Problem
_emit_allow_event() does not pass requested_capability or presented_capability to emit_policy_enforced(), while _emit_deny_event() does:
# _emit_deny_event passes both:
emitter.emit_policy_enforced(
    ...
    requested_capability=result.requested_capability,
    presented_capability=result.presented_capability,
)
# _emit_allow_event omits them:
emitter.emit_policy_enforced(
    decision="ALLOW",
    tool_name=tool_name,
    agent_did=result.agent_did,
    trust_level=result.trust_level,
    evidence_id=result.evidence_id,
    capability_class=capability_class,
    # missing: requested_capability, presented_capability
)
This creates an incomplete audit trail — on ALLOW decisions you can't see what capability the agent presented to gain access.
Where
capiscio_mcp/guard.py — _emit_allow_event() function.
Suggested fix
Add requested_capability and presented_capability parameters to _emit_allow_event, mirroring _emit_deny_event:
def _emit_allow_event(
    result: "GuardResult",
    tool_name: str,
    capability_class: Optional[str] = None,
) -> None:
    ...
    emitter.emit_policy_enforced(
        decision="ALLOW",
        tool_name=tool_name,
        agent_did=result.agent_did,
        trust_level=result.trust_level,
        evidence_id=result.evidence_id,
        capability_class=capability_class,
        requested_capability=result.requested_capability,
        presented_capability=result.presented_capability,
    )
Context
Introduced on feat/guard-event-emission branch.
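Added example (not part of the original issue or the capiscio_mcp code base): a regression check that records what the ALLOW path hands to emit_policy_enforced() and reports which capability fields are absent, run against the call as quoted above and against the suggested fix. GuardResult, RecordingEmitter, the emit_allow_* functions and all sample values are stand-ins constructed for this sketch; passing the emitter as an argument is an assumption.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

AUDIT_FIELDS = ("requested_capability", "presented_capability")

@dataclass
class GuardResult:  # stand-in with only the fields named in the issue
    agent_did: str
    trust_level: str
    evidence_id: str
    requested_capability: Optional[str] = None
    presented_capability: Optional[str] = None

class RecordingEmitter:  # hypothetical test double, not the project's emitter
    def __init__(self) -> None:
        self.events: List[Dict[str, Any]] = []

    def emit_policy_enforced(self, **fields: Any) -> None:
        self.events.append(fields)

def emit_allow_before(emitter, result, tool_name, capability_class=None):
    # Mirrors the ALLOW call quoted in the issue: capability fields omitted.
    emitter.emit_policy_enforced(
        decision="ALLOW", tool_name=tool_name, agent_did=result.agent_did,
        trust_level=result.trust_level, evidence_id=result.evidence_id,
        capability_class=capability_class)

def emit_allow_after(emitter, result, tool_name, capability_class=None):
    # Mirrors the suggested fix: both capability fields forwarded.
    emitter.emit_policy_enforced(
        decision="ALLOW", tool_name=tool_name, agent_did=result.agent_did,
        trust_level=result.trust_level, evidence_id=result.evidence_id,
        capability_class=capability_class,
        requested_capability=result.requested_capability,
        presented_capability=result.presented_capability)

def missing_audit_fields(emit_fn: Callable[..., None]) -> List[str]:
    """Return the capability fields absent from the event emit_fn produces."""
    emitter = RecordingEmitter()
    result = GuardResult(  # constructed sample values
        agent_did="did:example:agent-1", trust_level="2", evidence_id="ev-0001",
        requested_capability="fs.read", presented_capability="fs.read")
    emit_fn(emitter, result, "read_file", "fs")
    event = emitter.events[-1]
    return [f for f in AUDIT_FIELDS if event.get(f) is None]

if __name__ == "__main__":
    print("before:", missing_audit_fields(emit_allow_before))
    print("after: ", missing_audit_fields(emit_allow_after))
```

The same helper can be pointed at a DENY emitter so that both decision paths are held to one field list.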