<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: ZYM</title>
    <description>The latest articles on DEV Community by ZYM (@_aa9d2c4c4ab2eac9230eb).</description>
    <link>https://dev.to/_aa9d2c4c4ab2eac9230eb</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4013195%2Ffe72ea4e-5b43-4848-bfa8-a6f7d163b3d8.jpg</url>
      <title>DEV Community: ZYM</title>
      <link>https://dev.to/_aa9d2c4c4ab2eac9230eb</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/_aa9d2c4c4ab2eac9230eb"/>
    <language>en</language>
    <item>
      <title># AI Agent Refund API Demo: Approval, Redaction, And Audit</title>
      <dc:creator>ZYM</dc:creator>
      <pubDate>Fri, 03 Jul 2026 09:18:56 +0000</pubDate>
      <link>https://dev.to/_aa9d2c4c4ab2eac9230eb/-ai-agent-refund-api-demo-approval-redaction-and-audit-43p3</link>
      <guid>https://dev.to/_aa9d2c4c4ab2eac9230eb/-ai-agent-refund-api-demo-approval-redaction-and-audit-43p3</guid>
      <description>&lt;h1&gt;
  
  
  AI Agent Refund API Demo: Approval, Redaction, And Audit
&lt;/h1&gt;

&lt;p&gt;Letting an AI Agent call a refund API is a good demo because it is simple and risky at the same time.&lt;/p&gt;

&lt;p&gt;If an Agent can directly call a refund endpoint, several questions appear immediately:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Who allowed this refund?&lt;/li&gt;
&lt;li&gt;Which amount should require approval?&lt;/li&gt;
&lt;li&gt;Was the refund API called before approval?&lt;/li&gt;
&lt;li&gt;Where are the execution result and approval evidence?&lt;/li&gt;
&lt;li&gt;Who is responsible if the Agent passes the wrong arguments?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;ATG's refund demo proves that these questions can be handled in one governance path.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffkh95o05xdracevggroi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffkh95o05xdracevggroi.png" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Agent -&amp;gt; ATG -&amp;gt; approve policy -&amp;gt; approval record -&amp;gt; approver -&amp;gt; refund API -&amp;gt; audit log
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Demo Setup
&lt;/h2&gt;

&lt;p&gt;After PostgreSQL, ATG Server, Mock API, and Web Console are running, execute:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm run demo:local
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The script creates isolated Agents, Tools, and Policies, then runs three scenarios:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;large refund approval;&lt;/li&gt;
&lt;li&gt;CRM response redaction;&lt;/li&gt;
&lt;li&gt;dangerous delete denial.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Refund approval is the easiest path to explain to business and security stakeholders.&lt;/p&gt;

&lt;h2&gt;
  
  
  Refund Approval Flow
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;The Agent calls &lt;code&gt;refund_order&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Policy checks &lt;code&gt;args.amount &amp;gt; 100&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;ATG returns &lt;code&gt;pending_approval&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;ATG creates an approval record.&lt;/li&gt;
&lt;li&gt;The target refund API has not been called yet.&lt;/li&gt;
&lt;li&gt;An approver uses the API or Web Console to approve the request.&lt;/li&gt;
&lt;li&gt;ATG resumes the original tool call.&lt;/li&gt;
&lt;li&gt;ATG writes approval, invocation, and audit evidence.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The key point: when approval is required, the real API is not executed first.&lt;/p&gt;

&lt;h2&gt;
  
  
  What To Show In The Web Console
&lt;/h2&gt;

&lt;p&gt;Focus on four views:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Dashboard: pending approvals, successful calls, average latency.&lt;/li&gt;
&lt;li&gt;Approvals: status, reason, approver, comments.&lt;/li&gt;
&lt;li&gt;Invocations: request arguments, redacted response, policy decision, approval id.&lt;/li&gt;
&lt;li&gt;Audit Logs: &lt;code&gt;tool.invoke.pending_approval&lt;/code&gt; and &lt;code&gt;approval.approved.executed&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These views give security, business, and engineering teams a shared record of the same Agent action.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Approval Must Happen Before Execution
&lt;/h2&gt;

&lt;p&gt;Many systems treat approval as an after-the-fact note: execute first, ask someone to approve later.&lt;/p&gt;

&lt;p&gt;For refunds, user deletion, permission changes, or other business actions, that is not real approval.&lt;/p&gt;

&lt;p&gt;ATG's approve policy stops target API execution when matched. It creates a pending invocation and approval record. Only after approval does ATG resume the original call.&lt;/p&gt;

&lt;h2&gt;
  
  
  Redaction And Credential Isolation
&lt;/h2&gt;

&lt;p&gt;Refund approval is only one action-oriented demo. ATG also shows two common governance capabilities:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;CRM query results are redacted before returning to the Agent and before audit storage.&lt;/li&gt;
&lt;li&gt;Real business API credentials stay in the Tool Registry. Sensitive headers are encrypted at rest and shown as &lt;code&gt;***&lt;/code&gt; through management APIs.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The Agent cannot bypass approval and does not need to hold real business credentials.&lt;/p&gt;

&lt;h2&gt;
  
  
  Local Verification
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm run &lt;span class="nb"&gt;install&lt;/span&gt;:local
npm run doctor:local
npm run dev:local
npm run verify
npm run demo:local
npm run secret-header:local
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If &lt;code&gt;ADMIN_TOKEN&lt;/code&gt; is enabled:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nv"&gt;ADMIN_TOKEN&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;local-admin-secret npm run demo:local
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  What This Demo Answers
&lt;/h2&gt;

&lt;p&gt;This demo is not about proving that ATG can call an HTTP API.&lt;/p&gt;

&lt;p&gt;It proves that:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Agent calls can be authenticated centrally;&lt;/li&gt;
&lt;li&gt;high-risk actions can pause before execution;&lt;/li&gt;
&lt;li&gt;approved calls can resume the original request;&lt;/li&gt;
&lt;li&gt;results can be redacted;&lt;/li&gt;
&lt;li&gt;real credentials can stay outside Agent runtimes;&lt;/li&gt;
&lt;li&gt;calls and approvals can produce audit evidence.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  PoC Extensions
&lt;/h2&gt;

&lt;p&gt;This flow can be adapted to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;refund approval;&lt;/li&gt;
&lt;li&gt;order cancellation;&lt;/li&gt;
&lt;li&gt;user permission changes;&lt;/li&gt;
&lt;li&gt;ticket closure;&lt;/li&gt;
&lt;li&gt;contract or invoice generation;&lt;/li&gt;
&lt;li&gt;CRM customer lookup;&lt;/li&gt;
&lt;li&gt;internal admin operations.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The refund demo is not valuable because of refunds alone. It is valuable because it makes the governance path concrete:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;policy decision, human approval, credential isolation, response redaction, and audit evidence.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Once this path works, enterprises can start thinking seriously about letting Agents touch real systems.&lt;/p&gt;

&lt;p&gt;GitHub: &lt;a href="https://github.com/demonzym-hash/agent-tool-gateway" rel="noopener noreferrer"&gt;https://github.com/demonzym-hash/agent-tool-gateway&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>What Gateway Does An MCP Server Need Before Production?</title>
      <dc:creator>ZYM</dc:creator>
      <pubDate>Fri, 03 Jul 2026 09:16:58 +0000</pubDate>
      <link>https://dev.to/_aa9d2c4c4ab2eac9230eb/what-gateway-does-an-mcp-server-need-before-production-1p7i</link>
      <guid>https://dev.to/_aa9d2c4c4ab2eac9230eb/what-gateway-does-an-mcp-server-need-before-production-1p7i</guid>
      <description>&lt;h1&gt;
  
  
  What Gateway Does An MCP Server Need Before Production?
&lt;/h1&gt;

&lt;p&gt;MCP standardizes the connection between models and tools. But standardized connection does not automatically mean production readiness.&lt;/p&gt;

&lt;p&gt;Once MCP tools touch real business systems, teams must answer practical governance questions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Who is allowed to call this tool?&lt;/li&gt;
&lt;li&gt;Should the call pause for approval?&lt;/li&gt;
&lt;li&gt;Does the response contain sensitive data?&lt;/li&gt;
&lt;li&gt;Where are the real tool credentials stored?&lt;/li&gt;
&lt;li&gt;Can we audit what happened after an incident?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Agent Tool Gateway acts as the governance layer between MCP clients and enterprise HTTP tools.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F36gbagtfs2ftotdkaym6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F36gbagtfs2ftotdkaym6.png" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;MCP Client -&amp;gt; ATG /mcp -&amp;gt; Policy / Approval / Redaction / Audit -&amp;gt; HTTP Tool
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Where MCP Production Risk Comes From
&lt;/h2&gt;

&lt;p&gt;The risk is usually not the MCP protocol itself. The risk is the business action behind the tool.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;data queries may leak customer information;&lt;/li&gt;
&lt;li&gt;write operations may change orders, accounts, or permissions;&lt;/li&gt;
&lt;li&gt;delete operations may be irreversible;&lt;/li&gt;
&lt;li&gt;credentials scattered across multiple MCP servers or clients are hard to rotate and audit;&lt;/li&gt;
&lt;li&gt;each tool implementing its own auth and logging makes incident review difficult.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;When tools only read safe demo data, this may not matter. When they touch CRM, orders, refunds, tickets, permissions, or databases, enterprises need a shared control plane.&lt;/p&gt;

&lt;h2&gt;
  
  
  ATG's Minimal MCP Support
&lt;/h2&gt;

&lt;p&gt;ATG v0.1 supports three MCP JSON-RPC methods:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;initialize&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;tools/list&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;tools/call&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;code&gt;tools/list&lt;/code&gt; exposes active tools from the ATG Tool Registry. &lt;code&gt;tools/call&lt;/code&gt; does not bypass governance. It reuses the same control path as HTTP invoke:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;authenticate the Agent API key;&lt;/li&gt;
&lt;li&gt;find the Tool;&lt;/li&gt;
&lt;li&gt;validate input schema;&lt;/li&gt;
&lt;li&gt;evaluate policy;&lt;/li&gt;
&lt;li&gt;create approval if needed;&lt;/li&gt;
&lt;li&gt;call the target HTTP API;&lt;/li&gt;
&lt;li&gt;redact the result;&lt;/li&gt;
&lt;li&gt;write invocation and audit records.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Why MCP Should Not Hold Business Credentials Directly
&lt;/h2&gt;

&lt;p&gt;If every MCP server or client stores business API tokens, three problems appear.&lt;/p&gt;

&lt;p&gt;First, credentials are scattered and hard to rotate.&lt;/p&gt;

&lt;p&gt;Second, permission and approval logic is duplicated.&lt;/p&gt;

&lt;p&gt;Third, audit evidence is fragmented.&lt;/p&gt;

&lt;p&gt;ATG keeps real business credentials inside the Tool Registry. Sensitive headers are encrypted at rest and shown as &lt;code&gt;***&lt;/code&gt; in management API responses.&lt;/p&gt;

&lt;h2&gt;
  
  
  Shared Gateway vs Per-Server Governance
&lt;/h2&gt;

&lt;p&gt;Letting each MCP server implement governance may look simple at first, but it creates repeated work:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;every server needs auth;&lt;/li&gt;
&lt;li&gt;every server needs policy;&lt;/li&gt;
&lt;li&gt;every server needs audit logs;&lt;/li&gt;
&lt;li&gt;every server needs sensitive-data handling;&lt;/li&gt;
&lt;li&gt;enterprise security teams must review many implementations.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A shared gateway keeps governance stable even as Agent frameworks and MCP tools change.&lt;/p&gt;

&lt;h2&gt;
  
  
  Local Verification
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm run &lt;span class="nb"&gt;install&lt;/span&gt;:local
npm run doctor:local
npm run dev:local
npm run mcp-client:local
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You can also exercise MCP paths through the Python and TypeScript SDK checks:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm run python-sdk:local
npm run typescript-sdk:local
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;These checks create isolated Agents and Tools, then verify REST invoke and MCP &lt;code&gt;tools/call&lt;/code&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  MVP Boundary
&lt;/h2&gt;

&lt;p&gt;ATG v0.1 does not try to be a full MCP aggregator, marketplace, enterprise SSO system, or multi-tenant platform.&lt;/p&gt;

&lt;p&gt;It proves one thing first:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;MCP tool calls can reuse the same identity, policy, approval, redaction, credential isolation, and audit path.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Once that path is working, teams can decide whether they need SSO/RBAC, audit export, enterprise approval integrations, KMS/Vault, or Kubernetes deployment.&lt;/p&gt;

&lt;h2&gt;
  
  
  Who Should Try This
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;MCP server builders;&lt;/li&gt;
&lt;li&gt;teams connecting MCP clients to internal tools;&lt;/li&gt;
&lt;li&gt;enterprise AI platform teams;&lt;/li&gt;
&lt;li&gt;private AI workflow integrators;&lt;/li&gt;
&lt;li&gt;security and architecture teams.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;MCP standardizes tool connection. ATG standardizes enterprise governance.&lt;/p&gt;

&lt;p&gt;When tools reach real business systems, the protocol alone is not enough. Teams need a shared path for permission, approval, redaction, credential isolation, and audit evidence.&lt;/p&gt;

&lt;p&gt;GitHub: &lt;a href="https://github.com/demonzym-hash/agent-tool-gateway" rel="noopener noreferrer"&gt;https://github.com/demonzym-hash/agent-tool-gateway&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>How Dify Can Safely Call Enterprise Internal APIs</title>
      <dc:creator>ZYM</dc:creator>
      <pubDate>Fri, 03 Jul 2026 07:43:29 +0000</pubDate>
      <link>https://dev.to/_aa9d2c4c4ab2eac9230eb/how-dify-can-safely-call-enterprise-internal-apis-324b</link>
      <guid>https://dev.to/_aa9d2c4c4ab2eac9230eb/how-dify-can-safely-call-enterprise-internal-apis-324b</guid>
      <description>&lt;h1&gt;
  
  
  How Dify Can Safely Call Enterprise Internal APIs
&lt;/h1&gt;

&lt;p&gt;Dify is great for building AI workflows quickly. But once a workflow starts calling internal enterprise APIs, the risk moves from "the answer may be wrong" to "the system may execute the wrong action."&lt;/p&gt;

&lt;p&gt;Refunding an order, changing an account, querying CRM data, deleting a user, or creating a ticket should not be handled by giving an Agent direct access to business API credentials.&lt;/p&gt;

&lt;p&gt;Agent Tool Gateway puts an independent governance gateway between Dify and enterprise APIs.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Dify -&amp;gt; ATG -&amp;gt; Policy / Approval / Redaction / Credential Isolation / Audit -&amp;gt; Business API
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fuznknimpfs9tv8rfcrrb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fuznknimpfs9tv8rfcrrb.png" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  The Problem With Direct API Calls
&lt;/h2&gt;

&lt;p&gt;When business APIs are configured directly inside an Agent workflow, several problems show up:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;real business API credentials end up inside workflow tools;&lt;/li&gt;
&lt;li&gt;each tool has its own permission boundary;&lt;/li&gt;
&lt;li&gt;high-risk actions do not pause for human approval;&lt;/li&gt;
&lt;li&gt;responses may contain phone numbers, emails, IDs, addresses, or other sensitive fields;&lt;/li&gt;
&lt;li&gt;denied calls, approvals, failures, and audit evidence are hard to review;&lt;/li&gt;
&lt;li&gt;governance logic has to be rebuilt when the Agent framework changes.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These issues may look small during a demo, but they become security and delivery problems in private enterprise deployments.&lt;/p&gt;

&lt;h2&gt;
  
  
  The ATG Boundary
&lt;/h2&gt;

&lt;p&gt;Dify handles application orchestration. ATG handles tool-call governance.&lt;/p&gt;

&lt;p&gt;The HTTP Tool exposed to Dify is only the ATG invoke endpoint:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;POST http://localhost:8080/api/v1/invoke/refund_order
Authorization: Bearer {{ATG_API_KEY}}
Content-Type: application/json
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Dify stores an ATG Agent API key. The real business API endpoint, business credentials, approval policy, redaction rules, and audit records stay inside ATG.&lt;/p&gt;

&lt;h2&gt;
  
  
  Minimal Flow
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;Create an Agent in ATG and get its one-time Agent API key.&lt;/li&gt;
&lt;li&gt;Register an HTTP Tool in ATG, such as &lt;code&gt;refund_order&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Configure Dify's HTTP Tool to call &lt;code&gt;/api/v1/invoke/{tool_name}&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;ATG authenticates the Agent API key.&lt;/li&gt;
&lt;li&gt;ATG evaluates policy: &lt;code&gt;allow&lt;/code&gt;, &lt;code&gt;deny&lt;/code&gt;, &lt;code&gt;approve&lt;/code&gt;, or &lt;code&gt;redact&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;If approval is required, ATG creates an approval record and does not call the target API yet.&lt;/li&gt;
&lt;li&gt;If execution is allowed, ATG calls the business API.&lt;/li&gt;
&lt;li&gt;ATG redacts the response and writes invocation/audit records.&lt;/li&gt;
&lt;li&gt;Dify receives the governed result.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Three Demo Policies
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. Refund Approval
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Small refunds execute immediately.&lt;/li&gt;
&lt;li&gt;Large refunds return &lt;code&gt;pending_approval&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;An approver reviews the request in the ATG Web Console.&lt;/li&gt;
&lt;li&gt;ATG calls the real refund API only after approval.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This validates that approval happens before execution, not as an after-the-fact note.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. CRM Redaction
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;CRM returns phone numbers, emails, and ID-like values.&lt;/li&gt;
&lt;li&gt;ATG redacts the response before returning it to Dify.&lt;/li&gt;
&lt;li&gt;Audit records also store the redacted result.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The Agent can continue the task without receiving sensitive data it should not see.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Dangerous Operation Denial
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;delete_user&lt;/code&gt; matches a deny policy.&lt;/li&gt;
&lt;li&gt;ATG does not call the target API.&lt;/li&gt;
&lt;li&gt;Audit logs record the denied operation.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Local Verification
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm run &lt;span class="nb"&gt;install&lt;/span&gt;:local
npm run doctor:local
npm run dev:local
npm run demo:local
npm run dify:local
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;npm run dify:local&lt;/code&gt; reads &lt;code&gt;examples/dify/http-tool.refund-order.json&lt;/code&gt;, calls ATG using the same HTTP shape that Dify uses, and verifies invocation plus audit records.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why This Is Not Just A Dify Plugin
&lt;/h2&gt;

&lt;p&gt;ATG should not be understood as a Dify plugin.&lt;/p&gt;

&lt;p&gt;Dify is one entry point. MCP clients, LangChain, Python SDKs, TypeScript SDKs, and custom Agents can also enter the same gateway. What should be centralized is the enterprise control plane:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Agent identity;&lt;/li&gt;
&lt;li&gt;Tool registry;&lt;/li&gt;
&lt;li&gt;Policy;&lt;/li&gt;
&lt;li&gt;Approval;&lt;/li&gt;
&lt;li&gt;Redaction;&lt;/li&gt;
&lt;li&gt;Credential isolation;&lt;/li&gt;
&lt;li&gt;Audit.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Changing Agent frameworks should not require changing the governance model.&lt;/p&gt;

&lt;h2&gt;
  
  
  Who Should Try This
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Dify private deployment users;&lt;/li&gt;
&lt;li&gt;Dify integrators;&lt;/li&gt;
&lt;li&gt;enterprise AI application teams;&lt;/li&gt;
&lt;li&gt;backend teams exposing internal APIs to Agents;&lt;/li&gt;
&lt;li&gt;security or architecture teams evaluating the risk of Agent actions.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Dify should orchestrate AI workflows. ATG should govern tool calls.&lt;/p&gt;

&lt;p&gt;That boundary lets teams keep the Dify experience while centralizing permissions, approval, redaction, credential isolation, and audit evidence.&lt;/p&gt;

&lt;p&gt;GitHub: &lt;a href="https://github.com/demonzym-hash/agent-tool-gateway" rel="noopener noreferrer"&gt;https://github.com/demonzym-hash/agent-tool-gateway&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
    </item>
  </channel>
</rss>
