78 lines
2.7 KiB
Markdown
78 lines
2.7 KiB
Markdown
# Scene 4 — DENY: Dangerous Tool Unconditionally Blocked
|
|
|
|
**Policy rule:** Block rule (`db.executeScript` is blocked regardless of scopes or arguments)
|
|
**Expected result:** DENY
|
|
|
|
---
|
|
|
|
## Presentation Rule
|
|
|
|
> **Language:** All AI narration and communication during scenes must be in **English**.
|
|
>
|
|
> The AI must narrate every interaction with the gateway in detail. **Before** calling the gateway, explain what it is about to do, which endpoint it will call, what payload it will send, and what it expects to happen. **After** receiving the response, explain what the gateway returned, what the decision means, and why it matters. The goal is to make the audience understand exactly what is happening between the AI and the gateway at every step.
|
|
|
|
---
|
|
|
|
## Communication Flow
|
|
|
|
```mermaid
|
|
sequenceDiagram
|
|
participant AI as AI Agent
|
|
participant GW as Gateway
|
|
participant PE as Policy Engine
|
|
participant DB as Database Service
|
|
|
|
AI->>GW: POST /api/gateway/execute<br/>{tool: db.executeScript, action: execute,<br/>arguments: {script: "DROP TABLE users#59;"}}
|
|
GW->>GW: Validate JWT + extract scopes
|
|
GW->>PE: Evaluate policy rules
|
|
PE->>PE: Block rule: db.executeScript ✗<br/>Unconditionally blocked
|
|
PE-->>GW: Decision: DENY
|
|
Note over GW,DB: Request never reaches Database
|
|
GW->>GW: Write audit entry
|
|
GW-->>AI: 200 OK {decision: DENY,<br/>reason: "db.executeScript is blocked by policy"}
|
|
```
|
|
|
|
## Demo Script
|
|
|
|
> **Presenter says:** "Some operations are so dangerous that no AI agent should ever execute them. `db.executeScript` runs arbitrary SQL — DROP TABLE, DELETE FROM, anything. The policy blocks it unconditionally."
|
|
|
|
### Action
|
|
|
|
Example request:
|
|
|
|
> "Execute this SQL script on the database: DROP TABLE users;"
|
|
|
|
Send a gateway request for `db.executeScript` with `script=DROP TABLE users;`.
|
|
|
|
### Expected Response
|
|
|
|
```json
|
|
{
|
|
"request_id": "req-...",
|
|
"decision": "deny",
|
|
"reason": "db.executeScript is blocked by policy",
|
|
"matched_rule": "deny-db-execute-script"
|
|
}
|
|
```
|
|
|
|
---
|
|
|
|
## What This Proves
|
|
|
|
- **Hard blocks exist** — some tools are denied regardless of token, scope, or arguments
|
|
- This is the "nuclear option" in policy: a `block` rule that cannot be overridden
|
|
- The default policy makes this tool unusable even if the caller has a matching scope
|
|
- Defense-in-depth: even if someone adds `db.execute` scope to a token, the policy still blocks it
|
|
|
|
---
|
|
|
|
## Key Message
|
|
|
|
> "We can't stop the AI from *asking*. But we can stop the request from *succeeding*. This is the same as having a firewall rule that blocks port 22 — you don't rely on clients not trying."
|
|
|
|
---
|
|
|
|
## Transition to Next Scene
|
|
|
|
> "OK, hard blocks work. But what about softer controls — like preventing the AI from overwhelming a service?"
|