@highflame/policy 2.1.35 → 2.1.37

package/_schemas/ai_gateway/templates/defaults/tools.cedar

@@ -1,20 +1,37 @@
 // =============================================================================
-// Tool Permissioning Policy (Default)
+// Tool Permissioning (Default)
 // =============================================================================
-// Controls access to MCP tools based on risk scoring, threat detection,
-// and tool classification.
+// Blocks MCP tool calls based on risk scoring, threat detection, and tool
+// classification.
 //
-// Category: tools
+// Detection layers:
+//   - Computed risk score (tool_risk_score)
+//   - Detector category labels (tool_category, tool_is_sensitive)
+//   - Threat aggregation (threat_count, max_threat_severity)
+//   - Detection rule triggers (detected_threats)
+//
+// Context keys consumed:
+//   - tool_risk_score:      Long (0-100)
+//   - tool_category:        String
+//   - tool_is_sensitive:    Bool
+//   - threat_count:         Long
+//   - max_threat_severity:  Long (0-4)
+//   - detected_threats:     Set<String>
+//
+// Compliance:
+//   - OWASP LLM06, OWASP ASI02
+//   - MITRE T1059
+//
+// Category:  tools
 // Namespace: AIGateway
 // =============================================================================
 
-// Block tools with very high computed risk
-@id("tools-block-high-risk-score")
-@name("Block high-risk tool operations")
-@description("Block tool operations when the computed risk score exceeds 90/100")
+@id("tools.block-high-risk-score")
+@name("Block high-risk tools")
+@description("Blocks call_tool when tool_risk_score >= 90.")
 @severity("critical")
-@tags("tool-risk,security,owasp-llm06,owasp-asi02")
-@reject_message("Tool execution blocked: this operation scored 90+ on the risk assessment.")
+@tags("category:tools,detection:aggregate,surface:call-tool,owasp:llm06,owasp:asi02")
+@reject_message("Tool execution blocked: tool risk score is at or above 90/100.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -24,13 +41,12 @@ when {
     context has tool_risk_score && context.tool_risk_score >= 90
 };
 
-// Block tools classified as dangerous
-@id("tools-block-dangerous-category")
+@id("tools.block-dangerous-category")
 @name("Block dangerous tool category")
-@description("Block all tools classified as dangerous by the detection engine")
+@description("Blocks call_tool when tool_category equals \"dangerous\".")
 @severity("critical")
-@tags("tool-category,dangerous,security,owasp-llm06")
-@reject_message("Tool execution blocked: this tool is classified as dangerous.")
+@tags("category:tools,detection:rule,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: tool is classified as dangerous.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -40,30 +56,28 @@ when {
     context has tool_category && context.tool_category == "dangerous"
 };
 
-// Block sensitive tools when threats are detected
-@id("tools-block-sensitive-with-threats")
+@id("tools.block-sensitive-with-threats")
 @name("Block sensitive tools with threats")
-@description("Block sensitive tools when any threats are detected concurrently")
+@description("Blocks call_tool when tool_is_sensitive is true and threat_count >= 1.")
 @severity("high")
-@tags("tool-category,sensitive,security,defense-in-depth")
-@reject_message("Sensitive tool execution blocked: threats were detected alongside a sensitive tool operation.")
+@tags("category:tools,detection:aggregate,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: a sensitive tool was called while threats were detected.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
 )
 when {
-    context has tool_is_sensitive && context.tool_is_sensitive &&
-    context has threat_count && context.threat_count > 0
+    context has tool_is_sensitive && context.tool_is_sensitive == true &&
+    context has threat_count && context.threat_count >= 1
 };
 
-// Block tool calls with high severity threats
-@id("tools-block-high-severity-threats")
-@name("Block tool calls with high severity threats")
-@description("Prevent tool execution when high or critical severity threats are detected")
+@id("tools.block-high-severity")
+@name("Block high-severity tool calls")
+@description("Blocks call_tool when threat_count >= 1 and max_threat_severity >= 3.")
 @severity("high")
-@tags("tools,threats,severity,security")
-@reject_message("Tool execution was blocked because high or critical severity threats were detected.")
+@tags("category:tools,detection:aggregate,surface:call-tool")
+@reject_message("Tool execution blocked: high or critical severity threats were detected.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -71,15 +85,14 @@ forbid (
 )
 when {
     context has threat_count && context has max_threat_severity &&
-    context.threat_count > 0 && context.max_threat_severity >= 3
+    context.threat_count >= 1 && context.max_threat_severity >= 3
 };
 
-// Block detected command injection patterns
-@id("tools-block-command-injection")
-@name("Block command injection in tool calls")
-@description("Block tool calls when command injection patterns are detected in arguments")
+@id("tools.block-command-injection")
+@name("Block command injection")
+@description("Blocks call_tool when detected_threats contains \"command_injection\".")
 @severity("critical")
-@tags("command-injection,security,mitre-t1059,owasp-asi02")
+@tags("category:tools,threat:command-injection,detection:rule,surface:call-tool,mitre:t1059,owasp:asi02")
 @reject_message("Tool execution blocked: command injection pattern detected in tool arguments.")
 forbid (
     principal,
@@ -87,6 +100,5 @@ forbid (
     resource
 )
 when {
-    context has detected_threats &&
-    context.detected_threats.contains("command_injection")
+    context has detected_threats && context.detected_threats.contains("command_injection")
 };

package/_schemas/ai_gateway/templates/llm_default_allow.cedar

@@ -1,20 +1,19 @@
 // =============================================================================
-// Default Allow LLM Proxy Calls
+// LLM Default Allow
 // =============================================================================
-// Permits all LLM prompt processing by default. Deploy this alongside
-// threat-specific forbid policies to create a "default allow, block on threat"
-// posture for LLM chat completions.
+// Permits all LLM prompt processing by default. Deploy alongside threat-specific
+// forbid policies to create a "default allow, block on threat" posture for LLM
+// chat completions.
 //
-// Category: organization
+// Category:  organization
 // Namespace: AIGateway
 // =============================================================================
 
-// Allow all LLM prompt processing by default
-@id("llm-permit-all-prompts")
-@name("Allow all LLM proxy calls")
-@description("Permits all LLM chat completion requests by default -- threat-specific forbid policies override this when threats are detected")
+@id("organization.permit-llm-default")
+@name("Permit LLM proxy calls")
+@description("Permits all process_prompt actions for the LLM proxy.")
 @severity("low")
-@tags("llm,permit-default,organization,proxy")
+@tags("category:organization,surface:process-prompt,posture:permit-default")
 permit (
     principal,
     action == AIGateway::Action::"process_prompt",

package/_schemas/ai_gateway/templates/mcp_server_allowlist.cedar

@@ -1,15 +1,22 @@
-// MCP Server Allowlist Template
-// Only allow specific MCP servers to be used
-// Category: tools
+// =============================================================================
+// MCP Server Allowlist
+// =============================================================================
+// Restricts MCP server connections to a pre-approved list. Customize the
+// `context.mcp_server` values in the permit rule to match the allowed
+// servers for your environment.
 //
-// NOTE: Users should customize the mcp_server values in the permit rule
-// to match their allowed servers before deploying this template.
+// Context keys consumed:
+//   - mcp_server: String
+//
+// Category:  tools
+// Namespace: AIGateway
+// =============================================================================
 
-@id("mcp-allowlist-permit")
-@name("Allow specific MCP servers")
-@description("Only allow connections to pre-approved MCP servers (customize the list)")
+@id("tools.allow-mcp-allowlist")
+@name("Allow allowlisted MCP servers")
+@description("Permits connect_server when mcp_server is in the allowlist.")
 @severity("medium")
-@tags("mcp,allowlist,server,governance")
+@tags("category:tools,surface:connect-server,scope:org-wide,posture:deny-default")
 permit (
     principal,
     action == AIGateway::Action::"connect_server",
@@ -18,14 +25,15 @@ permit (
 when {
     context has mcp_server &&
     (context.mcp_server == "filesystem" ||
-    context.mcp_server == "playwright")
+     context.mcp_server == "playwright")
 };
 
-@id("mcp-allowlist-deny")
-@name("Deny unallowed MCP servers")
-@description("Block all MCP server connections not in the allowlist")
+@id("tools.deny-non-allowlisted-mcp")
+@name("Block non-allowlisted MCP servers")
+@description("Blocks connect_server unconditionally so only the allowlist permit applies.")
 @severity("medium")
-@tags("mcp,deny-default,server")
+@tags("category:tools,surface:connect-server,scope:org-wide,posture:deny-default")
+@reject_message("MCP server connection blocked: server is not on the allowlist.")
 forbid (
     principal,
     action == AIGateway::Action::"connect_server",

package/_schemas/ai_gateway/templates/mcp_tool_permissions.cedar

@@ -1,58 +1,60 @@
 // =============================================================================
-// MCP Tool Permissions Template (AIGateway)
+// MCP Tool Permissions
 // =============================================================================
-// Per-tool access control for MCP servers.
-// Complements the MCP Server Allowlist (connect_server action)
-// with fine-grained per-tool control on call_tool action.
+// Per-tool access control for MCP servers. Complements MCP Server Allowlist
+// (which gates connect_server) with fine-grained control on call_tool.
 //
-// Defaults to permit-all. Customize per-tool gating by adding forbid rules
-// scoped to specific mcp_server / tool_name combinations.
+// Ships permit-all by default plus two opt-in safety rails (exclude
+// untrusted/deprecated servers, block unverified servers). Add additional
+// forbid rules to gate specific servers or tools.
 //
-// Category: tools
+// Context keys consumed:
+//   - mcp_server:           String
+//   - mcp_server_verified:  Bool
+//
+// Category:  tools
 // Namespace: AIGateway
 // =============================================================================
 
-// -- Permit all MCP tool calls (opt-in default) -----------------------------
-
-@id("mcp-tool-allow-all")
-@name("Allow all MCP tool calls")
-@description("Permit every call_tool action. Add forbid rules below for per-tool gating.")
+@id("tools.allow-mcp-tools-baseline")
+@name("Permit MCP tool calls")
+@description("Permits all call_tool actions; combine with forbid rules for gating.")
 @severity("low")
-@tags("mcp,permit-default")
+@tags("category:tools,surface:call-tool,posture:permit-default")
 permit (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
 );
 
-// -- Organization-wide MCP server exclusions --------------------------------
-
-@id("mcp-tool-exclude-server")
-@name("Exclude specific MCP servers")
-@description("Block all tool calls from excluded MCP servers (org-wide exclusion list)")
+@id("tools.exclude-mcp-servers")
+@name("Block excluded MCP servers")
+@description("Blocks call_tool when mcp_server is in the org-wide exclusion list.")
 @severity("critical")
-@tags("mcp,exclusion,org-wide,block")
+@tags("category:tools,surface:call-tool,scope:org-wide,posture:deny-default")
+@reject_message("Tool execution blocked: MCP server is on the org-wide exclusion list.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has mcp_server &&
     (context.mcp_server == "untrusted-server" ||
      context.mcp_server == "deprecated-server")
 };
 
-// -- Block unverified MCP servers -------------------------------------------
-
-@id("mcp-tool-block-unverified")
-@name("Block tools from unverified MCP servers")
-@description("Deny tool calls from MCP servers not in the verified registry")
+@id("tools.block-unverified-mcp-tools")
+@name("Block unverified MCP server tools")
+@description("Blocks call_tool when mcp_server_verified is false.")
 @severity("high")
-@tags("mcp,trust,verification")
+@tags("category:tools,threat:supply-chain,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: MCP server is not from a verified registry.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
-) when {
+)
+when {
     context has mcp_server_verified && context.mcp_server_verified == false
 };

package/_schemas/ai_gateway/templates/pii_redaction.cedar

@@ -1,20 +1,29 @@
 // =============================================================================
-// PII Redaction Policy
+// PII & Secrets Redaction
 // =============================================================================
-// Block or redact requests containing personally identifiable information.
-// Covers all AI Gateway actions (MCP tool calls, LLM prompts, file ops).
+// Blocks AI Gateway operations when personally identifiable information or
+// secrets are detected in the content. Covers both LLM prompt processing
+// and MCP tool calls, plus a bulk-exposure catch-all.
 //
-// Category: data_protection
+// Context keys consumed:
+//   - pii_detected:      Bool
+//   - secrets_detected:  Bool
+//   - pii_count:         Long
+//
+// Compliance:
+//   - OWASP LLM06
+//   - GDPR, HIPAA (depending on data classification)
+//
+// Category:  data-protection
 // Namespace: AIGateway
 // =============================================================================
 
-// Block requests with PII detected
-@id("data-block-pii")
-@name("Block PII in requests")
-@description("Block any AI Gateway operation when PII is detected in the content")
+@id("data-protection.block-pii")
+@name("Block PII in prompts")
+@description("Blocks process_prompt when pii_detected is true.")
 @severity("high")
-@tags("pii,data-protection,owasp-llm06,dlp")
-@reject_message("Request was blocked because personally identifiable information (PII) was detected. Remove sensitive data before retrying.")
+@tags("category:data-protection,threat:pii,detection:rule,surface:process-prompt,owasp:llm06")
+@reject_message("Prompt blocked: personally identifiable information was detected — remove sensitive data and retry.")
 forbid (
     principal,
     action == AIGateway::Action::"process_prompt",
@@ -24,29 +33,27 @@ when {
     context has pii_detected && context.pii_detected == true
 };
 
-// Block requests with secrets/credentials
-@id("data-block-secrets")
-@name("Block secrets in requests")
-@description("Block any AI Gateway operation when secrets or credentials are detected")
+@id("data-protection.block-secrets")
+@name("Block secrets in prompts")
+@description("Blocks process_prompt when secrets_detected is true.")
 @severity("critical")
-@tags("secrets,data-protection,credentials,dlp")
-@reject_message("Request was blocked because secrets or credentials were detected in the content. Remove sensitive credentials before retrying.")
+@tags("category:data-protection,threat:secrets,detection:rule,surface:process-prompt")
+@reject_message("Prompt blocked: secrets or credentials were detected — remove sensitive data and retry.")
 forbid (
     principal,
     action == AIGateway::Action::"process_prompt",
     resource
 )
 when {
-    context has contains_secrets && context.contains_secrets == true
+    context has secrets_detected && context.secrets_detected == true
 };
 
-// Block MCP tool calls with PII
-@id("data-block-pii-tools")
+@id("data-protection.block-pii-tools")
 @name("Block PII in tool calls")
-@description("Block MCP tool execution when PII is detected in tool arguments")
+@description("Blocks call_tool when pii_detected is true.")
 @severity("high")
-@tags("pii,tools,data-protection,dlp")
-@reject_message("Tool call was blocked because PII was detected in the arguments.")
+@tags("category:data-protection,threat:pii,detection:rule,surface:call-tool,owasp:llm06")
+@reject_message("Tool execution blocked: personally identifiable information was detected in tool arguments.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
@@ -56,29 +63,27 @@ when {
     context has pii_detected && context.pii_detected == true
 };
 
-// Block MCP tool calls with secrets
-@id("data-block-secrets-tools")
+@id("data-protection.block-secrets-tools")
 @name("Block secrets in tool calls")
-@description("Block MCP tool execution when secrets or credentials are detected")
+@description("Blocks call_tool when secrets_detected is true.")
 @severity("critical")
-@tags("secrets,tools,data-protection,dlp")
-@reject_message("Tool call was blocked because secrets were detected in the arguments.")
+@tags("category:data-protection,threat:secrets,detection:rule,surface:call-tool")
+@reject_message("Tool execution blocked: secrets or credentials were detected in tool arguments.")
 forbid (
     principal,
     action == AIGateway::Action::"call_tool",
     resource
 )
 when {
-    context has contains_secrets && context.contains_secrets == true
+    context has secrets_detected && context.secrets_detected == true
 };
 
-// Block bulk PII exposure (3+ PII matches)
-@id("data-block-bulk-pii")
+@id("data-protection.block-pii-bulk")
 @name("Block bulk PII exposure")
-@description("Block operations with 3 or more PII matches -- indicates data dump or exfiltration attempt")
+@description("Blocks any action when pii_count >= 3.")
 @severity("critical")
-@tags("pii,bulk,data-protection,exfiltration")
-@reject_message("Request was blocked because multiple PII matches were detected, indicating potential data exfiltration.")
+@tags("category:data-protection,threat:exfiltration,detection:aggregate,posture:catch-all")
+@reject_message("Request blocked: multiple PII matches were detected — possible data exfiltration.")
 forbid (
     principal,
     action,

package/_schemas/ai_gateway/templates/templates.json

@@ -1,117 +1,119 @@
 {
   "service": "ai_gateway",
-  "version": "2.0.0",
-  "description": "AIGateway policy templates for MCP + LLM gateway security",
+  "version": "2.1.0",
+  "description": "AI Gateway policy templates for MCP + LLM gateway security",
   "categories": [
     {
       "id": "semantic",
       "name": "Semantic Threat Detection",
-      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats"
+      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats."
     },
     {
       "id": "tools",
       "name": "Tool Permissioning",
-      "description": "Control access to MCP tools, enforce risk scoring, and manage per-tool permissions"
+      "description": "Control access to MCP tools, enforce risk scoring, and manage per-tool permissions."
     },
     {
-      "id": "agent_security",
+      "id": "agent-security",
       "name": "Agent Security",
-      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats"
+      "description": "Detect tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats."
     },
     {
-      "id": "data_protection",
+      "id": "data-protection",
       "name": "Data Protection",
-      "description": "Prevent secrets and PII leakage in LLM chat completions and MCP operations"
-    },
-    {
-      "id": "content_safety",
-      "name": "Content Safety",
-      "description": "Enforce content moderation score thresholds on LLM prompts and MCP content"
+      "description": "Prevent secrets and PII leakage in LLM chat completions and MCP operations."
     },
     {
       "id": "organization",
-      "name": "Organization Rules",
-      "description": "Apply organization-wide policy baselines for AI gateway operations"
+      "name": "Organization",
+      "description": "Organization-wide baselines and default permit policies."
     }
   ],
   "defaults": [
     {
-      "id": "baseline-default",
+      "id": "organization.permit-baseline",
       "name": "Baseline Permit",
-      "description": "Permits all actions by default -- threat-specific forbid policies override this when threats are detected",
+      "description": "Permits all actions by default; threat-specific forbid policies override this when detectors fire.",
       "category": "organization",
       "file": "defaults/baseline.cedar",
       "severity": "low",
-      "tags": ["baseline", "permit-default", "organization"],
+      "tags": ["category:organization", "posture:permit-default"],
       "is_active": true
+    }
+  ],
+  "templates": [
+    {
+      "id": "organization.permit-baseline",
+      "name": "Baseline Permit",
+      "description": "Permits all actions by default; threat-specific forbid policies override this when detectors fire.",
+      "category": "organization",
+      "file": "defaults/baseline.cedar",
+      "severity": "low",
+      "tags": ["category:organization", "posture:permit-default"],
+      "auto_deploy": true
     },
     {
-      "id": "semantic-default",
+      "id": "semantic.defaults",
       "name": "Semantic Threat Detection",
-      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity threats in MCP tool calls and LLM prompts",
+      "description": "Block prompt injection, jailbreak attempts, and high-severity threats in MCP tool calls and LLM prompts.",
       "category": "semantic",
       "file": "defaults/semantic.cedar",
       "severity": "critical",
-      "tags": ["prompt-injection", "jailbreak", "owasp-llm01", "owasp-llm02", "security", "baseline"],
-      "is_active": true
+      "tags": ["category:semantic", "threat:injection", "threat:jailbreak", "owasp:llm01", "owasp:llm02"]
     },
     {
-      "id": "tools-default",
+      "id": "tools.defaults",
       "name": "Tool Permissioning",
-      "description": "Enforce tool risk scoring, block dangerous tools, and detect command injection in MCP tool arguments",
+      "description": "Enforce tool risk scoring, block dangerous tools, and detect command injection in MCP tool arguments.",
       "category": "tools",
       "file": "defaults/tools.cedar",
       "severity": "critical",
-      "tags": ["tool-risk", "command-injection", "owasp-llm06", "owasp-asi02", "baseline"],
-      "is_active": true
+      "tags": ["category:tools", "threat:command-injection", "owasp:llm06", "owasp:asi02"]
     },
     {
-      "id": "agent-security-default",
+      "id": "agent-security.defaults",
       "name": "Agent Security",
-      "description": "Detect and block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats",
-      "category": "agent_security",
+      "description": "Block tool poisoning, rug pull attacks, indirect prompt injection, and MCP supply chain threats.",
+      "category": "agent-security",
       "file": "defaults/agent_security.cedar",
       "severity": "critical",
-      "tags": ["tool-poisoning", "rug-pull", "indirect-injection", "mcp-security", "owasp-asi01", "owasp-asi04", "baseline"],
-      "is_active": true
-    }
-  ],
-  "templates": [
+      "tags": ["category:agent-security", "threat:tool-poisoning", "threat:rug-pull", "threat:indirect-injection", "threat:supply-chain", "owasp:asi01", "owasp:asi04"]
+    },
     {
-      "id": "tools-mcp-allowlist",
+      "id": "tools.mcp-server-allowlist",
       "name": "MCP Server Allowlist",
-      "description": "Only allow specific MCP servers to be used",
+      "description": "Only allow specific MCP servers to be used; customize the allowlist in the permit rule.",
       "category": "tools",
       "file": "mcp_server_allowlist.cedar",
       "severity": "medium",
-      "tags": ["mcp", "allowlist", "whitelist"]
+      "tags": ["category:tools", "scope:org-wide", "posture:deny-default"]
     },
     {
-      "id": "tools-mcp-tool-permissions",
+      "id": "tools.mcp-tool-permissions",
       "name": "MCP Tool Permissions",
-      "description": "Permit every MCP call_tool by default. Ships two opt-in safety rails (block untrusted/deprecated servers, block unverified servers). Add forbid rules for per-tool or per-server gating.",
+      "description": "Permit MCP call_tool by default plus two safety rails (server exclusion list, block unverified servers); add forbid rules for per-tool gating.",
       "category": "tools",
       "file": "mcp_tool_permissions.cedar",
-      "severity": "low",
-      "tags": ["mcp", "tools", "permit-default", "exclusion"]
+      "severity": "critical",
+      "tags": ["category:tools", "threat:supply-chain", "posture:permit-default"]
     },
     {
-      "id": "data-pii-redaction",
+      "id": "data-protection.pii-redaction",
       "name": "PII & Secrets Redaction",
-      "description": "Block requests containing PII or secrets across LLM prompts and MCP tool calls -- prevents data leakage and credential exposure",
-      "category": "data_protection",
+      "description": "Block requests containing PII or secrets across LLM prompts and MCP tool calls.",
+      "category": "data-protection",
       "file": "pii_redaction.cedar",
-      "severity": "high",
-      "tags": ["pii", "secrets", "data-protection", "dlp", "owasp-llm06"]
+      "severity": "critical",
+      "tags": ["category:data-protection", "threat:pii", "threat:secrets", "threat:exfiltration", "owasp:llm06"]
     },
     {
-      "id": "llm-default-allow",
-      "name": "Default Allow LLM Proxy",
-      "description": "Permit all LLM chat completion requests by default -- deploy alongside threat-specific forbid policies for a default-allow posture",
+      "id": "organization.permit-llm-default",
+      "name": "Permit LLM proxy calls",
+      "description": "Permit all LLM chat completion requests by default; deploy alongside threat-specific forbids for a permit-default posture.",
       "category": "organization",
       "file": "llm_default_allow.cedar",
       "severity": "low",
-      "tags": ["llm", "permit-default", "proxy", "organization"]
+      "tags": ["category:organization", "surface:process-prompt", "posture:permit-default"]
     }
   ]
 }