feat(policy): add MCP-aware JSON-RPC L7 governance

Cargo.toml

@@ -8,7 +8,7 @@ members = ["crates/*"]
 [workspace.package]
 version = "0.0.0"
 edition = "2024"
-rust-version = "1.88"
+rust-version = "1.90"
 license = "Apache-2.0"
 repository = "https://github.com/NVIDIA/OpenShell"
 
@@ -73,6 +73,7 @@ serde_json = "1"
 serde_yml = "0.0.12"
 toml = "0.8"
 apollo-parser = "0.8.5"
+tower-mcp-types = "0.12.0"
 
 # HTTP client
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls-native-roots"] }

architecture/sandbox.md

@@ -51,12 +51,13 @@ identifies the calling binary, checks trust-on-first-use binary identity, reject
 unsafe internal destinations, and evaluates the active policy.
 For inspected HTTP traffic, the proxy can enforce REST method/path rules,
 WebSocket upgrade and text-message rules, GraphQL operation rules, and
-JSON-RPC method and params rules on sandbox-to-server request bodies. JSON-RPC
-request inspection buffers up to the endpoint `json_rpc.max_body_bytes` limit.
-Literal dotted keys in JSON-RPC params are rejected before policy evaluation so
-they cannot be confused with flattened nested selector paths.
-JSON-RPC responses and server-to-client MCP messages on response or SSE streams
-are relayed but are not currently parsed for policy enforcement.
+MCP or generic JSON-RPC method and params rules on sandbox-to-server request
+bodies. MCP and JSON-RPC inspection buffers up to the endpoint
+`mcp.max_body_bytes` or `json_rpc.max_body_bytes` limit. Literal dotted keys in
+JSON-RPC params are rejected before policy evaluation so they cannot be confused
+with flattened nested selector paths. JSON-RPC responses and server-to-client
+MCP messages on response or SSE streams are relayed but are not currently
+parsed for policy enforcement.
 
 `https://inference.local` is special. It bypasses OPA network policy and is
 handled by the inference interception path: