@highflame/overwatch 1.0.0

package/dist/policy.cedar

@@ -0,0 +1,783 @@
+// ============================================================================
+// OVERWATCH SECURITY POLICIES - MULTI-FRAMEWORK COMPLIANCE
+// ============================================================================
+// This Cedar policy file implements security controls that map to multiple
+// compliance frameworks including NIST 800-53, OWASP, and MITRE ATT&CK.
+//
+// Framework Coverage:
+// • NIST 800-53 Rev 5: Access Control, System Integrity, Configuration Management
+// • OWASP Top 10 2021: Injection, Access Control, Security Misconfiguration  
+// • MITRE ATT&CK v14: Execution, Defense Evasion, Credential Access techniques
+// • CIS Controls v8: Inventory, Access Control, Malware Defenses
+// ============================================================================
+
+// === DEFAULT ACTION ===
+// @compliance_id: "DEFAULT_001"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS", "CIS-Controls"]
+// @nist: AC-2 (Account Management), AC-3 (Access Enforcement)
+// @owasp: V4.1.1 (General Access Control Design)
+// @cis: 5.1 (Account Management)
+// @description: "Default permit policy with least privilege enforcement"
+// @severity: MEDIUM
+permit (principal, action, resource);
+
+// ============================================================================
+// COMMAND EXECUTION PREVENTION - CRITICAL SECURITY CONTROL
+// ============================================================================
+// @compliance_id: "CMD_EXEC_001" 
+// @frameworks: ["NIST-800-53", "OWASP-Top10", "MITRE-ATT&CK", "CIS-Controls"]
+// @nist: AC-3 (Access Enforcement), SI-3 (Malicious Code Protection), CM-7 (Least Functionality)
+// @owasp: A01 (Broken Access Control), A03 (Injection)
+// @mitre: T1059 (Command and Scripting Interpreter), T1059.004 (Unix Shell)
+// @cis: 5.1 (Secure System Boot Settings), 16.1 (Network Monitoring and Defense)
+// @description: "Prevents execution of dangerous system commands and shell access"
+// @severity: CRITICAL
+// @category: "Command Injection Prevention"
+
+// Block shell command execution
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"call_tool",
+  resource == Tool::"shell"
+);
+
+// Block bash command execution  
+forbid (
+  principal == User::"mcp_client", 
+  action == Action::"call_tool",
+  resource == Tool::"bash"
+);
+
+// Block sh command execution
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"call_tool", 
+  resource == Tool::"sh"
+);
+
+// Block system.exec calls
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"call_tool",
+  resource == Tool::"system.exec"
+);
+
+// Block process spawning
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"call_tool",
+  resource == Tool::"process.spawn"
+);
+
+// Block dangerous file operations
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"call_tool",
+  resource == Tool::"fs.delete"
+);
+
+// ============================================================================
+// PROMPT INJECTION PROTECTION - COMPREHENSIVE AI SECURITY CONTROL
+// ============================================================================
+// @compliance_id: "PROMPT_INJ_001"
+// @frameworks: ["NIST-800-53", "OWASP-Top10", "MITRE-ATT&CK", "OWASP-ASVS"]
+// @nist: SI-3 (Malicious Code Protection), SI-4 (Information System Monitoring), AC-3 (Access Enforcement)
+// @owasp: A03 (Injection), A04 (Insecure Design)
+// @owasp_asvs: V5.1.1 (Input Validation), V5.3.4 (Output Encoding and Injection Prevention)
+// @mitre: T1566 (Phishing), T1027 (Obfuscated Files or Information), T1204 (User Execution)
+// @description: "Prevents prompt injection, jailbreak attempts, and AI manipulation techniques"
+// @severity: HIGH
+// @category: "AI Security / Prompt Injection Prevention"
+
+// Allow legitimate system-related queries (whitelist approach)
+permit (
+  principal == User::"mcp_client",
+  action == Action::"process_prompt",
+  resource
+) when {
+  context has prompt_text &&
+  (context.prompt_text like "*how to ignore errors in python*" ||
+   context.prompt_text like "*git ignore file*" ||
+   context.prompt_text like "*docker ignore*" ||
+   context.prompt_text like "*ignore whitespace*" ||
+   context.prompt_text like "*ignore case*" ||
+   context.prompt_text like "*system requirements*" ||
+   context.prompt_text like "*system design*" ||
+   context.prompt_text like "*system architecture*")
+};
+
+// Block malicious prompt injection patterns
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"process_prompt",
+  resource
+) when {
+  context has prompt_text &&
+  (// Instruction override attempts (MITRE T1204: User Execution)
+   context.prompt_text like "*ignore all*" ||
+   context.prompt_text like "*ignore previous*" ||
+   context.prompt_text like "*ignore instructions*" ||
+   context.prompt_text like "*ignore the*" ||
+   context.prompt_text like "*forget all*" ||
+   context.prompt_text like "*forget previous*" ||
+   context.prompt_text like "*forget instructions*" ||
+   context.prompt_text like "*forget what*" ||
+   context.prompt_text like "*forget that*" ||
+   context.prompt_text like "*forget everything*" ||
+   context.prompt_text like "*disregard all*" ||
+   context.prompt_text like "*disregard previous*" ||
+   context.prompt_text like "*disregard instructions*" ||
+   context.prompt_text like "*override*" ||
+   context.prompt_text like "*bypass*" ||
+   context.prompt_text like "*jailbreak*" ||
+   // Mode manipulation attempts (MITRE T1027: Obfuscated Files or Information)
+   context.prompt_text like "*developer mode*" ||
+   context.prompt_text like "*god mode*" ||
+   context.prompt_text like "*admin mode*" ||
+   context.prompt_text like "*disable all filters*" ||
+   context.prompt_text like "*remove all limitations*" ||
+   // System prompt extraction attempts (MITRE T1566: Phishing)
+   context.prompt_text like "*show me your system prompt*" ||
+   context.prompt_text like "*what are your instructions*" ||
+   context.prompt_text like "*reveal your instructions*" ||
+   context.prompt_text like "*print your system prompt*" ||
+   // Role manipulation attempts
+   context.prompt_text like "*you are now a different ai*" ||
+   context.prompt_text like "*pretend you are*" ||
+   context.prompt_text like "*act as if you are*" ||
+   // Role/conversation markers that indicate injection (OWASP A03: Injection)
+   context.prompt_text like "*system:*" ||
+   context.prompt_text like "*assistant:*" ||
+   context.prompt_text like "*user:*" ||
+   context.prompt_text like "*human:*" ||
+   context.prompt_text like "*ai:*" ||
+   context.prompt_text like "*chatgpt:*" ||
+   // Code injection patterns (OWASP A03: Injection)
+   context.prompt_text like "*exec *" ||
+   context.prompt_text like "*eval *" ||
+   context.prompt_text like "*execute *" ||
+   context.prompt_text like "*run code*" ||
+   context.prompt_text like "*<script*" ||
+   context.prompt_text like "*javascript:*" ||
+   // Prompt structure manipulation
+   context.prompt_text like "*\\n\\n*" ||
+   context.prompt_text like "*---*" ||
+   context.prompt_text like "*###*" ||
+   context.prompt_text like "*```*")
+};
+
+// ============================================================================
+// SECRETS DETECTION - DATA PROTECTION CONTROL  
+// ============================================================================
+// @compliance_id: "SECRET_DETECT_001"
+// @frameworks: ["NIST-800-53", "OWASP-Top10", "MITRE-ATT&CK", "CIS-Controls"]
+// @nist: SC-28 (Protection of Information at Rest), IA-5 (Authenticator Management)
+// @owasp: A02 (Cryptographic Failures), V2.1.1 (Password Security)
+// @mitre: T1552 (Unsecured Credentials), T1555 (Credentials from Password Stores)
+// @cis: 16.1 (Network Monitoring and Defense), 18.1 (Application Software Security)
+// @description: "Prevents exposure of secrets, credentials, and sensitive data in prompts"
+// @severity: HIGH
+// @category: "Data Protection / Secrets Management"
+
+// Block prompts containing secrets
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"process_prompt",
+  resource
+) when {
+  context has contains_secrets && context.contains_secrets == true
+};
+
+// ============================================================================
+// MCP SERVER ACCESS CONTROL - NETWORK BOUNDARY PROTECTION
+// ============================================================================
+// @compliance_id: "MCP_ACCESS_001"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS", "CIS-Controls"]
+// @nist: AC-3 (Access Enforcement), SC-7 (Boundary Protection), AC-4 (Information Flow Enforcement)
+// @owasp: V4.1.1 (General Access Control Design), V4.2.1 (Operation Level Access Control)
+// @cis: 5.1 (Account Management), 12.1 (Network Infrastructure Management)
+// @description: "Controls access to specific MCP servers based on authorization policies"
+// @severity: MEDIUM
+// @category: "Access Control / Server Authorization"
+
+// === PLAYWRIGHT SERVER RESTRICTIONS ===
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"call_tool",
+  resource
+) when {
+  context has server_name && context.server_name == "playwright"
+};
+
+// === FILESYSTEM SERVER RESTRICTIONS ===
+// Allow filesystem tools for specific operations
+permit (
+  principal == User::"mcp_client",
+  action == Action::"call_tool",
+  resource
+) when {
+  context has server_name && context.server_name == "filesystem" &&
+  (resource == Tool::"read_file" ||
+   resource == Tool::"write_file" ||
+   resource == Tool::"list_directory" ||
+   resource == Tool::"create_directory")
+};
+
+// Block dangerous filesystem operations
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"call_tool",
+  resource
+) when {
+  context has server_name && context.server_name == "filesystem" &&
+  (resource == Tool::"delete_file" ||
+   resource == Tool::"execute_file" ||
+   resource == Tool::"move_file")
+};
+
+// ============================================================================
+// FILE SYSTEM ACCESS CONTROL - SENSITIVE DATA PROTECTION
+// ============================================================================
+// @compliance_id: "FS_ACCESS_001"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS", "CIS-Controls", "MITRE-ATT&CK"]
+// @nist: AC-3 (Access Enforcement), SC-28 (Protection of Information at Rest), AC-6 (Least Privilege)
+// @owasp: V4.1.1 (General Access Control Design), V14.2.1 (File Upload Requirements)
+// @cis: 5.1 (Secure System Boot Settings), 13.1 (Network Ports, Protocols and Services)
+// @mitre: T1005 (Data from Local System), T1552.001 (Credentials In Files)
+// @description: "Blocks access to sensitive system directories and credential files"
+// @severity: HIGH
+// @category: "Data Protection / File System Security"
+
+// Block access to sensitive system directories
+forbid (
+  principal == User::"mcp_client",
+  action in [Action::"read_file", Action::"write_file"],
+  resource
+) when {
+  context has path &&
+  (context.path like "/etc/*" ||
+   context.path like "/var/*" ||
+   context.path like "/proc/*" ||
+   context.path like "/sys/*" ||
+   context.path like "/root/*" ||
+   context.path like "*/.env" ||
+   context.path like "*.pem" ||
+   context.path like "*/id_*" ||
+   context.path like "*/.ssh/*" ||
+   context.path like "*/.aws/*")
+};
+
+// @compliance_id: "FS_ALLOW_001"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS", "CIS-Controls"]
+// @nist: AC-3 (Access Enforcement), AC-6 (Least Privilege)
+// @owasp: V4.1.1 (General Access Control Design)
+// @cis: 5.1 (Account Management)
+// @description: "Allows controlled access to workspace and temporary file locations"
+// @severity: MEDIUM
+// @category: "Access Control / Workspace Management"
+
+// Allow workspace and temp file access
+permit (
+  principal == User::"mcp_client",
+  action in [Action::"read_file", Action::"write_file"],
+  resource
+) when {
+  context has path &&
+  ((context has is_within_workspace &&
+    context.is_within_workspace == true) ||
+   context.path like "/tmp/*" ||
+   context.path like "/var/tmp/*" ||
+   context.path like "./tmp/*" ||
+   context.path like "*/tmp/*" ||
+   context.path like "~/tmp/*")
+};
+
+// ============================================================================
+// HTTP REQUEST CONTROL - SSRF PROTECTION
+// ============================================================================
+// @compliance_id: "HTTP_SSRF_001"
+// @frameworks: ["NIST-800-53", "OWASP-Top10", "MITRE-ATT&CK", "CIS-Controls"]
+// @nist: SC-7 (Boundary Protection), SI-3 (Malicious Code Protection), AC-4 (Information Flow Enforcement)
+// @owasp: A10 (Server-Side Request Forgery), V5.2.5 (Sanitization and Sandboxing Requirements)
+// @mitre: T1071.001 (Web Protocols), T1190 (Exploit Public-Facing Application)
+// @cis: 12.1 (Network Infrastructure Management), 13.1 (Network Ports, Protocols and Services)
+// @description: "Prevents Server-Side Request Forgery (SSRF) attacks by blocking requests to private networks"
+// @severity: HIGH
+// @category: "Network Security / SSRF Prevention"
+
+// Block requests to private/internal networks (SSRF protection)
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"http_request",
+  resource
+) when {
+  context has ip_address &&
+  (context.ip_address like "127.*" ||      // IPv4 loopback
+   context.ip_address like "10.*" ||       // RFC1918
+   context.ip_address like "172.16.*" ||   // RFC1918 subset
+   context.ip_address like "172.17.*" ||
+   context.ip_address like "172.18.*" ||
+   context.ip_address like "172.19.*" ||
+   context.ip_address like "172.2?.*" ||
+   context.ip_address like "172.3?.*" ||
+   context.ip_address like "192.168.*" ||  // RFC1918
+   context.ip_address like "169.254.*" ||  // IPv4 link-local
+   context.ip_address like "100.64.*" ||   // Carrier-grade NAT subset
+   context.ip_address like "224.*" ||      // Multicast subset
+   context.ip_address == "::1" ||          // IPv6 loopback
+   context.ip_address like "fc*" ||        // IPv6 unique local
+   context.ip_address like "fd*" ||
+   context.ip_address like "fe8*")         // IPv6 link-local
+};
+
+// HTTP response size limits are handled by the general response size policies below
+
+
+// ============================================================================
+// SECRET DETECTION - AWS ACCESS KEY PROTECTION
+// ============================================================================
+// @compliance_id: "SECRET_AWS_001"
+// @frameworks: ["NIST-800-53", "OWASP-Top10", "MITRE-ATT&CK", "CIS-Controls"]
+// @nist: IA-5 (Authenticator Management), SC-28 (Protection of Information at Rest)
+// @owasp: A02 (Cryptographic Failures), V2.1.1 (Password Security)
+// @mitre: T1552.001 (Credentials In Files), T1555 (Credentials from Password Stores)
+// @cis: 16.1 (Network Monitoring and Defense), 18.1 (Application Software Security)
+// @description: "Detects and blocks AWS access keys from being exposed in responses"
+// @severity: CRITICAL
+// @category: "Credential Protection / AWS Security"
+
+// Block responses containing AWS access keys
+forbid (
+  principal,
+  action,
+  resource
+) when {
+  context has response_content &&
+  context.response_content like "*AKIA*"
+};
+
+// Block responses containing AWS secret keys
+forbid (
+  principal,
+  action,
+  resource
+) when {
+  context has response_content &&
+  (context.response_content like "*AWS_SECRET_ACCESS_KEY*" ||
+   context.response_content like "*aws_secret_access_key*")
+};
+
+// Block responses containing GitHub tokens
+forbid (
+  principal,
+  action,
+  resource
+) when {
+  context has response_content &&
+  (context.response_content like "*ghp_*" ||
+   context.response_content like "*github_pat_*" ||
+   context.response_content like "*ghs_*")
+};
+
+// Block responses containing AI API keys - use YARA threat analysis
+forbid (
+  principal,
+  action,
+  resource
+) when {
+  context has yara_threats &&
+  (context.yara_threats.contains("openai_api_key") ||
+   context.yara_threats.contains("anthropic_api_key") ||
+   context.yara_threats.contains("ai_service_key"))
+};
+
+// Block responses containing SSH private keys
+forbid (
+  principal,
+  action,
+  resource
+) when {
+  context has response_content &&
+  (context.response_content like "*-----BEGIN PRIVATE KEY-----*" ||
+   context.response_content like "*-----BEGIN RSA PRIVATE KEY-----*" ||
+   context.response_content like "*-----BEGIN OPENSSH PRIVATE KEY-----*")
+};
+
+// Block responses containing JWTs - use YARA threat analysis for sophisticated detection
+forbid (
+  principal,
+  action,
+  resource
+) when {
+  context has yara_threats &&
+  context.yara_threats.contains("jwt_token_exposure") ||
+  context has yara_threats &&
+  context.yara_threats.contains("bearer_token_leak")
+};
+
+// Block responses containing common secret patterns - use YARA threat analysis
+forbid (
+  principal,
+  action,
+  resource
+) when {
+  context has yara_threats &&
+  (context.yara_threats.contains("secret_exposure") ||
+   context.yara_threats.contains("credential_leak") ||
+   context.yara_threats.contains("api_key_exposure"))
+};
+
+// === RESPONSE SIZE LIMITS ===
+// Response size limits are handled by specific Enhanced Response Size Policies below
+// This allows for different limits for different types of responses
+
+// ============================================================================
+// CONCURRENCY AND RATE LIMITS - RESOURCE PROTECTION
+// ============================================================================
+// @compliance_id: "RATE_LIMIT_001"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS", "CIS-Controls"]
+// @nist: SC-5 (Denial of Service Protection), AC-7 (Unsuccessful Logon Attempts)
+// @owasp: V4.2.1 (Operation Level Access Control), V11.1.1 (Business Logic Security Requirements)
+// @cis: 13.1 (Network Ports, Protocols and Services)
+// @description: "Prevents resource exhaustion by limiting concurrent operations"
+// @severity: MEDIUM
+// @category: "Resource Management / DoS Prevention"
+
+// Block requests exceeding concurrent tool call limits
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"call_tool",
+  resource
+) when {
+  context has concurrent_calls && context.concurrent_calls > 4
+};
+
+// @compliance_id: "RATE_LIMIT_002"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS", "CIS-Controls"]
+// @nist: SC-5 (Denial of Service Protection), AC-7 (Unsuccessful Logon Attempts)
+// @owasp: V4.2.1 (Operation Level Access Control), V11.1.1 (Business Logic Security Requirements)
+// @cis: 13.1 (Network Ports, Protocols and Services)
+// @description: "Prevents abuse by enforcing per-minute request rate limits"
+// @severity: MEDIUM
+// @category: "Resource Management / Rate Limiting"
+
+// Block requests exceeding rate limits
+forbid (
+  principal == User::"mcp_client",
+  action,
+  resource
+) when {
+  context has requests_per_minute && context.requests_per_minute > 100
+};
+
+// ============================================================================
+// SECURITY SCANNING AUTHORIZATION - VULNERABILITY MANAGEMENT
+// ============================================================================
+// @compliance_id: "SCAN_AUTH_001"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS", "CIS-Controls"]
+// @nist: RA-5 (Vulnerability Scanning), SI-2 (Flaw Remediation), CA-2 (Security Assessments)
+// @owasp: V14.1.1 (Build and Deploy Requirements), V14.2.1 (Dependency Requirements)
+// @cis: 7.1 (Malware Defenses), 18.1 (Application Software Security)
+// @description: "Authorizes legitimate security scanning operations for vulnerability assessment"
+// @severity: LOW
+// @category: "Security Operations / Vulnerability Management"
+
+// Allow security scanner to scan targets
+permit (
+  principal == User::"security_scanner",
+  action == Action::"scan_target",
+  resource
+) when {
+  context has scan_type &&
+  (context.scan_type == "vulnerability_scan" ||
+   context.scan_type == "security_audit" ||
+   context.scan_type == "compliance_check")
+};
+
+// @compliance_id: "VULN_FLAG_001"
+// @frameworks: ["NIST-800-53", "CIS-Controls"]
+// @nist: RA-5 (Vulnerability Scanning), SI-2 (Flaw Remediation), IR-4 (Incident Handling)
+// @cis: 7.1 (Malware Defenses), 18.1 (Application Software Security)
+// @description: "Allows flagging of discovered vulnerabilities with appropriate severity classification"
+// @severity: LOW
+// @category: "Vulnerability Management / Incident Response"
+
+// Allow flagging vulnerabilities found during scans
+permit (
+  principal == User::"security_scanner",
+  action == Action::"flag_vulnerability",
+  resource
+) when {
+  context has severity &&
+  context.severity in ["low", "medium", "high", "critical"]
+};
+
+// ============================================================================
+// YARA THREAT-BASED SECURITY POLICIES - ADVANCED THREAT DETECTION
+// ============================================================================
+// @compliance_id: "YARA_THREAT_001"
+// @frameworks: ["NIST-800-53", "MITRE-ATT&CK", "CIS-Controls"]
+// @nist: SI-3 (Malicious Code Protection), SI-4 (Information System Monitoring)
+// @mitre: T1027 (Obfuscated Files or Information), T1204 (User Execution)
+// @cis: 8.1 (Malware Defenses), 16.1 (Network Monitoring and Defense)
+// @description: "Uses YARA rules for advanced threat detection and automatic blocking of critical threats"
+// @severity: CRITICAL
+// @category: "Threat Detection / Malware Protection"
+
+// CRITICAL threats: Always reject
+forbid (
+  principal == User::"threat_processor",
+  action == Action::"process_prompt",
+  resource == Resource::"threat_analysis"
+) when {
+  context has max_threat_severity && context.max_threat_severity >= 4
+};
+
+// HIGH severity threats: Reject by default, allow only for trusted users
+forbid (
+  principal == User::"threat_processor", 
+  action == Action::"process_prompt",
+  resource == Resource::"threat_analysis"
+) when {
+  context has max_threat_severity && context.max_threat_severity >= 3 &&
+  context has user_trust_level && context.user_trust_level != "high"
+};
+
+// Command injection: Always reject
+// YARA rule name is "command_injection" - check both yara_threats and threat_types for compatibility
+forbid (
+  principal == User::"threat_processor",
+  action == Action::"process_prompt",
+  resource == Resource::"threat_analysis"
+) when {
+  context has yara_threats && context.yara_threats.contains("command_injection")
+};
+
+// Prompt injection: Always reject
+// YARA rule name is "prompt_injection" - blocks jailbreak attempts, DAN mode, etc.
+forbid (
+  principal == User::"threat_processor",
+  action == Action::"process_prompt",
+  resource == Resource::"threat_analysis"
+) when {
+  context has yara_threats && context.yara_threats.contains("prompt_injection")
+};
+
+// Secrets leakage: Alert but allow for internal users
+// YARA rule name is "secrets_leakage"
+permit (
+  principal == User::"threat_processor",
+  action == Action::"process_prompt",
+  resource == Resource::"threat_analysis"
+) when {
+  context has yara_threats && context.yara_threats.contains("secrets_leakage") &&
+  context has user_type && context.user_type == "internal" &&
+  context has alert_enabled && context.alert_enabled == true
+};
+
+// Cross-origin escalation: Monitor and warn
+// YARA rule name is "cross_origin_escalation"
+permit (
+  principal == User::"threat_processor",
+  action == Action::"process_prompt",
+  resource == Resource::"threat_analysis"
+) when {
+  context has yara_threats && context.yara_threats.contains("cross_origin_escalation") &&
+  context has monitoring_enabled && context.monitoring_enabled == true
+};
+
+// Path traversal: Block external users, warn internal users
+// YARA rule name is "path_traversal"
+forbid (
+  principal == User::"threat_processor",
+  action == Action::"process_prompt",
+  resource == Resource::"threat_analysis"
+) when {
+  context has yara_threats && context.yara_threats.contains("path_traversal") &&
+  context has user_type && context.user_type == "external"
+};
+
+// No threats detected: Always allow
+permit (
+  principal == User::"threat_processor",
+  action == Action::"process_prompt",
+  resource == Resource::"threat_analysis"
+) when {
+  context has threat_count && context.threat_count == 0
+};
+
+// Low severity threats: Always allow with monitoring
+permit (
+  principal == User::"threat_processor",
+  action == Action::"process_prompt",
+  resource == Resource::"threat_analysis"
+) when {
+  context has max_threat_severity && context.max_threat_severity <= 1
+};
+
+// ============================================================================
+// ENHANCED RESPONSE SIZE POLICIES - RESOURCE MANAGEMENT
+// ============================================================================
+// @compliance_id: "RESP_SIZE_001"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS", "CIS-Controls"]
+// @nist: SC-5 (Denial of Service Protection), SC-6 (Resource Availability)
+// @owasp: V11.1.1 (Business Logic Security Requirements), V4.2.1 (Operation Level Access Control)
+// @cis: 13.1 (Network Ports, Protocols and Services)
+// @description: "Controls response sizes to prevent resource exhaustion and ensure system stability"
+// @severity: MEDIUM
+// @category: "Resource Management / DoS Prevention"
+
+// Allow responses up to 50MB
+permit (
+  principal == User::"mcp_client",
+  action == Action::"process_response",
+  resource == ResponseData::"response_data"
+) when {
+  context has response_size_mb && context.response_size_mb <= 50
+};
+
+// @compliance_id: "RESP_SIZE_002"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS", "CIS-Controls"]
+// @nist: SC-5 (Denial of Service Protection), SC-6 (Resource Availability)
+// @owasp: V11.1.1 (Business Logic Security Requirements)
+// @cis: 13.1 (Network Ports, Protocols and Services)
+// @description: "Hard limit on response sizes to prevent system overload and memory exhaustion"
+// @severity: HIGH
+// @category: "Resource Management / System Protection"
+
+// Block responses over 100MB
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"process_response",
+  resource == ResponseData::"response_data"
+) when {
+  context has response_size_mb && context.response_size_mb > 100
+};
+
+// ============================================================================
+// GUARDRAIL SKIP POLICIES - SELECTIVE BYPASS CONTROL
+// ============================================================================
+// @compliance_id: "GUARDRAIL_001"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS"]
+// @nist: AC-3 (Access Enforcement), AC-6 (Least Privilege)
+// @owasp: V4.1.1 (General Access Control Design), V4.2.1 (Operation Level Access Control)
+// @description: "Allows selective bypass of guardrails for safe, read-only operations while maintaining security"
+// @severity: LOW
+// @category: "Access Control / Performance Optimization"
+
+// Allow skipping guardrails for safe read-only methods
+permit (
+  principal == User::"mcp_client",
+  action == Action::"skip_guardrails",
+  resource == Resource::"tools/list"
+);
+
+permit (
+  principal == User::"mcp_client",
+  action == Action::"skip_guardrails",
+  resource == Resource::"resources/list"
+);
+
+permit (
+  principal == User::"mcp_client",
+  action == Action::"skip_guardrails",
+  resource == Resource::"prompts/list"
+);
+
+// @compliance_id: "GUARDRAIL_002"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS", "CIS-Controls"]
+// @nist: AC-3 (Access Enforcement), SI-3 (Malicious Code Protection)
+// @owasp: V4.1.1 (General Access Control Design)
+// @cis: 5.1 (Account Management)
+// @description: "Prevents bypass of security guardrails for potentially dangerous operations"
+// @severity: HIGH
+// @category: "Security Enforcement / Guardrail Protection"
+
+// Block skipping guardrails for potentially dangerous methods
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"skip_guardrails",
+  resource == Resource::"tools/call"
+);
+
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"skip_guardrails",
+  resource == Resource::"resources/read"
+);
+
+// Block skipping guardrails for unknown methods (regular LLM chat requests)
+// These should always go through Javelin Guardrails validation
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"skip_guardrails",
+  resource == Resource::"unknown"
+);
+
+// ============================================================================
+// ENHANCED SERVER-SPECIFIC ACCESS POLICIES - LEAST PRIVILEGE ACCESS
+// ============================================================================
+// @compliance_id: "SERVER_ACCESS_001"
+// @frameworks: ["NIST-800-53", "OWASP-ASVS", "CIS-Controls"]
+// @nist: AC-3 (Access Enforcement), AC-6 (Least Privilege), AC-4 (Information Flow Enforcement)
+// @owasp: V4.1.1 (General Access Control Design), V4.2.1 (Operation Level Access Control)
+// @cis: 5.1 (Account Management), 12.1 (Network Infrastructure Management)
+// @description: "Default-allow policy for server resources with explicit security restrictions"
+// @severity: MEDIUM
+// @category: "Access Control / Server Authorization"
+
+// Default allow for server-specific access unless explicitly forbidden
+permit (
+  principal == User::"mcp_client",
+  action == Action::"access_server_resource",
+  resource
+);
+
+// @compliance_id: "SERVER_BLOCK_001"
+// @frameworks: ["NIST-800-53", "OWASP-Top10", "MITRE-ATT&CK", "CIS-Controls"]
+// @nist: AC-3 (Access Enforcement), SI-3 (Malicious Code Protection), CM-7 (Least Functionality)
+// @owasp: A01 (Broken Access Control), A03 (Injection)
+// @mitre: T1059 (Command and Scripting Interpreter), T1059.004 (Unix Shell)
+// @cis: 5.1 (Secure System Boot Settings)
+// @description: "Blocks dangerous command execution tools across all server contexts"
+// @severity: CRITICAL
+// @category: "Command Injection Prevention / Server Security"
+
+// Block dangerous tools on any server
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"access_server_resource",
+  resource
+) when {
+  context has tool_name &&
+  (context.tool_name == "shell" ||
+   context.tool_name == "bash" ||
+   context.tool_name == "system.exec" ||
+   context.tool_name == "process.spawn")
+};
+
+// Block access to sensitive resources
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"access_server_resource",
+  resource
+) when {
+  context has resource_name &&
+  (context.resource_name.contains("/etc/") ||
+   context.resource_name.contains("passwd") ||
+   context.resource_name.contains("shadow") ||
+   context.resource_name.contains(".ssh/"))
+};
+
+// Block dangerous prompts that might leak system information
+forbid (
+  principal == User::"mcp_client",
+  action == Action::"access_server_resource",
+  resource
+) when {
+  context has prompt_name &&
+  (context.prompt_name.contains("system") ||
+   context.prompt_name.contains("admin") ||
+   context.prompt_name.contains("root"))
+};
+