@highflame/policy 2.0.8 → 2.0.9

package/src/overwatch-defaults.gen.ts

@@ -1,1255 +0,0 @@
-// Code generated by highflame-policy-codegen. DO NOT EDIT.
-// Source: schemas/overwatch/templates/templates.json
-//
-// Overwatch default policies and templates.
-// Cedar text is embedded at build time. PolicyRule[] can be parsed at runtime
-// using parseCedarToRules().
-
-/**
- * Overwatch policy category identifiers.
- * Maps to UI tab names in Studio.
- */
-export type OverwatchCategory = 'secrets' | 'pii' | 'semantic' | 'tools' | 'organization' | 'trust_safety' | 'agent_security';
-
-/**
- * Category metadata for UI display.
- */
-export interface OverwatchCategoryInfo {
-  id: OverwatchCategory;
-  name: string;
-  description: string;
-}
-
-/**
- * A default policy that is auto-created for new projects.
- */
-export interface OverwatchDefaultPolicy {
-  /** Template identifier */
-  id: string;
-  /** Human-readable name */
-  name: string;
-  /** Description for UI display */
-  description: string;
-  /** Policy category */
-  category: OverwatchCategory;
-  /** Cedar policy text (source of truth) */
-  cedarText: string;
-  /** Severity level */
-  severity: string;
-  /** Tags for filtering */
-  tags: string[];
-  /** Whether this default should be activated immediately */
-  isActive: boolean;
-}
-
-/**
- * A policy template available for users to create from.
- */
-export interface OverwatchTemplate {
-  /** Template identifier */
-  id: string;
-  /** Human-readable name */
-  name: string;
-  /** Description for UI display */
-  description: string;
-  /** Policy category */
-  category: OverwatchCategory;
-  /** Cedar policy text */
-  cedarText: string;
-  /** Severity level */
-  severity: string;
-  /** Tags for filtering */
-  tags: string[];
-}
-
-// =============================================================================
-// EMBEDDED CEDAR POLICY TEXT
-// =============================================================================
-
-const OVERWATCH_BASELINE_DEFAULT_CEDAR = `// =============================================================================
-// Baseline Permit Policy (Default)
-// =============================================================================
-// Permits all actions by default. Threat-specific forbid policies override
-// this to block when YARA, Javelin, or other scanners detect issues.
-//
-// Cedar is default-deny: without at least one permit rule, every request
-// is denied regardless of forbid rules. This baseline ensures the system
-// is "allow unless blocked" rather than "block everything".
-//
-// Category: organization
-// Namespace: Overwatch
-// =============================================================================
-
-@id("baseline-permit-all")
-@name("Permit all actions by default")
-@description("Baseline permit for all actions — threat-specific forbid policies override this when threats are detected")
-@severity("low")
-@tags("baseline,permit-default,organization")
-permit (
-    principal,
-    action,
-    resource
-);
-`;
-
-const OVERWATCH_SECRETS_DEFAULT_CEDAR = `// =============================================================================
-// Secrets Detection Policy (Default)
-// =============================================================================
-// Detects and blocks credential leakage across prompts, tool calls, file
-// operations, and AI response content. Combines YARA-based threat detection
-// with pattern matching for known credential formats.
-//
-// Defense layers:
-//   1. YARA scanner detection (contains_secrets, yara_threats)
-//   2. Sensitive file path blocking (.env files)
-//   3. Response content pattern matching (AWS, GitHub, SSH keys)
-//
-// Compliance: NIST 800-53 SC-28, IA-5 | OWASP A02 | MITRE T1552, T1555
-// Category: secrets
-// Namespace: Overwatch
-// =============================================================================
-
-// ---------------------------------------------------------------------------
-// Section 1: YARA-Based Secret Detection
-// ---------------------------------------------------------------------------
-
-// Block prompts containing detected secrets
-@id("secrets-block-prompts")
-@name("Block prompts with secrets")
-@description("Block prompts when YARA scanners detect API keys, tokens, or credential patterns")
-@severity("critical")
-@tags("secrets,credentials,prompts,nist-sc-28,nist-ia-5")
-forbid (
-    principal,
-    action == Overwatch::Action::"process_prompt",
-    resource
-)
-when {
-    context has contains_secrets && context.contains_secrets == true
-};
-
-// Block file reads and tool calls when secrets are detected
-@id("secrets-block-reads-and-tools")
-@name("Block file reads and tool calls with secrets")
-@description("Prevent file reads and tool execution when secrets or credentials are detected in content")
-@severity("high")
-@tags("secrets,file-access,tools,credentials,nist-sc-28")
-forbid (
-    principal,
-    action in [Overwatch::Action::"read_file", Overwatch::Action::"call_tool"],
-    resource
-)
-when {
-    context has contains_secrets && context.contains_secrets == true
-};
-
-// ---------------------------------------------------------------------------
-// Section 2: Sensitive File Path Protection
-// ---------------------------------------------------------------------------
-
-// Block .env file access across all operations
-@id("secrets-block-env-files")
-@name("Block .env file access")
-@description("Block access to .env files that commonly contain secrets, API keys, and database credentials")
-@severity("high")
-@tags("secrets,env-files,config,nist-sc-28,mitre-t1552")
-forbid (
-    principal,
-    action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
-    resource
-)
-when {
-    context has path && context.path like "*.env*"
-};
-
-// ---------------------------------------------------------------------------
-// Section 3: Response Content Pattern Matching
-// Scans AI responses for known credential formats as defense-in-depth.
-// ---------------------------------------------------------------------------
-
-// Block responses containing AWS access keys (AKIA prefix)
-@id("secrets-block-aws-keys")
-@name("Block AWS access keys in responses")
-@description("Detect and block AWS access key IDs (AKIA prefix) in AI responses to prevent credential exfiltration")
-@severity("critical")
-@tags("secrets,aws,credentials,response-scan,nist-ia-5,mitre-t1552")
-forbid (
-    principal,
-    action,
-    resource
-)
-when {
-    context has response_content &&
-    context.response_content like "*AKIA*"
-};
-
-// Block responses containing AWS secret keys
-@id("secrets-block-aws-secrets")
-@name("Block AWS secret keys in responses")
-@description("Detect and block AWS secret access keys in AI responses")
-@severity("critical")
-@tags("secrets,aws,credentials,response-scan,nist-ia-5")
-forbid (
-    principal,
-    action,
-    resource
-)
-when {
-    context has response_content &&
-    (context.response_content like "*AWS_SECRET_ACCESS_KEY*" ||
-     context.response_content like "*aws_secret_access_key*")
-};
-
-// Block responses containing GitHub tokens
-@id("secrets-block-github-tokens")
-@name("Block GitHub tokens in responses")
-@description("Detect and block GitHub personal access tokens (ghp_), fine-grained tokens (github_pat_), and app tokens (ghs_)")
-@severity("critical")
-@tags("secrets,github,tokens,response-scan,mitre-t1552")
-forbid (
-    principal,
-    action,
-    resource
-)
-when {
-    context has response_content &&
-    (context.response_content like "*ghp_*" ||
-     context.response_content like "*github_pat_*" ||
-     context.response_content like "*ghs_*")
-};
-
-// Block responses containing SSH/RSA private keys
-@id("secrets-block-private-keys")
-@name("Block private keys in responses")
-@description("Detect and block SSH, RSA, and OpenSSH private keys in AI responses")
-@severity("critical")
-@tags("secrets,ssh,private-keys,response-scan,nist-sc-28,mitre-t1552")
-forbid (
-    principal,
-    action,
-    resource
-)
-when {
-    context has response_content &&
-    (context.response_content like "*-----BEGIN PRIVATE KEY-----*" ||
-     context.response_content like "*-----BEGIN RSA PRIVATE KEY-----*" ||
-     context.response_content like "*-----BEGIN OPENSSH PRIVATE KEY-----*")
-};
-
-// ---------------------------------------------------------------------------
-// Section 4: YARA Credential Pattern Detection
-// Catches credential types identified by YARA rule scanning.
-// ---------------------------------------------------------------------------
-
-// Block YARA-detected credential and token patterns
-@id("secrets-block-yara-credentials")
-@name("Block YARA-detected credential patterns")
-@description("Block content flagged by YARA rules for credential exposure, API key leaks, JWT tokens, and bearer tokens")
-@severity("critical")
-@tags("secrets,yara,credentials,jwt,bearer,nist-ia-5")
-forbid (
-    principal,
-    action,
-    resource
-)
-when {
-    context has yara_threats &&
-    (context.yara_threats.contains("secret_exposure") ||
-     context.yara_threats.contains("credential_leak") ||
-     context.yara_threats.contains("api_key_exposure") ||
-     context.yara_threats.contains("jwt_token_exposure") ||
-     context.yara_threats.contains("bearer_token_leak"))
-};
-`;
-
-const OVERWATCH_PII_DEFAULT_CEDAR = `// =============================================================================
-// PII Detection Policy (Default)
-// =============================================================================
-// Detects and blocks personally identifiable information including credit card
-// numbers, Social Security Numbers, and other PII patterns across prompts
-// and tool calls.
-//
-// Compliance: PCI DSS 3.4, 4.1 | NIST 800-53 SI-4 | GDPR Art. 32
-// Category: pii
-// Namespace: Overwatch
-// =============================================================================
-
-// Block prompts containing credit card patterns
-@id("pii-block-credit-cards")
-@name("Block credit card numbers")
-@description("Detect and block content containing credit card number patterns (PCI DSS compliance)")
-@severity("critical")
-@tags("pci,credit-card,payment,compliance,pci-dss-3.4")
-forbid (
-    principal,
-    action == Overwatch::Action::"process_prompt",
-    resource
-)
-when {
-    context has yara_threats && context.yara_threats.contains("credit_card")
-};
-
-// Block prompts containing SSN patterns
-@id("pii-block-ssn")
-@name("Block Social Security Numbers")
-@description("Detect and block content containing SSN patterns (XXX-XX-XXXX format)")
-@severity("critical")
-@tags("ssn,identity,privacy,compliance")
-forbid (
-    principal,
-    action == Overwatch::Action::"process_prompt",
-    resource
-)
-when {
-    context has yara_threats && context.yara_threats.contains("ssn")
-};
-
-// Block prompts with generic PII threats detected
-@id("pii-block-generic")
-@name("Block detected PII content")
-@description("Block content when PII-related threat categories are detected by YARA or Javelin scanners")
-@severity("high")
-@tags("pii,privacy,data-protection,gdpr")
-forbid (
-    principal,
-    action == Overwatch::Action::"process_prompt",
-    resource
-)
-when {
-    context has threat_categories && context.threat_categories.contains("pii")
-};
-
-// Block prompts with high PII confidence score
-@id("pii-block-high-confidence")
-@name("Block high-confidence PII")
-@description("Block content when PII classifier confidence exceeds threshold (80/100)")
-@severity("critical")
-@tags("pii,confidence,privacy,compliance")
-@reject_message("Your content was blocked because personally identifiable information was detected with high confidence.")
-forbid (
-    principal,
-    action == Overwatch::Action::"process_prompt",
-    resource
-)
-when {
-    context has pii_confidence && context.pii_confidence >= 80
-};
-
-// Block PII leakage via tool calls
-@id("pii-block-tool-calls")
-@name("Block tool calls with PII")
-@description("Prevent tool execution when PII patterns are detected in content")
-@severity("high")
-@tags("pii,tools,data-protection")
-forbid (
-    principal,
-    action == Overwatch::Action::"call_tool",
-    resource
-)
-when {
-    context has threat_categories && context.threat_categories.contains("pii")
-};
-`;
-
-const OVERWATCH_SEMANTIC_DEFAULT_CEDAR = `// =============================================================================
-// Semantic Threat Detection Policy (Default)
-// =============================================================================
-// Detects and blocks prompt injection, jailbreak attempts, and high-severity
-// AI security threats using YARA and Javelin scanner results. Provides
-// defense-in-depth across both prompts and tool calls.
-//
-// Compliance: NIST 800-53 SI-3, SI-4 | OWASP LLM Top 10: LLM01, LLM02
-//             MITRE ATLAS: AML.T0051 (LLM Prompt Injection)
-// Category: semantic
-// Namespace: Overwatch
-// =============================================================================
-
-// Block prompts with prompt injection detected by YARA
-@id("semantic-block-injection")
-@name("Block prompt injection")
-@description("Detect and block prompt injection patterns in user input via YARA scanning (OWASP LLM01)")
-@severity("critical")
-@tags("injection,security,llm,owasp-llm01,baseline")
-forbid (
-    principal,
-    action == Overwatch::Action::"process_prompt",
-    resource
-)
-when {
-    context has yara_threats && context.yara_threats.contains("prompt_injection")
-};
-
-// Block prompts with high injection confidence score
-@id("semantic-block-injection-score")
-@name("Block high-confidence injection")
-@description("Block content when injection classifier confidence exceeds threshold (75/100)")
-@severity("critical")
-@tags("injection,confidence,security,owasp-llm01")
-@reject_message("Your prompt was blocked because a high-confidence prompt injection pattern was detected.")
-forbid (
-    principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
-    resource
-)
-when {
-    context has injection_confidence && context.injection_confidence >= 75
-};
-
-// Block prompts with jailbreak attempts
-@id("semantic-block-jailbreak")
-@name("Block jailbreak attempts")
-@description("Detect and block jailbreak and bypass attempts against AI agents (OWASP LLM02)")
-@severity("critical")
-@tags("jailbreak,bypass,security,owasp-llm02,baseline")
-forbid (
-    principal,
-    action == Overwatch::Action::"process_prompt",
-    resource
-)
-when {
-    context has yara_threats && context.yara_threats.contains("jailbreak")
-};
-
-// Block prompts with high jailbreak confidence score
-@id("semantic-block-jailbreak-score")
-@name("Block high-confidence jailbreak")
-@description("Block content when jailbreak classifier confidence exceeds threshold (75/100)")
-@severity("critical")
-@tags("jailbreak,confidence,security,owasp-llm02")
-@reject_message("Your prompt was blocked because a high-confidence jailbreak attempt was detected.")
-forbid (
-    principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
-    resource
-)
-when {
-    context has jailbreak_confidence && context.jailbreak_confidence >= 75
-};
-
-// Block prompts with high severity semantic threats
-@id("semantic-block-high-severity")
-@name("Block high severity threats")
-@description("Block prompts when semantic threat scanners detect high severity issues (severity >= 3)")
-@severity("high")
-@tags("semantic,severity,security")
-forbid (
-    principal,
-    action == Overwatch::Action::"process_prompt",
-    resource
-)
-when {
-    context has threat_categories && context has max_threat_severity &&
-    context.threat_categories.contains("semantic") &&
-    context.max_threat_severity >= 3
-};
-
-// Block prompts with critical threat level
-@id("semantic-block-critical")
-@name("Block critical threats")
-@description("Block all content when any scanner detects critical severity threats")
-@severity("critical")
-@tags("critical,baseline,security")
-forbid (
-    principal,
-    action == Overwatch::Action::"process_prompt",
-    resource
-)
-when {
-    context has highest_severity && context.highest_severity == "critical"
-};
-
-// Block tool calls with prompt injection detected
-@id("semantic-block-tool-injection")
-@name("Block tool calls with injection")
-@description("Prevent tool execution when prompt injection patterns are detected in content")
-@severity("critical")
-@tags("injection,tools,security,owasp-llm01")
-forbid (
-    principal,
-    action == Overwatch::Action::"call_tool",
-    resource
-)
-when {
-    context has yara_threats && context.yara_threats.contains("prompt_injection")
-};
-`;
-
-const OVERWATCH_TOOLS_DEFAULT_CEDAR = `// =============================================================================
-// Tool Permissioning Policy (Default)
-// =============================================================================
-// Controls access to IDE tools, shell execution, file system paths, and MCP
-// operations. Blocks dangerous command execution tools and restricts access
-// to sensitive system directories and credential files.
-//
-// Compliance: NIST 800-53 AC-3, AC-6, CM-7 | OWASP A01, A03
-//             MITRE ATT&CK T1059 (Command/Scripting Interpreter)
-//             MITRE ATT&CK T1005 (Data from Local System)
-// Category: tools
-// Namespace: Overwatch
-// =============================================================================
-
-// ---------------------------------------------------------------------------
-// Section 1: Dangerous Tool Blocking
-// ---------------------------------------------------------------------------
-
-// Block shell and command execution tools
-@id("tools-block-shell-execution")
-@name("Block shell and command execution")
-@description("Block direct shell, bash, and command execution tools to prevent command injection (MITRE T1059)")
-@severity("critical")
-@tags("shell,command-injection,execution,nist-cm-7,mitre-t1059,baseline")
-forbid (
-    principal,
-    action == Overwatch::Action::"call_tool",
-    resource
-)
-when {
-    context has tool_name &&
-    (context.tool_name == "shell" ||
-     context.tool_name == "bash" ||
-     context.tool_name == "sh" ||
-     context.tool_name == "terminal" ||
-     context.tool_name == "system.exec" ||
-     context.tool_name == "process.spawn")
-};
-
-// Block destructive file operations
-@id("tools-block-destructive-ops")
-@name("Block destructive file operations")
-@description("Block file deletion and other destructive tool operations to prevent data loss")
-@severity("high")
-@tags("file,delete,destructive,nist-ac-3")
-forbid (
-    principal,
-    action == Overwatch::Action::"call_tool",
-    resource
-)
-when {
-    context has tool_name &&
-    (context.tool_name == "fs.delete" ||
-     context.tool_name == "fs.rmdir" ||
-     context.tool_name == "fs.unlink")
-};
-
-// ---------------------------------------------------------------------------
-// Section 2: Sensitive Path Blocking
-// ---------------------------------------------------------------------------
-
-// Block access to sensitive system paths and credential files
-@id("tools-block-sensitive-paths")
-@name("Block access to sensitive system paths")
-@description("Prevent access to system directories, credential files, SSH keys, and cloud config (MITRE T1005, T1552.001)")
-@severity("high")
-@tags("file,path,system,security,nist-ac-6,mitre-t1005")
-forbid (
-    principal,
-    action in [Overwatch::Action::"read_file", Overwatch::Action::"write_file", Overwatch::Action::"call_tool"],
-    resource
-)
-when {
-    context has path &&
-    (context.path like "/etc/*" ||
-     context.path like "/var/*" ||
-     context.path like "/proc/*" ||
-     context.path like "/sys/*" ||
-     context.path like "/root/*" ||
-     context.path like "*/.ssh/*" ||
-     context.path like "*/.aws/*" ||
-     context.path like "*/.gnupg/*" ||
-     context.path like "*.pem" ||
-     context.path like "*/id_rsa*" ||
-     context.path like "*/id_ed25519*")
-};
-
-// ---------------------------------------------------------------------------
-// Section 3: Threat-Based Tool Blocking
-// ---------------------------------------------------------------------------
-
-// Block tool calls with high severity threats detected
-@id("tools-block-high-severity-threats")
-@name("Block tool calls with high severity threats")
-@description("Prevent tool execution when high or critical severity threats are detected in content")
-@severity("high")
-@tags("tools,threats,severity,security")
-forbid (
-    principal,
-    action == Overwatch::Action::"call_tool",
-    resource
-)
-when {
-    context has threat_count && context has max_threat_severity &&
-    context.threat_count > 0 && context.max_threat_severity >= 3
-};
-`;
-
-const OVERWATCH_TRUST_SAFETY_DEFAULT_CEDAR = `// =============================================================================
-// Content Safety Policy (Default)
-// =============================================================================
-// Detects and blocks violent, harmful, hateful, sexual, and profane content
-// using trust/safety classification scores from Javelin/Lakera/LlamaGuard.
-//
-// Compliance: NIST 800-53 SI-4 | EU AI Act Art. 52
-// Category: trust_safety
-// Namespace: Overwatch
-// =============================================================================
-
-// Block prompts with high violence score
-@id("ts-block-violence")
-@name("Block violent content")
-@description("Block content when violence detection score exceeds threshold (80/100)")
-@severity("critical")
-@tags("violence,content-safety,trust-safety,nist-si-4")
-@reject_message("Your prompt was blocked because it contains violent content. Please rephrase without violence-related language.")
-forbid (
-    principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
-    resource
-)
-when {
-    context has violence_score && context.violence_score >= 80
-};
-
-// Block prompts with weapons content
-@id("ts-block-weapons")
-@name("Block weapons content")
-@description("Block content when weapons detection score exceeds threshold (80/100)")
-@severity("critical")
-@tags("weapons,content-safety,trust-safety,nist-si-4")
-@reject_message("Your prompt was blocked because it contains weapons-related content. Please rephrase without weapons references.")
-forbid (
-    principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
-    resource
-)
-when {
-    context has weapons_score && context.weapons_score >= 80
-};
-
-// Block prompts with hate speech
-@id("ts-block-hate-speech")
-@name("Block hate speech")
-@description("Block content when hate speech detection score exceeds threshold (75/100)")
-@severity("critical")
-@tags("hate-speech,content-safety,trust-safety,nist-si-4")
-@reject_message("Your prompt was blocked because it contains hate speech. Please rephrase without hateful or discriminatory language.")
-forbid (
-    principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
-    resource
-)
-when {
-    context has hate_speech_score && context.hate_speech_score >= 75
-};
-
-// Block prompts with criminal content
-@id("ts-block-crime")
-@name("Block criminal content")
-@description("Block content when criminal activity detection score exceeds threshold (80/100)")
-@severity("high")
-@tags("crime,content-safety,trust-safety,nist-si-4")
-@reject_message("Your prompt was blocked because it contains content related to criminal activity.")
-forbid (
-    principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
-    resource
-)
-when {
-    context has crime_score && context.crime_score >= 80
-};
-
-// Block prompts with sexual content
-@id("ts-block-sexual")
-@name("Block sexual content")
-@description("Block content when sexual content detection score exceeds threshold (80/100)")
-@severity("high")
-@tags("sexual,content-safety,trust-safety,eu-ai-act")
-@reject_message("Your prompt was blocked because it contains sexual content.")
-forbid (
-    principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
-    resource
-)
-when {
-    context has sexual_score && context.sexual_score >= 80
-};
-
-// Block prompts with excessive profanity
-@id("ts-block-profanity")
-@name("Block profanity")
-@description("Block content when profanity detection score exceeds threshold (90/100)")
-@severity("medium")
-@tags("profanity,content-safety,trust-safety")
-@reject_message("Your prompt was blocked due to excessive profanity. Please rephrase in a professional manner.")
-forbid (
-    principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool"],
-    resource
-)
-when {
-    context has profanity_score && context.profanity_score >= 90
-};
-`;
-
-const OVERWATCH_AGENT_SECURITY_DEFAULT_CEDAR = `// =============================================================================
-// Agent Security Policy (Default)
-// =============================================================================
-// Detects and blocks tool poisoning, rug pull attacks, and indirect prompt
-// injection targeting AI coding agents. These are agentic AI-specific attack
-// vectors where tool descriptions or server responses manipulate agent behavior.
-//
-// Compliance: OWASP LLM09 (Improper Output Handling) | MITRE ATLAS AML.T0054
-// Category: agent_security
-// Namespace: Overwatch
-// =============================================================================
-
-// Block tool calls with high tool poisoning risk
-@id("as-block-tool-poisoning")
-@name("Block tool poisoning")
-@description("Block tool execution when tool description contains manipulation patterns (score >= 70/100)")
-@severity("critical")
-@tags("tool-poisoning,agent-security,owasp-llm09")
-@reject_message("Tool execution was blocked because the tool description contains manipulation patterns that could compromise agent behavior.")
-forbid (
-    principal,
-    action == Overwatch::Action::"call_tool",
-    resource
-)
-when {
-    context has tool_poisoning_score && context.tool_poisoning_score >= 70
-};
-
-// Block tool calls with rug pull detection
-@id("as-block-rug-pull")
-@name("Block rug pull attacks")
-@description("Block tool execution when tool behavior diverges from advertised capabilities (score >= 70/100)")
-@severity("critical")
-@tags("rug-pull,agent-security,mcp-security")
-@reject_message("Tool execution was blocked because the tool's actual behavior diverges from its advertised capabilities.")
-forbid (
-    principal,
-    action in [Overwatch::Action::"call_tool", Overwatch::Action::"connect_server"],
-    resource
-)
-when {
-    context has rug_pull_score && context.rug_pull_score >= 70
-};
-
-// Block MCP server connections with high poisoning risk
-@id("as-block-server-poisoning")
-@name("Block poisoned MCP servers")
-@description("Block connections to MCP servers when tool poisoning patterns are detected (score >= 60/100)")
-@severity("critical")
-@tags("tool-poisoning,mcp-security,agent-security")
-@reject_message("Connection to this MCP server was blocked because tool poisoning patterns were detected in its tool descriptions.")
-forbid (
-    principal,
-    action == Overwatch::Action::"connect_server",
-    resource
-)
-when {
-    context has tool_poisoning_score && context.tool_poisoning_score >= 60
-};
-
-// Block prompts with indirect injection patterns
-@id("as-block-indirect-injection")
-@name("Block indirect prompt injection")
-@description("Block content when indirect prompt injection is detected in tool outputs or retrieved documents (score >= 70/100)")
-@severity("critical")
-@tags("indirect-injection,agent-security,owasp-llm01")
-@reject_message("This content was blocked because indirect prompt injection patterns were detected in tool outputs or retrieved documents.")
-forbid (
-    principal,
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"call_tool", Overwatch::Action::"connect_server"],
-    resource
-)
-when {
-    context has indirect_injection_score && context.indirect_injection_score >= 70
-};
-
-// Block unverified MCP server tool calls with any detected threats
-@id("as-block-unverified-threats")
-@name("Block unverified server threats")
-@description("Block tool calls from unverified MCP servers when any threat is detected")
-@severity("high")
-@tags("mcp-trust,agent-security,unverified")
-@reject_message("Tool execution was blocked because the MCP server is unverified and threats were detected in the content.")
-forbid (
-    principal,
-    action == Overwatch::Action::"call_tool",
-    resource
-)
-when {
-    context has mcp_server_verified && context.mcp_server_verified == false &&
-    context has threat_count && context.threat_count > 0
-};
-`;
-
-const OVERWATCH_TOOLS_MCP_ALLOWLIST_CEDAR = `// MCP Server Allowlist Template
-// Only allow specific MCP servers to be used
-// Category: tools
-//
-// NOTE: Users should customize the mcp_server values in the permit rule
-// to match their allowed servers before deploying this template.
-
-@id("mcp-allowlist-permit")
-@name("Allow specific MCP servers")
-@description("Only allow connections to pre-approved MCP servers (customize the list)")
-@severity("medium")
-@tags("mcp,allowlist,server,governance")
-permit (
-    principal,
-    action == Overwatch::Action::"connect_server",
-    resource
-)
-when {
-    context.mcp_server == "filesystem" ||
-    context.mcp_server == "playwright"
-};
-
-@id("mcp-allowlist-deny")
-@name("Deny unallowed MCP servers")
-@description("Block all MCP server connections not in the allowlist")
-@severity("medium")
-@tags("mcp,deny-default,server")
-forbid (
-    principal,
-    action == Overwatch::Action::"connect_server",
-    resource
-);
-`;
-
-const OVERWATCH_ORG_DEFAULT_DENY_CEDAR = `// Default Deny All Template
-// Organization-wide baseline: deny all unless explicitly permitted
-// Category: organization
-
-@id("org-deny-all")
-@name("Deny all actions by default")
-@description("Block all actions unless explicitly permitted by other policies - use as organization baseline")
-@severity("high")
-@tags("baseline,security,deny-by-default,organization")
-forbid (
-    principal,
-    action,
-    resource
-);
-`;
-
-const OVERWATCH_ORG_AUDIT_ALL_CEDAR = `// Audit All Actions Template
-// Log all agent actions for compliance and monitoring
-// Category: organization
-
-@id("org-audit-all")
-@name("Audit all actions")
-@description("Permit and log all agent actions for compliance auditing and monitoring")
-@severity("low")
-@tags("audit,compliance,logging,organization")
-permit (
-    principal,
-    action,
-    resource
-);
-`;
-
-const OVERWATCH_ORG_TEAM_PERMISSIONS_CEDAR = `// Team-Based Permissions (ReBAC)
-// Grant IDE access based on team membership using entity hierarchy
-// Category: organization
-// Namespace: Overwatch
-//
-// Entity hierarchy required:
-//   Organization::"acme-corp"
-//     └── Team::"dev-team"       (in Organization)
-//     │     └── Agent::"claude"  (in Team)
-//     └── Team::"support-team"   (in Organization)
-//           └── Agent::"claude-support" (in Team)
-
-// Dev Team: Full IDE access - all actions permitted
-@id("team-dev-full-access")
-@name("Dev team full IDE access")
-@description("Grant development team agents full IDE access including tools, prompts, file operations, and server connections")
-@severity("medium")
-@tags("rebac,team,dev,permissions,organization")
-permit (
-    principal in Overwatch::Team::"dev-team",
-    action,
-    resource
-);
-
-// Support Team: Read-only access - process prompts and read files only
-@id("team-support-read-only")
-@name("Support team read-only access")
-@description("Grant support team agents read-only access limited to prompt processing and file reading")
-@severity("medium")
-@tags("rebac,team,support,read-only,organization")
-permit (
-    principal in Overwatch::Team::"support-team",
-    action in [Overwatch::Action::"process_prompt", Overwatch::Action::"read_file"],
-    resource
-);
-`;
-
-const OVERWATCH_ORG_AGENT_GUARDRAILS_CEDAR = `// Agent-Specific Guardrails
-// Apply per-agent security policies based on agent identity
-// Category: organization
-// Namespace: Overwatch
-//
-// Different agents have different risk profiles:
-//   Claude Code → prompt injection detection
-//   Cursor      → PII leakage detection
-
-// Claude Code: Block prompt injection attempts
-@id("agent-claude-block-injection")
-@name("Claude Code injection guardrail")
-@description("Block prompt injection attempts specifically for Claude Code agent")
-@severity("critical")
-@tags("rebac,agent,claude,injection,guardrail,organization")
-forbid (
-    principal == Overwatch::Agent::"claude",
-    action == Overwatch::Action::"process_prompt",
-    resource
-)
-when {
-    context.yara_threats.contains("prompt_injection")
-};
-
-// Cursor: Block PII leakage
-@id("agent-cursor-block-pii")
-@name("Cursor PII guardrail")
-@description("Block PII content in Cursor agent prompts to prevent data leakage")
-@severity("critical")
-@tags("rebac,agent,cursor,pii,guardrail,organization")
-forbid (
-    principal == Overwatch::Agent::"cursor",
-    action == Overwatch::Action::"process_prompt",
-    resource
-)
-when {
-    context.threat_categories.contains("pii")
-};
-`;
-
-// =============================================================================
-// CATEGORIES
-// =============================================================================
-
-export const OVERWATCH_CATEGORIES: OverwatchCategoryInfo[] = [
-  { id: 'secrets', name: 'Secrets Detection', description: 'Detect and block credentials, tokens, API keys, and sensitive key patterns in prompts, tool calls, and AI responses' },
-  { id: 'pii', name: 'PII Detection', description: 'Detect and block personally identifiable information (PII) such as credit card numbers, SSNs, and other sensitive data' },
-  { id: 'semantic', name: 'Semantic Threat Detection', description: 'Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats' },
-  { id: 'tools', name: 'Tool Permissioning', description: 'Control access to shell execution, file operations, MCP servers, and sensitive system paths' },
-  { id: 'organization', name: 'Organization Rules', description: 'Apply organization-wide policy baselines, team permissions, and agent-specific guardrails' },
-  { id: 'trust_safety', name: 'Content Safety', description: 'Detect and control violent, harmful, hateful, sexual, and profane content using trust/safety classification scores' },
-  { id: 'agent_security', name: 'Agent Security', description: 'Detect tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents' },
-];
-
-// =============================================================================
-// DEFAULT POLICIES
-// =============================================================================
-
-export const OVERWATCH_DEFAULTS: OverwatchDefaultPolicy[] = [
-  {
-    id: 'baseline-default',
-    name: 'Baseline Permit',
-    description: 'Permits all actions by default — threat-specific forbid policies override this when threats are detected',
-    category: 'organization',
-    cedarText: OVERWATCH_BASELINE_DEFAULT_CEDAR,
-    severity: 'low',
-    tags: ['baseline', 'permit-default', 'organization'],
-    isActive: true,
-  },
-  {
-    id: 'secrets-default',
-    name: 'Secrets Detection',
-    description: 'Detect and block credential leakage across prompts, tool calls, file operations, and AI response content',
-    category: 'secrets',
-    cedarText: OVERWATCH_SECRETS_DEFAULT_CEDAR,
-    severity: 'critical',
-    tags: ['api-keys', 'tokens', 'credentials', 'aws', 'github', 'ssh', 'baseline'],
-    isActive: true,
-  },
-  {
-    id: 'pii-default',
-    name: 'PII Detection',
-    description: 'Detect and block credit card numbers, SSN, and other sensitive personal information in prompts and tool calls',
-    category: 'pii',
-    cedarText: OVERWATCH_PII_DEFAULT_CEDAR,
-    severity: 'critical',
-    tags: ['pii', 'privacy', 'compliance', 'pci-dss', 'gdpr', 'baseline'],
-    isActive: true,
-  },
-  {
-    id: 'semantic-default',
-    name: 'Semantic Threat Detection',
-    description: 'Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats',
-    category: 'semantic',
-    cedarText: OVERWATCH_SEMANTIC_DEFAULT_CEDAR,
-    severity: 'critical',
-    tags: ['prompt-injection', 'jailbreak', 'owasp-llm01', 'security', 'baseline'],
-    isActive: true,
-  },
-  {
-    id: 'tools-default',
-    name: 'Tool Permissioning',
-    description: 'Block dangerous shell execution, restrict sensitive file paths, and enforce threat-based tool access controls',
-    category: 'tools',
-    cedarText: OVERWATCH_TOOLS_DEFAULT_CEDAR,
-    severity: 'critical',
-    tags: ['shell', 'command-injection', 'file-access', 'mitre-t1059', 'baseline'],
-    isActive: false,
-  },
-  {
-    id: 'trust-safety-default',
-    name: 'Content Safety',
-    description: 'Detect and block violent, harmful, hateful, sexual, and profane content using classification scores',
-    category: 'trust_safety',
-    cedarText: OVERWATCH_TRUST_SAFETY_DEFAULT_CEDAR,
-    severity: 'critical',
-    tags: ['violence', 'weapons', 'hate-speech', 'crime', 'sexual', 'profanity', 'content-safety', 'baseline'],
-    isActive: true,
-  },
-  {
-    id: 'agent-security-default',
-    name: 'Agent Security',
-    description: 'Detect and block tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents',
-    category: 'agent_security',
-    cedarText: OVERWATCH_AGENT_SECURITY_DEFAULT_CEDAR,
-    severity: 'critical',
-    tags: ['tool-poisoning', 'rug-pull', 'indirect-injection', 'mcp-security', 'agent-security', 'baseline'],
-    isActive: true,
-  },
-];
-
-// =============================================================================
-// ALL TEMPLATES
-// =============================================================================
-
-export const OVERWATCH_TEMPLATES: OverwatchTemplate[] = [
-  {
-    id: 'tools-mcp-allowlist',
-    name: 'MCP Server Allowlist',
-    description: 'Only allow specific MCP servers to be used',
-    category: 'tools',
-    cedarText: OVERWATCH_TOOLS_MCP_ALLOWLIST_CEDAR,
-    severity: 'medium',
-    tags: ['mcp', 'allowlist', 'whitelist'],
-  },
-  {
-    id: 'org-default-deny',
-    name: 'Default Deny All',
-    description: 'Organization-wide baseline: deny all unless explicitly permitted',
-    category: 'organization',
-    cedarText: OVERWATCH_ORG_DEFAULT_DENY_CEDAR,
-    severity: 'high',
-    tags: ['baseline', 'security', 'deny-by-default'],
-  },
-  {
-    id: 'org-audit-all',
-    name: 'Audit All Actions',
-    description: 'Log all agent actions for compliance and monitoring',
-    category: 'organization',
-    cedarText: OVERWATCH_ORG_AUDIT_ALL_CEDAR,
-    severity: 'low',
-    tags: ['audit', 'compliance', 'logging'],
-  },
-  {
-    id: 'org-team-permissions',
-    name: 'Team-Based Permissions (ReBAC)',
-    description: 'Grant IDE access based on team membership using entity hierarchy - supports dev team full access and support team read-only',
-    category: 'organization',
-    cedarText: OVERWATCH_ORG_TEAM_PERMISSIONS_CEDAR,
-    severity: 'medium',
-    tags: ['rebac', 'team', 'permissions', 'hierarchy'],
-  },
-  {
-    id: 'org-agent-guardrails',
-    name: 'Agent-Specific Guardrails',
-    description: 'Apply per-agent security guardrails - injection blocking for Claude, PII blocking for Cursor',
-    category: 'organization',
-    cedarText: OVERWATCH_ORG_AGENT_GUARDRAILS_CEDAR,
-    severity: 'critical',
-    tags: ['rebac', 'agent', 'guardrails', 'per-agent'],
-  },
-];
-
-// =============================================================================
-// TEMPLATES METADATA
-// =============================================================================
-
-/** Raw templates.json metadata for the Overwatch service. */
-export const OVERWATCH_TEMPLATES_JSON: string = `{
-  "service": "overwatch",
-  "version": "3.0.0",
-  "description": "Overwatch policy templates for IDE security",
-  "categories": [
-    {
-      "id": "secrets",
-      "name": "Secrets Detection",
-      "description": "Detect and block credentials, tokens, API keys, and sensitive key patterns in prompts, tool calls, and AI responses"
-    },
-    {
-      "id": "pii",
-      "name": "PII Detection",
-      "description": "Detect and block personally identifiable information (PII) such as credit card numbers, SSNs, and other sensitive data"
-    },
-    {
-      "id": "semantic",
-      "name": "Semantic Threat Detection",
-      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats"
-    },
-    {
-      "id": "tools",
-      "name": "Tool Permissioning",
-      "description": "Control access to shell execution, file operations, MCP servers, and sensitive system paths"
-    },
-    {
-      "id": "organization",
-      "name": "Organization Rules",
-      "description": "Apply organization-wide policy baselines, team permissions, and agent-specific guardrails"
-    },
-    {
-      "id": "trust_safety",
-      "name": "Content Safety",
-      "description": "Detect and control violent, harmful, hateful, sexual, and profane content using trust/safety classification scores"
-    },
-    {
-      "id": "agent_security",
-      "name": "Agent Security",
-      "description": "Detect tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents"
-    }
-  ],
-  "defaults": [
-    {
-      "id": "baseline-default",
-      "name": "Baseline Permit",
-      "description": "Permits all actions by default — threat-specific forbid policies override this when threats are detected",
-      "category": "organization",
-      "file": "defaults/baseline.cedar",
-      "severity": "low",
-      "tags": ["baseline", "permit-default", "organization"],
-      "is_active": true
-    },
-    {
-      "id": "secrets-default",
-      "name": "Secrets Detection",
-      "description": "Detect and block credential leakage across prompts, tool calls, file operations, and AI response content",
-      "category": "secrets",
-      "file": "defaults/secrets.cedar",
-      "severity": "critical",
-      "tags": ["api-keys", "tokens", "credentials", "aws", "github", "ssh", "baseline"],
-      "is_active": true
-    },
-    {
-      "id": "pii-default",
-      "name": "PII Detection",
-      "description": "Detect and block credit card numbers, SSN, and other sensitive personal information in prompts and tool calls",
-      "category": "pii",
-      "file": "defaults/pii.cedar",
-      "severity": "critical",
-      "tags": ["pii", "privacy", "compliance", "pci-dss", "gdpr", "baseline"],
-      "is_active": true
-    },
-    {
-      "id": "semantic-default",
-      "name": "Semantic Threat Detection",
-      "description": "Detect and block prompt injection, jailbreak attempts, and high-severity AI security threats",
-      "category": "semantic",
-      "file": "defaults/semantic.cedar",
-      "severity": "critical",
-      "tags": ["prompt-injection", "jailbreak", "owasp-llm01", "security", "baseline"],
-      "is_active": true
-    },
-    {
-      "id": "tools-default",
-      "name": "Tool Permissioning",
-      "description": "Block dangerous shell execution, restrict sensitive file paths, and enforce threat-based tool access controls",
-      "category": "tools",
-      "file": "defaults/tools.cedar",
-      "severity": "critical",
-      "tags": ["shell", "command-injection", "file-access", "mitre-t1059", "baseline"],
-      "is_active": false
-    },
-    {
-      "id": "trust-safety-default",
-      "name": "Content Safety",
-      "description": "Detect and block violent, harmful, hateful, sexual, and profane content using classification scores",
-      "category": "trust_safety",
-      "file": "defaults/trust_safety.cedar",
-      "severity": "critical",
-      "tags": ["violence", "weapons", "hate-speech", "crime", "sexual", "profanity", "content-safety", "baseline"],
-      "is_active": true
-    },
-    {
-      "id": "agent-security-default",
-      "name": "Agent Security",
-      "description": "Detect and block tool poisoning, rug pull attacks, and indirect prompt injection targeting AI agents",
-      "category": "agent_security",
-      "file": "defaults/agent_security.cedar",
-      "severity": "critical",
-      "tags": ["tool-poisoning", "rug-pull", "indirect-injection", "mcp-security", "agent-security", "baseline"],
-      "is_active": true
-    }
-  ],
-  "templates": [
-    {
-      "id": "tools-mcp-allowlist",
-      "name": "MCP Server Allowlist",
-      "description": "Only allow specific MCP servers to be used",
-      "category": "tools",
-      "file": "mcp_server_allowlist.cedar",
-      "severity": "medium",
-      "tags": ["mcp", "allowlist", "whitelist"]
-    },
-    {
-      "id": "org-default-deny",
-      "name": "Default Deny All",
-      "description": "Organization-wide baseline: deny all unless explicitly permitted",
-      "category": "organization",
-      "file": "default_deny_all.cedar",
-      "severity": "high",
-      "tags": ["baseline", "security", "deny-by-default"]
-    },
-    {
-      "id": "org-audit-all",
-      "name": "Audit All Actions",
-      "description": "Log all agent actions for compliance and monitoring",
-      "category": "organization",
-      "file": "audit_all_actions.cedar",
-      "severity": "low",
-      "tags": ["audit", "compliance", "logging"]
-    },
-    {
-      "id": "org-team-permissions",
-      "name": "Team-Based Permissions (ReBAC)",
-      "description": "Grant IDE access based on team membership using entity hierarchy - supports dev team full access and support team read-only",
-      "category": "organization",
-      "file": "team_permissions.cedar",
-      "severity": "medium",
-      "tags": ["rebac", "team", "permissions", "hierarchy"]
-    },
-    {
-      "id": "org-agent-guardrails",
-      "name": "Agent-Specific Guardrails",
-      "description": "Apply per-agent security guardrails - injection blocking for Claude, PII blocking for Cursor",
-      "category": "organization",
-      "file": "agent_guardrails.cedar",
-      "severity": "critical",
-      "tags": ["rebac", "agent", "guardrails", "per-agent"]
-    }
-  ]
-}
-`;
-
-// =============================================================================
-// HELPER FUNCTIONS
-// =============================================================================
-
-export function getOverwatchDefaultsByCategory(category: OverwatchCategory): OverwatchDefaultPolicy[] {
-  return OVERWATCH_DEFAULTS.filter(d => d.category === category);
-}
-
-export function getOverwatchTemplatesByCategory(category: OverwatchCategory): OverwatchTemplate[] {
-  return OVERWATCH_TEMPLATES.filter(t => t.category === category);
-}
-
-export function getOverwatchTemplateById(id: string): OverwatchTemplate | undefined {
-  return OVERWATCH_TEMPLATES.find(t => t.id === id);
-}