Docker MCP Gateway's existing interceptor pattern (block_secrets.go, github_unauthorized.go, log_calls.go) is the cleanest extension point I've seen in any MCP gateway. Wanted to ask about one more interceptor that fits the same shape.
Proposal: pkg/interceptors/block_prompt_injection.go — runs on tool-call response payloads, applies regex + optional model checks, can opt to short-circuit (return error to MCP client) or annotate (add a header / log a policy decision through pkg/policy). Same interface as block_secrets.go so users get one mental model.
I maintain Agent Threat Rules (ATR), an MIT-licensed YAML rule library (462 rules) shipped in Microsoft Agent Governance Toolkit (PR #1277, 287 rules + weekly auto-sync), Cisco AI Defense skill-scanner (PR #99, 314 rules), MISP via CIRCL Luxembourg (PR #1207, 336 rules), and Microsoft PyRIT (PR #1715, merged 2026-05-27 by Roman Lutz). Of the 462 rules, ~200 are pure regex (method: pattern in our spec) with explicit fixtures and a 0% FP gate on a 432-skill benign corpus — the right shape to bundle as the default rule set for the interceptor.
Two ways this could land:
- Docker owns the interceptor; ATR is an optional rule source loaded from
--block-prompt-injection-rules=path/to/rules.json. Default: ATR's regex-method subset, vendored at build time.
- ATR ships a separate
docker-mcp-gateway-interceptor Go module; docker/mcp-gateway only adds the registration point.
If (1) is too much rule surface for Docker to maintain in-tree, (2) is fine. If neither shape works, happy to hear what does.
Repo: https://github.com/Agent-Threat-Rule/agent-threat-rules
Method spec: https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/spec/atr-method-v1.1.md
Docker MCP Gateway's existing interceptor pattern (
block_secrets.go,github_unauthorized.go,log_calls.go) is the cleanest extension point I've seen in any MCP gateway. Wanted to ask about one more interceptor that fits the same shape.Proposal:
pkg/interceptors/block_prompt_injection.go— runs on tool-call response payloads, applies regex + optional model checks, can opt to short-circuit (return error to MCP client) or annotate (add a header / log a policy decision throughpkg/policy). Same interface asblock_secrets.goso users get one mental model.I maintain Agent Threat Rules (ATR), an MIT-licensed YAML rule library (462 rules) shipped in Microsoft Agent Governance Toolkit (PR #1277, 287 rules + weekly auto-sync), Cisco AI Defense skill-scanner (PR #99, 314 rules), MISP via CIRCL Luxembourg (PR #1207, 336 rules), and Microsoft PyRIT (PR #1715, merged 2026-05-27 by Roman Lutz). Of the 462 rules, ~200 are pure regex (
method: patternin our spec) with explicit fixtures and a 0% FP gate on a 432-skill benign corpus — the right shape to bundle as the default rule set for the interceptor.Two ways this could land:
--block-prompt-injection-rules=path/to/rules.json. Default: ATR's regex-method subset, vendored at build time.docker-mcp-gateway-interceptorGo module;docker/mcp-gatewayonly adds the registration point.If (1) is too much rule surface for Docker to maintain in-tree, (2) is fine. If neither shape works, happy to hear what does.
Repo: https://github.com/Agent-Threat-Rule/agent-threat-rules
Method spec: https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/spec/atr-method-v1.1.md