Guardrail policy for the MCP server.
Policy is evaluated before any tool call dispatches to dns::*.
Config, CLI, and env vars are the source of truth — callers of DnsServer::new
must construct a Policy for the selected DNS server and pass it in.
§Operation sets
A Policy holds an explicit set of allowed PolicyRule variants.
Rules are independent: you can permit any combination of Read, Write, and Delete.
- Read: list/export/stats/settings/cache-browse tools are permitted.
- Write: create/update/import/flush/block/allow tools are permitted.
- Delete: delete tools are permitted.
- Zone allow-list: any tool that targets a specific zone is rejected unless that zone (or its parent) is in the allow-list. Zone-agnostic tools (stats, settings, cache browse) are always permitted.
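An added sketch of the evaluation order described above; it is not this crate's code. `SketchPolicy`, `Op`, `normalize`, `zone_allowed` and `check` are hypothetical names, and the sketch assumes that any ancestor zone counts as a parent, that an empty allow-list rejects every zone-targeted call, and that zone-agnostic tools still need their operation class allowed.

```rust
use std::collections::HashSet;

// Hypothetical stand-ins: the crate's real Policy and PolicyRule are not shown here.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Op { Read, Write, Delete }

pub struct SketchPolicy { ops: HashSet<Op>, zones: Vec<String> }

// Compare zones case-insensitively and without the trailing root dot.
fn normalize(zone: &str) -> String {
    zone.trim_end_matches('.').to_ascii_lowercase()
}

impl SketchPolicy {
    pub fn new(ops: &[Op], zones: &[&str]) -> Self {
        Self {
            ops: ops.iter().copied().collect(),
            zones: zones.iter().map(|z| normalize(z)).collect(),
        }
    }

    // A zone passes if it equals an allow-listed zone or sits below one. The suffix must
    // end on a label boundary, so "notexample.com" does not match "example.com".
    pub fn zone_allowed(&self, zone: &str) -> bool {
        let z = normalize(zone);
        self.zones.iter().any(|a| {
            z == *a || z.strip_suffix(a.as_str()).map_or(false, |rest| rest.ends_with('.'))
        })
    }

    // Runs before dispatch. `zone` is None for zone-agnostic tools, which skip
    // the zone check but (assumption) still need their operation class allowed.
    pub fn check(&self, op: Op, zone: Option<&str>) -> Result<(), String> {
        if !self.ops.contains(&op) {
            return Err(format!("{:?} operations are not permitted", op));
        }
        match zone {
            Some(z) if !self.zone_allowed(z) => Err(format!("zone {} is not allow-listed", z)),
            _ => Ok(()),
        }
    }
}

fn main() {
    // Constructed sample policy: Read and Write only, one allow-listed zone.
    let p = SketchPolicy::new(&[Op::Read, Op::Write], &["Example.com."]);
    println!("{:?}", p.check(Op::Write, Some("dev.example.com")));
    println!("{:?}", p.check(Op::Write, Some("notexample.com")));
    println!("{:?}", p.check(Op::Delete, Some("example.com")));
}
```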
Structs§
- Policy
- Governs what the MCP server is permitted to do.
Enums§
- PolicyRule
- Identifies a single class of DNS operation.