Tool Security
The tool-security policy scans the incoming tool request and blocks it when a local pattern, a blocked entity, or an external firewall verdict says the call is unsafe.
Phase and verdicts
- Phase: input
- Verdicts:
alloworblock
Configuration
pack:
name: tool-security-example-1
version: "1.0.0"
enabled: true
policies:
chain:
- tool-security
policy:
tool-security:
analysis_mode: local
blocked_patterns:
- delete_message
blocked_entity_types:
- pan
- ssn
- jwt
Supported fields
| Field | Type | Default | Notes |
|---|---|---|---|
analysis_mode | string | local | local or external. |
firewall_endpoint | string | — | Used only when analysis_mode: external and an endpoint is provided. |
secret_key_ref | object | — | Use secret_key_ref.env for the bearer token environment variable. |
fail_closed | boolean | true | Applies to external-firewall client, network, and response errors. |
blocked_entity_types | string[] | [] | Empty means the built-in blocked-entity defaults are used. |
blocked_patterns | string[] | [] | Case-insensitive substring matches against the serialized request JSON. |
Local checks
Local mode scans the serialized request for these fixed substrings:
../..\drop tablerm -rf169.254.169.254file://curl http://localhost
It also blocks detected entities. With an empty blocked_entity_types list, the defaults are:
account_numberaws_access_keycvvhealth_plan_beneficiaryjwtmrnpanprivate_keyssn
External mode
When analysis_mode: external and firewall_endpoint is set, the gateway POSTs:
- the full request payload
- detected entities
It then interprets any of these as a blocking verdict:
verdictactionflagged
Values such as deny, block, blocked, reject, rejected, flagged, and review are treated as blocking.
Important behavior notes
- If
analysis_mode: externalis set without afirewall_endpoint, the policy falls back to local checks. - Local scanning is substring-based over the serialized request JSON. It is not a structured argument validator.
- Decision details include
flaggedandreason; matched entities are recorded in event details when available.
Minimal valid example
policy:
tool-security:
analysis_mode: local