Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .claude-plugin/marketplace.json
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
"name": "dtwo",
"source": "./dtwo",
"description": "DTwo MCP gateway management — bundles the DTwo MCP server and skills for managing gateway configs, deploys, and policies",
"version": "1.0.3",
"version": "1.0.4",
"category": "security",
"keywords": [
"agentic",
Expand Down
2 changes: 1 addition & 1 deletion dtwo/.claude-plugin/plugin.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "dtwo",
"version": "1.0.3",
"version": "1.0.4",
"description": "Manage DTwo gateways, policies, and Rego with the DTwo MCP server.",
"author": {
"name": "DTwo",
Expand Down
4 changes: 2 additions & 2 deletions dtwo/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,8 +40,8 @@ Naming the connector `dtwo` is required — it has to match the plugin's MCP ser
| Skill | Use when |
| --------------------- | -------------------------------------------------------------------------------------- |
| `dtwo-gateway-config` | Editing gateway YAML, adding/removing MCP servers, publishing or rolling back configs. |
| `dtwo-gateway-policy` | Creating, attaching, publishing, deploying, or verifying policies and pipelines. |
| `dtwo-policy-rego` | Authoring, modifying, explaining, or debugging Rego policy code for the DTwo Gateway. |
| `dtwo-gateway-policy` | Creating, attaching, publishing, deploying, or verifying policies and pipelines; managing markers (and the intent registry when those tools are enabled). |
| `dtwo-policy-rego` | Authoring, modifying, explaining, or debugging Rego policy code for the DTwo Gateway, including marker writer/reader policies. |

The skills load each other on demand via Claude Code's `Skill` tool — most real tasks pull in two or three together.

Expand Down
4 changes: 2 additions & 2 deletions dtwo/skills/dtwo-gateway-config/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ The tools listed below reflect the initial set. The DTwo MCP server may add new
| `dtwo-validate-gateway-config` | Validate YAML configuration without saving |
| `dtwo-save-gateway-draft-config` | Validate and save YAML as the draft configuration |
| `dtwo-publish-gateway-config` | Publish the gateway draft as a new version |
| `dtwo-revert-gateway-config` | Restore a published gateway version back into the draft |
| `dtwo-revert-gateway-config` | Restore a published `version` back into the draft. Pass `publish: true` to publish it immediately as well |

### Deploy & Status Tools

Expand Down Expand Up @@ -215,7 +215,7 @@ Every field marked `secret: true` in the artifact. Emit a self-describing placeh

### Gateway Section

Controls authentication, SSRF protection, logging, CORS, and advanced flags.
Controls authentication, SSRF protection, `log_level`, and `advanced` flags — all documented in the Schema Digest above. (CORS is also modeled by the parser but is not detailed in the digest; configure it via the `advanced` escape hatch or confirm the field names with `dtwo-validate-gateway-config` before relying on them.) Authentication and SSRF are the load-bearing ones and are expanded below.

- **Authentication** defaults to enabled when omitted. Supports JWKS-based JWT verification, SSO issuer, audience/issuer verification, JTI requirements, token expiration enforcement, and OAuth resource metadata.
- **Gateway-side `jwks_info` is independent of any `mcp_servers[].authentication` block.** When the prompt supplies an IdP tenant and audience (e.g. Auth0), populate `gateway.authentication.jwks_info` (`jwt_algorithm`, `jwt_jwks_uri`, `jwt_issuer`, `jwt_audience`) — even when the upstream MCP server uses OAuth/DCR, and even when the prompt says the upstream server "only supports OAuth" or "does not accept bearer tokens." Those statements describe the outbound leg to the MCP server, not the inbound leg from clients to the gateway.
Expand Down
Loading