Skip to main content

Tool Security

The tool-security policy scans the incoming tool request and blocks it when a local pattern, a blocked entity, or an external firewall verdict says the call is unsafe.

Phase and verdicts

  • Phase: input
  • Verdicts: allow or block

Configuration

pack:
name: tool-security-example-1
version: "1.0.0"
enabled: true

policies:
chain:
- tool-security

policy:
tool-security:
analysis_mode: local
blocked_patterns:
- delete_message
blocked_entity_types:
- pan
- ssn
- jwt

Supported fields

FieldTypeDefaultNotes
analysis_modestringlocallocal or external.
firewall_endpointstringUsed only when analysis_mode: external and an endpoint is provided.
secret_key_refobjectUse secret_key_ref.env for the bearer token environment variable.
fail_closedbooleantrueApplies to external-firewall client, network, and response errors.
blocked_entity_typesstring[][]Empty means the built-in blocked-entity defaults are used.
blocked_patternsstring[][]Case-insensitive substring matches against the serialized request JSON.

Local checks

Local mode scans the serialized request for these fixed substrings:

  • ../
  • ..\
  • drop table
  • rm -rf
  • 169.254.169.254
  • file://
  • curl http://localhost

It also blocks detected entities. With an empty blocked_entity_types list, the defaults are:

  • account_number
  • aws_access_key
  • cvv
  • health_plan_beneficiary
  • jwt
  • mrn
  • pan
  • private_key
  • ssn

External mode

When analysis_mode: external and firewall_endpoint is set, the gateway POSTs:

  • the full request payload
  • detected entities

It then interprets any of these as a blocking verdict:

  • verdict
  • action
  • flagged

Values such as deny, block, blocked, reject, rejected, flagged, and review are treated as blocking.

Important behavior notes

  • If analysis_mode: external is set without a firewall_endpoint, the policy falls back to local checks.
  • Local scanning is substring-based over the serialized request JSON. It is not a structured argument validator.
  • Decision details include flagged and reason; matched entities are recorded in event details when available.

Minimal valid example

policy:
tool-security:
analysis_mode: local

Next steps