@highflame/policy 2.0.6 → 2.0.8

package/dist/overwatch-defaults.gen.js

@@ -7,6 +7,31 @@
 // =============================================================================
 // EMBEDDED CEDAR POLICY TEXT
 // =============================================================================
+const OVERWATCH_BASELINE_DEFAULT_CEDAR = `// =============================================================================
+// Baseline Permit Policy (Default)
+// =============================================================================
+// Permits all actions by default. Threat-specific forbid policies override
+// this to block when YARA, Javelin, or other scanners detect issues.
+//
+// Cedar is default-deny: without at least one permit rule, every request
+// is denied regardless of forbid rules. This baseline ensures the system
+// is "allow unless blocked" rather than "block everything".
+//
+// Category: organization
+// Namespace: Overwatch
+// =============================================================================
+
+@id("baseline-permit-all")
+@name("Permit all actions by default")
+@description("Baseline permit for all actions — threat-specific forbid policies override this when threats are detected")
+@severity("low")
+@tags("baseline,permit-default,organization")
+permit (
+    principal,
+    action,
+    resource
+);
+`;
 const OVERWATCH_SECRETS_DEFAULT_CEDAR = `// =============================================================================
 // Secrets Detection Policy (Default)
 // =============================================================================
@@ -233,6 +258,22 @@ when {
     context has threat_categories && context.threat_categories.contains("pii")
 };
 
+// Block prompts with high PII confidence score
+@id("pii-block-high-confidence")
+@name("Block high-confidence PII")
+@description("Block content when PII classifier confidence exceeds threshold (80/100)")
+@severity("critical")
+@tags("pii,confidence,privacy,compliance")
+@reject_message("Your content was blocked because personally identifiable information was detected with high confidence.")
+forbid (
+    principal,
+    action == Overwatch::Action::"process_prompt",
+    resource
+)
+when {
+    context has pii_confidence && context.pii_confidence >= 80
+};
+
 // Block PII leakage via tool calls
 @id("pii-block-tool-calls")
 @name("Block tool calls with PII")
@@ -276,6 +317,22 @@ when {
     context has yara_threats && context.yara_threats.contains("prompt_injection")
 };
 
+// Block prompts with high injection confidence score
+@id("semantic-block-injection-score")
+@name("Block high-confidence injection")
+@description("Block content when injection classifier confidence exceeds threshold (75/100)")
+@severity("critical")
+@tags("injection,confidence,security,owasp-llm01")
+@reject_message("Your prompt was blocked because a high-confidence prompt injection pattern was detected.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has injection_confidence && context.injection_confidence >= 75
+};
+
 // Block prompts with jailbreak attempts
 @id("semantic-block-jailbreak")
 @name("Block jailbreak attempts")
@@ -291,6 +348,22 @@ when {
     context has yara_threats && context.yara_threats.contains("jailbreak")
 };
 
+// Block prompts with high jailbreak confidence score
+@id("semantic-block-jailbreak-score")
+@name("Block high-confidence jailbreak")
+@description("Block content when jailbreak classifier confidence exceeds threshold (75/100)")
+@severity("critical")
+@tags("jailbreak,confidence,security,owasp-llm02")
+@reject_message("Your prompt was blocked because a high-confidence jailbreak attempt was detected.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has jailbreak_confidence && context.jailbreak_confidence >= 75
+};
+
 // Block prompts with high severity semantic threats
 @id("semantic-block-high-severity")
 @name("Block high severity threats")
@@ -445,6 +518,206 @@ when {
     context.threat_count > 0 && context.max_threat_severity >= 3
 };
 `;
+const OVERWATCH_TRUST_SAFETY_DEFAULT_CEDAR = `// =============================================================================
+// Content Safety Policy (Default)
+// =============================================================================
+// Detects and blocks violent, harmful, hateful, sexual, and profane content
+// using trust/safety classification scores from Javelin/Lakera/LlamaGuard.
+//
+// Compliance: NIST 800-53 SI-4 | EU AI Act Art. 52
+// Category: trust_safety
+// Namespace: Overwatch
+// =============================================================================
+
+// Block prompts with high violence score
+@id("ts-block-violence")
+@name("Block violent content")
+@description("Block content when violence detection score exceeds threshold (80/100)")
+@severity("critical")
+@tags("violence,content-safety,trust-safety,nist-si-4")
+@reject_message("Your prompt was blocked because it contains violent content. Please rephrase without violence-related language.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has violence_score && context.violence_score >= 80
+};
+
+// Block prompts with weapons content
+@id("ts-block-weapons")
+@name("Block weapons content")
+@description("Block content when weapons detection score exceeds threshold (80/100)")
+@severity("critical")
+@tags("weapons,content-safety,trust-safety,nist-si-4")
+@reject_message("Your prompt was blocked because it contains weapons-related content. Please rephrase without weapons references.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has weapons_score && context.weapons_score >= 80
+};
+
+// Block prompts with hate speech
+@id("ts-block-hate-speech")
+@name("Block hate speech")
+@description("Block content when hate speech detection score exceeds threshold (75/100)")
+@severity("critical")
+@tags("hate-speech,content-safety,trust-safety,nist-si-4")
+@reject_message("Your prompt was blocked because it contains hate speech. Please rephrase without hateful or discriminatory language.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has hate_speech_score && context.hate_speech_score >= 75
+};
+
+// Block prompts with criminal content
+@id("ts-block-crime")
+@name("Block criminal content")
+@description("Block content when criminal activity detection score exceeds threshold (80/100)")
+@severity("high")
+@tags("crime,content-safety,trust-safety,nist-si-4")
+@reject_message("Your prompt was blocked because it contains content related to criminal activity.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has crime_score && context.crime_score >= 80
+};
+
+// Block prompts with sexual content
+@id("ts-block-sexual")
+@name("Block sexual content")
+@description("Block content when sexual content detection score exceeds threshold (80/100)")
+@severity("high")
+@tags("sexual,content-safety,trust-safety,eu-ai-act")
+@reject_message("Your prompt was blocked because it contains sexual content.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has sexual_score && context.sexual_score >= 80
+};
+
+// Block prompts with excessive profanity
+@id("ts-block-profanity")
+@name("Block profanity")
+@description("Block content when profanity detection score exceeds threshold (90/100)")
+@severity("medium")
+@tags("profanity,content-safety,trust-safety")
+@reject_message("Your prompt was blocked due to excessive profanity. Please rephrase in a professional manner.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has profanity_score && context.profanity_score >= 90
+};
+`;
+const OVERWATCH_AGENT_SECURITY_DEFAULT_CEDAR = `// =============================================================================
+// Agent Security Policy (Default)
+// =============================================================================
+// Detects and blocks tool poisoning, rug pull attacks, and indirect prompt
+// injection targeting AI coding agents. These are agentic AI-specific attack
+// vectors where tool descriptions or server responses manipulate agent behavior.
+//
+// Compliance: OWASP LLM09 (Improper Output Handling) | MITRE ATLAS AML.T0054
+// Category: agent_security
+// Namespace: Overwatch
+// =============================================================================
+
+// Block tool calls with high tool poisoning risk
+@id("as-block-tool-poisoning")
+@name("Block tool poisoning")
+@description("Block tool execution when tool description contains manipulation patterns (score >= 70/100)")
+@severity("critical")
+@tags("tool-poisoning,agent-security,owasp-llm09")
+@reject_message("Tool execution was blocked because the tool description contains manipulation patterns that could compromise agent behavior.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_poisoning_score && context.tool_poisoning_score >= 70
+};
+
+// Block tool calls with rug pull detection
+@id("as-block-rug-pull")
+@name("Block rug pull attacks")
+@description("Block tool execution when tool behavior diverges from advertised capabilities (score >= 70/100)")
+@severity("critical")
+@tags("rug-pull,agent-security,mcp-security")
+@reject_message("Tool execution was blocked because the tool's actual behavior diverges from its advertised capabilities.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"call_tool", Overwatch::Action::"connect_server"],
+    resource
+)
+when {
+    context has rug_pull_score && context.rug_pull_score >= 70
+};
+
+// Block MCP server connections with high poisoning risk
+@id("as-block-server-poisoning")
+@name("Block poisoned MCP servers")
+@description("Block connections to MCP servers when tool poisoning patterns are detected (score >= 60/100)")
+@severity("critical")
+@tags("tool-poisoning,mcp-security,agent-security")
+@reject_message("Connection to this MCP server was blocked because tool poisoning patterns were detected in its tool descriptions.")
+forbid (
+    principal,
+    action == Overwatch::Action::"connect_server",
+    resource
+)
+when {
+    context has tool_poisoning_score && context.tool_poisoning_score >= 60
+};
+
+// Block prompts with indirect injection patterns
+@id("as-block-indirect-injection")
+@name("Block indirect prompt injection")
+@description("Block content when indirect prompt injection is detected in tool outputs or retrieved documents (score >= 70/100)")
+@severity("critical")
+@tags("indirect-injection,agent-security,owasp-llm01")
+@reject_message("This content was blocked because indirect prompt injection patterns were detected in tool outputs or retrieved documents.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool", Overwatch::Action::"connect_server"],
+    resource
+)
+when {
+    context has indirect_injection_score && context.indirect_injection_score >= 70
+};
+
+// Block unverified MCP server tool calls with any detected threats
+@id("as-block-unverified-threats")
+@name("Block unverified server threats")
+@description("Block tool calls from unverified MCP servers when any threat is detected")
+@severity("high")
+@tags("mcp-trust,agent-security,unverified")
+@reject_message("Tool execution was blocked because the MCP server is unverified and threats were detected in the content.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has mcp_server_verified && context.mcp_server_verified == false &&
+    context has threat_count && context.threat_count > 0
+};
+`;
 const OVERWATCH_TOOLS_MCP_ALLOWLIST_CEDAR = `// MCP Server Allowlist Template
 // Only allow specific MCP servers to be used
 // Category: tools
@@ -592,11 +865,23 @@ export const OVERWATCH_CATEGORIES = [
     { id: 'semantic', name: 'Semantic Threat Detection', description: 'Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats' },
     { id: 'tools', name: 'Tool Permissioning', description: 'Control access to shell execution, file operations, MCP servers, and sensitive system paths' },
     { id: 'organization', name: 'Organization Rules', description: 'Apply organization-wide policy baselines, team permissions, and agent-specific guardrails' },
+    { id: 'trust_safety', name: 'Content Safety', description: 'Detect and control violent, harmful, hateful, sexual, and profane content using trust/safety classification scores' },
+    { id: 'agent_security', name: 'Agent Security', description: 'Detect tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents' },
 ];
 // =============================================================================
 // DEFAULT POLICIES
 // =============================================================================
 export const OVERWATCH_DEFAULTS = [
+    {
+        id: 'baseline-default',
+        name: 'Baseline Permit',
+        description: 'Permits all actions by default — threat-specific forbid policies override this when threats are detected',
+        category: 'organization',
+        cedarText: OVERWATCH_BASELINE_DEFAULT_CEDAR,
+        severity: 'low',
+        tags: ['baseline', 'permit-default', 'organization'],
+        isActive: true,
+    },
     {
         id: 'secrets-default',
         name: 'Secrets Detection',
@@ -637,6 +922,26 @@ export const OVERWATCH_DEFAULTS = [
         tags: ['shell', 'command-injection', 'file-access', 'mitre-t1059', 'baseline'],
         isActive: false,
     },
+    {
+        id: 'trust-safety-default',
+        name: 'Content Safety',
+        description: 'Detect and block violent, harmful, hateful, sexual, and profane content using classification scores',
+        category: 'trust_safety',
+        cedarText: OVERWATCH_TRUST_SAFETY_DEFAULT_CEDAR,
+        severity: 'critical',
+        tags: ['violence', 'weapons', 'hate-speech', 'crime', 'sexual', 'profanity', 'content-safety', 'baseline'],
+        isActive: true,
+    },
+    {
+        id: 'agent-security-default',
+        name: 'Agent Security',
+        description: 'Detect and block tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents',
+        category: 'agent_security',
+        cedarText: OVERWATCH_AGENT_SECURITY_DEFAULT_CEDAR,
+        severity: 'critical',
+        tags: ['tool-poisoning', 'rug-pull', 'indirect-injection', 'mcp-security', 'agent-security', 'baseline'],
+        isActive: true,
+    },
 ];
 // =============================================================================
 // ALL TEMPLATES
@@ -694,7 +999,7 @@ export const OVERWATCH_TEMPLATES = [
 /** Raw templates.json metadata for the Overwatch service. */
 export const OVERWATCH_TEMPLATES_JSON = `{
   "service": "overwatch",
-  "version": "2.0.0",
+  "version": "3.0.0",
   "description": "Overwatch policy templates for IDE security",
   "categories": [
     {
@@ -721,9 +1026,29 @@ export const OVERWATCH_TEMPLATES_JSON = `{
       "id": "organization",
       "name": "Organization Rules",
       "description": "Apply organization-wide policy baselines, team permissions, and agent-specific guardrails"
+    },
+    {
+      "id": "trust_safety",
+      "name": "Content Safety",
+      "description": "Detect and control violent, harmful, hateful, sexual, and profane content using trust/safety classification scores"
+    },
+    {
+      "id": "agent_security",
+      "name": "Agent Security",
+      "description": "Detect tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents"
     }
   ],
   "defaults": [
+    {
+      "id": "baseline-default",
+      "name": "Baseline Permit",
+      "description": "Permits all actions by default — threat-specific forbid policies override this when threats are detected",
+      "category": "organization",
+      "file": "defaults/baseline.cedar",
+      "severity": "low",
+      "tags": ["baseline", "permit-default", "organization"],
+      "is_active": true
+    },
     {
       "id": "secrets-default",
       "name": "Secrets Detection",
@@ -763,6 +1088,26 @@ export const OVERWATCH_TEMPLATES_JSON = `{
       "severity": "critical",
       "tags": ["shell", "command-injection", "file-access", "mitre-t1059", "baseline"],
       "is_active": false
+    },
+    {
+      "id": "trust-safety-default",
+      "name": "Content Safety",
+      "description": "Detect and block violent, harmful, hateful, sexual, and profane content using classification scores",
+      "category": "trust_safety",
+      "file": "defaults/trust_safety.cedar",
+      "severity": "critical",
+      "tags": ["violence", "weapons", "hate-speech", "crime", "sexual", "profanity", "content-safety", "baseline"],
+      "is_active": true
+    },
+    {
+      "id": "agent-security-default",
+      "name": "Agent Security",
+      "description": "Detect and block tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents",
+      "category": "agent_security",
+      "file": "defaults/agent_security.cedar",
+      "severity": "critical",
+      "tags": ["tool-poisoning", "rug-pull", "indirect-injection", "mcp-security", "agent-security", "baseline"],
+      "is_active": true
     }
   ],
   "templates": [

package/dist/overwatch-defaults.gen.js.map

@@ -1 +1 @@
-{"version":3,"file":"overwatch-defaults.gen.js","sourceRoot":"","sources":["../src/overwatch-defaults.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,qDAAqD;AACrD,EAAE;AACF,4CAA4C;AAC5C,8EAA8E;AAC9E,6BAA6B;AA2D7B,gFAAgF;AAChF,6BAA6B;AAC7B,gFAAgF;AAEhF,MAAM,+BAA+B,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAwKvC,CAAC;AAEF,MAAM,2BAA2B,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuEnC,CAAC;AAEF,MAAM,gCAAgC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyFxC,CAAC;AAEF,MAAM,6BAA6B,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0GrC,CAAC;AAEF,MAAM,mCAAmC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgC3C,CAAC;AAEF,MAAM,gCAAgC,GAAG;;;;;;;;;;;;;;CAcxC,CAAC;AAEF,MAAM,6BAA6B,GAAG;;;;;;;;;;;;;;CAcrC,CAAC;AAEF,MAAM,oCAAoC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmC5C,CAAC;AAEF,MAAM,oCAAoC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsC5C,CAAC;AAEF,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF,MAAM,CAAC,MAAM,oBAAoB,GAA4B;IAC3D,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,qHAAqH,EAAE;IAChL,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,eAAe,EAAE,WAAW,EAAE,wHAAwH,EAAE;IAC3K,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,2BAA2B,EAAE,WAAW,EAAE,8FAA8F,EAAE;IAClK,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,6FAA6F,EAAE;IACvJ,EAAE,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,2FAA2F,EAAE;CAC7J,CAAC;AAEF,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,kBAAkB,GAA6B;IAC1D;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,0GAA0G;QACvH,QAAQ,EAAE,SAAS;QACnB,SAAS,EAAE,+BAA+B;QAC1C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,aAAa,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,CAAC;QAC/E,QAAQ,EAAE,IAAI;KACf;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,eAAe;QACrB,WAAW,EAAE,+GAA+G;QAC5H,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,2BAA2B;QACtC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;QACrE,QAAQ,EAAE,IAAI;KACf;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,2BAA2B;QACjC,WAAW,EAAE,8FAA8F;QAC3G,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,gCAAgC;QAC3C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,kBAAkB,EAAE,WAAW,EAAE,aAAa,EAAE,UAAU,EAAE,UAAU,CAAC;QAC9E,QAAQ,EAAE,IAAI;KACf;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,+GAA+G;QAC5H,QAAQ,EAAE,OAAO;QACjB,SAAS,EAAE,6BAA6B;QACxC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,aAAa,EAAE,UAAU,CAAC;QAC9E,QAAQ,EAAE,KAAK;KAChB;CACF,CAAC;AAEF,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,mBAAmB,GAAwB;IACtD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,4CAA4C;QACzD,QAAQ,EAAE,OAAO;QACjB,SAAS,EAAE,mCAAmC;QAC9C,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,WAAW,CAAC;KACxC;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,kEAAkE;QAC/E,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,gCAAgC;QAC3C,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,CAAC;KAClD;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,qDAAqD;QAClE,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,6BAA6B;QACxC,QAAQ,EAAE,KAAK;QACf,IAAI,EAAE,CAAC,OAAO,EAAE,YAAY,EAAE,SAAS,CAAC;KACzC;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,gCAAgC;QACtC,WAAW,EAAE,6HAA6H;QAC1I,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,oCAAoC;QAC/C,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,WAAW,CAAC;KACpD;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,2BAA2B;QACjC,WAAW,EAAE,8FAA8F;QAC3G,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,oCAAoC;QAC/C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,CAAC;KACpD;CACF,CAAC;AAEF,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF,6DAA6D;AAC7D,MAAM,CAAC,MAAM,wBAAwB,GAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyH/C,CAAC;AAEF,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF,MAAM,UAAU,8BAA8B,CAAC,QAA2B;IACxE,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,QAA2B;IACzE,OAAO,mBAAmB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,EAAU;IACjD,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AACpD,CAAC"}
+{"version":3,"file":"overwatch-defaults.gen.js","sourceRoot":"","sources":["../src/overwatch-defaults.gen.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,qDAAqD;AACrD,EAAE;AACF,4CAA4C;AAC5C,8EAA8E;AAC9E,6BAA6B;AA2D7B,gFAAgF;AAChF,6BAA6B;AAC7B,gFAAgF;AAEhF,MAAM,gCAAgC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;CAwBxC,CAAC;AAEF,MAAM,+BAA+B,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAwKvC,CAAC;AAEF,MAAM,2BAA2B,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuFnC,CAAC;AAEF,MAAM,gCAAgC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyHxC,CAAC;AAEF,MAAM,6BAA6B,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0GrC,CAAC;AAEF,MAAM,oCAAoC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0G5C,CAAC;AAEF,MAAM,sCAAsC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4F9C,CAAC;AAEF,MAAM,mCAAmC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgC3C,CAAC;AAEF,MAAM,gCAAgC,GAAG;;;;;;;;;;;;;;CAcxC,CAAC;AAEF,MAAM,6BAA6B,GAAG;;;;;;;;;;;;;;CAcrC,CAAC;AAEF,MAAM,oCAAoC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAmC5C,CAAC;AAEF,MAAM,oCAAoC,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsC5C,CAAC;AAEF,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF,MAAM,CAAC,MAAM,oBAAoB,GAA4B;IAC3D,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,mBAAmB,EAAE,WAAW,EAAE,qHAAqH,EAAE;IAChL,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,eAAe,EAAE,WAAW,EAAE,wHAAwH,EAAE;IAC3K,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,2BAA2B,EAAE,WAAW,EAAE,8FAA8F,EAAE;IAClK,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,6FAA6F,EAAE;IACvJ,EAAE,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,WAAW,EAAE,2FAA2F,EAAE;IAC5J,EAAE,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,gBAAgB,EAAE,WAAW,EAAE,oHAAoH,EAAE;IACjL,EAAE,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,gBAAgB,EAAE,WAAW,EAAE,4FAA4F,EAAE;CAC5J,CAAC;AAEF,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,kBAAkB,GAA6B;IAC1D;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,iBAAiB;QACvB,WAAW,EAAE,0GAA0G;QACvH,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,gCAAgC;QAC3C,QAAQ,EAAE,KAAK;QACf,IAAI,EAAE,CAAC,UAAU,EAAE,gBAAgB,EAAE,cAAc,CAAC;QACpD,QAAQ,EAAE,IAAI;KACf;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,0GAA0G;QACvH,QAAQ,EAAE,SAAS;QACnB,SAAS,EAAE,+BAA+B;QAC1C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,UAAU,EAAE,QAAQ,EAAE,aAAa,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,CAAC;QAC/E,QAAQ,EAAE,IAAI;KACf;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,eAAe;QACrB,WAAW,EAAE,+GAA+G;QAC5H,QAAQ,EAAE,KAAK;QACf,SAAS,EAAE,2BAA2B;QACtC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,UAAU,CAAC;QACrE,QAAQ,EAAE,IAAI;KACf;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,2BAA2B;QACjC,WAAW,EAAE,8FAA8F;QAC3G,QAAQ,EAAE,UAAU;QACpB,SAAS,EAAE,gCAAgC;QAC3C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,kBAAkB,EAAE,WAAW,EAAE,aAAa,EAAE,UAAU,EAAE,UAAU,CAAC;QAC9E,QAAQ,EAAE,IAAI;KACf;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,+GAA+G;QAC5H,QAAQ,EAAE,OAAO;QACjB,SAAS,EAAE,6BAA6B;QACxC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,aAAa,EAAE,UAAU,CAAC;QAC9E,QAAQ,EAAE,KAAK;KAChB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,qGAAqG;QAClH,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,oCAAoC;QAC/C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,gBAAgB,EAAE,UAAU,CAAC;QAC1G,QAAQ,EAAE,IAAI;KACf;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,sGAAsG;QACnH,QAAQ,EAAE,gBAAgB;QAC1B,SAAS,EAAE,sCAAsC;QACjD,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,gBAAgB,EAAE,UAAU,EAAE,oBAAoB,EAAE,cAAc,EAAE,gBAAgB,EAAE,UAAU,CAAC;QACxG,QAAQ,EAAE,IAAI;KACf;CACF,CAAC;AAEF,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF,MAAM,CAAC,MAAM,mBAAmB,GAAwB;IACtD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,sBAAsB;QAC5B,WAAW,EAAE,4CAA4C;QACzD,QAAQ,EAAE,OAAO;QACjB,SAAS,EAAE,mCAAmC;QAC9C,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,WAAW,CAAC;KACxC;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,WAAW,EAAE,kEAAkE;QAC/E,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,gCAAgC;QAC3C,QAAQ,EAAE,MAAM;QAChB,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,CAAC;KAClD;IACD;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,mBAAmB;QACzB,WAAW,EAAE,qDAAqD;QAClE,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,6BAA6B;QACxC,QAAQ,EAAE,KAAK;QACf,IAAI,EAAE,CAAC,OAAO,EAAE,YAAY,EAAE,SAAS,CAAC;KACzC;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,gCAAgC;QACtC,WAAW,EAAE,6HAA6H;QAC1I,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,oCAAoC;QAC/C,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,WAAW,CAAC;KACpD;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,2BAA2B;QACjC,WAAW,EAAE,8FAA8F;QAC3G,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,oCAAoC;QAC/C,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,WAAW,CAAC;KACpD;CACF,CAAC;AAEF,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF,6DAA6D;AAC7D,MAAM,CAAC,MAAM,wBAAwB,GAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiK/C,CAAC;AAEF,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF,MAAM,UAAU,8BAA8B,CAAC,QAA2B;IACxE,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AACjE,CAAC;AAED,MAAM,UAAU,+BAA+B,CAAC,QAA2B;IACzE,OAAO,mBAAmB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,EAAU;IACjD,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AACpD,CAAC"}

package/dist/overwatch-defaults.test.js

@@ -11,13 +11,13 @@ import { OVERWATCH_DEFAULTS, OVERWATCH_TEMPLATES, OVERWATCH_CATEGORIES, getOverw
 // DATA STRUCTURE TESTS
 // =============================================================================
 describe("Overwatch defaults data", () => {
-    test("should have 5 categories", () => {
-        expect(OVERWATCH_CATEGORIES).toHaveLength(5);
+    test("should have 7 categories", () => {
+        expect(OVERWATCH_CATEGORIES).toHaveLength(7);
         const ids = OVERWATCH_CATEGORIES.map((c) => c.id);
-        expect(ids).toEqual(["secrets", "pii", "semantic", "tools", "organization"]);
+        expect(ids).toEqual(["secrets", "pii", "semantic", "tools", "organization", "trust_safety", "agent_security"]);
     });
-    test("should have 4 default policies", () => {
-        expect(OVERWATCH_DEFAULTS).toHaveLength(4);
+    test("should have 7 default policies", () => {
+        expect(OVERWATCH_DEFAULTS).toHaveLength(7);
     });
     test("should have 5 templates", () => {
         expect(OVERWATCH_TEMPLATES).toHaveLength(5);

package/dist/overwatch-defaults.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"overwatch-defaults.test.js","sourceRoot":"","sources":["../src/overwatch-defaults.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EAEpB,+BAA+B,EAC/B,wBAAwB,GACzB,MAAM,6BAA6B,CAAC;AAErC,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,IAAI,CAAC,0BAA0B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,oBAAoB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAClD,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,gCAAgC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,kBAAkB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,+BAA+B,CAAC,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjE,MAAM,CAAC,+BAA+B,CAAC,cAAc,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACxC,MAAM,IAAI,GAAG,wBAAwB,CAAC,sBAAsB,CAAC,CAAC;QAC9D,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC3B,MAAM,CAAC,IAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QAC1D,MAAM,CAAC,IAAK,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACzD,KAAK,MAAM,CAAC,IAAI,kBAAkB,EAAE,CAAC;YACnC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,gFAAgF;AAChF,yBAAyB;AACzB,6EAA6E;AAC7E,gFAAgF;AAEhF,QAAQ,CAAC,0CAA0C,EAAE,GAAG,EAAE;IACxD,4EAA4E;IAC5E,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAC7C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CAC7D;SACE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;SACvB,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,IAAI,CAAC,gEAAgE,EAAE,GAAG,EAAE;QAC1E,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAEjC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC/B,SAAS,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,EAAE,oBAAoB,EAAE;YAChE,MAAM,EAAE,qCAAqC;YAC7C,QAAQ,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,EAAE,EAAE,aAAa,EAAE;YAC7D,OAAO,EAAE;gBACP,OAAO,EAAE,6BAA6B;gBACtC,MAAM,EAAE,QAAQ;gBAChB,KAAK,EAAE,oBAAoB;gBAC3B,UAAU,EAAE,oBAAoB;gBAChC,GAAG,EAAE,oBAAoB;gBACzB,cAAc,EAAE,oBAAoB;gBACpC,YAAY,EAAE,CAAC;gBACf,gBAAgB,EAAE,MAAM;gBACxB,iBAAiB,EAAE,CAAC,SAAS,CAAC;gBAE9B,YAAY,EAAE,CAAC,gBAAgB,CAAC;gBAChC,mBAAmB,EAAE,CAAC;gBACtB,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,6BAA6B;gBAC1C,gBAAgB,EAAE,EAAE;aACrB;SACF,CAAC,CAAC;QAEH,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrC,8DAA8D;QAC9D,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;QAEzE,wDAAwD;QACxD,mFAAmF;QACnF,6EAA6E;QAC7E,gEAAgE;IAClE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAChE,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAEjC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC/B,SAAS,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,EAAE,mBAAmB,EAAE;YAC/D,MAAM,EAAE,qCAAqC;YAC7C,QAAQ,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,EAAE,EAAE,aAAa,EAAE;YAC7D,OAAO,EAAE;gBACP,OAAO,EAAE,kCAAkC;gBAC3C,MAAM,EAAE,YAAY;gBACpB,KAAK,EAAE,kBAAkB;gBACzB,UAAU,EAAE,mBAAmB;gBAC/B,GAAG,EAAE,YAAY;gBACjB,cAAc,EAAE,YAAY;gBAC5B,YAAY,EAAE,CAAC;gBACf,gBAAgB,EAAE,UAAU;gBAC5B,iBAAiB,EAAE,CAAC,UAAU,CAAC;gBAE/B,YAAY,EAAE,CAAC,kBAAkB,CAAC;gBAClC,mBAAmB,EAAE,CAAC;gBACtB,gBAAgB,EAAE,KAAK;gBACvB,WAAW,EAAE,kCAAkC;gBAC/C,gBAAgB,EAAE,EAAE;aACrB;SACF,CAAC,CAAC;QAEH,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrC,2DAA2D;QAC3D,wEAAwE;QACxE,qGAAqG;QACrG,4DAA4D;QAC5D,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;QAC5E,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAC;QAC3E,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,SAAS,CAAC,8BAA8B,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,qEAAqE,EAAE,GAAG,EAAE;QAC/E,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAEjC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC/B,SAAS,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,EAAE,oBAAoB,EAAE;YAChE,MAAM,EAAE,qCAAqC;YAC7C,QAAQ,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,EAAE,EAAE,aAAa,EAAE;YAC7D,OAAO,EAAE;gBACP,OAAO,EAAE,6BAA6B;gBACtC,MAAM,EAAE,QAAQ;gBAChB,KAAK,EAAE,oBAAoB;gBAC3B,UAAU,EAAE,oBAAoB;gBAChC,GAAG,EAAE,YAAY;gBACjB,cAAc,EAAE,YAAY;gBAC5B,YAAY,EAAE,CAAC;gBACf,gBAAgB,EAAE,MAAM;gBACxB,iBAAiB,EAAE,EAAE;gBAErB,YAAY,EAAE,EAAE;gBAChB,mBAAmB,EAAE,CAAC;gBACtB,gBAAgB,EAAE,KAAK;gBACvB,WAAW,EAAE,6BAA6B;gBAC1C,gBAAgB,EAAE,EAAE;aACrB;SACF,CAAC,CAAC;QAEH,wDAAwD;QACxD,mDAAmD;QACnD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrC,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"overwatch-defaults.test.js","sourceRoot":"","sources":["../src/overwatch-defaults.test.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EAEpB,+BAA+B,EAC/B,wBAAwB,GACzB,MAAM,6BAA6B,CAAC;AAErC,gFAAgF;AAChF,uBAAuB;AACvB,gFAAgF;AAEhF,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;IACvC,IAAI,CAAC,0BAA0B,EAAE,GAAG,EAAE;QACpC,MAAM,CAAC,oBAAoB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC7C,MAAM,GAAG,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAClD,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,gBAAgB,CAAC,CAAC,CAAC;IACjH,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,gCAAgC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,kBAAkB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACnC,MAAM,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC/C,MAAM,CAAC,+BAA+B,CAAC,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjE,MAAM,CAAC,+BAA+B,CAAC,cAAc,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC1E,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,8BAA8B,EAAE,GAAG,EAAE;QACxC,MAAM,IAAI,GAAG,wBAAwB,CAAC,sBAAsB,CAAC,CAAC;QAC9D,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC3B,MAAM,CAAC,IAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;QAC1D,MAAM,CAAC,IAAK,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACzD,KAAK,MAAM,CAAC,IAAI,kBAAkB,EAAE,CAAC;YACnC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,gFAAgF;AAChF,yBAAyB;AACzB,6EAA6E;AAC7E,gFAAgF;AAEhF,QAAQ,CAAC,0CAA0C,EAAE,GAAG,EAAE;IACxD,4EAA4E;IAC5E,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAC7C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,UAAU,CAC7D;SACE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;SACvB,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,IAAI,CAAC,gEAAgE,EAAE,GAAG,EAAE;QAC1E,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAEjC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC/B,SAAS,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,EAAE,oBAAoB,EAAE;YAChE,MAAM,EAAE,qCAAqC;YAC7C,QAAQ,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,EAAE,EAAE,aAAa,EAAE;YAC7D,OAAO,EAAE;gBACP,OAAO,EAAE,6BAA6B;gBACtC,MAAM,EAAE,QAAQ;gBAChB,KAAK,EAAE,oBAAoB;gBAC3B,UAAU,EAAE,oBAAoB;gBAChC,GAAG,EAAE,oBAAoB;gBACzB,cAAc,EAAE,oBAAoB;gBACpC,YAAY,EAAE,CAAC;gBACf,gBAAgB,EAAE,MAAM;gBACxB,iBAAiB,EAAE,CAAC,SAAS,CAAC;gBAE9B,YAAY,EAAE,CAAC,gBAAgB,CAAC;gBAChC,mBAAmB,EAAE,CAAC;gBACtB,gBAAgB,EAAE,IAAI;gBACtB,WAAW,EAAE,6BAA6B;gBAC1C,gBAAgB,EAAE,EAAE;aACrB;SACF,CAAC,CAAC;QAEH,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrC,8DAA8D;QAC9D,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;QAEzE,wDAAwD;QACxD,mFAAmF;QACnF,6EAA6E;QAC7E,gEAAgE;IAClE,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAChE,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAEjC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC/B,SAAS,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,EAAE,mBAAmB,EAAE;YAC/D,MAAM,EAAE,qCAAqC;YAC7C,QAAQ,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,EAAE,EAAE,aAAa,EAAE;YAC7D,OAAO,EAAE;gBACP,OAAO,EAAE,kCAAkC;gBAC3C,MAAM,EAAE,YAAY;gBACpB,KAAK,EAAE,kBAAkB;gBACzB,UAAU,EAAE,mBAAmB;gBAC/B,GAAG,EAAE,YAAY;gBACjB,cAAc,EAAE,YAAY;gBAC5B,YAAY,EAAE,CAAC;gBACf,gBAAgB,EAAE,UAAU;gBAC5B,iBAAiB,EAAE,CAAC,UAAU,CAAC;gBAE/B,YAAY,EAAE,CAAC,kBAAkB,CAAC;gBAClC,mBAAmB,EAAE,CAAC;gBACtB,gBAAgB,EAAE,KAAK;gBACvB,WAAW,EAAE,kCAAkC;gBAC/C,gBAAgB,EAAE,EAAE;aACrB;SACF,CAAC,CAAC;QAEH,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrC,2DAA2D;QAC3D,wEAAwE;QACxE,qGAAqG;QACrG,4DAA4D;QAC5D,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,SAAS,CAAC,0BAA0B,CAAC,CAAC;QAC5E,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAC;QAC3E,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,SAAS,CAAC,8BAA8B,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,qEAAqE,EAAE,GAAG,EAAE;QAC/E,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAEjC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC/B,SAAS,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,EAAE,oBAAoB,EAAE;YAChE,MAAM,EAAE,qCAAqC;YAC7C,QAAQ,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,EAAE,EAAE,aAAa,EAAE;YAC7D,OAAO,EAAE;gBACP,OAAO,EAAE,6BAA6B;gBACtC,MAAM,EAAE,QAAQ;gBAChB,KAAK,EAAE,oBAAoB;gBAC3B,UAAU,EAAE,oBAAoB;gBAChC,GAAG,EAAE,YAAY;gBACjB,cAAc,EAAE,YAAY;gBAC5B,YAAY,EAAE,CAAC;gBACf,gBAAgB,EAAE,MAAM;gBACxB,iBAAiB,EAAE,EAAE;gBAErB,YAAY,EAAE,EAAE;gBAChB,mBAAmB,EAAE,CAAC;gBACtB,gBAAgB,EAAE,KAAK;gBACvB,WAAW,EAAE,6BAA6B;gBAC1C,gBAAgB,EAAE,EAAE;aACrB;SACF,CAAC,CAAC;QAEH,wDAAwD;QACxD,mDAAmD;QACnD,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrC,MAAM,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/parser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../src/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAkE,MAAM,cAAc,CAAC;AAI/G;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2DAA2D;IAC3D,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,iFAAiF;IACjF,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,qCAAqC;IACrC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAmDD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,CA6EhE"}
+{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../src/parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAkE,MAAM,cAAc,CAAC;AAI/G;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2DAA2D;IAC3D,KAAK,EAAE,UAAU,EAAE,CAAC;IACpB,iFAAiF;IACjF,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,qCAAqC;IACrC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAmDD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,WAAW,CAoFhE"}

package/dist/parser.js

@@ -59,7 +59,12 @@ export function parseCedarToRules(cedarText) {
             }
             const policy = jsonResult.json;
             const policyId = policy.annotations?.id || `policy${index}`;
-            const conversion = cedarJsonToRule(policy, policyId, index, policyText);
+            // Get engine-serialized Cedar text for rawCondition extraction.
+            // Using cedar-wasm's policyToText ensures we get the official engine's
+            // representation rather than relying on our own text extraction.
+            const engineTextResult = cedar.policyToText(jsonResult.json);
+            const engineText = engineTextResult.type === "success" ? engineTextResult.text : policyText;
+            const conversion = cedarJsonToRule(policy, policyId, index, engineText);
             if (conversion.error) {
                 result.errors.push(`Policy ${policyId}: ${conversion.error}`);
             }
@@ -129,7 +134,7 @@ function cedarJsonToRule(policy, policyId, index, originalText) {
             order: index,
         };
         // Map conditions
-        const { conditions, rawCondition } = mapConditions(policy.conditions);
+        const { conditions, rawCondition } = mapConditions(policy.conditions, originalText);
         rule.conditions = conditions;
         if (rawCondition) {
             rule.rawCondition = rawCondition;
@@ -236,6 +241,19 @@ function mapScopeToEntity(scope, field) {
  *
  * Throws ParserError for malformed constraints to prevent silent misinterpretation.
  */
+/**
+ * Format action entity reference, preserving namespace if present.
+ *
+ * If entity type is just "Action", returns just the id (e.g., "process_prompt").
+ * If entity type has a namespace (e.g., "Overwatch::Action"),
+ * returns the fully qualified action string (e.g., 'Overwatch::Action::"process_prompt"').
+ */
+function formatActionEntity(entity) {
+    if (entity.type !== "Action") {
+        return `${entity.type}::"${entity.id}"`;
+    }
+    return entity.id;
+}
 function mapActionScope(scope) {
     if (scope.op === "All") {
         return "*";
@@ -243,29 +261,31 @@ function mapActionScope(scope) {
     if (scope.op === "==") {
         if ("entity" in scope) {
             const entity = normalizeEntityRef(scope.entity);
-            return entity.id;
+            return formatActionEntity(entity);
         }
         throw ParserError.actionMissingEntity("==");
     }
     if (scope.op === "in") {
         if ("entities" in scope) {
-            const actions = scope.entities.map(e => normalizeEntityRef(e).id);
+            const actions = scope.entities.map(e => formatActionEntity(normalizeEntityRef(e)));
             return actions.length === 1 ? actions[0] : actions;
         }
         if ("entity" in scope) {
             const entity = normalizeEntityRef(scope.entity);
-            return entity.id;
+            return formatActionEntity(entity);
         }
         throw ParserError.actionMissingEntities();
     }
     throw ParserError.actionUnsupportedOp(scope.op);
 }
 /**
- * Map Cedar conditions to PolicyCondition array
+ * Map Cedar conditions to PolicyCondition array.
+ * When conditions can't be mapped to structured format, extract the raw Cedar
+ * condition text from the engine-serialized policy text (not JSON AST).
  */
-function mapConditions(conditions) {
+function mapConditions(conditions, originalText) {
     const result = [];
-    const rawParts = [];
+    let hasUnmapped = false;
     for (const cond of conditions) {
         if (cond.kind !== "when") {
             continue;
@@ -275,16 +295,44 @@ function mapConditions(conditions) {
             result.push(parsed.condition);
         }
         else if (parsed.raw) {
-            rawParts.push(parsed.raw);
+            hasUnmapped = true;
         }
     }
-    // Store raw conditions as a valid JSON array instead of joining with " && "
-    // This ensures downstream systems can parse the rawCondition field
+    // Extract readable Cedar condition text instead of storing JSON AST
+    let rawCondition;
+    if (hasUnmapped && originalText) {
+        rawCondition = extractWhenClause(originalText);
+    }
     return {
         conditions: result,
-        rawCondition: rawParts.length > 0 ? `[${rawParts.join(",")}]` : undefined,
+        rawCondition: rawCondition || undefined,
     };
 }
+/**
+ * Extract the readable condition text from a Cedar policy's when clause.
+ * Given: `forbid (...)\nwhen { context.path like "/etc/*" };`
+ * Returns: `context.path like "/etc/*"`
+ */
+function extractWhenClause(cedarText) {
+    const whenPrefix = "when {";
+    const idx = cedarText.indexOf(whenPrefix);
+    if (idx < 0) {
+        return "";
+    }
+    const body = cedarText.substring(idx + whenPrefix.length);
+    let depth = 1;
+    for (let i = 0; i < body.length; i++) {
+        if (body[i] === "{")
+            depth++;
+        if (body[i] === "}") {
+            depth--;
+            if (depth === 0) {
+                return body.substring(0, i).trim();
+            }
+        }
+    }
+    return body.trim();
+}
 /**
  * Map a Cedar expression body to PolicyCondition
  *