npm - @highflame/policy - Versions diffs - 2.1.35 → 2.1.37 - Mend

@highflame/policy 2.1.35 → 2.1.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

package/dist/ai_gateway-defaults.gen.js CHANGED Viewed

@@ -7,47 +7,65 @@
 // =============================================================================
 // EMBEDDED CEDAR POLICY TEXT
 // =============================================================================
-const AI_GATEWAY_BASELINE_DEFAULT_CEDAR = `// =============================================================================
-// Baseline Permit Policy (Default)
+const AI_GATEWAY_ORGANIZATION_PERMIT_BASELINE_CEDAR = `// =============================================================================
+// Baseline Permit (Default)
 // =============================================================================
-// Permits all actions by default. Threat-specific forbid policies override
-// this to block when detection engines identify issues.
+// Permits all AI Gateway actions by default. Threat-specific forbid policies
+// override this when detectors fire. Cedar is default-deny: without at least
+// one permit rule, every request is denied regardless of forbid rules.
 //
-// Cedar is default-deny: without at least one permit rule, every request
-// is denied regardless of forbid rules.
-//
-// Category: organization
+// Category:  organization
 // Namespace: AIGateway
 // =============================================================================
-@id("baseline-permit-all")
-@name("Permit all actions by default")
-@description("Baseline permit for all actions -- threat-specific forbid policies override this when threats are detected")
+@id("organization.permit-baseline")
+@name("Permit baseline")
+@description("Permits all AI Gateway actions.")
 @severity("low")
-@tags("baseline,permit-default,organization")
+@tags("category:organization,posture:permit-default")
 permit (
     principal,
     action,
     resource
 );
 `;
-const AI_GATEWAY_SEMANTIC_DEFAULT_CEDAR = `// =============================================================================
-// Semantic Threat Detection Policy (Default)
+const AI_GATEWAY_SEMANTIC_DEFAULTS_CEDAR = `// =============================================================================
+// Semantic Threat Detection (Default)
 // =============================================================================
-// Detects and blocks prompt injection, jailbreak attempts, and high-severity
-// threats in MCP tool calls and server connections.
+// Blocks prompt injection, jailbreak attempts, and high-severity threats in
+// MCP tool calls and LLM prompts. Uses both detection-engine rule triggers and
+// ML classifier confidence scores.
+//
+// Detection layers:
+//   - Rule triggers (detected_threats), always available
+//   - ML classifier scores (injection_score, jailbreak_score), require API token
+//   - Severity aggregation (highest_severity, threat_count), catch-all rules
+//
+// Context keys consumed:
+//   - detected_threats:  Set<String>
+//   - injection_score:   Long (0-100)
+//   - jailbreak_score:   Long (0-100)
+//   - highest_severity:  String
+//   - threat_count:      Long
 //
-// Category: semantic
+// Compliance:
+//   - OWASP LLM01, OWASP LLM02
+//   - MITRE ATLAS AML.T0051, AML.T0054
+//
+// Category:  semantic
 // Namespace: AIGateway
 // =============================================================================
-// Block content with prompt injection patterns detected by rules
-@id("semantic-block-injection")
-@name("Block prompt injection")
-@description("Block tool calls when detection engine rules identify prompt injection patterns in tool arguments or content")
+// ---------------------------------------------------------------------------
+// Section 1: Prompt injection
+// ---------------------------------------------------------------------------
+@id("semantic.block-injection-rule")
+@name("Block injection (rule)")
+@description("Blocks call_tool when detected_threats contains \\"prompt_injection\\".")
 @severity("critical")
-@tags("injection,security,owasp-llm01,baseline")
-@reject_message("Tool call was blocked because prompt injection patterns were detected in the content (OWASP LLM01).")
+@tags("category:semantic,threat:injection,detection:rule,surface:call-tool,owasp:llm01,mitre:atlas-t0051,posture:baseline")
+@reject_message("Tool execution blocked: prompt injection patterns detected (OWASP LLM01).")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -57,29 +75,31 @@ when {
     context has detected_threats && context.detected_threats.contains("prompt_injection")
 };
-// Block content with high ML injection confidence
-@id("semantic-block-injection-score")
-@name("Block high-confidence injection")
-@description("Block tool calls when the ML injection classifier confidence exceeds 75/100")
+@id("semantic.block-injection-ml")
+@name("Block injection (ML)")
+@description("Blocks call_tool when injection_score >= 75.")
 @severity("critical")
-@tags("injection,ml-classifier,security,owasp-llm01")
-@reject_message("Tool call was blocked because the ML classifier detected prompt injection with high confidence.")
+@tags("category:semantic,threat:injection,detection:ml,surface:call-tool,owasp:llm01,mitre:atlas-t0051")
+@reject_message("Tool execution blocked: the ML classifier detected prompt injection with high confidence.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
 )
 when {
-    context has injection_confidence && context.injection_confidence >= 75
+    context has injection_score && context.injection_score >= 75
 };
-// Block content with jailbreak patterns
-@id("semantic-block-jailbreak")
-@name("Block jailbreak attempts")
-@description("Block tool calls when jailbreak patterns are detected in content")
+// ---------------------------------------------------------------------------
+// Section 2: Jailbreak
+// ---------------------------------------------------------------------------
+@id("semantic.block-jailbreak-rule")
+@name("Block jailbreak (rule)")
+@description("Blocks call_tool when detected_threats contains \\"jailbreak\\".")
 @severity("critical")
-@tags("jailbreak,security,owasp-llm02,baseline")
-@reject_message("Tool call was blocked because jailbreak patterns were detected.")
+@tags("category:semantic,threat:jailbreak,detection:rule,surface:call-tool,owasp:llm02,mitre:atlas-t0054,posture:baseline")
+@reject_message("Tool execution blocked: jailbreak patterns detected (OWASP LLM02).")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -89,29 +109,31 @@ when {
     context has detected_threats && context.detected_threats.contains("jailbreak")
 };
-// Block content with high ML jailbreak confidence
-@id("semantic-block-jailbreak-score")
-@name("Block high-confidence jailbreak")
-@description("Block tool calls when the ML jailbreak classifier confidence exceeds 75/100")
+@id("semantic.block-jailbreak-ml")
+@name("Block jailbreak (ML)")
+@description("Blocks call_tool when jailbreak_score >= 75.")
 @severity("critical")
-@tags("jailbreak,ml-classifier,security,owasp-llm02")
-@reject_message("Tool call was blocked because the ML classifier detected a jailbreak attempt with high confidence.")
+@tags("category:semantic,threat:jailbreak,detection:ml,surface:call-tool,owasp:llm02,mitre:atlas-t0054")
+@reject_message("Tool execution blocked: the ML classifier detected a jailbreak attempt with high confidence.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
 )
 when {
-    context has jailbreak_confidence && context.jailbreak_confidence >= 75
+    context has jailbreak_score && context.jailbreak_score >= 75
 };
-// Block any content with critical severity threats
-@id("semantic-block-critical")
+// ---------------------------------------------------------------------------
+// Section 3: Severity aggregation
+// ---------------------------------------------------------------------------
+@id("semantic.block-critical")
 @name("Block critical threats")
-@description("Block all MCP operations when any detection engine reports critical severity")
+@description("Blocks all MCP operations when highest_severity equals \\"critical\\".")
 @severity("critical")
-@tags("critical,baseline,security,catch-all")
-@reject_message("MCP operation was blocked because security scanners detected a critical-severity threat.")
+@tags("category:semantic,detection:aggregate,posture:catch-all")
+@reject_message("MCP operation blocked: a critical-severity threat was detected.")
 forbid (
     principal,
     action,
@@ -121,13 +143,12 @@ when {
     context has highest_severity && context.highest_severity == "critical"
 };
-// Block tool calls with multiple concurrent threats
-@id("semantic-block-multi-threat-tools")
+@id("semantic.block-multi-threat")
 @name("Block multi-threat tool calls")
-@description("Block tool execution when 3+ distinct threats are detected simultaneously")
+@description("Blocks call_tool when threat_count >= 3.")
 @severity("high")
-@tags("multi-threat,tools,security,defense-in-depth")
-@reject_message("Tool execution was blocked because multiple security threats were detected simultaneously.")
+@tags("category:semantic,detection:aggregate,surface:call-tool,posture:catch-all")
+@reject_message("Tool execution blocked: multiple concurrent security threats were detected.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -137,23 +158,40 @@ when {
     context has threat_count && context.threat_count >= 3
 };
 `;
-const AI_GATEWAY_TOOLS_DEFAULT_CEDAR = `// =============================================================================
-// Tool Permissioning Policy (Default)
+const AI_GATEWAY_TOOLS_DEFAULTS_CEDAR = `// =============================================================================
+// Tool Permissioning (Default)
 // =============================================================================
-// Controls access to MCP tools based on risk scoring, threat detection,
-// and tool classification.
+// Blocks MCP tool calls based on risk scoring, threat detection, and tool
+// classification.
+//
+// Detection layers:
+//   - Computed risk score (tool_risk_score)
+//   - Detector category labels (tool_category, tool_is_sensitive)
+//   - Threat aggregation (threat_count, max_threat_severity)
+//   - Detection rule triggers (detected_threats)
+//
+// Context keys consumed:
+//   - tool_risk_score:      Long (0-100)
+//   - tool_category:        String
+//   - tool_is_sensitive:    Bool
+//   - threat_count:         Long
+//   - max_threat_severity:  Long (0-4)
+//   - detected_threats:     Set<String>
 //
-// Category: tools
+// Compliance:
+//   - OWASP LLM06, OWASP ASI02
+//   - MITRE T1059
+//
+// Category:  tools
 // Namespace: AIGateway
 // =============================================================================
-// Block tools with very high computed risk
-@id("tools-block-high-risk-score")
-@name("Block high-risk tool operations")
-@description("Block tool operations when the computed risk score exceeds 90/100")
+@id("tools.block-high-risk-score")
+@name("Block high-risk tools")
+@description("Blocks call_tool when tool_risk_score >= 90.")
 @severity("critical")
-@tags("tool-risk,security,owasp-llm06,owasp-asi02")
-@reject_message("Tool execution blocked: this operation scored 90+ on the risk assessment.")
+@tags("category:tools,detection:aggregate,surface:call-tool,owasp:llm06,owasp:asi02")
+@reject_message("Tool execution blocked: tool risk score is at or above 90/100.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -163,13 +201,12 @@ when {
     context has tool_risk_score && context.tool_risk_score >= 90
 };
-// Block tools classified as dangerous
-@id("tools-block-dangerous-category")
+@id("tools.block-dangerous-category")
 @name("Block dangerous tool category")
-@description("Block all tools classified as dangerous by the detection engine")
+@description("Blocks call_tool when tool_category equals \\"dangerous\\".")
 @severity("critical")
-@tags("tool-category,dangerous,security,owasp-llm06")
-@reject_message("Tool execution blocked: this tool is classified as dangerous.")
+@tags("category:tools,detection:rule,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: tool is classified as dangerous.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -179,30 +216,28 @@ when {
     context has tool_category && context.tool_category == "dangerous"
 };
-// Block sensitive tools when threats are detected
-@id("tools-block-sensitive-with-threats")
+@id("tools.block-sensitive-with-threats")
 @name("Block sensitive tools with threats")
-@description("Block sensitive tools when any threats are detected concurrently")
+@description("Blocks call_tool when tool_is_sensitive is true and threat_count >= 1.")
 @severity("high")
-@tags("tool-category,sensitive,security,defense-in-depth")
-@reject_message("Sensitive tool execution blocked: threats were detected alongside a sensitive tool operation.")
+@tags("category:tools,detection:aggregate,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: a sensitive tool was called while threats were detected.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
 )
 when {
-    context has tool_is_sensitive && context.tool_is_sensitive &&
-    context has threat_count && context.threat_count > 0
+    context has tool_is_sensitive && context.tool_is_sensitive == true &&
+    context has threat_count && context.threat_count >= 1
 };
-// Block tool calls with high severity threats
-@id("tools-block-high-severity-threats")
-@name("Block tool calls with high severity threats")
-@description("Prevent tool execution when high or critical severity threats are detected")
+@id("tools.block-high-severity")
+@name("Block high-severity tool calls")
+@description("Blocks call_tool when threat_count >= 1 and max_threat_severity >= 3.")
 @severity("high")
-@tags("tools,threats,severity,security")
-@reject_message("Tool execution was blocked because high or critical severity threats were detected.")
+@tags("category:tools,detection:aggregate,surface:call-tool")
+@reject_message("Tool execution blocked: high or critical severity threats were detected.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -210,15 +245,14 @@ forbid (
 )
 when {
     context has threat_count && context has max_threat_severity &&
-    context.threat_count > 0 && context.max_threat_severity >= 3
+    context.threat_count >= 1 && context.max_threat_severity >= 3
 };
-// Block detected command injection patterns
-@id("tools-block-command-injection")
-@name("Block command injection in tool calls")
-@description("Block tool calls when command injection patterns are detected in arguments")
+@id("tools.block-command-injection")
+@name("Block command injection")
+@description("Blocks call_tool when detected_threats contains \\"command_injection\\".")
 @severity("critical")
-@tags("command-injection,security,mitre-t1059,owasp-asi02")
+@tags("category:tools,threat:command-injection,detection:rule,surface:call-tool,mitre:t1059,owasp:asi02")
 @reject_message("Tool execution blocked: command injection pattern detected in tool arguments.")
 forbid (
     principal,
@@ -226,27 +260,44 @@ forbid (
     resource
 )
 when {
-    context has detected_threats &&
-    context.detected_threats.contains("command_injection")
+    context has detected_threats && context.detected_threats.contains("command_injection")
 };
 `;
-const AI_GATEWAY_AGENT_SECURITY_DEFAULT_CEDAR = `// =============================================================================
-// Agent Security Policy (Default)
+const AI_GATEWAY_AGENT_SECURITY_DEFAULTS_CEDAR = `// =============================================================================
+// Agent Security (Default)
 // =============================================================================
-// Detects and blocks tool poisoning, rug pull attacks, indirect prompt injection,
-// and MCP supply chain threats.
+// Blocks tool poisoning, rug pull behavioral drift, indirect prompt injection
+// from tool outputs, and MCP supply-chain risks (unverified servers, risky
+// configurations).
+//
+// Context keys consumed:
+//   - tool_poisoning_score:      Long (0-100)
+//   - rug_pull_score:            Long (0-100)
+//   - indirect_injection_score:  Long (0-100)
+//   - tool_is_sensitive:         Bool
+//   - mcp_server_verified:       Bool
+//   - mcp_config_risk:           Bool
+//   - mcp_risk_score:            Long (0-100)
+//   - threat_count:              Long
+//
+// Compliance:
+//   - OWASP LLM01, OWASP ASI01, OWASP ASI02, OWASP ASI04
+//   - OWASP MCP02, MCP03, MCP05
 //
-// Category: agent_security
+// Category:  agent-security
 // Namespace: AIGateway
 // =============================================================================
-// Block tool calls with tool poisoning risk
-@id("as-block-tool-poisoning")
+// ---------------------------------------------------------------------------
+// Section 1: Tool poisoning
+// ---------------------------------------------------------------------------
+@id("agent-security.block-tool-poisoning")
 @name("Block tool poisoning")
-@description("Block tool execution when hidden instructions are detected in tool descriptions or arguments (score >= 70)")
+@description("Blocks call_tool when tool_poisoning_score >= 70.")
 @severity("critical")
-@tags("tool-poisoning,agent-security,owasp-asi01")
-@reject_message("Tool execution blocked: hidden manipulation instructions detected in tool description or arguments (OWASP ASI01).")
+@tags("category:agent-security,threat:tool-poisoning,detection:ml,surface:call-tool,owasp:asi01")
+@reject_message("Tool execution blocked: hidden manipulation instructions detected (OWASP ASI01).")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -256,12 +307,11 @@ when {
     context has tool_poisoning_score && context.tool_poisoning_score >= 70
 };
-// Block MCP server connections with poisoning risk
-@id("as-block-server-poisoning")
+@id("agent-security.block-server-poisoning")
 @name("Block poisoned MCP servers")
-@description("Block connections to MCP servers when tool poisoning patterns are detected (score >= 60)")
+@description("Blocks connect_server when tool_poisoning_score >= 60.")
 @severity("critical")
-@tags("tool-poisoning,mcp-security,owasp-asi04,owasp-mcp02")
+@tags("category:agent-security,threat:tool-poisoning,detection:ml,surface:connect-server,owasp:asi04,owasp:mcp02")
 @reject_message("MCP server connection blocked: tool poisoning patterns detected in server tool descriptions.")
 forbid (
     principal,
@@ -272,13 +322,16 @@ when {
     context has tool_poisoning_score && context.tool_poisoning_score >= 60
 };
-// Block tool calls with behavioral drift (rug pull)
-@id("as-block-rug-pull")
+// ---------------------------------------------------------------------------
+// Section 2: Rug pull (behavioral drift)
+// ---------------------------------------------------------------------------
+@id("agent-security.block-rug-pull")
 @name("Block rug pull attacks")
-@description("Block tool execution when behavioral drift is detected (score >= 70)")
+@description("Blocks call_tool and connect_server when rug_pull_score >= 70.")
 @severity("critical")
-@tags("rug-pull,agent-security,owasp-asi04")
-@reject_message("Tool execution blocked: tool behavior has changed significantly from its established pattern.")
+@tags("category:agent-security,threat:rug-pull,detection:ml,owasp:asi04")
+@reject_message("Tool execution blocked: tool behavior has drifted significantly from its established pattern.")
 forbid (
     principal,
     action in [AIGateway::Action::"call_tool", AIGateway::Action::"connect_server"],
@@ -288,12 +341,15 @@ when {
     context has rug_pull_score && context.rug_pull_score >= 70
 };
-// Block with indirect injection from tool outputs
-@id("as-block-indirect-injection")
-@name("Block indirect prompt injection")
-@description("Block when indirect prompt injection is detected in tool outputs (score >= 70)")
+// ---------------------------------------------------------------------------
+// Section 3: Indirect prompt injection
+// ---------------------------------------------------------------------------
+@id("agent-security.block-indirect-injection")
+@name("Block indirect injection")
+@description("Blocks call_tool and connect_server when indirect_injection_score >= 70.")
 @severity("critical")
-@tags("indirect-injection,owasp-llm01,owasp-asi01")
+@tags("category:agent-security,threat:indirect-injection,detection:ml,owasp:llm01,owasp:asi01")
 @reject_message("Content blocked: indirect prompt injection detected in tool output or retrieved content.")
 forbid (
     principal,
@@ -304,13 +360,12 @@ when {
     context has indirect_injection_score && context.indirect_injection_score >= 70
 };
-// Strict indirect injection for sensitive tool calls
-@id("as-block-indirect-injection-sensitive-tools")
+@id("agent-security.block-indirect-injection-sensitive")
 @name("Block indirect injection on sensitive tools")
-@description("Lower threshold (>= 50) for indirect injection when the tool is classified as sensitive")
+@description("Blocks call_tool when tool_is_sensitive is true and indirect_injection_score >= 50.")
 @severity("critical")
-@tags("indirect-injection,sensitive-tools,owasp-asi02")
-@reject_message("Sensitive tool execution blocked: moderate indirect injection risk detected.")
+@tags("category:agent-security,threat:indirect-injection,detection:ml,surface:call-tool,owasp:asi02")
+@reject_message("Tool execution blocked: a sensitive tool was called with moderate indirect-injection risk.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -318,15 +373,18 @@ forbid (
 )
 when {
     context has indirect_injection_score && context.indirect_injection_score >= 50 &&
-    context has tool_is_sensitive && context.tool_is_sensitive
+    context has tool_is_sensitive && context.tool_is_sensitive == true
 };
-// Block unverified MCP server tool calls with detected threats
-@id("as-block-unverified-threats")
+// ---------------------------------------------------------------------------
+// Section 4: MCP supply chain & trust
+// ---------------------------------------------------------------------------
+@id("agent-security.block-unverified-threats")
 @name("Block unverified server threats")
-@description("Block tool calls from unverified MCP servers when any threat is detected")
+@description("Blocks call_tool when mcp_server_verified is false and threat_count >= 1.")
 @severity("high")
-@tags("mcp-trust,owasp-asi04,supply-chain")
+@tags("category:agent-security,threat:supply-chain,detection:aggregate,surface:call-tool,owasp:asi04")
 @reject_message("Tool execution blocked: the MCP server is unverified and security threats were detected.")
 forbid (
     principal,
@@ -335,15 +393,14 @@ forbid (
 )
 when {
     context has mcp_server_verified && context.mcp_server_verified == false &&
-    context has threat_count && context.threat_count > 0
+    context has threat_count && context.threat_count >= 1
 };
-// Block connections to MCP servers with risky configurations
-@id("as-block-mcp-config-risk")
+@id("agent-security.block-mcp-config-risk")
 @name("Block risky MCP server configs")
-@description("Block MCP server connections when risky configuration patterns are detected (score >= 70)")
+@description("Blocks connect_server when mcp_config_risk is true and mcp_risk_score >= 70.")
 @severity("high")
-@tags("mcp-config,owasp-mcp03,supply-chain")
+@tags("category:agent-security,threat:mcp-config-risk,detection:ml,surface:connect-server,owasp:mcp03")
 @reject_message("MCP server connection blocked: risky server configuration detected.")
 forbid (
     principal,
@@ -351,16 +408,15 @@ forbid (
     resource
 )
 when {
-    context has mcp_config_risk && context.mcp_config_risk &&
+    context has mcp_config_risk && context.mcp_config_risk == true &&
     context has mcp_risk_score && context.mcp_risk_score >= 70
 };
-// Block connections to unverified MCP servers
-@id("as-block-unverified-server-connect")
+@id("agent-security.block-unverified-server")
 @name("Block unverified MCP server connections")
-@description("Block connections to MCP servers that are not from a verified registry")
+@description("Blocks connect_server when mcp_server_verified is false.")
 @severity("high")
-@tags("mcp-trust,owasp-asi04,owasp-mcp05,supply-chain")
+@tags("category:agent-security,threat:supply-chain,detection:rule,surface:connect-server,owasp:asi04,owasp:mcp05")
 @reject_message("MCP server connection blocked: server is not from a verified registry.")
 forbid (
     principal,
@@ -371,18 +427,25 @@ when {
     context has mcp_server_verified && context.mcp_server_verified == false
 };
 `;
-const AI_GATEWAY_TOOLS_MCP_ALLOWLIST_CEDAR = `// MCP Server Allowlist Template
-// Only allow specific MCP servers to be used
-// Category: tools
+const AI_GATEWAY_TOOLS_MCP_SERVER_ALLOWLIST_CEDAR = `// =============================================================================
+// MCP Server Allowlist
+// =============================================================================
+// Restricts MCP server connections to a pre-approved list. Customize the
+// \`context.mcp_server\` values in the permit rule to match the allowed
+// servers for your environment.
+//
+// Context keys consumed:
+//   - mcp_server: String
 //
-// NOTE: Users should customize the mcp_server values in the permit rule
-// to match their allowed servers before deploying this template.
+// Category:  tools
+// Namespace: AIGateway
+// =============================================================================
-@id("mcp-allowlist-permit")
-@name("Allow specific MCP servers")
-@description("Only allow connections to pre-approved MCP servers (customize the list)")
+@id("tools.allow-mcp-allowlist")
+@name("Allow allowlisted MCP servers")
+@description("Permits connect_server when mcp_server is in the allowlist.")
 @severity("medium")
-@tags("mcp,allowlist,server,governance")
+@tags("category:tools,surface:connect-server,scope:org-wide,posture:deny-default")
 permit (
     principal,
     action == AIGateway::Action::"connect_server",
@@ -391,14 +454,15 @@ permit (
 when {
     context has mcp_server &&
     (context.mcp_server == "filesystem" ||
-    context.mcp_server == "playwright")
+     context.mcp_server == "playwright")
 };
-@id("mcp-allowlist-deny")
-@name("Deny unallowed MCP servers")
-@description("Block all MCP server connections not in the allowlist")
+@id("tools.deny-non-allowlisted-mcp")
+@name("Block non-allowlisted MCP servers")
+@description("Blocks connect_server unconditionally so only the allowlist permit applies.")
 @severity("medium")
-@tags("mcp,deny-default,server")
+@tags("category:tools,surface:connect-server,scope:org-wide,posture:deny-default")
+@reject_message("MCP server connection blocked: server is not on the allowlist.")
 forbid (
     principal,
     action == AIGateway::Action::"connect_server",
@@ -406,81 +470,92 @@ forbid (
 );
 `;
 const AI_GATEWAY_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR = `// =============================================================================
-// MCP Tool Permissions Template (AIGateway)
+// MCP Tool Permissions
 // =============================================================================
-// Per-tool access control for MCP servers.
-// Complements the MCP Server Allowlist (connect_server action)
-// with fine-grained per-tool control on call_tool action.
+// Per-tool access control for MCP servers. Complements MCP Server Allowlist
+// (which gates connect_server) with fine-grained control on call_tool.
+//
+// Ships permit-all by default plus two opt-in safety rails (exclude
+// untrusted/deprecated servers, block unverified servers). Add additional
+// forbid rules to gate specific servers or tools.
 //
-// Defaults to permit-all. Customize per-tool gating by adding forbid rules
-// scoped to specific mcp_server / tool_name combinations.
+// Context keys consumed:
+//   - mcp_server:           String
+//   - mcp_server_verified:  Bool
 //
-// Category: tools
+// Category:  tools
 // Namespace: AIGateway
 // =============================================================================
-// -- Permit all MCP tool calls (opt-in default) -----------------------------
-@id("mcp-tool-allow-all")
-@name("Allow all MCP tool calls")
-@description("Permit every call_tool action. Add forbid rules below for per-tool gating.")
+@id("tools.allow-mcp-tools-baseline")
+@name("Permit MCP tool calls")
+@description("Permits all call_tool actions; combine with forbid rules for gating.")
 @severity("low")
-@tags("mcp,permit-default")
+@tags("category:tools,surface:call-tool,posture:permit-default")
 permit (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
 );
-// -- Organization-wide MCP server exclusions --------------------------------
-@id("mcp-tool-exclude-server")
-@name("Exclude specific MCP servers")
-@description("Block all tool calls from excluded MCP servers (org-wide exclusion list)")
+@id("tools.exclude-mcp-servers")
+@name("Block excluded MCP servers")
+@description("Blocks call_tool when mcp_server is in the org-wide exclusion list.")
 @severity("critical")
-@tags("mcp,exclusion,org-wide,block")
+@tags("category:tools,surface:call-tool,scope:org-wide,posture:deny-default")
+@reject_message("Tool execution blocked: MCP server is on the org-wide exclusion list.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has mcp_server &&
     (context.mcp_server == "untrusted-server" ||
      context.mcp_server == "deprecated-server")
 };
-// -- Block unverified MCP servers -------------------------------------------
-@id("mcp-tool-block-unverified")
-@name("Block tools from unverified MCP servers")
-@description("Deny tool calls from MCP servers not in the verified registry")
+@id("tools.block-unverified-mcp-tools")
+@name("Block unverified MCP server tools")
+@description("Blocks call_tool when mcp_server_verified is false.")
 @severity("high")
-@tags("mcp,trust,verification")
+@tags("category:tools,threat:supply-chain,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: MCP server is not from a verified registry.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has mcp_server_verified && context.mcp_server_verified == false
 };
 `;
-const AI_GATEWAY_DATA_PII_REDACTION_CEDAR = `// =============================================================================
-// PII Redaction Policy
+const AI_GATEWAY_DATA_PROTECTION_PII_REDACTION_CEDAR = `// =============================================================================
+// PII & Secrets Redaction
 // =============================================================================
-// Block or redact requests containing personally identifiable information.
-// Covers all AI Gateway actions (MCP tool calls, LLM prompts, file ops).
+// Blocks AI Gateway operations when personally identifiable information or
+// secrets are detected in the content. Covers both LLM prompt processing
+// and MCP tool calls, plus a bulk-exposure catch-all.
+//
+// Context keys consumed:
+//   - pii_detected:      Bool
+//   - secrets_detected:  Bool
+//   - pii_count:         Long
+//
+// Compliance:
+//   - OWASP LLM06
+//   - GDPR, HIPAA (depending on data classification)
 //
-// Category: data_protection
+// Category:  data-protection
 // Namespace: AIGateway
 // =============================================================================
-// Block requests with PII detected
-@id("data-block-pii")
-@name("Block PII in requests")
-@description("Block any AI Gateway operation when PII is detected in the content")
+@id("data-protection.block-pii")
+@name("Block PII in prompts")
+@description("Blocks process_prompt when pii_detected is true.")
 @severity("high")
-@tags("pii,data-protection,owasp-llm06,dlp")
-@reject_message("Request was blocked because personally identifiable information (PII) was detected. Remove sensitive data before retrying.")
+@tags("category:data-protection,threat:pii,detection:rule,surface:process-prompt,owasp:llm06")
+@reject_message("Prompt blocked: personally identifiable information was detected — remove sensitive data and retry.")
 forbid (
     principal,
     action == AIGateway::Action::"process_prompt",
@@ -490,29 +565,27 @@ when {
     context has pii_detected && context.pii_detected == true
 };
-// Block requests with secrets/credentials
-@id("data-block-secrets")
-@name("Block secrets in requests")
-@description("Block any AI Gateway operation when secrets or credentials are detected")
+@id("data-protection.block-secrets")
+@name("Block secrets in prompts")
+@description("Blocks process_prompt when secrets_detected is true.")
 @severity("critical")
-@tags("secrets,data-protection,credentials,dlp")
-@reject_message("Request was blocked because secrets or credentials were detected in the content. Remove sensitive credentials before retrying.")
+@tags("category:data-protection,threat:secrets,detection:rule,surface:process-prompt")
+@reject_message("Prompt blocked: secrets or credentials were detected — remove sensitive data and retry.")
 forbid (
     principal,
     action == AIGateway::Action::"process_prompt",
     resource
 )
 when {
-    context has contains_secrets && context.contains_secrets == true
+    context has secrets_detected && context.secrets_detected == true
 };
-// Block MCP tool calls with PII
-@id("data-block-pii-tools")
+@id("data-protection.block-pii-tools")
 @name("Block PII in tool calls")
-@description("Block MCP tool execution when PII is detected in tool arguments")
+@description("Blocks call_tool when pii_detected is true.")
 @severity("high")
-@tags("pii,tools,data-protection,dlp")
-@reject_message("Tool call was blocked because PII was detected in the arguments.")
+@tags("category:data-protection,threat:pii,detection:rule,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: personally identifiable information was detected in tool arguments.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -522,29 +595,27 @@ when {
     context has pii_detected && context.pii_detected == true
 };
-// Block MCP tool calls with secrets
-@id("data-block-secrets-tools")
+@id("data-protection.block-secrets-tools")
 @name("Block secrets in tool calls")
-@description("Block MCP tool execution when secrets or credentials are detected")
+@description("Blocks call_tool when secrets_detected is true.")
 @severity("critical")
-@tags("secrets,tools,data-protection,dlp")
-@reject_message("Tool call was blocked because secrets were detected in the arguments.")
+@tags("category:data-protection,threat:secrets,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: secrets or credentials were detected in tool arguments.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
 )
 when {
-    context has contains_secrets && context.contains_secrets == true
+    context has secrets_detected && context.secrets_detected == true
 };
-// Block bulk PII exposure (3+ PII matches)
-@id("data-block-bulk-pii")
+@id("data-protection.block-pii-bulk")
 @name("Block bulk PII exposure")
-@description("Block operations with 3 or more PII matches -- indicates data dump or exfiltration attempt")
+@description("Blocks any action when pii_count >= 3.")
 @severity("critical")
-@tags("pii,bulk,data-protection,exfiltration")
-@reject_message("Request was blocked because multiple PII matches were detected, indicating potential data exfiltration.")
+@tags("category:data-protection,threat:exfiltration,detection:aggregate,posture:catch-all")
+@reject_message("Request blocked: multiple PII matches were detected — possible data exfiltration.")
 forbid (
     principal,
     action,
@@ -554,23 +625,22 @@ when {
     context has pii_count && context.pii_count >= 3
 };
 `;
-const AI_GATEWAY_LLM_DEFAULT_ALLOW_CEDAR = `// =============================================================================
-// Default Allow LLM Proxy Calls
+const AI_GATEWAY_ORGANIZATION_PERMIT_LLM_DEFAULT_CEDAR = `// =============================================================================
+// LLM Default Allow
 // =============================================================================
-// Permits all LLM prompt processing by default. Deploy this alongside
-// threat-specific forbid policies to create a "default allow, block on threat"
-// posture for LLM chat completions.
+// Permits all LLM prompt processing by default. Deploy alongside threat-specific
+// forbid policies to create a "default allow, block on threat" posture for LLM
+// chat completions.
 //
-// Category: organization
+// Category:  organization
 // Namespace: AIGateway
 // =============================================================================
-// Allow all LLM prompt processing by default
-@id("llm-permit-all-prompts")
-@name("Allow all LLM proxy calls")
-@description("Permits all LLM chat completion requests by default -- threat-specific forbid policies override this when threats are detected")
+@id("organization.permit-llm-default")
+@name("Permit LLM proxy calls")
+@description("Permits all process_prompt actions for the LLM proxy.")
 @severity("low")
-@tags("llm,permit-default,organization,proxy")
+@tags("category:organization,surface:process-prompt,posture:permit-default")
 permit (
     principal,
     action == AIGateway::Action::"process_prompt",
@@ -581,97 +651,103 @@ permit (
 // CATEGORIES
 // =============================================================================
 export const AI_GATEWAY_CATEGORIES = [
-    { id: 'semantic', name: 'Semantic Threat Detection', description: 'Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats' },
-    { id: 'tools', name: 'Tool Permissioning', description: 'Control access to MCP tools, enforce risk scoring, and manage per-tool permissions' },
-    { id: 'agent_security', name: 'Agent Security', description: 'Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats' },
-    { id: 'data_protection', name: 'Data Protection', description: 'Prevent secrets and PII leakage in LLM chat completions and MCP operations' },
-    { id: 'content_safety', name: 'Content Safety', description: 'Enforce content moderation score thresholds on LLM prompts and MCP content' },
-    { id: 'organization', name: 'Organization Rules', description: 'Apply organization-wide policy baselines for AI gateway operations' },
+    { id: 'semantic', name: 'Semantic Threat Detection', description: 'Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats.' },
+    { id: 'tools', name: 'Tool Permissioning', description: 'Control access to MCP tools, enforce risk scoring, and manage per-tool permissions.' },
+    { id: 'agent-security', name: 'Agent Security', description: 'Detect tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats.' },
+    { id: 'data-protection', name: 'Data Protection', description: 'Prevent secrets and PII leakage in LLM chat completions and MCP operations.' },
+    { id: 'organization', name: 'Organization', description: 'Organization-wide baselines and default permit policies.' },
 ];
 // =============================================================================
 // DEFAULT POLICIES
 // =============================================================================
 export const AI_GATEWAY_DEFAULTS = [
     {
-        id: 'baseline-default',
+        id: 'organization.permit-baseline',
         name: 'Baseline Permit',
-        description: 'Permits all actions by default -- threat-specific forbid policies override this when threats are detected',
+        description: 'Permits all actions by default; threat-specific forbid policies override this when detectors fire.',
         category: 'organization',
-        cedarText: AI_GATEWAY_BASELINE_DEFAULT_CEDAR,
+        cedarText: AI_GATEWAY_ORGANIZATION_PERMIT_BASELINE_CEDAR,
         severity: 'low',
-        tags: ['baseline', 'permit-default', 'organization'],
+        tags: ['category:organization', 'posture:permit-default'],
         isActive: true,
     },
+];
+// =============================================================================
+// ALL TEMPLATES
+// =============================================================================
+export const AI_GATEWAY_TEMPLATES = [
     {
-        id: 'semantic-default',
+        id: 'organization.permit-baseline',
+        name: 'Baseline Permit',
+        description: 'Permits all actions by default; threat-specific forbid policies override this when detectors fire.',
+        category: 'organization',
+        cedarText: AI_GATEWAY_ORGANIZATION_PERMIT_BASELINE_CEDAR,
+        severity: 'low',
+        tags: ['category:organization', 'posture:permit-default'],
+        autoDeploy: true,
+    },
+    {
+        id: 'semantic.defaults',
         name: 'Semantic Threat Detection',
-        description: 'Detect and block prompt injection, jailbreak attempts, and high-severity threats in MCP tool calls and LLM prompts',
+        description: 'Block prompt injection, jailbreak attempts, and high-severity threats in MCP tool calls and LLM prompts.',
         category: 'semantic',
-        cedarText: AI_GATEWAY_SEMANTIC_DEFAULT_CEDAR,
+        cedarText: AI_GATEWAY_SEMANTIC_DEFAULTS_CEDAR,
         severity: 'critical',
-        tags: ['prompt-injection', 'jailbreak', 'owasp-llm01', 'owasp-llm02', 'security', 'baseline'],
-        isActive: true,
+        tags: ['category:semantic', 'threat:injection', 'threat:jailbreak', 'owasp:llm01', 'owasp:llm02'],
     },
     {
-        id: 'tools-default',
+        id: 'tools.defaults',
         name: 'Tool Permissioning',
-        description: 'Enforce tool risk scoring, block dangerous tools, and detect command injection in MCP tool arguments',
+        description: 'Enforce tool risk scoring, block dangerous tools, and detect command injection in MCP tool arguments.',
         category: 'tools',
-        cedarText: AI_GATEWAY_TOOLS_DEFAULT_CEDAR,
+        cedarText: AI_GATEWAY_TOOLS_DEFAULTS_CEDAR,
         severity: 'critical',
-        tags: ['tool-risk', 'command-injection', 'owasp-llm06', 'owasp-asi02', 'baseline'],
-        isActive: true,
+        tags: ['category:tools', 'threat:command-injection', 'owasp:llm06', 'owasp:asi02'],
     },
     {
-        id: 'agent-security-default',
+        id: 'agent-security.defaults',
         name: 'Agent Security',
-        description: 'Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats',
-        category: 'agent_security',
-        cedarText: AI_GATEWAY_AGENT_SECURITY_DEFAULT_CEDAR,
+        description: 'Block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats.',
+        category: 'agent-security',
+        cedarText: AI_GATEWAY_AGENT_SECURITY_DEFAULTS_CEDAR,
         severity: 'critical',
-        tags: ['tool-poisoning', 'rug-pull', 'indirect-injection', 'mcp-security', 'owasp-asi01', 'owasp-asi04', 'baseline'],
-        isActive: true,
+        tags: ['category:agent-security', 'threat:tool-poisoning', 'threat:rug-pull', 'threat:indirect-injection', 'threat:supply-chain', 'owasp:asi01', 'owasp:asi04'],
     },
-];
-// =============================================================================
-// ALL TEMPLATES
-// =============================================================================
-export const AI_GATEWAY_TEMPLATES = [
     {
-        id: 'tools-mcp-allowlist',
+        id: 'tools.mcp-server-allowlist',
         name: 'MCP Server Allowlist',
-        description: 'Only allow specific MCP servers to be used',
+        description: 'Only allow specific MCP servers to be used; customize the allowlist in the permit rule.',
         category: 'tools',
-        cedarText: AI_GATEWAY_TOOLS_MCP_ALLOWLIST_CEDAR,
+        cedarText: AI_GATEWAY_TOOLS_MCP_SERVER_ALLOWLIST_CEDAR,
         severity: 'medium',
-        tags: ['mcp', 'allowlist', 'whitelist'],
+        tags: ['category:tools', 'scope:org-wide', 'posture:deny-default'],
     },
     {
-        id: 'tools-mcp-tool-permissions',
+        id: 'tools.mcp-tool-permissions',
         name: 'MCP Tool Permissions',
-        description: 'Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.',
+        description: 'Permit MCP call_tool by default plus two safety rails (server exclusion list, block unverified servers); add forbid rules for per-tool gating.',
         category: 'tools',
         cedarText: AI_GATEWAY_TOOLS_MCP_TOOL_PERMISSIONS_CEDAR,
-        severity: 'low',
-        tags: ['mcp', 'tools', 'permit-default', 'exclusion'],
+        severity: 'critical',
+        tags: ['category:tools', 'threat:supply-chain', 'posture:permit-default'],
     },
     {
-        id: 'data-pii-redaction',
+        id: 'data-protection.pii-redaction',
         name: 'PII & Secrets Redaction',
-        description: 'Block requests containing PII or secrets across LLM prompts and MCP tool calls -- prevents data leakage and credential exposure',
-        category: 'data_protection',
-        cedarText: AI_GATEWAY_DATA_PII_REDACTION_CEDAR,
-        severity: 'high',
-        tags: ['pii', 'secrets', 'data-protection', 'dlp', 'owasp-llm06'],
+        description: 'Block requests containing PII or secrets across LLM prompts and MCP tool calls.',
+        category: 'data-protection',
+        cedarText: AI_GATEWAY_DATA_PROTECTION_PII_REDACTION_CEDAR,
+        severity: 'critical',
+        tags: ['category:data-protection', 'threat:pii', 'threat:secrets', 'threat:exfiltration', 'owasp:llm06'],
     },
     {
-        id: 'llm-default-allow',
-        name: 'Default Allow LLM Proxy',
-        description: 'Permit all LLM chat completion requests by default -- deploy alongside threat-specific forbid policies for a default-allow posture',
+        id: 'organization.permit-llm-default',
+        name: 'Permit LLM proxy calls',
+        description: 'Permit all LLM chat completion requests by default; deploy alongside threat-specific forbids for a permit-default posture.',
         category: 'organization',
-        cedarText: AI_GATEWAY_LLM_DEFAULT_ALLOW_CEDAR,
+        cedarText: AI_GATEWAY_ORGANIZATION_PERMIT_LLM_DEFAULT_CEDAR,
         severity: 'low',
-        tags: ['llm', 'permit-default', 'proxy', 'organization'],
+        tags: ['category:organization', 'surface:process-prompt', 'posture:permit-default'],
     },
 ];
 // =============================================================================
@@ -680,118 +756,120 @@ export const AI_GATEWAY_TEMPLATES = [
 /** Raw templates.json metadata for the AiGateway service. */
 export const AI_GATEWAY_TEMPLATES_JSON = `{
   "service": "ai_gateway",
-  "version": "2.0.0",
-  "description": "AIGateway policy templates for MCP + LLM gateway security",
+  "version": "2.1.0",
+  "description": "AI Gateway policy templates for MCP + LLM gateway security",
   "categories": [
     {
       "id": "semantic",
       "name": "Semantic Threat Detection",
-      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats"
+      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats."
     },
     {
       "id": "tools",
       "name": "Tool Permissioning",
-      "description": "Control access to MCP tools, enforce risk scoring, and manage per-tool permissions"
+      "description": "Control access to MCP tools, enforce risk scoring, and manage per-tool permissions."
     },
     {
-      "id": "agent_security",
+      "id": "agent-security",
       "name": "Agent Security",
-      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats"
+      "description": "Detect tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats."
     },
     {
-      "id": "data_protection",
+      "id": "data-protection",
       "name": "Data Protection",
-      "description": "Prevent secrets and PII leakage in LLM chat completions and MCP operations"
-    },
-    {
-      "id": "content_safety",
-      "name": "Content Safety",
-      "description": "Enforce content moderation score thresholds on LLM prompts and MCP content"
+      "description": "Prevent secrets and PII leakage in LLM chat completions and MCP operations."
     },
     {
       "id": "organization",
-      "name": "Organization Rules",
-      "description": "Apply organization-wide policy baselines for AI gateway operations"
+      "name": "Organization",
+      "description": "Organization-wide baselines and default permit policies."
     }
   ],
   "defaults": [
     {
-      "id": "baseline-default",
+      "id": "organization.permit-baseline",
       "name": "Baseline Permit",
-      "description": "Permits all actions by default -- threat-specific forbid policies override this when threats are detected",
+      "description": "Permits all actions by default; threat-specific forbid policies override this when detectors fire.",
       "category": "organization",
       "file": "defaults/baseline.cedar",
       "severity": "low",
-      "tags": ["baseline", "permit-default", "organization"],
+      "tags": ["category:organization", "posture:permit-default"],
       "is_active": true
+    }
+  ],
+  "templates": [
+    {
+      "id": "organization.permit-baseline",
+      "name": "Baseline Permit",
+      "description": "Permits all actions by default; threat-specific forbid policies override this when detectors fire.",
+      "category": "organization",
+      "file": "defaults/baseline.cedar",
+      "severity": "low",
+      "tags": ["category:organization", "posture:permit-default"],
+      "auto_deploy": true
     },
     {
-      "id": "semantic-default",
+      "id": "semantic.defaults",
       "name": "Semantic Threat Detection",
-      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity threats in MCP tool calls and LLM prompts",
+      "description": "Block prompt injection, jailbreak attempts, and high-severity threats in MCP tool calls and LLM prompts.",
       "category": "semantic",
       "file": "defaults/semantic.cedar",
       "severity": "critical",
-      "tags": ["prompt-injection", "jailbreak", "owasp-llm01", "owasp-llm02", "security", "baseline"],
-      "is_active": true
+      "tags": ["category:semantic", "threat:injection", "threat:jailbreak", "owasp:llm01", "owasp:llm02"]
     },
     {
-      "id": "tools-default",
+      "id": "tools.defaults",
       "name": "Tool Permissioning",
-      "description": "Enforce tool risk scoring, block dangerous tools, and detect command injection in MCP tool arguments",
+      "description": "Enforce tool risk scoring, block dangerous tools, and detect command injection in MCP tool arguments.",
       "category": "tools",
       "file": "defaults/tools.cedar",
       "severity": "critical",
-      "tags": ["tool-risk", "command-injection", "owasp-llm06", "owasp-asi02", "baseline"],
-      "is_active": true
+      "tags": ["category:tools", "threat:command-injection", "owasp:llm06", "owasp:asi02"]
     },
     {
-      "id": "agent-security-default",
+      "id": "agent-security.defaults",
       "name": "Agent Security",
-      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats",
-      "category": "agent_security",
+      "description": "Block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats.",
+      "category": "agent-security",
       "file": "defaults/agent_security.cedar",
       "severity": "critical",
-      "tags": ["tool-poisoning", "rug-pull", "indirect-injection", "mcp-security", "owasp-asi01", "owasp-asi04", "baseline"],
-      "is_active": true
-    }
-  ],
-  "templates": [
+      "tags": ["category:agent-security", "threat:tool-poisoning", "threat:rug-pull", "threat:indirect-injection", "threat:supply-chain", "owasp:asi01", "owasp:asi04"]
+    },
     {
-      "id": "tools-mcp-allowlist",
+      "id": "tools.mcp-server-allowlist",
       "name": "MCP Server Allowlist",
-      "description": "Only allow specific MCP servers to be used",
+      "description": "Only allow specific MCP servers to be used; customize the allowlist in the permit rule.",
       "category": "tools",
       "file": "mcp_server_allowlist.cedar",
       "severity": "medium",
-      "tags": ["mcp", "allowlist", "whitelist"]
+      "tags": ["category:tools", "scope:org-wide", "posture:deny-default"]
     },
     {
-      "id": "tools-mcp-tool-permissions",
+      "id": "tools.mcp-tool-permissions",
       "name": "MCP Tool Permissions",
-      "description": "Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.",
+      "description": "Permit MCP call_tool by default plus two safety rails (server exclusion list, block unverified servers); add forbid rules for per-tool gating.",
       "category": "tools",
       "file": "mcp_tool_permissions.cedar",
-      "severity": "low",
-      "tags": ["mcp", "tools", "permit-default", "exclusion"]
+      "severity": "critical",
+      "tags": ["category:tools", "threat:supply-chain", "posture:permit-default"]
     },
     {
-      "id": "data-pii-redaction",
+      "id": "data-protection.pii-redaction",
       "name": "PII & Secrets Redaction",
-      "description": "Block requests containing PII or secrets across LLM prompts and MCP tool calls -- prevents data leakage and credential exposure",
-      "category": "data_protection",
+      "description": "Block requests containing PII or secrets across LLM prompts and MCP tool calls.",
+      "category": "data-protection",
       "file": "pii_redaction.cedar",
-      "severity": "high",
-      "tags": ["pii", "secrets", "data-protection", "dlp", "owasp-llm06"]
+      "severity": "critical",
+      "tags": ["category:data-protection", "threat:pii", "threat:secrets", "threat:exfiltration", "owasp:llm06"]
     },
     {
-      "id": "llm-default-allow",
-      "name": "Default Allow LLM Proxy",
-      "description": "Permit all LLM chat completion requests by default -- deploy alongside threat-specific forbid policies for a default-allow posture",
+      "id": "organization.permit-llm-default",
+      "name": "Permit LLM proxy calls",
+      "description": "Permit all LLM chat completion requests by default; deploy alongside threat-specific forbids for a permit-default posture.",
       "category": "organization",
       "file": "llm_default_allow.cedar",
       "severity": "low",
-      "tags": ["llm", "permit-default", "proxy", "organization"]
+      "tags": ["category:organization", "surface:process-prompt", "posture:permit-default"]
     }
   ]
 }