capgate

Parses MCP (Model Context Protocol) tool manifests in JSON/YAML format to extract tool definitions, input schemas, and capability metadata. Uses schema introspection to build an intermediate representation of tool capabilities that can be compiled into sandbox policies. Handles nested JSON schemas with support for complex type definitions and validation constraints.

Compiles extracted MCP tool capabilities into concrete sandbox enforcement policies by mapping tool operations to system-level restrictions. Generates bwrap (bubblewrap) configuration, egress rules, and filesystem access policies based on tool input/output schemas and declared resource requirements. Uses capability analysis to determine minimum required permissions and generates deny-by-default policies with explicit allow lists.

Generates bubblewrap (bwrap) sandbox configurations from capability policies, creating isolated execution environments with restricted filesystem access, network isolation, and process constraints. Translates abstract capability restrictions into concrete bwrap command-line arguments and configuration files, handling mount point mapping, read-only filesystem layers, and capability dropping. Supports both inline argument generation and persistent configuration file output.

Generates network egress rules (firewall rules, iptables configurations, or cloud-native network policies) that restrict outbound network access based on tool capabilities. Analyzes tool schemas to identify which external services or APIs each tool needs to contact, then generates minimal allow-list rules that permit only necessary egress traffic. Supports multiple policy backends including iptables, nftables, and Kubernetes NetworkPolicy formats.

Translates compiled capability policies into multiple sandbox policy formats and backends, enabling deployment across heterogeneous infrastructure. Supports output to bwrap configurations, iptables/nftables rules, Kubernetes NetworkPolicy manifests, and custom policy formats. Uses a backend-agnostic intermediate representation that can be serialized to any target format, allowing single policy definitions to target multiple enforcement mechanisms.

Validates that generated sandbox policies actually enforce the intended capability restrictions by analyzing policy rules against tool capability declarations. Performs static verification that policies don't grant unintended permissions, checks for gaps in coverage (capabilities without corresponding restrictions), and validates policy syntax for target backends. Uses policy analysis to detect overly permissive rules and suggest tighter restrictions.

Normalizes and canonicalizes MCP tool manifests to a standard internal representation, handling variations in schema format, version differences, and optional field defaults. Resolves schema references, expands nested definitions, and validates against MCP specification. Produces a canonical form suitable for policy compilation, enabling consistent policy generation regardless of manifest source or format variations.

Enables declarative composition of sandbox policies through inheritance and mixins, allowing policy templates to be defined once and reused across multiple tools. Supports policy composition rules that combine base policies with tool-specific overrides, enabling consistent policy patterns across tool families. Uses composition semantics to merge policies while detecting conflicts and maintaining least-privilege principles.

Provides a TypeScript/JavaScript SDK enabling programmatic policy compilation within Node.js applications and build pipelines. Exports typed APIs for manifest parsing, capability analysis, policy compilation, and backend code generation. Integrates with TypeScript type system for compile-time safety and enables IDE autocomplete for policy configuration. Supports both ESM and CommonJS module formats.

Provides a command-line interface for batch compilation of tool manifests into sandbox policies and deployment to target environments. Supports reading manifest directories, compiling multiple tools in parallel, and outputting policies to files or directly deploying to infrastructure. Includes options for policy validation, format selection, and deployment configuration. Integrates with shell scripts and CI/CD pipelines.