Skip to content

Commit eb82ed8

Browse files
committed
feat(policy): add mcp l7 enforcement
Add MCP-aware JSON-RPC inspection using tower-mcp-types, including strict tool-name enforcement and method/tool policy matching. Wire MCP options through proto, YAML, provider profiles, OPA/Rego policy evaluation, docs, and the MCP conformance harness. Signed-off-by: ddurst <267424412+ddurst-nvidia@users.noreply.github.com>
1 parent 91dac00 commit eb82ed8

22 files changed

Lines changed: 2872 additions & 402 deletions

File tree

Cargo.lock

Lines changed: 13 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ members = ["crates/*"]
88
[workspace.package]
99
version = "0.0.0"
1010
edition = "2024"
11-
rust-version = "1.88"
11+
rust-version = "1.90"
1212
license = "Apache-2.0"
1313
repository = "https://github.com/NVIDIA/OpenShell"
1414

@@ -73,6 +73,7 @@ serde_json = "1"
7373
serde_yml = "0.0.12"
7474
toml = "0.8"
7575
apollo-parser = "0.8.5"
76+
tower-mcp-types = "0.12.0"
7677

7778
# HTTP client
7879
reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls-native-roots"] }

architecture/sandbox.md

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -51,10 +51,13 @@ identifies the calling binary, checks trust-on-first-use binary identity, reject
5151
unsafe internal destinations, and evaluates the active policy.
5252
For inspected HTTP traffic, the proxy can enforce REST method/path rules,
5353
WebSocket upgrade and text-message rules, GraphQL operation rules, and
54-
JSON-RPC method and params rules on sandbox-to-server request bodies. JSON-RPC
55-
request inspection buffers up to the endpoint `json_rpc.max_body_bytes` limit.
56-
Literal dotted keys in JSON-RPC params are rejected before policy evaluation so
57-
they cannot be confused with flattened nested selector paths.
54+
MCP or generic JSON-RPC method and params rules on sandbox-to-server request
55+
bodies. MCP and JSON-RPC inspection buffers up to the endpoint
56+
`mcp.max_body_bytes` or `json_rpc.max_body_bytes` limit. MCP `tools/call`
57+
tool names are checked against the spec-recommended syntax by default before
58+
policy evaluation, with a per-endpoint `mcp.strict_tool_names` compatibility
59+
opt-out. Literal dotted keys in JSON-RPC params are rejected before policy
60+
evaluation so they cannot be confused with flattened nested selector paths.
5861
JSON-RPC responses and server-to-client MCP messages on response or SSE streams
5962
are relayed but are not currently parsed for policy enforcement.
6063

0 commit comments

Comments
 (0)