admin/tudo-para-ia-mais-humana-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6e230bb97983580d9a32093ab2ef21a377bfde2f
tudo-para-ia-mais-humana-pl…/dados/mcp-gateway-access-policy.json

440 lines
16 KiB
JSON
Raw Blame History

{
"auth_scheme": "Bearer credentialRef; raw token forbidden in artifacts",
"blockers": [],
"checks": [
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "todos os probes usaram POST",
"rule_id": "http.method.post",
"status": "passed"
},
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "todos os probes usaram application/json",
"rule_id": "header.content-type.json",
"status": "passed"
},
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "User-Agent operacional aplicado",
"rule_id": "header.user-agent.codex",
"status": "passed"
},
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "bearer usado como credencial de probe e redigido nos artefatos",
"rule_id": "auth.bearer.present-redacted",
"status": "passed"
},
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "WAF nao bloqueou os probes atuais; HTTP/runtime classificados separadamente",
"rule_id": "waf.classification.explicit",
"status": "passed"
},
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "traceId e auditId presentes em todos os probes",
"rule_id": "evidence.trace-audit-required",
"status": "passed"
},
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "hashes de request/response presentes",
"rule_id": "evidence.hashes-required",
"status": "passed"
},
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "nenhum formato de segredo bruto detectado nas evidencias",
"rule_id": "redaction.no-secret-shapes",
"status": "passed"
},
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "regra institucional materializada no artefato de politica",
"rule_id": "rate-limit.default",
"status": "passed"
},
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "regra institucional materializada no artefato de politica",
"rule_id": "retention.logs",
"status": "passed"
},
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "regra institucional materializada no artefato de politica",
"rule_id": "transit.required-fields",
"status": "passed"
},
{
"evidence_refs": [
"evidence-a75a27e0669c49da1db8b615",
"evidence-af37a8d489b0038a7a6b5575",
"evidence-3f0e3b9f829c7ff912b335d0"
],
"next_action": "manter regra como gate de release",
"reason": "regra institucional materializada no artefato de politica",
"rule_id": "governance.plugin-not-operational-path",
"status": "passed"
}
],
"endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute",
"generated_at": "2026-05-02T02:38:41+00:00",
"liveReady": true,
"log_retention_days": 30,
"policy_version": "mcp-gateway-access-policy.v1",
"probes": [
{
"audit_id": "audit-a75a27e0669c49da1db8b615",
"authorization_present": true,
"authorization_redacted": true,
"content_type": "application/json",
"endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute",
"evidence_id": "evidence-a75a27e0669c49da1db8b615",
"http_status": 200,
"method": "POST",
"observed_at": "2026-05-02T02:38:40+00:00",
"ok": true,
"request_hash": "3e1c8f057ac439f4b9b3eb7f8f5be9ac36323f08adc23db6fc7d51633076b79a",
"response_excerpt": {
"__truncated__": true,
"actorId": "codex.service-order-round",
"auditId": "audit:mcps-gateway:codex.service-order-round:mais_humana.rulebook.compact",
"blockers": "[]",
"consumption": "None",
"nextActions": "[]",
"ok": "True",
"organizationId": "None",
"productId": "None",
"providerId": "mais_humana",
"readiness": "None",
"sampleData": "False",
"simulated": "False",
"status": "ok",
"traceId": "trace:mcps-gateway:codex.service-order-round:mais_humana.rulebook.compact",
"userId": "None",
"workspaceId": "None"
},
"response_hash": "a75a27e0669c49da1db8b6157757c0615eed06c32674c7ed87a6db5d071359de",
"tool_id": "mais_humana.rulebook.compact",
"trace_id": "trace-3e1c8f057ac439f4b9b3eb7f",
"user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0"
},
{
"audit_id": "audit-af37a8d489b0038a7a6b5575",
"authorization_present": true,
"authorization_redacted": true,
"content_type": "application/json",
"endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute",
"evidence_id": "evidence-af37a8d489b0038a7a6b5575",
"http_status": 200,
"method": "POST",
"observed_at": "2026-05-02T02:38:41+00:00",
"ok": true,
"request_hash": "17e7d8039c8c34e3f570b6de8b386edc1cfd0c079084b0c7013016d2c76b388c",
"response_excerpt": {
"__truncated__": true,
"actorId": "codex.service-order-round",
"auditId": "audit:mcps-gateway:codex.service-order-round:mais_humana.admin_ui.same_source",
"blockers": "[]",
"consumption": "None",
"nextActions": "[]",
"ok": "True",
"organizationId": "None",
"productId": "None",
"providerId": "mais_humana",
"readiness": "None",
"sampleData": "False",
"simulated": "False",
"status": "ok",
"traceId": "trace:mcps-gateway:codex.service-order-round:mais_humana.admin_ui.same_source",
"userId": "None",
"workspaceId": "None"
},
"response_hash": "af37a8d489b0038a7a6b5575970ec69855dd0f0e0ab09cf38b0e7658d3678195",
"tool_id": "mais_humana.admin_ui.same_source",
"trace_id": "trace-17e7d8039c8c34e3f570b6de",
"user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0"
},
{
"audit_id": "audit-3f0e3b9f829c7ff912b335d0",
"authorization_present": true,
"authorization_redacted": true,
"content_type": "application/json",
"endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute",
"evidence_id": "evidence-3f0e3b9f829c7ff912b335d0",
"http_status": 200,
"method": "POST",
"observed_at": "2026-05-02T02:38:41+00:00",
"ok": true,
"request_hash": "dae7d91a59e37901d50c027d3a0792f697902bd4289801edb2a508f3baf177fe",
"response_excerpt": {
"__truncated__": true,
"actorId": "codex.service-order-round",
"auditId": "audit:mcps-gateway:codex.service-order-round:mais_humana.mcp_transit.ledger",
"blockers": "[]",
"consumption": "None",
"nextActions": "[]",
"ok": "True",
"organizationId": "None",
"productId": "None",
"providerId": "mais_humana",
"readiness": "None",
"sampleData": "False",
"simulated": "False",
"status": "ok",
"traceId": "trace:mcps-gateway:codex.service-order-round:mais_humana.mcp_transit.ledger",
"userId": "None",
"workspaceId": "None"
},
"response_hash": "3f0e3b9f829c7ff912b335d01afb5e78acdaa331bd984713dfca757072be6bbf",
"tool_id": "mais_humana.mcp_transit.ledger",
"trace_id": "trace-dae7d91a59e37901d50c027d",
"user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0"
}
],
"rate_limit_per_minute": 30,
"report_id": "mcp-gateway-access-policy-15ac101b6174411e",
"required_content_type": "application/json",
"required_method": "POST",
"required_user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0",
"rules": [
{
"evidence_fields": [
"method",
"endpoint"
],
"failure_status": "blocked",
"kind": "http",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "Toda chamada GPT/MCP deve usar POST em /v1/execute.",
"rule_id": "http.method.post",
"title": "Metodo HTTP fixo",
"validation": "Comparar metodo observado com POST."
},
{
"evidence_fields": [
"content_type"
],
"failure_status": "blocked",
"kind": "header",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "Toda chamada deve enviar Content-Type application/json.",
"rule_id": "header.content-type.json",
"title": "Content-Type JSON",
"validation": "Comparar content_type observado."
},
{
"evidence_fields": [
"user_agent"
],
"failure_status": "partial",
"kind": "header",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "Probes Codex devem usar User-Agent Codex-Mais-Humana-MCP-Publication-Gate/1.0.",
"rule_id": "header.user-agent.codex",
"title": "User-Agent operacional",
"validation": "Comparar User-Agent observado para separar WAF de runtime."
},
{
"evidence_fields": [
"authorization_present",
"authorization_redacted"
],
"failure_status": "blocked",
"kind": "auth",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "Authorization Bearer pode ser usado no probe, mas relatorios devem guardar apenas existencia, hash e credentialRef.",
"rule_id": "auth.bearer.present-redacted",
"title": "Bearer presente e nunca persistido bruto",
"validation": "Confirmar authorization_present e authorization_redacted."
},
{
"evidence_fields": [
"http_status",
"response_excerpt"
],
"failure_status": "partial",
"kind": "waf",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "HTTP 403/1010 e bloqueios WAF devem ser separados de tool_not_found, erro de runtime e erro de contrato.",
"rule_id": "waf.classification.explicit",
"title": "Classificacao WAF explicita",
"validation": "Usar http_status e response_excerpt redigido para classificar falha."
},
{
"evidence_fields": [
"trace_id",
"audit_id",
"evidence_id"
],
"failure_status": "blocked",
"kind": "evidence",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "Toda resposta aceita deve possuir traceId e auditId reais ou derivados de hash de evidencia.",
"rule_id": "evidence.trace-audit-required",
"title": "Trace e audit obrigatorios",
"validation": "Confirmar trace_id e audit_id por probe."
},
{
"evidence_fields": [
"request_hash",
"response_hash"
],
"failure_status": "blocked",
"kind": "evidence",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "Toda evidencia deve guardar request_hash e response_hash sem payload sensivel bruto.",
"rule_id": "evidence.hashes-required",
"title": "Hashes de payload e resposta",
"validation": "Confirmar hashes preenchidos por probe."
},
{
"evidence_fields": [
"response_excerpt"
],
"failure_status": "blocked",
"kind": "redaction",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "Evidencias nao podem conter cfat_, Authorization Bearer cru, tokens longos ou bearer numerico bruto.",
"rule_id": "redaction.no-secret-shapes",
"title": "Sem segredo bruto em evidencia",
"validation": "Varrer response_excerpt e campos textuais por formatos proibidos."
},
{
"evidence_fields": [
"rate_limit_per_minute"
],
"failure_status": "partial",
"kind": "rate_limit",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "Probes automatizados devem respeitar limite padrao de 30 chamadas/minuto por ator.",
"rule_id": "rate-limit.default",
"title": "Limite operacional padrao",
"validation": "Registrar limite no contrato e bloquear suites que excedam o teto."
},
{
"evidence_fields": [
"log_retention_days"
],
"failure_status": "partial",
"kind": "retention",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "Logs de evidencia operacional devem reter metadados redigidos por 30 dias.",
"rule_id": "retention.logs",
"title": "Retencao de logs",
"validation": "Registrar politica no artefato de acesso."
},
{
"evidence_fields": [
"origin",
"destination",
"tool",
"payload",
"actor",
"permission",
"result",
"traceId",
"auditId",
"timestamp"
],
"failure_status": "blocked",
"kind": "transit",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "Fluxos interplataforma devem preservar origin, destination, tool, payload, actor, permission, result, traceId, auditId e timestamp.",
"rule_id": "transit.required-fields",
"title": "Ledger MCP obrigatorio",
"validation": "Validar campos exigidos no contrato de transito MCP."
},
{
"evidence_fields": [
"policy_version"
],
"failure_status": "partial",
"kind": "governance",
"owner": "tudo-para-ia-mcps-internos-plataform",
"required": true,
"requirement": "Falha ou aceite do plugin Cloudflare fica fora do diagnostico de Workers; trabalho real usa wrangler ou validacao HTTP live.",
"rule_id": "governance.plugin-not-operational-path",
"title": "Plugin Cloudflare nao substitui caminho operacional",
"validation": "Confirmar que o artefato nao transforma plugin em blocker operacional."
}
],
"secretSafe": true,
"status": "passed",
"summary": [
"Probes live avaliados: 3.",
"Probes live OK: 3/3.",
"Regras aprovadas: 12/12.",
"Bearer bruto persistido: False.",
"Falha do plugin Cloudflare nao e blocker operacional: True."
]
}
Reference in New Issue View Git Blame Copy Permalink