DTwo Policy Store

HubSpot Read-Only

Makes the HubSpot connection read-only by blocking the write tool.

Direction
ingress
Rego package
hubspot.ingress.readonly
App
hubspot
Bundle
crm
Published
Minimum gateway
1.0.0b24
Schema version
1.0.0
Checksum
sha256:c4ef50764a959af252cfbd5474bfea02a57b207fa3d352636dc70b8f11b45de0

hubspotaccess-controlgovernanceread-onlyingress

What this policy does

Direction: ingress (tool_pre_invoke) Default: deny on match, allow otherwise Package: hubspot.ingress.readonly

What it does

Makes the HubSpot connection read-only by blocking the write tool. Any call to hubspot-manage-crm-objects — the create/update tool exposed by the HubSpot MCP server — is denied. Every other HubSpot tool (search, list, read) passes through unchanged.

Why ingress

Writes have permanent side effects on the CRM. The connection's read/write posture is fully determined by the tool being called, so denying the write tool at ingress guarantees no mutation reaches HubSpot regardless of the payload.

How it matches

The policy is default allow := false and re-allows every tool except the one whose (lowercased) name ends with -manage-crm-objects. Suffix matching keeps the policy portable regardless of the MCP server name prefix the gateway adds (hubspot-, hubspot-mcp-, etc.). Confirm the exact tool name with the dump-input debug technique before deploying.

Examples

Allowed (read tool)

{
  "input": {
    "action": "tool_pre_invoke",
    "resource": { "name": "hubspot-list-objects", "type": "tool" },
    "payload": { "name": "hubspot-list-objects", "args": { "objectType": "deals" } }
  }
}

allow = true, no reason.

Denied (write tool)

{
  "input": {
    "action": "tool_pre_invoke",
    "resource": { "name": "hubspot-manage-crm-objects", "type": "tool" },
    "payload": {
      "name": "hubspot-manage-crm-objects",
      "args": { "updateRequest": { "objects": [ { "objectType": "deals", "id": "12345" } ] } }
    }
  }
}

allow = false, reason = "HubSpot write operations are disabled on this gateway. This connection is read-only.".

Known limitations

  • Single write tool. This assumes hubspot-manage-crm-objects is the only write tool exposed by the HubSpot MCP server on the gateway. If your server exposes other mutating tools (e.g. dedicated association or engagement endpoints), add their suffixes to the deny condition.
  • Suffix tool-name match. The policy allows any tool that does not end in -manage-crm-objects. If a non-HubSpot MCP server exposed a tool with that same suffix, it would also be blocked — narrow the match if that is a concern.
  • No identity-based exemptions. All callers are read-only. To allow a break-glass writer, add an allow if branch gated on input.subject.claims.

Policy source (Rego)

package hubspot.ingress.readonly

default allow := false

allow if {
    not endswith(lower(input.resource.name), "-manage-crm-objects")
}

reason := "HubSpot write operations are disabled on this gateway. This connection is read-only." if not allow

Canonical source: policy.md on GitHub · raw · raw on this site (.md)

Used in these guides