@sunaiva/gate 1.0.0

package/dist/rules/rules.json

@@ -0,0 +1,2119 @@
+[
+  {
+    "id": "fin-001",
+    "name": "No Unauthorized Purchases",
+    "description": "Block any agent action that initiates a payment, subscription, or purchase without explicit human approval",
+    "category": "financial-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent attempts to subscribe to a $5,000/yr software license on behalf of the user",
+    "example_allowed": "Agent presents purchase options with pricing and asks for human approval before proceeding",
+    "tags": [
+      "money",
+      "safety",
+      "purchases",
+      "subscriptions"
+    ],
+    "preset_groups": [
+      "essential",
+      "financial-protection",
+      "full-suite",
+      "minimal"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "fin-002",
+    "name": "Spending Cap Enforcement",
+    "description": "Reject any agent action that would exceed the configured daily, weekly, or monthly spending limit across all services",
+    "category": "financial-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent triggers 35 parallel Gemini API workers totalling $800 in one week without billing cap",
+    "example_allowed": "Agent estimates API cost before run, confirms it is within budget, then proceeds",
+    "tags": [
+      "money",
+      "budget",
+      "limits",
+      "api-costs"
+    ],
+    "preset_groups": [
+      "essential",
+      "financial-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "fin-003",
+    "name": "Subscription Management Gate",
+    "description": "Require approval before creating, modifying, or cancelling any subscription or recurring billing arrangement",
+    "category": "financial-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent upgrades a free Slack plan to Business+ without user confirmation",
+    "example_allowed": "Agent presents upgrade options and cost impact, waits for explicit approval before clicking upgrade",
+    "tags": [
+      "money",
+      "subscriptions",
+      "recurring"
+    ],
+    "preset_groups": [
+      "financial-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "fin-004",
+    "name": "Crypto Transaction Block",
+    "description": "Block all cryptocurrency transfers, wallet interactions, and token purchases without explicit multi-step human approval",
+    "category": "financial-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent sends 0.5 ETH to a contract address during an automated DeFi strategy",
+    "example_allowed": "Agent prepares transaction details for human review and requires signed confirmation before any transfer",
+    "tags": [
+      "money",
+      "crypto",
+      "blockchain",
+      "transfers"
+    ],
+    "preset_groups": [
+      "financial-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "fin-005",
+    "name": "Invoice Approval Gate",
+    "description": "Flag any outgoing invoice, payment request, or bill generated by an agent for human review before sending",
+    "category": "financial-safety",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent auto-generates and sends a $12,000 invoice to a client with incorrect line items",
+    "example_allowed": "Agent drafts invoice, presents it for review, and sends only after explicit approval",
+    "tags": [
+      "money",
+      "invoices",
+      "billing"
+    ],
+    "preset_groups": [
+      "financial-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "fin-006",
+    "name": "Refund Processing Gate",
+    "description": "Require human approval before issuing any refund, credit, or chargeback on behalf of the user or organisation",
+    "category": "financial-safety",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent issues $800 refund to a customer complaint without verifying the transaction or policy",
+    "example_allowed": "Agent identifies refund eligibility, calculates amount, and presents for human sign-off before executing",
+    "tags": [
+      "money",
+      "refunds",
+      "customer-service"
+    ],
+    "preset_groups": [
+      "financial-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "fin-007",
+    "name": "API Cost Monitoring",
+    "description": "Alert and pause when cumulative API costs across a session exceed a configured threshold",
+    "category": "financial-safety",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn-then-block",
+    "example_blocked": "Agent spawns 50 parallel research workers and racks up $200 in API costs before any check runs",
+    "example_allowed": "Agent estimates total token cost before spawning workers, pauses at 80% of budget, reports to user",
+    "tags": [
+      "money",
+      "api-costs",
+      "monitoring"
+    ],
+    "preset_groups": [
+      "financial-protection",
+      "full-suite",
+      "developer-safety"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "fin-008",
+    "name": "Wire Transfer Block",
+    "description": "Block all bank wire transfers, ACH payments, and SWIFT transactions initiated by any agent",
+    "category": "financial-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent submits ACH payroll file containing $250,000 in transfers after misreading a payroll spreadsheet",
+    "example_allowed": "Agent prepares wire transfer details for human review — no submission occurs without signed approval",
+    "tags": [
+      "money",
+      "banking",
+      "wire-transfer"
+    ],
+    "preset_groups": [
+      "financial-protection",
+      "full-suite",
+      "minimal"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "fin-009",
+    "name": "Ad Spend Gate",
+    "description": "Require approval before launching, modifying, or increasing budgets for any paid advertising campaign",
+    "category": "financial-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent launches a Google Ads campaign with $5,000 daily budget after misinterpreting targeting instructions",
+    "example_allowed": "Agent sets up campaign draft, presents estimated spend, and activates only after explicit budget approval",
+    "tags": [
+      "money",
+      "advertising",
+      "campaigns"
+    ],
+    "preset_groups": [
+      "financial-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "fin-010",
+    "name": "Cloud Infrastructure Cost Cap",
+    "description": "Block provisioning of cloud resources that would exceed monthly cost estimates above a configured ceiling",
+    "category": "financial-safety",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent provisions 20 GPU instances for a training job without estimating the $3,000/day cost first",
+    "example_allowed": "Agent calculates hourly cost for proposed infrastructure, presents estimate, waits for approval before provisioning",
+    "tags": [
+      "money",
+      "cloud",
+      "infrastructure"
+    ],
+    "preset_groups": [
+      "financial-protection",
+      "full-suite",
+      "developer-safety"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "fin-011",
+    "name": "Domain and Hosting Purchase Gate",
+    "description": "Require approval before purchasing domain names, hosting plans, or CDN subscriptions",
+    "category": "financial-safety",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent registers 12 domain variants to protect a brand name and charges $180 without asking",
+    "example_allowed": "Agent presents recommended domains with pricing, waits for approval before registering any",
+    "tags": [
+      "money",
+      "domains",
+      "hosting"
+    ],
+    "preset_groups": [
+      "financial-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "fin-012",
+    "name": "Token and Credit Balance Alert",
+    "description": "Alert when any service credit balance (Telnyx, OpenAI, Twilio, etc.) drops below a configured floor before agent auto-recharges",
+    "category": "financial-safety",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn",
+    "example_blocked": "Agent auto-recharges Telnyx balance by $500 without notifying user when balance drops to $10",
+    "example_allowed": "Agent alerts user when balance drops below threshold, presents recharge options, waits for authorisation",
+    "tags": [
+      "money",
+      "credits",
+      "balance",
+      "monitoring"
+    ],
+    "preset_groups": [
+      "financial-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-001",
+    "name": "No Credential Exposure",
+    "description": "Block any agent action that would write, log, transmit, or display API keys, passwords, tokens, or secrets in plaintext",
+    "category": "data-protection",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent logs full Stripe secret key to a public Cloudflare Worker debug endpoint",
+    "example_allowed": "Agent references credentials by variable name only, uses secret manager references, never logs actual values",
+    "tags": [
+      "security",
+      "credentials",
+      "secrets"
+    ],
+    "preset_groups": [
+      "essential",
+      "developer-safety",
+      "full-suite",
+      "minimal"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-002",
+    "name": "PII Handling Gate",
+    "description": "Require approval before storing, transmitting, or processing personally identifiable information beyond the immediate task scope",
+    "category": "data-protection",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent scrapes contact page and stores 500 visitor email addresses in a public Google Sheet",
+    "example_allowed": "Agent collects only name and email for lead form, stores encrypted in approved database, confirms storage policy before proceeding",
+    "tags": [
+      "privacy",
+      "pii",
+      "gdpr",
+      "data"
+    ],
+    "preset_groups": [
+      "essential",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-003",
+    "name": "File Upload Restriction",
+    "description": "Block agent uploads of sensitive file types (credentials, private keys, financial records) to external services without explicit approval",
+    "category": "data-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent uploads .env.production file containing 12 API keys to a public GitHub repository",
+    "example_allowed": "Agent uploads only processed/anonymised output files to approved destinations, flags any credential-containing files for review",
+    "tags": [
+      "data",
+      "uploads",
+      "files",
+      "security"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-004",
+    "name": "API Key Protection",
+    "description": "Block any agent action that would commit, share, or transmit API keys in code repositories, chat messages, or public endpoints",
+    "category": "data-protection",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent commits hardcoded Stripe secret key directly into index.js before pushing to GitHub",
+    "example_allowed": "Agent uses environment variable references and secret manager calls, never hardcodes values",
+    "tags": [
+      "security",
+      "api-keys",
+      "git",
+      "secrets"
+    ],
+    "preset_groups": [
+      "essential",
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-005",
+    "name": "Database Access Controls",
+    "description": "Block unscoped database queries that could read or modify more records than required for the immediate task",
+    "category": "data-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent runs DELETE FROM users without WHERE clause and wipes entire user table in production",
+    "example_allowed": "Agent runs scoped queries with explicit WHERE conditions, confirms affected row count before executing destructive operations",
+    "tags": [
+      "database",
+      "sql",
+      "data",
+      "safety"
+    ],
+    "preset_groups": [
+      "essential",
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-006",
+    "name": "Data Export Restriction",
+    "description": "Require approval before exporting bulk records, database dumps, or data extracts to external systems or local files",
+    "category": "data-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent exports full customer database as CSV and uploads it to an analysis service without approval",
+    "example_allowed": "Agent exports an anonymised sample (100 rows), confirms purpose and destination before proceeding with full export",
+    "tags": [
+      "data",
+      "exports",
+      "privacy"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-007",
+    "name": "Encryption Requirement",
+    "description": "Block transmission or storage of sensitive data unless encryption (TLS, AES-256, or equivalent) is confirmed active",
+    "category": "data-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent stores customer credit card numbers in a plaintext log file for debugging purposes",
+    "example_allowed": "Agent confirms HTTPS endpoint, verifies SSL certificate, uses encrypted storage before writing sensitive data",
+    "tags": [
+      "security",
+      "encryption",
+      "tls",
+      "data"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-008",
+    "name": "Clipboard Monitoring Block",
+    "description": "Block agent access to clipboard contents unless the user has explicitly granted clipboard read permission for the task",
+    "category": "data-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent reads clipboard silently, extracts password copied by user, and logs it for form-fill purposes",
+    "example_allowed": "Agent requests explicit clipboard permission, explains why it needs the data, and reads only with confirmation",
+    "tags": [
+      "privacy",
+      "clipboard",
+      "browser"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-009",
+    "name": "Third-Party Data Sharing Gate",
+    "description": "Require approval before sending any user data to third-party APIs, analytics platforms, or external services",
+    "category": "data-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent sends full customer profiles to a third-party enrichment API without user knowledge",
+    "example_allowed": "Agent presents data sharing proposal with recipient, purpose, and data fields; proceeds only with approval",
+    "tags": [
+      "privacy",
+      "third-party",
+      "data-sharing"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-010",
+    "name": "Audit Log Integrity",
+    "description": "Block any agent action that would modify, delete, or truncate audit logs, access logs, or activity records",
+    "category": "data-protection",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent deletes application error logs to clean up a server before an audit, removing evidence of prior failures",
+    "example_allowed": "Agent archives old logs to cold storage, preserving integrity, with human approval before any archival",
+    "tags": [
+      "compliance",
+      "audit-logs",
+      "integrity"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-011",
+    "name": "Screen Capture Restriction",
+    "description": "Block agent screenshot or screen recording of any session containing sensitive financial, medical, or personal data",
+    "category": "data-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent screenshots a banking dashboard with account balances visible and sends it to a reporting endpoint",
+    "example_allowed": "Agent captures only approved UI regions with sensitive data masked or excluded from capture area",
+    "tags": [
+      "privacy",
+      "screenshots",
+      "browser"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "dat-012",
+    "name": "Retention Policy Enforcement",
+    "description": "Alert when agent stores data beyond the configured retention window or in unapproved persistent storage locations",
+    "category": "data-protection",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn",
+    "example_blocked": "Agent stores customer chat transcripts indefinitely in an S3 bucket with no lifecycle policy",
+    "example_allowed": "Agent writes data with explicit TTL metadata, confirms storage location is approved, sets deletion schedule",
+    "tags": [
+      "compliance",
+      "retention",
+      "gdpr"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-001",
+    "name": "Production Deployment Gate",
+    "description": "Block any deployment to production environments without explicit human approval as the final gate",
+    "category": "action-governance",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent auto-deploys a breaking change to production at 2am after a failed test suite",
+    "example_allowed": "Agent builds, tests, and stages the release, then presents for human approval before any production promotion",
+    "tags": [
+      "deployment",
+      "production",
+      "safety"
+    ],
+    "preset_groups": [
+      "essential",
+      "developer-safety",
+      "full-suite",
+      "minimal"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-002",
+    "name": "Destructive Action Confirmation",
+    "description": "Require explicit confirmation before any action that deletes, overwrites, or permanently removes data, files, or resources",
+    "category": "action-governance",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent runs git clean -fd to tidy the repo and deletes 3 years of research reports stored in untracked files",
+    "example_allowed": "Agent lists files to be deleted in a dry-run, presents list for approval, only executes after explicit confirmation",
+    "tags": [
+      "safety",
+      "destructive",
+      "files",
+      "data"
+    ],
+    "preset_groups": [
+      "essential",
+      "developer-safety",
+      "full-suite",
+      "minimal"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-003",
+    "name": "Service Restart Approval",
+    "description": "Require approval before restarting, stopping, or killing any production service, daemon, or critical process",
+    "category": "action-governance",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent restarts the payment API during peak trading hours to apply a config change",
+    "example_allowed": "Agent schedules restart for maintenance window, notifies on-call, waits for acknowledgment before executing",
+    "tags": [
+      "operations",
+      "services",
+      "uptime"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-004",
+    "name": "DNS Change Gate",
+    "description": "Block DNS record additions, modifications, or deletions without human approval — DNS changes can cause instant service outages",
+    "category": "action-governance",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent deletes an MX record while reconfiguring email routing, taking down all inbound email for the domain",
+    "example_allowed": "Agent proposes DNS changes with impact analysis, waits for explicit approval, stages changes in preview first",
+    "tags": [
+      "infrastructure",
+      "dns",
+      "operations"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-005",
+    "name": "Permission and Role Modification Gate",
+    "description": "Require approval before adding, modifying, or removing user permissions, IAM roles, or access control entries",
+    "category": "action-governance",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent grants a new team member admin privileges on the production AWS account to simplify onboarding",
+    "example_allowed": "Agent proposes minimum-required role for new member, presents for approval, applies principle of least privilege",
+    "tags": [
+      "security",
+      "permissions",
+      "access-control"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-006",
+    "name": "Account Deletion Block",
+    "description": "Block deletion of user accounts, organisation profiles, or workspace memberships without multi-step human approval",
+    "category": "action-governance",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent deletes a churned customer's account and all associated data, making refund impossible and violating retention policy",
+    "example_allowed": "Agent flags account for review, proposes data export and anonymisation, requires two-step human confirmation before any deletion",
+    "tags": [
+      "accounts",
+      "deletion",
+      "safety"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-007",
+    "name": "Configuration Change Review",
+    "description": "Flag all changes to system configuration files, environment variables, and infrastructure settings for review before applying",
+    "category": "action-governance",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn-then-block",
+    "example_blocked": "Agent modifies CORS configuration in nginx.conf on the production server to fix a local dev issue",
+    "example_allowed": "Agent presents config diff with impact analysis, applies to staging first, waits for confirmation before production",
+    "tags": [
+      "configuration",
+      "infrastructure",
+      "safety"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-008",
+    "name": "Outreach Campaign Send Gate",
+    "description": "Block mass email, SMS, or social outreach campaign sends without explicit go/no-go approval — prevents brand-damaging accidental sends",
+    "category": "action-governance",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent activates a cold email campaign to 15,000 contacts without Kinan's go-ahead after preparing the sequence",
+    "example_allowed": "Agent prepares campaign, shows preview, estimated reach, and cost — waits for explicit 'ship it' before any send",
+    "tags": [
+      "outreach",
+      "email",
+      "safety",
+      "campaigns"
+    ],
+    "preset_groups": [
+      "essential",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-009",
+    "name": "Webhook and Integration Toggle Gate",
+    "description": "Require approval before enabling, disabling, or reconfiguring production webhooks and integrations",
+    "category": "action-governance",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent disables the Stripe payment webhook to debug an issue, silently dropping all payment confirmations for 2 hours",
+    "example_allowed": "Agent proposes webhook change in staging, shows impact on live payment flow, requires sign-off before production change",
+    "tags": [
+      "webhooks",
+      "integrations",
+      "operations"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-010",
+    "name": "Secret Rotation Coordination Gate",
+    "description": "Block uncoordinated API key or secret rotation that could silently break dependent services",
+    "category": "action-governance",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent rotates the Stripe API key but forgets to update 4 services that depend on it, causing payment failures",
+    "example_allowed": "Agent maps all services using the secret, stages the rotation, updates all dependents atomically, then confirms health before completing",
+    "tags": [
+      "security",
+      "secrets",
+      "rotation",
+      "operations"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-011",
+    "name": "Merge and Pull Request Gate",
+    "description": "Block direct merges to protected branches (main, master, production) without a completed review process",
+    "category": "action-governance",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent force-merges a feature branch to main at 11pm to meet a deadline, skipping CI and review",
+    "example_allowed": "Agent opens PR, confirms all status checks pass, requests review, merges only after approval and green CI",
+    "tags": [
+      "git",
+      "code-review",
+      "deployment"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "gov-012",
+    "name": "Infrastructure Teardown Block",
+    "description": "Block destruction or deprovisioning of any live infrastructure resource without explicit confirmation and backup verification",
+    "category": "action-governance",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent runs terraform destroy on the production environment while attempting to recreate a staging environment",
+    "example_allowed": "Agent confirms backup exists, lists resources to be destroyed, receives explicit confirmation before any teardown command",
+    "tags": [
+      "infrastructure",
+      "destruction",
+      "safety"
+    ],
+    "preset_groups": [
+      "essential",
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-001",
+    "name": "Check Existing Before Building",
+    "description": "Block agent from writing new code, scripts, or modules without first auditing what already exists in the codebase",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent writes a 200-line CSV parser from scratch when pandas is already in requirements.txt and a utility exists in utils/",
+    "example_allowed": "Agent searches codebase for existing utilities, finds relevant module, extends it rather than rebuilding from scratch",
+    "tags": [
+      "quality",
+      "codebase",
+      "reuse"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-002",
+    "name": "Verify Before Claiming Done",
+    "description": "Block marking any task complete without running a verifiable check that confirms the output actually works",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "post-action",
+    "severity": "block",
+    "example_blocked": "Agent marks a live API endpoint as 'deployed and working' based on reading the deploy log without actually calling the endpoint",
+    "example_allowed": "Agent deploys, waits for propagation, makes live API call, confirms 200 response with correct payload before marking done",
+    "tags": [
+      "quality",
+      "verification",
+      "testing"
+    ],
+    "preset_groups": [
+      "essential",
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-003",
+    "name": "Test Before Shipping",
+    "description": "Require passing test suite before any code reaches a production or staging environment",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent deploys to Netlify after skipping tests because 'it's just a CSS change'",
+    "example_allowed": "Agent runs full test suite, confirms 0 failures, then proceeds with deployment",
+    "tags": [
+      "quality",
+      "testing",
+      "deployment"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-004",
+    "name": "Read Docs Before Coding",
+    "description": "Require consultation of official documentation or SDK before writing integration code for any external platform",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent writes a custom Stripe payment handler from scratch without reading the Stripe SDK documentation",
+    "example_allowed": "Agent reads Stripe SDK docs, installs official package, follows documented integration patterns",
+    "tags": [
+      "quality",
+      "documentation",
+      "sdk"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-005",
+    "name": "Backup Before Modifying",
+    "description": "Require a verifiable backup before any modification to production data, configuration files, or live system state",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent edits nginx.conf directly without backing up the current working configuration",
+    "example_allowed": "Agent copies current config to nginx.conf.bak, makes changes, confirms backup exists before applying",
+    "tags": [
+      "quality",
+      "backup",
+      "safety"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-006",
+    "name": "Lint Before Committing",
+    "description": "Block git commits that contain linting errors, type errors, or failed pre-commit hook outputs",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent commits with --no-verify to bypass a pre-commit hook that is catching a type error",
+    "example_allowed": "Agent runs linter, fixes all errors, confirms clean output before committing",
+    "tags": [
+      "quality",
+      "linting",
+      "git"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-007",
+    "name": "Measure Before Optimising",
+    "description": "Block premature optimisation efforts without first establishing a performance baseline and identifying the actual bottleneck",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent adds Redis caching to an API endpoint that handles 10 requests/day, adding complexity with no measurable benefit",
+    "example_allowed": "Agent profiles endpoint, identifies slow query consuming 800ms, adds targeted index, confirms improvement with before/after benchmark",
+    "tags": [
+      "quality",
+      "performance",
+      "optimization"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-008",
+    "name": "Dry Run Before Execute",
+    "description": "Run all destructive or bulk operations in dry-run mode first, with output reviewed before live execution",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent runs a database cleanup script that deletes 50,000 rows without previewing which rows match the criteria",
+    "example_allowed": "Agent runs with --dry-run flag, presents row count and sample records, confirms before executing live deletion",
+    "tags": [
+      "quality",
+      "dry-run",
+      "safety"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-009",
+    "name": "Single Responsibility Enforcement",
+    "description": "Flag when a single agent task attempts to modify more than 3 independent modules or systems simultaneously",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent rewrites authentication, updates database schema, modifies frontend components, and changes nginx config all in one task",
+    "example_allowed": "Agent breaks task into discrete stories: (1) schema migration, (2) backend auth, (3) frontend UI — executed sequentially with verification between",
+    "tags": [
+      "quality",
+      "architecture",
+      "scope"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-010",
+    "name": "Regression Test on Every Change",
+    "description": "Require full regression test suite to pass after any modification to shared utilities, core modules, or API contracts",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "post-action",
+    "severity": "block",
+    "example_blocked": "Agent changes the format of a shared date utility function without running tests that 14 other modules depend on",
+    "example_allowed": "Agent modifies shared utility, runs full test suite including all dependent module tests, confirms 0 regressions before merging",
+    "tags": [
+      "quality",
+      "testing",
+      "regression"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-011",
+    "name": "Documentation Update Gate",
+    "description": "Require corresponding documentation updates when adding new public APIs, configuration options, or user-facing features",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "post-action",
+    "severity": "warn",
+    "example_blocked": "Agent adds 3 new API endpoints but does not update the API documentation or OpenAPI spec",
+    "example_allowed": "Agent adds endpoint, updates OpenAPI spec, adds .env.example entry for new variable, updates README",
+    "tags": [
+      "quality",
+      "documentation",
+      "api"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "qlt-012",
+    "name": "Scope Creep Prevention",
+    "description": "Alert when agent task scope expands beyond the original request without explicit approval for the expanded scope",
+    "category": "quality-gates",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn",
+    "example_blocked": "Agent asked to fix a button colour ends up refactoring the entire component library over 3 hours",
+    "example_allowed": "Agent fixes button colour, notes that component library refactor could improve consistency, asks if that scope should be added as a separate task",
+    "tags": [
+      "quality",
+      "scope",
+      "project-management"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-001",
+    "name": "Email Review Gate",
+    "description": "Block sending any external email drafted by an agent without human review of content, recipients, and subject line",
+    "category": "communication-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent sends a follow-up email to 40 prospects with incorrect pricing information attached",
+    "example_allowed": "Agent drafts email, presents for review with recipient list and subject, sends only after explicit approval",
+    "tags": [
+      "email",
+      "communication",
+      "safety"
+    ],
+    "preset_groups": [
+      "essential",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-002",
+    "name": "Social Media Approval Gate",
+    "description": "Block posting, publishing, or scheduling any social media content without human review and approval",
+    "category": "communication-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent posts a draft meme to the company LinkedIn page without review, causing brand damage",
+    "example_allowed": "Agent prepares post with caption, image, and scheduled time — presents for approval before any publication",
+    "tags": [
+      "social-media",
+      "communication",
+      "brand"
+    ],
+    "preset_groups": [
+      "essential",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-003",
+    "name": "Message Sending Limits",
+    "description": "Block bulk messaging (SMS, push, Slack) that exceeds a configured hourly or daily contact limit without approval",
+    "category": "communication-safety",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent sends 5,000 SMS messages to a prospect list overnight, incurring $500 in Twilio costs and spam complaints",
+    "example_allowed": "Agent respects hourly rate limits, presents batch plan for approval, sends in controlled waves with monitoring",
+    "tags": [
+      "messaging",
+      "communication",
+      "rate-limits"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-004",
+    "name": "Public Content Review",
+    "description": "Require human review before publishing any content to a public website, documentation site, or public repository",
+    "category": "communication-safety",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent publishes unfinished product documentation to the public docs site while still in draft state",
+    "example_allowed": "Agent deploys to preview URL, presents content for review, publishes to production only after approval",
+    "tags": [
+      "content",
+      "publishing",
+      "brand"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-005",
+    "name": "Customer Communication Gate",
+    "description": "Block any direct communication to customers, clients, or partners initiated by an agent without human sign-off",
+    "category": "communication-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent sends a billing dispute response email to a customer with incorrect account details",
+    "example_allowed": "Agent drafts response, tags for human review in CRM, sends only after team member approves",
+    "tags": [
+      "customer",
+      "communication",
+      "crm"
+    ],
+    "preset_groups": [
+      "essential",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-006",
+    "name": "Press Release and PR Content Gate",
+    "description": "Block publishing or distributing any press release, media statement, or investor communication without executive approval",
+    "category": "communication-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent distributes a press release with incorrect acquisition details to 500 journalists",
+    "example_allowed": "Agent drafts release, routes to legal and executive review, distributes only after sign-off",
+    "tags": [
+      "pr",
+      "media",
+      "communication"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-007",
+    "name": "Legal Document Send Gate",
+    "description": "Block sending contracts, NDAs, terms of service, or any legally binding documents without qualified human review",
+    "category": "communication-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent sends an NDA with incorrect jurisdiction and missing indemnity clauses to a potential partner",
+    "example_allowed": "Agent generates contract draft from approved template, routes for legal review, sends via DocuSign only after approval",
+    "tags": [
+      "legal",
+      "contracts",
+      "communication"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-008",
+    "name": "Notification Management Rate Limit",
+    "description": "Enforce rate limiting on agent-triggered notifications to prevent notification fatigue and unintended spam",
+    "category": "communication-safety",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn-then-block",
+    "example_blocked": "Agent sends 40 Slack messages in 10 minutes to notify the team of individual task completions",
+    "example_allowed": "Agent batches notifications into digest format, respects per-channel rate limits, sends summary instead of individual alerts",
+    "tags": [
+      "notifications",
+      "rate-limits",
+      "communication"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-009",
+    "name": "Outreach Approval Before Launch",
+    "description": "Require explicit go/no-go approval before activating any cold outreach sequence or automated follow-up campaign",
+    "category": "communication-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent activates a 7-step cold email sequence to 2,000 contacts after completing sequence setup",
+    "example_allowed": "Agent presents sequence, sample email, prospect count, and projected metrics, waits for explicit 'launch it' before activation",
+    "tags": [
+      "outreach",
+      "cold-email",
+      "campaigns"
+    ],
+    "preset_groups": [
+      "essential",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-010",
+    "name": "Review Response Gate",
+    "description": "Require human approval before posting any response to public reviews (Google, Trustpilot, App Store, etc.)",
+    "category": "communication-safety",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent posts a defensive response to a 1-star review that inflames the situation and attracts media attention",
+    "example_allowed": "Agent drafts response, presents to human for tone review, publishes only after approval",
+    "tags": [
+      "reviews",
+      "reputation",
+      "communication"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-011",
+    "name": "Impersonation Block",
+    "description": "Block agent from sending communications that could be interpreted as being from a specific named human without disclosure",
+    "category": "communication-safety",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent sends cold emails as 'John Smith, CEO' without John's knowledge or a disclosure that the message was AI-assisted",
+    "example_allowed": "Agent sends as a named AI assistant, or human reviews and sends from their own account with AI-assisted drafting clearly noted",
+    "tags": [
+      "impersonation",
+      "ethics",
+      "communication"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "com-012",
+    "name": "Internal Broadcast Approval",
+    "description": "Require approval before sending organisation-wide internal communications (all-hands emails, company Slack announcements)",
+    "category": "communication-safety",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent sends a company-wide Slack message announcing a product feature that was not yet approved for public release",
+    "example_allowed": "Agent drafts announcement, routes to team lead for review, posts only after explicit approval",
+    "tags": [
+      "internal",
+      "announcements",
+      "communication"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-001",
+    "name": "Knowledge Base First",
+    "description": "Require agent to check internal knowledge base before performing external web searches or API lookups for factual questions",
+    "category": "knowledge-protocol",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent searches the web for the organisation's own pricing structure instead of reading the internal pricing document",
+    "example_allowed": "Agent checks internal KB first, finds pricing document, uses that data — only goes external for information that is genuinely absent internally",
+    "tags": [
+      "knowledge",
+      "efficiency",
+      "research"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-002",
+    "name": "Source Attribution Required",
+    "description": "Block agent from presenting research findings, statistics, or factual claims without citing the source document or URL",
+    "category": "knowledge-protocol",
+    "enforcement": "standard",
+    "gate_type": "post-action",
+    "severity": "warn",
+    "example_blocked": "Agent states '$51.3B AI cybersecurity market' without citing the market research report it came from",
+    "example_allowed": "Agent cites: 'According to Gemini Deep Research 2026-04-06: $51.3B AI cybersecurity market (source: 36-source analysis)'",
+    "tags": [
+      "knowledge",
+      "attribution",
+      "research"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-003",
+    "name": "Fact Verification Gate",
+    "description": "Block agent from presenting generated content as established fact without a verification step against authoritative sources",
+    "category": "knowledge-protocol",
+    "enforcement": "standard",
+    "gate_type": "post-action",
+    "severity": "warn",
+    "example_blocked": "Agent states a competitor's pricing as definitive fact based solely on LLM training data, without checking the competitor's live website",
+    "example_allowed": "Agent notes claim is from training data, cross-references against competitor's current pricing page, confirms accuracy before reporting",
+    "tags": [
+      "knowledge",
+      "verification",
+      "facts"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-004",
+    "name": "Wiki-First Protocol",
+    "description": "Require agent to query the compiled knowledge wiki or index before falling back to raw document search or external queries",
+    "category": "knowledge-protocol",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent searches raw JSONL files for entity information when wiki/index.md exists with compiled cross-linked pages",
+    "example_allowed": "Agent reads wiki/index.md, finds relevant page, follows [[backlinks]], only falls back to raw search when wiki lookup returns nothing",
+    "tags": [
+      "knowledge",
+      "wiki",
+      "efficiency"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-005",
+    "name": "Research Before Deciding",
+    "description": "Require a documented research step before recommending a technical architecture, vendor, or strategic approach",
+    "category": "knowledge-protocol",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent recommends a specific database without researching alternatives suitable for the workload",
+    "example_allowed": "Agent produces a 3-option comparison (PostgreSQL vs MongoDB vs DynamoDB), shows decision criteria, then recommends with justification",
+    "tags": [
+      "knowledge",
+      "research",
+      "decision-making"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-006",
+    "name": "Context Verification Before Acting",
+    "description": "Block agent from acting on assumed context — require explicit confirmation of key assumptions before starting complex tasks",
+    "category": "knowledge-protocol",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent interprets 'clean up the database' as 'delete all records older than 30 days' and executes without confirming that interpretation",
+    "example_allowed": "Agent surfaces interpretation: 'I understand this as archiving records >30 days old, not permanent deletion. Confirm?' before proceeding",
+    "tags": [
+      "knowledge",
+      "clarification",
+      "safety"
+    ],
+    "preset_groups": [
+      "essential",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-007",
+    "name": "Prior Implementation Check",
+    "description": "Block starting any new feature implementation without searching for prior attempts, similar implementations, or related code in the codebase",
+    "category": "knowledge-protocol",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent builds a webhook handler from scratch that is 90% identical to one already implemented in another module",
+    "example_allowed": "Agent searches codebase for existing webhook handling patterns, finds similar implementation, adapts it rather than rebuilding",
+    "tags": [
+      "knowledge",
+      "codebase",
+      "reuse"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-008",
+    "name": "Decision Logging Requirement",
+    "description": "Require agent to log the reasoning behind significant architectural or strategic decisions to a persistent record",
+    "category": "knowledge-protocol",
+    "enforcement": "standard",
+    "gate_type": "post-action",
+    "severity": "warn",
+    "example_blocked": "Agent switches the project from REST to GraphQL without documenting why, leaving the team with no rationale for the change",
+    "example_allowed": "Agent writes brief ADR: 'Chose GraphQL over REST because [reasons]. Alternatives considered: [list]. Reversibility: [assessment]'",
+    "tags": [
+      "knowledge",
+      "decisions",
+      "documentation"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-009",
+    "name": "No Fabricated Statistics",
+    "description": "Block agent from presenting invented numbers, market sizes, or performance statistics as factual claims",
+    "category": "knowledge-protocol",
+    "enforcement": "constitutional",
+    "gate_type": "post-action",
+    "severity": "block",
+    "example_blocked": "Agent writes '73% of users prefer AI receptionists' in a sales document without any survey or research backing",
+    "example_allowed": "Agent presents actual research data with source citation, or clearly labels projections as 'estimated' or 'modelled'",
+    "tags": [
+      "knowledge",
+      "statistics",
+      "integrity"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-010",
+    "name": "Title vs Content Verification",
+    "description": "Require agent to verify claims against source content, not just document titles or headlines — titles are often misleading",
+    "category": "knowledge-protocol",
+    "enforcement": "standard",
+    "gate_type": "post-action",
+    "severity": "warn",
+    "example_blocked": "Agent reports 'competitor has real-time AI video analysis' based on a headline, without reading the article which reveals it is a 2027 roadmap item",
+    "example_allowed": "Agent reads full source content before extracting claims, tags findings as [headline-only] vs [verified-in-body]",
+    "tags": [
+      "knowledge",
+      "verification",
+      "research"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-011",
+    "name": "Knowledge Staleness Alert",
+    "description": "Alert when agent uses knowledge or cached data older than a configured freshness threshold for time-sensitive decisions",
+    "category": "knowledge-protocol",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn",
+    "example_blocked": "Agent uses 8-month-old competitor pricing data to draft a new pricing page without noting the data may be outdated",
+    "example_allowed": "Agent flags: 'Competitor pricing data is from 2025-08. Recommend refreshing before publishing. Proceed with disclaimer?'",
+    "tags": [
+      "knowledge",
+      "freshness",
+      "research"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "know-012",
+    "name": "Extraction Fidelity Standard",
+    "description": "Block lossy knowledge extraction that summarises verbatim scripts, templates, or pricing into vague descriptions",
+    "category": "knowledge-protocol",
+    "enforcement": "standard",
+    "gate_type": "post-action",
+    "severity": "warn",
+    "example_blocked": "Agent extracts a 500-word sales call script as 'agent uses consultative selling method' — all actionable detail lost",
+    "example_allowed": "Agent preserves verbatim script with [verbatim] tag, source attribution, and full tactical detail intact",
+    "tags": [
+      "knowledge",
+      "extraction",
+      "fidelity"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-001",
+    "name": "API Rate Limit Compliance",
+    "description": "Block agent from exceeding documented rate limits for any third-party API, with automatic back-off before retry",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "block",
+    "example_blocked": "Agent fires 200 parallel Gemini requests per minute against a 60 RPM free tier limit, causing 429 storms and API key suspension",
+    "example_allowed": "Agent tracks request count, implements exponential back-off on 429, respects per-tier limits with margin",
+    "tags": [
+      "api",
+      "rate-limits",
+      "reliability"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-002",
+    "name": "Token Budget Enforcement",
+    "description": "Alert and halt when LLM token usage in a session exceeds the configured budget ceiling",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn-then-block",
+    "example_blocked": "Agent loads entire codebase (800K tokens) into context for a minor bug fix that required reading 2 files",
+    "example_allowed": "Agent reads only relevant files, tracks running token count, switches to selective reading when approaching budget",
+    "tags": [
+      "tokens",
+      "llm",
+      "costs",
+      "budget"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-003",
+    "name": "Concurrent Request Limit",
+    "description": "Block spawning more concurrent agent tasks, API calls, or workers than the configured concurrency ceiling",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent spawns 200 parallel research workers to maximise speed, overwhelming the API and incurring $800 in charges",
+    "example_allowed": "Agent caps at configured concurrency limit (e.g. 10 workers), queues remaining tasks, scales up only with explicit approval",
+    "tags": [
+      "concurrency",
+      "workers",
+      "api"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-004",
+    "name": "Storage Quota Enforcement",
+    "description": "Alert when agent-generated data, logs, or cache approaches the configured storage limit for any service or drive",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn",
+    "example_blocked": "Agent generates 200GB of log files on C: drive during a long-running process, crashing the Windows system",
+    "example_allowed": "Agent monitors disk usage, rotates logs when approaching threshold, alerts before critical storage levels",
+    "tags": [
+      "storage",
+      "disk",
+      "monitoring"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-005",
+    "name": "Compute Budget Cap",
+    "description": "Block agent from initiating compute-intensive operations (training runs, batch processing) without a resource and cost estimate first",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent kicks off a model fine-tuning job on 10M records without estimating GPU time or cost",
+    "example_allowed": "Agent estimates compute requirements, presents time and cost estimate, waits for approval before job submission",
+    "tags": [
+      "compute",
+      "ml",
+      "budget"
+    ],
+    "preset_groups": [
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-006",
+    "name": "Bandwidth Awareness Gate",
+    "description": "Flag operations that would consume excessive network bandwidth (large file transfers, bulk downloads) before execution",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent clones a 50GB dataset repository to a laptop on a metered connection without checking available bandwidth",
+    "example_allowed": "Agent checks dataset size, confirms connection type, presents transfer estimate, waits for confirmation before initiating",
+    "tags": [
+      "bandwidth",
+      "network",
+      "data"
+    ],
+    "preset_groups": [
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-007",
+    "name": "Cache Expiry Enforcement",
+    "description": "Block agent from serving stale cached data beyond the configured TTL for time-sensitive operations",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn",
+    "example_blocked": "Agent uses a 48-hour cached exchange rate for a financial calculation when the TTL is configured to 1 hour",
+    "example_allowed": "Agent checks cache age before use, refreshes if expired, serves fresh data for time-sensitive operations",
+    "tags": [
+      "cache",
+      "ttl",
+      "reliability"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-008",
+    "name": "Memory Leak Detection",
+    "description": "Alert when agent processes show continuously growing memory consumption without natural release",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn",
+    "example_blocked": "Agent accumulates conversation history in memory across thousands of sessions without pagination, eventually causing OOM crash",
+    "example_allowed": "Agent implements sliding window for history, monitors process memory, triggers garbage collection when threshold approached",
+    "tags": [
+      "memory",
+      "performance",
+      "reliability"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-009",
+    "name": "Netlify Deploy Budget",
+    "description": "Block Netlify deployments that would exceed the configured monthly deploy allowance, enforcing batch-deploy discipline",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn-then-block",
+    "example_blocked": "Agent deploys after every file save during a long QA session, consuming 40 deploys in one afternoon",
+    "example_allowed": "Agent batches all changes, deploys once per logical unit, uses preview deploys for QA, reserves production deploy slots",
+    "tags": [
+      "deployment",
+      "netlify",
+      "budget"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-010",
+    "name": "Service Usage Cap",
+    "description": "Alert when usage of any third-party service approaches a plan limit that would trigger overage charges",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn",
+    "example_blocked": "Agent uses Firecrawl search repeatedly without tracking credit balance, consuming all 3,000 credits in one session",
+    "example_allowed": "Agent checks remaining credit balance before each operation, switches to alternative (Brave MCP) when credits are low",
+    "tags": [
+      "usage",
+      "billing",
+      "monitoring"
+    ],
+    "preset_groups": [
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-011",
+    "name": "Parallel Worker Guardrail",
+    "description": "Require explicit configuration of a concurrency ceiling before any agent spawns parallel sub-agents or worker processes",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent creates asyncio tasks for every item in a 10,000-row list simultaneously, exhausting memory and file descriptors",
+    "example_allowed": "Agent sets explicit semaphore (Semaphore(10)), processes in bounded batches, monitors system resources during execution",
+    "tags": [
+      "concurrency",
+      "workers",
+      "safety"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "res-012",
+    "name": "External Service Health Check",
+    "description": "Verify dependent external services are healthy before initiating operations that would fail if they are degraded",
+    "category": "resource-protection",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent initiates a 1,000-email send while Sendgrid is experiencing an outage, causing all sends to fail silently",
+    "example_allowed": "Agent checks Sendgrid status page and health endpoint before initiating bulk operation, aborts with clear error if degraded",
+    "tags": [
+      "reliability",
+      "health-checks",
+      "dependencies"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "resource-protection",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-001",
+    "name": "No Exposing Secrets in Logs",
+    "description": "Block any logging operation that would write API keys, passwords, tokens, or secrets to log files or stdout",
+    "category": "security",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent logs the full contents of os.environ to debug a configuration issue, exposing all API keys in plaintext logs",
+    "example_allowed": "Agent logs environment variable names but masks values: 'STRIPE_KEY=sk-***[masked]'",
+    "tags": [
+      "security",
+      "logging",
+      "secrets"
+    ],
+    "preset_groups": [
+      "essential",
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-002",
+    "name": "Code Execution Sandboxing",
+    "description": "Block execution of untrusted code (user-provided, LLM-generated, or scraped) outside of an isolated sandbox environment",
+    "category": "security",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent executes code from a web-scraped code block directly in the production environment without sandboxing",
+    "example_allowed": "Agent runs external code in a containerised environment with no network access and resource limits, presents output for review",
+    "tags": [
+      "security",
+      "code-execution",
+      "sandboxing"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-003",
+    "name": "Dependency Verification",
+    "description": "Block installation of new packages without verifying they are from a trusted source and match expected checksums",
+    "category": "security",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent installs 'python-requests-2' (a typosquatting package) while setting up a new project",
+    "example_allowed": "Agent verifies package is from official PyPI/npm, checks download count and maintainer, confirms checksum before installing",
+    "tags": [
+      "security",
+      "dependencies",
+      "supply-chain"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-004",
+    "name": "Privilege Escalation Block",
+    "description": "Block agent from acquiring elevated permissions beyond what is required for the declared task",
+    "category": "security",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent requests full S3 admin permissions to upload a single file to one bucket",
+    "example_allowed": "Agent requests PutObject permission scoped to the specific bucket and prefix required, nothing more",
+    "tags": [
+      "security",
+      "permissions",
+      "least-privilege"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-005",
+    "name": "Network Access Controls",
+    "description": "Block agent from making outbound network requests to IP ranges or domains outside an approved allowlist",
+    "category": "security",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent makes outbound request to a data exfiltration endpoint while processing a user's confidential document",
+    "example_allowed": "Agent only contacts domains on the approved list, all outbound requests logged with destination and payload summary",
+    "tags": [
+      "security",
+      "network",
+      "access-control"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-006",
+    "name": "Auth System Protection",
+    "description": "Block modifications to authentication configuration, login flows, or session management without security review",
+    "category": "security",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent modifies JWT signing algorithm from RS256 to HS256 to simplify local development, breaking production auth",
+    "example_allowed": "Agent proposes auth change, documents security implications, routes for security review before any implementation",
+    "tags": [
+      "security",
+      "authentication",
+      "jwt"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-007",
+    "name": "Vulnerability Scan Gate",
+    "description": "Require a dependency vulnerability scan before shipping any new application or adding a new package to a production project",
+    "category": "security",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "warn",
+    "example_blocked": "Agent ships a new feature with 3 high-severity CVEs in a newly added npm package",
+    "example_allowed": "Agent runs npm audit, reviews CVEs, resolves high-severity issues, provides clean audit report before deployment",
+    "tags": [
+      "security",
+      "vulnerabilities",
+      "cve"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-008",
+    "name": "Input Sanitisation Enforcement",
+    "description": "Block processing of untrusted external input (user forms, webhooks, scraped data) without sanitisation and validation",
+    "category": "security",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent builds a SQL query directly from a webhook payload field without parameterisation, enabling SQL injection",
+    "example_allowed": "Agent uses parameterised queries, validates webhook payload schema, escapes all external strings before HTML rendering",
+    "tags": [
+      "security",
+      "injection",
+      "sanitisation"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-009",
+    "name": "Audit Logging Mandatory",
+    "description": "Require all significant agent actions (data access, config changes, external API calls) to be written to an append-only audit log",
+    "category": "security",
+    "enforcement": "standard",
+    "gate_type": "post-action",
+    "severity": "warn",
+    "example_blocked": "Agent modifies 500 customer records without writing to the audit log, making it impossible to trace the change later",
+    "example_allowed": "Agent writes structured audit entry before and after each significant action: {timestamp, agent_id, action, affected_records, outcome}",
+    "tags": [
+      "security",
+      "audit",
+      "compliance",
+      "logging"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-010",
+    "name": "No Banned Model Providers",
+    "description": "Block agent from routing requests to providers on the organisation's banned list (e.g. providers with IP leakage concerns)",
+    "category": "security",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent routes a prompt containing proprietary code to a DeepSeek API endpoint to save costs",
+    "example_allowed": "Agent routes all requests through approved providers (Anthropic, Google, OpenRouter with approved models only)",
+    "tags": [
+      "security",
+      "providers",
+      "data-residency"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-011",
+    "name": "Two-Factor Authentication Preservation",
+    "description": "Block any action that would disable, bypass, or remove multi-factor authentication from accounts or services",
+    "category": "security",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent disables 2FA on the production GCP account to simplify a deployment script's authentication flow",
+    "example_allowed": "Agent uses service account keys or workload identity for automation, never touches human account MFA settings",
+    "tags": [
+      "security",
+      "mfa",
+      "authentication"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "sec-012",
+    "name": "SSRF Prevention",
+    "description": "Block agent from making server-side requests to internal network endpoints or metadata services based on external input",
+    "category": "security",
+    "enforcement": "standard",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent fetches a user-supplied URL that redirects to the AWS metadata service endpoint, leaking IAM credentials",
+    "example_allowed": "Agent validates all URLs against allowlist of external domains, rejects private IP ranges and metadata service endpoints",
+    "tags": [
+      "security",
+      "ssrf",
+      "network"
+    ],
+    "preset_groups": [
+      "developer-safety",
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "cmp-001",
+    "name": "EU AI Act Article 15 Awareness",
+    "description": "Alert when an AI system being developed or deployed shows characteristics of a high-risk AI application under EU AI Act Article 15 without corresponding accuracy and robustness documentation",
+    "category": "compliance",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn",
+    "example_blocked": "Agent deploys an AI-powered CV screening tool without any human review process or bias assessment",
+    "example_allowed": "Agent flags system as potentially high-risk under EU AI Act, adds human review checkpoint, triggers compliance documentation workflow",
+    "tags": [
+      "compliance",
+      "eu-ai-act",
+      "regulation"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "cmp-002",
+    "name": "GDPR Data Handling Protocol",
+    "description": "Require explicit lawful basis documentation before any collection, processing, or storage of EU resident personal data",
+    "category": "compliance",
+    "enforcement": "constitutional",
+    "gate_type": "pre-action",
+    "severity": "block",
+    "example_blocked": "Agent stores email addresses of EU website visitors for marketing without a consent record or privacy policy reference",
+    "example_allowed": "Agent confirms consent record exists, stores only consented data, includes lawful basis in storage metadata",
+    "tags": [
+      "compliance",
+      "gdpr",
+      "privacy"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "cmp-003",
+    "name": "Audit Trail Maintenance",
+    "description": "Ensure all agent actions in regulated workflows are traceable with timestamp, actor ID, input, output, and decision rationale",
+    "category": "compliance",
+    "enforcement": "standard",
+    "gate_type": "post-action",
+    "severity": "warn",
+    "example_blocked": "Agent makes automated credit approval decisions with no record of what inputs produced each decision",
+    "example_allowed": "Agent writes structured decision record for each output: {timestamp, inputs_hash, model_version, decision, confidence, human_review_required}",
+    "tags": [
+      "compliance",
+      "audit-trail",
+      "transparency"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  },
+  {
+    "id": "cmp-004",
+    "name": "SOC2 Control Adherence",
+    "description": "Alert when agent actions would violate SOC2 Trust Service Criteria — particularly around access control, availability, and change management",
+    "category": "compliance",
+    "enforcement": "standard",
+    "gate_type": "runtime-monitor",
+    "severity": "warn",
+    "example_blocked": "Agent modifies production database schema directly without creating a change management ticket or notifying the on-call team",
+    "example_allowed": "Agent creates change request, documents risk assessment, waits for change window, executes with monitoring and rollback plan ready",
+    "tags": [
+      "compliance",
+      "soc2",
+      "change-management"
+    ],
+    "preset_groups": [
+      "full-suite"
+    ],
+    "detection_pattern": "[server-side]"
+  }
+]