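# Gateway configuration used as a test fixture: the per-agent comments below
# name the test each entry exists for. Nesting is written out explicitly so
# that per-agent keys (allowed_tools, rate_limit, ...) sit under their agent
# instead of colliding as duplicate top-level keys.
# NOTE(review): `auth` and `rules` are placed at top level on the assumption
# that they are gateway-wide settings; confirm against the config schema.

transport:
  type: http
  # "0.0.0.0" listens on every interface. With the tls block below commented
  # out, the listener is plain HTTP, so whatever credentials agents present
  # (api_key, JWT) would cross the network unencrypted. For a local test run,
  # "127.0.0.1:4000" is the narrower choice; otherwise enable tls.
  addr: "0.0.0.0:4000"
  upstream: "http://localhost:3000/mcp"
  # Presumably the session lifetime in seconds (3600 = one hour); confirm.
  session_ttl_secs: 3600
  # tls:
  #   cert: "cert.pem"
  #   key: "key.pem"

audit:
  type: sqlite
  # Relative path: the database location depends on the process working
  # directory. An audit trail is only useful if agents and unprivileged users
  # cannot rewrite it, so check the file's ownership and permissions.
  path: "gateway-audit.db"

# Named upstreams — agents can reference these via `upstream:` in their policy.
# upstreams:
#   filesystem: "http://localhost:3001"
#   database: "http://localhost:3002"

agents:
  # Allowlist policy: only the tools listed are named as callable.
  cursor:
    allowed_tools:
      - echo
    rate_limit: 5
  # Denylist policy. NOTE(review): presumably every tool not listed here is
  # permitted, so a tool added upstream later becomes callable without a
  # policy change; an allowed_tools list fails closed instead. Confirm.
  claude-code:
    denied_tools:
      - delete_database
    rate_limit: 20
  # Pre-shared API key — for api_key auth tests
  # Fixture credential committed in plain text: keep it test-only and do not
  # reuse the value anywhere else.
  secured-agent:
    allowed_tools:
      - echo
    rate_limit: 10
    api_key: "test-key-123"
  # Low rate limit — for global rate limit exhaustion test
  rate-test:
    allowed_tools:
      - echo
    rate_limit: 3
  # Per-tool cap — for tool_rate_limits test
  tool-rate-test:
    allowed_tools:
      - echo
    rate_limit: 10
    tool_rate_limits:
      echo: 2
  # Can call secret_dump — for response filtering test
  secret-dumper:
    allowed_tools:
      - secret_dump
    rate_limit: 10
  # Agent identity derived from JWT "sub" claim — for JWT auth test
  jwt-agent:
    allowed_tools:
      - echo
    rate_limit: 10

auth:
  # Fixture value. NOTE(review): presumably the key used to verify JWT
  # signatures; if so, anyone holding it can issue a token naming any agent in
  # `agent_claim`, so a deployed value must be long, random and kept out of
  # version control. Confirm the algorithm and key handling in the gateway.
  secret: "test-jwt-secret"
  agent_claim: "sub"

rules:
  # ip_rate_limit: 100 # max tools/call per minute per IP (HTTP mode)
  # Literal patterns used for filtering. NOTE(review): matching semantics
  # (case sensitivity, request vs. response, block vs. redact) are not visible
  # in this file. A fixed substring list is a coarse backstop, not a
  # replacement for keeping secrets out of tool output. The trailing space in
  # "Bearer " is significant and must stay quoted.
  block_patterns:
    - "password"
    - "api_key"
    - "secret"
    - "Bearer "
    - "private_key"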