@highflame/policy 2.1.13 → 2.1.14

package/_schemas/mcp_gateway/templates/mcp_tool_permissions.cedar

@@ -0,0 +1,77 @@
+// =============================================================================
+// MCP Tool Permissions Template (MCPGateway)
+// =============================================================================
+// Per-tool access control for MCP servers.
+// Complements the MCP Server Allowlist (connect_server action)
+// with fine-grained per-tool control on call_tool action.
+//
+// Category: tools
+// Namespace: MCPGateway
+// =============================================================================
+
+// -- GitHub MCP: Read-only access -------------------------------------------
+
+@id("mcp-tool-allow-read-github")
+@name("Allow read-only GitHub tools")
+@description("Permit read operations from GitHub MCP server")
+@severity("medium")
+@tags("mcp,github,read-only,least-privilege")
+permit (
+    principal,
+    action == MCPGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server && context.mcp_server == "github" &&
+    context has tool_name &&
+    (context.tool_name == "read_issues" ||
+     context.tool_name == "get_issue" ||
+     context.tool_name == "list_repos" ||
+     context.tool_name == "get_pull_request" ||
+     context.tool_name == "search_code" ||
+     context.tool_name == "get_file_contents")
+};
+
+@id("mcp-tool-deny-write-github")
+@name("Deny write GitHub tools")
+@description("Block create/update/delete operations on GitHub MCP server")
+@severity("high")
+@tags("mcp,github,write-block,least-privilege")
+forbid (
+    principal,
+    action == MCPGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server && context.mcp_server == "github"
+};
+
+// -- Organization-wide MCP server exclusions --------------------------------
+
+@id("mcp-tool-exclude-server")
+@name("Exclude specific MCP servers")
+@description("Block all tool calls from excluded MCP servers (org-wide exclusion list)")
+@severity("critical")
+@tags("mcp,exclusion,org-wide,block")
+forbid (
+    principal,
+    action == MCPGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server &&
+    (context.mcp_server == "untrusted-server" ||
+     context.mcp_server == "deprecated-server")
+};
+
+// -- Block unverified MCP servers -------------------------------------------
+
+@id("mcp-tool-block-unverified")
+@name("Block tools from unverified MCP servers")
+@description("Deny tool calls from MCP servers not in the verified registry")
+@severity("high")
+@tags("mcp,trust,verification")
+forbid (
+    principal,
+    action == MCPGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server_verified && context.mcp_server_verified == false
+};

package/_schemas/mcp_gateway/templates/templates.json

@@ -0,0 +1,89 @@
+{
+  "service": "mcp_gateway",
+  "version": "1.0.0",
+  "description": "MCPGateway policy templates for MCP proxy security",
+  "categories": [
+    {
+      "id": "semantic",
+      "name": "Semantic Threat Detection",
+      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats in MCP operations"
+    },
+    {
+      "id": "tools",
+      "name": "Tool Permissioning",
+      "description": "Control access to MCP tools, enforce risk scoring, and manage per-tool permissions"
+    },
+    {
+      "id": "organization",
+      "name": "Organization Rules",
+      "description": "Apply organization-wide policy baselines for MCP gateway operations"
+    },
+    {
+      "id": "agent_security",
+      "name": "Agent Security",
+      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats"
+    }
+  ],
+  "defaults": [
+    {
+      "id": "baseline-default",
+      "name": "Baseline Permit",
+      "description": "Permits all actions by default -- threat-specific forbid policies override this when threats are detected",
+      "category": "organization",
+      "file": "defaults/baseline.cedar",
+      "severity": "low",
+      "tags": ["baseline", "permit-default", "organization"],
+      "is_active": true
+    },
+    {
+      "id": "semantic-default",
+      "name": "Semantic Threat Detection",
+      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity threats in MCP tool calls",
+      "category": "semantic",
+      "file": "defaults/semantic.cedar",
+      "severity": "critical",
+      "tags": ["prompt-injection", "jailbreak", "owasp-llm01", "owasp-llm02", "security", "baseline"],
+      "is_active": true
+    },
+    {
+      "id": "tools-default",
+      "name": "Tool Permissioning",
+      "description": "Enforce tool risk scoring, block dangerous tools, and detect command injection in MCP tool arguments",
+      "category": "tools",
+      "file": "defaults/tools.cedar",
+      "severity": "critical",
+      "tags": ["tool-risk", "command-injection", "owasp-llm06", "owasp-asi02", "baseline"],
+      "is_active": true
+    },
+    {
+      "id": "agent-security-default",
+      "name": "Agent Security",
+      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats",
+      "category": "agent_security",
+      "file": "defaults/agent_security.cedar",
+      "severity": "critical",
+      "tags": ["tool-poisoning", "rug-pull", "indirect-injection", "mcp-security", "owasp-asi01", "owasp-asi04", "baseline"],
+      "is_active": true
+    }
+  ],
+  "templates": [
+    {
+      "id": "tools-mcp-allowlist",
+      "name": "MCP Server Allowlist",
+      "description": "Only allow specific MCP servers to be used",
+      "category": "tools",
+      "file": "mcp_server_allowlist.cedar",
+      "severity": "medium",
+      "tags": ["mcp", "allowlist", "whitelist"]
+    },
+    {
+      "id": "tools-mcp-tool-permissions",
+      "name": "MCP Tool Permissions",
+      "description": "Per-tool access control for MCP servers -- allow specific tools while denying others, exclude servers org-wide, block unverified sources",
+      "category": "tools",
+      "file": "mcp_tool_permissions.cedar",
+      "severity": "high",
+      "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
+    }
+  ]
+}

package/dist/index.d.ts

@@ -9,19 +9,23 @@ export * from './errors.js';
 export * from './annotations.js';
 export * from './explain.js';
 export * from './condition-groups.js';
-export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, SENTRY_SCHEMA, SENTRY_CONTEXT, } from './service-schemas.gen.js';
+export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, MCP_GATEWAY_SCHEMA, MCP_GATEWAY_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, SENTRY_SCHEMA, SENTRY_CONTEXT, } from './service-schemas.gen.js';
 export type { ContextAttribute, ActionContext, ServiceContext, } from './service-schemas.gen.js';
 export { GuardrailsContextKey } from './guardrails-context.gen.js';
+export { McpGatewayContextKey } from './mcp_gateway-context.gen.js';
 export { OverwatchContextKey } from './overwatch-context.gen.js';
 export { PalisadeContextKey } from './palisade-context.gen.js';
 export { SentryContextKey } from './sentry-context.gen.js';
 export { GUARDRAILS_ENTITIES, GUARDRAILS_ACTION_ENTITIES, } from './guardrails-entities.gen.js';
+export { MCP_GATEWAY_ENTITIES, MCP_GATEWAY_ACTION_ENTITIES, } from './mcp_gateway-entities.gen.js';
 export { OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, } from './overwatch-entities.gen.js';
 export { PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './palisade-entities.gen.js';
 export { SENTRY_ENTITIES, SENTRY_ACTION_ENTITIES, } from './sentry-entities.gen.js';
 export type { ServiceEntityMetadata, ActionEntityMetadata } from './entity-metadata-types.gen.js';
 export { GUARDRAILS_DEFAULTS, GUARDRAILS_TEMPLATES, GUARDRAILS_CATEGORIES, GUARDRAILS_TEMPLATES_JSON, getGuardrailsDefaultsByCategory, getGuardrailsTemplatesByCategory, getGuardrailsTemplateById, } from './guardrails-defaults.gen.js';
 export type { GuardrailsCategory, GuardrailsCategoryInfo, GuardrailsDefaultPolicy, GuardrailsTemplate, } from './guardrails-defaults.gen.js';
+export { MCP_GATEWAY_DEFAULTS, MCP_GATEWAY_TEMPLATES, MCP_GATEWAY_CATEGORIES, MCP_GATEWAY_TEMPLATES_JSON, getMcpGatewayDefaultsByCategory, getMcpGatewayTemplatesByCategory, getMcpGatewayTemplateById, } from './mcp_gateway-defaults.gen.js';
+export type { McpGatewayCategory, McpGatewayCategoryInfo, McpGatewayDefaultPolicy, McpGatewayTemplate, } from './mcp_gateway-defaults.gen.js';
 export { OVERWATCH_DEFAULTS, OVERWATCH_TEMPLATES, OVERWATCH_CATEGORIES, OVERWATCH_TEMPLATES_JSON, getOverwatchDefaultsByCategory, getOverwatchTemplatesByCategory, getOverwatchTemplateById, } from './overwatch-defaults.gen.js';
 export type { OverwatchCategory, OverwatchCategoryInfo, OverwatchDefaultPolicy, OverwatchTemplate, } from './overwatch-defaults.gen.js';
 export { SENTRY_DEFAULTS, SENTRY_TEMPLATES, SENTRY_CATEGORIES, SENTRY_TEMPLATES_JSON, getSentryDefaultsByCategory, getSentryTemplatesByCategory, getSentryTemplateById, } from './sentry-defaults.gen.js';

package/dist/index.js

@@ -18,18 +18,21 @@ export * from './explain.js';
 // Condition groups (AST ↔ flat UI groups)
 export * from './condition-groups.js';
 // Service-specific schemas and context (inlined)
-export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, SENTRY_SCHEMA, SENTRY_CONTEXT, } from './service-schemas.gen.js';
+export { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT, MCP_GATEWAY_SCHEMA, MCP_GATEWAY_CONTEXT, OVERWATCH_SCHEMA, OVERWATCH_CONTEXT, PALISADE_SCHEMA, PALISADE_CONTEXT, SENTRY_SCHEMA, SENTRY_CONTEXT, } from './service-schemas.gen.js';
 // Service-specific context key enums
 export { GuardrailsContextKey } from './guardrails-context.gen.js';
+export { McpGatewayContextKey } from './mcp_gateway-context.gen.js';
 export { OverwatchContextKey } from './overwatch-context.gen.js';
 export { PalisadeContextKey } from './palisade-context.gen.js';
 export { SentryContextKey } from './sentry-context.gen.js';
 // Service-specific entity metadata (for UI - principals, resources, actions)
 export { GUARDRAILS_ENTITIES, GUARDRAILS_ACTION_ENTITIES, } from './guardrails-entities.gen.js';
+export { MCP_GATEWAY_ENTITIES, MCP_GATEWAY_ACTION_ENTITIES, } from './mcp_gateway-entities.gen.js';
 export { OVERWATCH_ENTITIES, OVERWATCH_ACTION_ENTITIES, } from './overwatch-entities.gen.js';
 export { PALISADE_ENTITIES, PALISADE_ACTION_ENTITIES, } from './palisade-entities.gen.js';
 export { SENTRY_ENTITIES, SENTRY_ACTION_ENTITIES, } from './sentry-entities.gen.js';
 // Service-specific default policies, templates, and categories
 export { GUARDRAILS_DEFAULTS, GUARDRAILS_TEMPLATES, GUARDRAILS_CATEGORIES, GUARDRAILS_TEMPLATES_JSON, getGuardrailsDefaultsByCategory, getGuardrailsTemplatesByCategory, getGuardrailsTemplateById, } from './guardrails-defaults.gen.js';
+export { MCP_GATEWAY_DEFAULTS, MCP_GATEWAY_TEMPLATES, MCP_GATEWAY_CATEGORIES, MCP_GATEWAY_TEMPLATES_JSON, getMcpGatewayDefaultsByCategory, getMcpGatewayTemplatesByCategory, getMcpGatewayTemplateById, } from './mcp_gateway-defaults.gen.js';
 export { OVERWATCH_DEFAULTS, OVERWATCH_TEMPLATES, OVERWATCH_CATEGORIES, OVERWATCH_TEMPLATES_JSON, getOverwatchDefaultsByCategory, getOverwatchTemplatesByCategory, getOverwatchTemplateById, } from './overwatch-defaults.gen.js';
 export { SENTRY_DEFAULTS, SENTRY_TEMPLATES, SENTRY_CATEGORIES, SENTRY_TEMPLATES_JSON, getSentryDefaultsByCategory, getSentryTemplatesByCategory, getSentryTemplateById, } from './sentry-defaults.gen.js';

package/dist/mcp_gateway-context.gen.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Context attribute keys for McpGateway Context attributes for MCPGateway Cedar policies.
+ *
+ * These constants correspond to the context attributes defined in the
+ * McpGateway Cedar schema and are used at policy evaluation time.
+ */
+export declare const McpGatewayContextKey: {
+    readonly ContainsInvisibleChars: "contains_invisible_chars";
+    readonly ContainsSecrets: "contains_secrets";
+    readonly Content: "content";
+    readonly CrimeScore: "crime_score";
+    readonly DetectedThreats: "detected_threats";
+    readonly HateSpeechScore: "hate_speech_score";
+    readonly HighestSeverity: "highest_severity";
+    readonly IndirectInjectionScore: "indirect_injection_score";
+    readonly InjectionConfidence: "injection_confidence";
+    readonly InvisibleCharsScore: "invisible_chars_score";
+    readonly JailbreakConfidence: "jailbreak_confidence";
+    readonly LoopCount: "loop_count";
+    readonly LoopDetected: "loop_detected";
+    readonly MaxThreatSeverity: "max_threat_severity";
+    readonly McpConfigRisk: "mcp_config_risk";
+    readonly McpRiskScore: "mcp_risk_score";
+    readonly McpServer: "mcp_server";
+    readonly McpServerVerified: "mcp_server_verified";
+    readonly McpTool: "mcp_tool";
+    readonly PatternType: "pattern_type";
+    readonly PiiCount: "pii_count";
+    readonly PiiDetected: "pii_detected";
+    readonly PiiTypes: "pii_types";
+    readonly ProfanityScore: "profanity_score";
+    readonly RugPullDetected: "rug_pull_detected";
+    readonly RugPullScore: "rug_pull_score";
+    readonly SecretCount: "secret_count";
+    readonly SecretTypes: "secret_types";
+    readonly SequenceRisk: "sequence_risk";
+    readonly SexualScore: "sexual_score";
+    readonly SuspiciousPattern: "suspicious_pattern";
+    readonly ThreatCategories: "threat_categories";
+    readonly ThreatCount: "threat_count";
+    readonly ToolCategory: "tool_category";
+    readonly ToolIsBuiltin: "tool_is_builtin";
+    readonly ToolIsSensitive: "tool_is_sensitive";
+    readonly ToolName: "tool_name";
+    readonly ToolPoisoningDetected: "tool_poisoning_detected";
+    readonly ToolPoisoningScore: "tool_poisoning_score";
+    readonly ToolRiskScore: "tool_risk_score";
+    readonly ViolenceScore: "violence_score";
+    readonly WeaponsScore: "weapons_score";
+};
+export type McpGatewayContextKey = (typeof McpGatewayContextKey)[keyof typeof McpGatewayContextKey];

package/dist/mcp_gateway-context.gen.js

@@ -0,0 +1,52 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/mcp_gateway/context.json
+/**
+ * Context attribute keys for McpGateway Context attributes for MCPGateway Cedar policies.
+ *
+ * These constants correspond to the context attributes defined in the
+ * McpGateway Cedar schema and are used at policy evaluation time.
+ */
+export const McpGatewayContextKey = {
+    ContainsInvisibleChars: 'contains_invisible_chars',
+    ContainsSecrets: 'contains_secrets',
+    Content: 'content',
+    CrimeScore: 'crime_score',
+    DetectedThreats: 'detected_threats',
+    HateSpeechScore: 'hate_speech_score',
+    HighestSeverity: 'highest_severity',
+    IndirectInjectionScore: 'indirect_injection_score',
+    InjectionConfidence: 'injection_confidence',
+    InvisibleCharsScore: 'invisible_chars_score',
+    JailbreakConfidence: 'jailbreak_confidence',
+    LoopCount: 'loop_count',
+    LoopDetected: 'loop_detected',
+    MaxThreatSeverity: 'max_threat_severity',
+    McpConfigRisk: 'mcp_config_risk',
+    McpRiskScore: 'mcp_risk_score',
+    McpServer: 'mcp_server',
+    McpServerVerified: 'mcp_server_verified',
+    McpTool: 'mcp_tool',
+    PatternType: 'pattern_type',
+    PiiCount: 'pii_count',
+    PiiDetected: 'pii_detected',
+    PiiTypes: 'pii_types',
+    ProfanityScore: 'profanity_score',
+    RugPullDetected: 'rug_pull_detected',
+    RugPullScore: 'rug_pull_score',
+    SecretCount: 'secret_count',
+    SecretTypes: 'secret_types',
+    SequenceRisk: 'sequence_risk',
+    SexualScore: 'sexual_score',
+    SuspiciousPattern: 'suspicious_pattern',
+    ThreatCategories: 'threat_categories',
+    ThreatCount: 'threat_count',
+    ToolCategory: 'tool_category',
+    ToolIsBuiltin: 'tool_is_builtin',
+    ToolIsSensitive: 'tool_is_sensitive',
+    ToolName: 'tool_name',
+    ToolPoisoningDetected: 'tool_poisoning_detected',
+    ToolPoisoningScore: 'tool_poisoning_score',
+    ToolRiskScore: 'tool_risk_score',
+    ViolenceScore: 'violence_score',
+    WeaponsScore: 'weapons_score',
+};

package/dist/mcp_gateway-defaults.gen.d.ts

@@ -0,0 +1,61 @@
+/**
+ * McpGateway policy category identifiers.
+ * Maps to UI tab names in Studio.
+ */
+export type McpGatewayCategory = 'semantic' | 'tools' | 'organization' | 'agent_security';
+/**
+ * Category metadata for UI display.
+ */
+export interface McpGatewayCategoryInfo {
+    id: McpGatewayCategory;
+    name: string;
+    description: string;
+}
+/**
+ * A default policy that is auto-created for new projects.
+ */
+export interface McpGatewayDefaultPolicy {
+    /** Template identifier */
+    id: string;
+    /** Human-readable name */
+    name: string;
+    /** Description for UI display */
+    description: string;
+    /** Policy category */
+    category: McpGatewayCategory;
+    /** Cedar policy text (source of truth) */
+    cedarText: string;
+    /** Severity level */
+    severity: string;
+    /** Tags for filtering */
+    tags: string[];
+    /** Whether this default should be activated immediately */
+    isActive: boolean;
+}
+/**
+ * A policy template available for users to create from.
+ */
+export interface McpGatewayTemplate {
+    /** Template identifier */
+    id: string;
+    /** Human-readable name */
+    name: string;
+    /** Description for UI display */
+    description: string;
+    /** Policy category */
+    category: McpGatewayCategory;
+    /** Cedar policy text */
+    cedarText: string;
+    /** Severity level */
+    severity: string;
+    /** Tags for filtering */
+    tags: string[];
+}
+export declare const MCP_GATEWAY_CATEGORIES: McpGatewayCategoryInfo[];
+export declare const MCP_GATEWAY_DEFAULTS: McpGatewayDefaultPolicy[];
+export declare const MCP_GATEWAY_TEMPLATES: McpGatewayTemplate[];
+/** Raw templates.json metadata for the McpGateway service. */
+export declare const MCP_GATEWAY_TEMPLATES_JSON: string;
+export declare function getMcpGatewayDefaultsByCategory(category: McpGatewayCategory): McpGatewayDefaultPolicy[];
+export declare function getMcpGatewayTemplatesByCategory(category: McpGatewayCategory): McpGatewayTemplate[];
+export declare function getMcpGatewayTemplateById(id: string): McpGatewayTemplate | undefined;