[PR #145] [CLOSED] feat(mcp): enable policy explanations in generate_policy tool #264

New issue

Closed

opened 2026-03-15 11:56:24 +03:00 by kerem · 0 comments

kerem commented

2026-03-15 11:56:24 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/awslabs/iam-policy-autopilot/pull/145
Author: @Oluwatobi-Mustapha
Created: 2/9/2026
Status: ❌ Closed

Base: main ← Head: feat/mcp-explanations

📝 Commits (10+)

5b7adce feat(mcp): enable policy explanations in generate_policy tool
cb6cf34 refactor(mcp): reduce visibility and harden tests
278dce5 refactor(mcp): reduce visibility and harden tests
87608fd docs: update Operation struct docs to match fields
5ea6a14 style: fix clippy manual-non-exhaustive and apply cargo fmt
3e2c690 Merge branch 'main' into feat/mcp-explanations
2ba54d9 Merge branch 'main' into feat/mcp-explanations
034eb37 docs: update tool prompt with explanation instructions
3a67a3c docs: fix formatting in mcp.rs
b3a0937 chore: apply clippy fixes and resolve url deserialization

📊 Changes

5 files changed (+155 additions, -428 deletions)

View changed files

📝 iam-policy-autopilot-mcp-server/src/mcp.rs (+7 -6)
📝 iam-policy-autopilot-mcp-server/src/tools/generate_policy.rs (+113 -5)
📝 iam-policy-autopilot-policy-generation/src/enrichment/mod.rs (+13 -10)
📝 iam-policy-autopilot-policy-generation/src/enrichment/service_reference.rs (+13 -405)
📝 iam-policy-autopilot-policy-generation/src/lib.rs (+9 -2)

📄 Description

Description of changes

Context

The core iam-policy-autopilot engine can generate reasoning data (mapping permissions to source code lines), but the MCP server was previously discarding this data. This limited AI agents’ ability to understand why a specific permission was granted.

Changes

Schema extension: Updated GeneratePoliciesInput to accept an optional explain boolean, and GeneratePoliciesOutput to return a serialized explanations string.
Data plumbing: Updated generate_application_policies logic to pass the explanation filter to the core engine and serialize the results.
Core visibility: Promoted the enrichment module in iam-policy-autopilot-policy-generation from pub(crate) to pub to enable robust integration testing of explanation data structures.
Documentation: Added missing documentation to enrichment structs/enums to satisfy crate-level lint requirements (#![deny(missing_docs)]).
Testing: Added a new integration test test_generate_application_policies_with_explanations to verify end-to-end data flow.

Visual proof

Before (Gap Identified): Output contains only the policy, lacking context.

After: Output now includes detailed reasoning mapping actions (e.g., s3:ListBucket) to source locations.

Testing

Ran:

cargo test --package iam-policy-autopilot-mcp-server

✅ Result: All tests passed, including the new test_generate_application_policies_with_explanations.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/awslabs/iam-policy-autopilot/pull/145 **Author:** [@Oluwatobi-Mustapha](https://github.com/Oluwatobi-Mustapha) **Created:** 2/9/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `feat/mcp-explanations` --- ### 📝 Commits (10+) - [`5b7adce`](https://github.com/awslabs/iam-policy-autopilot/commit/5b7adce63b687592217e4eb74d8d34e8f0c7e2f3) feat(mcp): enable policy explanations in generate_policy tool - [`cb6cf34`](https://github.com/awslabs/iam-policy-autopilot/commit/cb6cf34cd86ee9aaa2333a84b19f3e195ae667f0) refactor(mcp): reduce visibility and harden tests - [`278dce5`](https://github.com/awslabs/iam-policy-autopilot/commit/278dce50c76f388d9437bf078b459e626c7fd609) refactor(mcp): reduce visibility and harden tests - [`87608fd`](https://github.com/awslabs/iam-policy-autopilot/commit/87608fd87d4abd05d15d205274036e288f131839) docs: update Operation struct docs to match fields - [`5ea6a14`](https://github.com/awslabs/iam-policy-autopilot/commit/5ea6a1440f48c2f7c9abacc6ec474848af3350c7) style: fix clippy manual-non-exhaustive and apply cargo fmt - [`3e2c690`](https://github.com/awslabs/iam-policy-autopilot/commit/3e2c690bfec081eeb67491c4a3f1165205491c4b) Merge branch 'main' into feat/mcp-explanations - [`2ba54d9`](https://github.com/awslabs/iam-policy-autopilot/commit/2ba54d911ceea4c5f816ec82b7df50abfdd7897f) Merge branch 'main' into feat/mcp-explanations - [`034eb37`](https://github.com/awslabs/iam-policy-autopilot/commit/034eb37bb8cb41e7f3cd109b107d1ec4c54ed8ad) docs: update tool prompt with explanation instructions - [`3a67a3c`](https://github.com/awslabs/iam-policy-autopilot/commit/3a67a3cb0e5304fac543ae4888768f745845fcb5) docs: fix formatting in mcp.rs - [`b3a0937`](https://github.com/awslabs/iam-policy-autopilot/commit/b3a09375815c7363dfae935d6234971c0964b65a) chore: apply clippy fixes and resolve url deserialization ### 📊 Changes **5 files changed** (+155 additions, -428 deletions) <details> <summary>View changed files</summary> 📝 `iam-policy-autopilot-mcp-server/src/mcp.rs` (+7 -6) 📝 `iam-policy-autopilot-mcp-server/src/tools/generate_policy.rs` (+113 -5) 📝 `iam-policy-autopilot-policy-generation/src/enrichment/mod.rs` (+13 -10) 📝 `iam-policy-autopilot-policy-generation/src/enrichment/service_reference.rs` (+13 -405) 📝 `iam-policy-autopilot-policy-generation/src/lib.rs` (+9 -2) </details> ### 📄 Description ## Description of changes ### Context The core `iam-policy-autopilot` engine can generate reasoning data (mapping permissions to source code lines), but the MCP server was previously discarding this data. This limited AI agents’ ability to understand *why* a specific permission was granted. ### Changes - **Schema extension:** Updated `GeneratePoliciesInput` to accept an optional `explain` boolean, and `GeneratePoliciesOutput` to return a serialized `explanations` string. - **Data plumbing:** Updated `generate_application_policies` logic to pass the explanation filter to the core engine and serialize the results. - **Core visibility:** Promoted the `enrichment` module in `iam-policy-autopilot-policy-generation` from `pub(crate)` to `pub` to enable robust integration testing of explanation data structures. - **Documentation:** Added missing documentation to enrichment structs/enums to satisfy crate-level lint requirements (`#![deny(missing_docs)]`). - **Testing:** Added a new integration test `test_generate_application_policies_with_explanations` to verify end-to-end data flow. ### Visual proof **Before (Gap Identified):** ***Output contains only the policy, lacking context.*** ![C5E81391-761B-4B33-8E8B-CD2892D03C62_1_201_a](https://github.com/user-attachments/assets/869baabd-5ba7-43d4-aeeb-c984a7d55b45) **After:** ***Output now includes detailed reasoning mapping actions (e.g., `s3:ListBucket`) to source locations.*** ![Image 2026-02-09 at 1 23 AM](https://github.com/user-attachments/assets/6768eb33-94a5-4b47-ab67-efdd393d582c) ### Testing Ran: ```bash cargo test --package iam-policy-autopilot-mcp-server ``` ✅ Result: All tests passed, including the new `test_generate_application_policies_with_explanations`. By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>