refactor(policy): align mcp deny rules

ddurst-nvidia · ddurst-nvidia · commit da2a2fdf7284 · 2026-06-18T00:10:02.000-07:00
Signed-off-by: ddurst &lt;267424412+ddurst-nvidia@users.noreply.github.com&gt;
diff --git a/crates/openshell-policy/src/lib.rs b/crates/openshell-policy/src/lib.rs
@@ -108,8 +108,8 @@ struct NetworkEndpointDef {
     enforcement: String,
     #[serde(default, skip_serializing_if = "String::is_empty")]
     access: String,
-    #[serde(default, skip_serializing_if = "RulesDef::is_empty")]
-    rules: RulesDef,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    rules: Vec<L7RuleDef>,
     #[serde(default, skip_serializing_if = "Vec::is_empty")]
     allowed_ips: Vec<String>,
     #[serde(default, skip_serializing_if = "Vec::is_empty")]
@@ -195,57 +195,6 @@ struct L7RuleDef {
     allow: L7AllowDef,
 }
 
-// Preserve the original `rules: [{ allow: ... }]` shape while accepting the
-// newer grouped shape (`rules.allow` / `rules.deny`) used by MCP examples.
-#[derive(Debug, Serialize, Deserialize)]
-#[serde(untagged)]
-enum RulesDef {
-    Legacy(Vec<L7RuleDef>),
-    Grouped(L7RuleGroupsDef),
-}
-
-impl Default for RulesDef {
-    fn default() -> Self {
-        Self::Legacy(Vec::new())
-    }
-}
-
-impl RulesDef {
-    // Serde needs this for `skip_serializing_if`; keeping it on the enum keeps
-    // call sites from having to know which rules shape was parsed.
-    fn is_empty(&self) -> bool {
-        match self {
-            Self::Legacy(rules) => rules.is_empty(),
-            Self::Grouped(groups) => groups.allow.is_empty() && groups.deny.is_empty(),
-        }
-    }
-
-    // The proto model still carries allow rules and deny rules separately. This
-    // folds both YAML spellings back into that stable internal representation.
-    fn into_parts(self) -> (Vec<L7RuleDef>, Vec<L7DenyRuleDef>) {
-        match self {
-            Self::Legacy(rules) => (rules, Vec::new()),
-            Self::Grouped(groups) => (
-                groups
-                    .allow
-                    .into_iter()
-                    .map(|allow| L7RuleDef { allow })
-                    .collect(),
-                groups.deny,
-            ),
-        }
-    }
-}
-
-#[derive(Debug, Serialize, Deserialize)]
-#[serde(deny_unknown_fields)]
-struct L7RuleGroupsDef {
-    #[serde(default, skip_serializing_if = "Vec::is_empty")]
-    allow: Vec<L7AllowDef>,
-    #[serde(default, skip_serializing_if = "Vec::is_empty")]
-    deny: Vec<L7DenyRuleDef>,
-}
-
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(deny_unknown_fields)]
 struct L7AllowDef {
@@ -635,9 +584,8 @@ fn to_proto(raw: PolicyFile) -> SandboxPolicy {
                     .into_iter()
                     .map(|e| {
                         let protocol = e.protocol;
-                        let (allow_rules, grouped_deny_rules) = e.rules.into_parts();
-                        let mut deny_rules = grouped_deny_rules;
-                        deny_rules.extend(e.deny_rules);
+                        let allow_rules = e.rules;
+                        let deny_rules = e.deny_rules;
                         // Normalize port/ports: ports takes precedence, else
                         // single port is promoted to ports array.
                         let normalized_ports: Vec<u32> = if !e.ports.is_empty() {
@@ -770,39 +718,21 @@ fn from_proto(policy: &SandboxPolicy) -> PolicyFile {
                             (clamp(e.ports.first().copied().unwrap_or(e.port)), vec![])
                         };
                         let protocol = e.protocol.clone();
-                        let allow_defs: Vec<L7AllowDef> = e
+                        let rules = e
                             .rules
                             .iter()
-                            .map(|r| {
-                                allow_proto_to_def(&protocol, r.allow.clone().unwrap_or_default())
+                            .map(|r| L7RuleDef {
+                                allow: allow_proto_to_def(
+                                    &protocol,
+                                    r.allow.clone().unwrap_or_default(),
+                                ),
                             })
                             .collect();
-                        let deny_defs: Vec<L7DenyRuleDef> = e
+                        let deny_rules: Vec<L7DenyRuleDef> = e
                             .deny_rules
                             .iter()
                             .map(|d| deny_proto_to_def(&protocol, d))
                             .collect();
-                        let (rules, deny_rules) = if is_mcp_protocol(&protocol)
-                            && (!allow_defs.is_empty() || !deny_defs.is_empty())
-                        {
-                            (
-                                RulesDef::Grouped(L7RuleGroupsDef {
-                                    allow: allow_defs,
-                                    deny: deny_defs,
-                                }),
-                                Vec::new(),
-                            )
-                        } else {
-                            (
-                                RulesDef::Legacy(
-                                    allow_defs
-                                        .into_iter()
-                                        .map(|allow| L7RuleDef { allow })
-                                        .collect(),
-                                ),
-                                deny_defs,
-                            )
-                        };
                         let (json_rpc, mcp) = if is_mcp_protocol(&protocol) {
                             (None, mcp_config_from_proto(e.json_rpc_max_body_bytes))
                         } else {
@@ -2058,7 +1988,7 @@ network_policies:
     }
 
     #[test]
-    fn parse_grouped_mcp_rules_to_runtime_fields() {
+    fn parse_mcp_rules_to_runtime_fields() {
         let yaml = r"
 version: 1
 network_policies:
@@ -2073,17 +2003,19 @@ network_policies:
         mcp:
           max_body_bytes: 131072
         rules:
-          deny:
-            - method: tools/call
-              tool: send_email
-          allow:
-            - method: initialize
-            - method: tools/list
-            - method: tools/call
+          - allow:
+              method: initialize
+          - allow:
+              method: tools/list
+          - allow:
+              method: tools/call
               tool: search_web
               params:
                 arguments:
                   repository: NVIDIA/OpenShell
+        deny_rules:
+          - method: tools/call
+            tool: send_email
     binaries:
       - path: /usr/bin/curl
 ";
@@ -2121,15 +2053,15 @@ network_policies:
         mcp:
           max_body_bytes: 131072
         rules:
-          allow:
-            - method: tools/call
+          - allow:
+              method: tools/call
               tool: search_web
               params:
                 arguments:
                   repository: NVIDIA/OpenShell
-          deny:
-            - method: tools/call
-              tool: send_email
+        deny_rules:
+          - method: tools/call
+            tool: send_email
     binaries:
       - path: /usr/bin/curl
 ";
@@ -2141,6 +2073,7 @@ network_policies:
         assert!(yaml_out.contains("method: tools/call"));
         assert!(yaml_out.contains("tool: search_web"));
         assert!(yaml_out.contains("tool: send_email"));
+        assert!(yaml_out.contains("deny_rules:"));
         assert!(yaml_out.contains("arguments:"));
         assert!(yaml_out.contains("repository: NVIDIA/OpenShell"));
         assert!(!yaml_out.contains("arguments.repository"));
diff --git a/crates/openshell-supervisor-network/src/l7/relay.rs b/crates/openshell-supervisor-network/src/l7/relay.rs
@@ -2306,14 +2306,16 @@ network_policies:
         mcp:
           max_body_bytes: 131072
         rules:
-          deny:
-            - method: tools/call
-              tool: delete_resource
-          allow:
-            - method: initialize
-            - method: tools/list
-            - method: tools/call
+          - allow:
+              method: initialize
+          - allow:
+              method: tools/list
+          - allow:
+              method: tools/call
               tool: read_status
+        deny_rules:
+          - method: tools/call
+            tool: delete_resource
     binaries:
       - { path: /usr/bin/node }
 "#;
diff --git a/crates/openshell-supervisor-network/src/opa.rs b/crates/openshell-supervisor-network/src/opa.rs
@@ -845,57 +845,19 @@ fn normalize_l7_rules_aliases(ep: &mut serde_json::Map<String, serde_json::Value
         .and_then(serde_json::Value::as_str)
         .unwrap_or("")
         .to_string();
-    let mut grouped_denies = Vec::new();
-    if let Some(rules) = ep.get_mut("rules") {
-        match rules {
-            serde_json::Value::Array(items) => {
-                for rule in items {
-                    if let Some(allow) = rule
-                        .get_mut("allow")
-                        .and_then(serde_json::Value::as_object_mut)
-                    {
-                        normalize_l7_rule_aliases(allow, &protocol);
-                    } else if let Some(allow) = rule.as_object_mut() {
-                        normalize_l7_rule_aliases(allow, &protocol);
-                    }
-                }
-            }
-            serde_json::Value::Object(groups) => {
-                let allow_rules = groups
-                    .remove("allow")
-                    .and_then(|v| v.as_array().cloned())
-                    .unwrap_or_default()
-                    .into_iter()
-                    .map(|mut allow| {
-                        if let Some(allow_obj) = allow.as_object_mut() {
-                            normalize_l7_rule_aliases(allow_obj, &protocol);
-                        }
-                        serde_json::json!({ "allow": allow })
-                    })
-                    .collect::<Vec<_>>();
-                let deny_rules = groups
-                    .remove("deny")
-                    .and_then(|v| v.as_array().cloned())
-                    .unwrap_or_default()
-                    .into_iter()
-                    .map(|mut deny| {
-                        if let Some(deny_obj) = deny.as_object_mut() {
-                            normalize_l7_rule_aliases(deny_obj, &protocol);
-                        }
-                        deny
-                    })
-                    .collect::<Vec<_>>();
-                *rules = serde_json::Value::Array(allow_rules);
-                grouped_denies = deny_rules;
+    if let Some(rules) = ep.get_mut("rules").and_then(|v| v.as_array_mut()) {
+        for rule in rules {
+            if let Some(allow) = rule
+                .get_mut("allow")
+                .and_then(serde_json::Value::as_object_mut)
+            {
+                normalize_l7_rule_aliases(allow, &protocol);
+            } else if let Some(allow) = rule.as_object_mut() {
+                normalize_l7_rule_aliases(allow, &protocol);
             }
-            _ => {}
         }
     }
 
-    if !grouped_denies.is_empty() {
-        append_denies(ep, grouped_denies);
-    }
-
     if let Some(denies) = ep.get_mut("deny_rules").and_then(|v| v.as_array_mut()) {
         for deny in denies {
             if let Some(deny_obj) = deny.as_object_mut() {
@@ -905,21 +867,6 @@ fn normalize_l7_rules_aliases(ep: &mut serde_json::Map<String, serde_json::Value
     }
 }
 
-fn append_denies(
-    ep: &mut serde_json::Map<String, serde_json::Value>,
-    mut deny_rules: Vec<serde_json::Value>,
-) {
-    match ep.get_mut("deny_rules") {
-        Some(serde_json::Value::Array(existing)) => existing.append(&mut deny_rules),
-        Some(_) | None => {
-            ep.insert(
-                "deny_rules".to_string(),
-                serde_json::Value::Array(deny_rules),
-            );
-        }
-    }
-}
-
 fn normalize_l7_rule_aliases(
     rule: &mut serde_json::Map<String, serde_json::Value>,
     protocol: &str,
@@ -3117,7 +3064,7 @@ network_policies:
     }
 
     #[test]
-    fn l7_mcp_grouped_rules_filter_tools_call() {
+    fn l7_mcp_rules_filter_tools_call() {
         let data = r#"
 network_policies:
   mcp_params:
@@ -3131,17 +3078,19 @@ network_policies:
         mcp:
           max_body_bytes: 131072
         rules:
-          deny:
-            - method: tools/call
-              tool: blocked_action
-          allow:
-            - method: initialize
-            - method: tools/list
-            - method: tools/call
+          - allow:
+              method: initialize
+          - allow:
+              method: tools/list
+          - allow:
+              method: tools/call
               tool: read_status
               params:
                 arguments:
                   scope: workspace/main
+        deny_rules:
+          - method: tools/call
+            tool: blocked_action
     binaries:
       - { path: /usr/bin/curl }
 "#;
diff --git a/docs/reference/policy-schema.mdx b/docs/reference/policy-schema.mdx
@@ -159,8 +159,8 @@ Each endpoint defines a reachable destination and optional inspection rules.
 | `tls` | string | No | TLS handling mode. The proxy auto-detects TLS by peeking the first bytes of each connection and terminates it for inspected HTTPS traffic, so this field is optional in most cases. Set to `skip` to disable auto-detection for edge cases such as client-certificate mTLS or non-standard protocols. The values `terminate` and `passthrough` are deprecated and log a warning; they are still accepted for backward compatibility but have no effect on behavior. |
 | `enforcement` | string | No | `enforce` actively blocks disallowed requests. `audit` logs violations but allows traffic through. |
 | `access` | string | No | Access preset. One of `read-only`, `read-write`, or `full`. Mutually exclusive with `rules`. |
-| `rules` | list or grouped object | No | Fine-grained protocol-specific allow rules. For MCP, prefer grouped `rules.allow` and `rules.deny`. Mutually exclusive with `access`. |
-| `deny_rules` | list of deny rule objects | No | L7 deny rules that block specific requests even when allowed by `access` or `rules`. Deny rules take precedence over allow rules. Existing policies can keep this shape; new MCP policies should prefer grouped `rules.deny`. |
+| `rules` | list of allow rule objects | No | Fine-grained protocol-specific allow rules. Mutually exclusive with `access`. |
+| `deny_rules` | list of deny rule objects | No | L7 deny rules that block specific requests even when allowed by `access` or `rules`. Deny rules take precedence over allow rules. |
 | `allowed_ips` | list of string | No | CIDR or IP allowlist for SSRF override. Exact user-declared hostname endpoints may resolve to RFC 1918 private addresses without this field, but wildcard, hostless, and policy-advisor-proposed endpoints still require `allowed_ips` for private resolved IPs. Entries overlapping loopback (`127.0.0.0/8`), link-local (`169.254.0.0/16`), or unspecified (`0.0.0.0`) are rejected at load time. |
 | `allow_encoded_slash` | bool | No | When `true`, L7 request parsing preserves `%2F` inside path segments instead of rejecting it. Use this for registries and APIs such as npm scoped packages (`/@scope%2Fname`). Defaults to `false`. |
 | `websocket_credential_rewrite` | bool | No | When `true` on a `protocol: rest` or `protocol: websocket` endpoint, OpenShell rewrites credential placeholders in client-to-server WebSocket text messages after an allowed HTTP `101` upgrade. Binary frames are relayed but not rewritten. Defaults to `false`. |
@@ -282,7 +282,7 @@ Do not combine `method`, `path`, or `query` with `operation_type`, `operation_na
 
 MCP rules match sandbox-to-server MCP Streamable HTTP request bodies by MCP method and optional tool or params selectors. OpenShell parses the underlying JSON-RPC 2.0 envelope, validates known MCP request and notification params, and preserves unknown extension methods as policy-addressable method strings. JSON-RPC responses and server-to-client MCP messages on response bodies or SSE streams are relayed but are not currently parsed for policy enforcement.
 
-Use grouped `rules.allow` and `rules.deny` for MCP policies. Deny rules take precedence over allow rules. In a batch request, one denied call denies the full batch.
+Use `rules` for MCP allow rules and `deny_rules` for MCP deny rules. Deny rules take precedence over allow rules. In a batch request, one denied call denies the full batch.
 
 | Field | Type | Required | Description |
 |---|---|---|---|
@@ -302,21 +302,24 @@ endpoints:
     mcp:
       max_body_bytes: 131072
     rules:
-      deny:
-        - method: tools/call
-          tool: send_email
-        - method: tools/call
-          tool: execute_code
-      allow:
-        - method: initialize
-        - method: tools/list
-        - method: tools/call
+      - allow:
+          method: initialize
+      - allow:
+          method: tools/list
+      - allow:
+          method: tools/call
           tool: search_web
-        - method: tools/call
+      - allow:
+          method: tools/call
           tool: create_issue
           params:
             arguments:
               repository: NVIDIA/OpenShell
+    deny_rules:
+      - method: tools/call
+        tool: send_email
+      - method: tools/call
+        tool: execute_code
 ```
 
 ##### JSON-RPC Allow Rule (`protocol: json-rpc`)
diff --git a/docs/sandboxes/policies.mdx b/docs/sandboxes/policies.mdx
diff --git a/e2e/mcp-conformance/policy-template.yaml b/e2e/mcp-conformance/policy-template.yaml
