Class PolicyFirewall

Policy firewall that evaluates rules to authorize or deny operations.

Rules are evaluated in order. The first rule that denies the operation stops evaluation and returns the denial. If all rules pass, the operation is allowed.

Example

const firewall = new PolicyFirewall({ mode: 'enforce' });

// Add rules
firewall.addRule(denyMutationsWithoutModeRule);
firewall.addRule(safePathsRule);

// Evaluate
const decision = firewall.evaluate({
  toolName: 'write_file',
  args: { path: '/etc/passwd' },
  mode: 'read-only',
});

if (!decision.allowed) {
  console.error(`Denied: ${decision.reason}`);
}

Implements

IPolicyFirewall

Index

Constructors

constructor

Methods

evaluate addRule removeRule getRules setMode getMode

Constructors

constructor

new PolicyFirewall(config?: PolicyFirewallConfig): PolicyFirewall
Parameters
- Optionalconfig: PolicyFirewallConfig
Returns PolicyFirewall
- Defined in packages/nexus-agents/src/mcp/middleware/policy.ts:64

Methods

evaluate

evaluate(ctx: FirewallPolicyContext): FirewallPolicyDecision
Evaluates all policy rules against the given context.

Rules are evaluated in order. The first rule that denies stops evaluation and returns the denial decision.
Parameters
- ctx: FirewallPolicyContext
  The policy context to evaluate
Returns FirewallPolicyDecision
The policy decision
Implementation of IPolicyFirewall.evaluate
- Defined in packages/nexus-agents/src/mcp/middleware/policy.ts:90

addRule

addRule(rule: FirewallPolicyRule): void
Adds a policy rule to the firewall.
Parameters
- rule: FirewallPolicyRule
  The rule to add
Returns void
Implementation of IPolicyFirewall.addRule
- Defined in packages/nexus-agents/src/mcp/middleware/policy.ts:161

removeRule

removeRule(name: string): boolean
Removes a policy rule by name.
Parameters
- name: string
  The name of the rule to remove
Returns boolean
True if the rule was found and removed
Implementation of IPolicyFirewall.removeRule
- Defined in packages/nexus-agents/src/mcp/middleware/policy.ts:179

getRules

getRules(): readonly FirewallPolicyRule[]
Gets all registered policy rules.

Returns readonly FirewallPolicyRule[]
A readonly array of policy rules
Implementation of IPolicyFirewall.getRules
- Defined in packages/nexus-agents/src/mcp/middleware/policy.ts:194

setMode

setMode(mode: PolicyMode): void
Sets the policy enforcement mode.
Parameters
- mode: PolicyMode
  The new enforcement mode
Returns void
Implementation of IPolicyFirewall.setMode
- Defined in packages/nexus-agents/src/mcp/middleware/policy.ts:203

getMode

getMode(): PolicyMode
Gets the current policy enforcement mode.

Returns PolicyMode
The current mode
Implementation of IPolicyFirewall.getMode
- Defined in packages/nexus-agents/src/mcp/middleware/policy.ts:214

Class PolicyFirewall

Example

Implements

Index

Constructors

Methods

Constructors

constructor

Parameters

Returns PolicyFirewall

Methods

evaluate

Parameters

Returns FirewallPolicyDecision

addRule

Parameters

Returns void

removeRule

Parameters

Returns boolean

getRules

Returns readonly FirewallPolicyRule[]

setMode

Parameters

Returns void

getMode

Returns PolicyMode

Settings

On This Page