{ "auth_scheme": "Bearer credentialRef; raw token forbidden in artifacts", "blockers": [], "checks": [ { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "todos os probes usaram POST", "rule_id": "http.method.post", "status": "passed" }, { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "todos os probes usaram application/json", "rule_id": "header.content-type.json", "status": "passed" }, { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "User-Agent operacional aplicado", "rule_id": "header.user-agent.codex", "status": "passed" }, { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "bearer usado como credencial de probe e redigido nos artefatos", "rule_id": "auth.bearer.present-redacted", "status": "passed" }, { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "WAF nao bloqueou os probes atuais; HTTP/runtime classificados separadamente", "rule_id": "waf.classification.explicit", "status": "passed" }, { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "traceId e auditId presentes em todos os probes", "rule_id": "evidence.trace-audit-required", "status": "passed" }, { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "hashes de request/response presentes", "rule_id": "evidence.hashes-required", "status": "passed" }, { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "nenhum formato de segredo bruto detectado nas evidencias", "rule_id": "redaction.no-secret-shapes", "status": "passed" }, { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "regra institucional materializada no artefato de politica", "rule_id": "rate-limit.default", "status": "passed" }, { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "regra institucional materializada no artefato de politica", "rule_id": "retention.logs", "status": "passed" }, { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "regra institucional materializada no artefato de politica", "rule_id": "transit.required-fields", "status": "passed" }, { "evidence_refs": [ "evidence-a75a27e0669c49da1db8b615", "evidence-af37a8d489b0038a7a6b5575", "evidence-3f0e3b9f829c7ff912b335d0", "evidence-6be52832c728db2bbbbce461" ], "next_action": "manter regra como gate de release", "reason": "regra institucional materializada no artefato de politica", "rule_id": "governance.plugin-not-operational-path", "status": "passed" } ], "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", "generated_at": "2026-05-02T08:24:25+00:00", "liveReady": true, "log_retention_days": 30, "policy_version": "mcp-gateway-access-policy.v1", "probes": [ { "audit_id": "audit-a75a27e0669c49da1db8b615", "authorization_present": true, "authorization_redacted": true, "content_type": "application/json", "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", "evidence_id": "evidence-a75a27e0669c49da1db8b615", "http_status": 200, "method": "POST", "observed_at": "2026-05-02T08:24:10+00:00", "ok": true, "request_hash": "3e1c8f057ac439f4b9b3eb7f8f5be9ac36323f08adc23db6fc7d51633076b79a", "response_excerpt": { "__truncated__": true, "actorId": "codex.service-order-round", "auditId": "audit:mcps-gateway:codex.service-order-round:mais_humana.rulebook.compact", "blockers": "[]", "consumption": "None", "nextActions": "[]", "ok": "True", "organizationId": "None", "productId": "None", "providerId": "mais_humana", "readiness": "None", "sampleData": "False", "simulated": "False", "status": "ok", "traceId": "trace:mcps-gateway:codex.service-order-round:mais_humana.rulebook.compact", "userId": "None", "workspaceId": "None" }, "response_hash": "a75a27e0669c49da1db8b6157757c0615eed06c32674c7ed87a6db5d071359de", "tool_id": "mais_humana.rulebook.compact", "trace_id": "trace-3e1c8f057ac439f4b9b3eb7f", "user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0" }, { "audit_id": "audit-af37a8d489b0038a7a6b5575", "authorization_present": true, "authorization_redacted": true, "content_type": "application/json", "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", "evidence_id": "evidence-af37a8d489b0038a7a6b5575", "http_status": 200, "method": "POST", "observed_at": "2026-05-02T08:24:10+00:00", "ok": true, "request_hash": "17e7d8039c8c34e3f570b6de8b386edc1cfd0c079084b0c7013016d2c76b388c", "response_excerpt": { "__truncated__": true, "actorId": "codex.service-order-round", "auditId": "audit:mcps-gateway:codex.service-order-round:mais_humana.admin_ui.same_source", "blockers": "[]", "consumption": "None", "nextActions": "[]", "ok": "True", "organizationId": "None", "productId": "None", "providerId": "mais_humana", "readiness": "None", "sampleData": "False", "simulated": "False", "status": "ok", "traceId": "trace:mcps-gateway:codex.service-order-round:mais_humana.admin_ui.same_source", "userId": "None", "workspaceId": "None" }, "response_hash": "af37a8d489b0038a7a6b5575970ec69855dd0f0e0ab09cf38b0e7658d3678195", "tool_id": "mais_humana.admin_ui.same_source", "trace_id": "trace-17e7d8039c8c34e3f570b6de", "user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0" }, { "audit_id": "audit-3f0e3b9f829c7ff912b335d0", "authorization_present": true, "authorization_redacted": true, "content_type": "application/json", "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", "evidence_id": "evidence-3f0e3b9f829c7ff912b335d0", "http_status": 200, "method": "POST", "observed_at": "2026-05-02T08:24:10+00:00", "ok": true, "request_hash": "dae7d91a59e37901d50c027d3a0792f697902bd4289801edb2a508f3baf177fe", "response_excerpt": { "__truncated__": true, "actorId": "codex.service-order-round", "auditId": "audit:mcps-gateway:codex.service-order-round:mais_humana.mcp_transit.ledger", "blockers": "[]", "consumption": "None", "nextActions": "[]", "ok": "True", "organizationId": "None", "productId": "None", "providerId": "mais_humana", "readiness": "None", "sampleData": "False", "simulated": "False", "status": "ok", "traceId": "trace:mcps-gateway:codex.service-order-round:mais_humana.mcp_transit.ledger", "userId": "None", "workspaceId": "None" }, "response_hash": "3f0e3b9f829c7ff912b335d01afb5e78acdaa331bd984713dfca757072be6bbf", "tool_id": "mais_humana.mcp_transit.ledger", "trace_id": "trace-dae7d91a59e37901d50c027d", "user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0" }, { "audit_id": "audit-6be52832c728db2bbbbce461", "authorization_present": true, "authorization_redacted": true, "content_type": "application/json", "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", "evidence_id": "evidence-6be52832c728db2bbbbce461", "http_status": 200, "method": "POST", "observed_at": "2026-05-02T08:24:10+00:00", "ok": true, "request_hash": "364a5b5997194d485948655720ff713f61ec091dc08ab899e302ad965ace04ba", "response_excerpt": { "__truncated__": true, "actorId": "codex.service-order-round", "auditId": "audit:mcps-gateway:codex.service-order-round:mais_humana.admin_routes.acceptance", "blockers": "[]", "consumption": "None", "nextActions": "[]", "ok": "True", "organizationId": "None", "productId": "None", "providerId": "mais_humana", "readiness": "None", "sampleData": "False", "simulated": "False", "status": "blocked", "traceId": "trace:mcps-gateway:codex.service-order-round:mais_humana.admin_routes.acceptance", "userId": "None", "workspaceId": "None" }, "response_hash": "6be52832c728db2bbbbce461ff39cbf52b8e26111b0710f303061dc38a0ecb3d", "tool_id": "mais_humana.admin_routes.acceptance", "trace_id": "trace-364a5b5997194d4859486557", "user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0" } ], "rate_limit_per_minute": 30, "report_id": "mcp-gateway-access-policy-adf1c665f552483b", "required_content_type": "application/json", "required_method": "POST", "required_user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0", "rules": [ { "evidence_fields": [ "method", "endpoint" ], "failure_status": "blocked", "kind": "http", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "Toda chamada GPT/MCP deve usar POST em /v1/execute.", "rule_id": "http.method.post", "title": "Metodo HTTP fixo", "validation": "Comparar metodo observado com POST." }, { "evidence_fields": [ "content_type" ], "failure_status": "blocked", "kind": "header", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "Toda chamada deve enviar Content-Type application/json.", "rule_id": "header.content-type.json", "title": "Content-Type JSON", "validation": "Comparar content_type observado." }, { "evidence_fields": [ "user_agent" ], "failure_status": "partial", "kind": "header", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "Probes Codex devem usar User-Agent Codex-Mais-Humana-MCP-Publication-Gate/1.0.", "rule_id": "header.user-agent.codex", "title": "User-Agent operacional", "validation": "Comparar User-Agent observado para separar WAF de runtime." }, { "evidence_fields": [ "authorization_present", "authorization_redacted" ], "failure_status": "blocked", "kind": "auth", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "Authorization Bearer pode ser usado no probe, mas relatorios devem guardar apenas existencia, hash e credentialRef.", "rule_id": "auth.bearer.present-redacted", "title": "Bearer presente e nunca persistido bruto", "validation": "Confirmar authorization_present e authorization_redacted." }, { "evidence_fields": [ "http_status", "response_excerpt" ], "failure_status": "partial", "kind": "waf", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "HTTP 403/1010 e bloqueios WAF devem ser separados de tool_not_found, erro de runtime e erro de contrato.", "rule_id": "waf.classification.explicit", "title": "Classificacao WAF explicita", "validation": "Usar http_status e response_excerpt redigido para classificar falha." }, { "evidence_fields": [ "trace_id", "audit_id", "evidence_id" ], "failure_status": "blocked", "kind": "evidence", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "Toda resposta aceita deve possuir traceId e auditId reais ou derivados de hash de evidencia.", "rule_id": "evidence.trace-audit-required", "title": "Trace e audit obrigatorios", "validation": "Confirmar trace_id e audit_id por probe." }, { "evidence_fields": [ "request_hash", "response_hash" ], "failure_status": "blocked", "kind": "evidence", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "Toda evidencia deve guardar request_hash e response_hash sem payload sensivel bruto.", "rule_id": "evidence.hashes-required", "title": "Hashes de payload e resposta", "validation": "Confirmar hashes preenchidos por probe." }, { "evidence_fields": [ "response_excerpt" ], "failure_status": "blocked", "kind": "redaction", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "Evidencias nao podem conter cfat_, Authorization Bearer cru, tokens longos ou bearer numerico bruto.", "rule_id": "redaction.no-secret-shapes", "title": "Sem segredo bruto em evidencia", "validation": "Varrer response_excerpt e campos textuais por formatos proibidos." }, { "evidence_fields": [ "rate_limit_per_minute" ], "failure_status": "partial", "kind": "rate_limit", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "Probes automatizados devem respeitar limite padrao de 30 chamadas/minuto por ator.", "rule_id": "rate-limit.default", "title": "Limite operacional padrao", "validation": "Registrar limite no contrato e bloquear suites que excedam o teto." }, { "evidence_fields": [ "log_retention_days" ], "failure_status": "partial", "kind": "retention", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "Logs de evidencia operacional devem reter metadados redigidos por 30 dias.", "rule_id": "retention.logs", "title": "Retencao de logs", "validation": "Registrar politica no artefato de acesso." }, { "evidence_fields": [ "origin", "destination", "tool", "payload", "actor", "permission", "result", "traceId", "auditId", "timestamp" ], "failure_status": "blocked", "kind": "transit", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "Fluxos interplataforma devem preservar origin, destination, tool, payload, actor, permission, result, traceId, auditId e timestamp.", "rule_id": "transit.required-fields", "title": "Ledger MCP obrigatorio", "validation": "Validar campos exigidos no contrato de transito MCP." }, { "evidence_fields": [ "policy_version" ], "failure_status": "partial", "kind": "governance", "owner": "tudo-para-ia-mcps-internos-plataform", "required": true, "requirement": "Falha ou aceite do plugin Cloudflare fica fora do diagnostico de Workers; trabalho real usa wrangler ou validacao HTTP live.", "rule_id": "governance.plugin-not-operational-path", "title": "Plugin Cloudflare nao substitui caminho operacional", "validation": "Confirmar que o artefato nao transforma plugin em blocker operacional." } ], "secretSafe": true, "status": "passed", "summary": [ "Probes live avaliados: 4.", "Probes live OK: 4/4.", "Regras aprovadas: 12/12.", "Bearer bruto persistido: False.", "Falha do plugin Cloudflare nao e blocker operacional: True." ] }