@sunaiva/gate 1.0.0

package/LICENSE

@@ -0,0 +1,10 @@
+Business Source License 1.1
+
+Licensor: Sunaiva Digital
+Licensed Work: @sunaiva/gate
+Change Date: 2030-05-09 (4 years from publication)
+Change License: Apache License, Version 2.0
+
+Full BUSL 1.1 text: https://mariadb.com/bsl11/
+
+Until the Change Date, use is permitted for non-commercial purposes and internal evaluation. Production use requires a commercial license from Sunaiva Digital.

package/README.md

@@ -0,0 +1,67 @@
+# @sunaiva/gate
+
+**Stop documenting rules your agents ignore. Start enforcing them.**
+
+Sunaiva Gate is an MCP server that enforces validation rules on AI agent actions. 100 battle-tested rules across 9 categories. Constitutional rules that never bend. Audit trail for every decision.
+
+## Install
+
+```bash
+npx @sunaiva/gate
+```
+
+## MCP Configuration
+
+Add to your Claude Code or Cursor MCP settings:
+
+```json
+{
+  "mcpServers": {
+    "sunaiva-gate": {
+      "command": "npx",
+      "args": ["@sunaiva/gate"]
+    }
+  }
+}
+```
+
+## Tools
+
+| Tool | Description |
+|------|-------------|
+| `validate_action` | Check if a proposed action passes all active rules |
+| `log_bypass` | Record an intentional rule bypass (non-constitutional only) |
+| `get_rules` | List active rules, filter by category or preset |
+| `update_rules` | Enable/disable rules (constitutional rules cannot be disabled) |
+| `get_audit_log` | View recent gate decisions |
+
+## Presets
+
+- **minimal** (5 rules) — absolute non-negotiables
+- **essential** (15 rules) — recommended starting point
+- **developer-safety** (25 rules) — for AI coding agents
+- **financial-protection** (24 rules) — all financial + resource rules
+- **full-suite** (100 rules) — everything
+
+## Privacy
+
+Your data stays where you choose:
+- **Managed** — zero config, Gemini Flash included
+- **BYOK** — bring your own API key (Gemini, Claude, OpenRouter)
+- **Local** — Ollama/LM Studio, nothing leaves your machine
+
+## License
+
+**Business Source License 1.1 (BUSL-1.1)**
+
+- Licensor: Sunaiva Digital
+- Change Date: 2030-05-09 (4 years from publication)
+- Change License: Apache License, Version 2.0
+
+Until the Change Date, use is permitted for non-commercial purposes and internal evaluation. Production use requires a commercial license from Sunaiva Digital.
+
+Full BUSL 1.1 text: https://mariadb.com/bsl11/
+
+---
+
+Built by [Sunaiva Digital](https://sunaivadigital.com). Patent-protected validation infrastructure.

package/dist/config/defaults.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Default configuration values for @sunaiva/gate
+ */
+export declare const CONFIG_DIR: string;
+export declare const CONFIG_PATH: string;
+export declare const AUDIT_LOG_PATH: string;
+export declare const DEFAULT_CONFIG: GateConfig;
+export declare const MANAGED_API_BASE = "https://api.sunaiva.ai/v1/gate";
+export interface ModelConfig {
+    provider: "managed" | "gemini" | "anthropic" | "openrouter" | "local";
+    api_key?: string;
+    model_name?: string;
+    endpoint?: string;
+}
+export interface GateConfig {
+    api_key: string;
+    active_rules: string[];
+    active_preset?: string;
+    enforcement_mode: "enforce" | "warn-only" | "audit";
+    model: ModelConfig;
+    audit_log_path: string;
+}
+//# sourceMappingURL=defaults.d.ts.map

package/dist/config/defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../../src/config/defaults.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH,eAAO,MAAM,UAAU,QAA8B,CAAC;AACtD,eAAO,MAAM,WAAW,QAAuC,CAAC;AAChE,eAAO,MAAM,cAAc,QAAkC,CAAC;AAE9D,eAAO,MAAM,cAAc,EAAE,UAe5B,CAAC;AAEF,eAAO,MAAM,gBAAgB,mCAAmC,CAAC;AAEjE,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,SAAS,GAAG,QAAQ,GAAG,WAAW,GAAG,YAAY,GAAG,OAAO,CAAC;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,gBAAgB,EAAE,SAAS,GAAG,WAAW,GAAG,OAAO,CAAC;IACpD,KAAK,EAAE,WAAW,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;CACxB"}

package/dist/config/defaults.js

@@ -0,0 +1,26 @@
+/**
+ * Default configuration values for @sunaiva/gate
+ */
+import { homedir } from "os";
+import { join } from "path";
+export const CONFIG_DIR = join(homedir(), ".sunaiva");
+export const CONFIG_PATH = join(CONFIG_DIR, "gate-config.json");
+export const AUDIT_LOG_PATH = join(CONFIG_DIR, "audit.jsonl");
+export const DEFAULT_CONFIG = {
+    api_key: "",
+    active_rules: [
+        "fin-001",
+        "gov-001",
+        "gov-002",
+        "dat-001",
+        "gov-008",
+    ],
+    active_preset: "minimal",
+    enforcement_mode: "enforce",
+    model: {
+        provider: "managed",
+    },
+    audit_log_path: AUDIT_LOG_PATH,
+};
+export const MANAGED_API_BASE = "https://api.sunaiva.ai/v1/gate";
+//# sourceMappingURL=defaults.js.map

package/dist/config/defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.js","sourceRoot":"","sources":["../../src/config/defaults.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,MAAM,CAAC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;AACtD,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAAC,CAAC;AAChE,MAAM,CAAC,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;AAE9D,MAAM,CAAC,MAAM,cAAc,GAAe;IACxC,OAAO,EAAE,EAAE;IACX,YAAY,EAAE;QACZ,SAAS;QACT,SAAS;QACT,SAAS;QACT,SAAS;QACT,SAAS;KACV;IACD,aAAa,EAAE,SAAS;IACxB,gBAAgB,EAAE,SAAS;IAC3B,KAAK,EAAE;QACL,QAAQ,EAAE,SAAS;KACpB;IACD,cAAc,EAAE,cAAc;CAC/B,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAG,gCAAgC,CAAC"}

package/dist/config/loader.d.ts

@@ -0,0 +1,5 @@
+import { type GateConfig } from "./defaults.js";
+export declare function getConfig(): GateConfig;
+export declare function saveConfig(cfg: GateConfig): void;
+export declare function getActiveRuleIds(): string[];
+//# sourceMappingURL=loader.d.ts.map

package/dist/config/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AACA,OAAO,EAA2C,KAAK,UAAU,EAAE,MAAM,eAAe,CAAC;AAEzF,wBAAgB,SAAS,IAAI,UAAU,CAMtC;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI,CAGhD;AAED,wBAAgB,gBAAgB,IAAI,MAAM,EAAE,CAE3C"}

package/dist/config/loader.js

@@ -0,0 +1,19 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from "node:fs";
+import { CONFIG_DIR, CONFIG_PATH, DEFAULT_CONFIG } from "./defaults.js";
+export function getConfig() {
+    try {
+        if (existsSync(CONFIG_PATH))
+            return JSON.parse(readFileSync(CONFIG_PATH, "utf-8"));
+    }
+    catch { }
+    saveConfig(DEFAULT_CONFIG);
+    return { ...DEFAULT_CONFIG };
+}
+export function saveConfig(cfg) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+    writeFileSync(CONFIG_PATH, JSON.stringify(cfg, null, 2), { mode: 0o600 });
+}
+export function getActiveRuleIds() {
+    return getConfig().active_rules;
+}
+//# sourceMappingURL=loader.js.map

package/dist/config/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAmB,MAAM,eAAe,CAAC;AAEzF,MAAM,UAAU,SAAS;IACvB,IAAI,CAAC;QACH,IAAI,UAAU,CAAC,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;IACrF,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,UAAU,CAAC,cAAc,CAAC,CAAC;IAC3B,OAAO,EAAE,GAAG,cAAc,EAAE,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,GAAe;IACxC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACxD,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,OAAO,SAAS,EAAE,CAAC,YAAY,CAAC;AAClC,CAAC"}

package/dist/engine/pattern-matcher.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Pattern Matcher — local regex/keyword matching for rule detection_pattern fields.
+ * No API call. Runs entirely in-process.
+ */
+export interface MatchResult {
+    matched: boolean;
+    matched_keywords: string[];
+    confidence: "high" | "medium" | "low";
+}
+/**
+ * Extract keyword phrases from a human-readable detection_pattern string.
+ * The pattern field is prose like:
+ *   "Detects: Stripe charges, PayPal payments, checkout URLs, credit card forms..."
+ */
+export declare function parseDetectionPattern(detectionPattern: string): string[];
+/**
+ * Match an action description against a rule's detection_pattern string.
+ *
+ * @param action      The proposed action text from the agent
+ * @param detectionPattern  The rule's detection_pattern field
+ * @returns MatchResult
+ */
+export declare function matchAction(action: string, detectionPattern: string): MatchResult;
+/**
+ * Match an action against multiple rules' detection patterns in one pass.
+ * Returns a map of ruleId -> MatchResult.
+ */
+export declare function matchAgainstRules(action: string, rules: Array<{
+    id: string;
+    detection_pattern: string;
+}>): Map<string, MatchResult>;
+//# sourceMappingURL=pattern-matcher.d.ts.map

package/dist/engine/pattern-matcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pattern-matcher.d.ts","sourceRoot":"","sources":["../../src/engine/pattern-matcher.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACvC;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,gBAAgB,EAAE,MAAM,GAAG,MAAM,EAAE,CAexE;AAeD;;;;;;GAMG;AACH,wBAAgB,WAAW,CACzB,MAAM,EAAE,MAAM,EACd,gBAAgB,EAAE,MAAM,GACvB,WAAW,CAwBb;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,iBAAiB,EAAE,MAAM,CAAA;CAAE,CAAC,GACtD,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAM1B"}

package/dist/engine/pattern-matcher.js

@@ -0,0 +1,75 @@
+/**
+ * Pattern Matcher — local regex/keyword matching for rule detection_pattern fields.
+ * No API call. Runs entirely in-process.
+ */
+/**
+ * Extract keyword phrases from a human-readable detection_pattern string.
+ * The pattern field is prose like:
+ *   "Detects: Stripe charges, PayPal payments, checkout URLs, credit card forms..."
+ */
+export function parseDetectionPattern(detectionPattern) {
+    // Strip "Detects:" prefix if present
+    const cleaned = detectionPattern.replace(/^Detects:\s*/i, "");
+    // Split on commas, newlines, semicolons
+    const fragments = cleaned.split(/[,;\n]+/);
+    const keywords = [];
+    for (const fragment of fragments) {
+        const trimmed = fragment.trim().toLowerCase();
+        if (trimmed.length > 2) {
+            keywords.push(trimmed);
+        }
+    }
+    return keywords;
+}
+/**
+ * Build regex patterns from a list of keyword phrases.
+ * Each phrase becomes a word-boundary regex.
+ */
+function buildPatterns(keywords) {
+    return keywords.map((kw) => {
+        // Escape special regex characters
+        const escaped = kw.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        // Allow word boundary or start/end of string matching
+        return new RegExp(escaped, "i");
+    });
+}
+/**
+ * Match an action description against a rule's detection_pattern string.
+ *
+ * @param action      The proposed action text from the agent
+ * @param detectionPattern  The rule's detection_pattern field
+ * @returns MatchResult
+ */
+export function matchAction(action, detectionPattern) {
+    const keywords = parseDetectionPattern(detectionPattern);
+    const patterns = buildPatterns(keywords);
+    const actionLower = action.toLowerCase();
+    const matchedKeywords = [];
+    for (let i = 0; i < patterns.length; i++) {
+        if (patterns[i].test(actionLower)) {
+            matchedKeywords.push(keywords[i]);
+        }
+    }
+    const matched = matchedKeywords.length > 0;
+    // Confidence based on how many distinct signals match
+    let confidence = "low";
+    if (matchedKeywords.length >= 3) {
+        confidence = "high";
+    }
+    else if (matchedKeywords.length >= 1) {
+        confidence = "medium";
+    }
+    return { matched, matched_keywords: matchedKeywords, confidence };
+}
+/**
+ * Match an action against multiple rules' detection patterns in one pass.
+ * Returns a map of ruleId -> MatchResult.
+ */
+export function matchAgainstRules(action, rules) {
+    const results = new Map();
+    for (const rule of rules) {
+        results.set(rule.id, matchAction(action, rule.detection_pattern));
+    }
+    return results;
+}
+//# sourceMappingURL=pattern-matcher.js.map

package/dist/engine/pattern-matcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pattern-matcher.js","sourceRoot":"","sources":["../../src/engine/pattern-matcher.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAQH;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,gBAAwB;IAC5D,qCAAqC;IACrC,MAAM,OAAO,GAAG,gBAAgB,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC;IAE9D,wCAAwC;IACxC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAE3C,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC9C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,QAAkB;IACvC,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;QACzB,kCAAkC;QAClC,MAAM,OAAO,GAAG,EAAE,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;QAC1D,sDAAsD;QACtD,OAAO,IAAI,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CACzB,MAAc,EACd,gBAAwB;IAExB,MAAM,QAAQ,GAAG,qBAAqB,CAAC,gBAAgB,CAAC,CAAC;IACzD,MAAM,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAEzC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IACzC,MAAM,eAAe,GAAa,EAAE,CAAC;IAErC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,IAAI,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAClC,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC;IAE3C,sDAAsD;IACtD,IAAI,UAAU,GAA8B,KAAK,CAAC;IAClD,IAAI,eAAe,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAChC,UAAU,GAAG,MAAM,CAAC;IACtB,CAAC;SAAM,IAAI,eAAe,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACvC,UAAU,GAAG,QAAQ,CAAC;IACxB,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,UAAU,EAAE,CAAC;AACpE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAC/B,MAAc,EACd,KAAuD;IAEvD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC/C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/engine/rule-engine.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Rule Engine — loads rules.json, filters active rules, evaluates actions.
+ */
+import type { GateConfig } from "../config/defaults.js";
+export interface Rule {
+    id: string;
+    name: string;
+    description: string;
+    category: string;
+    enforcement: "constitutional" | "standard";
+    gate_type: string;
+    severity: "block" | "warn";
+    detection_pattern: string;
+    tags: string[];
+    preset_groups: string[];
+}
+export interface EvaluationResult {
+    allowed: boolean;
+    violations: Rule[];
+    warnings: Rule[];
+}
+export declare function loadAllRules(): Rule[];
+export declare function getActiveRules(config: GateConfig): Rule[];
+export declare function evaluateAction(action: string, config: GateConfig, warningCounts: Map<string, number>, context?: string): EvaluationResult;
+//# sourceMappingURL=rule-engine.d.ts.map

package/dist/engine/rule-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rule-engine.d.ts","sourceRoot":"","sources":["../../src/engine/rule-engine.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,gBAAgB,GAAG,UAAU,CAAC;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,OAAO,GAAG,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,aAAa,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,IAAI,EAAE,CAAC;IACnB,QAAQ,EAAE,IAAI,EAAE,CAAC;CAClB;AAID,wBAAgB,YAAY,IAAI,IAAI,EAAE,CAKrC;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,GAAG,IAAI,EAAE,CAGzD;AAED,wBAAgB,cAAc,CAC5B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,UAAU,EAClB,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EAClC,OAAO,CAAC,EAAE,MAAM,GACf,gBAAgB,CA+BlB"}

package/dist/engine/rule-engine.js

@@ -0,0 +1,56 @@
+/**
+ * Rule Engine — loads rules.json, filters active rules, evaluates actions.
+ */
+import { readFileSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+import { matchAction } from "./pattern-matcher.js";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+// In dist, rules are in ../rules/ (relative to dist/engine/). In dev, ../../rules/.
+const RULES_PATH = join(__dirname, "../rules/rules.json");
+let _rules = null;
+export function loadAllRules() {
+    if (_rules)
+        return _rules;
+    const raw = readFileSync(RULES_PATH, "utf-8");
+    _rules = JSON.parse(raw);
+    return _rules;
+}
+export function getActiveRules(config) {
+    const all = loadAllRules();
+    return all.filter((r) => config.active_rules.includes(r.id));
+}
+export function evaluateAction(action, config, warningCounts, context) {
+    const activeRules = getActiveRules(config);
+    const combined = context ? `${action} ${context}` : action;
+    const violations = [];
+    const warnings = [];
+    for (const rule of activeRules) {
+        const result = matchAction(combined, rule.detection_pattern);
+        if (!result.matched)
+            continue;
+        if (rule.enforcement === "constitutional") {
+            // Constitutional rules always block
+            violations.push(rule);
+        }
+        else {
+            // Standard rules: warn first time, block on repeat
+            const count = warningCounts.get(rule.id) ?? 0;
+            if (config.enforcement_mode === "warn-only") {
+                warnings.push(rule);
+            }
+            else if (config.enforcement_mode === "audit") {
+                warnings.push(rule);
+            }
+            else if (count === 0) {
+                warnings.push(rule);
+            }
+            else {
+                violations.push(rule);
+            }
+        }
+    }
+    const allowed = violations.length === 0;
+    return { allowed, violations, warnings };
+}
+//# sourceMappingURL=rule-engine.js.map

package/dist/engine/rule-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rule-engine.js","sourceRoot":"","sources":["../../src/engine/rule-engine.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,KAAK,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGnD,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAC1D,oFAAoF;AACpF,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,EAAE,qBAAqB,CAAC,CAAC;AAqB1D,IAAI,MAAM,GAAkB,IAAI,CAAC;AAEjC,MAAM,UAAU,YAAY;IAC1B,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC9C,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAW,CAAC;IACnC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAkB;IAC/C,MAAM,GAAG,GAAG,YAAY,EAAE,CAAC;IAC3B,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,MAAc,EACd,MAAkB,EAClB,aAAkC,EAClC,OAAgB;IAEhB,MAAM,WAAW,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;IAE3D,MAAM,UAAU,GAAW,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAW,EAAE,CAAC;IAE5B,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAC7D,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,SAAS;QAE9B,IAAI,IAAI,CAAC,WAAW,KAAK,gBAAgB,EAAE,CAAC;YAC1C,oCAAoC;YACpC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxB,CAAC;aAAM,CAAC;YACN,mDAAmD;YACnD,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAC9C,IAAI,MAAM,CAAC,gBAAgB,KAAK,WAAW,EAAE,CAAC;gBAC5C,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;iBAAM,IAAI,MAAM,CAAC,gBAAgB,KAAK,OAAO,EAAE,CAAC;gBAC/C,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;iBAAM,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC;IACxC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AAC3C,CAAC"}

package/dist/engine/session-state.d.ts

@@ -0,0 +1,14 @@
+interface SessionState {
+    session_start: string;
+    action_count: number;
+    warnings_issued: Record<string, number>;
+}
+export declare function getState(): SessionState;
+export declare function saveState(s: SessionState): void;
+export declare function recordWarning(ruleId: string): number;
+export declare function getWarningCount(ruleId: string): number;
+export declare function getWarningCounts(): Map<string, number>;
+export declare function incrementAction(): void;
+export declare function resetState(): void;
+export {};
+//# sourceMappingURL=session-state.d.ts.map

package/dist/engine/session-state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-state.d.ts","sourceRoot":"","sources":["../../src/engine/session-state.ts"],"names":[],"mappings":"AAIA,UAAU,YAAY;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACzC;AAMD,wBAAgB,QAAQ,IAAI,YAAY,CAGvC;AAED,wBAAgB,SAAS,CAAC,CAAC,EAAE,YAAY,GAAG,IAAI,CAE/C;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAKpD;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAEtD;AAED,wBAAgB,gBAAgB,IAAI,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAGtD;AAED,wBAAgB,eAAe,IAAI,IAAI,CAItC;AAED,wBAAgB,UAAU,IAAI,IAAI,CAEjC"}

package/dist/engine/session-state.js

@@ -0,0 +1,38 @@
+import { readFileSync, writeFileSync } from "node:fs";
+const STATE_FILE = "/tmp/sunaiva_gate_session.json";
+function defaultState() {
+    return { session_start: new Date().toISOString(), action_count: 0, warnings_issued: {} };
+}
+export function getState() {
+    try {
+        return JSON.parse(readFileSync(STATE_FILE, "utf-8"));
+    }
+    catch {
+        return defaultState();
+    }
+}
+export function saveState(s) {
+    writeFileSync(STATE_FILE, JSON.stringify(s, null, 2));
+}
+export function recordWarning(ruleId) {
+    const s = getState();
+    s.warnings_issued[ruleId] = (s.warnings_issued[ruleId] || 0) + 1;
+    saveState(s);
+    return s.warnings_issued[ruleId];
+}
+export function getWarningCount(ruleId) {
+    return getState().warnings_issued[ruleId] || 0;
+}
+export function getWarningCounts() {
+    const s = getState();
+    return new Map(Object.entries(s.warnings_issued));
+}
+export function incrementAction() {
+    const s = getState();
+    s.action_count++;
+    saveState(s);
+}
+export function resetState() {
+    saveState(defaultState());
+}
+//# sourceMappingURL=session-state.js.map

package/dist/engine/session-state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-state.js","sourceRoot":"","sources":["../../src/engine/session-state.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAEtD,MAAM,UAAU,GAAG,gCAAgC,CAAC;AAQpD,SAAS,YAAY;IACnB,OAAO,EAAE,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,YAAY,EAAE,CAAC,EAAE,eAAe,EAAE,EAAE,EAAE,CAAC;AAC3F,CAAC;AAED,MAAM,UAAU,QAAQ;IACtB,IAAI,CAAC;QAAC,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IAAC,CAAC;IAC7D,MAAM,CAAC;QAAC,OAAO,YAAY,EAAE,CAAC;IAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,CAAe;IACvC,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc;IAC1C,MAAM,CAAC,GAAG,QAAQ,EAAE,CAAC;IACrB,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACjE,SAAS,CAAC,CAAC,CAAC,CAAC;IACb,OAAO,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,MAAc;IAC5C,OAAO,QAAQ,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,MAAM,CAAC,GAAG,QAAQ,EAAE,CAAC;IACrB,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,eAAe;IAC7B,MAAM,CAAC,GAAG,QAAQ,EAAE,CAAC;IACrB,CAAC,CAAC,YAAY,EAAE,CAAC;IACjB,SAAS,CAAC,CAAC,CAAC,CAAC;AACf,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;AAC5B,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":""}

package/dist/index.js

@@ -0,0 +1,61 @@
+#!/usr/bin/env node
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
+import { handleValidateAction } from "./tools/validate.js";
+import { handleLogBypass } from "./tools/bypass.js";
+import { handleGetRules } from "./tools/rules.js";
+import { handleUpdateRules } from "./tools/update.js";
+import { handleGetAuditLog } from "./tools/audit.js";
+const server = new Server({ name: "sunaiva-gate", version: "1.0.0" }, { capabilities: { tools: {} } });
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: [
+        {
+            name: "validate_action",
+            description: "Check if a proposed action passes all active validation rules. Returns allowed/blocked with rule violations.",
+            inputSchema: { type: "object", properties: { action: { type: "string", description: "The action to validate" }, context: { type: "string", description: "Optional additional context" } }, required: ["action"] },
+        },
+        {
+            name: "log_bypass",
+            description: "Record an intentional rule bypass with justification. Cannot bypass constitutional rules.",
+            inputSchema: { type: "object", properties: { rule_id: { type: "string", description: "ID of the rule to bypass" }, reason: { type: "string", description: "Justification for the bypass" } }, required: ["rule_id", "reason"] },
+        },
+        {
+            name: "get_rules",
+            description: "List active validation rules, optionally filtered by category or preset.",
+            inputSchema: { type: "object", properties: { category: { type: "string", description: "Filter by category" }, preset: { type: "string", description: "Filter by preset name" } } },
+        },
+        {
+            name: "update_rules",
+            description: "Enable or disable validation rules. Constitutional rules cannot be disabled.",
+            inputSchema: { type: "object", properties: { enable: { type: "array", items: { type: "string" }, description: "Rule IDs to enable" }, disable: { type: "array", items: { type: "string" }, description: "Rule IDs to disable" } } },
+        },
+        {
+            name: "get_audit_log",
+            description: "View recent gate decisions — blocks, warnings, passes, and bypasses.",
+            inputSchema: { type: "object", properties: { limit: { type: "number", description: "Max entries to return (default 50)" }, rule_id: { type: "string", description: "Filter by rule ID" } } },
+        },
+    ],
+}));
+server.setRequestHandler(CallToolRequestSchema, async (req) => {
+    const { name, arguments: args } = req.params;
+    try {
+        switch (name) {
+            case "validate_action": return await handleValidateAction(args);
+            case "log_bypass": return await handleLogBypass(args);
+            case "get_rules": return await handleGetRules(args);
+            case "update_rules": return await handleUpdateRules(args);
+            case "get_audit_log": return await handleGetAuditLog(args);
+            default: return { content: [{ type: "text", text: `Unknown tool: ${name}` }] };
+        }
+    }
+    catch (err) {
+        return { content: [{ type: "text", text: `Error: ${err instanceof Error ? err.message : String(err)}` }] };
+    }
+});
+async function main() {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}
+main().catch(console.error);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,oCAAoC,CAAC;AACnG,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAErD,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,EAAE,EAC1C,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAChC,CAAC;AAEF,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;IAC5D,KAAK,EAAE;QACL;YACE,IAAI,EAAE,iBAAiB;YACvB,WAAW,EAAE,8GAA8G;YAC3H,WAAW,EAAE,EAAE,IAAI,EAAE,QAAiB,EAAE,UAAU,EAAE,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,wBAAwB,EAAE,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,6BAA6B,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,QAAQ,CAAC,EAAE;SAC3N;QACD;YACE,IAAI,EAAE,YAAY;YAClB,WAAW,EAAE,2FAA2F;YACxG,WAAW,EAAE,EAAE,IAAI,EAAE,QAAiB,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,0BAA0B,EAAE,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,8BAA8B,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,EAAE;SACzO;QACD;YACE,IAAI,EAAE,WAAW;YACjB,WAAW,EAAE,0EAA0E;YACvF,WAAW,EAAE,EAAE,IAAI,EAAE,QAAiB,EAAE,UAAU,EAAE,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,oBAAoB,EAAE,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,uBAAuB,EAAE,EAAE,EAAE;SAC5L;QACD;YACE,IAAI,EAAE,cAAc;YACpB,WAAW,EAAE,8EAA8E;YAC3F,WAAW,EAAE,EAAE,IAAI,EAAE,QAAiB,EAAE,UAAU,EAAE,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,WAAW,EAAE,oBAAoB,EAAE,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,WAAW,EAAE,qBAAqB,EAAE,EAAE,EAAE;SAC7O;QACD;YACE,IAAI,EAAE,eAAe;YACrB,WAAW,EAAE,sEAAsE;YACnF,WAAW,EAAE,EAAE,IAAI,EAAE,QAAiB,EAAE,UAAU,EAAE,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,oCAAoC,EAAE,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,mBAAmB,EAAE,EAAE,EAAE;SACtM;KACF;CACF,CAAC,CAAC,CAAC;AAEJ,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;IAC5D,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC;IAC7C,IAAI,CAAC;QACH,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,iBAAiB,CAAC,CAAC,OAAO,MAAM,oBAAoB,CAAC,IAAW,CAAC,CAAC;YACvE,KAAK,YAAY,CAAC,CAAC,OAAO,MAAM,eAAe,CAAC,IAAW,CAAC,CAAC;YAC7D,KAAK,WAAW,CAAC,CAAC,OAAO,MAAM,cAAc,CAAC,IAAW,CAAC,CAAC;YAC3D,KAAK,cAAc,CAAC,CAAC,OAAO,MAAM,iBAAiB,CAAC,IAAW,CAAC,CAAC;YACjE,KAAK,eAAe,CAAC,CAAC,OAAO,MAAM,iBAAiB,CAAC,IAAW,CAAC,CAAC;YAClE,OAAO,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,iBAAiB,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;QAC1F,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,UAAU,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IACtH,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC"}

package/dist/rules/categories.json

@@ -0,0 +1,83 @@
+[
+  {
+    "id": "financial-safety",
+    "name": "Financial Safety",
+    "icon": "💰",
+    "description": "Prevent unauthorized spending, subscriptions, wire transfers, and financial actions. The category that pays for itself immediately.",
+    "rule_count": 12,
+    "risk_if_skipped": "Unauthorized charges, runaway API costs, accidental subscriptions, fraudulent transfers",
+    "example_incident": "gemini_credit_blaster.py ran 8 days, 35 workers, ~$800 charged — no billing cap"
+  },
+  {
+    "id": "data-protection",
+    "name": "Data Protection",
+    "icon": "🔐",
+    "description": "Prevent credential exposure, PII mishandling, unauthorized data exports, and privacy violations.",
+    "rule_count": 12,
+    "risk_if_skipped": "API key leaks, GDPR violations, customer data exposure, audit trail destruction",
+    "example_incident": "Agent commits .env.production to GitHub — 12 API keys exposed publicly"
+  },
+  {
+    "id": "action-governance",
+    "name": "Action Governance",
+    "icon": "🔒",
+    "description": "Gate destructive, irreversible, and high-impact actions — deployments, deletions, DNS changes, permission changes.",
+    "rule_count": 12,
+    "risk_if_skipped": "Production outages, accidental data deletion, broken infrastructure, unauthorized access grants",
+    "example_incident": "Agent deletes MX record while reconfiguring email routing — all inbound email down for 4 hours"
+  },
+  {
+    "id": "quality-gates",
+    "name": "Quality Gates",
+    "icon": "✅",
+    "description": "Enforce check-before-build, verify-before-claiming-done, test-before-shipping, and scope discipline.",
+    "rule_count": 12,
+    "risk_if_skipped": "Rebuilt code that already existed, unverified claims of completion, ships with failing tests, scope creep",
+    "example_incident": "Agent marks API endpoint 'deployed and working' based on deploy log without calling the live endpoint"
+  },
+  {
+    "id": "communication-safety",
+    "name": "Communication Safety",
+    "icon": "📢",
+    "description": "Gate email sends, social media posts, customer communications, outreach campaigns, and public content.",
+    "rule_count": 12,
+    "risk_if_skipped": "Mass emails with wrong content, brand-damaging social posts, GDPR violations, accidental campaign launches",
+    "example_incident": "Agent activates cold email campaign to 15,000 contacts without go-ahead after completing sequence setup"
+  },
+  {
+    "id": "knowledge-protocol",
+    "name": "Knowledge Protocol",
+    "icon": "📚",
+    "description": "Enforce knowledge-base-first lookups, source attribution, fact verification, and no fabricated statistics.",
+    "rule_count": 12,
+    "risk_if_skipped": "Invented statistics in reports, duplicate builds, outdated data used for decisions, title-only research",
+    "example_incident": "Agent states competitor pricing as fact from training data without checking competitor's current website"
+  },
+  {
+    "id": "resource-protection",
+    "name": "Resource Protection",
+    "icon": "⚡",
+    "description": "Enforce API rate limits, token budgets, storage quotas, concurrency caps, and service usage monitoring.",
+    "rule_count": 12,
+    "risk_if_skipped": "API key suspension, storage overflow, memory leaks, exceeded plan limits with overage charges",
+    "example_incident": "Agent fires 200 parallel Gemini workers against 60 RPM limit — 429 storm, key suspension"
+  },
+  {
+    "id": "security",
+    "name": "Security",
+    "icon": "🛡️",
+    "description": "Prevent secret exposure in logs, privilege escalation, dependency injection, SSRF, and banned provider routing.",
+    "rule_count": 12,
+    "risk_if_skipped": "Credential theft, supply chain compromise, auth bypass, proprietary code leaked to banned AI providers",
+    "example_incident": "Agent routes prompt containing proprietary IP to a DeepSeek endpoint to save costs"
+  },
+  {
+    "id": "compliance",
+    "name": "Compliance",
+    "icon": "⚖️",
+    "description": "EU AI Act Article 15 awareness, GDPR data handling, SOC2 controls, and audit trail maintenance.",
+    "rule_count": 4,
+    "risk_if_skipped": "EU AI Act fines (up to 3% global revenue), GDPR penalties, SOC2 audit failures",
+    "example_incident": "AI-powered CV screening deployed without bias assessment or human review — EU AI Act high-risk violation"
+  }
+]