Enforce actor-level MCP policy wiring and Claude tool gates
@@ -35,8 +35,14 @@ This middleware provides a first-pass hardening layer for agent-executed shell c
`McpRegistry.resolveServerWithHandler(...)` now accepts optional tool clearance and applies it to resolved Codex MCP tool lists (`enabled_tools`, `disabled_tools`).
`ActorExecutionInput` now carries an `mcp` execution context with:
- `registry`: resolved runtime `McpRegistry`
- `resolveConfig(...)`: centralized MCP config resolution with persona tool-clearance applied
- `createClaudeCanUseTool()`: helper for Claude SDK `canUseTool` callback so each tool invocation is allowlist/banlist-enforced before execution
## Known limits and TODOs
- AST validation is token-based and does not yet model full shell evaluation semantics (e.g. runtime-generated paths from env expansion).
- Audit output is line-oriented file logging; move to a centralized telemetry pipeline for long-term profiling.
- Audit output remains line-oriented file logging; runtime events now mirror security decisions for side-channel analytics and alerting.
- Deno sandbox mode is not enforced yet. A future executor mode can wrap shell runs via `deno run` with strict `--allow-read/--allow-run` flags.
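Review bot: the documentation for `resolveServerWithHandler(...)` ("optional tool clearance") and `createClaudeCanUseTool()` never states the default when no clearance is supplied, or when a tool appears on neither the allowlist nor the banlist; for an enforcement gate the fail-closed behaviour should be spelled out in this section, e.g. "tools not present in the allowlist are denied" and "a missing clearance resolves to an empty `enabled_tools` list", or, if the code is fail-open, that should be called out under Known limits. Separately, the Known limits list now carries two overlapping "Audit output" bullets (the "move to a centralized telemetry pipeline" one and the "runtime events now mirror security decisions" one); if the second was meant to replace the first, the old bullet should be removed rather than left alongside it.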