github
diff --git a/‎.changeset/patch-surface-audit-guard-policy-events.md‎
Lines changed: 5 additions & 0 deletions b/‎.changeset/patch-surface-audit-guard-policy-events.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎pkg/cli/audit_report.go‎
Lines changed: 21 additions & 4 deletions b/‎pkg/cli/audit_report.go‎
Lines changed: 21 additions & 4 deletions
diff --git a/‎pkg/cli/audit_report_render.go‎
Lines changed: 84 additions & 0 deletions b/‎pkg/cli/audit_report_render.go‎
Lines changed: 84 additions & 0 deletions
@@ -149,10 +149,11 @@ type ToolUsageInfo struct {
 
 // MCPToolUsageData contains detailed MCP tool usage statistics and individual call records
 type MCPToolUsageData struct {
-	Summary        []MCPToolSummary    `json:"summary"`                   // Aggregated statistics per tool
-	ToolCalls      []MCPToolCall       `json:"tool_calls"`                // Individual tool call records
-	Servers        []MCPServerStats    `json:"servers,omitempty"`         // Server-level statistics
-	FilteredEvents []DifcFilteredEvent `json:"filtered_events,omitempty"` // DIFC filtered events
+	Summary            []MCPToolSummary    `json:"summary"`                        // Aggregated statistics per tool
+	ToolCalls          []MCPToolCall       `json:"tool_calls"`                     // Individual tool call records
+	Servers            []MCPServerStats    `json:"servers,omitempty"`              // Server-level statistics
+	FilteredEvents     []DifcFilteredEvent `json:"filtered_events,omitempty"`      // DIFC filtered events
+	GuardPolicySummary *GuardPolicySummary `json:"guard_policy_summary,omitempty"` // Guard policy enforcement summary
 }
 
 // MCPToolSummary contains aggregated statistics for a single MCP tool
@@ -193,6 +194,22 @@ type MCPServerStats struct {
 	ErrorCount      int    `json:"error_count,omitempty" console:"header:Errors,omitempty"`
 }
 
+// GuardPolicySummary contains summary statistics for guard policy enforcement.
+// Guard policies control which tool calls the MCP Gateway allows based on
+// repository scope (repos) and content integrity level (min-integrity).
+type GuardPolicySummary struct {
+	TotalBlocked        int                `json:"total_blocked"`
+	IntegrityBlocked    int                `json:"integrity_blocked"`             // Blocked by min-integrity (-32006)
+	RepoScopeBlocked    int                `json:"repo_scope_blocked"`            // Blocked by repos scope (-32002)
+	AccessDenied        int                `json:"access_denied"`                 // General access denied (-32001)
+	BlockedUserDenied   int                `json:"blocked_user_denied,omitempty"` // Content from blocked user (-32005)
+	PermissionDenied    int                `json:"permission_denied,omitempty"`   // Insufficient permissions (-32003)
+	PrivateRepoDenied   int                `json:"private_repo_denied,omitempty"` // Private repository denied (-32004)
+	Events              []GuardPolicyEvent `json:"events"`
+	BlockedToolCounts   map[string]int     `json:"blocked_tool_counts,omitempty"`   // tool name -> blocked count
+	BlockedServerCounts map[string]int     `json:"blocked_server_counts,omitempty"` // server ID -> blocked count
+}
+
 // PolicySummaryDisplay is a display-optimized version of PolicyAnalysis for console rendering
 type PolicySummaryDisplay struct {
 	Policy        string `console:"header:Policy"`
 
@@ -6,6 +6,7 @@ import (
 	"math"
 	"os"
 	"path/filepath"
+	"sort"
 	"strconv"
 	"strings"
 	"time"
@@ -514,6 +515,89 @@ func renderMCPToolUsageTable(mcpData *MCPToolUsageData) {
 
 		fmt.Fprint(os.Stderr, console.RenderTable(toolConfig))
 	}
+
+	// Render guard policy summary
+	if mcpData.GuardPolicySummary != nil && mcpData.GuardPolicySummary.TotalBlocked > 0 {
+		renderGuardPolicySummary(mcpData.GuardPolicySummary)
+	}
+}
+
+// renderGuardPolicySummary renders the guard policy enforcement summary
+func renderGuardPolicySummary(summary *GuardPolicySummary) {
+	auditReportLog.Printf("Rendering guard policy summary: %d total blocked", summary.TotalBlocked)
+
+	fmt.Fprintln(os.Stderr)
+	fmt.Fprintln(os.Stderr, console.FormatWarningMessage(
+		fmt.Sprintf("Guard Policy: %d tool call(s) blocked", summary.TotalBlocked)))
+	fmt.Fprintln(os.Stderr)
+
+	// Breakdown by reason
+	fmt.Fprintln(os.Stderr, "  Block Reasons:")
+	if summary.IntegrityBlocked > 0 {
+		fmt.Fprintf(os.Stderr, "    Integrity below minimum : %d\n", summary.IntegrityBlocked)
+	}
+	if summary.RepoScopeBlocked > 0 {
+		fmt.Fprintf(os.Stderr, "    Repository not allowed  : %d\n", summary.RepoScopeBlocked)
+	}
+	if summary.AccessDenied > 0 {
+		fmt.Fprintf(os.Stderr, "    Access denied           : %d\n", summary.AccessDenied)
+	}
+	if summary.BlockedUserDenied > 0 {
+		fmt.Fprintf(os.Stderr, "    Blocked user            : %d\n", summary.BlockedUserDenied)
+	}
+	if summary.PermissionDenied > 0 {
+		fmt.Fprintf(os.Stderr, "    Insufficient permissions: %d\n", summary.PermissionDenied)
+	}
+	if summary.PrivateRepoDenied > 0 {
+		fmt.Fprintf(os.Stderr, "    Private repo denied     : %d\n", summary.PrivateRepoDenied)
+	}
+	fmt.Fprintln(os.Stderr)
+
+	// Most frequently blocked tools
+	if len(summary.BlockedToolCounts) > 0 {
+		toolNames := sliceutil.MapToSlice(summary.BlockedToolCounts)
+		sort.Slice(toolNames, func(i, j int) bool {
+			return summary.BlockedToolCounts[toolNames[i]] > summary.BlockedToolCounts[toolNames[j]]
+		})
+
+		toolRows := make([][]string, 0, len(toolNames))
+		for _, name := range toolNames {
+			toolRows = append(toolRows, []string{name, strconv.Itoa(summary.BlockedToolCounts[name])})
+		}
+		fmt.Fprint(os.Stderr, console.RenderTable(console.TableConfig{
+			Title:   "Most Blocked Tools",
+			Headers: []string{"Tool", "Blocked"},
+			Rows:    toolRows,
+		}))
+	}
+
+	// Guard policy event details
+	if len(summary.Events) > 0 {
+		fmt.Fprintln(os.Stderr)
+		eventRows := make([][]string, 0, len(summary.Events))
+		for _, evt := range summary.Events {
+			message := evt.Message
+			if len(message) > 60 {
+				message = message[:57] + "..."
+			}
+			repo := evt.Repository
+			if repo == "" {
+				repo = "-"
+			}
+			eventRows = append(eventRows, []string{
+				stringutil.Truncate(evt.ServerID, 20),
+				stringutil.Truncate(evt.ToolName, 25),
+				evt.Reason,
+				message,
+				repo,
+			})
+		}
+		fmt.Fprint(os.Stderr, console.RenderTable(console.TableConfig{
+			Title:   "Guard Policy Events",
+			Headers: []string{"Server", "Tool", "Reason", "Message", "Repository"},
+			Rows:    eventRows,
+		}))
+	}
 }
 
 // renderFirewallAnalysis renders firewall analysis with summary and domain breakdown