@highflame/policy 2.1.21 → 2.1.23

@@ -5,44 +5,25 @@
5
5
  // Complements the MCP Server Allowlist (connect_server action)
6
6
  // with fine-grained per-tool control on call_tool action.
7
7
  //
8
+ // Defaults to permit-all. Customize per-tool gating by adding forbid rules
9
+ // scoped to specific mcp_server / tool_name combinations.
10
+ //
8
11
  // Category: tools
9
12
  // Namespace: AIGateway
10
13
  // =============================================================================
11
14
 
12
- // -- GitHub MCP: Read-only access -------------------------------------------
15
+ // -- Permit all MCP tool calls (opt-in default) -----------------------------
13
16
 
14
- @id("mcp-tool-allow-read-github")
15
- @name("Allow read-only GitHub tools")
16
- @description("Permit read operations from GitHub MCP server")
17
- @severity("medium")
18
- @tags("mcp,github,read-only,least-privilege")
17
+ @id("mcp-tool-allow-all")
18
+ @name("Allow all MCP tool calls")
19
+ @description("Permit every call_tool action. Add forbid rules below for per-tool gating.")
20
+ @severity("low")
21
+ @tags("mcp,permit-default")
19
22
  permit (
20
23
  principal,
21
24
  action == AIGateway::Action::"call_tool",
22
25
  resource
23
- ) when {
24
- context has mcp_server && context.mcp_server == "github" &&
25
- context has tool_name &&
26
- (context.tool_name == "read_issues" ||
27
- context.tool_name == "get_issue" ||
28
- context.tool_name == "list_repos" ||
29
- context.tool_name == "get_pull_request" ||
30
- context.tool_name == "search_code" ||
31
- context.tool_name == "get_file_contents")
32
- };
33
-
34
- @id("mcp-tool-deny-write-github")
35
- @name("Deny write GitHub tools")
36
- @description("Block create/update/delete operations on GitHub MCP server")
37
- @severity("high")
38
- @tags("mcp,github,write-block,least-privilege")
39
- forbid (
40
- principal,
41
- action == AIGateway::Action::"call_tool",
42
- resource
43
- ) when {
44
- context has mcp_server && context.mcp_server == "github"
45
- };
26
+ );
46
27
 
47
28
  // -- Organization-wide MCP server exclusions --------------------------------
48
29
 
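Review bot: The new `permit` at new lines 22–26 has no `when` clause, so it authorizes every principal to call any tool on any MCP server. A deployment that re-applies this template under the unchanged id `tools-mcp-tool-permissions` loses the GitHub read-only allowlist and the write block that 2.1.21 shipped. Cedar denies by default and a `forbid` overrides a `permit`, so the only restriction left is whatever forbid rules follow; the metadata calls those opt-in and they sit outside this hunk, so they may not be active. I would close the statement with `) when { context has mcp_server && context has tool_name };` so that a request with no server or tool attribution is not permitted and cannot slip past forbid rules that key on those fields, and reword the section comment from "opt-in default" to say plainly that the template is allow-all. The same policy text recurs in the `AI_GATEWAY_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR` and `OVERWATCH_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR` constants further down, and the `severity` change from `high` to `low` in the template metadata deserves a second look for a rule this broad.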
@@ -89,11 +89,11 @@
89
89
  {
90
90
  "id": "tools-mcp-tool-permissions",
91
91
  "name": "MCP Tool Permissions",
92
- "description": "Per-tool access control for MCP servers -- allow specific tools while denying others, exclude servers org-wide, block unverified sources",
92
+ "description": "Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.",
93
93
  "category": "tools",
94
94
  "file": "mcp_tool_permissions.cedar",
95
- "severity": "high",
96
- "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
95
+ "severity": "low",
96
+ "tags": ["mcp", "tools", "permit-default", "exclusion"]
97
97
  },
98
98
  {
99
99
  "id": "data-pii-redaction",
@@ -412,44 +412,25 @@ const AI_GATEWAY_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR = `// ========================
412
412
  // Complements the MCP Server Allowlist (connect_server action)
413
413
  // with fine-grained per-tool control on call_tool action.
414
414
  //
415
+ // Defaults to permit-all. Customize per-tool gating by adding forbid rules
416
+ // scoped to specific mcp_server / tool_name combinations.
417
+ //
415
418
  // Category: tools
416
419
  // Namespace: AIGateway
417
420
  // =============================================================================
418
421
 
419
- // -- GitHub MCP: Read-only access -------------------------------------------
422
+ // -- Permit all MCP tool calls (opt-in default) -----------------------------
420
423
 
421
- @id("mcp-tool-allow-read-github")
422
- @name("Allow read-only GitHub tools")
423
- @description("Permit read operations from GitHub MCP server")
424
- @severity("medium")
425
- @tags("mcp,github,read-only,least-privilege")
424
+ @id("mcp-tool-allow-all")
425
+ @name("Allow all MCP tool calls")
426
+ @description("Permit every call_tool action. Add forbid rules below for per-tool gating.")
427
+ @severity("low")
428
+ @tags("mcp,permit-default")
426
429
  permit (
427
430
  principal,
428
431
  action == AIGateway::Action::"call_tool",
429
432
  resource
430
- ) when {
431
- context has mcp_server && context.mcp_server == "github" &&
432
- context has tool_name &&
433
- (context.tool_name == "read_issues" ||
434
- context.tool_name == "get_issue" ||
435
- context.tool_name == "list_repos" ||
436
- context.tool_name == "get_pull_request" ||
437
- context.tool_name == "search_code" ||
438
- context.tool_name == "get_file_contents")
439
- };
440
-
441
- @id("mcp-tool-deny-write-github")
442
- @name("Deny write GitHub tools")
443
- @description("Block create/update/delete operations on GitHub MCP server")
444
- @severity("high")
445
- @tags("mcp,github,write-block,least-privilege")
446
- forbid (
447
- principal,
448
- action == AIGateway::Action::"call_tool",
449
- resource
450
- ) when {
451
- context has mcp_server && context.mcp_server == "github"
452
- };
433
+ );
453
434
 
454
435
  // -- Organization-wide MCP server exclusions --------------------------------
455
436
 
@@ -668,11 +649,11 @@ export const AI_GATEWAY_TEMPLATES = [
668
649
  {
669
650
  id: 'tools-mcp-tool-permissions',
670
651
  name: 'MCP Tool Permissions',
671
- description: 'Per-tool access control for MCP servers -- allow specific tools while denying others, exclude servers org-wide, block unverified sources',
652
+ description: 'Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.',
672
653
  category: 'tools',
673
654
  cedarText: AI_GATEWAY_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR,
674
- severity: 'high',
675
- tags: ['mcp', 'tools', 'least-privilege', 'per-server', 'exclusion'],
655
+ severity: 'low',
656
+ tags: ['mcp', 'tools', 'permit-default', 'exclusion'],
676
657
  },
677
658
  {
678
659
  id: 'data-pii-redaction',
@@ -788,11 +769,11 @@ export const AI_GATEWAY_TEMPLATES_JSON = `{
788
769
  {
789
770
  "id": "tools-mcp-tool-permissions",
790
771
  "name": "MCP Tool Permissions",
791
- "description": "Per-tool access control for MCP servers -- allow specific tools while denying others, exclude servers org-wide, block unverified sources",
772
+ "description": "Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.",
792
773
  "category": "tools",
793
774
  "file": "mcp_tool_permissions.cedar",
794
- "severity": "high",
795
- "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
775
+ "severity": "low",
776
+ "tags": ["mcp", "tools", "permit-default", "exclusion"]
796
777
  },
797
778
  {
798
779
  "id": "data-pii-redaction",
@@ -855,44 +855,25 @@ const OVERWATCH_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR = `// =========================
855
855
  // Complements the existing MCP Server Allowlist (connect_server action)
856
856
  // with fine-grained per-tool control on call_tool action.
857
857
  //
858
+ // Defaults to permit-all. Customize per-tool gating by adding forbid rules
859
+ // scoped to specific mcp_server / tool_name combinations.
860
+ //
858
861
  // Category: tools
859
862
  // Namespace: Overwatch
860
863
  // =============================================================================
861
864
 
862
- // -- GitHub MCP: Read-only access -------------------------------------------
865
+ // -- Permit all MCP tool calls (opt-in default) -----------------------------
863
866
 
864
- @id("mcp-tool-allow-read-github")
865
- @name("Allow read-only GitHub tools")
866
- @description("Permit read operations from GitHub MCP server")
867
- @severity("medium")
868
- @tags("mcp,github,read-only,least-privilege")
867
+ @id("mcp-tool-allow-all")
868
+ @name("Allow all MCP tool calls")
869
+ @description("Permit every call_tool action. Add forbid rules below for per-tool gating.")
870
+ @severity("low")
871
+ @tags("mcp,permit-default")
869
872
  permit (
870
873
  principal,
871
874
  action == Overwatch::Action::"call_tool",
872
875
  resource
873
- ) when {
874
- context has mcp_server && context.mcp_server == "github" &&
875
- context has tool_name &&
876
- (context.tool_name == "read_issues" ||
877
- context.tool_name == "get_issue" ||
878
- context.tool_name == "list_repos" ||
879
- context.tool_name == "get_pull_request" ||
880
- context.tool_name == "search_code" ||
881
- context.tool_name == "get_file_contents")
882
- };
883
-
884
- @id("mcp-tool-deny-write-github")
885
- @name("Deny write GitHub tools")
886
- @description("Block create/update/delete operations on GitHub MCP server")
887
- @severity("high")
888
- @tags("mcp,github,write-block,least-privilege")
889
- forbid (
890
- principal,
891
- action == Overwatch::Action::"call_tool",
892
- resource
893
- ) when {
894
- context has mcp_server && context.mcp_server == "github"
895
- };
876
+ );
896
877
 
897
878
  // -- Organization-wide MCP server exclusions --------------------------------
898
879
 
@@ -1117,11 +1098,11 @@ export const OVERWATCH_TEMPLATES = [
1117
1098
  {
1118
1099
  id: 'tools-mcp-tool-permissions',
1119
1100
  name: 'MCP Tool Permissions',
1120
- description: 'Per-tool access control for MCP servers allow specific tools while denying others, exclude servers org-wide, block unverified sources',
1101
+ description: 'Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.',
1121
1102
  category: 'tools',
1122
1103
  cedarText: OVERWATCH_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR,
1123
- severity: 'high',
1124
- tags: ['mcp', 'tools', 'least-privilege', 'per-server', 'exclusion'],
1104
+ severity: 'low',
1105
+ tags: ['mcp', 'tools', 'permit-default', 'exclusion'],
1125
1106
  },
1126
1107
  {
1127
1108
  id: 'org-default-deny',
@@ -1256,11 +1237,11 @@ export const OVERWATCH_TEMPLATES_JSON = `{
1256
1237
  {
1257
1238
  "id": "tools-mcp-tool-permissions",
1258
1239
  "name": "MCP Tool Permissions",
1259
- "description": "Per-tool access control for MCP servers allow specific tools while denying others, exclude servers org-wide, block unverified sources",
1240
+ "description": "Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.",
1260
1241
  "category": "tools",
1261
1242
  "file": "mcp_tool_permissions.cedar",
1262
- "severity": "high",
1263
- "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
1243
+ "severity": "low",
1244
+ "tags": ["mcp", "tools", "permit-default", "exclusion"]
1264
1245
  },
1265
1246
  {
1266
1247
  "id": "org-default-deny",
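--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@highflame/policy",
- "version": "2.1.21",
+ "version": "2.1.23",
  "engines": {
  "node": ">=18"
  },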