1
0
simple-ai-gateway-tool/scenes/04-deny-blocked-tool.md
Nilton Constantino d48172539a
first commit
2026-04-22 14:55:58 +01:00

2.7 KiB

Scene 4 — DENY: Dangerous Tool Unconditionally Blocked

Policy rule: Block rule (db.executeScript is blocked regardless of scopes or arguments) Expected result: DENY


Presentation Rule

Language: All AI narration and communication during scenes must be in English.

The AI must narrate every interaction with the gateway in detail. Before calling the gateway, explain what it is about to do, which endpoint it will call, what payload it will send, and what it expects to happen. After receiving the response, explain what the gateway returned, what the decision means, and why it matters. The goal is to make the audience understand exactly what is happening between the AI and the gateway at every step.


Communication Flow

sequenceDiagram
    participant AI as AI Agent
    participant GW as Gateway
    participant PE as Policy Engine
    participant DB as Database Service

    AI->>GW: POST /api/gateway/execute<br/>{tool: db.executeScript, action: execute,<br/>arguments: {script: "DROP TABLE users#59;"}}
    GW->>GW: Validate JWT + extract scopes
    GW->>PE: Evaluate policy rules
    PE->>PE: Block rule: db.executeScript ✗<br/>Unconditionally blocked
    PE-->>GW: Decision: DENY
    Note over GW,DB: Request never reaches Database
    GW->>GW: Write audit entry
    GW-->>AI: 200 OK {decision: DENY,<br/>reason: "db.executeScript is blocked by policy"}

Demo Script

Presenter says: "Some operations are so dangerous that no AI agent should ever execute them. db.executeScript runs arbitrary SQL — DROP TABLE, DELETE FROM, anything. The policy blocks it unconditionally."

Action

Example request:

"Execute this SQL script on the database: DROP TABLE users;"

Send a gateway request for db.executeScript with script=DROP TABLE users;.

Expected Response

{
  "request_id": "req-...",
  "decision": "deny",
  "reason": "db.executeScript is blocked by policy",
  "matched_rule": "deny-db-execute-script"
}

What This Proves

  • Hard blocks exist — some tools are denied regardless of token, scope, or arguments
  • This is the "nuclear option" in policy: a block rule that cannot be overridden
  • The default policy makes this tool unusable even if the caller has a matching scope
  • Defense-in-depth: even if someone adds db.execute scope to a token, the policy still blocks it

Key Message

"We can't stop the AI from asking. But we can stop the request from succeeding. This is the same as having a firewall rule that blocks port 22 — you don't rely on clients not trying."


Transition to Next Scene

"OK, hard blocks work. But what about softer controls — like preventing the AI from overwhelming a service?"