npm - @highflame/policy - Versions diffs - 2.1.14 → 2.1.16 - Mend

@highflame/policy 2.1.14 → 2.1.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/_schemas/ai_gateway/context.json +703 -0
package/_schemas/ai_gateway/schema.cedarschema +286 -0
package/_schemas/ai_gateway/templates/defaults/agent_security.cedar +140 -0
package/_schemas/ai_gateway/templates/defaults/baseline.cedar +23 -0
package/_schemas/ai_gateway/templates/defaults/semantic.cedar +105 -0
package/_schemas/ai_gateway/templates/defaults/tools.cedar +92 -0
package/_schemas/ai_gateway/templates/llm_default_allow.cedar +22 -0
package/_schemas/ai_gateway/templates/mcp_server_allowlist.cedar +33 -0
package/_schemas/ai_gateway/templates/mcp_tool_permissions.cedar +77 -0
package/_schemas/ai_gateway/templates/pii_redaction.cedar +89 -0
package/_schemas/ai_gateway/templates/templates.json +117 -0
package/dist/ai_gateway-context.gen.d.ts +53 -0
package/dist/ai_gateway-context.gen.js +54 -0
package/dist/ai_gateway-defaults.gen.d.ts +61 -0
package/dist/ai_gateway-defaults.gen.js +829 -0
package/dist/ai_gateway-entities.gen.d.ts +11 -0
package/dist/ai_gateway-entities.gen.js +37 -0
package/dist/index.d.ts +5 -5
package/dist/index.js +4 -4
package/dist/overwatch-defaults.gen.js +54 -59
package/dist/service-schemas.gen.d.ts +10 -10
package/dist/service-schemas.gen.js +667 -645
package/dist/types.d.ts +5 -5
package/dist/types.js +4 -4
package/package.json +1 -1

package/dist/service-schemas.gen.js CHANGED Viewed

@@ -1,15 +1,307 @@
 // Code generated by highflame-policy-codegen. DO NOT EDIT.
-// Source: schemas/guardrails/schema.cedarschema, schemas/mcp_gateway/schema.cedarschema, schemas/overwatch/schema.cedarschema, schemas/palisade/schema.cedarschema, schemas/sentry/schema.cedarschema
+// Source: schemas/ai_gateway/schema.cedarschema, schemas/guardrails/schema.cedarschema, schemas/overwatch/schema.cedarschema, schemas/palisade/schema.cedarschema, schemas/sentry/schema.cedarschema
 //
 // Service-specific Cedar schemas and context metadata.
 // Works in both browser and Node.js environments.
 //
 // Usage:
+//   import { AI_GATEWAY_SCHEMA, AI_GATEWAY_CONTEXT } from '@highflame/policy/types';
 //   import { GUARDRAILS_SCHEMA, GUARDRAILS_CONTEXT } from '@highflame/policy/types';
-//   import { MCP_GATEWAY_SCHEMA, MCP_GATEWAY_CONTEXT } from '@highflame/policy/types';
 //   import { OVERWATCH_SCHEMA, OVERWATCH_CONTEXT } from '@highflame/policy/types';
 //   import { PALISADE_SCHEMA, PALISADE_CONTEXT } from '@highflame/policy/types';
 //   import { SENTRY_SCHEMA, SENTRY_CONTEXT } from '@highflame/policy/types';
+/**
+ * AiGateway Cedar schema
+ *
+ * Full Cedar schema for ai_gateway, embedded at codegen time.
+ */
+export const AI_GATEWAY_SCHEMA = `// AIGateway Cedar Schema
+// ===================================
+// AI Gateway Security & Policy Enforcement
+//
+// AIGateway protects both MCP proxy operations (tool calls, server connections)
+// and LLM chat completions (prompt processing) by evaluating threats detected
+// by the Shield detection engine pipeline against Cedar policies.
+//
+// Architecture:
+//   MCP/LLM Client -> Firehog Proxy -> Shield (detection + Cedar) -> Allow/Deny
+//
+// Threat Coverage:
+//   - OWASP Top 10 for LLM Applications 2025 (LLM01, LLM06)
+//   - OWASP Top 10 for Agentic Applications (ASI01, ASI02, ASI04)
+//   - OWASP MCP Top 10 (MCP01-MCP05)
+namespace AIGateway {
+// =============================================================================
+// ENTITIES - Tenant Hierarchy (ReBAC)
+// =============================================================================
+// AIGateway does not use App/Session hierarchy.
+//
+// Entity hierarchy:
+//   Account (org root)
+//     -> Project in [Account]
+//          -> Tool/Server in [Project]
+//
+// Policy scoping examples:
+//   resource == AIGateway::Tool::"get_me"            -> specific tool
+//   resource in AIGateway::Project::"<uuid>"          -> project-wide
+//   resource in AIGateway::Account::"<uuid>"          -> org-wide
+/// Account represents an organization (top-level tenant)
+entity Account;
+/// Project represents a project within an account
+entity Project in [Account];
+// =============================================================================
+// ENTITIES - Principals
+// =============================================================================
+/// Human user authenticated via JWT or API key
+entity User;
+/// MCP client (default principal for unauthenticated requests)
+entity MCP_Client;
+// =============================================================================
+// ENTITIES - Resources (scoped under Project)
+// =============================================================================
+/// MCP tool -- resource for call_tool action
+entity Tool in [Project];
+/// MCP server -- resource for connect_server action
+entity Server in [Project];
+/// MCP prompt -- resource for process_prompt action
+entity LlmPrompt in [Project];
+/// File/resource path -- resource for read_file/write_file actions
+entity FilePath in [Project];
+// =============================================================================
+// ACTIONS
+// =============================================================================
+// Call an MCP tool
+// Threat focus: command injection, tool poisoning, rug pull, secrets, PII
+action call_tool appliesTo {
+  principal: [User, MCP_Client],
+  resource: [Tool],
+  context: {
+    // --- Content ---
+    content: String,                  // Raw content being scanned
+    // --- Tool & MCP ---
+    tool_name?: String,               // Tool name
+    mcp_server?: String,              // MCP server name
+    mcp_tool?: String,                // MCP tool name
+    // --- Threat Detection (from Shield detection pipeline) ---
+    threat_count?: Long,              // Total threats detected
+    highest_severity?: String,        // "critical", "high", "medium", "low", "none"
+    threat_categories?: Set<String>,  // Threat category names
+    detected_threats?: Set<String>,   // Detection rule names that matched
+    max_threat_severity?: Long,       // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)
+    contains_secrets?: Bool,          // Whether secrets/credentials detected
+    // --- Secrets (granular) ---
+    secret_types?: Set<String>,
+    secret_count?: Long,
+    // --- PII Detection ---
+    pii_detected?: Bool,
+    pii_types?: Set<String>,
+    pii_count?: Long,
+    // --- ML Detector Confidence Scores (0-100) ---
+    injection_confidence?: Long,      // Prompt injection classifier confidence
+    jailbreak_confidence?: Long,      // Jailbreak detection classifier confidence
+    // --- Agent Security (0-100) ---
+    tool_poisoning_score?: Long,      // Hidden instructions in tool description/args
+    tool_poisoning_detected?: Bool,
+    rug_pull_score?: Long,            // Tool behavior drift after trust establishment
+    rug_pull_detected?: Bool,
+    indirect_injection_score?: Long,  // Indirect injection via tool output
+    // --- Tool Risk Assessment ---
+    tool_risk_score?: Long,           // Computed tool risk (0-100)
+    tool_category?: String,           // "safe", "sensitive", "dangerous"
+    tool_is_sensitive?: Bool,
+    tool_is_builtin?: Bool,
+    // --- MCP Trust ---
+    mcp_server_verified?: Bool,       // Whether server is from verified registry
+    // --- Content Safety Scores (0-100) ---
+    violence_score?: Long,
+    weapons_score?: Long,
+    hate_speech_score?: Long,
+    crime_score?: Long,
+    sexual_score?: Long,
+    profanity_score?: Long,
+    // --- Encoding & Unicode Attacks ---
+    contains_invisible_chars?: Bool,
+    invisible_chars_score?: Long,
+    // --- Behavioral Analysis ---
+    loop_detected?: Bool,
+    loop_count?: Long,
+    loop_tool?: String,
+    suspicious_pattern?: Bool,
+    pattern_type?: String,
+    sequence_risk?: Long,
+  },
+};
+// Connect to an MCP server
+// Threat focus: supply chain, tool poisoning, rug pull, config risk
+action connect_server appliesTo {
+  principal: [User, MCP_Client],
+  resource: [Server],
+  context: {
+    content?: String,                 // Server config content (if available)
+    mcp_server?: String,
+    // --- Threat Detection ---
+    threat_count?: Long,
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    max_threat_severity?: Long,
+    // --- Agent Security (0-100) ---
+    tool_poisoning_score?: Long,
+    tool_poisoning_detected?: Bool,
+    rug_pull_score?: Long,
+    rug_pull_detected?: Bool,
+    indirect_injection_score?: Long,
+    // --- Secrets ---
+    contains_secrets?: Bool,
+    secret_types?: Set<String>,
+    secret_count?: Long,
+    // --- PII Detection ---
+    pii_detected?: Bool,
+    pii_types?: Set<String>,
+    pii_count?: Long,
+    // --- MCP Trust & Config Risk ---
+    mcp_server_verified?: Bool,
+    mcp_config_risk?: Bool,
+    mcp_risk_score?: Long,
+  },
+};
+// Process a prompt (MCP prompts/get or LLM chat completions)
+// Threat focus: injection, jailbreak, secrets, PII, content safety
+action process_prompt appliesTo {
+  principal: [User, MCP_Client],
+  resource: [LlmPrompt],
+  context: {
+    content: String,
+    mcp_server?: String,
+    // --- Threat Detection ---
+    threat_count?: Long,
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    detected_threats?: Set<String>,
+    max_threat_severity?: Long,
+    contains_secrets?: Bool,
+    // --- Secrets ---
+    secret_types?: Set<String>,
+    secret_count?: Long,
+    // --- PII Detection ---
+    pii_detected?: Bool,
+    pii_types?: Set<String>,
+    pii_count?: Long,
+    // --- ML Detector Confidence Scores (0-100) ---
+    injection_confidence?: Long,
+    jailbreak_confidence?: Long,
+    // --- Content Safety Scores (0-100) ---
+    violence_score?: Long,
+    weapons_score?: Long,
+    hate_speech_score?: Long,
+    crime_score?: Long,
+    sexual_score?: Long,
+    profanity_score?: Long,
+    // --- Encoding ---
+    contains_invisible_chars?: Bool,
+    invisible_chars_score?: Long,
+    // --- LLM-specific ---
+    model_name?: String,              // Target model name (e.g., "gpt-4", "claude-3-opus")
+    model_provider?: String,          // Provider name (e.g., "openai", "anthropic", "bedrock")
+  },
+};
+// Read an MCP resource (resources/read, resources/list)
+// Threat focus: secrets exposure, PII exposure, sensitive paths
+action read_file appliesTo {
+  principal: [User, MCP_Client],
+  resource: [FilePath],
+  context: {
+    content: String,
+    mcp_server?: String,
+    // --- Threat Detection ---
+    threat_count?: Long,
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    detected_threats?: Set<String>,
+    max_threat_severity?: Long,
+    contains_secrets?: Bool,
+    // --- Secrets ---
+    secret_types?: Set<String>,
+    secret_count?: Long,
+    // --- PII Detection ---
+    pii_detected?: Bool,
+    pii_types?: Set<String>,
+    pii_count?: Long,
+  },
+};
+// Write an MCP resource (resources/write)
+// Threat focus: secrets in output, PII in output
+action write_file appliesTo {
+  principal: [User, MCP_Client],
+  resource: [FilePath],
+  context: {
+    content: String,
+    mcp_server?: String,
+    // --- Threat Detection ---
+    threat_count?: Long,
+    highest_severity?: String,
+    threat_categories?: Set<String>,
+    detected_threats?: Set<String>,
+    max_threat_severity?: Long,
+    contains_secrets?: Bool,
+    // --- Secrets ---
+    secret_types?: Set<String>,
+    secret_count?: Long,
+    // --- PII Detection ---
+    pii_detected?: Bool,
+    pii_types?: Set<String>,
+    pii_count?: Long,
+  },
+};
+}
+`;
 /**
  * Guardrails Cedar schema
  *
@@ -200,231 +492,13 @@ namespace Guardrails {
         "keyword_categories"?: Set<String>,
         "keyword_count"?: Long,
         "contains_non_ascii"?: Bool,
-        "phishing_detected"?: Bool,
-        "content_safety_score"?: Long,           // 0-100
-        "content_safety_blocked"?: Bool,
-        // Agentic - Multi-Turn Context (optional)
-        "conversation_turn"?: Long,
-        "multi_turn_detection"?: Bool,
-        // Session Detection History — cross-turn sticky flags (optional)
-        "session_pii_detected"?: Bool,
-        "session_pii_types"?: Set<String>,
-        "session_secrets_detected"?: Bool,
-        "session_secret_types"?: Set<String>,
-        "session_injection_detected"?: Bool,
-        "session_command_injection"?: Bool,
-        "session_threat_turns"?: Long,
-        "session_max_injection_score"?: Long,
-        "session_max_jailbreak_score"?: Long,
-        "session_max_command_injection_score"?: Long,
-        "session_max_pii_score"?: Long,
-        "session_max_secret_score"?: Long,
-        "session_cumulative_risk_score"?: Long,
-        // Agent Identity — authenticated agent principal metadata (optional)
-        // Present when the request is made by an AI agent (API key or JWT with agent claims).
-        // Empty strings for human user requests. Use these to write agent-specific policies.
-        "agent_id"?: String,             // Unique agent identifier (e.g., "agent_research_v3")
-        "agent_type"?: String,           // "orchestrator" | "autonomous" | "tool_agent" | "human_proxy"
-        "agent_trust_level"?: String,    // "first_party" | "verified_third_party" | "unverified"
-        "agent_framework"?: String,      // Agent framework (e.g., "claude-code", "langchain", "crewai")
-        "agent_publisher"?: String,      // Organization that published the agent
-    };
-    /// Context for call_tool action (agentic tool execution)
-    type CallToolContext = {
-        // Core metadata (required)
-        "request_id": String,
-        "timestamp": Long,
-        // Tool Risk (optional)
-        "tool_name"?: String,            // "shell", "write_file", "http_post", etc.
-        "tool_risk_score"?: Long,        // 0-100
-        "tool_is_sensitive"?: Bool,
-        "tool_category"?: String,        // "safe" | "sensitive" | "dangerous"
-        "tool_is_builtin"?: Bool,
-        // MCP context (optional — only present for MCP tool calls)
-        "mcp_server"?: String,           // MCP server name (e.g., "github", "filesystem")
-        "mcp_tool"?: String,             // MCP tool name within the server
-        "mcp_server_verified"?: Bool,    // Whether server is from verified registry
-        // Agentic - Behavioral Patterns (optional)
-        "suspicious_pattern"?: Bool,
-        "pattern_type"?: String,         // "data_exfiltration" | "secret_exfiltration" | "db_exfiltration" | "credential_theft" | "destructive_sequence" | "none"
-        "sequence_risk"?: Long,          // 0-100
-        // Agentic - Loop Detection (optional)
-        "loop_detected"?: Bool,
-        "loop_count"?: Long,
-        "loop_tool"?: String,
-        // Agentic - Budget Control (optional)
-        "budget_remaining_pct"?: Long,   // 0-100
-        "budget_exceeded"?: Bool,
-        // Semantic - Topic Classification (optional)
-        "content_topics"?: Set<String>,      // ["controlled_substances", "weapons_manufacturing", ...]
-        "topic_confidence"?: Long,           // 0-100
-        // Security checks on tool arguments (optional)
-        "contains_secrets"?: Bool,
-        "secret_count"?: Long,
-        "secret_types"?: Set<String>,
-        "pii_detected"?: Bool,
-        "pii_types"?: Set<String>,
-        "pii_count"?: Long,              // Number of PII pattern matches in tool content
-        "pii_confidence"?: Long,         // PII ML classifier confidence (0-100)
-        "injection_confidence"?: Long,
-        "injection_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
-        "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
-        // Security - Pattern Detection (optional)
-        "command_injection_detected"?: Bool,
-        "command_injection_type"?: String,
-        "command_injection_score"?: Long,        // 0-100
-        "path_traversal_detected"?: Bool,
-        "path_traversal_severity"?: String,
-        "path_traversal_type"?: String,
-        "sql_injection_detected"?: Bool,
-        "sql_injection_type"?: String,
-        "sql_injection_score"?: Long,            // 0-100
-        // Security - Cross-Origin Escalation (optional)
-        "cross_origin_detected"?: Bool,
-        "cross_origin_type"?: String,
-        "cross_origin_score"?: Long,             // 0-100
-        // File & Path (optional — for path-based access control policies)
-        "path"?: String,                         // File path when tool operates on files
-        // Security - Invisible Character Detection in tool args (optional)
-        "contains_invisible_chars"?: Bool,       // Whether invisible Unicode chars detected in tool args
-        "invisible_chars_score"?: Long,          // Invisible character attack severity (0-100)
-        // Security - Encoded Injection (optional)
-        "encoded_content_detected"?: Bool,
-        "encoded_types"?: Set<String>,
-        "encoded_count"?: Long,
-        "encoded_score"?: Long,                  // 0-100
-        // Agentic - Agent Security (optional)
-        "tool_poisoning_detected"?: Bool,
-        "tool_poisoning_score"?: Long,           // 0-100
-        "tool_poisoning_type"?: String,          // "hidden_instructions" | "system_prompt_injection" | "authority_hijack"
-        "rug_pull_detected"?: Bool,
-        "rug_pull_score"?: Long,                 // 0-100
-        "rug_pull_type"?: String,                // "risk_spike" | "pattern_change" | "combined" | "none"
-        // Agentic - Indirect Prompt Injection (optional — injection via tool outputs/retrieved content)
-        "indirect_injection_score"?: Long,       // Indirect injection risk score (0-100)
-        "indirect_injection_type"?: String,      // Type of indirect injection detected
-        // Agentic - MCP Risk (optional)
-        "mcp_config_risk"?: Bool,
-        "mcp_risk_type"?: String,                // "inline_execution" | "suspicious_url" | "cross_origin"
-        "mcp_risk_score"?: Long,                 // 0-100
-        // Agentic - Multi-Turn Context (optional)
-        "conversation_turn"?: Long,
-        "multi_turn_detection"?: Bool,
-        // Session Detection History — cross-turn sticky flags (optional)
-        "session_pii_detected"?: Bool,
-        "session_pii_types"?: Set<String>,
-        "session_secrets_detected"?: Bool,
-        "session_secret_types"?: Set<String>,
-        "session_injection_detected"?: Bool,
-        "session_command_injection"?: Bool,
-        "session_threat_turns"?: Long,
-        "session_max_injection_score"?: Long,
-        "session_max_jailbreak_score"?: Long,
-        "session_max_command_injection_score"?: Long,
-        "session_max_pii_score"?: Long,
-        "session_max_secret_score"?: Long,
-        "session_cumulative_risk_score"?: Long,
-        // Agent Identity — authenticated agent principal metadata (optional)
-        "agent_id"?: String,
-        "agent_type"?: String,
-        "agent_trust_level"?: String,
-        "agent_framework"?: String,
-        "agent_publisher"?: String,
-    };
-    /// Context for read_file action
-    type FileReadContext = {
-        // Core metadata (required)
-        "request_id": String,
-        "timestamp": Long,
-        // File path (optional — for path-based access control policies)
-        "path"?: String,                 // File path being read
-        // Security checks on file content (optional)
-        "contains_secrets"?: Bool,
-        "secret_count"?: Long,
-        "secret_types"?: Set<String>,
-        "pii_detected"?: Bool,
-        "pii_types"?: Set<String>,
-        // Security - Path Traversal (optional)
-        "path_traversal_detected"?: Bool,
-        "path_traversal_severity"?: String,
-        "path_traversal_type"?: String,
-        // Session Detection History — cross-turn sticky flags (optional)
-        "session_pii_detected"?: Bool,
-        "session_pii_types"?: Set<String>,
-        "session_secrets_detected"?: Bool,
-        "session_secret_types"?: Set<String>,
-        "session_injection_detected"?: Bool,
-        "session_command_injection"?: Bool,
-        "session_threat_turns"?: Long,
-        "session_max_injection_score"?: Long,
-        "session_max_jailbreak_score"?: Long,
-        "session_max_command_injection_score"?: Long,
-        "session_max_pii_score"?: Long,
-        "session_max_secret_score"?: Long,
-        "session_cumulative_risk_score"?: Long,
-        // Agent Identity — authenticated agent principal metadata (optional)
-        "agent_id"?: String,
-        "agent_type"?: String,
-        "agent_trust_level"?: String,
-        "agent_framework"?: String,
-        "agent_publisher"?: String,
-    };
-    /// Context for write_file action
-    type FileWriteContext = {
-        // Core metadata (required)
-        "request_id": String,
-        "timestamp": Long,
-        // File path (optional — for path-based access control policies)
-        "path"?: String,                         // File path being written
-        // Security - Invisible Character Detection in write content (optional)
-        "contains_invisible_chars"?: Bool,       // Whether invisible Unicode chars detected in write content
-        "invisible_chars_score"?: Long,          // Invisible character attack severity (0-100)
-        // Security checks on content being written (optional)
-        "contains_secrets"?: Bool,
-        "secret_count"?: Long,
-        "secret_types"?: Set<String>,
-        "pii_detected"?: Bool,
-        "pii_types"?: Set<String>,
+        "phishing_detected"?: Bool,
+        "content_safety_score"?: Long,           // 0-100
+        "content_safety_blocked"?: Bool,
-        // Security - Path Traversal (optional)
-        "path_traversal_detected"?: Bool,
-        "path_traversal_severity"?: String,
-        "path_traversal_type"?: String,
+        // Agentic - Multi-Turn Context (optional)
+        "conversation_turn"?: Long,
+        "multi_turn_detection"?: Bool,
         // Session Detection History — cross-turn sticky flags (optional)
         "session_pii_detected"?: Bool,
@@ -442,38 +516,113 @@ namespace Guardrails {
         "session_cumulative_risk_score"?: Long,
         // Agent Identity — authenticated agent principal metadata (optional)
-        "agent_id"?: String,
-        "agent_type"?: String,
-        "agent_trust_level"?: String,
-        "agent_framework"?: String,
-        "agent_publisher"?: String,
+        // Present when the request is made by an AI agent (API key or JWT with agent claims).
+        // Empty strings for human user requests. Use these to write agent-specific policies.
+        "agent_id"?: String,             // Unique agent identifier (e.g., "agent_research_v3")
+        "agent_type"?: String,           // "orchestrator" | "autonomous" | "tool_agent" | "human_proxy"
+        "agent_trust_level"?: String,    // "first_party" | "verified_third_party" | "unverified"
+        "agent_framework"?: String,      // Agent framework (e.g., "claude-code", "langchain", "crewai")
+        "agent_publisher"?: String,      // Organization that published the agent
     };
-    /// Context for connect_server action (MCP server connections)
-    type ConnectServerContext = {
+    /// Context for call_tool action (agentic tool execution)
+    type CallToolContext = {
         // Core metadata (required)
         "request_id": String,
         "timestamp": Long,
-        // MCP context (optional)
+        // Tool Risk (optional)
+        "tool_name"?: String,            // "shell", "write_file", "http_post", etc.
+        "tool_risk_score"?: Long,        // 0-100
+        "tool_is_sensitive"?: Bool,
+        "tool_category"?: String,        // "safe" | "sensitive" | "dangerous"
+        "tool_is_builtin"?: Bool,
+        // MCP context (optional — only present for MCP tool calls)
         "mcp_server"?: String,           // MCP server name (e.g., "github", "filesystem")
+        "mcp_tool"?: String,             // MCP tool name within the server
         "mcp_server_verified"?: Bool,    // Whether server is from verified registry
+        // Agentic - Behavioral Patterns (optional)
+        "suspicious_pattern"?: Bool,
+        "pattern_type"?: String,         // "data_exfiltration" | "secret_exfiltration" | "db_exfiltration" | "credential_theft" | "destructive_sequence" | "none"
+        "sequence_risk"?: Long,          // 0-100
+        // Agentic - Loop Detection (optional)
+        "loop_detected"?: Bool,
+        "loop_count"?: Long,
+        "loop_tool"?: String,
+        // Agentic - Budget Control (optional)
+        "budget_remaining_pct"?: Long,   // 0-100
+        "budget_exceeded"?: Bool,
+        // Semantic - Topic Classification (optional)
+        "content_topics"?: Set<String>,      // ["controlled_substances", "weapons_manufacturing", ...]
+        "topic_confidence"?: Long,           // 0-100
+        // Security checks on tool arguments (optional)
+        "contains_secrets"?: Bool,
+        "secret_count"?: Long,
+        "secret_types"?: Set<String>,
+        "pii_detected"?: Bool,
+        "pii_types"?: Set<String>,
+        "pii_count"?: Long,              // Number of PII pattern matches in tool content
+        "pii_confidence"?: Long,         // PII ML classifier confidence (0-100)
+        "injection_confidence"?: Long,
+        "injection_pulse_score"?: Long,  // 0-100 Pulse single-turn classifier
+        "injection_deep_context_score"?: Long, // 0-100 DeepContext multi-turn
+        // Security - Pattern Detection (optional)
+        "command_injection_detected"?: Bool,
+        "command_injection_type"?: String,
+        "command_injection_score"?: Long,        // 0-100
+        "path_traversal_detected"?: Bool,
+        "path_traversal_severity"?: String,
+        "path_traversal_type"?: String,
+        "sql_injection_detected"?: Bool,
+        "sql_injection_type"?: String,
+        "sql_injection_score"?: Long,            // 0-100
+        // Security - Cross-Origin Escalation (optional)
+        "cross_origin_detected"?: Bool,
+        "cross_origin_type"?: String,
+        "cross_origin_score"?: Long,             // 0-100
+        // File & Path (optional — for path-based access control policies)
+        "path"?: String,                         // File path when tool operates on files
+        // Security - Invisible Character Detection in tool args (optional)
+        "contains_invisible_chars"?: Bool,       // Whether invisible Unicode chars detected in tool args
+        "invisible_chars_score"?: Long,          // Invisible character attack severity (0-100)
+        // Security - Encoded Injection (optional)
+        "encoded_content_detected"?: Bool,
+        "encoded_types"?: Set<String>,
+        "encoded_count"?: Long,
+        "encoded_score"?: Long,                  // 0-100
         // Agentic - Agent Security (optional)
         "tool_poisoning_detected"?: Bool,
-        "tool_poisoning_score"?: Long,
-        "tool_poisoning_type"?: String,
+        "tool_poisoning_score"?: Long,           // 0-100
+        "tool_poisoning_type"?: String,          // "hidden_instructions" | "system_prompt_injection" | "authority_hijack"
+        "rug_pull_detected"?: Bool,
+        "rug_pull_score"?: Long,                 // 0-100
+        "rug_pull_type"?: String,                // "risk_spike" | "pattern_change" | "combined" | "none"
+        // Agentic - Indirect Prompt Injection (optional — injection via tool outputs/retrieved content)
+        "indirect_injection_score"?: Long,       // Indirect injection risk score (0-100)
+        "indirect_injection_type"?: String,      // Type of indirect injection detected
         // Agentic - MCP Risk (optional)
         "mcp_config_risk"?: Bool,
-        "mcp_risk_type"?: String,
-        "mcp_risk_score"?: Long,
+        "mcp_risk_type"?: String,                // "inline_execution" | "suspicious_url" | "cross_origin"
+        "mcp_risk_score"?: Long,                 // 0-100
-        // Security - Cross-Origin Escalation (optional)
-        "cross_origin_detected"?: Bool,
-        "cross_origin_type"?: String,
-        "cross_origin_score"?: Long,
+        // Agentic - Multi-Turn Context (optional)
+        "conversation_turn"?: Long,
+        "multi_turn_detection"?: Bool,
         // Session Detection History — cross-turn sticky flags (optional)
         "session_pii_detected"?: Bool,
@@ -498,284 +647,149 @@ namespace Guardrails {
         "agent_publisher"?: String,
     };
-}
-`;
-/**
- * McpGateway Cedar schema
- *
- * Full Cedar schema for mcp_gateway, embedded at codegen time.
- */
-export const MCP_GATEWAY_SCHEMA = `// MCPGateway Cedar Schema
-// ===================================
-// MCP Gateway Security & Policy Enforcement
-//
-// MCPGateway protects MCP proxy operations (tool calls, server connections)
-// by evaluating threats detected by the Shield detection engine pipeline
-// against Cedar policies.
-//
-// Architecture:
-//   MCP Client -> Firehog Proxy -> Shield (detection + Cedar) -> Allow/Deny
-//
-// Threat Coverage:
-//   - OWASP Top 10 for LLM Applications 2025 (LLM01, LLM06)
-//   - OWASP Top 10 for Agentic Applications (ASI01, ASI02, ASI04)
-//   - OWASP MCP Top 10 (MCP01-MCP05)
-namespace MCPGateway {
-// =============================================================================
-// ENTITIES - Tenant Hierarchy (ReBAC)
-// =============================================================================
-// MCPGateway does not use App/Session hierarchy.
-//
-// Entity hierarchy:
-//   Account (org root)
-//     -> Project in [Account]
-//          -> Tool/Server in [Project]
-//
-// Policy scoping examples:
-//   resource == MCPGateway::Tool::"get_me"            -> specific tool
-//   resource in MCPGateway::Project::"<uuid>"          -> project-wide
-//   resource in MCPGateway::Account::"<uuid>"          -> org-wide
-/// Account represents an organization (top-level tenant)
-entity Account;
-/// Project represents a project within an account
-entity Project in [Account];
-// =============================================================================
-// ENTITIES - Principals
-// =============================================================================
-/// Human user authenticated via JWT or API key
-entity User;
-/// MCP client (default principal for unauthenticated requests)
-entity MCP_Client;
-// =============================================================================
-// ENTITIES - Resources (scoped under Project)
-// =============================================================================
-/// MCP tool -- resource for call_tool action
-entity Tool in [Project];
-/// MCP server -- resource for connect_server action
-entity Server in [Project];
-/// MCP prompt -- resource for process_prompt action
-entity LlmPrompt in [Project];
-/// File/resource path -- resource for read_file/write_file actions
-entity FilePath in [Project];
-// =============================================================================
-// ACTIONS
-// =============================================================================
-// Call an MCP tool
-// Threat focus: command injection, tool poisoning, rug pull, secrets, PII
-action call_tool appliesTo {
-  principal: [User, MCP_Client],
-  resource: [Tool],
-  context: {
-    // --- Content ---
-    content: String,                  // Raw content being scanned
-    // --- Tool & MCP ---
-    tool_name?: String,               // Tool name
-    mcp_server?: String,              // MCP server name
-    mcp_tool?: String,                // MCP tool name
-    // --- Threat Detection (from Shield detection pipeline) ---
-    threat_count?: Long,              // Total threats detected
-    highest_severity?: String,        // "critical", "high", "medium", "low", "none"
-    threat_categories?: Set<String>,  // Threat category names
-    detected_threats?: Set<String>,   // Detection rule names that matched
-    max_threat_severity?: Long,       // Numeric severity (0=none, 1=low, 2=medium, 3=high, 4=critical)
-    contains_secrets?: Bool,          // Whether secrets/credentials detected
-    // --- Secrets (granular) ---
-    secret_types?: Set<String>,
-    secret_count?: Long,
-    // --- PII Detection ---
-    pii_detected?: Bool,
-    pii_types?: Set<String>,
-    pii_count?: Long,
-    // --- ML Detector Confidence Scores (0-100) ---
-    injection_confidence?: Long,      // Prompt injection classifier confidence
-    jailbreak_confidence?: Long,      // Jailbreak detection classifier confidence
-    // --- Agent Security (0-100) ---
-    tool_poisoning_score?: Long,      // Hidden instructions in tool description/args
-    tool_poisoning_detected?: Bool,
-    rug_pull_score?: Long,            // Tool behavior drift after trust establishment
-    rug_pull_detected?: Bool,
-    indirect_injection_score?: Long,  // Indirect injection via tool output
-    // --- Tool Risk Assessment ---
-    tool_risk_score?: Long,           // Computed tool risk (0-100)
-    tool_category?: String,           // "safe", "sensitive", "dangerous"
-    tool_is_sensitive?: Bool,
-    tool_is_builtin?: Bool,
-    // --- MCP Trust ---
-    mcp_server_verified?: Bool,       // Whether server is from verified registry
-    // --- Content Safety Scores (0-100) ---
-    violence_score?: Long,
-    weapons_score?: Long,
-    hate_speech_score?: Long,
-    crime_score?: Long,
-    sexual_score?: Long,
-    profanity_score?: Long,
-    // --- Encoding & Unicode Attacks ---
-    contains_invisible_chars?: Bool,
-    invisible_chars_score?: Long,
-    // --- Behavioral Analysis ---
-    loop_detected?: Bool,
-    loop_count?: Long,
-    loop_tool?: String,
-    suspicious_pattern?: Bool,
-    pattern_type?: String,
-    sequence_risk?: Long,
-  },
-};
+    /// Context for read_file action
+    type FileReadContext = {
+        // Core metadata (required)
+        "request_id": String,
+        "timestamp": Long,
-// Connect to an MCP server
-// Threat focus: supply chain, tool poisoning, rug pull, config risk
-action connect_server appliesTo {
-  principal: [User, MCP_Client],
-  resource: [Server],
-  context: {
-    content?: String,                 // Server config content (if available)
-    mcp_server?: String,
+        // File path (optional — for path-based access control policies)
+        "path"?: String,                 // File path being read
-    // --- Threat Detection ---
-    threat_count?: Long,
-    highest_severity?: String,
-    threat_categories?: Set<String>,
-    max_threat_severity?: Long,
+        // Security checks on file content (optional)
+        "contains_secrets"?: Bool,
+        "secret_count"?: Long,
+        "secret_types"?: Set<String>,
+        "pii_detected"?: Bool,
+        "pii_types"?: Set<String>,
-    // --- Agent Security (0-100) ---
-    tool_poisoning_score?: Long,
-    tool_poisoning_detected?: Bool,
-    rug_pull_score?: Long,
-    rug_pull_detected?: Bool,
-    indirect_injection_score?: Long,
+        // Security - Path Traversal (optional)
+        "path_traversal_detected"?: Bool,
+        "path_traversal_severity"?: String,
+        "path_traversal_type"?: String,
-    // --- MCP Trust & Config Risk ---
-    mcp_server_verified?: Bool,
-    mcp_config_risk?: Bool,
-    mcp_risk_score?: Long,
-  },
-};
+        // Session Detection History — cross-turn sticky flags (optional)
+        "session_pii_detected"?: Bool,
+        "session_pii_types"?: Set<String>,
+        "session_secrets_detected"?: Bool,
+        "session_secret_types"?: Set<String>,
+        "session_injection_detected"?: Bool,
+        "session_command_injection"?: Bool,
+        "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
-// Process an MCP prompt (prompts/get, prompts/list)
-// Threat focus: injection, jailbreak, secrets, PII, content safety
-action process_prompt appliesTo {
-  principal: [User, MCP_Client],
-  resource: [LlmPrompt],
-  context: {
-    content: String,
-    mcp_server?: String,
+        // Agent Identity — authenticated agent principal metadata (optional)
+        "agent_id"?: String,
+        "agent_type"?: String,
+        "agent_trust_level"?: String,
+        "agent_framework"?: String,
+        "agent_publisher"?: String,
-    // --- Threat Detection ---
-    threat_count?: Long,
-    highest_severity?: String,
-    threat_categories?: Set<String>,
-    detected_threats?: Set<String>,
-    max_threat_severity?: Long,
-    contains_secrets?: Bool,
+    };
-    // --- Secrets ---
-    secret_types?: Set<String>,
-    secret_count?: Long,
+    /// Context for write_file action
+    type FileWriteContext = {
+        // Core metadata (required)
+        "request_id": String,
+        "timestamp": Long,
-    // --- PII Detection ---
-    pii_detected?: Bool,
-    pii_types?: Set<String>,
-    pii_count?: Long,
+        // File path (optional — for path-based access control policies)
+        "path"?: String,                         // File path being written
-    // --- ML Detector Confidence Scores (0-100) ---
-    injection_confidence?: Long,
-    jailbreak_confidence?: Long,
+        // Security - Invisible Character Detection in write content (optional)
+        "contains_invisible_chars"?: Bool,       // Whether invisible Unicode chars detected in write content
+        "invisible_chars_score"?: Long,          // Invisible character attack severity (0-100)
-    // --- Content Safety Scores (0-100) ---
-    violence_score?: Long,
-    weapons_score?: Long,
-    hate_speech_score?: Long,
-    crime_score?: Long,
-    sexual_score?: Long,
-    profanity_score?: Long,
+        // Security checks on content being written (optional)
+        "contains_secrets"?: Bool,
+        "secret_count"?: Long,
+        "secret_types"?: Set<String>,
+        "pii_detected"?: Bool,
+        "pii_types"?: Set<String>,
-    // --- Encoding ---
-    contains_invisible_chars?: Bool,
-    invisible_chars_score?: Long,
-  },
-};
+        // Security - Path Traversal (optional)
+        "path_traversal_detected"?: Bool,
+        "path_traversal_severity"?: String,
+        "path_traversal_type"?: String,
-// Read an MCP resource (resources/read, resources/list)
-// Threat focus: secrets exposure, PII exposure, sensitive paths
-action read_file appliesTo {
-  principal: [User, MCP_Client],
-  resource: [FilePath],
-  context: {
-    content: String,
-    mcp_server?: String,
+        // Session Detection History — cross-turn sticky flags (optional)
+        "session_pii_detected"?: Bool,
+        "session_pii_types"?: Set<String>,
+        "session_secrets_detected"?: Bool,
+        "session_secret_types"?: Set<String>,
+        "session_injection_detected"?: Bool,
+        "session_command_injection"?: Bool,
+        "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
-    // --- Threat Detection ---
-    threat_count?: Long,
-    highest_severity?: String,
-    threat_categories?: Set<String>,
-    detected_threats?: Set<String>,
-    max_threat_severity?: Long,
-    contains_secrets?: Bool,
+        // Agent Identity — authenticated agent principal metadata (optional)
+        "agent_id"?: String,
+        "agent_type"?: String,
+        "agent_trust_level"?: String,
+        "agent_framework"?: String,
+        "agent_publisher"?: String,
-    // --- Secrets ---
-    secret_types?: Set<String>,
-    secret_count?: Long,
+    };
-    // --- PII Detection ---
-    pii_detected?: Bool,
-    pii_types?: Set<String>,
-    pii_count?: Long,
-  },
-};
+    /// Context for connect_server action (MCP server connections)
+    type ConnectServerContext = {
+        // Core metadata (required)
+        "request_id": String,
+        "timestamp": Long,
-// Write an MCP resource (resources/write)
-// Threat focus: secrets in output, PII in output
-action write_file appliesTo {
-  principal: [User, MCP_Client],
-  resource: [FilePath],
-  context: {
-    content: String,
-    mcp_server?: String,
+        // MCP context (optional)
+        "mcp_server"?: String,           // MCP server name (e.g., "github", "filesystem")
+        "mcp_server_verified"?: Bool,    // Whether server is from verified registry
-    // --- Threat Detection ---
-    threat_count?: Long,
-    highest_severity?: String,
-    threat_categories?: Set<String>,
-    detected_threats?: Set<String>,
-    max_threat_severity?: Long,
-    contains_secrets?: Bool,
+        // Agentic - Agent Security (optional)
+        "tool_poisoning_detected"?: Bool,
+        "tool_poisoning_score"?: Long,
+        "tool_poisoning_type"?: String,
-    // --- Secrets ---
-    secret_types?: Set<String>,
-    secret_count?: Long,
+        // Agentic - MCP Risk (optional)
+        "mcp_config_risk"?: Bool,
+        "mcp_risk_type"?: String,
+        "mcp_risk_score"?: Long,
-    // --- PII Detection ---
-    pii_detected?: Bool,
-    pii_types?: Set<String>,
-    pii_count?: Long,
-  },
-};
+        // Security - Cross-Origin Escalation (optional)
+        "cross_origin_detected"?: Bool,
+        "cross_origin_type"?: String,
+        "cross_origin_score"?: Long,
+        // Session Detection History — cross-turn sticky flags (optional)
+        "session_pii_detected"?: Bool,
+        "session_pii_types"?: Set<String>,
+        "session_secrets_detected"?: Bool,
+        "session_secret_types"?: Set<String>,
+        "session_injection_detected"?: Bool,
+        "session_command_injection"?: Bool,
+        "session_threat_turns"?: Long,
+        "session_max_injection_score"?: Long,
+        "session_max_jailbreak_score"?: Long,
+        "session_max_command_injection_score"?: Long,
+        "session_max_pii_score"?: Long,
+        "session_max_secret_score"?: Long,
+        "session_cumulative_risk_score"?: Long,
+        // Agent Identity — authenticated agent principal metadata (optional)
+        "agent_id"?: String,
+        "agent_type"?: String,
+        "agent_trust_level"?: String,
+        "agent_framework"?: String,
+        "agent_publisher"?: String,
+    };
 }
 `;
 /**
@@ -1758,9 +1772,160 @@ action upload_file appliesTo {
     session_threat_turns?: Long,
   },
 };
-}
-`;
+}
+`;
+/**
+ * AiGateway context metadata (parsed JSON)
+ */
+export const AI_GATEWAY_CONTEXT = {
+    "service": "ai_gateway",
+    "version": "2.0.0",
+    "description": "Context attributes for AIGateway Cedar policies (MCP + LLM)",
+    "actions": [
+        {
+            "name": "call_tool",
+            "description": "Call an MCP tool — threat focus: command injection, tool poisoning, rug pull, secrets, PII",
+            "context_attributes": [
+                { "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
+                { "key": "tool_name", "type": "string", "required": false, "description": "Tool name" },
+                { "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
+                { "key": "mcp_tool", "type": "string", "required": false, "description": "MCP tool name" },
+                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
+                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest threat severity" },
+                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names" },
+                { "key": "detected_threats", "type": "array", "required": false, "description": "Detection rule names that matched" },
+                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity (0-4)" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets/credentials detected" },
+                { "key": "secret_types", "type": "array", "required": false, "description": "Types of secrets found" },
+                { "key": "secret_count", "type": "number", "required": false, "description": "Number of distinct secrets" },
+                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII detected" },
+                { "key": "pii_types", "type": "array", "required": false, "description": "Types of PII detected" },
+                { "key": "pii_count", "type": "number", "required": false, "description": "Number of PII matches" },
+                { "key": "injection_confidence", "type": "number", "required": false, "description": "Injection classifier confidence (0-100)" },
+                { "key": "jailbreak_confidence", "type": "number", "required": false, "description": "Jailbreak classifier confidence (0-100)" },
+                { "key": "tool_poisoning_score", "type": "number", "required": false, "description": "Tool poisoning risk score (0-100)" },
+                { "key": "tool_poisoning_detected", "type": "boolean", "required": false, "description": "Tool poisoning detected flag" },
+                { "key": "rug_pull_score", "type": "number", "required": false, "description": "Rug pull risk score (0-100)" },
+                { "key": "rug_pull_detected", "type": "boolean", "required": false, "description": "Rug pull detected flag" },
+                { "key": "indirect_injection_score", "type": "number", "required": false, "description": "Indirect injection score (0-100)" },
+                { "key": "tool_risk_score", "type": "number", "required": false, "description": "Computed tool risk (0-100)" },
+                { "key": "tool_category", "type": "string", "required": false, "description": "Tool category: safe/sensitive/dangerous" },
+                { "key": "tool_is_sensitive", "type": "boolean", "required": false, "description": "Tool sensitivity flag" },
+                { "key": "tool_is_builtin", "type": "boolean", "required": false, "description": "Built-in tool flag" },
+                { "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether server is from verified registry" },
+                { "key": "violence_score", "type": "number", "required": false, "description": "Violence content score (0-100)" },
+                { "key": "weapons_score", "type": "number", "required": false, "description": "Weapons content score (0-100)" },
+                { "key": "hate_speech_score", "type": "number", "required": false, "description": "Hate speech score (0-100)" },
+                { "key": "crime_score", "type": "number", "required": false, "description": "Crime content score (0-100)" },
+                { "key": "sexual_score", "type": "number", "required": false, "description": "Sexual content score (0-100)" },
+                { "key": "profanity_score", "type": "number", "required": false, "description": "Profanity score (0-100)" },
+                { "key": "contains_invisible_chars", "type": "boolean", "required": false, "description": "Invisible Unicode chars detected" },
+                { "key": "invisible_chars_score", "type": "number", "required": false, "description": "Unicode attack severity (0-100)" },
+                { "key": "loop_detected", "type": "boolean", "required": false, "description": "Tool call loop detected" },
+                { "key": "loop_count", "type": "number", "required": false, "description": "Consecutive repeat calls" },
+                { "key": "suspicious_pattern", "type": "boolean", "required": false, "description": "Data exfiltration or attack sequence detected" },
+                { "key": "pattern_type", "type": "string", "required": false, "description": "Pattern type" },
+                { "key": "sequence_risk", "type": "number", "required": false, "description": "Sequence risk score (0-100)" }
+            ]
+        },
+        {
+            "name": "connect_server",
+            "description": "Connect to an MCP server — threat focus: supply chain, tool poisoning, config risk",
+            "context_attributes": [
+                { "key": "content", "type": "string", "required": false, "description": "Server config content" },
+                { "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
+                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
+                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest threat severity" },
+                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names" },
+                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity (0-4)" },
+                { "key": "tool_poisoning_score", "type": "number", "required": false, "description": "Tool poisoning risk (0-100)" },
+                { "key": "tool_poisoning_detected", "type": "boolean", "required": false, "description": "Tool poisoning detected" },
+                { "key": "rug_pull_score", "type": "number", "required": false, "description": "Rug pull risk (0-100)" },
+                { "key": "rug_pull_detected", "type": "boolean", "required": false, "description": "Rug pull detected" },
+                { "key": "indirect_injection_score", "type": "number", "required": false, "description": "Indirect injection score (0-100)" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets/credentials detected" },
+                { "key": "secret_types", "type": "array", "required": false, "description": "Types of secrets found" },
+                { "key": "secret_count", "type": "number", "required": false, "description": "Number of distinct secrets" },
+                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII detected" },
+                { "key": "pii_types", "type": "array", "required": false, "description": "Types of PII detected" },
+                { "key": "pii_count", "type": "number", "required": false, "description": "Number of PII matches" },
+                { "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Verified registry status" },
+                { "key": "mcp_config_risk", "type": "boolean", "required": false, "description": "Risky server config detected" },
+                { "key": "mcp_risk_score", "type": "number", "required": false, "description": "Config risk severity (0-100)" }
+            ]
+        },
+        {
+            "name": "process_prompt",
+            "description": "Process a prompt (MCP or LLM chat completion) — threat focus: injection, jailbreak, secrets, PII, content safety",
+            "context_attributes": [
+                { "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
+                { "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
+                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
+                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest threat severity" },
+                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names" },
+                { "key": "detected_threats", "type": "array", "required": false, "description": "Detection rule names that matched" },
+                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity (0-4)" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets/credentials detected" },
+                { "key": "secret_types", "type": "array", "required": false, "description": "Types of secrets found" },
+                { "key": "secret_count", "type": "number", "required": false, "description": "Number of distinct secrets" },
+                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII detected" },
+                { "key": "pii_types", "type": "array", "required": false, "description": "Types of PII detected" },
+                { "key": "pii_count", "type": "number", "required": false, "description": "Number of PII matches" },
+                { "key": "injection_confidence", "type": "number", "required": false, "description": "Injection classifier confidence (0-100)" },
+                { "key": "jailbreak_confidence", "type": "number", "required": false, "description": "Jailbreak classifier confidence (0-100)" },
+                { "key": "violence_score", "type": "number", "required": false, "description": "Violence content score (0-100)" },
+                { "key": "weapons_score", "type": "number", "required": false, "description": "Weapons content score (0-100)" },
+                { "key": "hate_speech_score", "type": "number", "required": false, "description": "Hate speech score (0-100)" },
+                { "key": "crime_score", "type": "number", "required": false, "description": "Crime content score (0-100)" },
+                { "key": "sexual_score", "type": "number", "required": false, "description": "Sexual content score (0-100)" },
+                { "key": "profanity_score", "type": "number", "required": false, "description": "Profanity score (0-100)" },
+                { "key": "contains_invisible_chars", "type": "boolean", "required": false, "description": "Invisible Unicode chars detected" },
+                { "key": "invisible_chars_score", "type": "number", "required": false, "description": "Unicode attack severity (0-100)" },
+                { "key": "model_name", "type": "string", "required": false, "description": "Target model name (e.g., gpt-4, claude-3-opus)" },
+                { "key": "model_provider", "type": "string", "required": false, "description": "Provider name (e.g., openai, anthropic, bedrock)" }
+            ]
+        },
+        {
+            "name": "read_file",
+            "description": "Read an MCP resource — threat focus: secrets exposure, PII exposure",
+            "context_attributes": [
+                { "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
+                { "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
+                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
+                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest threat severity" },
+                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names" },
+                { "key": "detected_threats", "type": "array", "required": false, "description": "Detection rule names that matched" },
+                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity (0-4)" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets/credentials detected" },
+                { "key": "secret_types", "type": "array", "required": false, "description": "Types of secrets found" },
+                { "key": "secret_count", "type": "number", "required": false, "description": "Number of distinct secrets" },
+                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII detected" },
+                { "key": "pii_types", "type": "array", "required": false, "description": "Types of PII detected" },
+                { "key": "pii_count", "type": "number", "required": false, "description": "Number of PII matches" }
+            ]
+        },
+        {
+            "name": "write_file",
+            "description": "Write an MCP resource — threat focus: secrets in output, PII in output",
+            "context_attributes": [
+                { "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
+                { "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
+                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
+                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest threat severity" },
+                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names" },
+                { "key": "detected_threats", "type": "array", "required": false, "description": "Detection rule names that matched" },
+                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity (0-4)" },
+                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets/credentials detected" },
+                { "key": "secret_types", "type": "array", "required": false, "description": "Types of secrets found" },
+                { "key": "secret_count", "type": "number", "required": false, "description": "Number of distinct secrets" },
+                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII detected" },
+                { "key": "pii_types", "type": "array", "required": false, "description": "Types of PII detected" },
+                { "key": "pii_count", "type": "number", "required": false, "description": "Number of PII matches" }
+            ]
+        }
+    ]
+};
 /**
  * Guardrails context metadata (parsed JSON)
  */
@@ -2057,149 +2222,6 @@ export const GUARDRAILS_CONTEXT = {
         }
     ]
 };
-/**
- * McpGateway context metadata (parsed JSON)
- */
-export const MCP_GATEWAY_CONTEXT = {
-    "service": "mcp_gateway",
-    "version": "1.0.0",
-    "description": "Context attributes for MCPGateway Cedar policies",
-    "actions": [
-        {
-            "name": "call_tool",
-            "description": "Call an MCP tool — threat focus: command injection, tool poisoning, rug pull, secrets, PII",
-            "context_attributes": [
-                { "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
-                { "key": "tool_name", "type": "string", "required": false, "description": "Tool name" },
-                { "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
-                { "key": "mcp_tool", "type": "string", "required": false, "description": "MCP tool name" },
-                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
-                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest threat severity" },
-                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names" },
-                { "key": "detected_threats", "type": "array", "required": false, "description": "Detection rule names that matched" },
-                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity (0-4)" },
-                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets/credentials detected" },
-                { "key": "secret_types", "type": "array", "required": false, "description": "Types of secrets found" },
-                { "key": "secret_count", "type": "number", "required": false, "description": "Number of distinct secrets" },
-                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII detected" },
-                { "key": "pii_types", "type": "array", "required": false, "description": "Types of PII detected" },
-                { "key": "pii_count", "type": "number", "required": false, "description": "Number of PII matches" },
-                { "key": "injection_confidence", "type": "number", "required": false, "description": "Injection classifier confidence (0-100)" },
-                { "key": "jailbreak_confidence", "type": "number", "required": false, "description": "Jailbreak classifier confidence (0-100)" },
-                { "key": "tool_poisoning_score", "type": "number", "required": false, "description": "Tool poisoning risk score (0-100)" },
-                { "key": "tool_poisoning_detected", "type": "boolean", "required": false, "description": "Tool poisoning detected flag" },
-                { "key": "rug_pull_score", "type": "number", "required": false, "description": "Rug pull risk score (0-100)" },
-                { "key": "rug_pull_detected", "type": "boolean", "required": false, "description": "Rug pull detected flag" },
-                { "key": "indirect_injection_score", "type": "number", "required": false, "description": "Indirect injection score (0-100)" },
-                { "key": "tool_risk_score", "type": "number", "required": false, "description": "Computed tool risk (0-100)" },
-                { "key": "tool_category", "type": "string", "required": false, "description": "Tool category: safe/sensitive/dangerous" },
-                { "key": "tool_is_sensitive", "type": "boolean", "required": false, "description": "Tool sensitivity flag" },
-                { "key": "tool_is_builtin", "type": "boolean", "required": false, "description": "Built-in tool flag" },
-                { "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Whether server is from verified registry" },
-                { "key": "violence_score", "type": "number", "required": false, "description": "Violence content score (0-100)" },
-                { "key": "weapons_score", "type": "number", "required": false, "description": "Weapons content score (0-100)" },
-                { "key": "hate_speech_score", "type": "number", "required": false, "description": "Hate speech score (0-100)" },
-                { "key": "crime_score", "type": "number", "required": false, "description": "Crime content score (0-100)" },
-                { "key": "sexual_score", "type": "number", "required": false, "description": "Sexual content score (0-100)" },
-                { "key": "profanity_score", "type": "number", "required": false, "description": "Profanity score (0-100)" },
-                { "key": "contains_invisible_chars", "type": "boolean", "required": false, "description": "Invisible Unicode chars detected" },
-                { "key": "invisible_chars_score", "type": "number", "required": false, "description": "Unicode attack severity (0-100)" },
-                { "key": "loop_detected", "type": "boolean", "required": false, "description": "Tool call loop detected" },
-                { "key": "loop_count", "type": "number", "required": false, "description": "Consecutive repeat calls" },
-                { "key": "suspicious_pattern", "type": "boolean", "required": false, "description": "Data exfiltration or attack sequence detected" },
-                { "key": "pattern_type", "type": "string", "required": false, "description": "Pattern type" },
-                { "key": "sequence_risk", "type": "number", "required": false, "description": "Sequence risk score (0-100)" }
-            ]
-        },
-        {
-            "name": "connect_server",
-            "description": "Connect to an MCP server — threat focus: supply chain, tool poisoning, config risk",
-            "context_attributes": [
-                { "key": "content", "type": "string", "required": false, "description": "Server config content" },
-                { "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
-                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
-                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest threat severity" },
-                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names" },
-                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity (0-4)" },
-                { "key": "tool_poisoning_score", "type": "number", "required": false, "description": "Tool poisoning risk (0-100)" },
-                { "key": "tool_poisoning_detected", "type": "boolean", "required": false, "description": "Tool poisoning detected" },
-                { "key": "rug_pull_score", "type": "number", "required": false, "description": "Rug pull risk (0-100)" },
-                { "key": "rug_pull_detected", "type": "boolean", "required": false, "description": "Rug pull detected" },
-                { "key": "indirect_injection_score", "type": "number", "required": false, "description": "Indirect injection score (0-100)" },
-                { "key": "mcp_server_verified", "type": "boolean", "required": false, "description": "Verified registry status" },
-                { "key": "mcp_config_risk", "type": "boolean", "required": false, "description": "Risky server config detected" },
-                { "key": "mcp_risk_score", "type": "number", "required": false, "description": "Config risk severity (0-100)" }
-            ]
-        },
-        {
-            "name": "process_prompt",
-            "description": "Process an MCP prompt — threat focus: injection, jailbreak, secrets, PII, content safety",
-            "context_attributes": [
-                { "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
-                { "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
-                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
-                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest threat severity" },
-                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names" },
-                { "key": "detected_threats", "type": "array", "required": false, "description": "Detection rule names that matched" },
-                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity (0-4)" },
-                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets/credentials detected" },
-                { "key": "secret_types", "type": "array", "required": false, "description": "Types of secrets found" },
-                { "key": "secret_count", "type": "number", "required": false, "description": "Number of distinct secrets" },
-                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII detected" },
-                { "key": "pii_types", "type": "array", "required": false, "description": "Types of PII detected" },
-                { "key": "pii_count", "type": "number", "required": false, "description": "Number of PII matches" },
-                { "key": "injection_confidence", "type": "number", "required": false, "description": "Injection classifier confidence (0-100)" },
-                { "key": "jailbreak_confidence", "type": "number", "required": false, "description": "Jailbreak classifier confidence (0-100)" },
-                { "key": "violence_score", "type": "number", "required": false, "description": "Violence content score (0-100)" },
-                { "key": "weapons_score", "type": "number", "required": false, "description": "Weapons content score (0-100)" },
-                { "key": "hate_speech_score", "type": "number", "required": false, "description": "Hate speech score (0-100)" },
-                { "key": "crime_score", "type": "number", "required": false, "description": "Crime content score (0-100)" },
-                { "key": "sexual_score", "type": "number", "required": false, "description": "Sexual content score (0-100)" },
-                { "key": "profanity_score", "type": "number", "required": false, "description": "Profanity score (0-100)" },
-                { "key": "contains_invisible_chars", "type": "boolean", "required": false, "description": "Invisible Unicode chars detected" },
-                { "key": "invisible_chars_score", "type": "number", "required": false, "description": "Unicode attack severity (0-100)" }
-            ]
-        },
-        {
-            "name": "read_file",
-            "description": "Read an MCP resource — threat focus: secrets exposure, PII exposure",
-            "context_attributes": [
-                { "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
-                { "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
-                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
-                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest threat severity" },
-                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names" },
-                { "key": "detected_threats", "type": "array", "required": false, "description": "Detection rule names that matched" },
-                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity (0-4)" },
-                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets/credentials detected" },
-                { "key": "secret_types", "type": "array", "required": false, "description": "Types of secrets found" },
-                { "key": "secret_count", "type": "number", "required": false, "description": "Number of distinct secrets" },
-                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII detected" },
-                { "key": "pii_types", "type": "array", "required": false, "description": "Types of PII detected" },
-                { "key": "pii_count", "type": "number", "required": false, "description": "Number of PII matches" }
-            ]
-        },
-        {
-            "name": "write_file",
-            "description": "Write an MCP resource — threat focus: secrets in output, PII in output",
-            "context_attributes": [
-                { "key": "content", "type": "string", "required": true, "description": "Raw content being scanned" },
-                { "key": "mcp_server", "type": "string", "required": false, "description": "MCP server name" },
-                { "key": "threat_count", "type": "number", "required": false, "description": "Total threats detected" },
-                { "key": "highest_severity", "type": "string", "required": false, "description": "Highest threat severity" },
-                { "key": "threat_categories", "type": "array", "required": false, "description": "Threat category names" },
-                { "key": "detected_threats", "type": "array", "required": false, "description": "Detection rule names that matched" },
-                { "key": "max_threat_severity", "type": "number", "required": false, "description": "Numeric severity (0-4)" },
-                { "key": "contains_secrets", "type": "boolean", "required": false, "description": "Whether secrets/credentials detected" },
-                { "key": "secret_types", "type": "array", "required": false, "description": "Types of secrets found" },
-                { "key": "secret_count", "type": "number", "required": false, "description": "Number of distinct secrets" },
-                { "key": "pii_detected", "type": "boolean", "required": false, "description": "Whether PII detected" },
-                { "key": "pii_types", "type": "array", "required": false, "description": "Types of PII detected" },
-                { "key": "pii_count", "type": "number", "required": false, "description": "Number of PII matches" }
-            ]
-        }
-    ]
-};
 /**
  * Overwatch context metadata (parsed JSON)
  */