1
0
simple-ai-gateway-tool/scenes/07-deny-argument-validation.md
Nilton Constantino d48172539a
first commit
2026-04-22 14:55:58 +01:00

3.1 KiB

Scene 7 — DENY: Restricted Jira Project (Argument Validation)

Policy rule: Argument allowlist (jira.createTicket only allowed for projects in allowlist) Expected result: DENY for restricted project


Presentation Rule

Language: All AI narration and communication during scenes must be in English.

The AI must narrate every interaction with the gateway in detail. Before calling the gateway, explain what it is about to do, which endpoint it will call, what payload it will send, and what it expects to happen. After receiving the response, explain what the gateway returned, what the decision means, and why it matters. The goal is to make the audience understand exactly what is happening between the AI and the gateway at every step.


Communication Flow

sequenceDiagram
    participant AI as AI Agent
    participant GW as Gateway
    participant PE as Policy Engine
    participant JR as Jira Service

    AI->>GW: POST /api/gateway/execute<br/>{tool: jira.createTicket, action: create,<br/>arguments: {project: FINANCE, summary: ...}}
    GW->>GW: Validate JWT + extract scopes
    GW->>PE: Evaluate policy rules
    PE->>PE: Scope check: jira.write ✓
    PE->>PE: Argument allowlist: FINANCE<br/>not in [SAFE, PLATFORM, OPS] ✗
    PE-->>GW: Decision: DENY
    Note over GW,JR: Request never reaches Jira
    GW->>GW: Write audit entry
    GW-->>AI: 200 OK {decision: DENY,<br/>reason: "Project not in allowlist"}

Demo Script

Presenter says: "Even when the AI has write access to Jira, it can only create tickets in approved projects. The FINANCE project? Off limits."

Action

Example request:

"Create a Jira ticket in project FINANCE with summary 'AI-generated report' and type Bug"

Send a gateway request for jira.createTicket with project=FINANCE.

Expected Response

{
  "request_id": "req-...",
  "decision": "deny",
  "reason": "Project not in allowlist",
  "matched_rule": "restrict-jira-projects"
}

Contrast — Allowed Project

Then ask:

"Create a Jira ticket in project PLATFORM with summary 'Update documentation' and type Task"

This returns ALLOW — PLATFORM is in the allowlist [SAFE, PLATFORM, OPS].


What This Proves

  • Argument-level validation — not just "can you use this tool?" but "can you use it with these parameters?"
  • The allowlist is in the policy config (data.allowed_projects), not in code
  • Changing which projects are allowed = editing YAML, not redeploying
  • Prevents data leakage to sensitive projects (FINANCE, HR, LEGAL)
  • Same pattern applies to Liquibase changelogs: only approved changelogs can run

Key Message

"The AI has jira.write scope — it CAN create tickets. But the policy engine adds a second layer: WHICH projects. This is fine-grained access control, defined as data, enforced at the gateway."


Wrap-Up

"We've seen 7 scenarios covering all 6 policy categories. The AI agent is a requesting client — it asks, the gateway decides. Credentials stay server-side, policies are data, and every decision is audited."