HubSpot Block Deal Closure
Blocks HubSpot CRM-object calls that move a deal into a closed stage (closedwon or closedlost). Both create and update requests are inspected.
Blocks HubSpot CRM-object calls that move a deal into a closed stage (closedwon or closedlost). Both create and update requests are inspected.
Blocks HubSpot CRM-object calls that create or change associations between objects (deal↔company, contact↔company, etc.).
Blocks HubSpot CRM-object update calls that set or change a deal's owner.
Blocks HubSpot CRM-object calls that set or change a contact's lifecycle stage.
Makes the HubSpot connection read-only by blocking the write tool.
Reusable DTwo policies for HubSpot MCP servers (the HubSpot-hosted MCP server and compatible implementations).
| Policy | Direction | Purpose |
|---|---|---|
| block-deal-closure | ingress | Deny CRM-object calls that move a deal into a closed stage (closedwon / closedlost); all other deal changes and tools pass through. |
| protect-associations | ingress | Deny CRM-object calls that create or change object associations; all other calls pass through. |
| protect-deal-owner | ingress | Deny deal-update calls that set or change hubspot_owner_id; deal creates and other fields pass through. |
| protect-lifecycle-stage | ingress | Deny contact create/update calls that set or change lifecyclestage; all other calls pass through. |
| read-only | ingress | Block all HubSpot writes (the *-manage-crm-objects tool); read/search/list tools pass through. |
| redact-pii | egress | Redact contact PII (phone, email, fax, SSN) from HubSpot tool responses. Transform-only — never denies. |
DTwo prefixes tool names with the MCP server name configured on the gateway. A HubSpot MCP server registered as hubspot surfaces tools like hubspot-manage-crm-objects, while one registered under another name (e.g. hubspot-mcp) would surface hubspot-mcp-manage-crm-objects. The block-deal-closure policy matches on the suffix (-manage-crm-objects) so it stays portable across naming conventions. Always confirm the exact tool name your gateway sends using the dump-input debug technique before deploying.
These policies do not require any specific IdP claims. If you want identity-based exemptions (e.g., a break-glass role that can close deals), gate the relevant rule with object.get(input.subject.claims, "<claim>", "<default>").
To add a HubSpot policy:
apps/hubspot/<policy-slug>/ with policy.md and a tests.yaml test file.apps: ["hubspot"] in the policy frontmatter, plus any industry / bundle slugs that apply.bundles/crm), link to it from the matching landing page.pnpm manifest from the repo root.See CONTRIBUTING.md for the full process.