ThornGuard now includes structured policies and outbound webhook integrations in both the live dashboard and the management API.
In the live dashboard, these controls live under the Platform tab when the relevant feature flags are enabled. Mutating actions require an owner or admin credential.

Structured Policy Rules

Policy rules let you match on request context without relying only on coarse substring blocklists. Each rule has schema fields for:
  • a scope: request, response, or both
  • a mode: allow, audit, or block
  • a priority
  • a conditions_json payload describing what should match
Today, the active enforcement path is request-focused, with audit and block being the meaningful operational modes.

Supported condition types include:
  • RPC method patterns
  • target domains
  • client IP CIDR ranges
  • selected header matches
  • JSON selector checks
  • substring or regex content patterns
  • tool name patterns
  • tool risk levels

Evaluation Order

Customer policies run after ThornGuard’s non-overridable transport, auth, SSRF, and rate-limit checks, but before built-in malicious command scanning. That means:
  • policies can narrow what is allowed
  • policies cannot disable built-in safety controls
  • audit-mode policies generate telemetry without blocking traffic
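
A simplified model of this ordering, added here as an illustration and not ThornGuard's own code. The keys inside conditions_json (rpc_methods, client_cidrs), lowest-priority-number-first ordering with the first matching block rule deciding, and the builtin_ok / scan_ok flags standing in for the built-in checks are all assumptions.

```python
import fnmatch
import ipaddress
import json

# Constructed rules. Keys inside conditions_json are hypothetical.
RULES = [
    {"id": "r-audit-tools", "scope": "request", "mode": "audit", "priority": 10,
     "conditions_json": json.dumps({"rpc_methods": ["tools/*"]})},
    {"id": "r-block-net", "scope": "request", "mode": "block", "priority": 20,
     "conditions_json": json.dumps({"rpc_methods": ["tools/call"],
                                    "client_cidrs": ["203.0.113.0/24"]})},
    {"id": "r-allow-any", "scope": "both", "mode": "allow", "priority": 30,
     "conditions_json": json.dumps({"rpc_methods": ["*"]})},
]

def matches(rule, req):
    """True when every condition type present in the rule matches the request."""
    cond = json.loads(rule["conditions_json"])
    methods = cond.get("rpc_methods")
    if methods and not any(fnmatch.fnmatchcase(req["method"], p) for p in methods):
        return False
    cidrs = cond.get("client_cidrs")
    if cidrs:
        ip = ipaddress.ip_address(req["client_ip"])
        if not any(ip in ipaddress.ip_network(c) for c in cidrs):
            return False
    return True

def evaluate(req, rules, builtin_ok=True, scan_ok=True):
    """Return (decision, deciding_stage, audit_rule_ids)."""
    audited = []
    # Stage 1: transport, auth, SSRF and rate-limit checks (stubbed as a flag).
    if not builtin_ok:
        return ("block", "builtin", audited)
    # Stage 2: customer policies; lowest priority number first (assumption).
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["scope"] not in ("request", "both") or not matches(rule, req):
            continue
        if rule["mode"] == "audit":
            audited.append(rule["id"])      # telemetry only, traffic continues
        elif rule["mode"] == "block":
            return ("block", rule["id"], audited)
    # Stage 3: built-in command scanning (stubbed); an allow rule never skips it.
    if not scan_ok:
        return ("block", "command-scan", audited)
    return ("allow", None, audited)

print(evaluate({"method": "tools/call", "client_ip": "203.0.113.7"}, RULES))
```

Running a candidate rule set through a model like this before switching a rule from audit to block shows which requests would start failing and which rule would be responsible.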

Policy API

The management API exposes:
  • GET /api/policies
  • POST /api/policies
  • PATCH /api/policies/:id
  • DELETE /api/policies/:id
Rules are tied to the authenticated license and stored in the policy_rules D1 table.

Webhook Integrations

Webhook integrations let ThornGuard push security and audit events to external systems. Events are queued asynchronously and recorded in integration_deliveries for traceability. Typical uses include:
  • Slack or chat alerting
  • SIEM ingestion
  • incident response workflows
  • internal compliance pipelines

Integration API

The current backend routes are:
  • GET /api/integrations
  • POST /api/integrations
  • PATCH /api/integrations/:id
  • DELETE /api/integrations/:id
  • POST /api/integrations/:id/test
  • GET /api/integrations/:id/deliveries

Event Payload Shape

Webhook deliveries include fields such as:
  • action
  • targetUrl
  • method
  • details
  • detailsJson
  • responseTimeMs
  • clientIp
  • logId
  • traceId
  • policyRuleId
  • timestamp

  • Use Custom Blocklists for simple tenant-owned block patterns.
  • Use policy rules when you need method-aware, JSON-aware, or risk-aware decisions.
  • Use webhook integrations to get ThornGuard events into your broader security tooling.