@highflame/policy 2.0.6 → 2.0.8

package/src/overwatch-defaults.gen.ts

@@ -9,7 +9,7 @@
  * Overwatch policy category identifiers.
  * Maps to UI tab names in Studio.
  */
-export type OverwatchCategory = 'secrets' | 'pii' | 'semantic' | 'tools' | 'organization';
+export type OverwatchCategory = 'secrets' | 'pii' | 'semantic' | 'tools' | 'organization' | 'trust_safety' | 'agent_security';
 
 /**
  * Category metadata for UI display.
@@ -66,6 +66,32 @@ export interface OverwatchTemplate {
 // EMBEDDED CEDAR POLICY TEXT
 // =============================================================================
 
+const OVERWATCH_BASELINE_DEFAULT_CEDAR = `// =============================================================================
+// Baseline Permit Policy (Default)
+// =============================================================================
+// Permits all actions by default. Threat-specific forbid policies override
+// this to block when YARA, Javelin, or other scanners detect issues.
+//
+// Cedar is default-deny: without at least one permit rule, every request
+// is denied regardless of forbid rules. This baseline ensures the system
+// is "allow unless blocked" rather than "block everything".
+//
+// Category: organization
+// Namespace: Overwatch
+// =============================================================================
+
+@id("baseline-permit-all")
+@name("Permit all actions by default")
+@description("Baseline permit for all actions — threat-specific forbid policies override this when threats are detected")
+@severity("low")
+@tags("baseline,permit-default,organization")
+permit (
+    principal,
+    action,
+    resource
+);
+`;
+
 const OVERWATCH_SECRETS_DEFAULT_CEDAR = `// =============================================================================
 // Secrets Detection Policy (Default)
 // =============================================================================
@@ -293,6 +319,22 @@ when {
     context has threat_categories && context.threat_categories.contains("pii")
 };
 
+// Block prompts with high PII confidence score
+@id("pii-block-high-confidence")
+@name("Block high-confidence PII")
+@description("Block content when PII classifier confidence exceeds threshold (80/100)")
+@severity("critical")
+@tags("pii,confidence,privacy,compliance")
+@reject_message("Your content was blocked because personally identifiable information was detected with high confidence.")
+forbid (
+    principal,
+    action == Overwatch::Action::"process_prompt",
+    resource
+)
+when {
+    context has pii_confidence && context.pii_confidence >= 80
+};
+
 // Block PII leakage via tool calls
 @id("pii-block-tool-calls")
 @name("Block tool calls with PII")
@@ -337,6 +379,22 @@ when {
     context has yara_threats && context.yara_threats.contains("prompt_injection")
 };
 
+// Block prompts with high injection confidence score
+@id("semantic-block-injection-score")
+@name("Block high-confidence injection")
+@description("Block content when injection classifier confidence exceeds threshold (75/100)")
+@severity("critical")
+@tags("injection,confidence,security,owasp-llm01")
+@reject_message("Your prompt was blocked because a high-confidence prompt injection pattern was detected.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has injection_confidence && context.injection_confidence >= 75
+};
+
 // Block prompts with jailbreak attempts
 @id("semantic-block-jailbreak")
 @name("Block jailbreak attempts")
@@ -352,6 +410,22 @@ when {
     context has yara_threats && context.yara_threats.contains("jailbreak")
 };
 
+// Block prompts with high jailbreak confidence score
+@id("semantic-block-jailbreak-score")
+@name("Block high-confidence jailbreak")
+@description("Block content when jailbreak classifier confidence exceeds threshold (75/100)")
+@severity("critical")
+@tags("jailbreak,confidence,security,owasp-llm02")
+@reject_message("Your prompt was blocked because a high-confidence jailbreak attempt was detected.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has jailbreak_confidence && context.jailbreak_confidence >= 75
+};
+
 // Block prompts with high severity semantic threats
 @id("semantic-block-high-severity")
 @name("Block high severity threats")
@@ -508,6 +582,208 @@ when {
 };
 `;
 
+const OVERWATCH_TRUST_SAFETY_DEFAULT_CEDAR = `// =============================================================================
+// Content Safety Policy (Default)
+// =============================================================================
+// Detects and blocks violent, harmful, hateful, sexual, and profane content
+// using trust/safety classification scores from Javelin/Lakera/LlamaGuard.
+//
+// Compliance: NIST 800-53 SI-4 | EU AI Act Art. 52
+// Category: trust_safety
+// Namespace: Overwatch
+// =============================================================================
+
+// Block prompts with high violence score
+@id("ts-block-violence")
+@name("Block violent content")
+@description("Block content when violence detection score exceeds threshold (80/100)")
+@severity("critical")
+@tags("violence,content-safety,trust-safety,nist-si-4")
+@reject_message("Your prompt was blocked because it contains violent content. Please rephrase without violence-related language.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has violence_score && context.violence_score >= 80
+};
+
+// Block prompts with weapons content
+@id("ts-block-weapons")
+@name("Block weapons content")
+@description("Block content when weapons detection score exceeds threshold (80/100)")
+@severity("critical")
+@tags("weapons,content-safety,trust-safety,nist-si-4")
+@reject_message("Your prompt was blocked because it contains weapons-related content. Please rephrase without weapons references.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has weapons_score && context.weapons_score >= 80
+};
+
+// Block prompts with hate speech
+@id("ts-block-hate-speech")
+@name("Block hate speech")
+@description("Block content when hate speech detection score exceeds threshold (75/100)")
+@severity("critical")
+@tags("hate-speech,content-safety,trust-safety,nist-si-4")
+@reject_message("Your prompt was blocked because it contains hate speech. Please rephrase without hateful or discriminatory language.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has hate_speech_score && context.hate_speech_score >= 75
+};
+
+// Block prompts with criminal content
+@id("ts-block-crime")
+@name("Block criminal content")
+@description("Block content when criminal activity detection score exceeds threshold (80/100)")
+@severity("high")
+@tags("crime,content-safety,trust-safety,nist-si-4")
+@reject_message("Your prompt was blocked because it contains content related to criminal activity.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has crime_score && context.crime_score >= 80
+};
+
+// Block prompts with sexual content
+@id("ts-block-sexual")
+@name("Block sexual content")
+@description("Block content when sexual content detection score exceeds threshold (80/100)")
+@severity("high")
+@tags("sexual,content-safety,trust-safety,eu-ai-act")
+@reject_message("Your prompt was blocked because it contains sexual content.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has sexual_score && context.sexual_score >= 80
+};
+
+// Block prompts with excessive profanity
+@id("ts-block-profanity")
+@name("Block profanity")
+@description("Block content when profanity detection score exceeds threshold (90/100)")
+@severity("medium")
+@tags("profanity,content-safety,trust-safety")
+@reject_message("Your prompt was blocked due to excessive profanity. Please rephrase in a professional manner.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
+    resource
+)
+when {
+    context has profanity_score && context.profanity_score >= 90
+};
+`;
+
+const OVERWATCH_AGENT_SECURITY_DEFAULT_CEDAR = `// =============================================================================
+// Agent Security Policy (Default)
+// =============================================================================
+// Detects and blocks tool poisoning, rug pull attacks, and indirect prompt
+// injection targeting AI coding agents. These are agentic AI-specific attack
+// vectors where tool descriptions or server responses manipulate agent behavior.
+//
+// Compliance: OWASP LLM09 (Improper Output Handling) | MITRE ATLAS AML.T0054
+// Category: agent_security
+// Namespace: Overwatch
+// =============================================================================
+
+// Block tool calls with high tool poisoning risk
+@id("as-block-tool-poisoning")
+@name("Block tool poisoning")
+@description("Block tool execution when tool description contains manipulation patterns (score >= 70/100)")
+@severity("critical")
+@tags("tool-poisoning,agent-security,owasp-llm09")
+@reject_message("Tool execution was blocked because the tool description contains manipulation patterns that could compromise agent behavior.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has tool_poisoning_score && context.tool_poisoning_score >= 70
+};
+
+// Block tool calls with rug pull detection
+@id("as-block-rug-pull")
+@name("Block rug pull attacks")
+@description("Block tool execution when tool behavior diverges from advertised capabilities (score >= 70/100)")
+@severity("critical")
+@tags("rug-pull,agent-security,mcp-security")
+@reject_message("Tool execution was blocked because the tool's actual behavior diverges from its advertised capabilities.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"call_tool", Overwatch::Action::"connect_server"],
+    resource
+)
+when {
+    context has rug_pull_score && context.rug_pull_score >= 70
+};
+
+// Block MCP server connections with high poisoning risk
+@id("as-block-server-poisoning")
+@name("Block poisoned MCP servers")
+@description("Block connections to MCP servers when tool poisoning patterns are detected (score >= 60/100)")
+@severity("critical")
+@tags("tool-poisoning,mcp-security,agent-security")
+@reject_message("Connection to this MCP server was blocked because tool poisoning patterns were detected in its tool descriptions.")
+forbid (
+    principal,
+    action == Overwatch::Action::"connect_server",
+    resource
+)
+when {
+    context has tool_poisoning_score && context.tool_poisoning_score >= 60
+};
+
+// Block prompts with indirect injection patterns
+@id("as-block-indirect-injection")
+@name("Block indirect prompt injection")
+@description("Block content when indirect prompt injection is detected in tool outputs or retrieved documents (score >= 70/100)")
+@severity("critical")
+@tags("indirect-injection,agent-security,owasp-llm01")
+@reject_message("This content was blocked because indirect prompt injection patterns were detected in tool outputs or retrieved documents.")
+forbid (
+    principal,
+    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool", Overwatch::Action::"connect_server"],
+    resource
+)
+when {
+    context has indirect_injection_score && context.indirect_injection_score >= 70
+};
+
+// Block unverified MCP server tool calls with any detected threats
+@id("as-block-unverified-threats")
+@name("Block unverified server threats")
+@description("Block tool calls from unverified MCP servers when any threat is detected")
+@severity("high")
+@tags("mcp-trust,agent-security,unverified")
+@reject_message("Tool execution was blocked because the MCP server is unverified and threats were detected in the content.")
+forbid (
+    principal,
+    action == Overwatch::Action::"call_tool",
+    resource
+)
+when {
+    context has mcp_server_verified && context.mcp_server_verified == false &&
+    context has threat_count && context.threat_count > 0
+};
+`;
+
 const OVERWATCH_TOOLS_MCP_ALLOWLIST_CEDAR = `// MCP Server Allowlist Template
 // Only allow specific MCP servers to be used
 // Category: tools
@@ -661,6 +937,8 @@ export const OVERWATCH_CATEGORIES: OverwatchCategoryInfo[] = [
   { id: 'semantic', name: 'Semantic Threat Detection', description: 'Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats' },
   { id: 'tools', name: 'Tool Permissioning', description: 'Control access to shell execution, file operations, MCP servers, and sensitive system paths' },
   { id: 'organization', name: 'Organization Rules', description: 'Apply organization-wide policy baselines, team permissions, and agent-specific guardrails' },
+  { id: 'trust_safety', name: 'Content Safety', description: 'Detect and control violent, harmful, hateful, sexual, and profane content using trust/safety classification scores' },
+  { id: 'agent_security', name: 'Agent Security', description: 'Detect tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents' },
 ];
 
 // =============================================================================
@@ -668,6 +946,16 @@ export const OVERWATCH_CATEGORIES: OverwatchCategoryInfo[] = [
 // =============================================================================
 
 export const OVERWATCH_DEFAULTS: OverwatchDefaultPolicy[] = [
+  {
+    id: 'baseline-default',
+    name: 'Baseline Permit',
+    description: 'Permits all actions by default — threat-specific forbid policies override this when threats are detected',
+    category: 'organization',
+    cedarText: OVERWATCH_BASELINE_DEFAULT_CEDAR,
+    severity: 'low',
+    tags: ['baseline', 'permit-default', 'organization'],
+    isActive: true,
+  },
   {
     id: 'secrets-default',
     name: 'Secrets Detection',
@@ -708,6 +996,26 @@ export const OVERWATCH_DEFAULTS: OverwatchDefaultPolicy[] = [
     tags: ['shell', 'command-injection', 'file-access', 'mitre-t1059', 'baseline'],
     isActive: false,
   },
+  {
+    id: 'trust-safety-default',
+    name: 'Content Safety',
+    description: 'Detect and block violent, harmful, hateful, sexual, and profane content using classification scores',
+    category: 'trust_safety',
+    cedarText: OVERWATCH_TRUST_SAFETY_DEFAULT_CEDAR,
+    severity: 'critical',
+    tags: ['violence', 'weapons', 'hate-speech', 'crime', 'sexual', 'profanity', 'content-safety', 'baseline'],
+    isActive: true,
+  },
+  {
+    id: 'agent-security-default',
+    name: 'Agent Security',
+    description: 'Detect and block tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents',
+    category: 'agent_security',
+    cedarText: OVERWATCH_AGENT_SECURITY_DEFAULT_CEDAR,
+    severity: 'critical',
+    tags: ['tool-poisoning', 'rug-pull', 'indirect-injection', 'mcp-security', 'agent-security', 'baseline'],
+    isActive: true,
+  },
 ];
 
 // =============================================================================
@@ -769,7 +1077,7 @@ export const OVERWATCH_TEMPLATES: OverwatchTemplate[] = [
 /** Raw templates.json metadata for the Overwatch service. */
 export const OVERWATCH_TEMPLATES_JSON: string = `{
   "service": "overwatch",
-  "version": "2.0.0",
+  "version": "3.0.0",
   "description": "Overwatch policy templates for IDE security",
   "categories": [
     {
@@ -796,9 +1104,29 @@ export const OVERWATCH_TEMPLATES_JSON: string = `{
       "id": "organization",
       "name": "Organization Rules",
       "description": "Apply organization-wide policy baselines, team permissions, and agent-specific guardrails"
+    },
+    {
+      "id": "trust_safety",
+      "name": "Content Safety",
+      "description": "Detect and control violent, harmful, hateful, sexual, and profane content using trust/safety classification scores"
+    },
+    {
+      "id": "agent_security",
+      "name": "Agent Security",
+      "description": "Detect tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents"
     }
   ],
   "defaults": [
+    {
+      "id": "baseline-default",
+      "name": "Baseline Permit",
+      "description": "Permits all actions by default — threat-specific forbid policies override this when threats are detected",
+      "category": "organization",
+      "file": "defaults/baseline.cedar",
+      "severity": "low",
+      "tags": ["baseline", "permit-default", "organization"],
+      "is_active": true
+    },
     {
       "id": "secrets-default",
       "name": "Secrets Detection",
@@ -838,6 +1166,26 @@ export const OVERWATCH_TEMPLATES_JSON: string = `{
       "severity": "critical",
       "tags": ["shell", "command-injection", "file-access", "mitre-t1059", "baseline"],
       "is_active": false
+    },
+    {
+      "id": "trust-safety-default",
+      "name": "Content Safety",
+      "description": "Detect and block violent, harmful, hateful, sexual, and profane content using classification scores",
+      "category": "trust_safety",
+      "file": "defaults/trust_safety.cedar",
+      "severity": "critical",
+      "tags": ["violence", "weapons", "hate-speech", "crime", "sexual", "profanity", "content-safety", "baseline"],
+      "is_active": true
+    },
+    {
+      "id": "agent-security-default",
+      "name": "Agent Security",
+      "description": "Detect and block tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents",
+      "category": "agent_security",
+      "file": "defaults/agent_security.cedar",
+      "severity": "critical",
+      "tags": ["tool-poisoning", "rug-pull", "indirect-injection", "mcp-security", "agent-security", "baseline"],
+      "is_active": true
     }
   ],
   "templates": [

package/src/overwatch-defaults.test.ts

@@ -21,14 +21,14 @@ import {
 // =============================================================================
 
 describe("Overwatch defaults data", () => {
-  test("should have 5 categories", () => {
-    expect(OVERWATCH_CATEGORIES).toHaveLength(5);
+  test("should have 7 categories", () => {
+    expect(OVERWATCH_CATEGORIES).toHaveLength(7);
     const ids = OVERWATCH_CATEGORIES.map((c) => c.id);
-    expect(ids).toEqual(["secrets", "pii", "semantic", "tools", "organization"]);
+    expect(ids).toEqual(["secrets", "pii", "semantic", "tools", "organization", "trust_safety", "agent_security"]);
   });
 
-  test("should have 4 default policies", () => {
-    expect(OVERWATCH_DEFAULTS).toHaveLength(4);
+  test("should have 7 default policies", () => {
+    expect(OVERWATCH_DEFAULTS).toHaveLength(7);
   });
 
   test("should have 5 templates", () => {

package/src/parser.test.ts

@@ -5,8 +5,15 @@
  * These tests demonstrate how a client like highflame-authz would use the parser.
  */
 
+import { readFileSync } from 'fs';
+import { resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
 import { describe, it, expect } from 'vitest';
 import { parseCedarToRules } from './parser.js';
+import { rulesToCedar } from './builder.js';
+import type { PolicyRule } from './builder.js';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
 
 describe('parseCedarToRules', () => {
   it('should parse a simple permit policy', () => {
@@ -114,7 +121,7 @@ describe('parseCedarToRules', () => {
     expect(result.unstructured.length).toBeGreaterThan(0);
   });
 
-  it('should store complex conditions as valid JSON array in rawCondition', () => {
+  it('should store complex conditions as Cedar text in rawCondition', () => {
     // Use a condition with boolean AND that can't be mapped to structured format
     const cedarText = `
       @id("complex-condition")
@@ -131,17 +138,80 @@ describe('parseCedarToRules', () => {
 
     const rule = result.rules[0];
 
-    // The complex && condition should be in rawCondition as valid JSON array
+    // The complex && condition should be in rawCondition as readable Cedar text
     if (rule.rawCondition) {
-      // Verify it's valid JSON (should not throw)
-      const parsed = JSON.parse(rule.rawCondition);
-      expect(Array.isArray(parsed)).toBe(true);
-      expect(parsed.length).toBeGreaterThan(0);
+      // Verify it's Cedar expression text (not JSON AST)
+      expect(rule.rawCondition).toContain('context.a');
+      expect(rule.rawCondition).toContain('context.b');
+      // Should not be JSON
+      expect(rule.rawCondition.startsWith('[')).toBe(false);
     }
-    // Either conditions were mapped or rawCondition contains valid JSON
+    // Either conditions were mapped or rawCondition contains Cedar text
     expect(rule.conditions.length > 0 || rule.rawCondition).toBeTruthy();
   });
 
+  it('should round-trip: parse → remove rule → rebuild → re-parse → add back → verify', () => {
+    // Read shared test fixture (builder output format, sorted by @id, Overwatch namespace)
+    const fixturePath = resolve(__dirname, '../../../test-fixtures/round-trip.cedar');
+    const originalCedar = readFileSync(fixturePath, 'utf-8').trimEnd();
+
+    // Step 1: Parse original
+    const originalResult = parseCedarToRules(originalCedar);
+    expect(originalResult.errors).toHaveLength(0);
+    expect(originalResult.rules).toHaveLength(4);
+
+    // Verify we have both simple (structured) and complex (raw) conditions
+    const simpleRule = originalResult.rules.find(r => r.annotations.id === 'simple-block-threats');
+    const complexRule = originalResult.rules.find(r => r.annotations.id === 'complex-block-injection');
+    expect(simpleRule).toBeDefined();
+    expect(complexRule).toBeDefined();
+    expect(simpleRule!.conditions.length).toBeGreaterThan(0);
+    expect(complexRule!.rawCondition).toBeDefined();
+
+    // Step 2: Remove complex rule → rebuild → re-parse
+    const remaining = originalResult.rules.filter(r => r.annotations.id !== 'complex-block-injection');
+    const removedRule = complexRule!;
+    expect(remaining).toHaveLength(3);
+
+    const partialCedar = rulesToCedar(remaining);
+    const partialResult = parseCedarToRules(partialCedar);
+    expect(partialResult.errors).toHaveLength(0);
+    expect(partialResult.rules).toHaveLength(3);
+
+    // Verify each remaining rule is preserved
+    for (const orig of remaining) {
+      const reparsed = partialResult.rules.find(r => r.annotations.id === orig.annotations.id);
+      expect(reparsed).toBeDefined();
+      assertRulesEquivalent(orig, reparsed!);
+    }
+
+    // Step 3: Add back → rebuild → re-parse
+    const allRules = [...partialResult.rules, removedRule];
+    const finalCedar = rulesToCedar(allRules);
+    const finalResult = parseCedarToRules(finalCedar);
+    expect(finalResult.errors).toHaveLength(0);
+    expect(finalResult.rules).toHaveLength(4);
+
+    // Verify ALL rules match original
+    for (const orig of originalResult.rules) {
+      const final_ = finalResult.rules.find(r => r.annotations.id === orig.annotations.id);
+      expect(final_).toBeDefined();
+      assertRulesEquivalent(orig, final_!);
+    }
+
+    // Step 4: Verify parse→build cycle is idempotent.
+    // The engine may normalize rawCondition text (e.g., adding parens), so we
+    // compare against canonical form (first parse→build) rather than original fixture.
+    const originalSorted = [...originalResult.rules].sort((a, b) => a.annotations.id.localeCompare(b.annotations.id));
+    originalSorted.forEach((r, i) => { r.order = i; });
+    const canonicalCedar = rulesToCedar(originalSorted);
+
+    const finalSorted = [...finalResult.rules].sort((a, b) => a.annotations.id.localeCompare(b.annotations.id));
+    finalSorted.forEach((r, i) => { r.order = i; });
+    const finalReconstructed = rulesToCedar(finalSorted);
+    expect(finalReconstructed).toBe(canonicalCedar);
+  });
+
   it('should warn about duplicate policy IDs', () => {
     const cedarText = `
       @id("duplicate-id")
@@ -167,3 +237,15 @@ describe('parseCedarToRules', () => {
     expect(duplicateError).toContain("2");   // Second occurrence at index 2
   });
 });
+
+/** Assert two PolicyRules are semantically equivalent after round-trip. */
+function assertRulesEquivalent(a: PolicyRule, b: PolicyRule): void {
+  expect(b.annotations.id).toBe(a.annotations.id);
+  expect(b.annotations.name).toBe(a.annotations.name);
+  expect(b.effect).toBe(a.effect);
+  expect(b.action).toEqual(a.action);
+  expect(b.principal).toEqual(a.principal);
+  expect(b.resource).toEqual(a.resource);
+  expect(b.conditions).toEqual(a.conditions);
+  expect(b.rawCondition).toBe(a.rawCondition);
+}