apiVersion: gateway.bquarkz.net/v1 kind: PolicyConfig metadata: name: ai-gateway-policies spec: defaultDecision: deny data: allowed_projects: [SAFE, PLATFORM, OPS] allowed_changelogs: ["release_*.xml", "hotfix_*.xml"] business_hours: start: "08:00" end: "18:00" timezone: "Europe/Oslo" rate_limits: default: 30 db.queryReadonly: 60 rules: - name: env-deploy-rules type: environment tool: jenkins.deploy when: staging: allow prod: require_approval - name: allow-jira-read type: scope decision: allow tool: "jira.*" required_scope: jira.read actions: [read, get, list, search] - name: allow-jira-write type: scope decision: allow tool: "jira.*" required_scope: jira.write actions: [create, update, delete] - name: allow-db-readonly type: scope decision: allow tool: db.queryReadonly required_scope: db.read - name: restrict-jira-projects type: argument_allowlist decision: deny tool: jira.createTicket argument: project allowlist: "$data.allowed_projects" reason: "Project not in allowlist" - name: restrict-liquibase-changelogs type: argument_allowlist decision: deny tool: db.runLiquibase argument: changelog allowlist: "$data.allowed_changelogs" reason: "Changelog not in allowlist" - name: deny-db-execute-script type: block tool: db.executeScript reason: "db.executeScript is blocked by policy" - name: rate-limit-default type: rate_limit decision: deny tool: "*" max_per_minute: 30 reason: "Rate limit exceeded" - name: deny-deploy-outside-hours type: time_window decision: deny tool: jenkins.deploy window: start: "08:00" end: "18:00" timezone: "Europe/Oslo" reason: "Deployments only allowed during business hours"