | Search users in the organization with optional text search and pagination. | read |
31
- | `search_apps` | Search the GenAI apps catalog by name, description, or URL. | read |
32
- | `get_apps_by_ids` | Get specific GenAI apps from the catalog by their numeric IDs. | read |
package/openapi-mcp.json DELETED
@@ -1 +0,0 @@
1
- {"openapi":"3.1.0","info":{"title":"Workforce AI MCP API","description":"MCP (Model Context Protocol) API for Workforce AI — policy management, asset visibility, and apps catalog optimized for LLM tool consumption.\n\n## Authentication\nAll endpoints require a valid CloudInfra JWT token passed as a Bearer token in the `Authorization` header.\n\n### Obtaining a JWT Token\n1. Go to the [Infinity Portal API Keys page](https://portal.checkpoint.com/dashboard/settings/api-keys).\n2. Click **New** → **New Account API Key**.\n3. In the **Service** dropdown select **Workforce AI Security** and create the key.\n4. Use the generated API key to obtain a JWT token from CloudInfra.\n5. Include the JWT in every request:\n ```\n Authorization: Bearer <JWT_TOKEN>\n ```\n\n## Tool Access Modes\nEach operation is annotated with `x-access-mode` (read or write). The MCP server can be configured to expose only read tools by default.\n","version":"1.0.0"},"servers":[{"url":"https://cloudinfra-gw.portal.checkpoint.com","description":"Europe Region"},{"url":"https://cloudinfra-gw-us.portal.checkpoint.com","description":"United States Region"}],"paths":{"/app/genai-protect-policy/mcp/v1/policy/chats/rulebase":{"get":{"tags":["MCP Policy Rules"],"summary":"List all GenAI DLP chat rules","operationId":"list_chats_rules_mcp_v1_policy_chats_rulebase_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetRulebaseResponse"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"list_chats_rules","x-tool-description":"List all Chats (GenAI DLP) rules. Each rule defines data-loss-prevention policies for AI chat interactions including prompt/response inspection, sensitive-data detection, and file transfer controls. Returns rules ordered by priority.","x-access-mode":"read"}},"/app/genai-protect-policy/mcp/v1/policy/ai-access/rulebase":{"get":{"tags":["MCP Policy Rules"],"summary":"List all AI Access rules","operationId":"list_ai_access_rules_mcp_v1_policy_ai_access_rulebase_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetRulebaseResponse"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"list_ai_access_rules","x-tool-description":"List all AI Access rules that control which AI services and applications users are allowed to interact with. Each rule specifies allow/block decisions per service. Returns rules ordered by priority.","x-access-mode":"read"}},"/app/genai-protect-policy/mcp/v1/policy/web-access/rulebase":{"get":{"tags":["MCP Policy Rules"],"summary":"List all Web Access rules","operationId":"list_web_access_rules_mcp_v1_policy_web_access_rulebase_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetRulebaseResponse"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"list_web_access_rules","x-tool-description":"List all Web Access rules for Browse Security. These rules control which websites and web applications users can access through browser security. Returns rules ordered by priority.","x-access-mode":"read"}},"/app/genai-protect-policy/mcp/v1/policy/agents/rulebase":{"get":{"tags":["MCP Policy Rules"],"summary":"List all Agents rules","operationId":"list_agents_rules_mcp_v1_policy_agents_rulebase_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetRulebaseResponse"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"list_agents_rules","x-tool-description":"List all Agents (MCP Server) rules that govern agent interactions. These rules control which tools agents can invoke and what access controls apply to agent operations. Returns rules ordered by priority.","x-access-mode":"read"}},"/app/genai-protect-policy/mcp/v1/policy/secure-browsing/rulebase":{"get":{"tags":["MCP Policy Rules"],"summary":"List all Secure Browsing rules","operationId":"list_secure_browsing_rules_mcp_v1_policy_secure_browsing_rulebase_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetRulebaseResponse"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"list_secure_browsing_rules","x-tool-description":"List all Secure Browsing threat-prevention rules. These rules define phishing protection, password-reuse detection, and domain-based filtering for web browsing. Returns rules ordered by priority.","x-access-mode":"read"}},"/app/genai-protect-policy/mcp/v1/policy/dlp/rulebase":{"get":{"tags":["MCP Policy Rules"],"summary":"List all Browse DLP rules","operationId":"list_dlp_rules_mcp_v1_policy_dlp_rulebase_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetRulebaseResponse"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"list_dlp_rules","x-tool-description":"List all Browse DLP (Data Loss Prevention) rules for browser security. These rules control data protection for web browsing sessions including file uploads, downloads, and clipboard operations. Returns rules ordered by priority.","x-access-mode":"read"}},"/app/genai-protect-policy/mcp/v1/rules/set-info":{"put":{"tags":["MCP Rule Mutations"],"summary":"Update a rule's name and description","operationId":"set_rule_info_mcp_v1_rules_set_info_put","security":[{"HTTPBearer":[]}],"parameters":[{"name":"rule_id","in":"query","required":true,"schema":{"type":"string","description":"UUID of the rule to update","title":"Rule Id"},"description":"UUID of the rule to update"},{"name":"name","in":"query","required":true,"schema":{"type":"string","description":"New human-readable name for the rule","title":"Name"},"description":"New human-readable name for the rule"},{"name":"description","in":"query","required":false,"schema":{"type":"string","description":"New description of the rule's purpose","default":"","title":"Description"},"description":"New description of the rule's purpose"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"type":"object","additionalProperties":true,"title":"Response Set Rule Info Mcp V1 Rules Set Info Put"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"x-tool-name":"set_rule_info","x-tool-description":"Update the display name and description of a rule identified by its UUID. Does not change the rule's policy, assignments, or position.","x-access-mode":"write"}},"/app/genai-protect-policy/mcp/v1/rules/set-active":{"put":{"tags":["MCP Rule Mutations"],"summary":"Enable or disable a rule","operationId":"set_rule_active_mcp_v1_rules_set_active_put","security":[{"HTTPBearer":[]}],"parameters":[{"name":"rule_id","in":"query","required":true,"schema":{"type":"string","description":"UUID of the rule to update","title":"Rule Id"},"description":"UUID of the rule to update"},{"name":"active","in":"query","required":true,"schema":{"type":"boolean","description":"true to enforce the rule, false to skip it","title":"Active"},"description":"true to enforce the rule, false to skip it"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"type":"object","additionalProperties":true,"title":"Response Set Rule Active Mcp V1 Rules Set Active Put"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"x-tool-name":"set_rule_active","x-tool-description":"Enable or disable a rule without deleting it. Inactive rules remain in the rulebase but are skipped during policy evaluation. Pass active=true to enforce or active=false to skip.","x-access-mode":"write"}},"/app/genai-protect-policy/mcp/v1/rules/reorder":{"put":{"tags":["MCP Rule Mutations"],"summary":"Change a rule's priority position","operationId":"reorder_rule_mcp_v1_rules_reorder_put","security":[{"HTTPBearer":[]}],"parameters":[{"name":"rule_id","in":"query","required":true,"schema":{"type":"string","description":"UUID of the rule to reorder","title":"Rule Id"},"description":"UUID of the rule to reorder"},{"name":"new_order","in":"query","required":true,"schema":{"type":"integer","description":"Target position (1-based). Lower = higher priority","title":"New Order"},"description":"Target position (1-based). Lower = higher priority"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"type":"object","additionalProperties":true,"title":"Response Reorder Rule Mcp V1 Rules Reorder Put"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"x-tool-name":"reorder_rule","x-tool-description":"Move a rule to a new position in the rulebase. Lower positions have higher priority and are evaluated first. Other rules shift automatically to accommodate.","x-access-mode":"write"}},"/app/genai-protect-policy/mcp/v1/rules/delete":{"delete":{"tags":["MCP Rule Mutations"],"summary":"Permanently delete a rule","operationId":"delete_rule_mcp_v1_rules_delete_delete","security":[{"HTTPBearer":[]}],"parameters":[{"name":"rule_id","in":"query","required":true,"schema":{"type":"string","description":"UUID of the rule to delete","title":"Rule Id"},"description":"UUID of the rule to delete"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CommonDeleteRuleResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"x-tool-name":"delete_rule","x-tool-description":"Permanently delete a rule from the rulebase by its UUID. This action cannot be undone. Remaining rules are re-ordered automatically.","x-access-mode":"write"}},"/app/genai-protect-policy/mcp/v1/rules/chats/create":{"post":{"tags":["MCP Rule Mutations"],"summary":"Create a Chats DLP rule","operationId":"create_chats_rule_mcp_v1_rules_chats_create_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AddChatsRuleRequest"}}},"required":true},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AddRuleResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"create_chats_rule","x-tool-description":"Create a new Chats (GenAI DLP) rule. Provide a name, priority order, and a policy object defining prompt/response inspection, sensitive-data detection, and file transfer controls. Optionally assign to specific users or groups.","x-access-mode":"write"}},"/app/genai-protect-policy/mcp/v1/rules/ai-access/create":{"post":{"tags":["MCP Rule Mutations"],"summary":"Create an AI Access rule","operationId":"create_ai_access_rule_mcp_v1_rules_ai_access_create_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AddAccessRuleRequest"}}},"required":true},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AddRuleResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"create_ai_access_rule","x-tool-description":"Create a new AI Access rule that controls which AI services and applications users can interact with. Provide a name, priority order, and a policy defining allow/block decisions per service.","x-access-mode":"write"}},"/app/genai-protect-policy/mcp/v1/rules/agents/create":{"post":{"tags":["MCP Rule Mutations"],"summary":"Create an Agents rule","operationId":"create_agents_rule_mcp_v1_rules_agents_create_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AddMCPServerRuleRequest"}}},"required":true},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AddRuleResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"create_agents_rule","x-tool-description":"Create a new Agents (MCP Server) rule that governs agent interactions. Define which tools agents can invoke and access controls for agent operations.","x-access-mode":"write"}},"/app/genai-protect-policy/mcp/v1/rules/dlp/create":{"post":{"tags":["MCP Rule Mutations"],"summary":"Create a Browse DLP rule","operationId":"create_dlp_rule_mcp_v1_rules_dlp_create_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AddChatsRuleRequest"}}},"required":true},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AddRuleResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"create_dlp_rule","x-tool-description":"Create a new Browse DLP rule for data loss prevention during web browsing. Controls file uploads, downloads, and clipboard operations.","x-access-mode":"write"}},"/app/genai-protect-policy/mcp/v1/rules/secure-browsing/create":{"post":{"tags":["MCP Rule Mutations"],"summary":"Create a Secure Browsing rule","operationId":"create_secure_browsing_rule_mcp_v1_rules_secure_browsing_create_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AddSecureBrowsingRuleRequest"}}},"required":true},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AddRuleResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"create_secure_browsing_rule","x-tool-description":"Create a new Secure Browsing threat-prevention rule. Define phishing protection, password-reuse detection, and domain-based filtering for web browsing.","x-access-mode":"write"}},"/app/genai-protect-policy/mcp/v1/objects/file-protection":{"get":{"tags":["MCP Objects"],"summary":"List all file-protection objects","operationId":"list_file_protection_objects_mcp_v1_objects_file_protection_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetFileProtectionObjectsResponse"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"list_file_protection_objects","x-tool-description":"List all file-protection policy objects. These reusable objects define file scanning and emulation settings (download/upload actions, size limits) that can be shared across multiple rules.","x-access-mode":"read"}},"/app/genai-protect-policy/mcp/v1/objects/domains":{"get":{"tags":["MCP Objects"],"summary":"List all domains objects","operationId":"list_domains_objects_mcp_v1_objects_domains_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetDomainsObjectsResponse"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"list_domains_objects","x-tool-description":"List all domains policy objects. These reusable objects define domain allow/block lists that can be shared across multiple rules for domain-based filtering.","x-access-mode":"read"}},"/app/genai-protect-policy/mcp/v1/dlp-datatypes/all":{"get":{"tags":["MCP DLP Datatypes"],"summary":"List all DLP data types","operationId":"list_dlp_datatypes_mcp_v1_dlp_datatypes_all_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetDlpDataTypesResponse"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"list_dlp_datatypes","x-tool-description":"List all available DLP data types (both predefined and custom). Data types define what sensitive information patterns (credit cards, SSNs, etc.) the DLP engine can detect in chat messages and file transfers.","x-access-mode":"read"}},"/app/genai-protect-policy/mcp/v1/dlp-datatypes/tenant":{"get":{"tags":["MCP DLP Datatypes"],"summary":"Get tenant DLP datatype configuration","operationId":"get_tenant_dlp_datatypes_mcp_v1_dlp_datatypes_tenant_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetDlpTenantDataTypesResponse"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"get_tenant_dlp_datatypes","x-tool-description":"Get the tenant-specific DLP datatype configuration showing which data types are currently enabled for detection in this tenant's policies.","x-access-mode":"read"}},"/app/genai-protect-policy/mcp/v1/simulation/shadow":{"get":{"tags":["MCP Policy Simulation"],"summary":"Analyze rulebase for shadowed rules","operationId":"analyze_shadow_rules_mcp_v1_simulation_shadow_get","security":[{"HTTPBearer":[]}],"parameters":[{"name":"policy_type","in":"query","required":true,"schema":{"$ref":"#/components/schemas/PolicyType","description":"Policy type to analyze. Allowed values: POLICY_TYPE_DLP (Chats/DLP rules), POLICY_TYPE_ACCESS (AI Access/Web Access rules), POLICY_TYPE_MCP_SERVER (Agents rules), POLICY_TYPE_PAAS (PaaS environment rules), POLICY_TYPE_THREAT_PREVENTION (Secure Browsing rules)"},"description":"Policy type to analyze. Allowed values: POLICY_TYPE_DLP (Chats/DLP rules), POLICY_TYPE_ACCESS (AI Access/Web Access rules), POLICY_TYPE_MCP_SERVER (Agents rules), POLICY_TYPE_PAAS (PaaS environment rules), POLICY_TYPE_THREAT_PREVENTION (Secure Browsing rules)"},{"name":"tag","in":"query","required":true,"schema":{"$ref":"#/components/schemas/RuleTag","description":"Rule tag context: 'genai' for AI Security rules, 'browsing' for Browse Security rules, 'general' for product-agnostic rules"},"description":"Rule tag context: 'genai' for AI Security rules, 'browsing' for Browse Security rules, 'general' for product-agnostic rules"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ShadowAnalysisResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"x-tool-name":"analyze_shadow_rules","x-tool-description":"Find unreachable (shadowed) rules in a rulebase. A rule is shadowed when a higher-priority rule already covers every possible request it could match, making it effectively dead. Returns each shadowed rule with a human-readable explanation of why it is unreachable and which rule shadows it.","x-access-mode":"read"}},"/app/genai-protect-policy/mcp/v1/simulation/resolve":{"post":{"tags":["MCP Policy Simulation"],"summary":"Resolve the matching rule for a user and target","operationId":"resolve_matching_rule_mcp_v1_simulation_resolve_post","requestBody":{"content":{"application/json":{"schema":{"oneOf":[{"$ref":"#/components/schemas/ResolveDLPRequest"},{"$ref":"#/components/schemas/ResolveAccessRequest"},{"$ref":"#/components/schemas/ResolveMCPRequest"},{"$ref":"#/components/schemas/ResolvePaaSRequest"},{"$ref":"#/components/schemas/ResolveTPRequest"}],"title":"Request","discriminator":{"propertyName":"policy_type","mapping":{"POLICY_TYPE_DLP":"#/components/schemas/ResolveDLPRequest","POLICY_TYPE_ACCESS":"#/components/schemas/ResolveAccessRequest","POLICY_TYPE_MCP_SERVER":"#/components/schemas/ResolveMCPRequest","POLICY_TYPE_PAAS":"#/components/schemas/ResolvePaaSRequest","POLICY_TYPE_THREAT_PREVENTION":"#/components/schemas/ResolveTPRequest"}}}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ResolveResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"security":[{"HTTPBearer":[]}],"x-tool-name":"resolve_matching_rule","x-tool-description":"Given a user and target, determine which rule in the rulebase would apply. Simulates policy evaluation to find the single winning rule. The request body varies by policy_type — only these types are supported:\n- POLICY_TYPE_DLP: requires user_id, tag, and target with event_type + one of domain/url/genai_app/category_id\n- POLICY_TYPE_ACCESS: requires user_id, tag, and target with one of domain/url/genai_app/category_id\n- POLICY_TYPE_MCP_SERVER: requires user_id and target with client/server/tool info\n- POLICY_TYPE_PAAS: requires tag and target with environment_id (no user)\n- POLICY_TYPE_THREAT_PREVENTION: requires user_id only\n\nReturns the matched rule's ID, name, and priority order, or null if no rule matches.","x-access-mode":"read"}},"/app/genai-protect-assets/mcp/v1/assets":{"get":{"tags":["MCP Assets"],"summary":"Search deployed assets with filters, sorting, and pagination","operationId":"search_assets_mcp_v1_assets_get","security":[{"HTTPBearer":[]}],"parameters":[{"name":"search","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Free text search across device name and user name","title":"Search"},"description":"Free text search across device name and user name"},{"name":"filter_field","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Comma-separated field names to filter on. Options: device_name, device_sid, device_created_at, device_updated_at, user_name, user_display_name, user_samname, user_created_at, user_updated_at, last_connected, os, os_version, device_type, ip, installer_version, chrome_extension_version, firefox_extension_version, edge_extension_version, brave_extension_version, mcp_version, proxy_version","title":"Filter Field"},"description":"Comma-separated field names to filter on. Options: device_name, device_sid, device_created_at, device_updated_at, user_name, user_display_name, user_samname, user_created_at, user_updated_at, last_connected, os, os_version, device_type, ip, installer_version, chrome_extension_version, firefox_extension_version, edge_extension_version, brave_extension_version, mcp_version, proxy_version"},{"name":"filter_operator","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Comma-separated operators, one per filter_field. Text fields: equals, in, contains. Date fields: gte, lte, between. Enum fields (os, device_type): equals, in.","title":"Filter Operator"},"description":"Comma-separated operators, one per filter_field. Text fields: equals, in, contains. Date fields: gte, lte, between. Enum fields (os, device_type): equals, in."},{"name":"filter_value","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Comma-separated single values, one per filter_field. Used with equals, contains, gte, lte operators.","title":"Filter Value"},"description":"Comma-separated single values, one per filter_field. Used with equals, contains, gte, lte operators."},{"name":"filter_values","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Multi-value filters for 'in' and 'between' operators. Semicolon-separated per filter, comma-separated per value within. Example for two filters: 'windows,linux;2024-01-01,2024-12-31'","title":"Filter Values"},"description":"Multi-value filters for 'in' and 'between' operators. Semicolon-separated per filter, comma-separated per value within. Example for two filters: 'windows,linux;2024-01-01,2024-12-31'"},{"name":"sort_field","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Comma-separated field names to sort by (same options as filter_field)","title":"Sort Field"},"description":"Comma-separated field names to sort by (same options as filter_field)"},{"name":"sort_order","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Comma-separated sort orders, one per sort_field. Options: asc, desc (default: desc)","title":"Sort Order"},"description":"Comma-separated sort orders, one per sort_field. Options: asc, desc (default: desc)"},{"name":"joins","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Comma-separated domains to include in the response. Options: users, pings, deployment, policy, status, environment. Omit to return device info only.","title":"Joins"},"description":"Comma-separated domains to include in the response. Options: users, pings, deployment, policy, status, environment. Omit to return device info only."},{"name":"limit","in":"query","required":false,"schema":{"type":"integer","maximum":1000,"minimum":1,"description":"Number of results per page (max 1000)","default":50,"title":"Limit"},"description":"Number of results per page (max 1000)"},{"name":"offset","in":"query","required":false,"schema":{"type":"integer","minimum":0,"description":"Number of results to skip for pagination","default":0,"title":"Offset"},"description":"Number of results to skip for pagination"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AssetsResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"x-tool-name":"search_assets","x-tool-description":"Search deployed assets (endpoints/devices) with optional filtering, sorting, text search, and pagination. Returns device info, user, deployment status, health, and policy versions.\n\n**Filtering:** Use filter_field, filter_operator, and filter_value as comma-separated lists (positionally matched). For multi-value operators (in, between) use filter_values with semicolons between filters and commas between values.\n\nAvailable fields: device_name, device_sid, device_created_at, device_updated_at, user_name, user_display_name, user_samname, user_created_at, user_updated_at, last_connected, os, os_version, device_type, ip, installer_version, chrome_extension_version, firefox_extension_version, edge_extension_version, brave_extension_version, mcp_version, proxy_version.\n\nOperators: equals, in, contains (text fields), gte, lte, between (date fields).\n\n**Sorting:** Use sort_field and sort_order as comma-separated lists.\n\n**Search:** Free text search across device name and user name.\n\nExamples:\n- Filter by OS: filter_field=os&filter_operator=equals&filter_value=windows\n- Multiple filters: filter_field=os,device_name&filter_operator=equals,contains&filter_value=windows,laptop\n- Sort by name: sort_field=device_name&sort_order=asc\n- Text search: search=john","x-access-mode":"read"}},"/app/genai-protect-assets/mcp/v1/assets/count":{"get":{"tags":["MCP Assets"],"summary":"Count deployed assets with optional filters","operationId":"count_assets_mcp_v1_assets_count_get","security":[{"HTTPBearer":[]}],"parameters":[{"name":"search","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Free text search across device name and user name","title":"Search"},"description":"Free text search across device name and user name"},{"name":"filter_field","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Comma-separated field names to filter on","title":"Filter Field"},"description":"Comma-separated field names to filter on"},{"name":"filter_operator","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Comma-separated operators, one per filter_field","title":"Filter Operator"},"description":"Comma-separated operators, one per filter_field"},{"name":"filter_value","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Comma-separated single values, one per filter_field","title":"Filter Value"},"description":"Comma-separated single values, one per filter_field"},{"name":"filter_values","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Multi-value filters (semicolon-separated per filter, comma-separated per value)","title":"Filter Values"},"description":"Multi-value filters (semicolon-separated per filter, comma-separated per value)"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AssetsCountResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"x-tool-name":"count_assets","x-tool-description":"Get the total count of deployed assets, optionally filtered. Supports the same filter_field, filter_operator, filter_value, filter_values and search params as search_assets. Useful for dashboards and summaries.","x-access-mode":"read"}},"/app/genai-protect-assets/mcp/v1/users":{"get":{"tags":["MCP Users"],"summary":"Search users","operationId":"search_users_mcp_v1_users_get","security":[{"HTTPBearer":[]}],"parameters":[{"name":"search","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"description":"Case-insensitive search on user name and display name","title":"Search"},"description":"Case-insensitive search on user name and display name"},{"name":"limit","in":"query","required":false,"schema":{"type":"integer","maximum":100,"minimum":1,"description":"Number of results per page (max 100)","default":50,"title":"Limit"},"description":"Number of results per page (max 100)"},{"name":"offset","in":"query","required":false,"schema":{"type":"integer","minimum":0,"description":"Number of results to skip for pagination","default":0,"title":"Offset"},"description":"Number of results to skip for pagination"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UsersResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"x-tool-name":"search_users","x-tool-description":"Search users in the organization with optional text search and pagination. Returns user IDs, names, display names, and SAM account names. Use when you need to find user identifiers for policy rule assignments.","x-access-mode":"read"}},"/app/genai-protect-apps/mcp/v1/apps/search":{"get":{"tags":["MCP Apps Catalog"],"summary":"Search GenAI apps catalog","operationId":"search_apps_mcp_v1_apps_search_get","security":[{"HTTPBearer":[]}],"parameters":[{"name":"search","in":"query","required":true,"schema":{"type":"string","minLength":1,"maxLength":200,"description":"Search term (app name, description, or URL)","title":"Search"},"description":"Search term (app name, description, or URL)"},{"name":"search_by","in":"query","required":false,"schema":{"$ref":"#/components/schemas/SearchBy","description":"Search mode: 'name' matches app name only, 'name_and_description' matches both, 'url' matches app URL","default":"name"},"description":"Search mode: 'name' matches app name only, 'name_and_description' matches both, 'url' matches app URL"}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AppSearchResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"x-tool-name":"search_apps","x-tool-description":"Search the GenAI apps catalog by name, description, or URL. Returns up to 10 matching apps with their ID, name, description, and page URL. Use this to find app IDs needed for AI Access policy rules.","x-access-mode":"read"}},"/app/genai-protect-apps/mcp/v1/apps/by-ids":{"get":{"tags":["MCP Apps Catalog"],"summary":"Get GenAI apps by IDs","operationId":"get_apps_by_ids_mcp_v1_apps_by_ids_get","security":[{"HTTPBearer":[]}],"parameters":[{"name":"ids","in":"query","required":true,"schema":{"type":"string","description":"Comma-separated list of app IDs (e.g. '123,456,789'). Max 100 IDs.","title":"Ids"},"description":"Comma-separated list of app IDs (e.g. '123,456,789'). Max 100 IDs."}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AppsByIdsResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}},"x-tool-name":"get_apps_by_ids","x-tool-description":"Get specific GenAI apps from the catalog by their numeric IDs. Pass a comma-separated list of app IDs. Returns app details including name, description, and page URL.","x-access-mode":"read"}}},"components":{"schemas":{"AccessPolicy":{"properties":{"services_and_application":{"anyOf":[{"$ref":"#/components/schemas/ServicesAndApplication"},{"type":"null"}],"description":"Services and application configuration"},"action":{"anyOf":[{"type":"string","enum":["block","allow","ask"]},{"type":"null"}],"title":"Action","description":"Action to take for access control"},"logging":{"anyOf":[{"$ref":"#/components/schemas/LoggingStatus"},{"type":"null"}],"description":"Whether logging is enabled"},"download_file_protection":{"anyOf":[{"$ref":"#/components/schemas/FileDownloadActionSupported"},{"type":"null"}],"description":"File download protection action. Must be 'na' for GenAI rules; must not be 'na' for Browse rules."},"upload_file_protection":{"anyOf":[{"$ref":"#/components/schemas/FileUploadActionSupported"},{"type":"null"}],"description":"File upload protection action. Must be 'na' for GenAI rules; must not be 'na' for Browse rules."}},"type":"object","title":"AccessPolicy"},"AccessTarget":{"properties":{"domain":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Domain","description":"Domain name or IPv4 address"},"url":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Url","description":"Full URL"},"genai_app":{"anyOf":[{"$ref":"#/components/schemas/SimulationGenAIApp"},{"type":"null"}],"description":"GenAI application target"},"category_id":{"anyOf":[{"$ref":"#/components/schemas/URLFCategory"},{"type":"null"}],"description":"URLF category ID"}},"type":"object","title":"AccessTarget","description":"Target for ACCESS rules. Exactly ONE target field must be set."},"Account":{"properties":{"account_id":{"type":"string","title":"Account Id","description":"Account identifier"}},"type":"object","required":["account_id"],"title":"Account","description":"External-safe twin of Account."},"AccountSelectionMode":{"type":"string","enum":["all","selected_account"],"title":"AccountSelectionMode","description":"Account selection mode enumeration.\n\nDetermines which accounts/organizations the policy applies to:\n\n- ALL: Policy applies to all tool instances (e.g., cloud desktop, ChatGPT desktop, etc.),\n regardless of whether they are connected to an account/organization or not.\n\n- SELECTED_ACCOUNT: Policy applies only to tool instances (e.g., cloud desktop, ChatGPT\n desktop, etc.) that are connected to one of the specified account IDs (organization IDs\n in some tools' terminology). Tool instances not connected to any account or connected\n to accounts not in the list will not be affected by this policy."},"AddAccessRuleRequest":{"properties":{"name":{"type":"string","title":"Name","description":"Human-readable rule name"},"description":{"type":"string","title":"Description","description":"Explanation of the rule's purpose","default":""},"order":{"type":"integer","title":"Order","description":"Position in the rulebase; lower values are evaluated first and take precedence"},"policy":{"$ref":"#/components/schemas/AccessPolicy","description":"Access control policy configuration"},"source":{"items":{"$ref":"#/components/schemas/Assignment"},"type":"array","title":"Source","description":"Users or groups this rule applies to; empty means all users"}},"type":"object","required":["name","order","policy"],"title":"AddAccessRuleRequest","description":"Create a new Access rule.\n\nAccess rules control which AI services and applications users are allowed\nto interact with, including allow/block decisions per service."},"AddChatsRuleRequest":{"properties":{"name":{"type":"string","title":"Name","description":"Human-readable rule name"},"description":{"type":"string","title":"Description","description":"Explanation of the rule's purpose","default":""},"order":{"type":"integer","title":"Order","description":"Position in the rulebase; lower values are evaluated first and take precedence"},"policy":{"$ref":"#/components/schemas/ChatsPolicy","description":"Chats policy configuration for chat interactions"},"source":{"items":{"$ref":"#/components/schemas/Assignment"},"type":"array","title":"Source","description":"Users or groups this rule applies to; empty means all users"}},"type":"object","required":["name","order","policy"],"title":"AddChatsRuleRequest","description":"Create a new Chats rule.\n\nChats rules control data-loss-prevention for AI chat interactions:\nprompt/response inspection, sensitive-data detection, and file transfer policies."},"AddMCPServerRuleRequest":{"properties":{"name":{"type":"string","title":"Name","description":"Human-readable rule name"},"description":{"type":"string","title":"Description","description":"Explanation of the rule's purpose","default":""},"order":{"type":"integer","title":"Order","description":"Position in the rulebase; lower values are evaluated first and take precedence"},"policy":{"$ref":"#/components/schemas/AgentsPolicy","description":"Agents policy configuration"},"source":{"items":{"$ref":"#/components/schemas/Assignment"},"type":"array","title":"Source","description":"Users or groups this rule applies to; empty means all users"}},"type":"object","required":["name","order","policy"],"title":"AddMCPServerRuleRequest","description":"Create a new Agents rule.\n\nAgents rules govern agent interactions, including which tools\nagents can invoke and what access controls apply to agent operations."},"AddRuleResponse":{"properties":{"rule_id":{"type":"string","title":"Rule Id","description":"The UUID of the newly created rule"}},"type":"object","required":["rule_id"],"title":"AddRuleResponse","description":"Response returned after creating a rule."},"AddSecureBrowsingRuleRequest":{"properties":{"name":{"type":"string","title":"Name","description":"Human-readable rule name"},"description":{"type":"string","title":"Description","description":"Explanation of the rule's purpose","default":""},"order":{"type":"integer","title":"Order","description":"Position in the rulebase; lower values are evaluated first and take precedence"},"policy":{"$ref":"#/components/schemas/SecureBrowsingPolicy","description":"Secure Browsing policy configuration"},"source":{"items":{"$ref":"#/components/schemas/Assignment"},"type":"array","title":"Source","description":"Users or groups this rule applies to; empty means all users"}},"type":"object","required":["name","order","policy"],"title":"AddSecureBrowsingRuleRequest","description":"Create a new Secure Browsing rule.\n\nSecure Browsing rules define threat-prevention policies for web browsing:\nphishing protection, password-reuse detection, and domain-based filtering."},"AgentsPolicy":{"properties":{"action":{"anyOf":[{"type":"string","enum":["block","allow","ask"]},{"type":"null"}],"title":"Action","description":"Action to take for MCP server"},"logging":{"anyOf":[{"$ref":"#/components/schemas/LoggingStatus"},{"type":"null"}],"description":"Whether logging is enabled"},"clients":{"anyOf":[{"$ref":"#/components/schemas/MCPClients"},{"type":"null"}],"description":"Desktop clients selection"},"servers":{"anyOf":[{"$ref":"#/components/schemas/MCPServers"},{"type":"null"}],"description":"MCP servers configuration"},"tooling":{"anyOf":[{"$ref":"#/components/schemas/Tooling"},{"type":"null"}],"description":"Tooling configuration for MCP"}},"type":"object","title":"AgentsPolicy"},"Assignment":{"properties":{"assignment_id":{"type":"string","format":"uuid","title":"Assignment Id","description":"ID of the user or group"},"display_name":{"type":"string","title":"Display Name","description":"Human-readable name of the user or group"},"assignment_type":{"$ref":"#/components/schemas/AssignmentType","description":"Whether this is a user, group, or entire-org assignment"}},"type":"object","required":["assignment_id","display_name","assignment_type"],"title":"Assignment","description":"External-safe twin of Assignment."},"AssignmentType":{"type":"string","enum":["ASSIGNMENT_TYPE_USER","ASSIGNMENT_TYPE_GROUP","ASSIGNMENT_TYPE_ENTIRE_ORG"],"title":"AssignmentType"},"CategoryItem":{"properties":{"category_id":{"$ref":"#/components/schemas/URLFCategory","description":"Category ID from the supported URLF categories. The following categories are available:\n\n| Category | ID |\n|---|---|\n| Uncategorized | 0 |\n| Computers & Internet | 1 |\n| Education | 3 |\n| Entertainment | 5 |\n| Financial Services | 7 |\n| Gambling | 9 |\n| Government / Military | 11 |\n| Greeting Cards | 12 |\n| Hacking | 13 |\n| Hate / Racism | 14 |\n| Health | 15 |\n| Illegal / Questionable | 17 |\n| Illegal Drugs | 18 |\n| Job Search / Careers | 21 |\n| Media Streams | 23 |\n| News / Media | 24 |\n| Newsgroups / Forums | 25 |\n| Nudity | 26 |\n| Personals / Dating | 30 |\n| Phishing | 31 |\n| Political / Legal | 32 |\n| Pornography | 33 |\n| Real Estate | 34 |\n| Recreation | 35 |\n| Religion | 37 |\n| Restaurants / Dining / Food | 39 |\n| Sex Education | 41 |\n| Shopping | 42 |\n| Alcohol / Tobacco | 45 |\n| Art / Culture | 47 |\n| Blogs / Personal Pages | 49 |\n| Business / Economy | 51 |\n| Software Downloads | 53 |\n| Sports | 54 |\n| Spyware / Malicious Sites | 55 |\n| Tasteless | 56 |\n| Translation | 58 |\n| Travel | 59 |\n| Vehicles | 60 |\n| Violence | 61 |\n| Weapons | 62 |\n| Botnets | 65 |\n| Spam | 66 |\n| Inactive Sites | 67 |\n| Fashion | 68 |\n| Non-Profits / NGOs | 69 |\n| Sex | 70 |\n| General | 71 |\n| Nature / Conservation | 72 |\n| Child Abuse | 73 |\n| URL Filtering | 74 |\n| Lifestyle | 75 |\n| Lingerie / Swimsuit / Suggestive | 76 |\n| Suspicious Content | 77 |\n| Marijuana | 78 |\n| Web Advertisements | 50000032 |\n| Instant Chat | 50000086 |\n| Very Low Risk | 51000001 |\n| Low Risk | 51000002 |\n| Medium Risk | 51000003 |\n| High Risk | 51000004 |\n| Critical Risk | 51000005 |\n| Anonymizer | 52000038 |\n| P2P File Sharing | 52000046 |\n| Instant Messaging | 52000047 |\n| Media Sharing | 52000051 |\n| Games | 52000058 |\n| Social Networking | 52000069 |\n| Email | 52000130 |\n| Search Engines / Portals | 52000132 |\n| File Storage / Sharing | 52000136 |\n| Keyloggers | 60530540 |\n| Occult | 60530541 |\n| Hosting Sites | 60530542 |\n| DDNS / Dynamic DNS | 60530648 |\n| Artificial Intelligence (AI) | 60517663 |\n| Generative AI Tools | 60531762 |\n\n**Note:** GenAI rules only allow category 60531762 (Generative AI Tools), used as \"Any AI tool\". Browse rules can use any *other* category."}},"type":"object","required":["category_id"],"title":"CategoryItem"},"ChatsPolicy":{"properties":{"event_type":{"anyOf":[{"$ref":"#/components/schemas/DLPEventType"},{"type":"null"}],"description":"Type of event to apply DLP policy on"},"services_and_application":{"anyOf":[{"$ref":"#/components/schemas/ServicesAndApplication"},{"type":"null"}],"description":"Services and application configuration"},"data_types":{"anyOf":[{"items":{"$ref":"#/components/schemas/DataType"},"type":"array"},{"type":"null"}],"title":"Data Types","description":"DLP Data types"},"action":{"anyOf":[{"type":"string","enum":["prevent","ask","redact","detect","allow","block"]},{"type":"null"}],"title":"Action","description":"Action to take when DLP rule is triggered"},"logging":{"anyOf":[{"$ref":"#/components/schemas/LoggingStatus"},{"type":"null"}],"description":"Whether logging is enabled"}},"type":"object","title":"ChatsPolicy"},"ClaudeExtensionsConfig":{"properties":{"extension_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Extension Name","description":"Extension name from manifest.json","default":"","examples":["chrome-control"]},"match_mode":{"anyOf":[{"$ref":"#/components/schemas/MatchMode"},{"type":"null"}],"description":"Match mode for extension_name matching","default":"exact"}},"type":"object","title":"ClaudeExtensionsConfig"},"CommonDeleteRuleResponse":{"properties":{"message":{"type":"string","title":"Message"},"rule_id":{"type":"string","title":"Rule Id"}},"type":"object","required":["message","rule_id"],"title":"CommonDeleteRuleResponse","description":"Confirmation of rule deletion."},"DLPEventType":{"type":"string","enum":["file_upload","file_download","paste","prompt","copy"],"title":"DLPEventType"},"DLPTarget":{"properties":{"event_type":{"$ref":"#/components/schemas/DLPEventType","description":"DLP event type to simulate"},"data_type_ids":{"items":{"type":"string"},"type":"array","title":"Data Type Ids","description":"Data type UUIDs the text violates. Empty list = 'any text' (no DLP violations)."},"domain":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Domain","description":"Domain name or IPv4 address"},"url":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Url","description":"Full URL"},"genai_app":{"anyOf":[{"$ref":"#/components/schemas/SimulationGenAIApp"},{"type":"null"}],"description":"GenAI application target"},"category_id":{"anyOf":[{"$ref":"#/components/schemas/URLFCategory"},{"type":"null"}],"description":"URLF category ID"}},"type":"object","required":["event_type","data_type_ids"],"title":"DLPTarget","description":"Target for DLP rules. ``event_type`` is always required and exactly\nONE of the other target fields must be set."},"DLPType":{"type":"string","enum":["PRE_DEFINED","CUSTOM"],"title":"DLPType"},"DataType":{"properties":{"id":{"type":"string","format":"uuid","title":"Id","description":"UUID of the data type","default":"","examples":["cf0523c1-537e-4a4b-8bb8-084b7b9e0b45"]},"name":{"type":"string","title":"Name","description":"Display name of the data type","default":"","examples":["American Express Travelers Cheques Number"]},"type":{"$ref":"#/components/schemas/DLPType","description":"Type of the data type","default":"PRE_DEFINED"},"matchingLevel":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Matchinglevel","description":"Matching level for the data type"}},"type":"object","title":"DataType"},"DlpCreateType":{"type":"string","enum":["PRE_DEFINED","CUSTOM"],"title":"DlpCreateType"},"DlpDataType":{"properties":{"id":{"type":"string","title":"Id"},"assetId":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Assetid"},"objectStatus":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Objectstatus"},"name":{"type":"string","title":"Name"},"type":{"type":"string","title":"Type"},"createType":{"$ref":"#/components/schemas/DlpCreateType"},"description":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Description"},"creationTime":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Creationtime"},"lastUpdateTime":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Lastupdatetime"},"dataTypeTags":{"anyOf":[{"items":{"$ref":"#/components/schemas/DlpDataTypeTag"},"type":"array"},{"type":"null"}],"title":"Datatypetags"},"redactSupported":{"anyOf":[{"type":"boolean"},{"type":"null"}],"title":"Redactsupported"},"matchingLevel":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Matchinglevel"},"content":{"anyOf":[{"additionalProperties":true,"type":"object"},{"type":"null"}],"title":"Content"},"comment":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Comment"}},"additionalProperties":true,"type":"object","required":["id","name","type","createType"],"title":"DlpDataType","example":{"assetId":"3e2ed446-5d2e-4091-b561-2db1458f9791","createType":"PRE_DEFINED","creationTime":"2023-02-22T15:23:55.446Z","dataTypeTags":[{"isCategory":false,"name":"Financial & Business"}],"description":"Matches American Bankers Association (ABA) Routing Transit Numbers","id":"3e2ed446-5d2e-4091-b561-2db1458f9791","lastUpdateTime":"2023-02-22T15:23:56.317Z","matchingLevel":1,"name":"ABA Transit Numbers","objectStatus":"Normal","redactSupported":false,"type":"PATTERN"}},"DlpDataTypeTag":{"properties":{"name":{"type":"string","title":"Name"},"data":{"anyOf":[{"items":{"type":"string"},"type":"array"},{"type":"null"}],"title":"Data"},"isCategory":{"type":"boolean","title":"Iscategory"}},"type":"object","required":["name","isCategory"],"title":"DlpDataTypeTag","example":{"data":["Other"],"isCategory":true,"name":"Regulation"}},"DlpTenantDataType":{"properties":{"id":{"type":"string","title":"Id"},"name":{"type":"string","title":"Name"},"type":{"type":"string","title":"Type"},"createType":{"$ref":"#/components/schemas/DlpCreateType"},"internal":{"type":"boolean","title":"Internal"},"matchingLevel":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Matchinglevel"}},"type":"object","required":["id","name","type","createType","internal"],"title":"DlpTenantDataType","example":{"createType":"PRE_DEFINED","id":"73e1e0b1-1d23-4281-9ca7-8e64aa2b9e90","internal":false,"matchingLevel":1,"name":"IP Address","type":"GROUP"}},"DockerGatewayConfig":{"properties":{},"type":"object","title":"DockerGatewayConfig"},"DockerRunnerConfig":{"properties":{"image_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Image Name","description":"Docker image name","default":"","examples":["modelcontextprotocol/server-github"]},"match_mode":{"anyOf":[{"$ref":"#/components/schemas/MatchMode"},{"type":"null"}],"description":"Match mode for image_name matching","default":"exact"}},"type":"object","title":"DockerRunnerConfig"},"DomainConfig":{"properties":{"domain_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Domain Name","description":"Domain name of the remote server","default":"","examples":["mcp-server.example.com","example.com"]},"match_mode":{"anyOf":[{"$ref":"#/components/schemas/DomainMatchMode"},{"type":"null"}],"description":"Match mode for domain matching (exact_host or any_subdomain)","default":"exact_host"}},"type":"object","title":"DomainConfig"},"DomainItem":{"properties":{"domain":{"type":"string","format":"hostname","title":"Domain","description":"Valid domain name or IPv4 address"},"match_mode":{"anyOf":[{"$ref":"#/components/schemas/DomainMatchMode"},{"type":"null"}],"description":"Match mode for domain matching (exact_host or any_subdomain)","default":"exact_host"}},"type":"object","required":["domain"],"title":"DomainItem"},"DomainMatchMode":{"type":"string","enum":["exact_host","any_subdomain"],"title":"DomainMatchMode","description":"Domain matching mode enumeration for remote server domain matching.\n\nMatching modes:\n- EXACT_HOST: Matches the exact host/domain\n e.g., \"sub1.sub2.something.com\"\n- ANY_SUBDOMAIN: Matches any subdomain of the specified domain\n e.g., \"something.com\" matches \"sub1.something.com\", \"sub2.something.com\", etc."},"DomainsObject":{"properties":{"domains":{"items":{"$ref":"#/components/schemas/DomainItem"},"type":"array","maxItems":200,"title":"Domains","description":"List of domains"}},"type":"object","title":"DomainsObject","description":"External-safe twin of DomainsObject."},"DomainsObjectResponse":{"properties":{"object_id":{"type":"string","title":"Object Id","description":"Unique identifier of the object"},"name":{"type":"string","title":"Name","description":"Display name of the object"},"description":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Description"},"version":{"type":"integer","title":"Version","description":"Incremented on every update"},"created_at":{"anyOf":[{"type":"string","format":"date-time"},{"type":"null"}],"title":"Created At"},"updated_at":{"anyOf":[{"type":"string","format":"date-time"},{"type":"null"}],"title":"Updated At"},"object_data":{"anyOf":[{"$ref":"#/components/schemas/DomainsObject"},{"type":"null"}],"description":"The domain list entries"}},"type":"object","required":["object_id","name","version"],"title":"DomainsObjectResponse","description":"A domains object with its full configuration."},"ExecutableServerConfig":{"properties":{"executable_path":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Executable Path","description":"Path to the executable","default":"","examples":["/path/to/executable"]},"match_mode":{"anyOf":[{"$ref":"#/components/schemas/MatchMode"},{"type":"null"}],"description":"Match mode for executable_path matching","default":"exact"}},"type":"object","title":"ExecutableServerConfig"},"FileActionUnsupported":{"type":"string","enum":["Block","Allow"],"title":"FileActionUnsupported"},"FileDownloadActionSupported":{"type":"string","enum":["na","Block","Allow","EmulateInBackground","WaitForEmulation","Detect","Extract"],"title":"FileDownloadActionSupported"},"FileFailClose":{"type":"string","enum":["FailClose","FailOpen"],"title":"FileFailClose"},"FileProtectionObject":{"properties":{"file_download_action_unsupported":{"anyOf":[{"$ref":"#/components/schemas/FileActionUnsupported"},{"type":"null"}]},"file_upload_action_unsupported":{"anyOf":[{"$ref":"#/components/schemas/FileActionUnsupported"},{"type":"null"}]},"file_download_size_limit_mb":{"anyOf":[{"type":"integer","maximum":100.0,"minimum":1.0},{"type":"null"}],"title":"File Download Size Limit Mb"},"file_upload_size_limit_mb":{"anyOf":[{"type":"integer","maximum":100.0,"minimum":1.0},{"type":"null"}],"title":"File Upload Size Limit Mb"},"file_download_error_fail_close":{"anyOf":[{"$ref":"#/components/schemas/FileFailClose"},{"type":"null"}]},"file_download_size_limit_fail_close":{"anyOf":[{"$ref":"#/components/schemas/FileFailClose"},{"type":"null"}]},"file_upload_error_fail_close":{"anyOf":[{"$ref":"#/components/schemas/FileFailClose"},{"type":"null"}]},"file_upload_size_limit_fail_close":{"anyOf":[{"$ref":"#/components/schemas/FileFailClose"},{"type":"null"}]},"file_download_action_per_supported_file":{"anyOf":[{"additionalProperties":{"$ref":"#/components/schemas/FileDownloadActionSupported"},"propertyNames":{"$ref":"#/components/schemas/SupportedFileType"},"type":"object"},{"type":"null"}],"title":"File Download Action Per Supported File"},"file_download_action_per_unsupported_file":{"anyOf":[{"additionalProperties":{"$ref":"#/components/schemas/FileActionUnsupported"},"type":"object","maxProperties":1000},{"type":"null"}],"title":"File Download Action Per Unsupported File"},"file_upload_action_per_supported_file":{"anyOf":[{"additionalProperties":{"$ref":"#/components/schemas/FileUploadActionSupported"},"propertyNames":{"$ref":"#/components/schemas/SupportedFileType"},"type":"object"},{"type":"null"}],"title":"File Upload Action Per Supported File"},"file_upload_action_per_unsupported_file":{"anyOf":[{"additionalProperties":{"$ref":"#/components/schemas/FileActionUnsupported"},"type":"object","maxProperties":1000},{"type":"null"}],"title":"File Upload Action Per Unsupported File"}},"type":"object","title":"FileProtectionObject","description":"External-safe twin of FileProtectionObject."},"FileProtectionObjectResponse":{"properties":{"object_id":{"type":"string","title":"Object Id","description":"Unique identifier of the object"},"name":{"type":"string","title":"Name","description":"Display name of the object"},"description":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Description"},"version":{"type":"integer","title":"Version","description":"Incremented on every update"},"created_at":{"anyOf":[{"type":"string","format":"date-time"},{"type":"null"}],"title":"Created At"},"updated_at":{"anyOf":[{"type":"string","format":"date-time"},{"type":"null"}],"title":"Updated At"},"object_data":{"anyOf":[{"$ref":"#/components/schemas/FileProtectionObject"},{"type":"null"}],"description":"File protection settings: upload/download actions, size limits, fail-close behavior, and per-file-type overrides"}},"type":"object","required":["object_id","name","version"],"title":"FileProtectionObjectResponse","description":"A file-protection object with its full configuration."},"FileUploadActionSupported":{"type":"string","enum":["na","Block","Allow","EmulateInBackground","WaitForEmulation","Detect"],"title":"FileUploadActionSupported"},"GenAIApp":{"properties":{"id":{"type":"integer","exclusiveMinimum":0.0,"title":"Id","description":"GenAI application ID"},"mode":{"anyOf":[{"$ref":"#/components/schemas/AccountSelectionMode"},{"type":"null"}],"description":"Account selection mode: 'all' or 'selected_account'","default":"all"},"accounts":{"items":{"$ref":"#/components/schemas/Account"},"type":"array","title":"Accounts","description":"List of selected accounts (used when mode='selected_account')"}},"type":"object","required":["id"],"title":"GenAIApp"},"GetDlpDataTypesResponse":{"properties":{"status":{"type":"string","title":"Status"},"dataTypes":{"items":{"$ref":"#/components/schemas/DlpDataType"},"type":"array","title":"Datatypes"}},"type":"object","required":["status","dataTypes"],"title":"GetDlpDataTypesResponse","example":{"dataTypes":[{"assetId":"3e2ed446-5d2e-4091-b561-2db1458f9791","createType":"PRE_DEFINED","creationTime":"2023-02-22T15:23:55.446Z","description":"Matches ABA Routing Transit Numbers","id":"3e2ed446-5d2e-4091-b561-2db1458f9791","lastUpdateTime":"2023-02-22T15:23:56.317Z","name":"ABA Transit Numbers","objectStatus":"Normal","redactSupported":false,"type":"PATTERN"}],"status":"SUCCESS"}},"GetDlpTenantDataTypesResponse":{"properties":{"status":{"type":"string","title":"Status"},"id":{"type":"string","title":"Id"},"dataTypes":{"items":{"$ref":"#/components/schemas/DlpTenantDataType"},"type":"array","title":"Datatypes"}},"type":"object","required":["status","id","dataTypes"],"title":"GetDlpTenantDataTypesResponse","example":{"dataTypes":[{"createType":"PRE_DEFINED","id":"73e1e0b1-1d23-4281-9ca7-8e64aa2b9e90","internal":false,"name":"IP Address","type":"GROUP"},{"createType":"PRE_DEFINED","id":"d2c4411f-dd0e-495b-b856-5686e68892b4","internal":false,"name":"PCI - Credit Card Numbers","type":"PATTERN"}],"id":"bb47587c-fda0-4cb3-896e-1d359d0e3f9d","status":"SUCCESS"}},"GetDomainsObjectsResponse":{"properties":{"objects":{"items":{"$ref":"#/components/schemas/DomainsObjectResponse"},"type":"array","title":"Objects"}},"type":"object","required":["objects"],"title":"GetDomainsObjectsResponse","description":"All domains objects for the tenant, including their full configuration."},"GetFileProtectionObjectsResponse":{"properties":{"objects":{"items":{"$ref":"#/components/schemas/FileProtectionObjectResponse"},"type":"array","title":"Objects"}},"type":"object","required":["objects"],"title":"GetFileProtectionObjectsResponse","description":"All file-protection objects for the tenant, including their full configuration."},"GetRulebaseResponse":{"properties":{"rulebase_version":{"type":"integer","title":"Rulebase Version","description":"Monotonically increasing version of this rulebase. Incremented whenever any rule in the rulebase is created, modified, or deleted. Compare with a previously stored value to detect whether the rulebase has changed (useful for caching or polling)"},"rules":{"items":{"$ref":"#/components/schemas/RuleResponse"},"type":"array","title":"Rules","description":"All rules in the rulebase, ordered by priority (ascending)"}},"type":"object","required":["rulebase_version","rules"],"title":"GetRulebaseResponse","description":"Full rulebase for a given policy type, including its version for change detection."},"HTTPValidationError":{"properties":{"detail":{"items":{"$ref":"#/components/schemas/ValidationError"},"type":"array","title":"Detail"}},"type":"object","title":"HTTPValidationError"},"LoggingStatus":{"type":"string","enum":["enabled","disabled"],"title":"LoggingStatus","description":"Logging status enumeration."},"MCPClient":{"properties":{"os":{"anyOf":[{"$ref":"#/components/schemas/OSType"},{"type":"null"}],"description":"Operating system for the client"},"name_id":{"anyOf":[{"$ref":"#/components/schemas/MCPClientNameId"},{"type":"null"}],"description":"Client name identifier e.g. 'claude_desktop', 'docker_desktop'","examples":["claude_desktop","docker_desktop"]}},"type":"object","title":"MCPClient"},"MCPClientNameId":{"type":"string","enum":["claude_desktop","vscode","cursor","windsurf","zed","perplexity","antigravity","jetbrains","roo","cline","docker_desktop"],"title":"MCPClientNameId","description":"MCP Client name identifier enumeration."},"MCPClients":{"properties":{"mode":{"anyOf":[{"$ref":"#/components/schemas/SelectionMode"},{"type":"null"}],"description":"Mode for client selection"},"selected":{"anyOf":[{"items":{"$ref":"#/components/schemas/MCPClient"},"type":"array"},{"type":"null"}],"title":"Selected","description":"List of selected clients"}},"type":"object","title":"MCPClients"},"MCPIds":{"properties":{"name_id":{"anyOf":[{"type":"string","minLength":1},{"type":"null"}],"title":"Name Id","description":"Name of the managed MCP","default":"","examples":["jira","github"]}},"type":"object","title":"MCPIds"},"MCPRiskLevel":{"properties":{"use_min":{"anyOf":[{"type":"boolean"},{"type":"null"}],"title":"Use Min","description":"Whether to use minimum risk level limit","default":false},"use_max":{"anyOf":[{"type":"boolean"},{"type":"null"}],"title":"Use Max","description":"Whether to use maximum risk level limit","default":false},"min":{"anyOf":[{"type":"integer","minimum":0.0},{"type":"null"}],"title":"Min","description":"Minimum risk level"},"max":{"anyOf":[{"type":"integer","minimum":0.0},{"type":"null"}],"title":"Max","description":"Maximum risk level"}},"type":"object","title":"MCPRiskLevel"},"MCPServer":{"properties":{"server_type":{"anyOf":[{"type":"string","enum":["all","node_server","python_server","claude_extensions","executable_server","unknown_server","docker_gateway","docker_runner","remote_server"]},{"type":"null"}],"title":"Server Type","description":"Type of the MCP server"},"node_server":{"anyOf":[{"$ref":"#/components/schemas/NodeServerConfig"},{"type":"null"}],"description":"Node server configuration"},"python_server":{"anyOf":[{"$ref":"#/components/schemas/PythonServerConfig"},{"type":"null"}],"description":"Python server configuration"},"claude_extensions":{"anyOf":[{"$ref":"#/components/schemas/ClaudeExtensionsConfig"},{"type":"null"}],"description":"Claude extensions configuration"},"executable_server":{"anyOf":[{"$ref":"#/components/schemas/ExecutableServerConfig"},{"type":"null"}],"description":"Executable server configuration"},"unknown_server":{"anyOf":[{"$ref":"#/components/schemas/UnknownServerConfig"},{"type":"null"}],"description":"Unknown server configuration"},"docker_gateway":{"anyOf":[{"$ref":"#/components/schemas/DockerGatewayConfig"},{"type":"null"}],"description":"Docker gateway configuration"},"docker_runner":{"anyOf":[{"$ref":"#/components/schemas/DockerRunnerConfig"},{"type":"null"}],"description":"Docker runner configuration"},"remote_server":{"anyOf":[{"$ref":"#/components/schemas/RemoteServerConfig"},{"type":"null"}],"description":"Remote server configuration"}},"type":"object","title":"MCPServer"},"MCPServers":{"properties":{"mcp_servers_mode":{"anyOf":[{"$ref":"#/components/schemas/MCPServersMode"},{"type":"null"}],"description":"Mode for MCP servers selection: all, risk_level, managed, manual"},"risk_level":{"anyOf":[{"$ref":"#/components/schemas/MCPRiskLevel"},{"type":"null"}],"description":"Risk level configuration for MCP servers"},"managed":{"anyOf":[{"$ref":"#/components/schemas/ManagedMCP"},{"type":"null"}],"description":"Managed MCP configuration"},"manual":{"anyOf":[{"items":{"$ref":"#/components/schemas/MCPServer"},"type":"array"},{"type":"null"}],"title":"Manual","description":"List of manual MCP servers"}},"type":"object","title":"MCPServers"},"MCPServersMode":{"type":"string","enum":["all","risk_level","manual","managed"],"title":"MCPServersMode","description":"MCP Servers mode enumeration."},"MCPTarget":{"properties":{"client":{"anyOf":[{"$ref":"#/components/schemas/SimulationMCPClient"},{"type":"null"}],"description":"MCP client to simulate"},"server_type":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Server Type","description":"MCP server type (e.g. node_server, remote_server)"},"server_identifier":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Server Identifier","description":"Server identifier (package name / module / URL / domain / image name)"},"tool_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Tool Name","description":"Tool name to simulate"},"operation":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Operation","description":"CRUD operation (CREATE/READ/UPDATE/DELETE/OTHER)"}},"type":"object","title":"MCPTarget","description":"Target for MCP_SERVER rules — all applicable dimensions."},"MCPToolItem":{"properties":{"tool_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Tool Name","description":"Name of a tool e.g. 'create_issue', 'update_issue'","default":"","examples":["create_issue","update_issue"]},"match_mode":{"anyOf":[{"$ref":"#/components/schemas/MatchMode"},{"type":"null"}],"description":"Match mode for tool name matching","default":"exact"}},"type":"object","title":"MCPToolItem"},"ManagedMCP":{"properties":{"name_ids":{"anyOf":[{"items":{"$ref":"#/components/schemas/MCPIds"},"type":"array"},{"type":"null"}],"title":"Name Ids","description":"List of managed MCP identifiers"}},"type":"object","title":"ManagedMCP"},"MatchMode":{"type":"string","enum":["exact","contains"],"title":"MatchMode","description":"Matching mode enumeration."},"MatchToolsMode":{"type":"string","enum":["tools_include","tools_exclude","operations","all"],"title":"MatchToolsMode","description":"Match mode for tools enumeration."},"NodeServerConfig":{"properties":{"package_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Package Name","description":"NPM package name e.g. '@modelcontextprotocol/server-github'","default":"","examples":["@modelcontextprotocol/server-github"]},"match_mode":{"anyOf":[{"$ref":"#/components/schemas/MatchMode"},{"type":"null"}],"description":"Match mode for package_name matching","default":"exact"}},"type":"object","title":"NodeServerConfig"},"OSType":{"type":"string","enum":["windows","macos","all"],"title":"OSType","description":"Operating system enumeration."},"ObjectFeature":{"type":"string","enum":["FILE_EMULATION","PROTECTED_DOMAINS","DOMAIN_SERVICES","EXCLUDE_DOMAINS"],"title":"ObjectFeature"},"OnOff":{"type":"string","enum":["on","off"],"title":"OnOff","description":"Simple on/off toggle."},"OperationMatch":{"type":"string","enum":["match","unmatch"],"title":"OperationMatch","description":"Operation match enumeration."},"PaaSTarget":{"properties":{"environment_id":{"type":"string","minLength":1,"title":"Environment Id","description":"PaaS environment identifier"}},"type":"object","required":["environment_id"],"title":"PaaSTarget","description":"Target for PAAS rules — environment ID only."},"PolicyType":{"type":"string","enum":["POLICY_TYPE_DLP","POLICY_TYPE_ACCESS","POLICY_TYPE_USER_INTERACTION","POLICY_TYPE_MCP_SERVER","POLICY_TYPE_PAAS","POLICY_TYPE_DEPLOYMENT","POLICY_TYPE_THREAT_PREVENTION","POLICY_TYPE_STRONG_AUTH"],"title":"PolicyType"},"PythonServerConfig":{"properties":{"module_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Module Name","description":"Python module name e.g. 'modelcontextprotocol_server_github'","default":"","examples":["modelcontextprotocol_server_github"]},"match_mode":{"anyOf":[{"$ref":"#/components/schemas/MatchMode"},{"type":"null"}],"description":"Match mode for module_name matching","default":"exact"}},"type":"object","title":"PythonServerConfig"},"RemoteServerConfig":{"properties":{"match_mode":{"anyOf":[{"type":"string","enum":["url","domain"]},{"type":"null"}],"title":"Match Mode","description":"Match mode type: 'url' for URL-based matching or 'domain' for domain-based matching"},"url":{"anyOf":[{"$ref":"#/components/schemas/URLConfig"},{"type":"null"}],"description":"URL configuration for remote server (used when match_mode='url')"},"domain":{"anyOf":[{"$ref":"#/components/schemas/DomainConfig"},{"type":"null"}],"description":"Domain configuration for remote server (used when match_mode='domain')"}},"type":"object","title":"RemoteServerConfig"},"ResolveAccessRequest":{"properties":{"policy_type":{"type":"string","const":"POLICY_TYPE_ACCESS","title":"Policy Type","default":"POLICY_TYPE_ACCESS"},"user_id":{"type":"string","title":"User Id","description":"User ID to simulate"},"tag":{"type":"string","enum":["genai","browsing"],"title":"Tag","description":"Rule tag context: 'genai' evaluates only genai rules, 'browsing' evaluates both genai and browsing rules"},"target":{"$ref":"#/components/schemas/AccessTarget"}},"type":"object","required":["user_id","tag","target"],"title":"ResolveAccessRequest","description":"Resolve for ACCESS — user + access target."},"ResolveDLPRequest":{"properties":{"policy_type":{"type":"string","const":"POLICY_TYPE_DLP","title":"Policy Type","default":"POLICY_TYPE_DLP"},"user_id":{"type":"string","title":"User Id","description":"User ID to simulate"},"tag":{"type":"string","enum":["genai","browsing"],"title":"Tag","description":"Rule tag context: 'genai' evaluates only genai rules, 'browsing' evaluates both genai and browsing rules"},"target":{"$ref":"#/components/schemas/DLPTarget"}},"type":"object","required":["user_id","tag","target"],"title":"ResolveDLPRequest","description":"Resolve for DLP — user + DLP target."},"ResolveMCPRequest":{"properties":{"policy_type":{"type":"string","const":"POLICY_TYPE_MCP_SERVER","title":"Policy Type","default":"POLICY_TYPE_MCP_SERVER"},"user_id":{"type":"string","title":"User Id","description":"User ID to simulate"},"tag":{"type":"string","const":"genai","title":"Tag","default":"genai"},"target":{"$ref":"#/components/schemas/MCPTarget"}},"type":"object","required":["user_id","target"],"title":"ResolveMCPRequest","description":"Resolve for MCP_SERVER — user + MCP target."},"ResolvePaaSRequest":{"properties":{"policy_type":{"type":"string","const":"POLICY_TYPE_PAAS","title":"Policy Type","default":"POLICY_TYPE_PAAS"},"tag":{"type":"string","const":"genai","title":"Tag","default":"genai"},"target":{"$ref":"#/components/schemas/PaaSTarget"}},"type":"object","required":["target"],"title":"ResolvePaaSRequest","description":"Resolve for PAAS — no user, only environment target."},"ResolveResponse":{"properties":{"rule_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Rule Id","description":"Matched rule UUID (None if no rule matches)"},"rule_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Rule Name","description":"Matched rule name"},"order":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Order","description":"Matched rule order"},"policy_type":{"$ref":"#/components/schemas/PolicyType"}},"type":"object","required":["policy_type"],"title":"ResolveResponse","description":"Response for the resolve API — the single rule that would apply."},"ResolveTPRequest":{"properties":{"policy_type":{"type":"string","const":"POLICY_TYPE_THREAT_PREVENTION","title":"Policy Type","default":"POLICY_TYPE_THREAT_PREVENTION"},"user_id":{"type":"string","title":"User Id","description":"User ID to simulate"},"tag":{"type":"string","const":"browsing","title":"Tag","default":"browsing"}},"type":"object","required":["user_id"],"title":"ResolveTPRequest","description":"Resolve for THREAT_PREVENTION — user only, no target."},"RuleResponse":{"properties":{"rule_id":{"type":"string","title":"Rule Id","description":"Unique identifier of the rule"},"name":{"type":"string","title":"Name","description":"Human-readable rule name"},"description":{"type":"string","title":"Description","description":"Explanation of the rule's purpose","default":""},"version":{"type":"integer","title":"Version","description":"Incremented on every modification; can be used for optimistic concurrency checks"},"order":{"type":"integer","title":"Order","description":"Position in the rulebase that determines evaluation priority. Lower values are evaluated first; when two rules match the same request, the lower-order rule takes precedence"},"active":{"type":"boolean","title":"Active","description":"Whether the rule is currently enforced; inactive rules are skipped"},"created_at":{"type":"string","format":"date-time","title":"Created At"},"updated_at":{"type":"string","format":"date-time","title":"Updated At"},"policy":{"anyOf":[{"$ref":"#/components/schemas/ChatsPolicy"},{"$ref":"#/components/schemas/AccessPolicy"},{"$ref":"#/components/schemas/AgentsPolicy"},{"$ref":"#/components/schemas/SecureBrowsingPolicy"}],"title":"Policy","description":"The enforcement configuration for this rule. Structure varies by rulebase type (Chats, Access, Agents, Secure Browsing)"},"source":{"items":{"$ref":"#/components/schemas/Assignment"},"type":"array","title":"Source","description":"Users or groups this rule applies to (source entries). An empty list means the rule matches all users in the tenant"},"objects":{"anyOf":[{"additionalProperties":{"items":{"type":"string"},"type":"array"},"propertyNames":{"$ref":"#/components/schemas/ObjectFeature"},"type":"object"},{"type":"null"}],"title":"Objects","description":"Reusable policy objects attached to this rule, keyed by feature (e.g. FILE_EMULATION, DOMAIN_SERVICES). Values are lists of object IDs. Objects allow sharing configuration (domain lists, file-protection settings) across rules"}},"type":"object","required":["rule_id","name","version","order","active","created_at","updated_at","policy"],"title":"RuleResponse","description":"A single rule within a rulebase."},"RuleTag":{"type":"string","enum":["genai","browsing","general"],"title":"RuleTag"},"SecureBrowsingPolicy":{"properties":{"password_reuse":{"anyOf":[{"$ref":"#/components/schemas/ThreatPreventionAction"},{"type":"null"}]},"zero_phishing":{"anyOf":[{"$ref":"#/components/schemas/ThreatPreventionAction"},{"type":"null"}]},"safe_search":{"anyOf":[{"$ref":"#/components/schemas/OnOff"},{"type":"null"}]},"search_reputation":{"anyOf":[{"$ref":"#/components/schemas/OnOff"},{"type":"null"}]},"domain_exclusions":{"items":{"$ref":"#/components/schemas/DomainItem"},"type":"array","title":"Domain Exclusions","description":"List of excluded domains"},"protected_domains":{"items":{"$ref":"#/components/schemas/DomainItem"},"type":"array","title":"Protected Domains","description":"List of protected domains"}},"type":"object","title":"SecureBrowsingPolicy"},"SelectionMode":{"type":"string","enum":["selected","all"],"title":"SelectionMode","description":"Selection mode enumeration."},"ServerOperations":{"properties":{"CREATE":{"anyOf":[{"$ref":"#/components/schemas/OperationMatch"},{"type":"null"}],"description":"Match or unmatch CREATE operation"},"READ":{"anyOf":[{"$ref":"#/components/schemas/OperationMatch"},{"type":"null"}],"description":"Match or unmatch READ operation"},"UPDATE":{"anyOf":[{"$ref":"#/components/schemas/OperationMatch"},{"type":"null"}],"description":"Match or unmatch UPDATE operation"},"DELETE":{"anyOf":[{"$ref":"#/components/schemas/OperationMatch"},{"type":"null"}],"description":"Match or unmatch DELETE operation"},"OTHER":{"anyOf":[{"$ref":"#/components/schemas/OperationMatch"},{"type":"null"}],"description":"Match or unmatch OTHER operation (those not detected)"}},"type":"object","title":"ServerOperations"},"ServicesAndApplication":{"properties":{"domain":{"items":{"$ref":"#/components/schemas/DomainItem"},"type":"array","title":"Domain","description":"List of domains"},"url":{"items":{"$ref":"#/components/schemas/URLItem"},"type":"array","title":"Url","description":"List of URLs"},"genai_application":{"items":{"$ref":"#/components/schemas/GenAIApp"},"type":"array","title":"Genai Application","description":"List of GenAI applications"},"category":{"items":{"$ref":"#/components/schemas/CategoryItem"},"type":"array","title":"Category","description":"List of URLF categories"},"mode":{"anyOf":[{"$ref":"#/components/schemas/SelectionMode"},{"type":"null"}],"description":"Whether to apply to all services and applications or to only selected ones"}},"type":"object","title":"ServicesAndApplication"},"ShadowAnalysisResponse":{"properties":{"policy_type":{"$ref":"#/components/schemas/PolicyType"},"total_rules":{"type":"integer","title":"Total Rules","description":"Total number of active rules evaluated"},"shadowed_rules":{"items":{"$ref":"#/components/schemas/ShadowedRule"},"type":"array","title":"Shadowed Rules"}},"type":"object","required":["policy_type","total_rules","shadowed_rules"],"title":"ShadowAnalysisResponse","description":"Response for the shadow analysis API."},"ShadowedRule":{"properties":{"rule_id":{"type":"string","title":"Rule Id"},"rule_name":{"type":"string","title":"Rule Name"},"order":{"type":"integer","title":"Order"},"shadowed_by_rule_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Shadowed By Rule Id"},"shadowed_by_rule_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Shadowed By Rule Name"},"shadowed_by_order":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Shadowed By Order"},"reason":{"type":"string","title":"Reason","description":"Human-readable verdict explaining WHY this rule is shadowed"}},"type":"object","required":["rule_id","rule_name","order","reason"],"title":"ShadowedRule","description":"A rule that is fully shadowed by an earlier rule, or unreachable."},"SimulationGenAIApp":{"properties":{"app_id":{"type":"integer","exclusiveMinimum":0.0,"title":"App Id","description":"GenAI application ID"},"account_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Account Id","description":"Account/organization ID within the GenAI app (optional)"}},"type":"object","required":["app_id"],"title":"SimulationGenAIApp","description":"GenAI application target — app_id is mandatory, account_id is optional."},"SimulationMCPClient":{"properties":{"name_id":{"$ref":"#/components/schemas/MCPClientNameId","description":"MCP client name identifier"},"os":{"anyOf":[{"$ref":"#/components/schemas/OSType"},{"type":"null"}],"description":"Operating system filter"}},"type":"object","required":["name_id"],"title":"SimulationMCPClient","description":"MCP client target with all client identification options."},"SupportedFileType":{"type":"string","enum":["pdf","doc","docx","xls","xlsx","ppt","pptx","exe","tar","zip","rar","7z","rtf","dot","docm","dotx","dotm","xlt","xlm","xltx","xlsm","xltm","xlsb","xla","xlam","xll","xlw","pps","pptm","potx","potm","ppam","ppsx","ppsm","sldx","sldm","csv","scr","swf","jar","cab","tgz","pif","gz","bz2","tbz2","tb2","tbz","com","xz","cpl","dll","lnk","img","iso","wim","arj","bat","ps1","hwp","iqy","slk","udf","uue","pkg","msi","msg","o","dylib","app","dmg","qcow2","sh","one","xar","wsf","aspx"],"title":"SupportedFileType"},"ThreatPreventionAction":{"type":"string","enum":["detect","prevent","ask","off"],"title":"ThreatPreventionAction","description":"Actions for threat prevention features."},"Tooling":{"properties":{"match_mode":{"anyOf":[{"$ref":"#/components/schemas/MatchToolsMode"},{"type":"null"}],"description":"Match mode for tools: tools_include, tools_exclude, operations, all"},"tools":{"anyOf":[{"items":{"$ref":"#/components/schemas/MCPToolItem"},"type":"array"},{"type":"null"}],"title":"Tools","description":"List of tools for matching"},"operations":{"anyOf":[{"$ref":"#/components/schemas/ServerOperations"},{"type":"null"}],"description":"Operations match configuration"}},"type":"object","title":"Tooling"},"URLConfig":{"properties":{"url":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Url","description":"URL of the remote server","default":"","examples":["https://mcp-server.example.com/path"]},"match_mode":{"anyOf":[{"$ref":"#/components/schemas/URLMatchMode"},{"type":"null"}],"description":"Match mode for URL matching (exact_url or url_contains)","default":"exact_url"}},"type":"object","title":"URLConfig"},"URLFCategory":{"type":"integer","enum":[1,3,5,7,11,12,15,32,21,24,25,0,34,35,37,39,41,42,45,47,49,51,53,54,58,59,60,68,69,71,72,74,75,76,51000001,51000002,52000130,50000032,52000132,60517663,60530541,60530542,60530648,31,55,65,66,67,77,51000003,51000004,51000005,52000038,60530540,9,13,14,17,18,26,33,56,61,62,70,73,78,30,52000047,52000058,52000069,50000086,23,52000136,52000046,52000051,60531762],"title":"URLFCategory","description":"URLF Category enumeration with display names as keys and category IDs as values."},"URLItem":{"properties":{"url":{"type":"string","format":"uri","title":"Url","description":"Valid URL"}},"type":"object","required":["url"],"title":"URLItem"},"URLMatchMode":{"type":"string","enum":["exact_url","url_contains"],"title":"URLMatchMode","description":"URL matching mode enumeration for remote server URL matching.\n\nMatching modes:\n- EXACT_URL: Matches the exact full URL\n e.g., \"http://sub1.sub2.something.com/alsohere/something\"\n- URL_CONTAINS: Matches if the URL contains the specified string\n e.g., \"alsohere\" matches any URL containing \"alsohere\""},"UnknownServerConfig":{"properties":{"args":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Args","description":"Arguments for unknown server types","default":"","examples":["--default-arg"]},"match_mode":{"anyOf":[{"$ref":"#/components/schemas/MatchMode"},{"type":"null"}],"description":"Match mode for args matching","default":"exact"}},"type":"object","title":"UnknownServerConfig"},"ValidationError":{"properties":{"loc":{"items":{"anyOf":[{"type":"string"},{"type":"integer"}]},"type":"array","title":"Location"},"msg":{"type":"string","title":"Message"},"type":{"type":"string","title":"Error Type"},"input":{"title":"Input"},"ctx":{"type":"object","title":"Context"}},"type":"object","required":["loc","msg","type"],"title":"ValidationError"},"Asset":{"properties":{"device":{"$ref":"#/components/schemas/Device"},"user":{"anyOf":[{"$ref":"#/components/schemas/User"},{"type":"null"}]},"ping":{"anyOf":[{"$ref":"#/components/schemas/Ping"},{"type":"null"}]},"deployment":{"anyOf":[{"additionalProperties":{"$ref":"#/components/schemas/ModuleDeploymentData"},"propertyNames":{"$ref":"#/components/schemas/ModuleEnum"},"type":"object"},{"type":"null"}],"title":"Deployment"},"policy":{"anyOf":[{"additionalProperties":{"additionalProperties":{"$ref":"#/components/schemas/PolicyTypeData"},"propertyNames":{"$ref":"#/components/schemas/PolicyTypeExternal"},"type":"object"},"propertyNames":{"$ref":"#/components/schemas/RequestSource"},"type":"object"},{"type":"null"}],"title":"Policy"},"status":{"anyOf":[{"additionalProperties":{"$ref":"#/components/schemas/HealthStatus"},"propertyNames":{"$ref":"#/components/schemas/StatusComponent"},"type":"object"},{"type":"null"}],"title":"Status"},"environment":{"anyOf":[{"$ref":"#/components/schemas/EnvironmentData"},{"type":"null"}]}},"type":"object","required":["device"],"title":"Asset","description":"Complete asset with optional joined domains."},"AssetsCountResponse":{"properties":{"tenant_id":{"type":"string","format":"uuid","title":"Tenant Id"},"count":{"type":"integer","title":"Count"},"filters_applied":{"type":"integer","title":"Filters Applied","description":"Number of filters that were applied"}},"type":"object","required":["tenant_id","count","filters_applied"],"title":"AssetsCountResponse","description":"Response for count queries."},"AssetsResponse":{"properties":{"tenant_id":{"type":"string","format":"uuid","title":"Tenant Id"},"assets":{"items":{"$ref":"#/components/schemas/Asset"},"type":"array","title":"Assets"},"limit":{"type":"integer","title":"Limit"},"offset":{"type":"integer","title":"Offset"}},"type":"object","required":["tenant_id","assets","limit","offset"],"title":"AssetsResponse","description":"Response with assets and pagination metadata."},"Device":{"properties":{"device_unique_id":{"type":"string","format":"uuid","title":"Device Unique Id","description":"Unique device identifier"},"name":{"type":"string","title":"Name","description":"Device name (unique per tenant)"},"device_sid":{"type":"string","title":"Device Sid","description":"Device SID"},"created_at":{"type":"string","format":"date-time","title":"Created At","description":"Created timestamp"},"updated_at":{"type":"string","format":"date-time","title":"Updated At","description":"Updated timestamp"}},"type":"object","required":["device_unique_id","name","device_sid","created_at","updated_at"],"title":"Device","description":"External-safe twin of GlobalDevice."},"DeviceTypeEnum":{"type":"string","enum":["Laptop","Desktop","Workstation","unknown"],"title":"DeviceTypeEnum"},"EnvironmentData":{"properties":{"device_type":{"anyOf":[{"$ref":"#/components/schemas/DeviceTypeEnum"},{"type":"null"}],"description":"Device type (laptop, desktop, etc.)"},"os":{"anyOf":[{"$ref":"#/components/schemas/OSEnum"},{"type":"null"}],"description":"Operating system"},"os_version":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Os Version","description":"Operating system version"},"ip":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Ip","description":"Device IP address (IPv4 or IPv6)"}},"type":"object","title":"EnvironmentData","description":"External-safe twin of EnvironmentData."},"HealthStatus":{"type":"string","enum":["healthy","unhealthy"],"title":"HealthStatus","description":"Component health derived from status code: healthy when code == 0, unhealthy otherwise."},"ModuleDeploymentData":{"properties":{"version":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Version","description":"Current version"}},"type":"object","title":"ModuleDeploymentData","description":"External-safe twin of ModuleDeploymentData — exposes version only."},"ModuleEnum":{"type":"string","enum":["chrome","firefox","edge","brave","comet","safari","surf","mcp","proxy","da"],"title":"ModuleEnum"},"OSEnum":{"type":"string","enum":["Windows","macOS","Linux"],"title":"OSEnum","description":"Operating system enumeration"},"Ping":{"properties":{"last_connected":{"type":"string","format":"date-time","title":"Last Connected","description":"Last connection timestamp"}},"type":"object","required":["last_connected"],"title":"Ping","description":"External-safe twin of PingData."},"PolicyTypeData":{"properties":{"rulebase_version":{"type":"integer","title":"Rulebase Version","description":"Version of the rulebase"}},"type":"object","required":["rulebase_version"],"title":"PolicyTypeData","description":"Policy rulebase version for a given policy type."},"PolicyTypeExternal":{"type":"string","enum":["chats","access","agents","browse_securing"],"title":"PolicyTypeExternal","description":"External-facing policy types with consumer-friendly names."},"RequestSource":{"type":"string","enum":["device","edge","chrome","firefox","brave","comet","safari","surf","na"],"title":"RequestSource"},"StatusComponent":{"type":"string","enum":["proxy_health","mcp_health"],"title":"StatusComponent","description":"External-facing subset of status components exposed to API consumers."},"User":{"properties":{"user_unique_id":{"type":"string","format":"uuid","title":"User Unique Id","description":"Unique user identifier"},"name":{"type":"string","title":"Name","description":"User name"},"display_name":{"type":"string","title":"Display Name","description":"Display name"},"samname":{"type":"string","title":"Samname","description":"SAM account name (unique per tenant)"},"created_at":{"type":"string","format":"date-time","title":"Created At","description":"Created timestamp"},"updated_at":{"type":"string","format":"date-time","title":"Updated At","description":"Updated timestamp"}},"type":"object","required":["user_unique_id","name","display_name","samname","created_at","updated_at"],"title":"User","description":"External-safe twin of GlobalUser."},"UserItem":{"properties":{"user_unique_id":{"type":"string","format":"uuid","title":"User Unique Id","description":"Unique user identifier"},"name":{"type":"string","title":"Name","description":"User name (CN path)"},"display_name":{"type":"string","title":"Display Name","description":"Display name"},"samname":{"type":"string","title":"Samname","description":"SAM account name"}},"type":"object","required":["user_unique_id","name","display_name","samname"],"title":"UserItem","description":"External-safe user item."},"UsersResponse":{"properties":{"tenant_id":{"type":"string","format":"uuid","title":"Tenant Id"},"users":{"items":{"$ref":"#/components/schemas/UserItem"},"type":"array","title":"Users"},"limit":{"type":"integer","title":"Limit"},"offset":{"type":"integer","title":"Offset"}},"type":"object","required":["tenant_id","users","limit","offset"],"title":"UsersResponse","description":"Response with users and pagination metadata."},"AppResult":{"properties":{"app_id":{"type":"integer","title":"App Id","description":"Unique app identifier"},"name":{"type":"string","title":"Name","description":"App name"},"description":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Description","description":"App description"},"page_url":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Page Url","description":"App page URL"}},"type":"object","required":["app_id","name"],"title":"AppResult","description":"A single app result with minimal fields."},"AppSearchResponse":{"properties":{"results":{"items":{"$ref":"#/components/schemas/AppResult"},"type":"array","title":"Results","description":"Matching apps (max 10)"}},"type":"object","title":"AppSearchResponse","description":"Response with matching apps (max 10)."},"AppsByIdsResponse":{"properties":{"results":{"items":{"$ref":"#/components/schemas/AppResult"},"type":"array","title":"Results","description":"Matching apps"}},"type":"object","title":"AppsByIdsResponse","description":"Response with apps by IDs."},"SearchBy":{"type":"string","enum":["name","name_and_description","url"],"title":"SearchBy"}},"securitySchemes":{"HTTPBearer":{"type":"http","scheme":"bearer"}}}}