@highflame/policy 2.1.15 → 2.1.16

package/dist/ai_gateway-defaults.gen.js

@@ -0,0 +1,829 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/ai_gateway/templates/templates.json
+//
+// AiGateway default policies and templates.
+// Cedar text is embedded at build time. PolicyRule[] can be parsed at runtime
+// using parseCedarToRules().
+// =============================================================================
+// EMBEDDED CEDAR POLICY TEXT
+// =============================================================================
+const AI_GATEWAY_BASELINE_DEFAULT_CEDAR = `// =============================================================================
+// Baseline Permit Policy (Default)
+// =============================================================================
+// Permits all actions by default. Threat-specific forbid policies override
+// this to block when detection engines identify issues.
+//
+// Cedar is default-deny: without at least one permit rule, every request
+// is denied regardless of forbid rules.
+//
+// Category: organization
+// Namespace: AIGateway
+// =============================================================================
+
+@id("baseline-permit-all")
+@name("Permit all actions by default")
+@description("Baseline permit for all actions -- threat-specific forbid policies override this when threats are detected")
+@severity("low")
+@tags("baseline,permit-default,organization")
+permit (
+    principal,
+    action,
+    resource
+);
+`;
+const AI_GATEWAY_SEMANTIC_DEFAULT_CEDAR = `// =============================================================================
+// Semantic Threat Detection Policy (Default)
+// =============================================================================
+// Detects and blocks prompt injection, jailbreak attempts, and high-severity
+// threats in MCP tool calls and server connections.
+//
+// Category: semantic
+// Namespace: AIGateway
+// =============================================================================
+
+// Block content with prompt injection patterns detected by rules
+@id("semantic-block-injection")
+@name("Block prompt injection")
+@description("Block tool calls when detection engine rules identify prompt injection patterns in tool arguments or content")
+@severity("critical")
+@tags("injection,security,owasp-llm01,baseline")
+@reject_message("Tool call was blocked because prompt injection patterns were detected in the content (OWASP LLM01).")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has detected_threats && context.detected_threats.contains("prompt_injection")
+};
+
+// Block content with high ML injection confidence
+@id("semantic-block-injection-score")
+@name("Block high-confidence injection")
+@description("Block tool calls when the ML injection classifier confidence exceeds 75/100")
+@severity("critical")
+@tags("injection,ml-classifier,security,owasp-llm01")
+@reject_message("Tool call was blocked because the ML classifier detected prompt injection with high confidence.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has injection_confidence && context.injection_confidence >= 75
+};
+
+// Block content with jailbreak patterns
+@id("semantic-block-jailbreak")
+@name("Block jailbreak attempts")
+@description("Block tool calls when jailbreak patterns are detected in content")
+@severity("critical")
+@tags("jailbreak,security,owasp-llm02,baseline")
+@reject_message("Tool call was blocked because jailbreak patterns were detected.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has detected_threats && context.detected_threats.contains("jailbreak")
+};
+
+// Block content with high ML jailbreak confidence
+@id("semantic-block-jailbreak-score")
+@name("Block high-confidence jailbreak")
+@description("Block tool calls when the ML jailbreak classifier confidence exceeds 75/100")
+@severity("critical")
+@tags("jailbreak,ml-classifier,security,owasp-llm02")
+@reject_message("Tool call was blocked because the ML classifier detected a jailbreak attempt with high confidence.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has jailbreak_confidence && context.jailbreak_confidence >= 75
+};
+
+// Block any content with critical severity threats
+@id("semantic-block-critical")
+@name("Block critical threats")
+@description("Block all MCP operations when any detection engine reports critical severity")
+@severity("critical")
+@tags("critical,baseline,security,catch-all")
+@reject_message("MCP operation was blocked because security scanners detected a critical-severity threat.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has highest_severity && context.highest_severity == "critical"
+};
+
+// Block tool calls with multiple concurrent threats
+@id("semantic-block-multi-threat-tools")
+@name("Block multi-threat tool calls")
+@description("Block tool execution when 3+ distinct threats are detected simultaneously")
+@severity("high")
+@tags("multi-threat,tools,security,defense-in-depth")
+@reject_message("Tool execution was blocked because multiple security threats were detected simultaneously.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has threat_count && context.threat_count >= 3
+};
+`;
+const AI_GATEWAY_TOOLS_DEFAULT_CEDAR = `// =============================================================================
+// Tool Permissioning Policy (Default)
+// =============================================================================
+// Controls access to MCP tools based on risk scoring, threat detection,
+// and tool classification.
+//
+// Category: tools
+// Namespace: AIGateway
+// =============================================================================
+
+// Block tools with very high computed risk
+@id("tools-block-high-risk-score")
+@name("Block high-risk tool operations")
+@description("Block tool operations when the computed risk score exceeds 90/100")
+@severity("critical")
+@tags("tool-risk,security,owasp-llm06,owasp-asi02")
+@reject_message("Tool execution blocked: this operation scored 90+ on the risk assessment.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_risk_score && context.tool_risk_score >= 90
+};
+
+// Block tools classified as dangerous
+@id("tools-block-dangerous-category")
+@name("Block dangerous tool category")
+@description("Block all tools classified as dangerous by the detection engine")
+@severity("critical")
+@tags("tool-category,dangerous,security,owasp-llm06")
+@reject_message("Tool execution blocked: this tool is classified as dangerous.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_category && context.tool_category == "dangerous"
+};
+
+// Block sensitive tools when threats are detected
+@id("tools-block-sensitive-with-threats")
+@name("Block sensitive tools with threats")
+@description("Block sensitive tools when any threats are detected concurrently")
+@severity("high")
+@tags("tool-category,sensitive,security,defense-in-depth")
+@reject_message("Sensitive tool execution blocked: threats were detected alongside a sensitive tool operation.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_is_sensitive && context.tool_is_sensitive &&
+    context has threat_count && context.threat_count > 0
+};
+
+// Block tool calls with high severity threats
+@id("tools-block-high-severity-threats")
+@name("Block tool calls with high severity threats")
+@description("Prevent tool execution when high or critical severity threats are detected")
+@severity("high")
+@tags("tools,threats,severity,security")
+@reject_message("Tool execution was blocked because high or critical severity threats were detected.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has threat_count && context has max_threat_severity &&
+    context.threat_count > 0 && context.max_threat_severity >= 3
+};
+
+// Block detected command injection patterns
+@id("tools-block-command-injection")
+@name("Block command injection in tool calls")
+@description("Block tool calls when command injection patterns are detected in arguments")
+@severity("critical")
+@tags("command-injection,security,mitre-t1059,owasp-asi02")
+@reject_message("Tool execution blocked: command injection pattern detected in tool arguments.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has detected_threats &&
+    context.detected_threats.contains("command_injection")
+};
+`;
+const AI_GATEWAY_AGENT_SECURITY_DEFAULT_CEDAR = `// =============================================================================
+// Agent Security Policy (Default)
+// =============================================================================
+// Detects and blocks tool poisoning, rug pull attacks, indirect prompt injection,
+// and MCP supply chain threats.
+//
+// Category: agent_security
+// Namespace: AIGateway
+// =============================================================================
+
+// Block tool calls with tool poisoning risk
+@id("as-block-tool-poisoning")
+@name("Block tool poisoning")
+@description("Block tool execution when hidden instructions are detected in tool descriptions or arguments (score >= 70)")
+@severity("critical")
+@tags("tool-poisoning,agent-security,owasp-asi01")
+@reject_message("Tool execution blocked: hidden manipulation instructions detected in tool description or arguments (OWASP ASI01).")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_poisoning_score && context.tool_poisoning_score >= 70
+};
+
+// Block MCP server connections with poisoning risk
+@id("as-block-server-poisoning")
+@name("Block poisoned MCP servers")
+@description("Block connections to MCP servers when tool poisoning patterns are detected (score >= 60)")
+@severity("critical")
+@tags("tool-poisoning,mcp-security,owasp-asi04,owasp-mcp02")
+@reject_message("MCP server connection blocked: tool poisoning patterns detected in server tool descriptions.")
+forbid (
+    principal,
+    action == AIGateway::Action::"connect_server",
+    resource
+)
+when {
+    context has tool_poisoning_score && context.tool_poisoning_score >= 60
+};
+
+// Block tool calls with behavioral drift (rug pull)
+@id("as-block-rug-pull")
+@name("Block rug pull attacks")
+@description("Block tool execution when behavioral drift is detected (score >= 70)")
+@severity("critical")
+@tags("rug-pull,agent-security,owasp-asi04")
+@reject_message("Tool execution blocked: tool behavior has changed significantly from its established pattern.")
+forbid (
+    principal,
+    action in [AIGateway::Action::"call_tool", AIGateway::Action::"connect_server"],
+    resource
+)
+when {
+    context has rug_pull_score && context.rug_pull_score >= 70
+};
+
+// Block with indirect injection from tool outputs
+@id("as-block-indirect-injection")
+@name("Block indirect prompt injection")
+@description("Block when indirect prompt injection is detected in tool outputs (score >= 70)")
+@severity("critical")
+@tags("indirect-injection,owasp-llm01,owasp-asi01")
+@reject_message("Content blocked: indirect prompt injection detected in tool output or retrieved content.")
+forbid (
+    principal,
+    action in [AIGateway::Action::"call_tool", AIGateway::Action::"connect_server"],
+    resource
+)
+when {
+    context has indirect_injection_score && context.indirect_injection_score >= 70
+};
+
+// Strict indirect injection for sensitive tool calls
+@id("as-block-indirect-injection-sensitive-tools")
+@name("Block indirect injection on sensitive tools")
+@description("Lower threshold (>= 50) for indirect injection when the tool is classified as sensitive")
+@severity("critical")
+@tags("indirect-injection,sensitive-tools,owasp-asi02")
+@reject_message("Sensitive tool execution blocked: moderate indirect injection risk detected.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has indirect_injection_score && context.indirect_injection_score >= 50 &&
+    context has tool_is_sensitive && context.tool_is_sensitive
+};
+
+// Block unverified MCP server tool calls with detected threats
+@id("as-block-unverified-threats")
+@name("Block unverified server threats")
+@description("Block tool calls from unverified MCP servers when any threat is detected")
+@severity("high")
+@tags("mcp-trust,owasp-asi04,supply-chain")
+@reject_message("Tool execution blocked: the MCP server is unverified and security threats were detected.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has mcp_server_verified && context.mcp_server_verified == false &&
+    context has threat_count && context.threat_count > 0
+};
+
+// Block connections to MCP servers with risky configurations
+@id("as-block-mcp-config-risk")
+@name("Block risky MCP server configs")
+@description("Block MCP server connections when risky configuration patterns are detected (score >= 70)")
+@severity("high")
+@tags("mcp-config,owasp-mcp03,supply-chain")
+@reject_message("MCP server connection blocked: risky server configuration detected.")
+forbid (
+    principal,
+    action == AIGateway::Action::"connect_server",
+    resource
+)
+when {
+    context has mcp_config_risk && context.mcp_config_risk &&
+    context has mcp_risk_score && context.mcp_risk_score >= 70
+};
+
+// Block connections to unverified MCP servers
+@id("as-block-unverified-server-connect")
+@name("Block unverified MCP server connections")
+@description("Block connections to MCP servers that are not from a verified registry")
+@severity("high")
+@tags("mcp-trust,owasp-asi04,owasp-mcp05,supply-chain")
+@reject_message("MCP server connection blocked: server is not from a verified registry.")
+forbid (
+    principal,
+    action == AIGateway::Action::"connect_server",
+    resource
+)
+when {
+    context has mcp_server_verified && context.mcp_server_verified == false
+};
+`;
+const AI_GATEWAY_TOOLS_MCP_ALLOWLIST_CEDAR = `// MCP Server Allowlist Template
+// Only allow specific MCP servers to be used
+// Category: tools
+//
+// NOTE: Users should customize the mcp_server values in the permit rule
+// to match their allowed servers before deploying this template.
+
+@id("mcp-allowlist-permit")
+@name("Allow specific MCP servers")
+@description("Only allow connections to pre-approved MCP servers (customize the list)")
+@severity("medium")
+@tags("mcp,allowlist,server,governance")
+permit (
+    principal,
+    action == AIGateway::Action::"connect_server",
+    resource
+)
+when {
+    context has mcp_server &&
+    (context.mcp_server == "filesystem" ||
+    context.mcp_server == "playwright")
+};
+
+@id("mcp-allowlist-deny")
+@name("Deny unallowed MCP servers")
+@description("Block all MCP server connections not in the allowlist")
+@severity("medium")
+@tags("mcp,deny-default,server")
+forbid (
+    principal,
+    action == AIGateway::Action::"connect_server",
+    resource
+);
+`;
+const AI_GATEWAY_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR = `// =============================================================================
+// MCP Tool Permissions Template (AIGateway)
+// =============================================================================
+// Per-tool access control for MCP servers.
+// Complements the MCP Server Allowlist (connect_server action)
+// with fine-grained per-tool control on call_tool action.
+//
+// Category: tools
+// Namespace: AIGateway
+// =============================================================================
+
+// -- GitHub MCP: Read-only access -------------------------------------------
+
+@id("mcp-tool-allow-read-github")
+@name("Allow read-only GitHub tools")
+@description("Permit read operations from GitHub MCP server")
+@severity("medium")
+@tags("mcp,github,read-only,least-privilege")
+permit (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server && context.mcp_server == "github" &&
+    context has tool_name &&
+    (context.tool_name == "read_issues" ||
+     context.tool_name == "get_issue" ||
+     context.tool_name == "list_repos" ||
+     context.tool_name == "get_pull_request" ||
+     context.tool_name == "search_code" ||
+     context.tool_name == "get_file_contents")
+};
+
+@id("mcp-tool-deny-write-github")
+@name("Deny write GitHub tools")
+@description("Block create/update/delete operations on GitHub MCP server")
+@severity("high")
+@tags("mcp,github,write-block,least-privilege")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server && context.mcp_server == "github"
+};
+
+// -- Organization-wide MCP server exclusions --------------------------------
+
+@id("mcp-tool-exclude-server")
+@name("Exclude specific MCP servers")
+@description("Block all tool calls from excluded MCP servers (org-wide exclusion list)")
+@severity("critical")
+@tags("mcp,exclusion,org-wide,block")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server &&
+    (context.mcp_server == "untrusted-server" ||
+     context.mcp_server == "deprecated-server")
+};
+
+// -- Block unverified MCP servers -------------------------------------------
+
+@id("mcp-tool-block-unverified")
+@name("Block tools from unverified MCP servers")
+@description("Deny tool calls from MCP servers not in the verified registry")
+@severity("high")
+@tags("mcp,trust,verification")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server_verified && context.mcp_server_verified == false
+};
+`;
+const AI_GATEWAY_DATA_PII_REDACTION_CEDAR = `// =============================================================================
+// PII Redaction Policy
+// =============================================================================
+// Block or redact requests containing personally identifiable information.
+// Covers all AI Gateway actions (MCP tool calls, LLM prompts, file ops).
+//
+// Category: data_protection
+// Namespace: AIGateway
+// =============================================================================
+
+// Block requests with PII detected
+@id("data-block-pii")
+@name("Block PII in requests")
+@description("Block any AI Gateway operation when PII is detected in the content")
+@severity("high")
+@tags("pii,data-protection,owasp-llm06,dlp")
+@reject_message("Request was blocked because personally identifiable information (PII) was detected. Remove sensitive data before retrying.")
+forbid (
+    principal,
+    action == AIGateway::Action::"process_prompt",
+    resource
+)
+when {
+    context has pii_detected && context.pii_detected == true
+};
+
+// Block requests with secrets/credentials
+@id("data-block-secrets")
+@name("Block secrets in requests")
+@description("Block any AI Gateway operation when secrets or credentials are detected")
+@severity("critical")
+@tags("secrets,data-protection,credentials,dlp")
+@reject_message("Request was blocked because secrets or credentials were detected in the content. Remove sensitive credentials before retrying.")
+forbid (
+    principal,
+    action == AIGateway::Action::"process_prompt",
+    resource
+)
+when {
+    context has contains_secrets && context.contains_secrets == true
+};
+
+// Block MCP tool calls with PII
+@id("data-block-pii-tools")
+@name("Block PII in tool calls")
+@description("Block MCP tool execution when PII is detected in tool arguments")
+@severity("high")
+@tags("pii,tools,data-protection,dlp")
+@reject_message("Tool call was blocked because PII was detected in the arguments.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has pii_detected && context.pii_detected == true
+};
+
+// Block MCP tool calls with secrets
+@id("data-block-secrets-tools")
+@name("Block secrets in tool calls")
+@description("Block MCP tool execution when secrets or credentials are detected")
+@severity("critical")
+@tags("secrets,tools,data-protection,dlp")
+@reject_message("Tool call was blocked because secrets were detected in the arguments.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has contains_secrets && context.contains_secrets == true
+};
+
+// Block bulk PII exposure (3+ PII matches)
+@id("data-block-bulk-pii")
+@name("Block bulk PII exposure")
+@description("Block operations with 3 or more PII matches -- indicates data dump or exfiltration attempt")
+@severity("critical")
+@tags("pii,bulk,data-protection,exfiltration")
+@reject_message("Request was blocked because multiple PII matches were detected, indicating potential data exfiltration.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has pii_count && context.pii_count >= 3
+};
+`;
+const AI_GATEWAY_LLM_DEFAULT_ALLOW_CEDAR = `// =============================================================================
+// Default Allow LLM Proxy Calls
+// =============================================================================
+// Permits all LLM prompt processing by default. Deploy this alongside
+// threat-specific forbid policies to create a "default allow, block on threat"
+// posture for LLM chat completions.
+//
+// Category: organization
+// Namespace: AIGateway
+// =============================================================================
+
+// Allow all LLM prompt processing by default
+@id("llm-permit-all-prompts")
+@name("Allow all LLM proxy calls")
+@description("Permits all LLM chat completion requests by default -- threat-specific forbid policies override this when threats are detected")
+@severity("low")
+@tags("llm,permit-default,organization,proxy")
+permit (
+    principal,
+    action == AIGateway::Action::"process_prompt",
+    resource
+);
+`;
+// =============================================================================
+// CATEGORIES
+// =============================================================================
+export const AI_GATEWAY_CATEGORIES = [
+    { id: 'semantic', name: 'Semantic Threat Detection', description: 'Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats' },
+    { id: 'tools', name: 'Tool Permissioning', description: 'Control access to MCP tools, enforce risk scoring, and manage per-tool permissions' },
+    { id: 'agent_security', name: 'Agent Security', description: 'Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats' },
+    { id: 'data_protection', name: 'Data Protection', description: 'Prevent secrets and PII leakage in LLM chat completions and MCP operations' },
+    { id: 'content_safety', name: 'Content Safety', description: 'Enforce content moderation score thresholds on LLM prompts and MCP content' },
+    { id: 'organization', name: 'Organization Rules', description: 'Apply organization-wide policy baselines for AI gateway operations' },
+];
+// =============================================================================
+// DEFAULT POLICIES
+// =============================================================================
+export const AI_GATEWAY_DEFAULTS = [
+    {
+        id: 'baseline-default',
+        name: 'Baseline Permit',
+        description: 'Permits all actions by default -- threat-specific forbid policies override this when threats are detected',
+        category: 'organization',
+        cedarText: AI_GATEWAY_BASELINE_DEFAULT_CEDAR,
+        severity: 'low',
+        tags: ['baseline', 'permit-default', 'organization'],
+        isActive: true,
+    },
+    {
+        id: 'semantic-default',
+        name: 'Semantic Threat Detection',
+        description: 'Detect and block prompt injection, jailbreak attempts, and high-severity threats in MCP tool calls and LLM prompts',
+        category: 'semantic',
+        cedarText: AI_GATEWAY_SEMANTIC_DEFAULT_CEDAR,
+        severity: 'critical',
+        tags: ['prompt-injection', 'jailbreak', 'owasp-llm01', 'owasp-llm02', 'security', 'baseline'],
+        isActive: true,
+    },
+    {
+        id: 'tools-default',
+        name: 'Tool Permissioning',
+        description: 'Enforce tool risk scoring, block dangerous tools, and detect command injection in MCP tool arguments',
+        category: 'tools',
+        cedarText: AI_GATEWAY_TOOLS_DEFAULT_CEDAR,
+        severity: 'critical',
+        tags: ['tool-risk', 'command-injection', 'owasp-llm06', 'owasp-asi02', 'baseline'],
+        isActive: true,
+    },
+    {
+        id: 'agent-security-default',
+        name: 'Agent Security',
+        description: 'Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats',
+        category: 'agent_security',
+        cedarText: AI_GATEWAY_AGENT_SECURITY_DEFAULT_CEDAR,
+        severity: 'critical',
+        tags: ['tool-poisoning', 'rug-pull', 'indirect-injection', 'mcp-security', 'owasp-asi01', 'owasp-asi04', 'baseline'],
+        isActive: true,
+    },
+];
+// =============================================================================
+// ALL TEMPLATES
+// =============================================================================
+export const AI_GATEWAY_TEMPLATES = [
+    {
+        id: 'tools-mcp-allowlist',
+        name: 'MCP Server Allowlist',
+        description: 'Only allow specific MCP servers to be used',
+        category: 'tools',
+        cedarText: AI_GATEWAY_TOOLS_MCP_ALLOWLIST_CEDAR,
+        severity: 'medium',
+        tags: ['mcp', 'allowlist', 'whitelist'],
+    },
+    {
+        id: 'tools-mcp-tool-permissions',
+        name: 'MCP Tool Permissions',
+        description: 'Per-tool access control for MCP servers -- allow specific tools while denying others, exclude servers org-wide, block unverified sources',
+        category: 'tools',
+        cedarText: AI_GATEWAY_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR,
+        severity: 'high',
+        tags: ['mcp', 'tools', 'least-privilege', 'per-server', 'exclusion'],
+    },
+    {
+        id: 'data-pii-redaction',
+        name: 'PII & Secrets Redaction',
+        description: 'Block requests containing PII or secrets across LLM prompts and MCP tool calls -- prevents data leakage and credential exposure',
+        category: 'data_protection',
+        cedarText: AI_GATEWAY_DATA_PII_REDACTION_CEDAR,
+        severity: 'high',
+        tags: ['pii', 'secrets', 'data-protection', 'dlp', 'owasp-llm06'],
+    },
+    {
+        id: 'llm-default-allow',
+        name: 'Default Allow LLM Proxy',
+        description: 'Permit all LLM chat completion requests by default -- deploy alongside threat-specific forbid policies for a default-allow posture',
+        category: 'organization',
+        cedarText: AI_GATEWAY_LLM_DEFAULT_ALLOW_CEDAR,
+        severity: 'low',
+        tags: ['llm', 'permit-default', 'proxy', 'organization'],
+    },
+];
+// =============================================================================
+// TEMPLATES METADATA
+// =============================================================================
+/** Raw templates.json metadata for the AiGateway service. */
+export const AI_GATEWAY_TEMPLATES_JSON = `{
+  "service": "ai_gateway",
+  "version": "2.0.0",
+  "description": "AIGateway policy templates for MCP + LLM gateway security",
+  "categories": [
+    {
+      "id": "semantic",
+      "name": "Semantic Threat Detection",
+      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats"
+    },
+    {
+      "id": "tools",
+      "name": "Tool Permissioning",
+      "description": "Control access to MCP tools, enforce risk scoring, and manage per-tool permissions"
+    },
+    {
+      "id": "agent_security",
+      "name": "Agent Security",
+      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats"
+    },
+    {
+      "id": "data_protection",
+      "name": "Data Protection",
+      "description": "Prevent secrets and PII leakage in LLM chat completions and MCP operations"
+    },
+    {
+      "id": "content_safety",
+      "name": "Content Safety",
+      "description": "Enforce content moderation score thresholds on LLM prompts and MCP content"
+    },
+    {
+      "id": "organization",
+      "name": "Organization Rules",
+      "description": "Apply organization-wide policy baselines for AI gateway operations"
+    }
+  ],
+  "defaults": [
+    {
+      "id": "baseline-default",
+      "name": "Baseline Permit",
+      "description": "Permits all actions by default -- threat-specific forbid policies override this when threats are detected",
+      "category": "organization",
+      "file": "defaults/baseline.cedar",
+      "severity": "low",
+      "tags": ["baseline", "permit-default", "organization"],
+      "is_active": true
+    },
+    {
+      "id": "semantic-default",
+      "name": "Semantic Threat Detection",
+      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity threats in MCP tool calls and LLM prompts",
+      "category": "semantic",
+      "file": "defaults/semantic.cedar",
+      "severity": "critical",
+      "tags": ["prompt-injection", "jailbreak", "owasp-llm01", "owasp-llm02", "security", "baseline"],
+      "is_active": true
+    },
+    {
+      "id": "tools-default",
+      "name": "Tool Permissioning",
+      "description": "Enforce tool risk scoring, block dangerous tools, and detect command injection in MCP tool arguments",
+      "category": "tools",
+      "file": "defaults/tools.cedar",
+      "severity": "critical",
+      "tags": ["tool-risk", "command-injection", "owasp-llm06", "owasp-asi02", "baseline"],
+      "is_active": true
+    },
+    {
+      "id": "agent-security-default",
+      "name": "Agent Security",
+      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats",
+      "category": "agent_security",
+      "file": "defaults/agent_security.cedar",
+      "severity": "critical",
+      "tags": ["tool-poisoning", "rug-pull", "indirect-injection", "mcp-security", "owasp-asi01", "owasp-asi04", "baseline"],
+      "is_active": true
+    }
+  ],
+  "templates": [
+    {
+      "id": "tools-mcp-allowlist",
+      "name": "MCP Server Allowlist",
+      "description": "Only allow specific MCP servers to be used",
+      "category": "tools",
+      "file": "mcp_server_allowlist.cedar",
+      "severity": "medium",
+      "tags": ["mcp", "allowlist", "whitelist"]
+    },
+    {
+      "id": "tools-mcp-tool-permissions",
+      "name": "MCP Tool Permissions",
+      "description": "Per-tool access control for MCP servers -- allow specific tools while denying others, exclude servers org-wide, block unverified sources",
+      "category": "tools",
+      "file": "mcp_tool_permissions.cedar",
+      "severity": "high",
+      "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
+    },
+    {
+      "id": "data-pii-redaction",
+      "name": "PII & Secrets Redaction",
+      "description": "Block requests containing PII or secrets across LLM prompts and MCP tool calls -- prevents data leakage and credential exposure",
+      "category": "data_protection",
+      "file": "pii_redaction.cedar",
+      "severity": "high",
+      "tags": ["pii", "secrets", "data-protection", "dlp", "owasp-llm06"]
+    },
+    {
+      "id": "llm-default-allow",
+      "name": "Default Allow LLM Proxy",
+      "description": "Permit all LLM chat completion requests by default -- deploy alongside threat-specific forbid policies for a default-allow posture",
+      "category": "organization",
+      "file": "llm_default_allow.cedar",
+      "severity": "low",
+      "tags": ["llm", "permit-default", "proxy", "organization"]
+    }
+  ]
+}
+`;
+// =============================================================================
+// HELPER FUNCTIONS
+// =============================================================================
+export function getAiGatewayDefaultsByCategory(category) {
+    return AI_GATEWAY_DEFAULTS.filter(d => d.category === category);
+}
+export function getAiGatewayTemplatesByCategory(category) {
+    return AI_GATEWAY_TEMPLATES.filter(t => t.category === category);
+}
+export function getAiGatewayTemplateById(id) {
+    return AI_GATEWAY_TEMPLATES.find(t => t.id === id);
+}