@highflame/policy 2.1.15 → 2.1.17

package/_schemas/ai_gateway/templates/mcp_server_allowlist.cedar

@@ -0,0 +1,33 @@
+// MCP Server Allowlist Template
+// Only allow specific MCP servers to be used
+// Category: tools
+//
+// NOTE: Users should customize the mcp_server values in the permit rule
+// to match their allowed servers before deploying this template.
+
+@id("mcp-allowlist-permit")
+@name("Allow specific MCP servers")
+@description("Only allow connections to pre-approved MCP servers (customize the list)")
+@severity("medium")
+@tags("mcp,allowlist,server,governance")
+permit (
+    principal,
+    action == AIGateway::Action::"connect_server",
+    resource
+)
+when {
+    context has mcp_server &&
+    (context.mcp_server == "filesystem" ||
+    context.mcp_server == "playwright")
+};
+
+@id("mcp-allowlist-deny")
+@name("Deny unallowed MCP servers")
+@description("Block all MCP server connections not in the allowlist")
+@severity("medium")
+@tags("mcp,deny-default,server")
+forbid (
+    principal,
+    action == AIGateway::Action::"connect_server",
+    resource
+);

package/_schemas/ai_gateway/templates/mcp_tool_permissions.cedar

@@ -0,0 +1,77 @@
+// =============================================================================
+// MCP Tool Permissions Template (AIGateway)
+// =============================================================================
+// Per-tool access control for MCP servers.
+// Complements the MCP Server Allowlist (connect_server action)
+// with fine-grained per-tool control on call_tool action.
+//
+// Category: tools
+// Namespace: AIGateway
+// =============================================================================
+
+// -- GitHub MCP: Read-only access -------------------------------------------
+
+@id("mcp-tool-allow-read-github")
+@name("Allow read-only GitHub tools")
+@description("Permit read operations from GitHub MCP server")
+@severity("medium")
+@tags("mcp,github,read-only,least-privilege")
+permit (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server && context.mcp_server == "github" &&
+    context has tool_name &&
+    (context.tool_name == "read_issues" ||
+     context.tool_name == "get_issue" ||
+     context.tool_name == "list_repos" ||
+     context.tool_name == "get_pull_request" ||
+     context.tool_name == "search_code" ||
+     context.tool_name == "get_file_contents")
+};
+
+@id("mcp-tool-deny-write-github")
+@name("Deny write GitHub tools")
+@description("Block create/update/delete operations on GitHub MCP server")
+@severity("high")
+@tags("mcp,github,write-block,least-privilege")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server && context.mcp_server == "github"
+};
+
+// -- Organization-wide MCP server exclusions --------------------------------
+
+@id("mcp-tool-exclude-server")
+@name("Exclude specific MCP servers")
+@description("Block all tool calls from excluded MCP servers (org-wide exclusion list)")
+@severity("critical")
+@tags("mcp,exclusion,org-wide,block")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server &&
+    (context.mcp_server == "untrusted-server" ||
+     context.mcp_server == "deprecated-server")
+};
+
+// -- Block unverified MCP servers -------------------------------------------
+
+@id("mcp-tool-block-unverified")
+@name("Block tools from unverified MCP servers")
+@description("Deny tool calls from MCP servers not in the verified registry")
+@severity("high")
+@tags("mcp,trust,verification")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+) when {
+    context has mcp_server_verified && context.mcp_server_verified == false
+};

package/_schemas/ai_gateway/templates/pii_redaction.cedar

@@ -0,0 +1,89 @@
+// =============================================================================
+// PII Redaction Policy
+// =============================================================================
+// Block or redact requests containing personally identifiable information.
+// Covers all AI Gateway actions (MCP tool calls, LLM prompts, file ops).
+//
+// Category: data_protection
+// Namespace: AIGateway
+// =============================================================================
+
+// Block requests with PII detected
+@id("data-block-pii")
+@name("Block PII in requests")
+@description("Block any AI Gateway operation when PII is detected in the content")
+@severity("high")
+@tags("pii,data-protection,owasp-llm06,dlp")
+@reject_message("Request was blocked because personally identifiable information (PII) was detected. Remove sensitive data before retrying.")
+forbid (
+    principal,
+    action == AIGateway::Action::"process_prompt",
+    resource
+)
+when {
+    context has pii_detected && context.pii_detected == true
+};
+
+// Block requests with secrets/credentials
+@id("data-block-secrets")
+@name("Block secrets in requests")
+@description("Block any AI Gateway operation when secrets or credentials are detected")
+@severity("critical")
+@tags("secrets,data-protection,credentials,dlp")
+@reject_message("Request was blocked because secrets or credentials were detected in the content. Remove sensitive credentials before retrying.")
+forbid (
+    principal,
+    action == AIGateway::Action::"process_prompt",
+    resource
+)
+when {
+    context has contains_secrets && context.contains_secrets == true
+};
+
+// Block MCP tool calls with PII
+@id("data-block-pii-tools")
+@name("Block PII in tool calls")
+@description("Block MCP tool execution when PII is detected in tool arguments")
+@severity("high")
+@tags("pii,tools,data-protection,dlp")
+@reject_message("Tool call was blocked because PII was detected in the arguments.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has pii_detected && context.pii_detected == true
+};
+
+// Block MCP tool calls with secrets
+@id("data-block-secrets-tools")
+@name("Block secrets in tool calls")
+@description("Block MCP tool execution when secrets or credentials are detected")
+@severity("critical")
+@tags("secrets,tools,data-protection,dlp")
+@reject_message("Tool call was blocked because secrets were detected in the arguments.")
+forbid (
+    principal,
+    action == AIGateway::Action::"call_tool",
+    resource
+)
+when {
+    context has contains_secrets && context.contains_secrets == true
+};
+
+// Block bulk PII exposure (3+ PII matches)
+@id("data-block-bulk-pii")
+@name("Block bulk PII exposure")
+@description("Block operations with 3 or more PII matches -- indicates data dump or exfiltration attempt")
+@severity("critical")
+@tags("pii,bulk,data-protection,exfiltration")
+@reject_message("Request was blocked because multiple PII matches were detected, indicating potential data exfiltration.")
+forbid (
+    principal,
+    action,
+    resource
+)
+when {
+    context has pii_count && context.pii_count >= 3
+};

package/_schemas/ai_gateway/templates/templates.json

@@ -0,0 +1,117 @@
+{
+  "service": "ai_gateway",
+  "version": "2.0.0",
+  "description": "AIGateway policy templates for MCP + LLM gateway security",
+  "categories": [
+    {
+      "id": "semantic",
+      "name": "Semantic Threat Detection",
+      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats"
+    },
+    {
+      "id": "tools",
+      "name": "Tool Permissioning",
+      "description": "Control access to MCP tools, enforce risk scoring, and manage per-tool permissions"
+    },
+    {
+      "id": "agent_security",
+      "name": "Agent Security",
+      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats"
+    },
+    {
+      "id": "data_protection",
+      "name": "Data Protection",
+      "description": "Prevent secrets and PII leakage in LLM chat completions and MCP operations"
+    },
+    {
+      "id": "content_safety",
+      "name": "Content Safety",
+      "description": "Enforce content moderation score thresholds on LLM prompts and MCP content"
+    },
+    {
+      "id": "organization",
+      "name": "Organization Rules",
+      "description": "Apply organization-wide policy baselines for AI gateway operations"
+    }
+  ],
+  "defaults": [
+    {
+      "id": "baseline-default",
+      "name": "Baseline Permit",
+      "description": "Permits all actions by default -- threat-specific forbid policies override this when threats are detected",
+      "category": "organization",
+      "file": "defaults/baseline.cedar",
+      "severity": "low",
+      "tags": ["baseline", "permit-default", "organization"],
+      "is_active": true
+    },
+    {
+      "id": "semantic-default",
+      "name": "Semantic Threat Detection",
+      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity threats in MCP tool calls and LLM prompts",
+      "category": "semantic",
+      "file": "defaults/semantic.cedar",
+      "severity": "critical",
+      "tags": ["prompt-injection", "jailbreak", "owasp-llm01", "owasp-llm02", "security", "baseline"],
+      "is_active": true
+    },
+    {
+      "id": "tools-default",
+      "name": "Tool Permissioning",
+      "description": "Enforce tool risk scoring, block dangerous tools, and detect command injection in MCP tool arguments",
+      "category": "tools",
+      "file": "defaults/tools.cedar",
+      "severity": "critical",
+      "tags": ["tool-risk", "command-injection", "owasp-llm06", "owasp-asi02", "baseline"],
+      "is_active": true
+    },
+    {
+      "id": "agent-security-default",
+      "name": "Agent Security",
+      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats",
+      "category": "agent_security",
+      "file": "defaults/agent_security.cedar",
+      "severity": "critical",
+      "tags": ["tool-poisoning", "rug-pull", "indirect-injection", "mcp-security", "owasp-asi01", "owasp-asi04", "baseline"],
+      "is_active": true
+    }
+  ],
+  "templates": [
+    {
+      "id": "tools-mcp-allowlist",
+      "name": "MCP Server Allowlist",
+      "description": "Only allow specific MCP servers to be used",
+      "category": "tools",
+      "file": "mcp_server_allowlist.cedar",
+      "severity": "medium",
+      "tags": ["mcp", "allowlist", "whitelist"]
+    },
+    {
+      "id": "tools-mcp-tool-permissions",
+      "name": "MCP Tool Permissions",
+      "description": "Per-tool access control for MCP servers -- allow specific tools while denying others, exclude servers org-wide, block unverified sources",
+      "category": "tools",
+      "file": "mcp_tool_permissions.cedar",
+      "severity": "high",
+      "tags": ["mcp", "tools", "least-privilege", "per-server", "exclusion"]
+    },
+    {
+      "id": "data-pii-redaction",
+      "name": "PII & Secrets Redaction",
+      "description": "Block requests containing PII or secrets across LLM prompts and MCP tool calls -- prevents data leakage and credential exposure",
+      "category": "data_protection",
+      "file": "pii_redaction.cedar",
+      "severity": "high",
+      "tags": ["pii", "secrets", "data-protection", "dlp", "owasp-llm06"]
+    },
+    {
+      "id": "llm-default-allow",
+      "name": "Default Allow LLM Proxy",
+      "description": "Permit all LLM chat completion requests by default -- deploy alongside threat-specific forbid policies for a default-allow posture",
+      "category": "organization",
+      "file": "llm_default_allow.cedar",
+      "severity": "low",
+      "tags": ["llm", "permit-default", "proxy", "organization"]
+    }
+  ]
+}

package/dist/ai_gateway-context.gen.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Context attribute keys for AiGateway Context attributes for AIGateway Cedar policies (MCP + LLM).
+ *
+ * These constants correspond to the context attributes defined in the
+ * AiGateway Cedar schema and are used at policy evaluation time.
+ */
+export declare const AiGatewayContextKey: {
+    readonly ContainsInvisibleChars: "contains_invisible_chars";
+    readonly ContainsSecrets: "contains_secrets";
+    readonly Content: "content";
+    readonly CrimeScore: "crime_score";
+    readonly DetectedThreats: "detected_threats";
+    readonly HateSpeechScore: "hate_speech_score";
+    readonly HighestSeverity: "highest_severity";
+    readonly IndirectInjectionScore: "indirect_injection_score";
+    readonly InjectionConfidence: "injection_confidence";
+    readonly InvisibleCharsScore: "invisible_chars_score";
+    readonly JailbreakConfidence: "jailbreak_confidence";
+    readonly LoopCount: "loop_count";
+    readonly LoopDetected: "loop_detected";
+    readonly MaxThreatSeverity: "max_threat_severity";
+    readonly McpConfigRisk: "mcp_config_risk";
+    readonly McpRiskScore: "mcp_risk_score";
+    readonly McpServer: "mcp_server";
+    readonly McpServerVerified: "mcp_server_verified";
+    readonly McpTool: "mcp_tool";
+    readonly ModelName: "model_name";
+    readonly ModelProvider: "model_provider";
+    readonly PatternType: "pattern_type";
+    readonly PiiCount: "pii_count";
+    readonly PiiDetected: "pii_detected";
+    readonly PiiTypes: "pii_types";
+    readonly ProfanityScore: "profanity_score";
+    readonly RugPullDetected: "rug_pull_detected";
+    readonly RugPullScore: "rug_pull_score";
+    readonly SecretCount: "secret_count";
+    readonly SecretTypes: "secret_types";
+    readonly SequenceRisk: "sequence_risk";
+    readonly SexualScore: "sexual_score";
+    readonly SuspiciousPattern: "suspicious_pattern";
+    readonly ThreatCategories: "threat_categories";
+    readonly ThreatCount: "threat_count";
+    readonly ToolCategory: "tool_category";
+    readonly ToolIsBuiltin: "tool_is_builtin";
+    readonly ToolIsSensitive: "tool_is_sensitive";
+    readonly ToolName: "tool_name";
+    readonly ToolPoisoningDetected: "tool_poisoning_detected";
+    readonly ToolPoisoningScore: "tool_poisoning_score";
+    readonly ToolRiskScore: "tool_risk_score";
+    readonly ViolenceScore: "violence_score";
+    readonly WeaponsScore: "weapons_score";
+};
+export type AiGatewayContextKey = (typeof AiGatewayContextKey)[keyof typeof AiGatewayContextKey];

package/dist/ai_gateway-context.gen.js

@@ -0,0 +1,54 @@
+// Code generated by highflame-policy-codegen. DO NOT EDIT.
+// Source: schemas/ai_gateway/context.json
+/**
+ * Context attribute keys for AiGateway Context attributes for AIGateway Cedar policies (MCP + LLM).
+ *
+ * These constants correspond to the context attributes defined in the
+ * AiGateway Cedar schema and are used at policy evaluation time.
+ */
+export const AiGatewayContextKey = {
+    ContainsInvisibleChars: 'contains_invisible_chars',
+    ContainsSecrets: 'contains_secrets',
+    Content: 'content',
+    CrimeScore: 'crime_score',
+    DetectedThreats: 'detected_threats',
+    HateSpeechScore: 'hate_speech_score',
+    HighestSeverity: 'highest_severity',
+    IndirectInjectionScore: 'indirect_injection_score',
+    InjectionConfidence: 'injection_confidence',
+    InvisibleCharsScore: 'invisible_chars_score',
+    JailbreakConfidence: 'jailbreak_confidence',
+    LoopCount: 'loop_count',
+    LoopDetected: 'loop_detected',
+    MaxThreatSeverity: 'max_threat_severity',
+    McpConfigRisk: 'mcp_config_risk',
+    McpRiskScore: 'mcp_risk_score',
+    McpServer: 'mcp_server',
+    McpServerVerified: 'mcp_server_verified',
+    McpTool: 'mcp_tool',
+    ModelName: 'model_name',
+    ModelProvider: 'model_provider',
+    PatternType: 'pattern_type',
+    PiiCount: 'pii_count',
+    PiiDetected: 'pii_detected',
+    PiiTypes: 'pii_types',
+    ProfanityScore: 'profanity_score',
+    RugPullDetected: 'rug_pull_detected',
+    RugPullScore: 'rug_pull_score',
+    SecretCount: 'secret_count',
+    SecretTypes: 'secret_types',
+    SequenceRisk: 'sequence_risk',
+    SexualScore: 'sexual_score',
+    SuspiciousPattern: 'suspicious_pattern',
+    ThreatCategories: 'threat_categories',
+    ThreatCount: 'threat_count',
+    ToolCategory: 'tool_category',
+    ToolIsBuiltin: 'tool_is_builtin',
+    ToolIsSensitive: 'tool_is_sensitive',
+    ToolName: 'tool_name',
+    ToolPoisoningDetected: 'tool_poisoning_detected',
+    ToolPoisoningScore: 'tool_poisoning_score',
+    ToolRiskScore: 'tool_risk_score',
+    ViolenceScore: 'violence_score',
+    WeaponsScore: 'weapons_score',
+};

package/dist/ai_gateway-defaults.gen.d.ts

@@ -0,0 +1,61 @@
+/**
+ * AiGateway policy category identifiers.
+ * Maps to UI tab names in Studio.
+ */
+export type AiGatewayCategory = 'semantic' | 'tools' | 'agent_security' | 'data_protection' | 'content_safety' | 'organization';
+/**
+ * Category metadata for UI display.
+ */
+export interface AiGatewayCategoryInfo {
+    id: AiGatewayCategory;
+    name: string;
+    description: string;
+}
+/**
+ * A default policy that is auto-created for new projects.
+ */
+export interface AiGatewayDefaultPolicy {
+    /** Template identifier */
+    id: string;
+    /** Human-readable name */
+    name: string;
+    /** Description for UI display */
+    description: string;
+    /** Policy category */
+    category: AiGatewayCategory;
+    /** Cedar policy text (source of truth) */
+    cedarText: string;
+    /** Severity level */
+    severity: string;
+    /** Tags for filtering */
+    tags: string[];
+    /** Whether this default should be activated immediately */
+    isActive: boolean;
+}
+/**
+ * A policy template available for users to create from.
+ */
+export interface AiGatewayTemplate {
+    /** Template identifier */
+    id: string;
+    /** Human-readable name */
+    name: string;
+    /** Description for UI display */
+    description: string;
+    /** Policy category */
+    category: AiGatewayCategory;
+    /** Cedar policy text */
+    cedarText: string;
+    /** Severity level */
+    severity: string;
+    /** Tags for filtering */
+    tags: string[];
+}
+export declare const AI_GATEWAY_CATEGORIES: AiGatewayCategoryInfo[];
+export declare const AI_GATEWAY_DEFAULTS: AiGatewayDefaultPolicy[];
+export declare const AI_GATEWAY_TEMPLATES: AiGatewayTemplate[];
+/** Raw templates.json metadata for the AiGateway service. */
+export declare const AI_GATEWAY_TEMPLATES_JSON: string;
+export declare function getAiGatewayDefaultsByCategory(category: AiGatewayCategory): AiGatewayDefaultPolicy[];
+export declare function getAiGatewayTemplatesByCategory(category: AiGatewayCategory): AiGatewayTemplate[];
+export declare function getAiGatewayTemplateById(id: string): AiGatewayTemplate | undefined;