Assistant Tool Lattice Policy Mapping
This guide defines the tool lattice rule schema and default scope mapping for assistant tool calls. The lattice is evaluated by Policy Gateway and returns allow or deny decisions for each tool request.
Default deny behavior
- If no rule matches a tool request, the decision is deny.
- A rule must match tool name, action, and any configured tenant, role, scope, or resource filters to allow access.
Rule fields
- tool: Tool name or wildcard pattern (for example, "vex.query" or "scanner.*").
- action: Call-kind discriminator; the value is "read" or "action".
- scopes: Required Authority scopes (one or more) that the caller must hold; where a mapping lists alternatives, holding any one of them satisfies the rule.
- roles: Optional role filters (one or more).
- tenants: Optional tenant filters (one or more).
- resource: Optional resource pattern (for example, "sbom:component:*").
- effect: allow or deny.
- priority: Integer priority; higher values evaluate first.
Default scope mapping
| Tool | Action | Required scopes |
|---|---|---|
| vex.query | read | vex:read |
| sbom.read | read | sbom:read |
| scanner.findings.topk | read | scanner:read or findings:read |
Override guidance
- Give an override rule a higher priority than the default rule it supersedes; the higher-priority match decides.
- Keep rules deterministic by using stable patterns and avoiding ambiguous overlaps: two rules of equal priority that both match the same request with different effects leave the decision undefined by priority alone.
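The rule fields, the default scope mapping and the priority-override guidance above fit together into one evaluator. The following is an added reference implementation, not the Policy Gateway's own code: it encodes the three default mappings from the table as rules, applies default deny, matches wildcard tool and resource patterns, and resolves priority. Semantics the page does not spell out are assumptions and are marked as such in the comments: a rule's scopes are satisfied by any one of the listed scopes (following the "or" in the table), a deny rule may leave scopes empty to match regardless of scopes held, and an allow/deny tie at the deciding priority resolves to deny. The tenant "acme", the "contractor" role and the resource names in the override rules are constructed for illustration.

```python
"""Reference evaluator for the tool lattice rule schema (added example,
not the Policy Gateway's own code; marked semantics are assumptions)."""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    tool: str                       # tool name or wildcard pattern, e.g. "scanner.*"
    action: str                     # "read" or "action"
    scopes: tuple[str, ...]         # required Authority scopes; any one satisfies (assumption)
    effect: str                     # "allow" or "deny"
    priority: int = 0               # higher values evaluate first
    roles: tuple[str, ...] = ()     # optional filter; empty means no constraint
    tenants: tuple[str, ...] = ()   # optional filter; empty means no constraint
    resource: Optional[str] = None  # optional pattern, e.g. "sbom:component:*"

    def __post_init__(self) -> None:
        if self.effect not in ("allow", "deny"):
            raise ValueError(f"effect must be allow or deny, got {self.effect!r}")
        # The page requires one or more scopes; we enforce that for allow rules and
        # let deny rules leave scopes empty to match regardless of scopes (assumption).
        if self.effect == "allow" and not self.scopes:
            raise ValueError("an allow rule must require at least one scope")


@dataclass(frozen=True)
class ToolRequest:
    tool: str
    action: str
    tenant: str
    scopes: frozenset[str]                  # scopes carried by the caller's Authority token
    roles: frozenset[str] = frozenset()
    resource: Optional[str] = None


def rule_matches(rule: Rule, req: ToolRequest) -> bool:
    """Every configured filter must hold; an unset filter imposes no constraint."""
    if not fnmatchcase(req.tool, rule.tool) or rule.action != req.action:
        return False
    if rule.tenants and req.tenant not in rule.tenants:
        return False
    if rule.roles and not (req.roles & frozenset(rule.roles)):
        return False
    if rule.resource is not None:
        if req.resource is None or not fnmatchcase(req.resource, rule.resource):
            return False
    if rule.scopes and not (req.scopes & frozenset(rule.scopes)):
        return False
    return True


def evaluate(rules: Iterable[Rule], req: ToolRequest) -> str:
    """Default deny. The highest-priority matching rules decide; if allow and deny
    tie at that priority, the overlap is ambiguous and resolves to deny (assumption)."""
    matched = [r for r in rules if rule_matches(r, req)]
    if not matched:
        return "deny"
    top = max(r.priority for r in matched)
    effects = {r.effect for r in matched if r.priority == top}
    return "allow" if effects == {"allow"} else "deny"


def ambiguous_overlaps(rules: Iterable[Rule], req: ToolRequest) -> list[Rule]:
    """Lint helper: the matching rules at the deciding priority when their effects conflict."""
    matched = [r for r in rules if rule_matches(r, req)]
    if not matched:
        return []
    top = max(r.priority for r in matched)
    deciding = [r for r in matched if r.priority == top]
    return deciding if len({r.effect for r in deciding}) > 1 else []


# The default scope mapping from the table, expressed as priority-0 allow rules.
DEFAULT_RULES: tuple[Rule, ...] = (
    Rule("vex.query", "read", ("vex:read",), "allow"),
    Rule("sbom.read", "read", ("sbom:read",), "allow"),
    Rule("scanner.findings.topk", "read", ("scanner:read", "findings:read"), "allow"),
)

# Constructed overrides: tenant "acme", role "contractor" and the resource names are hypothetical.
EXAMPLE_OVERRIDES: tuple[Rule, ...] = (
    # Block every scanner tool for one tenant, regardless of scopes held.
    Rule("scanner.*", "read", (), "deny", priority=100, tenants=("acme",)),
    # Keep contractors away from internal SBOM components while the default still allows the rest.
    Rule("sbom.read", "read", (), "deny", priority=50,
         roles=("contractor",), resource="sbom:component:internal-*"),
)


if __name__ == "__main__":
    rules = DEFAULT_RULES + EXAMPLE_OVERRIDES
    req = ToolRequest("scanner.findings.topk", "read", "acme", frozenset({"scanner:read"}))
    print(req.tool, req.tenant, "->", evaluate(rules, req))
```

Because `evaluate` falls through to deny whenever no rule matches, a new tool or a new action value is blocked until someone adds a mapping, which is the default-deny behaviour the page specifies. Run `ambiguous_overlaps` over representative requests in CI to catch same-priority allow/deny collisions before a rule set is deployed.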