Production sync - 2025-09-05

scripts/ai-processor/ai_processor.py

@@ -638,11 +638,23 @@ set security zones security-zone WAN screen GENERAL-screen"""
         fixed_config = '\n'.join(fixed_lines)
         if 'address-set' not in fixed_config.lower():
             # Prepend required address-sets
-            address_sets = """# MANDATORY: Address-set definitions
+            address_sets = """# CRITICAL: YOU MUST START WITH THESE ADDRESS-SETS - DO NOT SKIP!
 set security address-book global address-set INTERNAL-NETS address 192.168.100.0/24
 set security address-book global address-set EXTERNAL-NETS address 0.0.0.0/8
 set security address-book global address-set DMZ-NETS address 10.0.0.0/8
 
+# FORBIDDEN PATTERNS - NEVER GENERATE THESE:
+# ❌ NEVER: permit ip any any -> any any any
+# ❌ NEVER: deny ip any any -> any any any  
+# ❌ NEVER: source-address any
+# ❌ NEVER: destination-address any
+# ❌ NEVER: application any
+
+# REQUIRED - ALWAYS USE THESE PATTERNS:
+# ✅ ALWAYS: source-address INTERNAL-NETS (or specific address-set)
+# ✅ ALWAYS: destination-address EXTERNAL-NETS (or specific address-set)
+# ✅ ALWAYS: application [ junos-https junos-ssh ] (or specific apps)
+
 """
             fixed_config = address_sets + fixed_config
             violations.append("Added mandatory address-sets")