forked from PaloAltoNetworks/shifter
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path.shifter.yaml
More file actions
133 lines (124 loc) · 4.54 KB
/
Copy path.shifter.yaml
File metadata and controls
133 lines (124 loc) · 4.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
# Shifter runtime configuration.
#
# Today this file scopes the `mcp_ops:` namespace — per-tool policy
# for the shifter-ops MCP server (issue #777). Follow-up #1197
# evolves it into the project's single repo-root runtime
# configuration surface.
#
# DO NOT hand-edit `CHANGELOG.md` references here. CHANGELOG is
# towncrier-collated from `changelog.d/*.md` fragments.
mcp_ops:
version: 1
# Capability classes. Every registered tool MUST be tagged with
# exactly one of these. Adding a new class requires a matching entry
# under `class_defaults:` and at least one profile that includes it.
classes:
- observability # logs, describe-*, list-* — no secrets, no writes
- named_db_read # named, parameterized read-only DB diagnostics
- named_db_write # named, parameterized DB mutations
- secret_handle # returns secret references, not raw values
- ssm_named # allowlisted Django manage.py via SSM
- ssm_arbitrary # free-form SSM send-command / get-command-invocation
- db_arbitrary # query / execute / list_tables / describe_table
- infra_mutation # start/stop/terminate EC2, restart_ecs, reconcile_ranges
- dev_bypass_tunnel # dev-only auth-bypass tunnel for agents (no MFA)
# Session profile gates which classes get registered as tools at
# server startup. `SHIFTER_OPS_PROFILE=read_only|standard|destructive`
# overrides the default at startup. Changing profile requires
# restart — intentional (runtime profile flips would be a
# confused-deputy surface).
session_profile:
default: standard
profiles:
read_only:
- observability
- named_db_read
standard:
- observability
- named_db_read
- named_db_write
- secret_handle
- ssm_named
destructive:
- observability
- named_db_read
- named_db_write
- secret_handle
- ssm_named
- ssm_arbitrary
- db_arbitrary
- infra_mutation
- dev_bypass_tunnel
# Environment policy. The env arg is selection-only; the policy
# layer enforces authorization on top.
environments:
default: dev
prod_requires_confirm: true # confirm_env="prod" required for prod-touching tools
# Per-class defaults. Applied to every tool of that class unless an
# entry in `tools:` overrides specific keys.
class_defaults:
observability: {}
named_db_read: {}
named_db_write:
idempotency_key: required
secret_handle:
return_mode: handle # never return raw value to client
ssm_named: {}
ssm_arbitrary:
execute_default: false # dry-run unless execute=true
two_phase: true # plan_<name> -> execute_<name>
db_arbitrary:
execute_default: false
two_phase: true
infra_mutation:
execute_default: false
two_phase: true
rate_cap:
count: 3
window_seconds: 60
dev_bypass_tunnel:
allowed_envs: [dev]
description_redaction: true # strip bypass-procedure language from MCP description
# Per-tool overrides (only when a specific tool needs to deviate
# from its class defaults). Most tools should leave this empty and
# rely on class defaults.
tools: {}
# Append-only JSONL audit log. `~/` expands at server startup.
audit:
enabled: true
path: ~/.shifter-ops-audit.jsonl
redact:
- password
- db_password
- secret_value
# Phase 4 (#1200): allowlist of source labels that producer tools
# may embed in [UNTRUSTED:<source>:BEGIN/END] fences. Adding a new
# producer descriptor requires its label to appear here first; this
# stops an accidental relabel from silently changing what the LLM
# treats as an untrusted boundary.
untrusted_sources:
- logs
- s3
- ssm_stdout
# Phase 4 (#1200): apex out-of-band approval rules. Each entry sets
# exactly one of `tool` or `class`, plus `env` + `operation_kind`.
# `requires_write: true` further restricts class-keyed rules to
# descriptors that declare `is_write: true` (so `db_arbitrary`
# apex'es on `execute` but not on read-only `query`/`list_tables`).
apex_operations:
- tool: terminate_ec2_instance
env: prod
operation_kind: execute
- tool: restart_ecs_service
env: prod
operation_kind: execute
- tool: promote_ami
env: prod
operation_kind: execute
- tool: promote_gce_image
env: prod
operation_kind: execute
- class: db_arbitrary
env: prod
operation_kind: execute
requires_write: true