68 lines
2.9 KiB
Python
68 lines
2.9 KiB
Python
"""
|
|
Edit this file to configure your bootstrap server. app.py should not need changes.
|
|
"""
|
|
import base64
|
|
import os
|
|
|
|
# ─── Config ──────────────────────────────────────────────────────────
|
|
TENANT_ID = os.environ["TENANT_ID"] # your Entra tenant
|
|
AUDIENCE = "c2995f31-11e7-4882-b7a7-ef9def0a0266" # Claude in Office add-in app ID
|
|
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
|
|
JWKS_URL = f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys"
|
|
HOST = os.getenv("HOST", "127.0.0.1")
|
|
PORT = int(os.getenv("PORT", "8080"))
|
|
|
|
# Local-dev override: point at a self-issued JWKS instead of Entra.
|
|
# Signature verification still runs. Refuses to start on non-loopback.
|
|
DEV_JWKS_PATH = os.getenv("DEV_JWKS_PATH")
|
|
if DEV_JWKS_PATH and HOST != "127.0.0.1":
|
|
raise SystemExit("DEV_JWKS_PATH may only be used when HOST=127.0.0.1")
|
|
|
|
# ─── Catalog: every skill / MCP server you might hand out ────────────
|
|
def b64(s: str) -> str:
|
|
return base64.b64encode(s.encode()).decode()
|
|
|
|
SKILLS = {
|
|
"deal-memo": {
|
|
"description": "Draft a deal memo from a term sheet",
|
|
"url": "https://your-bucket.s3.amazonaws.com/skills/deal-memo.zip?X-Amz-Signature=...",
|
|
},
|
|
"compliance-check": {
|
|
"description": "Review a document for compliance issues",
|
|
"content": b64("# Compliance check\n\nReview the document for regulatory red flags..."),
|
|
},
|
|
"risk-dashboard": {
|
|
"description": "Summarize positions from the risk dashboard",
|
|
"url": "https://your-bucket.s3.amazonaws.com/skills/risk.zip?X-Amz-Signature=...",
|
|
},
|
|
}
|
|
|
|
MCP_SERVERS = {
|
|
"linear": {"url": "https://mcp.linear.app/sse", "label": "Linear"},
|
|
"risk-api": {
|
|
"url": "https://internal.example.com/mcp/risk",
|
|
"label": "Risk Dashboard",
|
|
"headers": {"Authorization": "Bearer {{gateway_token}}"},
|
|
},
|
|
}
|
|
|
|
# ─── RBAC: first matching rule wins ──────────────────────────────────
|
|
# `when` conditions (all must match):
|
|
# group — value from the Entra token's `groups` claim
|
|
# user — Entra user `oid`
|
|
# app — Office host: "word" | "excel" | "powerpoint"
|
|
# In production, group/user values are GUIDs — replace the names below
|
|
# with real Object IDs from Entra admin center.
|
|
RULES = [
|
|
{"when": {"app": "word", "group": "investment-banking"},
|
|
"skills": ["deal-memo", "compliance-check"], "mcp_servers": ["linear"]},
|
|
|
|
{"when": {"group": "risk"},
|
|
"skills": ["risk-dashboard", "compliance-check"], "mcp_servers": ["risk-api"]},
|
|
|
|
{"when": {"user": "alice"},
|
|
"skills": ["deal-memo"], "mcp_servers": []},
|
|
|
|
{"when": {}, "skills": ["compliance-check"], "mcp_servers": []}, # default
|
|
]
|