feat: add capability_class to @guard decorator (RFC-008)#19
Merged
Conversation
- Add capability_class: str | None param to @guard and @guard_sync decorators - Add deny_on_unknown_class: bool | None param for PEP-level unknown class behavior - Wire both params through evaluate_tool_access() to gRPC request - Set capability_class and deny_on_unknown_class on proto request when provided Part of: RFC-008 §5.5 capability class enforcement
|
✅ Integration tests passed! capiscio-core gRPC tests working. |
There was a problem hiding this comment.
Pull request overview
Adds RFC-008 capability class enforcement hooks to the capiscio_mcp guard layer by introducing capability_class and deny_on_unknown_class parameters and wiring them through to the core gRPC EvaluateToolAccess request.
Changes:
- Extend
evaluate_tool_access()withcapability_classanddeny_on_unknown_classparameters and set corresponding gRPC request fields. - Extend
@guard/@guard_syncdecorator APIs (including overloads) to accept and forward these parameters. - Update docstrings/examples to reflect capability class usage.
| if capability_class: | ||
| request.capability_class = capability_class | ||
| if deny_on_unknown_class is not None: | ||
| request.deny_on_unknown_class = deny_on_unknown_class |
Comment on lines
478
to
489
| def guard_sync( | ||
| func: Optional[Callable[P, R]] = None, | ||
| *, | ||
| config: Optional[GuardConfig] = None, | ||
| min_trust_level: Optional[int] = None, | ||
| tool_name: Optional[str] = None, | ||
| require_badge: bool = False, | ||
| capability_class: Optional[str] = None, | ||
| deny_on_unknown_class: Optional[bool] = None, | ||
| ) -> Union[Callable[P, R], Callable[[Callable[P, R]], Callable[P, R]]]: | ||
| """ | ||
| Sync decorator to guard MCP tool execution. |
Comment on lines
442
to
449
| # Evaluate access | ||
| result = await evaluate_tool_access( | ||
| tool_name=effective_tool_name, | ||
| params=params, | ||
| config=effective_config, | ||
| capability_class=capability_class, | ||
| deny_on_unknown_class=deny_on_unknown_class, | ||
| ) |
Regenerated from capiscio-core's updated mcp.proto which includes the optional bool deny_on_unknown_class field (field 15) and the updated comment clarifying proto3 bool default semantics.
|
✅ Integration tests passed! capiscio-core gRPC tests working. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
capability_classanddeny_on_unknown_classparameters to the@guardand@guard_syncdecorators for RFC-008 capability class enforcement.Changes
capability_class: str | Noneanddeny_on_unknown_class: bool | Noneparams to:evaluate_tool_access()low-level API@guardasync decorator (both overloads)@guard_syncsync decoratorEvaluateToolAccessRequestUsage
Linked PRs
feat/rfc008-capability-class-allow-path