mcp-docx/src/py_docx/security.py

from __future__ import annotations
from dataclasses import dataclass
from typing import Set


@dataclass
class SecurityConfig:
    readonly_mode: bool
    sandbox_mode: bool
    allow_external_tools: bool
    allow_network: bool
    max_document_size: int
    max_open_documents: int

    def get_summary(self) -> str:
        parts = []
        if self.readonly_mode:
            parts.append("readonly")
        if self.sandbox_mode:
            parts.append("sandbox")
        if self.allow_external_tools:
            parts.append("external-tools")
        if self.allow_network:
            parts.append("network")
        return ", ".join(parts) or "default"


# Tools allowed in readonly mode
READONLY_COMMANDS: Set[str] = {
    "list_documents",
    "open_document",
    "extract_text",
    "get_metadata",
    "get_document_structure",
    "get_outline",
    "get_ranges",
    "get_tables",
    "list_images",
    "list_hyperlinks",
    "get_fields_summary",
    "get_document_properties",
    "get_word_count",
    "search_text",
    "analyze_formatting",
    "get_security_info",
    "get_storage_info",
    "list_templates",
}

# Tools that modify documents
WRITE_COMMANDS: Set[str] = {
    "create_document",
    "add_paragraph",
    "add_heading",
    "add_table",
    "add_section_break",
    "add_list",
    "add_list_item",
    "add_page_break",
    "insert_toc",
    "insert_bookmark_after_heading",
    "set_header",
    "set_footer",
    "set_page_numbering",
    "embed_page_number_fields",
    "add_image",
    "add_hyperlink",
    "find_and_replace",
    "find_and_replace_advanced",
    "apply_paragraph_format",
    "save_document",
    "close_document",
    "convert_to_pdf",
    "export_pdf_with_field_refresh",
    "convert_to_images",
    "convert_to_images_with_preference",
    "merge_documents",
    "split_document",
    "replace_range_text",
    "set_table_cell_text",
    "set_document_properties",
    "insert_after_heading",
    "sanitize_external_links",
    "redact_text",
    "strip_personal_info",
    "export_to_markdown",
    "export_to_html",
    "open_template",
    "generate_from_template",
}


def is_command_allowed(name: str, config: SecurityConfig) -> bool:
    if config.readonly_mode:
        return name in READONLY_COMMANDS
    return True