Body
Summary
We have an enterprise requirement to validate user prompts through an external REST API before an MCP tool is invoked.
Currently, the Content Moderation plugin supports built-in providers (IBM Granite, Watson, OpenAI, Azure, AWS), but there does not appear to be a generic mechanism to invoke an arbitrary REST endpoint as a moderation provider.
Use Case
In our environment, all user prompts must be validated by an enterprise Content Safety service exposed through IBM API Connect before any backend MCP tool is executed.
Expected execution flow:
User Prompt
│
▼
Content Moderation Plugin
│
▼
External REST Validation API
│
├── Validation Passed
│ │
│ ▼
│ Invoke MCP Tool
│
└── Validation Failed
│
▼
Block Tool Execution
Example Validation Response
{
"userPromptAnalysis": {
"attackDetected": false
}
}
If:
attackDetected = false → continue with tool invocation.
attackDetected = true → block the request and return an appropriate response.
Current Limitation
To implement this workflow, it appears necessary to modify the ContentModerationPlugin source code and add a new provider implementation.
This makes future upgrades more difficult because custom changes must be maintained across releases.
Feature Request
It would be useful if the Content Moderation plugin supported configurable external REST providers.
For example:
config:
provider: external_rest
external_rest:
endpoint: https://example.company.com/content-safety
method: POST
timeout: 30
headers:
Authorization: "Bearer ${env.CONTENT_SAFETY_TOKEN}"
Ocp-Apim-Subscription-Key: "${env.CONTENT_SAFETY_SUBSCRIPTION_KEY}"
request:
text_field: text
categories:
- Hate
- Sexual
- SelfHarm
- Violence
response:
decision_path: userPromptAnalysis.attackDetected
allow_value: false
Benefits
No source code modifications
Easier upgrades
Integration with enterprise security platforms
Support for internal AI Guardrails and Content Safety services
Greater flexibility for enterprise deployments
Is there already a supported extension point for this use case, or would this be a valuable enhancement for the project?
---
I think this is a strong feature request because it focuses on a generic capability ("external REST validation provider") rather than your organization's specific API. That makes it broadly useful to other Context Forge users and increases the likelihood that the maintainers will consider it.
Body
Summary
We have an enterprise requirement to validate user prompts through an external REST API before an MCP tool is invoked.
Currently, the Content Moderation plugin supports built-in providers (IBM Granite, Watson, OpenAI, Azure, AWS), but there does not appear to be a generic mechanism to invoke an arbitrary REST endpoint as a moderation provider.
Use Case
In our environment, all user prompts must be validated by an enterprise Content Safety service exposed through IBM API Connect before any backend MCP tool is executed.
Expected execution flow:
User Prompt
│
▼
Content Moderation Plugin
│
▼
External REST Validation API
│
├── Validation Passed
│ │
│ ▼
│ Invoke MCP Tool
│
└── Validation Failed
│
▼
Block Tool Execution
Example Validation Response
{ "userPromptAnalysis": { "attackDetected": false } } If: attackDetected = false → continue with tool invocation. attackDetected = true → block the request and return an appropriate response. Current Limitation To implement this workflow, it appears necessary to modify the ContentModerationPlugin source code and add a new provider implementation. This makes future upgrades more difficult because custom changes must be maintained across releases. Feature Request It would be useful if the Content Moderation plugin supported configurable external REST providers. For example: config: provider: external_rest external_rest: endpoint: https://example.company.com/content-safety method: POST timeout: 30 headers: Authorization: "Bearer ${env.CONTENT_SAFETY_TOKEN}" Ocp-Apim-Subscription-Key: "${env.CONTENT_SAFETY_SUBSCRIPTION_KEY}" request: text_field: text categories: - Hate - Sexual - SelfHarm - Violence response: decision_path: userPromptAnalysis.attackDetected allow_value: false Benefits No source code modifications Easier upgrades Integration with enterprise security platforms Support for internal AI Guardrails and Content Safety services Greater flexibility for enterprise deployments Is there already a supported extension point for this use case, or would this be a valuable enhancement for the project? --- I think this is a strong feature request because it focuses on a generic capability ("external REST validation provider") rather than your organization's specific API. That makes it broadly useful to other Context Forge users and increases the likelihood that the maintainers will consider it.