portal_check
Check whether a host or command is allowed by the security policy without executing anything. Returns ALLOWED or BLOCKED to surface policy errors early.
Instructions
Dry-run a host (and optional command) through the security policy.
command="" : check whether the host is accessible at all. Example: portal_check(host="web01")
command="rm -rf /" : check whether this command would be allowed on this host. Example: portal_check(host="web01", command="systemctl stop nginx")
Returns "ALLOWED" or "BLOCKED: ". Does not execute anything. Use this before risky multi-host operations to surface policy errors early. Being a dry-run, it does NOT consume a rate-limit token (a pre-flight check never throttles the real operation it is checking for).
⚠️ Default policy is PERMISSIVE — out of the box policies.yaml has an
empty host_allowlist (any host), empty command_blocklist / allowlist
(any command), and only a per-host rate limit. So portal_check will
return ALLOWED for almost anything until you populate
$XDG_CONFIG_HOME/portal-mcp-server/policies.yaml (default
~/.config/portal-mcp-server/policies.yaml)
with explicit rules. Use portal_audit(view="policy") to inspect what
the server actually has loaded. ALLOWED therefore means "no rule
currently blocks this", not "this is safe to run".
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| host | Yes | ||
| command | No |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |